mapping_objects:
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Progress WS_FTP Server Deserialization of Untrusted Data
    Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-40044
  comments: Zero-day .NET deserialization vulnerability that allows an adversary to
    make an HTTP POST request to a vulnerable WS_FTP Server and execute commands.
  mapping_type: secondary_impact
  references:
  - https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
  - https://www.tenable.com/blog/cve-2023-40044-cve-2023-42657-progress-software-patches-multiple-vulnerabilities-in-ws-ftp
- attack_object_id: T1071.002
  attack_object_name: File Transfer Protocols
  capability_description: Progress WS_FTP Server Deserialization of Untrusted Data
    Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-40044
  comments: Zero-day .NET deserialization vulnerability that allows an adversary to
    make an HTTP POST request to a vulnerable WS_FTP Server and execute commands.
  mapping_type: primary_impact
  references:
  - https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
  - https://www.tenable.com/blog/cve-2023-40044-cve-2023-42657-progress-software-patches-multiple-vulnerabilities-in-ws-ftp
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Atlassian Bitbucket Server and Data Center Command Injection
    Vulnerability
  capability_group: command_injection
  capability_id: CVE-2022-36804
  comments: This vulnerability allows remote attackers with read permission to a
    public or private Bitbucket repository to execute arbitrary code by sending
    a malicious HTTP request.
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Atlassian Confluence Server Pre-Authorization Arbitrary
    File Read Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2021-26085
  comments: This vulnerability allows viewing of restricted resources via a pre-authorization
    arbitrary file read vulnerability.
  mapping_type: primary_impact
  references:
  - https://www.exploit-db.com/exploits/50377
- attack_object_id: T1499.004
  attack_object_name: Application or System Exploitation
  capability_description: Adobe Flash Player Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2015-3043
  comments: This vulnerability is exploited by a maliciously-crafted .swf file which
    can be run on a user system.
  mapping_type: primary_impact
  references:
  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/4073/adobe-flash-player-memory-corruption-vulnerability-cve-2015-3043
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2015-3043
  comments: This vulnerability is exploited by a maliciously-crafted .swf file which
    can be run on a user system.
  mapping_type: exploitation_technique
  references:
  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/4073/adobe-flash-player-memory-corruption-vulnerability-cve-2015-3043
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability
  capability_group: oob
  capability_id: CVE-2023-26369
  comments: This vulnerability is exploited through a user opening a malicious PDF
    file.
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/db/vulnerabilities/adobe-acrobat-cve-2023-26369/
  - https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2023/CVE-2023-26369.html
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Adobe Acrobat and Reader Sandbox Bypass Vulnerability
  capability_group: sandbox_bypass
  capability_id: CVE-2014-0546
  comments: This vulnerability allows bypassing sandbox protection and running native
    code.
  mapping_type: primary_impact
  references:
  - https://securelist.com/cve-2014-0546-used-in-targeted-attacks-adobe-reader-update/65577/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2010-2883
  comments: This vulnerability is exploited by the user opening a malicious pdf file
    to achieve arbitrary code execution.
  mapping_type: secondary_impact
  references:
  - https://www.exploit-db.com/exploits/16619
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2010-2883
  comments: This vulnerability is exploited by the user opening a malicious pdf file
    to achieve arbitrary code execution.
  mapping_type: primary_impact
  references:
  - https://www.exploit-db.com/exploits/16619
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Adobe Acrobat and Reader Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2023-21608
  comments: This vulnerability is exploited by having a user open a maliciously-crafted
    pdf file, which can result in arbitrary code execution.
  mapping_type: primary_impact
  references:
  - https://hacksys.io/blogs/adobe-reader-resetform-cagg-rce-cve-2023-21608
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26359
  comments: This vulnerability is utilized by exploiting a public-facing server.
  mapping_type: primary_impact
  references:
  - https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Adobe ColdFusion Directory Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2013-0629
  comments: This is an exploitation of a public-facing server due to password misconfiguration.
    Exploitation allows attackers to access restricted directories.
  mapping_type: secondary_impact
  references:
  - https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=34403
  - https://www.exploit-db.com/exploits/24946
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Adobe ColdFusion Directory Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2013-0629
  comments: This is an exploitation of a public-facing server due to password misconfiguration.
    Exploitation allows attackers to access restricted directories.
  mapping_type: primary_impact
  references:
  - https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=34403
  - https://www.exploit-db.com/exploits/24946
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Adobe Commerce and Magento Open Source Improper Input Validation
    Vulnerability
  capability_group: input_validation
  capability_id: CVE-2022-24086
  comments: This vulnerability can be exploited via a public-facing e-commerce application
    in order to achieve remote code execution. To evade detection, the exploit segment
    responsible for downloading and executing the remote malicious PHP code is obfuscated.
  mapping_type: secondary_impact
  references:
  - https://www.akamai.com/blog/security-research/new-sophisticated-magento-campaign-xurum-webshell#:~:text=In%20early%202022%2C%20the%20CVE,PHP%20code%20on%20susceptible%20targets.
  - https://sansec.io/research/magento-2-cve-2022-24086
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Adobe Commerce and Magento Open Source Improper Input Validation
    Vulnerability
  capability_group: input_validation
  capability_id: CVE-2022-24086
  comments: This vulnerability can be exploited via a public-facing e-commerce application
    in order to achieve remote code execution. To evade detection, the exploit segment
    responsible for downloading and executing the remote malicious PHP code is obfuscated.
  mapping_type: primary_impact
  references:
  - https://www.akamai.com/blog/security-research/new-sophisticated-magento-campaign-xurum-webshell#:~:text=In%20early%202022%2C%20the%20CVE,PHP%20code%20on%20susceptible%20targets.
  - https://sansec.io/research/magento-2-cve-2022-24086
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2014-7169
  comments: 'CVE-2014-7169 allows environment variables set from service/HTTP requests
    on a server (e.g. HTTP_COOKIE) to be processed by the Bash shell in a way that
    spawns a child shell with the authority/privilege level of the parent shell,
    achieving RCE of code provided by the adversary in the request.'
  mapping_type: exploitation_technique
  references:
  - http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2014-7169
  comments: 'CVE-2014-7169 allows environment variables set from service/HTTP requests
    on a server (e.g. HTTP_COOKIE) to be processed by the Bash shell in a way that
    spawns a child shell with the authority/privilege level of the parent shell,
    achieving RCE of code provided by the adversary in the request.'
  mapping_type: exploitation_technique
  references:
  - http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
- attack_object_id: T1059.004
  attack_object_name: Unix Shell
  capability_description: GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2014-7169
  comments: 'CVE-2014-7169 allows environment variables set from service/HTTP requests
    on a server (e.g. HTTP_COOKIE) to be processed by the Bash shell in a way that
    spawns a child shell with the authority/privilege level of the parent shell,
    achieving RCE of code provided by the adversary in the request.'
  mapping_type: primary_impact
  references:
  - http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2014-6271
  comments: 'CVE-2014-6271 allows environment variables set from service/HTTP requests
    on a server (e.g. HTTP_COOKIE) to be processed by the Bash shell in a way that
    spawns a child shell with the authority/privilege level of the parent shell,
    achieving RCE of code provided by the adversary in the request.'
  mapping_type: exploitation_technique
  references:
  - https://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2014-6271
  comments: 'CVE-2014-6271 allows environment variables set from service/HTTP requests
    on a server (e.g. HTTP_COOKIE) to be processed by the Bash shell in a way that
    spawns a child shell with the authority/privilege level of the parent shell,
    achieving RCE of code provided by the adversary in the request.'
  mapping_type: exploitation_technique
  references:
  - https://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
- attack_object_id: T1059.004
  attack_object_name: Unix Shell
  capability_description: GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2014-6271
  comments: 'CVE-2014-6271 allows environment variables set from service/HTTP requests
    on a server (e.g. HTTP_COOKIE) to be processed by the Bash shell in a way that
    spawns a child shell with the authority/privilege level of the parent shell,
    achieving RCE of code provided by the adversary in the request.'
  mapping_type: primary_impact
  references:
  - https://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Google Chromium Blink Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-21206
  comments: CVE-2021-21206 allows an adversary to use JavaScript to exploit the Blink
    rendering engine of the Chromium browser, which allows for execution of arbitrary
    code.
  mapping_type: exploitation_technique
  references:
  - https://www.zerodayinitiative.com/advisories/ZDI-21-411/
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Google Chromium Blink Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-21206
  comments: CVE-2021-21206 allows an adversary to use JavaScript to exploit the Blink
    rendering engine of the Chromium browser, which allows for execution of arbitrary
    code.
  mapping_type: exploitation_technique
  references:
  - https://www.zerodayinitiative.com/advisories/ZDI-21-411/
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Google Chromium WebGL Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-30554
  comments: CVE-2021-30554 allows an adversary to use JavaScript to exploit the WebGL
    component of the Chromium browser, which allows for execution of arbitrary code.
  mapping_type: exploitation_technique
  references:
  - https://attackerkb.com/topics/BAdojKKNTO/cve-2021-30554
  - https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Google Chromium WebGL Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-30554
  comments: CVE-2021-30554 allows an adversary to use JavaScript to exploit the WebGL
    component of the Chromium browser, which allows for execution of arbitrary code.
  mapping_type: exploitation_technique
  references:
  - https://attackerkb.com/topics/BAdojKKNTO/cve-2021-30554
  - https://thehackernews.com/2021/06/update-your-chrome-browser-to-patch-yet.html
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Google Chromium V8 Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-37975
  comments: CVE-2021-37975 allows an adversary to use JavaScript to exploit the Chromium
    browser V8 JavaScript engine which allows for a write into the heap.
  mapping_type: exploitation_technique
  references:
  - https://github.blog/security/vulnerability-research/chrome-in-the-wild-bug-analysis-cve-2021-37975/
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Google Chromium V8 Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-37975
  comments: CVE-2021-37975 allows an adversary to use JavaScript to exploit the Chromium
    browser V8 JavaScript engine which allows for a write into the heap.
  mapping_type: primary_impact
  references:
  - https://github.blog/security/vulnerability-research/chrome-in-the-wild-bug-analysis-cve-2021-37975/
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Google Chromium V8 Heap Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2021-21148
  comments: CVE-2021-21148 allows an adversary to use JavaScript to exploit the Chromium
    browser V8 JavaScript engine which allows for a write into the heap.
  mapping_type: exploitation_technique
  references:
  - https://threatprotect.qualys.com/2021/02/08/google-chrome-heap-buffer-overflow-vulnerability-cve-2021-21148/
  - https://www.tenable.com/blog/cve-2021-21148-google-chrome-heap-buffer-overflow-vulnerability-exploited-in-the-wild
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Google Chromium V8 Heap Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2021-21148
  comments: CVE-2021-21148 allows an adversary to use JavaScript to exploit the Chromium
    browser V8 JavaScript engine which allows for a write into the heap.
  mapping_type: primary_impact
  references:
  - https://www.tenable.com/blog/cve-2021-21148-google-chrome-heap-buffer-overflow-vulnerability-exploited-in-the-wild
  - https://threatprotect.qualys.com/2021/02/08/google-chrome-heap-buffer-overflow-vulnerability-cve-2021-21148/
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Google Chromium Race Condition Vulnerability
  capability_group: race_condition
  capability_id: CVE-2021-21166
  comments: CVE-2021-21166 allows an adversary to use JavaScript to exploit the Chromium
    browser via the audio object, using a race condition to write into the heap.
  mapping_type: exploitation_technique
  references:
  - https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-21166.html
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Google Chromium Race Condition Vulnerability
  capability_group: race_condition
  capability_id: CVE-2021-21166
  comments: CVE-2021-21166 allows an adversary to use JavaScript to exploit the Chromium
    browser via the audio object, using a race condition to write into the heap.
  mapping_type: primary_impact
  references:
  - https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-21166.html
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Microsoft Windows Hyper-V Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2024-38080
  comments: 'This zero-day vulnerability presents itself after an adversary has already
    infiltrated the victim''s network and enables the adversary to obtain SYSTEM
    level privileges via the Microsoft Windows Hyper-V product. As of now, details of
    the attacker''s methods to exploit this vulnerability are undisclosed.'
  mapping_type: exploitation_technique
  references:
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-july-2024/
  - https://thehackernews.com/2024/07/microsofts-july-update-patches-143.html
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Zoho ManageEngine Multiple Products Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-47966
  comments: 'CVE-2022-47966 is a remote code execution vulnerability that affects
    many ManageEngine products due to misconfiguration of security features. Adversaries
    can utilize this vulnerability to run arbitrary Java. APTs have been observed
    exploiting this vulnerability to gain access to public-facing applications, establish
    persistence, and move laterally.


    They''ve also been observed to create local user accounts with administrative
    privileges, use valid but disabled user accounts, delete logs, and establish command
    and control communications, among other activities detailed in the referenced
    reporting.'
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475_1.pdf
  - https://github.com/horizon3ai/CVE-2022-47966
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Zoho ManageEngine Multiple Products Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-47966
  comments: 'CVE-2022-47966 is a remote code execution vulnerability that affects
    many ManageEngine products due to misconfiguration of security features. Adversaries
    can utilize this vulnerability to run arbitrary Java. APTs have been observed
    exploiting this vulnerability to gain access to public-facing applications, establish
    persistence, and move laterally.


    They''ve also been observed to create local user accounts with administrative
    privileges, use valid but disabled user accounts, delete logs, and establish command
    and control communications, among other activities detailed in the referenced
    reporting.'
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475_1.pdf
  - https://github.com/horizon3ai/CVE-2022-47966
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Arm Mali GPU Kernel Driver Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-29256
  comments: 'This vulnerability is exploited by an unprivileged attacker by conducting
    malicious activity in GPU memory, gaining access to already freed memory. If successful,
    the threat actor could escalate their privileges to root as well as gain access
    to sensitive information. Detailed information about how adversaries exploit the
    GPU is not publicly available.'
  mapping_type: secondary_impact
  references:
  - https://vuldb.com/?id.175586
  - https://www.tenable.com/plugins/nessus/178128
  - https://www.lexology.com/library/detail.aspx?g=c57b19cd-73e4-43e2-8034-f7fa78166c63
  - https://source.android.com/docs/security/bulletin/2023-07-01#arm-components
  - https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-remote-code-execution_2023-072
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Arm Mali GPU Kernel Driver Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-29256
  comments: 'This vulnerability is exploited by an unprivileged attacker by conducting
    malicious activity in GPU memory, gaining access to already freed memory. If successful,
    the threat actor could escalate their privileges to root as well as gain access
    to sensitive information. Detailed information about how adversaries exploit the
    GPU is not publicly available.'
  mapping_type: primary_impact
  references:
  - https://vuldb.com/?id.175586
  - https://www.tenable.com/plugins/nessus/178128
  - https://www.lexology.com/library/detail.aspx?g=c57b19cd-73e4-43e2-8034-f7fa78166c63
  - https://source.android.com/docs/security/bulletin/2023-07-01#arm-components
  - https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-remote-code-execution_2023-072
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Google Chromium V8 Type Confusion Vulnerability
  capability_group: type_confusion
  capability_id: CVE-2024-5274
  comments: This vulnerability is exploited by the hosting of malicious content on
    a website. Adversaries use this to deliver an information-stealing payload within
    Chrome.
  mapping_type: primary_impact
  references:
  - https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Microsoft Exchange Server Validation Key Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-0688
  comments: 'CVE-2020-0688 is a remote code execution vulnerability that exists in Microsoft
    Exchange Server. CISA has observed the actors exploiting CVE-2020-0688 for remote
    code execution to enable email collection from targeted networks. Threat actors
    also used credentials in conjunction with known vulnerabilities on public-facing
    applications, such as virtual private networks (VPNs)—CVE-2020-0688 and
    CVE-2020-17144—to escalate privileges and gain remote code execution (RCE)
    on the exposed applications.'
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Microsoft Exchange Server Validation Key Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-0688
  comments: CVE-2020-0688 is an RCE vulnerability that exists in Microsoft Exchange software
    when the software fails to properly handle objects in memory. A nation-state APT
    actor has been observed exploiting this vulnerability to conduct widespread, distributed,
    and anonymized brute force access attempts against hundreds of government and
    private sector targets worldwide.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Microsoft Netlogon Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2020-1472
  comments: CVE-2020-1472 is a privilege escalation vulnerability in Windows Netlogon.
    After gaining initial access, the actors exploit CVE-2020-1472 to compromise all
    Active Directory (AD) identity services. Actors have then been observed using
    legitimate remote access tools, such as VPN and Remote Desktop Protocol (RDP),
    to access the environment with the compromised credentials.
  mapping_type: secondary_impact
  references:
  - https://cisa.gov/news-events/cybersecurity-advisories/aa20-283a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: VMware vCenter Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-21972
  comments: CVE-2021-21972 is an RCE vulnerability affecting VMware vCenter servers.
    An attacker with network access to port 443 may exploit this issue to execute
    commands with unrestricted privileges on the underlying operating system that
    hosts vCenter Server.
  mapping_type: primary_impact
  references:
  - https://outpost24.com/blog/attackers-collaborate-to-exploit-cve-2021-21972-and-cve-2021-21973/
  - https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: VMware vCenter Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-21972
  comments: CVE-2021-21972 is an RCE vulnerability affecting VMware vCenter servers.
    An attacker with network access to port 443 may exploit this issue to execute
    commands with unrestricted privileges on the underlying operating system that
    hosts vCenter Server.
  mapping_type: exploitation_technique
  references:
  - https://outpost24.com/blog/attackers-collaborate-to-exploit-cve-2021-21972-and-cve-2021-21973/
  - https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-27065
  comments: CVE-2021-26858, part of ProxyLogon, is a post-authentication arbitrary
    file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar
    post-authentication arbitrary file write vulnerabilities in Exchange. An attacker,
    authenticated either by using CVE-2021-26855 or via stolen admin credentials,
    could write a file to any path on the server.
  mapping_type: primary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-27065
  comments: CVE-2021-26858, part of ProxyLogon, is a post-authentication arbitrary
    file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar
    post-authentication arbitrary file write vulnerabilities in Exchange. An attacker,
    authenticated either by using CVE-2021-26855 or via stolen admin credentials,
    could write a file to any path on the server.
  mapping_type: exploitation_technique
  references:
  - https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-26858
  comments: CVE-2021-26858, part of ProxyLogon, is a post-authentication arbitrary
    file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar
    post-authentication arbitrary file write vulnerabilities in Exchange. An attacker,
    authenticated either by using CVE-2021-26855 or via stolen admin credentials,
    could write a file to any path on the server.
  mapping_type: primary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-26858
  comments: CVE-2021-26858, part of ProxyLogon, is a post-authentication arbitrary
    file write vulnerability in Exchange. CVE-2021-26858 and CVE-2021-27065 are similar
    post-authentication arbitrary file write vulnerabilities in Exchange. An attacker,
    authenticated either by using CVE-2021-26855 or via stolen admin credentials,
    could write a file to any path on the server.
  mapping_type: exploitation_technique
  references:
  - https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-26857
  comments: CVE-2021-26857, part of ProxyLogon, is an insecure deserialization vulnerability
    in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855
    or via stolen admin credentials, could execute arbitrary code as SYSTEM on the
    Exchange Server. Exploiting this vulnerability gave HAFNIUM the ability to run
    code as SYSTEM on the Exchange server. This requires administrator permission
    or another vulnerability to exploit.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a
  - https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-26857
  comments: CVE-2021-26857, part of ProxyLogon, is an insecure deserialization vulnerability
    in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855
    or via stolen admin credentials, could execute arbitrary code as SYSTEM on the
    Exchange Server. Exploiting this vulnerability gave HAFNIUM the ability to run
    code as SYSTEM on the Exchange server. This requires administrator permission
    or another vulnerability to exploit.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a
  - https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-26855
  comments: CVE-2021-26855, also known as ProxyLogon, allows an unauthenticated attacker
    to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability
    exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF).
    This would also allow the attacker to gain access to mailboxes and read sensitive
    information.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-26855
  comments: CVE-2021-26855, also known as ProxyLogon, allows an unauthenticated attacker
    to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability
    exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF).
    This would also allow the attacker to gain access to mailboxes and read sensitive
    information.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-26855
  comments: CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP
    requests and authenticate as the Exchange Server. The vulnerability exploits the
    Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would
    also allow the attacker to gain access to mailboxes and read sensitive information.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-26855
  comments: CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP
    requests and authenticate as the Exchange Server. The vulnerability exploits the
    Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would
    also allow the attacker to gain access to mailboxes and read sensitive information.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-34473
  comments: CVE-2021-34473 is part of the ProxyShell vulnerability chain in Microsoft
    Exchange; it is a code execution vulnerability that requires no user action or
    privileges to exploit.
  mapping_type: secondary_impact
  references:
  - https://www.darkreading.com/cyberattacks-data-breaches/attackers-now-exploiting-proxyshell-exchange-server-flaws-for-business-email-compromise
  - https://thehackernews.com/2024/05/ms-exchange-server-flaws-exploited-to.html
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-34473
  comments: CVE-2021-34473 is part of the ProxyShell vulnerability chain in Microsoft
    Exchange; it is a code execution vulnerability that requires no user action or
    privileges to exploit.
  mapping_type: secondary_impact
  references:
  - https://www.darkreading.com/cyberattacks-data-breaches/attackers-now-exploiting-proxyshell-exchange-server-flaws-for-business-email-compromise
  - https://thehackernews.com/2024/05/ms-exchange-server-flaws-exploited-to.html
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-34473
  comments: CVE-2021-34473 is part of the ProxyShell vulnerability chain in Microsoft
    Exchange; it is a code execution vulnerability that requires no user action or
    privileges to exploit.
  mapping_type: secondary_impact
  references:
  - https://www.darkreading.com/cyberattacks-data-breaches/attackers-now-exploiting-proxyshell-exchange-server-flaws-for-business-email-compromise
  - https://thehackernews.com/2024/05/ms-exchange-server-flaws-exploited-to.html
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a
- attack_object_id: T1053.005
  attack_object_name: Scheduled Task
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-34473
  comments: CVE-2021-34473 is part of the ProxyShell vulnerability chain in Microsoft
    Exchange; it is a code execution vulnerability that requires no user action or
    privileges to exploit.
  mapping_type: primary_impact
  references:
  - https://www.darkreading.com/cyberattacks-data-breaches/attackers-now-exploiting-proxyshell-exchange-server-flaws-for-business-email-compromise
  - https://thehackernews.com/2024/05/ms-exchange-server-flaws-exploited-to.html
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-34473
  comments: This is a remote code execution vulnerability that is often chained with
    CVE-2021-34523, a privilege escalation vulnerability.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Microsoft Exchange Server Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-34523
  comments: This privilege escalation vulnerability can be exploited by sending a
    specially crafted HTTP request to the Exchange server; it is often chained together
    with CVE-2021-34473, a remote code execution vulnerability.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1560.001
  attack_object_name: Archive via Utility
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1070.004
  attack_object_name: File Deletion
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1003.003
  attack_object_name: NTDS
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1140
  attack_object_name: Deobfuscate/Decode Files or Information
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: CVE-2021-40539 is an authentication bypass vulnerability affecting representational
    state transfer (REST) application programming interface (API) URLs that could
    enable remote code execution. Successful exploitation of the vulnerability allows
    an attacker to place webshells, which enable the adversary to conduct post-exploitation
    activities, such as compromising administrator credentials, conducting lateral
    movement, and exfiltrating registry hives and Active Directory files.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Apache Log4j2 Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44228
  comments: "CVE-2021-44228, known as Log4Shell, affects Apache\u2019s Log4j library,\
    \ an open-source logging framework. An actor can exploit this vulnerability by\
    \ submitting a specially crafted request to a vulnerable system that causes that\
    \ system to execute arbitrary code. The request allows a cyber actor to take full\
    \ control over the system. The actor can then steal information, launch ransomware,\
    \ or conduct other malicious activity."
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#attacks
  - https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
  - https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Apache Log4j2 Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44228
  comments: "CVE-2021-44228, known as Log4Shell, affects Apache\u2019s Log4j library,\
    \ an open-source logging framework. An actor can exploit this vulnerability by\
    \ submitting a specially crafted request to a vulnerable system that causes that\
    \ system to execute arbitrary code. The request allows a cyber actor to take full\
    \ control over the system. The actor can then steal information, launch ransomware,\
    \ or conduct other malicious activity."
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#attacks
  - https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
  - https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a
- attack_object_id: T1608.001
  attack_object_name: Upload Malware
  capability_description: Apache Log4j2 Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44228
  comments: "CVE-2021-44228, known as Log4Shell, affects Apache\u2019s Log4j library,\
    \ an open-source logging framework. An actor can exploit this vulnerability by\
    \ submitting a specially crafted request to a vulnerable system that causes that\
    \ system to execute arbitrary code. The request allows a cyber actor to take full\
    \ control over the system. The actor can then steal information, launch ransomware,\
    \ or conduct other malicious activity."
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#attacks
  - https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
  - https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Apache Log4j2 Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44228
  comments: "CVE-2021-44228, known as Log4Shell, affects Apache\u2019s Log4j library,\
    \ an open-source logging framework. An actor can exploit this vulnerability by\
    \ submitting a specially crafted request to a vulnerable system that causes that\
    \ system to execute arbitrary code. The request allows a cyber actor to take full\
    \ control over the system. The actor can then steal information, launch ransomware,\
    \ or conduct other malicious activity."
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#attacks
  - https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf
  - https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Apache Log4j2 Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44228
  comments: This remote code execution vulnerability is exploited through maliciously
    crafted requests to a web application.
  mapping_type: exploitation_technique
  references:
  - https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Microsoft Exchange Server Validation Key Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-0688
  comments: CVE-2020-0688 is an RCE vulnerability that exists in Microsoft Exchange
    software when the software fails to properly handle objects in memory. A nation-state
    APT actor has been observed exploiting this vulnerability to conduct widespread,
    distributed, and anonymized brute force access attempts against hundreds of government
    and private sector targets worldwide.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Microsoft Exchange Server Validation Key Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-0688
  comments: CVE-2020-0688 is an RCE vulnerability that exists in Microsoft Exchange
    software when the software fails to properly handle objects in memory. A nation-state
    APT actor has been observed exploiting this vulnerability to conduct widespread,
    distributed, and anonymized brute force access attempts against hundreds of government
    and private sector targets worldwide.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Microsoft Netlogon Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2020-1472
  comments: CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect
    of successful exploitation is the ability to authenticate to the vulnerable Domain
    Controller with Domain Administrator level credentials. In compromises exploiting
    this vulnerability, exploitation was typically followed immediately by dumping
    all hashes for Domain accounts.
  mapping_type: secondary_impact
  references:
  - https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Microsoft Netlogon Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2020-1472
  comments: CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect
    of successful exploitation is the ability to authenticate to the vulnerable Domain
    Controller with Domain Administrator level credentials. In compromises exploiting
    this vulnerability, exploitation was typically followed immediately by dumping
    all hashes for Domain accounts.
  mapping_type: primary_impact
  references:
  - https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Microsoft Netlogon Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2020-1472
  comments: CVE-2020-1472 is a privilege elevation vulnerability. The immediate effect
    of successful exploitation is the ability to authenticate to the vulnerable Domain
    Controller with Domain Administrator level credentials. In compromises exploiting
    this vulnerability, exploitation was typically followed immediately by dumping
    all hashes for Domain accounts.
  mapping_type: exploitation_technique
  references:
  - https://www.crowdstrike.com/en-us/blog/cve-2020-1472-zerologon-security-advisory/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Windows Background Intelligent Transfer Service
    (BITS) Improper Privilege Management Vulnerability
  capability_group: priv_mgmt
  capability_id: CVE-2020-0787
  comments: CVE-2020-0787 is a privilege elevation vulnerability in the Windows Background
    Intelligent Transfer Service (BITS). The service improperly handles symbolic links,
    which an actor can exploit to execute arbitrary code with system-level privileges.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Background Intelligent Transfer Service
    (BITS) Improper Privilege Management Vulnerability
  capability_group: priv_mgmt
  capability_id: CVE-2020-0787
  comments: CVE-2020-0787 is a privilege elevation vulnerability in the Windows Background
    Intelligent Transfer Service (BITS). The service improperly handles symbolic links,
    which an actor can exploit to execute arbitrary code with system-level privileges.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Microsoft SharePoint Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-0604
  comments: CVE-2019-0604 is a vulnerability in an XML deserialization component within
    Microsoft SharePoint that allowed remote attackers to install malware, typically
    webshells, on vulnerable hosts.
  mapping_type: primary_impact
  references:
  - https://www.zdnet.com/article/fbi-nation-state-actors-have-breached-two-us-municipalities/
  - https://ociso.ucla.edu/news/cyber-actors-exploit-sharepoint-vulnerability-gain-access-unprotected-networks
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1608.001
  attack_object_name: Upload Malware
  capability_description: Microsoft SharePoint Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-0604
  comments: CVE-2019-0604 is a vulnerability in an XML deserialization component within
    Microsoft SharePoint that allowed remote attackers to install malware, typically
    webshells, on vulnerable hosts.
  mapping_type: primary_impact
  references:
  - https://www.zdnet.com/article/fbi-nation-state-actors-have-breached-two-us-municipalities/
  - https://ociso.ucla.edu/news/cyber-actors-exploit-sharepoint-vulnerability-gain-access-unprotected-networks
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Microsoft SharePoint Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-0604
  comments: CVE-2019-0604 is a vulnerability in an XML deserialization component within
    Microsoft SharePoint that allowed remote attackers to install malware, typically
    webshells, on vulnerable hosts.
  mapping_type: secondary_impact
  references:
  - https://www.zdnet.com/article/fbi-nation-state-actors-have-breached-two-us-municipalities/
  - https://ociso.ucla.edu/news/cyber-actors-exploit-sharepoint-vulnerability-gain-access-unprotected-networks
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Microsoft SharePoint Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-0604
  comments: CVE-2019-0604 is a vulnerability in an XML deserialization component within
    Microsoft SharePoint that allowed remote attackers to install malware, typically
    webshells, on vulnerable hosts.
  mapping_type: primary_impact
  references:
  - https://www.zdnet.com/article/fbi-nation-state-actors-have-breached-two-us-municipalities/
  - https://ociso.ucla.edu/news/cyber-actors-exploit-sharepoint-vulnerability-gain-access-unprotected-networks
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Microsoft SharePoint Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-0604
  comments: CVE-2019-0604 is a vulnerability in an XML deserialization component within
    Microsoft SharePoint that allowed remote attackers to install malware, typically
    webshells, on vulnerable hosts.
  mapping_type: exploitation_technique
  references:
  - https://www.zdnet.com/article/fbi-nation-state-actors-have-breached-two-us-municipalities/
  - https://ociso.ucla.edu/news/cyber-actors-exploit-sharepoint-vulnerability-gain-access-unprotected-networks
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Progress Telerik UI for ASP.NET AJAX Deserialization of
    Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2019-18935
  comments: CVE-2019-18935 is an insecure deserialization vulnerability in the Telerik
    UI, which does not properly sanitize serialized data inputs from the user. This
    vulnerability exposes the application to RCE attacks that may lead to full system
    compromise.
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/
  - https://news.sophos.com/en-us/2022/06/15/telerik-ui-exploitation-leads-to-cryptominer-cobalt-strike-infections/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Progress Telerik UI for ASP.NET AJAX Deserialization of
    Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2019-18935
  comments: 'CVE-2019-18935 is an insecure deserialization vulnerability in Telerik
    UI, which does not properly sanitize serialized data inputs from the user. This
    vulnerability exposes the application to RCE attacks that may lead to a full
    system compromise.'
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/
  - https://news.sophos.com/en-us/2022/06/15/telerik-ui-exploitation-leads-to-cryptominer-cobalt-strike-infections/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Progress Telerik UI for ASP.NET AJAX Deserialization of
    Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2019-18935
  comments: 'CVE-2019-18935 is an insecure deserialization vulnerability in Telerik
    UI, which does not properly sanitize serialized data inputs from the user. This
    vulnerability exposes the application to RCE attacks that may lead to a full
    system compromise.'
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/
  - https://news.sophos.com/en-us/2022/06/15/telerik-ui-exploitation-leads-to-cryptominer-cobalt-strike-infections/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Progress Telerik UI for ASP.NET AJAX Deserialization of
    Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2019-18935
  comments: 'CVE-2019-18935 is an insecure deserialization vulnerability in Telerik
    UI, which does not properly sanitize serialized data inputs from the user. This
    vulnerability exposes the application to RCE attacks that may lead to a full
    system compromise.'
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/
  - https://news.sophos.com/en-us/2022/06/15/telerik-ui-exploitation-leads-to-cryptominer-cobalt-strike-infections/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Office Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2017-11882
  comments: CVE-2017-11882 exists in Microsoft Office, which is prone to a memory corruption
    vulnerability allowing an attacker to run arbitrary code if unpatched, in the
    context of the current user, by failing to properly handle objects in memory.
    Cyber actors continued to exploit this vulnerability in Microsoft Office. The
    vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable
    systems.
  mapping_type: primary_impact
  references:
  - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2017-11882
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Microsoft Office Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2017-11882
  comments: CVE-2017-11882 exists in Microsoft Office, which is prone to a memory corruption
    vulnerability allowing an attacker to run arbitrary code if unpatched, in the
    context of the current user, by failing to properly handle objects in memory.
    Cyber actors continued to exploit this vulnerability in Microsoft Office. The
    vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable
    systems.
  mapping_type: exploitation_technique
  references:
  - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2017-11882
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Ivanti MobileIron Multiple Products Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-15505
  comments: 'CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector
    that allows an external attacker, with no privileges, to execute code of their
    choice on the vulnerable system. As mobile device management (MDM) systems are
    critical to configuration management for external devices, they are usually highly
    permissioned and make a valuable target for threat actors.


    Multiple APTs have been observed exploiting this vulnerability to gain unauthorized
    access.'
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Ivanti MobileIron Multiple Products Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-15505
  comments: 'CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector
    that allows an external attacker, with no privileges, to execute code of their
    choice on the vulnerable system. As mobile device management (MDM) systems are
    critical to configuration management for external devices, they are usually highly
    permissioned and make a valuable target for threat actors.


    Multiple APTs have been observed exploiting this vulnerability to gain unauthorized
    access.'
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: F5 BIG-IP Traffic Management User Interface (TMUI) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-5902
  comments: CVE-2020-5902 is an RCE vulnerability in the Traffic Management User Interface
    (TMUI) that allows unauthenticated attackers, or authenticated users, with network
    access to the Configuration Utility (through the BIG-IP management port and/or
    self IPs) to execute arbitrary system commands, create or delete files, disable
    services, and execute arbitrary Java code.
  mapping_type: secondary_impact
  references:
  - https://www.nccgroup.com/us/research-blog/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: F5 BIG-IP Traffic Management User Interface (TMUI) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-5902
  comments: CVE-2020-5902 is an RCE vulnerability in the Traffic Management User Interface
    (TMUI) that allows unauthenticated attackers, or authenticated users, with network
    access to the Configuration Utility (through the BIG-IP management port and/or
    self IPs) to execute arbitrary system commands, create or delete files, disable
    services, and execute arbitrary Java code.
  mapping_type: secondary_impact
  references:
  - https://www.nccgroup.com/us/research-blog/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1070.004
  attack_object_name: File Deletion
  capability_description: F5 BIG-IP Traffic Management User Interface (TMUI) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-5902
  comments: CVE-2020-5902 is an RCE vulnerability in the Traffic Management User Interface
    (TMUI) that allows unauthenticated attackers, or authenticated users, with network
    access to the Configuration Utility (through the BIG-IP management port and/or
    self IPs) to execute arbitrary system commands, create or delete files, disable
    services, and execute arbitrary Java code.
  mapping_type: secondary_impact
  references:
  - https://www.nccgroup.com/us/research-blog/rift-f5-networks-k52145254-tmui-rce-vulnerability-cve-2020-5902-intelligence/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: F5 BIG-IP Traffic Management User Interface (TMUI) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-5902
  comments: "CVE-2020-5902\u2014an RCE vulnerability in the BIG-IP Traffic Management\
    \ User Interface (TMUI)\u2014to take control of victim systems. On June 30, F5\
    \ disclosed CVE-2020-5902, stating that it allows attackers to, \u201Cexecute\
    \ arbitrary system commands, create or delete files, disable services, and/or\
    \ execute arbitrary Java code.\u201D - CISA Advisory"
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: F5 BIG-IP Traffic Management User Interface (TMUI) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-5902
  comments: CVE-2020-5902 is an RCE vulnerability in the Traffic Management User Interface
    (TMUI) that allows unauthenticated attackers, or authenticated users, with network
    access to the Configuration Utility (through the BIG-IP management port and/or
    self IPs) to execute arbitrary system commands, create or delete files, disable
    services, and execute arbitrary Java code.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1083
  attack_object_name: File and Directory Discovery
  capability_description: Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2019-11510
  comments: 'CVE-2019-11510: Pulse Connect Secure is vulnerable to unauthenticated
    arbitrary file disclosure. An attacker can exploit this vulnerability to gain
    access to administrative credentials.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-110a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1552.001
  attack_object_name: Credentials In Files
  capability_description: Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2019-11510
  comments: 'CVE-2019-11510: Pulse Connect Secure is vulnerable to unauthenticated
    arbitrary file disclosure. An attacker can exploit this vulnerability to gain
    access to administrative credentials.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-110a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2019-11510
  comments: 'CVE-2019-11510: Pulse Connect Secure is vulnerable to unauthenticated
    arbitrary file disclosure. An attacker can exploit this vulnerability to gain
    access to administrative credentials.'
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-110a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2019-11510
  comments: 'CVE-2019-11510: Pulse Connect Secure is vulnerable to unauthenticated
    arbitrary file disclosure. An attacker can exploit this vulnerability to gain
    access to administrative credentials.'
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-110a
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1083
  attack_object_name: File and Directory Discovery
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-19781
  comments: 'CVE-2019-19781 is exploited through directory traversal, allowing an
    unauthenticated attacker to execute arbitrary code on affected Citrix NetScaler
    Application Delivery Controller (ADC) appliances.'
  mapping_type: secondary_impact
  references:
  - https://www.ic3.gov/CSA/2021/210426.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-19781
  comments: 'CVE-2019-19781 is exploited through directory traversal, allowing an
    unauthenticated attacker to execute arbitrary code on affected Citrix NetScaler
    Application Delivery Controller (ADC) appliances.'
  mapping_type: primary_impact
  references:
  - https://www.ic3.gov/CSA/2021/210426.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-19781
  comments: 'CVE-2019-19781 is exploited through directory traversal, allowing an
    unauthenticated attacker to execute arbitrary code on affected Citrix NetScaler
    Application Delivery Controller (ADC) appliances.'
  mapping_type: exploitation_technique
  references:
  - https://www.ic3.gov/CSA/2021/210426.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Zoho ManageEngine ADSelfService Plus Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-40539
  comments: "This is an authentication bypass vulnerability that can enable remote\
    \ code execution. \n\nNumerous post-exploitation impacts by threat actors are\
    \ detailed in the referenced CISA report."
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Fortinet FortiOS SSL VPN Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2018-13379
  comments: This is a path traversal vulnerability that allows an adversary to download
    system files through specially crafted HTTP requests.
  mapping_type: exploitation_technique
  references:
  - https://blog.orange.tw/posts/2019-08-attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn/
  - https://www.ic3.gov/CSA/2021/210402.pdf
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: F5 BIG-IP Missing Authentication Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2022-1388
  comments: This CVE is an authentication bypass vulnerability. Unauthenticated users
    with network access can execute arbitrary commands.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138a
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2015-0313
  comments: This use-after-free vulnerability is exploited in the wild via drive-by download.
  mapping_type: exploitation_technique
  references:
  - https://helpx.adobe.com/security/products/flash-player/apsa15-02.html
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Microsoft Exchange Server Security Feature Bypass Vulnerability
  capability_group: feature_bypass
  capability_id: CVE-2021-31207
  comments: This vulnerability is exploited via authentication bypass, allowing the
    adversary to write to files.
  mapping_type: primary_impact
  references:
  - https://www.rescana.com/post/critical-analysis-of-cve-2021-31207-bypassing-security-in-microsoft-exchange-server
  - https://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2015-5119
  comments: To exploit this vulnerability, adversaries sent spearphishing emails with
    URLs to webpages hosting maliciously crafted JavaScript. The adversaries then downloaded
    a payload.
  mapping_type: secondary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/demonstrating-hustle/
- attack_object_id: T1055.001
  attack_object_name: Dynamic-link Library Injection
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2015-5119
  comments: 'This vulnerability has been exploited in the wild by multiple different
    threat actors. Threat groups send phishing emails with URLs where maliciously crafted
    JavaScript is hosted. This CVE has many mappable exploitation techniques and impacts.


    Adversaries use this exploit to deliver malicious payloads to the target machines
    and establish DLL backdoors.'
  mapping_type: secondary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/demonstrating-hustle/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2015-5119
  comments: To exploit this vulnerability, adversaries sent spearphishing emails with
    URLs to webpages hosting maliciously crafted JavaScript. The adversaries then downloaded
    a payload.
  mapping_type: primary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/demonstrating-hustle/
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2015-5119
  comments: 'This vulnerability has been exploited in the wild by multiple different
    threat actors. Threat groups send phishing emails with URLs where maliciously crafted
    JavaScript is hosted. This CVE has many mappable exploitation techniques and impacts.


    Adversaries use this exploit to deliver malicious payloads to the target machines
    and establish DLL backdoors.'
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/demonstrating-hustle/
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2015-5119
  comments: To exploit this vulnerability, adversaries sent spearphishing emails with
    URLs to webpages hosting maliciously crafted JavaScript. The adversaries then downloaded
    a payload.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/demonstrating-hustle/
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2015-5119
  comments: To exploit this vulnerability, adversaries sent spearphishing emails with
    URLs to webpages hosting maliciously crafted JavaScript. The adversaries then downloaded
    a payload.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/demonstrating-hustle/
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2015-5119
  comments: To exploit this vulnerability, adversaries sent spearphishing emails with
    URLs to webpages hosting maliciously crafted JavaScript. The adversaries then downloaded
    a payload.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/demonstrating-hustle/
- attack_object_id: T1548.002
  attack_object_name: Bypass User Account Control
  capability_description: Microsoft Exchange Server Security Feature Bypass Vulnerability
  capability_group: feature_bypass
  capability_id: CVE-2021-31207
  comments: This vulnerability is exploited via authentication bypass, allowing the
    adversary to write to files.
  mapping_type: exploitation_technique
  references:
  - https://www.rescana.com/post/critical-analysis-of-cve-2021-31207-bypassing-security-in-microsoft-exchange-server
  - https://packetstormsecurity.com/files/163895/Microsoft-Exchange-ProxyShell-Remote-Code-Execution.html
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: VMware Workspace ONE Access and Identity Manager Server-Side
    Template Injection Vulnerability
  capability_group: inject
  capability_id: CVE-2022-22954
  comments: 'This vulnerability is exploited via server-side template injection to
    achieve remote code execution. This access is then used to establish backdoors.
    Adversaries have been observed chaining this with CVE-2022-22960 in order to escalate
    privileges to root. '
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b
  - https://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html
- attack_object_id: T1222
  attack_object_name: File and Directory Permissions Modification
  capability_description: VMware Multiple Products Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-22960
  comments: This vulnerability allows adversaries with local access to escalate privileges
    to root. Adversaries have been observed chaining this following exploit of CVE-2022-22954.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Google Chromium V8 Type Confusion Vulnerability
  capability_group: type_confusion
  capability_id: CVE-2024-5274
  comments: This vulnerability is exploited by the hosting of malicious content on
    a website. Adversaries use this to deliver an information-stealing payload within
    Chrome.
  mapping_type: exploitation_technique
  references:
  - https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: VMware Workspace ONE Access and Identity Manager Server-Side
    Template Injection Vulnerability
  capability_group: inject
  capability_id: CVE-2022-22954
  comments: 'This vulnerability is exploited via server-side template injection to
    achieve remote code execution. This access is then used to establish backdoors.
    Adversaries have been observed chaining this with CVE-2022-22960 in order to escalate
    privileges to root. '
  mapping_type: exploitation_technique
  references:
  - https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/
  - https://www.rapid7.com/blog/post/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b
  - https://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability
  capability_group: xss
  capability_id: CVE-2012-0767
  comments: 'This cross-site scripting vulnerability has been exploited in the wild
    by enticing a user to click on a link to a malicious website. The attacker can
    then impersonate the user and perform actions such as changing the user''s settings
    on the website or accessing the user''s webmail.'
  mapping_type: secondary_impact
  references:
  - https://www.jpcert.or.jp/english/at/2012/at120006.html
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability
  capability_group: xss
  capability_id: CVE-2012-0767
  comments: 'This cross-site scripting vulnerability has been exploited in the wild
    by enticing a user to click on a link to a malicious website. The attacker can
    then impersonate the user and perform actions such as changing the user''s settings
    on the website or accessing the user''s webmail.'
  mapping_type: secondary_impact
  references:
  - https://www.jpcert.or.jp/english/at/2012/at120006.html
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability
  capability_group: xss
  capability_id: CVE-2012-0767
  comments: 'This cross-site scripting vulnerability has been exploited in the wild
    by enticing a user to click on a link to a malicious website. The attacker can
    then impersonate the user and perform actions such as changing the user''s settings
    on the website or accessing the user''s webmail.'
  mapping_type: primary_impact
  references:
  - https://www.jpcert.or.jp/english/at/2012/at120006.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Cisco Small Business RV320 and RV325 Routers Information
    Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2019-1653
  comments: CVE-2019-1653 is a critical information disclosure vulnerability affecting
    Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability
    allows unauthenticated, remote attackers to access sensitive information from
    affected devices.
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2019/01/hacking-cisco-routers.html
  - https://therecord.media/cisco-routers-end-of-life-china-espionage-volt-typhoon
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26360
  comments: This vulnerability gives an adversary access through exploitation of a
    public-facing server.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-12/aa23-339a-threat-actors-exploit-adobe-coldfusion-cve-2023-26360.pdf
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26360
  comments: This vulnerability gives an adversary access through exploitation of a
    public-facing server.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-12/aa23-339a-threat-actors-exploit-adobe-coldfusion-cve-2023-26360.pdf
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26360
  comments: This vulnerability gives an adversary access through exploitation of a
    public-facing server.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-12/aa23-339a-threat-actors-exploit-adobe-coldfusion-cve-2023-26360.pdf
- attack_object_id: T1003.001
  attack_object_name: LSASS Memory
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26360
  comments: This vulnerability gives an adversary access through exploitation of a
    public-facing server.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-12/aa23-339a-threat-actors-exploit-adobe-coldfusion-cve-2023-26360.pdf
- attack_object_id: T1036.005
  attack_object_name: Match Legitimate Name or Location
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26360
  comments: This vulnerability gives an adversary access through exploitation of a
    public-facing server.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-12/aa23-339a-threat-actors-exploit-adobe-coldfusion-cve-2023-26360.pdf
- attack_object_id: T1484.001
  attack_object_name: Group Policy Modification
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26360
  comments: This vulnerability gives an adversary access through exploitation of a
    public-facing server.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-12/aa23-339a-threat-actors-exploit-adobe-coldfusion-cve-2023-26360.pdf
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26360
  comments: This vulnerability gives an adversary access through exploitation of a
    public-facing server.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-12/aa23-339a-threat-actors-exploit-adobe-coldfusion-cve-2023-26360.pdf
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26360
  comments: This vulnerability gives an adversary access through exploitation of a
    public-facing server.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-12/aa23-339a-threat-actors-exploit-adobe-coldfusion-cve-2023-26360.pdf
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Apache Shiro Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2016-4437
  comments: CVE-2016-4437 is a code execution vulnerability in Apache Shiro that allows
    remote attackers to execute code or bypass access restrictions via an unspecified
    request parameter when a cipher key has not been configured for the "remember
    me" feature.
  mapping_type: exploitation_technique
  references:
  - https://s4e.io/tools/apache-shiro-remote-code-execution-rce-cve-2016-4437
  - https://attackerkb.com/topics/FkiFlo1T9T/cve-2016-4437
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Apache Shiro Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2016-4437
  comments: CVE-2016-4437 is a code execution vulnerability in Apache Shiro that allows
    remote attackers to execute code or bypass access restrictions via an unspecified
    request parameter when a cipher key has not been configured for the "remember
    me" feature.
  mapping_type: primary_impact
  references:
  - https://s4e.io/tools/apache-shiro-remote-code-execution-rce-cve-2016-4437
  - https://attackerkb.com/topics/FkiFlo1T9T/cve-2016-4437
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Apache HTTP Server Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2021-42013
  comments: CVE-2021-42013 stems from the fix for CVE-2021-41773 shipped in Apache
    HTTP Server 2.4.50, which was incomplete. CVE-2021-42013 is a path traversal vulnerability
    in Apache HTTP Server 2.4.49 that allows an attacker to map URLs to files outside
    the directories configured by Alias-like directives. If files outside of these directories
    are not protected by the usual default configuration "require all denied," these
    requests can succeed. If CGI scripts are also enabled for these aliased paths, this
    could allow for remote code execution.
  mapping_type: exploitation_technique
  references:
  - https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013
  - https://github.com/battleoverflow/apache-traversal
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Apache HTTP Server Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2021-42013
  comments: CVE-2021-42013 stems from the fix for CVE-2021-41773 shipped in Apache
    HTTP Server 2.4.50, which was incomplete. CVE-2021-42013 is a path traversal vulnerability
    in Apache HTTP Server 2.4.49 that allows an attacker to map URLs to files outside
    the directories configured by Alias-like directives. If files outside of these directories
    are not protected by the usual default configuration "require all denied," these
    requests can succeed. If CGI scripts are also enabled for these aliased paths, this
    could allow for remote code execution.
  mapping_type: primary_impact
  references:
  - https://github.com/battleoverflow/apache-traversal
  - https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Apache HTTP Server Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2021-41773
  comments: CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server
    2.4.49 that allows an attacker to map URLs to files outside the directories configured
    by Alias-like directives. If files outside of these directories are not protected
    by the usual default configuration "require all denied," these requests can succeed.
    If CGI scripts are also enabled for these aliased paths, this could allow for
    remote code execution.
  mapping_type: primary_impact
  references:
  - https://github.com/battleoverflow/apache-traversal
  - https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Apache HTTP Server Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2021-41773
  comments: CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server
    2.4.49 that allows an attacker to map URLs to files outside the directories configured
    by Alias-like directives. If files outside of these directories are not protected
    by the usual default configuration "require all denied," these requests can succeed.
    If CGI scripts are also enabled for these aliased paths, this could allow for
    remote code execution.
  mapping_type: exploitation_technique
  references:
  - https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013
  - https://github.com/battleoverflow/apache-traversal
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Mediatek Multiple Chipsets Insufficient Input Validation
    Vulnerability
  capability_group: input_validation
  capability_id: CVE-2020-0069
  comments: CVE-2020-0069 is an insufficient input validation vulnerability in multiple
    MediaTek chipsets that, combined with missing SELinux restrictions in the Command
    Queue drivers' ioctl handlers, allows an adversary to perform an out-of-bounds
    write leading to privilege escalation.
  mapping_type: exploitation_technique
  references:
  - https://secalerts.co/vulnerability/CVE-2020-0069
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2020-5735
  comments: CVE-2020-5735 is a stack-based buffer overflow vulnerability in Amcrest
    cameras and NVR that allows an authenticated remote attacker to possibly execute
    unauthorized code over port 37777 and crash the device.
  mapping_type: primary_impact
  references:
  - https://www.tenable.com/security/research/tra-2020-20
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Amcrest Cameras and NVR Stack-based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2020-5735
  comments: CVE-2020-5735 is a stack-based buffer overflow vulnerability in Amcrest
    cameras and NVR that allows an authenticated remote attacker to possibly execute
    unauthorized code over port 37777 and crash the device.
  mapping_type: secondary_impact
  references:
  - https://www.tenable.com/security/research/tra-2020-20
- attack_object_id: T1007
  attack_object_name: System Service Discovery
  capability_description: Cisco Small Business RV320 and RV325 Routers Information
    Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2019-1653
  comments: CVE-2019-1653 is a critical information disclosure vulnerability affecting
    Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability
    allows unauthenticated, remote attackers to access sensitive information from
    affected devices.
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2019/01/hacking-cisco-routers.html
  - https://therecord.media/cisco-routers-end-of-life-china-espionage-volt-typhoon
- attack_object_id: T1082
  attack_object_name: System Information Discovery
  capability_description: Cisco Small Business RV320 and RV325 Routers Information
    Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2019-1653
  comments: CVE-2019-1653 is a critical information disclosure vulnerability affecting
    Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability
    allows unauthenticated, remote attackers to access sensitive information from
    affected devices.
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2019/01/hacking-cisco-routers.html
  - https://therecord.media/cisco-routers-end-of-life-china-espionage-volt-typhoon
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Cisco Small Business RV320 and RV325 Routers Information
    Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2019-1653
  comments: CVE-2019-1653 is a critical information disclosure vulnerability affecting
    Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers. This vulnerability
    allows unauthenticated, remote attackers to access sensitive information from
    affected devices.
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2019/01/hacking-cisco-routers.html
  - https://therecord.media/cisco-routers-end-of-life-china-espionage-volt-typhoon
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26360
  comments: This vulnerability gives an adversary access through exploitation of a
    public-facing server.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/sites/default/files/2023-12/aa23-339a-threat-actors-exploit-adobe-coldfusion-cve-2023-26360.pdf
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2013-0625
  comments: This vulnerability is exploited because of password misconfiguration.
  mapping_type: exploitation_technique
  references:
  - https://www.itnews.com.au/news/a-million-drivers-licenses-possibly-stolen-via-coldfusion-hole-342953
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2013-0632
  comments: 'This vulnerability is exploited by logging in with an empty password
    on a misconfigured system. '
  mapping_type: exploitation_technique
  references:
  - https://www.itnews.com.au/news/a-million-drivers-licenses-possibly-stolen-via-coldfusion-hole-342953
  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/5814/adobe-coldfusion-authentication-bypass-vulnerability-cve20130632
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Adobe BlazeDS Information Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2009-3960
  comments: 'This vulnerability is exploited through XML injection or XML external
    entity injection. In-the-wild reporting indicates adversaries have used this exploit
    to establish a web shell on a victim machine.


    The adversary then took actions to cover their tracks, establish persistence, exfiltrate
    Registry data, escalate privileges, move laterally, disable security software,
    and install and run ransomware.'
  mapping_type: primary_impact
  references:
  - https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe BlazeDS Information Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2009-3960
  comments: 'This vulnerability is exploited through XML injection or XML external
    entity injection. In-the-wild reporting indicates adversaries have used this exploit
    to establish a web shell on a victim machine.


    The adversary then took actions to cover their tracks, establish persistence, exfiltrate
    Registry data, escalate privileges, move laterally, disable security software,
    and install and run ransomware.'
  mapping_type: exploitation_technique
  references:
  - https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Adobe Flash Player Cross-Site Scripting (XSS) Vulnerability
  capability_group: xss
  capability_id: CVE-2012-0767
  comments: This cross-site scripting vulnerability has been exploited in the wild
    by enticing a user to click on a link to a malicious website. The attacker can
    then impersonate the user and perform actions such as changing the user's settings
    on the website or accessing the user's webmail.
  mapping_type: exploitation_technique
  references:
  - https://www.jpcert.or.jp/english/at/2012/at120006.html
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Adobe Flash Player Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2016-1019
  comments: This vulnerability is exploited by taking advantage of a flaw in Adobe
    Flash embedded within browsers. In the wild, threat actors have been seen using
    a browser-based exploit kit to deliver the exploit through a drive-by compromise.
    After exploitation, adversaries can install their own malware, including ransomware.
  mapping_type: secondary_impact
  references:
  - https://securityaffairs.com/46107/malware/adobe-fixes-cve-2016-1019.html
  - https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2016-1019
  comments: This vulnerability is exploited by taking advantage of a flaw in Adobe
    Flash embedded within browsers. In the wild, threat actors have been seen using
    a browser-based exploit kit to deliver the exploit through a drive-by compromise.
    After exploitation, adversaries can install their own malware, including ransomware.
  mapping_type: primary_impact
  references:
  - https://securityaffairs.com/46107/malware/adobe-fixes-cve-2016-1019.html
  - https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Flash Player Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2016-1019
  comments: This vulnerability is exploited by taking advantage of a flaw in Adobe
    Flash embedded within browsers. In the wild, threat actors have been seen using
    a browser-based exploit kit to deliver the exploit through a drive-by compromise.
    After exploitation, adversaries can install their own malware, including ransomware.
  mapping_type: exploitation_technique
  references:
  - https://securityaffairs.com/46107/malware/adobe-fixes-cve-2016-1019.html
  - https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Arm Mali GPU Kernel Driver Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-29256
  comments: This vulnerability is exploited by an unprivileged attacker who conducts
    malicious activity in GPU memory to gain access to already-freed memory. If successful,
    the threat actor could escalate their privileges to root as well as gain access
    to sensitive information. Detailed information about how adversaries exploit the
    GPU is not publicly available.
  mapping_type: exploitation_technique
  references:
  - https://vuldb.com/?id.175586
  - https://www.tenable.com/plugins/nessus/178128
  - https://www.lexology.com/library/detail.aspx?g=c57b19cd-73e4-43e2-8034-f7fa78166c63
  - https://source.android.com/docs/security/bulletin/2023-07-01#arm-components
  - https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-google-android-os-could-allow-for-remote-code-execution_2023-072
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Hyper-V Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2024-38080
  comments: This zero-day vulnerability is exploited after an adversary has already
    infiltrated the victim's network and enables the adversary to obtain SYSTEM-level
    privileges via the Microsoft Windows Hyper-V product. As of now, the methods attackers
    use to exploit this vulnerability are undisclosed.
  mapping_type: primary_impact
  references:
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-july-2024/
  - https://thehackernews.com/2024/07/microsofts-july-update-patches-143.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Zoho ManageEngine Multiple Products Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-47966
  comments: 'CVE-2022-47966 is a remote code execution vulnerability that affects
    many ManageEngine products due to misconfiguration of security features. Adversaries
    can utilize this vulnerability to run arbitrary Java code. APTs have been observed
    exploiting this vulnerability to gain access to public-facing applications, establish
    persistence, and move laterally.


    They''ve also been observed to create local user accounts with administrative
    privileges, use valid but disabled user accounts, delete logs, and establish command
    and control communications, among other activity covered in the detailed referenced
    reporting.'
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/sites/default/files/2023-09/aa23-250a-apt-actors-exploit-cve-2022-47966-and-cve-2022-42475_1.pdf
  - https://github.com/horizon3ai/CVE-2022-47966
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Apache Struts Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2018-11776
  comments: CVE-2018-11776 is a remote code execution vulnerability in the Apache
    Struts web application framework that could allow remote attackers to run malicious
    code on the affected servers when alwaysSelectFullNamespace is true and results
    are used with no namespace. Volexity also reports active scanning and attempts
    to exploit CVE-2018-11776 in order to deploy cryptocurrency miners.
  mapping_type: secondary_impact
  references:
  - https://www.volexity.com/blog/2018/08/27/active-exploitation-of-new-apache-struts-vulnerability-cve-2018-11776-deploys-cryptocurrency-miner/
  - https://www.keysight.com/blogs/en/tech/nwvs/2022/06/03/strutting-to-remote-code-execution-anatomy-of-cve-2018-11776
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Apache Struts Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2018-11776
  comments: CVE-2018-11776 is a remote code execution vulnerability in the Apache
    Struts web application framework that could allow remote attackers to run malicious
    code on the affected servers when alwaysSelectFullNamespace is true and results
    are used with no namespace.
  mapping_type: primary_impact
  references:
  - https://www.volexity.com/blog/2018/08/27/active-exploitation-of-new-apache-struts-vulnerability-cve-2018-11776-deploys-cryptocurrency-miner/
  - https://www.keysight.com/blogs/en/tech/nwvs/2022/06/03/strutting-to-remote-code-execution-anatomy-of-cve-2018-11776
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Apache Struts Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2018-11776
  comments: CVE-2018-11776 is a remote code execution vulnerability in the Apache
    Struts web application framework that could allow remote attackers to run malicious
    code on the affected servers when alwaysSelectFullNamespace is true and results
    are used with no namespace.
  mapping_type: exploitation_technique
  references:
  - https://www.volexity.com/blog/2018/08/27/active-exploitation-of-new-apache-struts-vulnerability-cve-2018-11776-deploys-cryptocurrency-miner/
  - https://www.keysight.com/blogs/en/tech/nwvs/2022/06/03/strutting-to-remote-code-execution-anatomy-of-cve-2018-11776
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Apache Struts Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2017-5638
  comments: CVE-2017-5638 is a remote code execution vulnerability in Apache Struts
    versions using the Jakarta Multipart parser that allows malicious file upload using
    Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload
    attempts, enabling an attacker to execute arbitrary commands. This CVE was known
    to be exploited during the Equifax breach.
  mapping_type: secondary_impact
  references:
  - https://securityaffairs.com/63043/hacking/equifax-data-breach.html
  - https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Apache Struts Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2017-5638
  comments: CVE-2017-5638 is a remote code execution vulnerability in Apache Struts
    versions using the Jakarta Multipart parser that allows malicious file upload using
    Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload
    attempts, enabling an attacker to execute arbitrary commands. This CVE was known
    to be exploited during the Equifax breach.
  mapping_type: primary_impact
  references:
  - https://securityaffairs.com/63043/hacking/equifax-data-breach.html
  - https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Apache Struts Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2017-5638
  comments: CVE-2017-5638 is a remote code execution vulnerability in Apache Struts
    versions using the Jakarta Multipart parser that allows malicious file upload using
    Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload
    attempts, enabling an attacker to execute arbitrary commands. This CVE was known
    to be exploited during the Equifax breach.
  mapping_type: exploitation_technique
  references:
  - https://securityaffairs.com/63043/hacking/equifax-data-breach.html
  - https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Apache Struts Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-17530
  comments: CVE-2020-17530 is a remote code execution vulnerability in Apache Struts
    versions 2.0.0 - 2.5.25 that allows an attacker to execute code via forced Object-Graph
    Navigation Language (OGNL) evaluation.
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/db/modules/exploit/multi/http/struts2_multi_eval_ognl/
  - https://blog.qualys.com/vulnerabilities-threat-research/2021/09/21/apache-struts-2-double-ognl-evaluation-vulnerability-cve-2020-17530
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Apache Struts Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-17530
  comments: CVE-2020-17530 is a remote code execution vulnerability in Apache Struts
    versions 2.0.0 - 2.5.25 that allows an attacker to execute arbitrary code via forced
    Object-Graph Navigation Language (OGNL) evaluation on raw user input in tag
    attributes.
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/db/modules/exploit/multi/http/struts2_multi_eval_ognl/
  - https://blog.qualys.com/vulnerabilities-threat-research/2021/09/21/apache-struts-2-double-ognl-evaluation-vulnerability-cve-2020-17530
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Apache Solr VelocityResponseWriter Plug-In Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-17558
  comments: 'CVE-2019-17558 is a vulnerability in Apache Solr that allows for Remote
    Code Execution (RCE) through the VelocityResponseWriter. '
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2023/12/behind-scenes-of-matveevs-ransomware.html
  - https://www.tenable.com/blog/cve-2019-17558-apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Apache Solr VelocityResponseWriter Plug-In Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-17558
  comments: 'CVE-2019-17558 is a vulnerability in Apache Solr that allows for Remote
    Code Execution (RCE) through the VelocityResponseWriter. '
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2023/12/behind-scenes-of-matveevs-ransomware.html
  - https://www.tenable.com/blog/cve-2019-17558-apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Apache HTTP Server Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2019-0211
  comments: CVE-2019-0211 is a privilege escalation vulnerability in Apache HTTP Server
    with MPM event, worker, or prefork that allows an attacker to execute code with
    the privileges of the parent process (usually root).
  mapping_type: exploitation_technique
  references:
  - https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html
  - https://ubuntu.com/security/CVE-2019-0211
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Apache Struts Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2017-9805
  comments: CVE-2017-9805 is a deserialization vulnerability in the Apache Struts
    REST Plugin that could allow an attacker to execute arbitrary commands remotely
    on the affected systems by sending a specially crafted web request to the application.
  mapping_type: primary_impact
  references:
  - https://securityaffairs.com/62746/hacking/struts-cve-2017-9805-flaw.html
  - https://www.rapid7.com/blog/post/2017/09/06/apache-struts-s2-052-cve-2017-9805-what-you-need-to-know/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Apache Struts Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2017-9805
  comments: CVE-2017-9805 is a deserialization vulnerability in the Apache Struts
    REST Plugin that could allow an attacker to execute arbitrary commands remotely
    on the affected systems by sending a specially crafted web request to the application.
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2017/09/06/apache-struts-s2-052-cve-2017-9805-what-you-need-to-know/
  - https://securityaffairs.com/62746/hacking/struts-cve-2017-9805-flaw.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Accellion FTA OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-27104
  comments: CVE-2021-27104 is an operating system command injection vulnerability
    in Accellion File Transfer Appliance that allows an adversary to execute commands
    by sending a specially crafted POST request to the product's administrative endpoint.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
  - https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Accellion FTA OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-27104
  comments: CVE-2021-27104 is an operating system command injection vulnerability
    in Accellion File Transfer Appliance that allows an adversary to execute commands
    by sending a specially crafted POST request to the product's administrative endpoint.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
  - https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Accellion FTA SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2021-27101
  comments: CVE-2021-27101 is a SQL injection vulnerability in Accellion File Transfer
    Appliance that allows an adversary to execute SQL commands.
  mapping_type: secondary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability
  capability_group: ssrf
  capability_id: CVE-2021-27103
  comments: CVE-2021-27103 is a server-side request forgery vulnerability in Accellion
    File Transfer Appliance that allows an adversary to manipulate server requests
    via a crafted POST request.
  mapping_type: secondary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Accellion FTA OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-27102
  comments: CVE-2021-27102 is an operating system command execution vulnerability
    in Accellion File Transfer Appliance that allows an adversary to execute arbitrary
    commands via a local web service call.
  mapping_type: secondary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Accellion FTA OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-27102
  comments: CVE-2021-27102 is an operating system command execution vulnerability
    in Accellion File Transfer Appliance that allows an adversary to execute arbitrary
    commands via a local web service call.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
  - https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability
  capability_group: ssrf
  capability_id: CVE-2021-27103
  comments: CVE-2021-27103 is a server-side request forgery vulnerability in Accellion
    File Transfer Appliance that allows an adversary to manipulate server-side
    requests via a crafted POST request.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Accellion FTA OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-27102
  comments: CVE-2021-27102 is an operating system command execution vulnerability
    in Accellion File Transfer Appliance that allows an adversary to execute arbitrary
    commands via a local web service call.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Accellion FTA SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2021-27101
  comments: CVE-2021-27101 is a SQL injection vulnerability in Accellion File Transfer
    Appliance that allows an adversary to execute SQL commands.
  mapping_type: primary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Accellion FTA OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-27104
  comments: CVE-2021-27104 is an operating system command injection vulnerability
    in Accellion File Transfer Appliance that allows an adversary to execute commands
    by sending a specially crafted POST request to the product's administrative endpoint.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Adobe Acrobat and Reader Double Free Vulnerability
  capability_group: pointer_vuln
  capability_id: CVE-2018-4990
  comments: This vulnerability is exploited via embedded JavaScript within a user-opened
    malicious PDF. There are two mapped exploitation_techniques for this CVE.
  mapping_type: exploitation_technique
  references:
  - https://srcincite.io/blog/2018/05/21/adobe-me-and-a-double-free.html
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Double Free Vulnerability
  capability_group: pointer_vuln
  capability_id: CVE-2018-4990
  comments: This vulnerability is exploited via embedded JavaScript within a user-opened
    malicious PDF. There are two mapped exploitation_techniques for this CVE.
  mapping_type: exploitation_technique
  references:
  - https://srcincite.io/blog/2018/05/21/adobe-me-and-a-double-free.html
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2007-5659
  comments: This vulnerability is exploited via a malicious PDF file in order to execute
    arbitrary code.
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/db/modules/exploit/windows/fileformat/adobe_collectemailinfo/
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2018-4878
  comments: 'The exploitation technique for this vulnerability is based on a vulnerability
    in client software. In the wild, this was seen to be exploited via a malicious
    Excel file.


    The observed goals of this exploit from Group 123 are remote access and data exfiltration.'
  mapping_type: secondary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/attacks-leveraging-adobe-zero-day-cve-2018-4878-threat-attribution-attack-scenario-and-recommendations/
  - https://blog.talosintelligence.com/group-123-goes-wild/
- attack_object_id: T1219
  attack_object_name: Remote Access Software
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2018-4878
  comments: 'The exploitation technique for this vulnerability is based on a vulnerability
    in client software. In the wild, this was seen to be exploited via a malicious
    Excel file.


    The observed goals of this exploit from Group 123 are remote access and data exfiltration.


    Installation of the remote access software could allow for a number of different
    secondary impacts. See the MITRE ATT&CK reference on the DOGCALL software for
    more information.'
  mapping_type: primary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/attacks-leveraging-adobe-zero-day-cve-2018-4878-threat-attribution-attack-scenario-and-recommendations/
  - https://blog.talosintelligence.com/group-123-goes-wild/
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2018-4878
  comments: 'The exploitation technique for this vulnerability is based on a vulnerability
    in client software. In the wild, this was seen to be exploited via a malicious
    Excel file.


    The observed goals of this exploit from Group 123 are remote access and data exfiltration.'
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/attacks-leveraging-adobe-zero-day-cve-2018-4878-threat-attribution-attack-scenario-and-recommendations/
  - https://blog.talosintelligence.com/group-123-goes-wild/
- attack_object_id: T1491.002
  attack_object_name: External Defacement
  capability_description: Adobe ColdFusion Unrestricted File Upload Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2018-15961
  comments: In the wild, this CVE was seen to result in defacement.
  mapping_type: primary_impact
  references:
  - https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/
  - https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Unrestricted File Upload Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2018-15961
  comments: 'This vulnerability is exploited by uploading a file to a public-facing
    ColdFusion server. '
  mapping_type: exploitation_technique
  references:
  - https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/
  - https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2018-4939
  comments: As referenced in the attached report, T1190 is a known impact of this
    exploit.
  mapping_type: primary_impact
  references:
  - https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2018-4939
  comments: As referenced in the attached report, T1133 is a known impact of this
    exploit.
  mapping_type: primary_impact
  references:
  - https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2018-4939
  comments: This deserialization vulnerability allows adversaries to insert their
    own objects into client software for potential execution.
  mapping_type: exploitation_technique
  references:
  - https://helpx.adobe.com/security/products/coldfusion/apsb18-14.html
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-28550
  comments: This exploit requires a user to open a malicious file. It can then result
    in execution of arbitrary code which could have any number of impacts.
  mapping_type: exploitation_technique
  references:
  - https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2021-21017
  comments: This exploit requires a user to open a malicious file. It can then result
    in execution of arbitrary code which could have any number of impacts.
  mapping_type: exploitation_technique
  references:
  - https://helpx.adobe.com/security/products/acrobat/apsb21-09.html
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: Microsoft Desktop Window Manager (DWM) Core Library Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-33739
  comments: Local escalation of privilege attack. Attacker would most likely gain
    access through an executable or script on the local computer sent to the user
    via an email attachment.
  mapping_type: exploitation_technique
  references:
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-33739
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Desktop Window Manager (DWM) Core Library Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-33739
  comments: Local escalation of privilege attack. Attacker would most likely gain
    access through an executable or script on the local computer sent to the user
    via an email attachment.
  mapping_type: primary_impact
  references:
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-33739
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: GitLab Community and Enterprise Editions Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22205
  comments: CVE-2021-22205 is a remote code execution vulnerability in GitLab Community
    and Enterprise Editions. Threat actors have been reported to actively exploit
    the flaw to co-opt unpatched GitLab servers into a botnet and launch
    distributed denial of service (DDoS) attacks.
  mapping_type: primary_impact
  references:
  - https://therecord.media/gitlab-servers-are-being-exploited-in-ddos-attacks-in-excess-of-1-tbps
  - https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: GitLab Community and Enterprise Editions Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22205
  comments: 'CVE-2021-22205 is a critical remote code execution vulnerability allowing
    unauthenticated attackers to execute arbitrary commands on affected systems. The
    vulnerability was reported to be actively exploited to assemble botnets and
    launch large-scale distributed denial of service (DDoS) attacks.'
  mapping_type: exploitation_technique
  references:
  - https://therecord.media/gitlab-servers-are-being-exploited-in-ddos-attacks-in-excess-of-1-tbps
  - https://www.bleepingcomputer.com/news/security/over-30-000-gitlab-servers-still-unpatched-against-critical-bug/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Citrix Workspace Application and Receiver for Windows Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-11634
  comments: 'CVE-2019-11634 is a remote code execution vulnerability in Citrix Workspace
    Application and Receiver for Windows.'
  mapping_type: secondary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Citrix Workspace Application and Receiver for Windows Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-11634
  comments: 'CVE-2019-11634 is a remote code execution vulnerability in Citrix Workspace
    Application and Receiver for Windows.'
  mapping_type: secondary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Citrix StoreFront Server XML External Entity (XXE) Processing
    Vulnerability
  capability_group: xxe
  capability_id: CVE-2019-13608
  comments: 'CVE-2019-13608 is an XML External Entity (XXE) processing vulnerability
    that may allow an unauthenticated attacker to retrieve potentially sensitive information.'
  mapping_type: secondary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Citrix Workspace Application and Receiver for Windows Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-11634
  comments: 'CVE-2019-11634 is a remote code execution vulnerability in Citrix Workspace
    Application and Receiver for Windows.'
  mapping_type: secondary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Citrix Workspace Application and Receiver for Windows Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-11634
  comments: 'CVE-2019-11634 is a remote code execution vulnerability in Citrix Workspace
    Application and Receiver for Windows.'
  mapping_type: secondary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Citrix StoreFront Server XML External Entity (XXE) Processing
    Vulnerability
  capability_group: xxe
  capability_id: CVE-2019-13608
  comments: 'CVE-2019-13608 is an XML External Entity (XXE) processing vulnerability
    that may allow an unauthenticated attacker to retrieve potentially sensitive information.'
  mapping_type: secondary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Citrix Workspace Application and Receiver for Windows Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-11634
  comments: This vulnerability in Citrix Receiver for Windows may allow an attacker to gain
    read/write access to the client's local drives, potentially enabling code execution
    on the client device, such as deploying ransomware.
  mapping_type: primary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Citrix StoreFront Server XML External Entity (XXE) Processing
    Vulnerability
  capability_group: xxe
  capability_id: CVE-2019-13608
  comments: 'CVE-2019-13608 is an XML External Entity (XXE) processing vulnerability
    that may allow an unauthenticated attacker to retrieve potentially sensitive information.'
  mapping_type: secondary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Citrix StoreFront Server XML External Entity (XXE) Processing
    Vulnerability
  capability_group: xxe
  capability_id: CVE-2019-13608
  comments: 'CVE-2019-13608 is an XML External Entity (XXE) processing vulnerability
    that may allow an unauthenticated attacker to retrieve potentially sensitive information.'
  mapping_type: secondary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Citrix StoreFront Server XML External Entity (XXE) Processing
    Vulnerability
  capability_group: xxe
  capability_id: CVE-2019-13608
  comments: 'CVE-2019-13608 is an XML External Entity (XXE) processing vulnerability
    that may allow an unauthenticated attacker to retrieve potentially sensitive information.'
  mapping_type: primary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Cisco Adaptive Security Appliance (ASA) Denial-of-Service
    Vulnerability
  capability_group: dos
  capability_id: CVE-2018-0296
  comments: CVE-2018-0296 is a critical vulnerability in the web interface of Cisco
    Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software.
    This vulnerability allows an unauthenticated, remote attacker to perform directory
    traversal attacks and access sensitive system information.
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/sea-turtle-campaign-focuses-on-dns-hijacking-to-compromise-targets/
  - https://research.securitum.com/description-of-cve-2018-0296-error-bypassing-authorization-in-cisco-asa-web-interface/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Cisco Adaptive Security Appliance (ASA) Denial-of-Service
    Vulnerability
  capability_group: dos
  capability_id: CVE-2018-0296
  comments: CVE-2018-0296 is a critical vulnerability in the web interface of Cisco
    Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software.
    This vulnerability allows an unauthenticated, remote attacker to perform directory
    traversal attacks and access sensitive system information.
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/sea-turtle-campaign-focuses-on-dns-hijacking-to-compromise-targets/
  - https://research.securitum.com/description-of-cve-2018-0296-error-bypassing-authorization-in-cisco-asa-web-interface/
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Cisco HyperFlex HX Data Platform Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-1498
  comments: CVE-2021-1498 is a critical vulnerability in the web-based management
    interface of Cisco HyperFlex HX Data Platform. This vulnerability allows an unauthenticated,
    remote attacker to perform a command injection attack against an affected device.
  mapping_type: exploitation_technique
  references:
  - https://blog.checkpoint.com/2022/10/13/nsa-cisa-fbi-alert-on-top-cves-actively-exploited-by-peoples-republic-of-china-state-sponsored-cyber-actors-check-point-customers-remain-fully-protected/
  - https://www.rapid7.com/db/vulnerabilities/cisco-hyperflex-hx-cisco-sa-hyperflex-rce-tjjnrkpr/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Cisco HyperFlex HX Data Platform Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-1498
  comments: CVE-2021-1498 is a critical vulnerability in the web-based management
    interface of Cisco HyperFlex HX Data Platform. This vulnerability allows an unauthenticated,
    remote attacker to perform a command injection attack against an affected device.
  mapping_type: primary_impact
  references:
  - https://blog.checkpoint.com/2022/10/13/nsa-cisa-fbi-alert-on-top-cves-actively-exploited-by-peoples-republic-of-china-state-sponsored-cyber-actors-check-point-customers-remain-fully-protected/
  - https://www.rapid7.com/db/vulnerabilities/cisco-hyperflex-hx-cisco-sa-hyperflex-rce-tjjnrkpr/
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Cisco HyperFlex HX Installer Virtual Machine Command Injection
    Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-1497
  comments: CVE-2021-1497 is a critical vulnerability in the web-based management
    interface of Cisco HyperFlex HX Installer Virtual Machine. This vulnerability
    allows an unauthenticated, remote attacker to perform a command injection attack
    against an affected device.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a
  - https://www.rapid7.com/db/vulnerabilities/cisco-hyperflex-hx-cisco-sa-hyperflex-rce-tjjnrkpr/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Cisco HyperFlex HX Installer Virtual Machine Command Injection
    Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-1497
  comments: CVE-2021-1497 is a critical vulnerability in the web-based management
    interface of Cisco HyperFlex HX Installer Virtual Machine. This vulnerability
    allows an unauthenticated, remote attacker to perform a command injection attack
    against an affected device.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-279a
  - https://www.rapid7.com/db/vulnerabilities/cisco-hyperflex-hx-cisco-sa-hyperflex-rce-tjjnrkpr/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2016-4117
  comments: The vulnerability is exploited by a user opening a maliciously crafted
    file. Reporting on in-the-wild exploitation indicates threat actors used this
    vulnerability to install command and control software on the target system. Adversaries
    seen exploiting this vulnerability were also observed to check the version of
    the target software before attempting exploitation.
  mapping_type: primary_impact
  references:
  - https://blog.morphisec.com/flash-vulnerability-cve-2016-4117
  - https://blog.sonicwall.com/en-us/2016/05/recent-flash-zero-day-cve-2016-4117-attacks-spotted-in-the-wild-may-242016/
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2016-4117
  comments: The vulnerability is exploited by a user opening a maliciously crafted
    file. Reporting on in-the-wild exploitation indicates threat actors used this
    vulnerability to install command and control software on the target system. Adversaries
    seen exploiting this vulnerability were also observed to check the version of
    the target software before attempting exploitation.
  mapping_type: exploitation_technique
  references:
  - https://blog.morphisec.com/flash-vulnerability-cve-2016-4117
  - https://blog.sonicwall.com/en-us/2016/05/recent-flash-zero-day-cve-2016-4117-attacks-spotted-in-the-wild-may-242016/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player and AIR Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2016-0984
  comments: 'This use-after-free vulnerability is exploited by having the user open
    a maliciously-crafted file.


    This CVE was observed to be exploited by the threat actor known as BlackOasis.
    The threat actor then installs command and control tools.'
  mapping_type: primary_impact
  references:
  - https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/
  - https://www.zero-day.cz/database/468/
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player and AIR Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2016-0984
  comments: 'This use-after-free vulnerability is exploited by having the user open
    a maliciously-crafted file.


    This CVE was observed to be exploited by the threat actor known as BlackOasis.'
  mapping_type: exploitation_technique
  references:
  - https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/
  - https://www.zero-day.cz/database/468/
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Adobe Flash Player and AIR Integer Overflow Vulnerability
  capability_group: int_overflow
  capability_id: CVE-2016-1010
  comments: This vulnerability is triggered by an integer overflow when Flash Player or
    AIR processes maliciously crafted content, allowing an adversary to hijack execution flow.
  mapping_type: exploitation_technique
  references:
  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/7007/adobe-flash-player-integer-overflow-vulnerability-cve20161010
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Adobe Commerce and Magento Open Source Improper Restriction
    of XML External Entity Reference (XXE) Vulnerability
  capability_group: xxe
  capability_id: CVE-2024-34102
  comments: This vulnerability is exploited by sending a crafted XML document that
    references external entities with the likely goal of accessing local data.
  mapping_type: secondary_impact
  references:
  - https://www.assetnote.io/resources/research/why-nested-deserialization-is-harmful-magento-xxe-cve-2024-34102
  - https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Adobe Commerce and Magento Open Source Improper Restriction
    of XML External Entity Reference (XXE) Vulnerability
  capability_group: xxe
  capability_id: CVE-2024-34102
  comments: This vulnerability is exploited by sending a crafted XML document that
    references external entities with the likely goal of accessing local data.
  mapping_type: primary_impact
  references:
  - https://www.assetnote.io/resources/research/why-nested-deserialization-is-harmful-magento-xxe-cve-2024-34102
  - https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe Commerce and Magento Open Source Improper Restriction
    of XML External Entity Reference (XXE) Vulnerability
  capability_group: xxe
  capability_id: CVE-2024-34102
  comments: This vulnerability is exploited by sending a crafted XML document that
    references external entities with the likely goal of accessing local data.
  mapping_type: exploitation_technique
  references:
  - https://www.assetnote.io/resources/research/why-nested-deserialization-is-harmful-magento-xxe-cve-2024-34102
  - https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe Commerce and Magento Open Source Improper Input Validation
    Vulnerability
  capability_group: input_validation
  capability_id: CVE-2022-24086
  comments: This vulnerability can be exploited via a public-facing e-commerce application
    in order to achieve remote code execution. To evade detection, the exploit segment
    responsible for downloading and executing the remote malicious PHP code is obfuscated.
  mapping_type: exploitation_technique
  references:
  - https://www.akamai.com/blog/security-research/new-sophisticated-magento-campaign-xurum-webshell#:~:text=In%20early%202022%2C%20the%20CVE,PHP%20code%20on%20susceptible%20targets.
  - https://sansec.io/research/magento-2-cve-2022-24086
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Information Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2013-0631
  comments: This vulnerability is exploited via a public-facing application. The adversary
    can use this vulnerability to gain access to victim host information.
  mapping_type: exploitation_technique
  references:
  - https://vuldb.com/?id.7234
- attack_object_id: T1592
  attack_object_name: Gather Victim Host Information
  capability_description: Adobe ColdFusion Information Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2013-0631
  comments: This vulnerability is exploited via a public-facing application. The adversary
    can use this vulnerability to gain access to victim host information.
  mapping_type: primary_impact
  references:
  - https://vuldb.com/?id.7234
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Improper Access Control Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-38205
  comments: CVE-2023-38205 is a vulnerability that is the result of an incomplete
    patch of CVE-2023-29298. An adversary remains able to exploit the public-facing
    application as a result of this vulnerability.
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion-access-control-bypass-fixed/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Improper Access Control Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-29298
  comments: This vulnerability is exploited via a public-facing application through
    a flaw in URL path validation.
  mapping_type: exploitation_technique
  references:
  - https://research.splunk.com/stories/adobe_coldfusion_arbitrary_code_execution_cve-2023-29298_cve-2023-26360/
- attack_object_id: T1217
  attack_object_name: Browser Information Discovery
  capability_description: Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability
  capability_group: xss
  capability_id: CVE-2020-3580
  comments: 'CVE-2020-3580 is a vulnerability affecting the web services interface
    of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat
    Defense (FTD) Software. An attacker could exploit this vulnerability by persuading
    a user of the interface to click a crafted link to execute arbitrary script
    code within the interface or access sensitive browser-based information.'
  mapping_type: secondary_impact
  references:
  - https://securityaffairs.com/119442/hacking/cisco-asa-under-attack.html
  - https://www.bleepingcomputer.com/news/security/cisco-asa-vulnerability-actively-exploited-after-exploit-released/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability
  capability_group: xss
  capability_id: CVE-2020-3580
  comments: 'CVE-2020-3580 is a vulnerability affecting the web services interface
    of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat
    Defense (FTD) Software. An attacker could exploit this vulnerability by persuading
    a user of the interface to click a crafted link to execute arbitrary script
    code within the interface or access sensitive browser-based information.'
  mapping_type: primary_impact
  references:
  - https://securityaffairs.com/119442/hacking/cisco-asa-under-attack.html
  - https://www.bleepingcomputer.com/news/security/cisco-asa-vulnerability-actively-exploited-after-exploit-released/
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability
  capability_group: xss
  capability_id: CVE-2020-3580
  comments: 'CVE-2020-3580 is a vulnerability affecting the web services interface
    of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat
    Defense (FTD) Software. An attacker could exploit this vulnerability by persuading
    a user of the interface to click a crafted link to execute arbitrary script
    code within the interface or access sensitive browser-based information.'
  mapping_type: exploitation_technique
  references:
  - https://securityaffairs.com/119442/hacking/cisco-asa-under-attack.html
  - https://www.bleepingcomputer.com/news/security/cisco-asa-vulnerability-actively-exploited-after-exploit-released/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Cisco ASA and FTD Read-Only Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2020-3452
  comments: CVE-2020-3452 is a vulnerability in the web services interface of Cisco
    Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense
    (FTD) Software that could allow an unauthenticated remote attacker to conduct
    directory traversal attacks and read sensitive files on a targeted system.
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/blog/post/2020/07/23/cve-2020-3452-cisco-asa-firepower-read-only-path-traversal-vulnerability-what-you-need-to-know/
  - https://www.helpnetsecurity.com/2020/07/27/cve-2020-3452-exploited/
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Cisco ASA and FTD Read-Only Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2020-3452
  comments: CVE-2020-3452 is a vulnerability in the web services interface of Cisco
    Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense
    (FTD) Software that could allow an unauthenticated remote attacker to conduct
    directory traversal attacks and read sensitive files on a targeted system.
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2020/07/23/cve-2020-3452-cisco-asa-firepower-read-only-path-traversal-vulnerability-what-you-need-to-know/
  - https://www.helpnetsecurity.com/2020/07/27/cve-2020-3452-exploited/
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: BQE BillQuick Web Suite SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2021-42258
  comments: CVE-2021-42258 is a SQL injection vulnerability in BillQuick Web Suite
    that allows attackers to execute arbitrary SQL commands on the database server.
  mapping_type: secondary_impact
  references:
  - https://therecord.media/hackers-use-sql-injection-bug-in-billquick-billing-app-to-deploy-ransomware
  - https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: BQE BillQuick Web Suite SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2021-42258
  comments: CVE-2021-42258 is a SQL injection vulnerability in BillQuick Web Suite
    that allows attackers to execute arbitrary SQL commands on the database server.
  mapping_type: primary_impact
  references:
  - https://therecord.media/hackers-use-sql-injection-bug-in-billquick-billing-app-to-deploy-ransomware
  - https://www.huntress.com/blog/threat-advisory-hackers-are-exploiting-a-vulnerability-in-popular-billing-software-to-deploy-ransomware
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Atlassian Confluence Server and Data Center Server-Side
    Template Injection Vulnerability
  capability_group: inject
  capability_id: CVE-2019-3396
  comments: 'CVE-2019-3396 is a critical server-side template injection vulnerability
    in Atlassian Confluence Server and Data Center that could lead to remote code
    execution.'
  mapping_type: secondary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/game-over-detecting-and-stopping-an-apt41-operation/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: Atlassian Confluence Server and Data Center Server-Side
    Template Injection Vulnerability
  capability_group: inject
  capability_id: CVE-2019-3396
  comments: 'CVE-2019-3396 is a critical server-side template injection vulnerability
    in Atlassian Confluence Server and Data Center that could lead to remote code
    execution.'
  mapping_type: primary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/game-over-detecting-and-stopping-an-apt41-operation/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Atlassian Confluence Server and Data Center Server-Side
    Template Injection Vulnerability
  capability_group: inject
  capability_id: CVE-2019-3396
  comments: 'CVE-2019-3396 is a critical server-side template injection vulnerability
    in Atlassian Confluence Server and Data Center that could lead to remote code
    execution.'
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/game-over-detecting-and-stopping-an-apt41-operation/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Atlassian Crowd and Crowd Data Center Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-11580
  comments: CVE-2019-11580 is a critical vulnerability affecting Atlassian Crowd and
    Crowd Data Center that allows attackers to achieve remote code execution by sending
    specially crafted requests that install malicious plugins on vulnerable Crowd instances.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
  - https://www.radware.com/getmedia/84448a60-25dd-4089-a5ee-70d63ae8e446/Advisory-The-FireEye-Hack-002-2.aspx
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Atlassian Confluence Server and Data Center Object-Graph
    Navigation Language (OGNL) Injection Vulnerability
  capability_group: inject
  capability_id: CVE-2021-26084
  comments: CVE-2021-26084 is a critical vulnerability affecting Atlassian Confluence
    Server and Data Center that allows unauthenticated remote code execution. This
    Object-Graph Navigation Language (OGNL) injection vulnerability enables attackers
    to execute arbitrary code on vulnerable Confluence instances.
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html
  - https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Atlassian Confluence Server and Data Center Object-Graph
    Navigation Language (OGNL) Injection Vulnerability
  capability_group: inject
  capability_id: CVE-2021-26084
  comments: CVE-2021-26084 is a critical vulnerability affecting Atlassian Confluence
    Server and Data Center that allows unauthenticated remote code execution. This
    Object-Graph Navigation Language (OGNL) injection vulnerability enables attackers
    to execute arbitrary code on vulnerable Confluence instances.
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html
  - https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Atlassian Confluence Server and Data Center Path Traversal
    Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2019-3398
  comments: CVE-2019-3398 is a path traversal vulnerability in Atlassian Confluence
    Server and Data Center that allows an authenticated attacker to write files to
    arbitrary locations, potentially leading to remote code execution.
  mapping_type: primary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/unauthorized-access-of-fireeye-red-team-tools/
  - https://www.radware.com/getmedia/84448a60-25dd-4089-a5ee-70d63ae8e446/Advisory-The-FireEye-Hack-002-2.aspx
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Atlassian Confluence Server and Data Center Path Traversal
    Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2019-3398
  comments: CVE-2019-3398 is a path traversal vulnerability in Atlassian Confluence
    Server and Data Center that allows an authenticated attacker to write files to
    arbitrary locations, potentially leading to remote code execution.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/unauthorized-access-of-fireeye-red-team-tools/
  - https://www.radware.com/getmedia/84448a60-25dd-4089-a5ee-70d63ae8e446/Advisory-The-FireEye-Hack-002-2.aspx
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Adobe ColdFusion Directory Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2010-2861
  comments: This is the exploitation of a public-facing server. In-the-wild reporting
    documents that exploitation of this vulnerability was used to install a webshell
    on the victim machine, which was then used to capture and exfiltrate client credit
    card information.
  mapping_type: secondary_impact
  references:
  - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/coldfusion-admin-compromise-analysis-cve-2010-2861/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe ColdFusion Directory Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2010-2861
  comments: This is the exploitation of a public-facing server. In-the-wild reporting
    documents that exploitation of this vulnerability was used to install a webshell
    on the victim machine, which was then used to capture and exfiltrate client credit
    card information.
  mapping_type: primary_impact
  references:
  - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/coldfusion-admin-compromise-analysis-cve-2010-2861/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Directory Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2010-2861
  comments: This is the exploitation of a public-facing server. In-the-wild reporting
    documents that exploitation of this vulnerability was used to install a webshell
    on the victim machine, which was then used to capture and exfiltrate client credit
    card information.
  mapping_type: exploitation_technique
  references:
  - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/coldfusion-admin-compromise-analysis-cve-2010-2861/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Directory Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2013-0629
  comments: This is an exploitation of a public-facing server due to password misconfiguration.
    Exploitation allows attackers to access restricted directories.
  mapping_type: exploitation_technique
  references:
  - https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=34403
  - https://www.exploit-db.com/exploits/24946
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-38203
  comments: This vulnerability is exploited via a public-facing application. APT groups
    have used this exploit to deploy webshells.
  mapping_type: primary_impact
  references:
  - https://threatprotect.qualys.com/2023/07/18/adobe-coldfusion-vulnerabilities-exploited-in-the-attacks-in-dropping-webshell-cve-2023-29298-cve-2023-29300-and-cve-2023-38203/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-38203
  comments: This vulnerability is exploited via a public-facing application. APT groups
    have used this exploit to deploy webshells.
  mapping_type: exploitation_technique
  references:
  - https://threatprotect.qualys.com/2023/07/18/adobe-coldfusion-vulnerabilities-exploited-in-the-attacks-in-dropping-webshell-cve-2023-29298-cve-2023-29300-and-cve-2023-38203/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-29300
  comments: This vulnerability is exploited via a public-facing application. APT groups
    have used this exploit to deploy webshells.
  mapping_type: primary_impact
  references:
  - https://teamt5.org/en/posts/alerts-of-exploiting-adobe-cold-fusion-cve-2023-29300/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-29300
  comments: This vulnerability is exploited via a public-facing application. APT groups
    have used this exploit to deploy webshells.
  mapping_type: exploitation_technique
  references:
  - https://teamt5.org/en/posts/alerts-of-exploiting-adobe-cold-fusion-cve-2023-29300/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-26359
  comments: This vulnerability is exploited via a public-facing server.
  mapping_type: exploitation_technique
  references:
  - https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability
  capability_group: other
  capability_id: CVE-2009-1862
  comments: This vulnerability is exploited through a user opening a maliciously-crafted
    pdf file or swf file.
  mapping_type: exploitation_technique
  references:
  - https://www.suse.com/security/cve/CVE-2009-1862.html
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2023-21608
  comments: This vulnerability is exploited by having a user open a maliciously-crafted
    pdf file, which can result in arbitrary code execution.
  mapping_type: exploitation_technique
  references:
  - https://hacksys.io/blogs/adobe-reader-resetform-cagg-rce-cve-2023-21608
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2009-4324
  comments: This vulnerability is exploited by having the user open a maliciously-crafted
    pdf file. In the wild, this has been observed to result in a malicious actor installing
    a custom executable on the victim's machine, and establishing communications.
  mapping_type: exploitation_technique
  references:
  - https://trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/15/adobe-reader-and-acrobat-cve20094324-vulnerability
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Adobe Acrobat and Reader Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2009-4324
  comments: This vulnerability is exploited by having the user open a maliciously-crafted
    pdf file. In the wild, this has been observed to result in a malicious actor installing
    a custom executable on the victim's machine, and establishing communications.
  mapping_type: primary_impact
  references:
  - https://trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/15/adobe-reader-and-acrobat-cve20094324-vulnerability
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Unspecified Vulnerability
  capability_group: other
  capability_id: CVE-2008-0655
  comments: This vulnerability is exploited by having a user open a maliciously-crafted
    pdf file.
  mapping_type: exploitation_technique
  references:
  - https://www.tenable.com/plugins/nessus/30200
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Universal 3D Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2009-3953
  comments: This vulnerability is exploited by having a user open a maliciously-crafted
    pdf file.
  mapping_type: exploitation_technique
  references:
  - https://eromang.zataz.com/2011/02/06/cve-2009-3953-adobe-acrobat-u3d-clodprogressivemeshdeclaration-array-overrun/
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Universal 3D Memory Corruption
    Vulnerability
  capability_group: memory_mgmt
  capability_id: CVE-2011-2462
  comments: This vulnerability is exploited by having the user open a malicious pdf
    file to achieve arbitrary code execution.
  mapping_type: exploitation_technique
  references:
  - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/inside-adobe-reader-zero-day-exploit-cve-2011-2462/
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2010-2883
  comments: This vulnerability is exploited by the user opening a malicious pdf file
    to achieve arbitrary code execution.
  mapping_type: exploitation_technique
  references:
  - https://www.exploit-db.com/exploits/16619
- attack_object_id: T1497
  attack_object_name: Virtualization/Sandbox Evasion
  capability_description: Adobe Acrobat and Reader Sandbox Bypass Vulnerability
  capability_group: sandbox_bypass
  capability_id: CVE-2014-0546
  comments: This vulnerability allows an adversary to bypass sandbox protection and
    run native code.
  mapping_type: primary_impact
  references:
  - https://securelist.com/cve-2014-0546-used-in-targeted-attacks-adobe-reader-update/65577/
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability
  capability_group: oob
  capability_id: CVE-2023-26369
  comments: 'This vulnerability is exploited through a user opening a malicious PDF
    file.'
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/db/vulnerabilities/adobe-acrobat-cve-2023-26369/
  - https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2023/CVE-2023-26369.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Atlassian Confluence Server and Data Center Remote Code
    Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26134
  comments: This vulnerability is exploited by placing a payload in the URI of an
    HTTP request to a public-facing server.
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Microsoft Windows Support Diagnostic Tool (MSDT) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-30190
  comments: This vulnerability is exploited through a maliciously crafted Word document,
    which downloads HTML that then runs commands on the target machine and has been
    seen to download additional payloads on target machines.
  mapping_type: primary_impact
  references:
  - https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
  - https://www.hackthebox.com/blog/cve-2022-30190-follina-explained
  - https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Microsoft Windows Support Diagnostic Tool (MSDT) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-30190
  comments: This vulnerability is exploited through a maliciously crafted Word document,
    which downloads HTML that then runs commands on the target machine and has been
    seen to download additional payloads on target machines.
  mapping_type: exploitation_technique
  references:
  - https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
  - https://www.hackthebox.com/blog/cve-2022-30190-follina-explained
  - https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Reader and Acrobat Input Validation Vulnerability
  capability_group: input_validation
  capability_id: CVE-2008-2992
  comments: This vulnerability is exploited via a maliciously-crafted pdf file.
  mapping_type: exploitation_technique
  references:
  - https://cxsecurity.com/issue/WLB-2008110008
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2010-0188
  comments: This vulnerability is exploited via drive-by download. Malicious software
    is then downloaded onto the target machine.
  mapping_type: primary_impact
  references:
  - https://www.f-secure.com/v-descs/exploit-w32-cve-2010-0188-b.shtml
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2010-0188
  comments: This vulnerability is exploited via drive-by download. Malicious software
    is then downloaded onto the target machine.
  mapping_type: exploitation_technique
  references:
  - https://www.f-secure.com/v-descs/exploit-w32-cve-2010-0188-b.shtml
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Adobe Reader and Acrobat Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2013-0640
  comments: This vulnerability is exploited via a maliciously-crafted pdf delivered
    as an email attachment.
  mapping_type: exploitation_technique
  references:
  - https://www.adobe.com/support/security/advisories/apsa13-02.html
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Adobe Reader Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2013-0641
  comments: This buffer overflow vulnerability is exploited via maliciously crafted
    PDF files delivered via targeted emails. Adversaries use this exploit to deliver
    a remote administration tool with the goal of data exfiltration.
  mapping_type: secondary_impact
  references:
  - https://web.archive.org/web/20150123081503/https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html
  - https://www.adobe.com/support/security/advisories/apsa13-02.html
  - https://ubuntu.com/security/CVE-2013-0641
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Reader Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2013-0641
  comments: This buffer overflow vulnerability is exploited via maliciously crafted
    PDF files delivered via targeted emails. Adversaries use this exploit to deliver
    a remote administration tool with the goal of data exfiltration.
  mapping_type: primary_impact
  references:
  - https://web.archive.org/web/20150123081503/https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html
  - https://www.adobe.com/support/security/advisories/apsa13-02.html
  - https://ubuntu.com/security/CVE-2013-0641
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Reader Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2013-0641
  comments: This buffer overflow vulnerability is exploited via maliciously crafted
    PDF files delivered via targeted emails. Adversaries use this exploit to deliver
    a remote administration tool with the goal of data exfiltration.
  mapping_type: exploitation_technique
  references:
  - https://web.archive.org/web/20150123081503/https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html
  - https://www.adobe.com/support/security/advisories/apsa13-02.html
  - https://ubuntu.com/security/CVE-2013-0641
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Adobe Reader and Acrobat Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2013-3346
  comments: This vulnerability is exploited via maliciously crafted JavaScript.
  mapping_type: exploitation_technique
  references:
  - https://web.archive.org/web/20131208020217/https://www.fireeye.com/blog/technical/cyber-exploits/2013/12/cve-2013-33465065-technical-analysis.html
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Reader and Acrobat Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2014-0496
  comments: This vulnerability is exploited via a maliciously-crafted file.
  mapping_type: exploitation_technique
  references:
  - https://web.archive.org/web/20140731021710/http://www.securitytracker.com/id/1029604
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2016-7855
  comments: This vulnerability is exploited by having users visit a malicious website.
  mapping_type: exploitation_technique
  references:
  - https://exchange.xforce.ibmcloud.com/vulnerabilities/118281
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Adobe Flash Player Type Confusion Vulnerability
  capability_group: type_confusion
  capability_id: CVE-2017-11292
  comments: This vulnerability is exploited using a maliciously crafted Word document
    attached to spearphishing emails. Adversaries have been seen to leverage this
    to install exploit code from their command and control server. This malware then
    performs data collection on the target systems.
  mapping_type: secondary_impact
  references:
  - https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player Type Confusion Vulnerability
  capability_group: type_confusion
  capability_id: CVE-2017-11292
  comments: This vulnerability is exploited using a maliciously-crafted Word document
    attached to spearphishing emails. Adversaries have been seen to leverage this
    to download and install additional malicious code from their command and control
    server. This malware then performs data collection on the target systems.
  mapping_type: primary_impact
  references:
  - https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Adobe Flash Player Type Confusion Vulnerability
  capability_group: type_confusion
  capability_id: CVE-2017-11292
  comments: This vulnerability is exploited using a maliciously-crafted Word document
    attached to spearphishing emails. Adversaries have been seen to leverage this
    to download and install additional malicious code from their command and control
    server. This malware then performs data collection on the target systems.
  mapping_type: exploitation_technique
  references:
  - https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Type Confusion Vulnerability
  capability_group: type_confusion
  capability_id: CVE-2017-11292
  comments: This vulnerability is exploited using a maliciously-crafted Word document
    attached to spearphishing emails. Adversaries have been seen to leverage this
    to download and install additional malicious code from their command and control
    server. This malware then performs data collection on the target systems.
  mapping_type: exploitation_technique
  references:
  - https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2018-15982
  comments: This vulnerability is exploited via a maliciously-crafted Word document,
    which then extracts the adversary's RAT tool.
  mapping_type: primary_impact
  references:
  - https://securityaffairs.com/78712/hacking/cve-2018-15982-flash-zero-day.html
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2018-15982
  comments: This vulnerability is exploited via a maliciously-crafted Word document,
    which then extracts the adversary's RAT tool.
  mapping_type: exploitation_technique
  references:
  - https://securityaffairs.com/78712/hacking/cve-2018-15982-flash-zero-day.html
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2010-1297
  comments: 'This vulnerability is exploited by crafted swf content via drive-by compromise
    when a user visits a malicious website.


    This vulnerability is also exploited via user execution of a maliciously crafted
    pdf file.


    In the wild, threat actors have used this to download malicious software onto
    the target system.'
  mapping_type: primary_impact
  references:
  - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:SWF/CVE-2010-1297.A
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2010-1297
  comments: 'This vulnerability is exploited by crafted swf content via drive-by compromise
    when a user visits a malicious website.


    This vulnerability is also exploited via user execution of a maliciously crafted
    pdf file.


    In the wild, threat actors have used this to download malicious software onto
    the target system.'
  mapping_type: exploitation_technique
  references:
  - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:SWF/CVE-2010-1297.A
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Flash Player Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2010-1297
  comments: 'This vulnerability is exploited by crafted swf content via drive-by compromise
    when a user visits a malicious website.


    This vulnerability is also exploited via user execution of a maliciously crafted
    pdf file.


    In the wild, threat actors have used this to download malicious software onto
    the target system.'
  mapping_type: exploitation_technique
  references:
  - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:SWF/CVE-2010-1297.A
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Flash Player Integer Overflow Vulnerability
  capability_group: int_overflow
  capability_id: CVE-2012-5054
  comments: This vulnerability can be exploited by a maliciously-crafted webpage
    via drive-by compromise.
  mapping_type: exploitation_technique
  references:
  - https://packetstormsecurity.com/files/116435/Adobe-Flash-Player-Matrix3D-Integer-Overflow-Code-Execution.html
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Flash Player Dereferenced Pointer Vulnerability
  capability_group: pointer_deref
  capability_id: CVE-2014-8439
  comments: This vulnerability is exploited with maliciously-crafted code hosted on
    a webpage via drive-by compromise.
  mapping_type: exploitation_technique
  references:
  - https://exchange.xforce.ibmcloud.com/vulnerabilities/98932
  - https://thehackernews.com/2014/11/adobe-flash-player-update.html
  - https://securityaffairs.com/30552/security/adobe-issued-band-flash-player-update-cve-2014-8439.html
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Adobe Flash Player Integer Overflow Vulnerability
  capability_group: int_overflow
  capability_id: CVE-2015-8651
  comments: This vulnerability is exploited with maliciously-crafted code hosted on
    a website via drive-by compromise. It has been seen used in the wild by exploit
    kits whose goal is frequently to load ransomware onto the target machine.
  mapping_type: secondary_impact
  references:
  - https://blogs.quickheal.com/anatomy-flash-exploit-cve-2015-8651-integrated-rig-exploit-kit/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player Integer Overflow Vulnerability
  capability_group: int_overflow
  capability_id: CVE-2015-8651
  comments: This vulnerability is exploited with maliciously-crafted code hosted on
    a website via drive-by compromise. It has been seen used in the wild by exploit
    kits whose goal is frequently to load ransomware onto the target machine.
  mapping_type: primary_impact
  references:
  - https://blogs.quickheal.com/anatomy-flash-exploit-cve-2015-8651-integrated-rig-exploit-kit/
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Flash Player Integer Overflow Vulnerability
  capability_group: int_overflow
  capability_id: CVE-2015-8651
  comments: This vulnerability is exploited with maliciously-crafted code hosted on
    a website via drive-by compromise. It has been seen used in the wild by exploit
    kits whose goal is frequently to load ransomware onto the target machine.
  mapping_type: exploitation_technique
  references:
  - https://blogs.quickheal.com/anatomy-flash-exploit-cve-2015-8651-integrated-rig-exploit-kit/
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Flash Player ASLR Bypass Vulnerability
  capability_group: feature_bypass
  capability_id: CVE-2015-0310
  comments: This vulnerability is exploited with maliciously-crafted code hosted on
    a website via drive-by compromise. It has been seen used in the wild by exploit
    kits.
  mapping_type: exploitation_technique
  references:
  - https://www.zero-day.cz/database/172/
- attack_object_id: T1622
  attack_object_name: Debugger Evasion
  capability_description: Adobe Flash Player Heap-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2015-3113
  comments: "This heap-based buffer overflow vulnerability is exploited by having\
    \ a user open a maliciously-crafted file. \n\nIn the wild, this exploitation has\
    \ been used in order to establish command and control (over HTTP) with a target\
    \ system.  The command and control functionality has also been seen to employ\
    \ debugging/sandboxing evasion."
  mapping_type: secondary_impact
  references:
  - https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/4208/adobe-flash-player-heap-buffer-overflow-vulnerability-cve-2015-3113
- attack_object_id: T1497
  attack_object_name: Virtualization/Sandbox Evasion
  capability_description: Adobe Flash Player Heap-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2015-3113
  comments: "This heap-based buffer overflow vulnerability is exploited by having\
    \ a user open a maliciously-crafted file. \n\nIn the wild, this exploitation has\
    \ been used in order to establish command and control (over HTTP) with a target\
    \ system.  The command and control functionality has also been seen to employ\
    \ debugging/sandboxing evasion."
  mapping_type: secondary_impact
  references:
  - https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/4208/adobe-flash-player-heap-buffer-overflow-vulnerability-cve-2015-3113
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Adobe Flash Player Heap-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2015-3113
  comments: "This heap-based buffer overflow vulnerability is exploited by having\
    \ a user open a maliciously-crafted file. \n\nIn the wild, this exploitation has\
    \ been used in order to establish command and control (over HTTP) with a target\
    \ system.  The command and control functionality has also been seen to employ\
    \ debugging/sandboxing evasion."
  mapping_type: primary_impact
  references:
  - https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/4208/adobe-flash-player-heap-buffer-overflow-vulnerability-cve-2015-3113
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Heap-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2015-3113
  comments: "This heap-based buffer overflow vulnerability is exploited by having\
    \ a user open a maliciously-crafted file. \n\nIn the wild, this exploitation has\
    \ been used in order to establish command and control (over HTTP) with a target\
    \ system.  The command and control functionality has also been seen to employ\
    \ debugging/sandboxing evasion."
  mapping_type: exploitation_technique
  references:
  - https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
  - https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/4208/adobe-flash-player-heap-buffer-overflow-vulnerability-cve-2015-3113
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Flash Player Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2012-2034
  comments: This vulnerability is exploited by a maliciously-crafted .swf via drive-by
    compromise.
  mapping_type: exploitation_technique
  references:
  - https://www.mycert.org.my/portal/advisory?id=MA-315.062012
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2011-0611
  comments: This vulnerability is exploited by having a user open a maliciously-crafted
    Word document or PDF file with an embedded SWF. The malicious code then downloads
    another payload to the target machine.
  mapping_type: primary_impact
  references:
  - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit%3ASWF%2FCVE-2011-0611.I
  - https://blog.qualys.com/vulnerabilities-threat-research/2011/04/15/placeholder
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2011-0611
  comments: This vulnerability is exploited by having a user open a maliciously-crafted
    Word document or PDF file with an embedded SWF. The malicious code then downloads
    another payload to the target machine.
  mapping_type: exploitation_technique
  references:
  - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit%3ASWF%2FCVE-2011-0611.I
  - https://blog.qualys.com/vulnerabilities-threat-research/2011/04/15/placeholder
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2012-1535
  comments: This vulnerability is exploited by having a user open a maliciously-crafted
    Word document with an embedded SWF. The embedded SWF can download additional
    malicious software from the web.
  mapping_type: primary_impact
  references:
  - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:SWF/CVE-2012-1535.A
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2012-1535
  comments: This vulnerability is exploited by having a user open a maliciously-crafted
    Word document with an embedded SWF. The embedded SWF can download additional
    malicious software from the web.
  mapping_type: exploitation_technique
  references:
  - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:SWF/CVE-2012-1535.A
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Adobe Flash Player Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2015-3043
  comments: This vulnerability is exploited by a maliciously-crafted .swf file which
    can be run on a user system via drive-by compromise.
  mapping_type: exploitation_technique
  references: []
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Arbitrary Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2015-7645
  comments: This vulnerability is exploited by the user opening a maliciously-crafted
    .swf file.
  mapping_type: exploitation_technique
  references:
  - https://securityaffairs.com/54120/reports/exploit-kits-top-flaws.html
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Fortinet FortiOS SSL VPN Improper Authentication Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2020-12812
  comments: CVE-2020-12812 is an improper authentication vulnerability in Fortinet's
    FortiOS, specifically affecting the SSL VPN feature. This vulnerability allows
    attackers to bypass two-factor authentication under certain conditions, potentially
    leading to unauthorized access to sensitive systems.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/alerts/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios-vulnerabilities
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Fortinet FortiOS SSL VPN Improper Authentication Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2020-12812
  comments: CVE-2020-12812 is an improper authentication vulnerability in Fortinet's
    FortiOS, specifically affecting the SSL VPN feature. This vulnerability allows
    attackers to bypass two-factor authentication under certain conditions, potentially
    leading to unauthorized access to sensitive systems.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/alerts/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios-vulnerabilities
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Fortinet FortiOS Default Configuration Vulnerability
  capability_group: default_cfg
  capability_id: CVE-2019-5591
  comments: CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS,
    specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated
    attacker on the same subnet to intercept sensitive information by impersonating
    a Lightweight Directory Access Protocol (LDAP) server.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/alerts/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios-vulnerabilities
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Fortinet FortiOS Default Configuration Vulnerability
  capability_group: default_cfg
  capability_id: CVE-2019-5591
  comments: CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS,
    specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated
    attacker on the same subnet to intercept sensitive information by impersonating
    a Lightweight Directory Access Protocol (LDAP) server.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/alerts/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios-vulnerabilities
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Fortinet FortiOS Default Configuration Vulnerability
  capability_group: default_cfg
  capability_id: CVE-2019-5591
  comments: CVE-2019-5591 is a default configuration vulnerability in Fortinet's FortiOS,
    specifically affecting the FortiGate SSL VPN. This vulnerability allows an unauthenticated
    attacker on the same subnet to intercept sensitive information by impersonating
    a Lightweight Directory Access Protocol (LDAP) server.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/alerts/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios-vulnerabilities
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: ForgeRock Access Management (AM) Core Server Remote Code
    Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-35464
  comments: CVE-2021-35464 is a pre-authentication remote code execution (RCE) vulnerability
    in ForgeRock Access Manager identity and access management software. ForgeRock
    front-ends web applications and remote access solutions in many enterprises.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/alerts/2021/07/12/critical-forgerock-access-management-vulnerability
  - https://www.rapid7.com/blog/post/2021/06/30/forgerock-openam-pre-auth-remote-code-execution-vulnerability-what-you-need-to-know/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: ForgeRock Access Management (AM) Core Server Remote Code
    Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-35464
  comments: CVE-2021-35464 is a pre-authentication remote code execution (RCE) vulnerability
    in ForgeRock Access Manager identity and access management software. ForgeRock
    front-ends web applications and remote access solutions in many enterprises.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/alerts/2021/07/12/critical-forgerock-access-management-vulnerability
  - https://www.rapid7.com/blog/post/2021/06/30/forgerock-openam-pre-auth-remote-code-execution-vulnerability-what-you-need-to-know/
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: F5 BIG-IP and BIG-IQ Centralized Management iControl REST
    Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22986
  comments: CVE-2021-22986 is a remote command execution vulnerability in the iControl
    REST interface. The F5 security advisory describes the impact as "This vulnerability
    allows for unauthenticated attackers with network access to the iControl REST
    interface, through the BIG-IP management interface and self IP addresses, to
    execute arbitrary system commands, create or delete files, and disable services.
    This vulnerability can only be exploited through the control plane and cannot
    be exploited through the data plane. Exploitation can lead to complete system
    compromise."
  mapping_type: secondary_impact
  references:
  - https://www.cpomagazine.com/cyber-security/massive-cyber-attacks-target-f5-big-ip-critical-vulnerabilities-after-firm-releases-updates/
  - https://arstechnica.com/gadgets/2021/03/to-security-pros-dread-another-critical-server-vulnerability-is-under-exploit/
  - https://my.f5.com/manage/s/article/K03009991
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: F5 BIG-IP and BIG-IQ Centralized Management iControl REST
    Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22986
  comments: CVE-2021-22986 is a remote command execution vulnerability in the iControl
    REST interface. The F5 security advisory describes the impact as "This vulnerability
    allows for unauthenticated attackers with network access to the iControl REST
    interface, through the BIG-IP management interface and self IP addresses, to
    execute arbitrary system commands, create or delete files, and disable services.
    This vulnerability can only be exploited through the control plane and cannot
    be exploited through the data plane. Exploitation can lead to complete system
    compromise."
  mapping_type: primary_impact
  references:
  - https://www.cpomagazine.com/cyber-security/massive-cyber-attacks-target-f5-big-ip-critical-vulnerabilities-after-firm-releases-updates/
  - https://arstechnica.com/gadgets/2021/03/to-security-pros-dread-another-critical-server-vulnerability-is-under-exploit/
  - https://my.f5.com/manage/s/article/K03009991
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: F5 BIG-IP and BIG-IQ Centralized Management iControl REST
    Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22986
  comments: CVE-2021-22986 is a remote command execution vulnerability in the iControl
    REST interface. The F5 security advisory describes the impact as "This vulnerability
    allows for unauthenticated attackers with network access to the iControl REST
    interface, through the BIG-IP management interface and self IP addresses, to
    execute arbitrary system commands, create or delete files, and disable services.
    This vulnerability can only be exploited through the control plane and cannot
    be exploited through the data plane. Exploitation can lead to complete system
    compromise."
  mapping_type: exploitation_technique
  references:
  - https://www.cpomagazine.com/cyber-security/massive-cyber-attacks-target-f5-big-ip-critical-vulnerabilities-after-firm-releases-updates/
  - https://arstechnica.com/gadgets/2021/03/to-security-pros-dread-another-critical-server-vulnerability-is-under-exploit/
  - https://my.f5.com/manage/s/article/K03009991
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: F5 BIG-IP Traffic Management User Interface (TMUI) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-5902
  comments: "Threat actors have exploited CVE-2020-5902\u2014an RCE vulnerability in\
    \ the BIG-IP Traffic Management User Interface (TMUI)\u2014to take control of victim\
    \ systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers\
    \ to, \u201Cexecute arbitrary system commands, create or delete files, disable\
    \ services, and/or execute arbitrary Java code.\u201D - CISA Advisory"
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: F5 BIG-IP Traffic Management User Interface (TMUI) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-5902
  comments: "Threat actors have exploited CVE-2020-5902\u2014an RCE vulnerability in\
    \ the BIG-IP Traffic Management User Interface (TMUI)\u2014to take control of victim\
    \ systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers\
    \ to, \u201Cexecute arbitrary system commands, create or delete files, disable\
    \ services, and/or execute arbitrary Java code.\u201D - CISA Advisory"
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: F5 BIG-IP Traffic Management User Interface (TMUI) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2020-5902
  comments: "Threat actors have exploited CVE-2020-5902\u2014an RCE vulnerability in\
    \ the BIG-IP Traffic Management User Interface (TMUI)\u2014to take control of victim\
    \ systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers\
    \ to, \u201Cexecute arbitrary system commands, create or delete files, disable\
    \ services, and/or execute arbitrary Java code.\u201D - CISA Advisory"
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/sites/default/files/publications/CISA-072420-F5-BIG-IP-Vulnerability-Fact-Sheet_508.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a
- attack_object_id: T1106
  attack_object_name: Native API
  capability_description: EyesOfNetwork Use of Hard-Coded Credentials Vulnerability
  capability_group: hardcoded_creds
  capability_id: CVE-2020-8657
  comments: 'CVE-2020-8657 is a use of hard-coded credentials vulnerability in EyesOfNetwork
    5.3 affecting its API key implementation.'
  mapping_type: exploitation_technique
  references:
  - https://www.clouddefense.ai/cve/2020/CVE-2020-8657
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Exim Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2018-6789
  comments: 'CVE-2018-6789 is a vulnerability in Exim, an open-source mail transfer
    agent. This vulnerability, identified as an off-by-one buffer overflow, allows
    attackers to execute arbitrary code remotely by sending specially crafted messages
    to the SMTP listener. '
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
  - https://news.sophos.com/en-us/2019/06/07/action-required-exim-mail-servers-need-urgent-patching/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Exim Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2018-6789
  comments: 'CVE-2018-6789 is a vulnerability in Exim, an open-source mail transfer
    agent. This vulnerability, identified as an off-by-one buffer overflow, allows
    attackers to execute arbitrary code remotely by sending specially crafted messages
    to the SMTP listener. '
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
  - https://news.sophos.com/en-us/2019/06/07/action-required-exim-mail-servers-need-urgent-patching/
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: GitLab Community and Enterprise Editions Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22205
  comments: 'CVE-2021-22205 is a critical remote code execution vulnerability allowing
    unauthenticated attackers to execute arbitrary commands on affected systems. The
    vulnerability was reported to be actively exploited to assemble botnets and
    launch large-scale distributed denial of service (DDoS) attacks.'
  mapping_type: secondary_impact
  references:
  - https://therecord.media/gitlab-servers-are-being-exploited-in-ddos-attacks-in-excess-of-1-tbps
  - https://www.bleepingcomputer.com/news/security/over-30-000-gitlab-servers-still-unpatched-against-critical-bug/
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: GitLab Community and Enterprise Editions Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22205
  comments: 'CVE-2021-22205 is a critical remote code execution vulnerability allowing
    unauthenticated attackers to execute arbitrary commands on affected systems. The
    vulnerability was reported to be actively exploited to assemble botnets and
    launch large-scale distributed denial of service (DDoS) attacks.'
  mapping_type: secondary_impact
  references:
  - https://therecord.media/gitlab-servers-are-being-exploited-in-ddos-attacks-in-excess-of-1-tbps
  - https://www.bleepingcomputer.com/news/security/over-30-000-gitlab-servers-still-unpatched-against-critical-bug/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: GitLab Community and Enterprise Editions Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22205
  comments: 'CVE-2021-22205 is a critical remote code execution vulnerability allowing
    unauthenticated attackers to execute arbitrary commands on affected systems. The
    vulnerability was reported to be actively exploited to assemble botnets and
    launch large-scale distributed denial of service (DDoS) attacks.'
  mapping_type: primary_impact
  references:
  - https://therecord.media/gitlab-servers-are-being-exploited-in-ddos-attacks-in-excess-of-1-tbps
  - https://www.bleepingcomputer.com/news/security/over-30-000-gitlab-servers-still-unpatched-against-critical-bug/
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Drupal Core Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2018-7600
  comments: "CVE-2018-7600 is a remote code execution (RCE) vulnerability affecting\
    \ Drupal versions 7 and 8. According to reports, successful exploitation lets an\
    \ attacker modify or delete the content of a Drupal-run site, and the flaw has\
    \ been abused in crypto-jacking campaigns."
  mapping_type: secondary_impact
  references:
  - https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/
  - https://www.infosecurity-magazine.com/news-features/exploited-state-fix/
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Drupal Core Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2018-7600
  comments: CVE-2018-7600 is a remote code execution (RCE) vulnerability affecting
    Drupal versions 7 and 8. According to reports, successful exploitation enables
    an attacker to modify or delete the content of a Drupal-run site, and the vulnerability
    has been used in cryptojacking campaigns.
  mapping_type: secondary_impact
  references:
  - https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/
  - https://www.infosecurity-magazine.com/news-features/exploited-state-fix/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Drupal Core Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2018-7600
  comments: CVE-2018-7600 is a remote code execution (RCE) vulnerability affecting
    Drupal versions 7 and 8. According to reports, successful exploitation enables
    an attacker to modify or delete the content of a Drupal-run site, and the vulnerability
    has been used in cryptojacking campaigns.
  mapping_type: primary_impact
  references:
  - https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/
  - https://www.infosecurity-magazine.com/news-features/exploited-state-fix/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Drupal Core Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2018-7600
  comments: CVE-2018-7600 is a remote code execution (RCE) vulnerability affecting
    Drupal versions 7 and 8. According to reports, successful exploitation enables
    an attacker to modify or delete the content of a Drupal-run site, and the vulnerability
    has been used in cryptojacking campaigns.
  mapping_type: exploitation_technique
  references:
  - https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/
  - https://www.infosecurity-magazine.com/news-features/exploited-state-fix/
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Multiple DrayTek Vigor Routers Web Management Page Vulnerability
  capability_group: other
  capability_id: CVE-2020-8515
  comments: CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek
    devices. It allows an unauthenticated attacker to execute arbitrary commands on
    affected devices. Successful exploitation has been reported to lead to resource
    hijacking for botnet use.
  mapping_type: secondary_impact
  references:
  - https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/
  - https://thehackernews.com/2020/03/draytek-network-hacking.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Multiple DrayTek Vigor Routers Web Management Page Vulnerability
  capability_group: other
  capability_id: CVE-2020-8515
  comments: CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek
    devices. It allows an unauthenticated attacker to execute arbitrary commands on
    affected devices. Successful exploitation has been reported to lead to resource
    hijacking for botnet use.
  mapping_type: primary_impact
  references:
  - https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/
  - https://thehackernews.com/2020/03/draytek-network-hacking.html
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Multiple DrayTek Vigor Routers Web Management Page Vulnerability
  capability_group: other
  capability_id: CVE-2020-8515
  comments: CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek
    devices. It allows an unauthenticated attacker to execute arbitrary commands on
    affected devices. Successful exploitation has been reported to lead to resource
    hijacking for botnet use.
  mapping_type: exploitation_technique
  references:
  - https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/
  - https://thehackernews.com/2020/03/draytek-network-hacking.html
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: DotNetNuke (DNN) Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2017-9822
  comments: CVE-2017-9822 is a deserialization vulnerability that allows an attacker
    to supply a crafted cookie that is insecurely deserialized, leading to remote code
    execution (RCE). It has been noted for its potential impact on various web applications.
  mapping_type: secondary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/-zealot-campaign-uses-nsa-exploits-to-mine-monero-on-windows-and-linux-servers/
  - https://media.defense.gov/2019/Jul/16/2002157839/-1/-1/0/CSA-DOTNETNUKE.PDF
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: DotNetNuke (DNN) Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2017-9822
  comments: CVE-2017-9822 is a deserialization vulnerability that allows an attacker
    to supply a crafted cookie that is insecurely deserialized, leading to remote code
    execution (RCE). It has been noted for its potential impact on various web applications.
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/-zealot-campaign-uses-nsa-exploits-to-mine-monero-on-windows-and-linux-servers/
  - https://media.defense.gov/2019/Jul/16/2002157839/-1/-1/0/CSA-DOTNETNUKE.PDF
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: DotNetNuke (DNN) Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2017-9822
  comments: CVE-2017-9822 is a deserialization vulnerability that allows an attacker
    to supply a crafted cookie that is insecurely deserialized, leading to remote code
    execution (RCE). It has been noted for its potential impact on various web applications.
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/-zealot-campaign-uses-nsa-exploits-to-mine-monero-on-windows-and-linux-servers/
  - https://media.defense.gov/2019/Jul/16/2002157839/-1/-1/0/CSA-DOTNETNUKE.PDF
- attack_object_id: T1584.005
  attack_object_name: Botnet
  capability_description: D-Link DNS-320 Device Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2020-25506
  comments: CVE-2020-25506 is a command injection vulnerability in the system_mgr.cgi
    component of D-Link DNS-320 firmware v2.06B01 Revision Ax, which can lead to remote
    arbitrary code execution.
  mapping_type: secondary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
  - https://thehackernews.com/2021/03/new-mirai-variant-and-zhtrap-botnet.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: D-Link DNS-320 Device Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2020-25506
  comments: CVE-2020-25506 is a command injection vulnerability in the system_mgr.cgi
    component of D-Link DNS-320 firmware v2.06B01 Revision Ax, which can lead to remote
    arbitrary code execution.
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
  - https://thehackernews.com/2021/03/new-mirai-variant-and-zhtrap-botnet.html
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: D-Link DNS-320 Device Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2020-25506
  comments: CVE-2020-25506 is a command injection vulnerability in the system_mgr.cgi
    component of D-Link DNS-320 firmware v2.06B01 Revision Ax, which can lead to remote
    arbitrary code execution.
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
  - https://thehackernews.com/2021/03/new-mirai-variant-and-zhtrap-botnet.html
- attack_object_id: T1584.005
  attack_object_name: Botnet
  capability_description: D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2020-29557
  comments: CVE-2020-29557 is a buffer overflow vulnerability in the web interface
    that allows attackers to achieve pre-authentication remote code execution. Unidentified
    threat actors were reported to be actively exploiting it to co-opt affected devices
    into a Mirai-variant botnet used for carrying out DDoS attacks, merely two days
    after its public disclosure.
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2020-29557
  comments: CVE-2020-29557 is a buffer overflow vulnerability in the web interface
    that allows attackers to achieve pre-authentication remote code execution. Unidentified
    threat actors were reported to be actively exploiting it to co-opt affected devices
    into a Mirai-variant botnet used for carrying out DDoS attacks, merely two days
    after its public disclosure.
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2020-29557
  comments: CVE-2020-29557 is a buffer overflow vulnerability in the web interface
    that allows attackers to achieve pre-authentication remote code execution. Unidentified
    threat actors were reported to be actively exploiting it to co-opt affected devices
    into a Mirai-variant botnet used for carrying out DDoS attacks, merely two days
    after its public disclosure.
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2021/08/hackers-exploiting-new-auth-bypass-bug.html
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Citrix Workspace Application and Receiver for Windows Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-11634
  comments: This vulnerability in Citrix Receiver for Windows may allow an attacker
    to gain read/write access to the client's local drives, potentially enabling code
    execution on the client device, such as deploying ransomware.
  mapping_type: secondary_impact
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Citrix Workspace Application and Receiver for Windows Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-11634
  comments: This vulnerability in Citrix Receiver for Windows may allow an attacker
    to gain read/write access to the client's local drives, potentially enabling code
    execution on the client device, such as deploying ransomware.
  mapping_type: exploitation_technique
  references:
  - https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
  - https://threatpost.com/nefilim-ransomware-ghost-account/163341/
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization
    Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2020-8193
  comments: CVE-2020-8193 is an authorization bypass vulnerability in Citrix ADC,
    Gateway, and SD-WAN WANOP appliances that allows an attacker to bypass
    authentication mechanisms via crafted requests.
  mapping_type: exploitation_technique
  references:
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
  - https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Authorization
    Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2020-8193
  comments: CVE-2020-8193 is an authorization bypass vulnerability in Citrix ADC,
    Gateway, and SD-WAN WANOP appliances that allows an attacker to bypass
    authentication mechanisms via crafted requests.
  mapping_type: primary_impact
  references:
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
  - https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
- attack_object_id: T1056
  attack_object_name: Input Capture
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information
    Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2020-8195
  comments: CVE-2020-8195 is an information disclosure vulnerability in Citrix ADC,
    Gateway, and SD-WAN WANOP appliances that allows an attacker to access sensitive
    information via crafted requests.
  mapping_type: exploitation_technique
  references:
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
  - https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
- attack_object_id: T1082
  attack_object_name: System Information Discovery
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information
    Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2020-8195
  comments: CVE-2020-8195 is an information disclosure vulnerability in Citrix ADC,
    Gateway, and SD-WAN WANOP appliances that allows an attacker to access sensitive
    information via crafted requests.
  mapping_type: primary_impact
  references:
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
  - https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information
    Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2020-8195
  comments: CVE-2020-8195 is an information disclosure vulnerability in Citrix ADC,
    Gateway, and SD-WAN WANOP appliances that allows an attacker to access sensitive
    information via crafted requests.
  mapping_type: primary_impact
  references:
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
  - https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
- attack_object_id: T1056
  attack_object_name: Input Capture
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information
    Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2020-8196
  comments: CVE-2020-8196 is an information disclosure vulnerability in Citrix ADC,
    Gateway, and SD-WAN WANOP appliances that allows an attacker to access sensitive
    information via crafted requests.
  mapping_type: exploitation_technique
  references:
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
  - https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
- attack_object_id: T1082
  attack_object_name: System Information Discovery
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information
    Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2020-8196
  comments: CVE-2020-8196 is an information disclosure vulnerability in Citrix ADC,
    Gateway, and SD-WAN WANOP appliances that allows an attacker to access sensitive
    information via crafted requests.
  mapping_type: primary_impact
  references:
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
  - https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Information
    Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2020-8196
  comments: CVE-2020-8196 is an information disclosure vulnerability in Citrix ADC,
    Gateway, and SD-WAN WANOP appliances that allows an attacker to access sensitive
    information via crafted requests.
  mapping_type: secondary_impact
  references:
  - https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
  - https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Windows Error Reporting Service Improper Privilege
    Management Vulnerability
  capability_group: priv_mgmt
  capability_id: CVE-2024-26169
  comments: This vulnerability was exploited as a zero-day. The exploit "manipulates
    the Windows file werkernel.sys, which uses a null security descriptor when creating
    registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image
    File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's
    executable pathname. This allows the exploit to start a shell with administrative
    privileges." This vulnerability has been exploited by the Black Basta ransomware
    group.
  mapping_type: primary_impact
  references:
  - https://www.rescana.com/post/cve-2024-26169-active-exploitation-of-windows-elevation-of-privilege-flaw
- attack_object_id: T1112
  attack_object_name: Modify Registry
  capability_description: Microsoft Windows Error Reporting Service Improper Privilege
    Management Vulnerability
  capability_group: priv_mgmt
  capability_id: CVE-2024-26169
  comments: This vulnerability was exploited as a zero-day. The exploit "manipulates
    the Windows file werkernel.sys, which uses a null security descriptor when creating
    registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image
    File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's
    executable pathname. This allows the exploit to start a shell with administrative
    privileges." This vulnerability has been exploited by the Black Basta ransomware
    group.
  mapping_type: exploitation_technique
  references:
  - https://www.rescana.com/post/cve-2024-26169-active-exploitation-of-windows-elevation-of-privilege-flaw
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Microsoft Windows MSHTML Platform Spoofing Vulnerability
  capability_group: spoofing_vuln
  capability_id: CVE-2024-38112
  comments: This vulnerability is exploited when a victim visits a malicious web
    page or clicks an unsafe link. After the page is visited or the link is clicked,
    the adversary gains the ability to execute arbitrary code on the victim system.
  mapping_type: exploitation_technique
  references:
  - https://www.darkreading.com/application-security/void-banshee-exploits-second-microsoft-zero-day
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Microsoft Windows MSHTML Platform Spoofing Vulnerability
  capability_group: spoofing_vuln
  capability_id: CVE-2024-38112
  comments: This vulnerability is exploited when a victim visits a malicious web
    page or clicks an unsafe link. After the page is visited or the link is clicked,
    the adversary gains the ability to execute arbitrary code on the victim system.
  mapping_type: exploitation_technique
  references:
  - https://www.darkreading.com/application-security/void-banshee-exploits-second-microsoft-zero-day
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Laravel Ignition File Upload Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2021-3129
  comments: This vulnerability is exploited when a remote unauthenticated user sends
    a malicious payload to a server running a vulnerable version of Ignition with
    Laravel debug mode enabled. The payload targets the MakeViewVariableOptionalSolution.php
    module, leveraging the insecure use of the PHP functions file_get_contents and
    file_put_contents to specify a file path for executing arbitrary code.
  mapping_type: exploitation_technique
  references:
  - https://blog.sonicwall.com/en-us/2021/04/laravel-ignition-remote-code-execution-vulnerability/
  - https://isc.sans.edu/diary/Laravel+v842+exploit+attempts+for+CVE20213129+debug+mode+Remote+code+execution/27758
  - https://pentest-tools.com/blog/exploit-rce-vulnerability-laravel-cve-2021-3129
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Laravel Ignition File Upload Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2021-3129
  comments: This vulnerability is exploited when a remote unauthenticated user sends
    a malicious payload to a server running a vulnerable version of Ignition with
    Laravel debug mode enabled. The payload targets the MakeViewVariableOptionalSolution.php
    module, leveraging the insecure use of the PHP functions file_get_contents and
    file_put_contents to specify a file path for executing arbitrary code.
  mapping_type: primary_impact
  references:
  - https://blog.sonicwall.com/en-us/2021/04/laravel-ignition-remote-code-execution-vulnerability/
  - https://isc.sans.edu/diary/Laravel+v842+exploit+attempts+for+CVE20213129+debug+mode+Remote+code+execution/27758
  - https://pentest-tools.com/blog/exploit-rce-vulnerability-laravel-cve-2021-3129
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: 'Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA)
    Code Injection Vulnerability '
  capability_group: code_injection
  capability_id: CVE-2021-44529
  comments: 'This vulnerability is exploited after an adversary sends a maliciously
    crafted cookie to the client endpoint (/client/index.php) to exploit Ivanti systems
    that utilized a malicious version of the "csrf-magic", which creates a backdoor
    into an Ivanti system. An unauthorized user can then execute malicious code stored
    in the cookie via Ivanti''s "nobody" user account. '
  mapping_type: primary_impact
  references:
  - https://github.com/rapid7/metasploit-framework/pull/17449
  - https://attackerkb.com/topics/XTKrwlZd7p/cve-2021-44529
  - https://www.sonatype.com/blog/the-curious-case-of-csrf-magic-a-case-study-in-supply-chain-poisoning
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: 'Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA)
    Code Injection Vulnerability '
  capability_group: code_injection
  capability_id: CVE-2021-44529
  comments: 'This vulnerability is exploited after an adversary sends a maliciously
    crafted cookie to the client endpoint (/client/index.php) to exploit Ivanti systems
    that utilized a malicious version of the "csrf-magic", which creates a backdoor
    into an Ivanti system. An unauthorized user can then execute malicious code stored
    in the cookie via Ivanti''s "nobody" user account. '
  mapping_type: exploitation_technique
  references:
  - https://github.com/rapid7/metasploit-framework/pull/17449
  - https://attackerkb.com/topics/XTKrwlZd7p/cve-2021-44529
  - https://www.sonatype.com/blog/the-curious-case-of-csrf-magic-a-case-study-in-supply-chain-poisoning
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: D-Link DIR-605 Router Information Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2021-40655
  comments: This vulnerability is exploited when an adversary sends a forged POST
    request to the router's /getcfg.php page. The POST request can allow the adversary
    to obtain the router's username and password.
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-d-link.html
  - https://www.tenable.com/plugins/nessus/197740
- attack_object_id: T1059.004
  attack_object_name: Unix Shell
  capability_description: Sunhillo SureLine OS Command Injection Vulnerablity
  capability_group: inject
  capability_id: CVE-2021-36380
  comments: To trigger this vulnerability, an attacker sends a specially crafted POST
    request to the webserver at the URL /cgi/networkDiag.cgi . Within this request,
    the attacker inserts a Linux command as part of the ipAddr or dnsAddr POST parameters.
    When the webserver processes the POST request, the command the attacker has inserted
    into the parameter will be executed.
  mapping_type: primary_impact
  references:
  - https://blog.sonicwall.com/en-us/2023/11/sunhillo-sureline-command-injection-vulnerability/
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
  - https://www.recordedfuture.com/vulnerability-database/CVE-2021-36380
  - https://www.nccgroup.com/us/research-blog/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Sunhillo SureLine OS Command Injection Vulnerablity
  capability_group: inject
  capability_id: CVE-2021-36380
  comments: To trigger this vulnerability, an attacker sends a specially crafted POST
    request to the webserver at the URL /cgi/networkDiag.cgi . Within this request,
    the attacker inserts a Linux command as part of the ipAddr or dnsAddr POST parameters.
    When the webserver processes the POST request, the command the attacker has inserted
    into the parameter will be executed.
  mapping_type: exploitation_technique
  references:
  - https://blog.sonicwall.com/en-us/2023/11/sunhillo-sureline-command-injection-vulnerability/
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
  - https://www.recordedfuture.com/vulnerability-database/CVE-2021-36380
  - https://www.nccgroup.com/us/research-blog/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Microsoft Windows Error Reporting Service Improper Privilege
    Management Vulnerability
  capability_group: priv_mgmt
  capability_id: CVE-2024-26169
  comments: This vulnerability was exploited as a zero-day. The exploit "manipulates
    the Windows file werkernel.sys, which uses a null security descriptor when creating
    registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image
    File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's
    executable pathname. This allows the exploit to start a shell with administrative
    privileges." This vulnerability has been exploited by the Black Basta ransomware
    group.
  mapping_type: exploitation_technique
  references:
  - https://www.rescana.com/post/cve-2024-26169-active-exploitation-of-windows-elevation-of-privilege-flaw
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: ' Microsoft DWM Core Library Privilege Escalation Vulnerability'
  capability_group: priv_escalation
  capability_id: CVE-2024-30051
  comments: This vulnerability was exploited as a zero-day and is believed to still
    be in use by multiple adversary groups, so little exploitation detail is publicly
    available. It is a heap-based buffer overflow in the Windows DWM Core Library
    that enables an adversary to gain SYSTEM privileges.
  mapping_type: primary_impact
  references:
  - https://www.ttbinternetsecurity.com/news/microsoft-addresses-exploited-zero-day-in-may-2024-cve-2024-30051-and-cve-2024-30040-resolved
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-may-2024/
  - https://securelist.com/cve-2024-30051/112618/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Novi Survey Insecure Deserialization Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-29492
  comments: CVE-2023-29492 is an insecure deserialization vulnerability. Exploitation
    of this vulnerability gives remote attackers arbitrary code execution in the context
    of the service account.
  mapping_type: exploitation_technique
  references:
  - https://novisurvey.net/blog/novi-survey-security-advisory-apr-2023.aspx
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Atlassian Confluence Server Pre-Authorization Arbitrary
    File Read Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2021-26085
  comments: This vulnerability allows viewing of restricted resources via a pre-authorization
    arbitrary file read vulnerability.
  mapping_type: exploitation_technique
  references:
  - https://www.exploit-db.com/exploits/50377
- attack_object_id: T1552.001
  attack_object_name: Credentials In Files
  capability_description: Atlassian Questions For Confluence App Hard-coded Credentials
    Vulnerability
  capability_group: hardcoded_creds
  capability_id: CVE-2022-26138
  comments: CVE-2022-26138 is a hard-coded credentials vulnerability in the "Questions
    for Confluence" app.
  mapping_type: exploitation_technique
  references:
  - https://x.com/cyb3rops/status/1550119301004201984
  - https://securitytrails.com/blog/atlassian-confluence-vulnerability-remote-access-hard-coded-pass-cve-2022-26138
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Atlassian Bitbucket Server and Data Center Command Injection
    Vulnerability
  capability_group: command_injection
  capability_id: CVE-2022-36804
  comments: This vulnerability allows remote attackers with read permission to a
    public or private Bitbucket repository to execute arbitrary code by sending a
    malicious HTTP request.
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Atlassian Confluence Data Center and Server Template Injection
    Vulnerability
  capability_group: inject
  capability_id: CVE-2023-22527
  comments: CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated
    adversary to achieve remote code execution. Adversaries have been observed exploiting
    this vulnerability for cryptomining purposes.
  mapping_type: primary_impact
  references:
  - https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Atlassian Confluence Data Center and Server Template Injection
    Vulnerability
  capability_group: inject
  capability_id: CVE-2023-22527
  comments: CVE-2023-22527 is a template injection vulnerability that allows an unauthenticated
    adversary to achieve remote code execution. Adversaries have been observed exploiting
    this vulnerability for cryptomining purposes.
  mapping_type: exploitation_technique
  references:
  - https://www.trendmicro.com/en_us/research/24/h/cve-2023-22527-cryptomining.html
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Atlassian Confluence Data Center and Server Improper Authorization
    Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-22518
  comments: CVE-2023-22518 is an improper authorization vulnerability. Adversaries
    have been seen using HTTP POST requests to upload maliciously-crafted zip files
    to Confluence WebServers to exploit this vulnerability. After exploitation, adversaries
    were observed doing local system information discovery and downloading malicious
    payloads.
  mapping_type: secondary_impact
  references:
  - https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitation-of-atlassian-confluence-cve-2023-22518/
- attack_object_id: T1033
  attack_object_name: System Owner/User Discovery
  capability_description: Atlassian Confluence Data Center and Server Improper Authorization
    Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-22518
  comments: CVE-2023-22518 is an improper authorization vulnerability. Adversaries
    have been seen using HTTP POST requests to upload maliciously-crafted zip files
    to Confluence WebServers to exploit this vulnerability. After exploitation, adversaries
    were observed doing local system information discovery and downloading malicious
    payloads.
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitation-of-atlassian-confluence-cve-2023-22518/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Atlassian Confluence Data Center and Server Improper Authorization
    Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-22518
  comments: CVE-2023-22518 is an improper authorization vulnerability. Adversaries
    have been seen using HTTP POST requests to upload maliciously-crafted zip files
    to Confluence WebServers to exploit this vulnerability. After exploitation, adversaries
    were observed doing local system information discovery and downloading malicious
    payloads.
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2023/11/06/etr-rapid7-observed-exploitation-of-atlassian-confluence-cve-2023-22518/
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Microsoft Office Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-27059
  comments: The vulnerability allows a remote user to execute arbitrary code on the
    target system due to improper input validation in Microsoft Office.
  mapping_type: exploitation_technique
  references:
  - https://www.cybersecurity-help.cz/vdb/SB2021030942
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Microsoft Office Publisher Security Feature Bypass Vulnerability
  capability_group: feature_bypass
  capability_id: CVE-2023-21715
  comments: CVE-2023-21715 is a security feature bypass vulnerability exploitable
    when a user opens a specially-crafted file, which bypasses macro policies.
  mapping_type: exploitation_technique
  references:
  - https://www.helpnetsecurity.com/2023/02/14/microsoft-patches-three-exploited-zero-days-cve-2023-21715-cve-2023-23376-cve-2023-21823/
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Office Outlook Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-23397
  comments: This vulnerability is exploited when an adversary sends a specially-crafted
    email which can result in the disclosure of authentication information that an
    adversary can replay to gain access to systems.
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
  - https://unit42.paloaltonetworks.com/threat-brief-cve-2023-23397/
  - https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Microsoft Office Outlook Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-23397
  comments: This vulnerability is exploited when an adversary sends a specially-crafted
    email which can result in the disclosure of authentication information that an
    adversary can replay to gain access to systems.
  mapping_type: primary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
  - https://unit42.paloaltonetworks.com/threat-brief-cve-2023-23397/
  - https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Microsoft Office Outlook Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-23397
  comments: This vulnerability is exploited when an adversary sends a specially-crafted
    email which can result in the disclosure of authentication information that an
    adversary can replay to gain access to systems.
  mapping_type: exploitation_technique
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
  - https://unit42.paloaltonetworks.com/threat-brief-cve-2023-23397/
  - https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: PaperCut MF/NG Improper Access Control Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-27350
  comments: CVE-2023-27350 allows an unauthenticated actor to execute malicious code
    remotely without credentials. Threat actors have been observed exploiting this
    software through its print scripting interface and installing command and control
    software on target machines.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-05/aa23-131a_malicious_actors_exploit_cve-2023-27350_in_papercut_mf_and_ng_1.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: PaperCut MF/NG Improper Access Control Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-27350
  comments: CVE-2023-27350 allows an unauthenticated actor to execute malicious code
    remotely without credentials. Threat actors have been observed exploiting this
    software through its print scripting interface and installing command and control
    software on target machines.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-05/aa23-131a_malicious_actors_exploit_cve-2023-27350_in_papercut_mf_and_ng_1.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: PaperCut MF/NG Improper Access Control Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-27350
  comments: CVE-2023-27350 allows an unauthenticated actor to execute malicious code
    remotely without credentials. Threat actors have been observed exploiting this
    software through its print scripting interface and installing command and control
    software on target machines.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/sites/default/files/2023-05/aa23-131a_malicious_actors_exploit_cve-2023-27350_in_papercut_mf_and_ng_1.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Zoho ManageEngine ServiceDesk Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-37415
  comments: This vulnerability allows access to a few REST-API URLs without authentication.
  mapping_type: exploitation_technique
  references:
  - https://digital.nhs.uk/cyber-alerts/2021/cc-3985
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1560.001
  attack_object_name: Archive via Utility
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1070.004
  attack_object_name: File Deletion
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1003.003
  attack_object_name: NTDS
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1218
  attack_object_name: System Binary Proxy Execution
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1140
  attack_object_name: Deobfuscate/Decode Files or Information
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Zoho ManageEngine ServiceDesk Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-44077
  comments: 'CVE-2021-44077 is an unauthenticated remote code execution vulnerability.
    Adversaries have been observed performing the following post-exploitation activity:
    writing webshells to disk for persistence, obfuscating and deobfuscating/decoding
    files or information, dumping user credentials, using only signed Windows binaries
    for follow-on actions, adding/deleting user accounts as needed, exfiltrating the
    Active Directory database, using Windows Management Instrumentation for remote execution,
    deleting files to remove indicators from the host, discovering domain accounts,
    collecting and archiving files for exfiltration, and using symmetric encryption
    for command and control.'
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Zoho Desktop Central Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-44515
  comments: CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit,
    APT actors were observed dropping a webshell, downloading post-exploitation tools,
    enumerating domain users and groups, conducting network reconnaissance, attempting
    lateral movement, and dumping credentials.
  mapping_type: secondary_impact
  references:
  - https://www.tenable.com/blog/cve-2021-44515-zoho-patches-manageengine-zero-day-exploited-in-the-wild
  - https://www.ic3.gov/CSA/2021/211220.pdf
- attack_object_id: T1069
  attack_object_name: Permission Groups Discovery
  capability_description: Zoho Desktop Central Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-44515
  comments: CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit,
    APT actors were observed dropping a webshell, downloading post-exploitation tools,
    enumerating domain users and groups, conducting network reconnaissance, attempting
    lateral movement, and dumping credentials.
  mapping_type: secondary_impact
  references:
  - https://www.tenable.com/blog/cve-2021-44515-zoho-patches-manageengine-zero-day-exploited-in-the-wild
  - https://www.ic3.gov/CSA/2021/211220.pdf
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Zoho Desktop Central Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-44515
  comments: CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit,
    APT actors were observed dropping a webshell, downloading post-exploitation tools,
    enumerating domain users and groups, conducting network reconnaissance, attempting
    lateral movement, and dumping credentials.
  mapping_type: secondary_impact
  references:
  - https://www.tenable.com/blog/cve-2021-44515-zoho-patches-manageengine-zero-day-exploited-in-the-wild
  - https://www.ic3.gov/CSA/2021/211220.pdf
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Zoho Desktop Central Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-44515
  comments: CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit,
    APT actors were observed dropping a webshell, downloading post-exploitation tools,
    enumerating domain users and groups, conducting network reconnaissance, attempting
    lateral movement, and dumping credentials.
  mapping_type: primary_impact
  references:
  - https://www.tenable.com/blog/cve-2021-44515-zoho-patches-manageengine-zero-day-exploited-in-the-wild
  - https://www.ic3.gov/CSA/2021/211220.pdf
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Zoho Desktop Central Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-44515
  comments: CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit,
    APT actors were observed dropping a webshell, downloading post-exploitation tools,
    enumerating domain users and groups, conducting network reconnaissance, attempting
    lateral movement, and dumping credentials.
  mapping_type: exploitation_technique
  references:
  - https://www.tenable.com/blog/cve-2021-44515-zoho-patches-manageengine-zero-day-exploited-in-the-wild
  - https://www.ic3.gov/CSA/2021/211220.pdf
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Zoho ManageEngine ADSelfService Plus Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-28810
  comments: CVE-2022-28810 is a vulnerability that exists when custom password sync
    scripts are enabled; an adversary can pass commands in the password field, which
    can lead to remote code execution.
  mapping_type: exploitation_technique
  references:
  - https://www.greynoise.io/tagsmas/dec-13
  - https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Zoho ManageEngine Multiple Products Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-35405
  comments: CVE-2022-35405 is an unauthenticated remote code execution vulnerability
    as a result of deserialization.
  mapping_type: exploitation_technique
  references:
  - https://web.archive.org/web/20220906183444/https://www.bigous.me/2022/09/06/CVE-2022-35405.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Progress Telerik Report Server Authentication Bypass by
    Spoofing Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2024-4358
  comments: CVE-2024-4358 is an authentication bypass vulnerability. It has been
    observed chained with CVE-2024-1800 in order to achieve remote code execution.
  mapping_type: exploitation_technique
  references:
  - https://www.tenable.com/blog/cve-2024-4358-cve-2024-1800-exploit-code-available-for-critical-exploit-chain
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Progress WS_FTP Server Deserialization of Untrusted Data
    Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-40044
  comments: Zero-day .NET deserialization vulnerability that allows an adversary to
    make an HTTP POST request to a vulnerable WS_FTP Server and execute commands.
  mapping_type: exploitation_technique
  references:
  - https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044
  - https://www.tenable.com/blog/cve-2023-40044-cve-2023-42657-progress-software-patches-multiple-vulnerabilities-in-ws-ftp
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Progress MOVEit Transfer SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2023-34362
  comments: CVE-2023-34362 is a SQL injection vulnerability in a public-facing application.
    Adversaries have been observed to exploit this vulnerability to install malicious
    software on a target system, enabling them to discover system settings and information,
    enumerate the underlying SQL database, retrieve files, create administrator accounts,
    and delete accounts.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Progress MOVEit Transfer SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2023-34362
  comments: CVE-2023-34362 is a SQL injection vulnerability in a public-facing application.
    Adversaries have been observed to exploit this vulnerability to install malicious
    software on a target system, enabling them to discover system settings and information,
    enumerate the underlying SQL database, retrieve files, create administrator accounts,
    and delete accounts.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Progress MOVEit Transfer SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2023-34362
  comments: CVE-2023-34362 is a SQL injection vulnerability in a public-facing application.
    Adversaries have been observed to exploit this vulnerability to install malicious
    software on a target system, enabling them to discover system settings and information,
    enumerate the underlying SQL database, retrieve files, create administrator accounts,
    and delete accounts.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
- attack_object_id: T1082
  attack_object_name: System Information Discovery
  capability_description: Progress MOVEit Transfer SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2023-34362
  comments: CVE-2023-34362 is a SQL injection vulnerability in a public-facing application.
    Adversaries have been observed to exploit this vulnerability to install malicious
    software on a target system, enabling them to discover system settings and information,
    enumerate the underlying SQL database, retrieve files, create administrator accounts,
    and delete accounts.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Progress MOVEit Transfer SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2023-34362
  comments: CVE-2023-34362 is a SQL injection vulnerability in a public-facing application.
    Adversaries have been observed to exploit this vulnerability to install malicious
    software on a target system, enabling them to discover system settings and information,
    enumerate the underlying SQL database, retrieve files, create administrator accounts,
    and delete accounts.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Progress MOVEit Transfer SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2023-34362
  comments: CVE-2023-34362 is a SQL injection vulnerability in a public-facing application.
    Adversaries have been observed to exploit this vulnerability to install malicious
    software on a target system, enabling them to discover system settings and information,
    enumerate the underlying SQL database, retrieve files, create administrator accounts,
    and delete accounts.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Progress MOVEit Transfer SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2023-34362
  comments: CVE-2023-34362 is a SQL injection vulnerability in a public-facing application.
    Adversaries have been observed to exploit this vulnerability to install malicious
    software on a target system, enabling them to discover system settings and information,
    enumerate the underlying SQL database, retrieve files, create administrator accounts,
    and delete accounts.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
- attack_object_id: T1601
  attack_object_name: Modify System Image
  capability_description: Fortinet FortiOS Arbitrary File Download
  capability_group: access_ctrl
  capability_id: CVE-2021-44168
  comments: 'CVE-2021-44168 is an unverified update download vulnerability that can
    be exploited by adversaries with local access who create specially crafted download
    packages.'
  mapping_type: primary_impact
  references:
  - https://www.fortiguard.com/psirt/FG-IR-21-201
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Fortinet FortiOS Arbitrary File Download
  capability_group: access_ctrl
  capability_id: CVE-2021-44168
  comments: 'CVE-2021-44168 is an unverified update download vulnerability that can
    be exploited by adversaries with local access who create specially crafted download
    packages.'
  mapping_type: exploitation_technique
  references:
  - https://www.fortiguard.com/psirt/FG-IR-21-201
- attack_object_id: T1098.004
  attack_object_name: SSH Authorized Keys
  capability_description: Fortinet Multiple Products Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-40684
  comments: 'This authentication bypass vulnerability allows an adversary to create
    an admin SSH key via any HTTP method.'
  mapping_type: primary_impact
  references:
  - https://www.horizon3.ai/attack-research/attack-blogs/fortinet-iocs-cve-2022-40684
  - https://www.horizon3.ai/attack-research/attack-blogs/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Fortinet Multiple Products Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-40684
  comments: 'This authentication bypass vulnerability allows an adversary to create
    an admin SSH key via any HTTP method.'
  mapping_type: exploitation_technique
  references:
  - https://www.horizon3.ai/attack-research/attack-blogs/fortinet-iocs-cve-2022-40684
  - https://www.horizon3.ai/attack-research/attack-blogs/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684
- attack_object_id: T1049
  attack_object_name: System Network Connections Discovery
  capability_description: Fortinet FortiOS Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2022-41328
  comments: 'CVE-2022-41328 is a path traversal vulnerability that allows a privileged
    attacker to read and write files on the underlying Linux system via crafted
    CLI commands. Adversaries have been observed modifying files that establish persistence
    upon boot. The malicious files provide the adversaries with the capabilities of:
    data exfiltration, download/write files, remote shell, and discovery of network
    connections.'
  mapping_type: secondary_impact
  references:
  - https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Fortinet FortiOS Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2022-41328
  comments: 'CVE-2022-41328 is a path traversal vulnerability that allows a privileged
    attacker to read and write files on the underlying Linux system via crafted
    CLI commands. Adversaries have been observed modifying files that establish persistence
    upon boot. The malicious files provide the adversaries with the capabilities of:
    data exfiltration, download/write files, remote shell, and discovery of network
    connections.'
  mapping_type: secondary_impact
  references:
  - https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
- attack_object_id: T1037
  attack_object_name: Boot or Logon Initialization Scripts
  capability_description: Fortinet FortiOS Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2022-41328
  comments: 'CVE-2022-41328 is a path traversal vulnerability that allows a privileged
    attacker to read and write files on the underlying Linux system via crafted
    CLI commands. Adversaries have been observed modifying files that establish persistence
    upon boot. The malicious files provide the adversaries with the capabilities of:
    data exfiltration, download/write files, remote shell, and discovery of network
    connections.'
  mapping_type: primary_impact
  references:
  - https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Fortinet FortiOS Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2022-41328
  comments: 'CVE-2022-41328 is a path traversal vulnerability that allows a privileged
    attacker to read and write files on the underlying Linux system via crafted
    CLI commands. Adversaries have been observed modifying files that establish persistence
    upon boot. The malicious files provide the adversaries with the capabilities of:
    data exfiltration, download/write files, remote shell, and discovery of network
    connections.'
  mapping_type: exploitation_technique
  references:
  - https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-42475
  comments: 'CVE-2022-42475 is a remotely exploitable heap overflow vulnerability.
    Adversaries have been observed exploiting this vulnerability to deliver malicious
    software to the target device.


    This malicious software has been observed to have anti-debugging and command-and-control
    capabilities (over HTTP).'
  mapping_type: secondary_impact
  references:
  - https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd
  - https://cloud.google.com/blog/topics/threat-intelligence/chinese-actors-exploit-fortios-flaw
- attack_object_id: T1622
  attack_object_name: Debugger Evasion
  capability_description: Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-42475
  comments: 'CVE-2022-42475 is a remotely exploitable heap overflow vulnerability.
    Adversaries have been observed exploiting this vulnerability to deliver malicious
    software to the target device.


    This malicious software has been observed to have anti-debugging and command-and-control
    capabilities (over HTTP).'
  mapping_type: secondary_impact
  references:
  - https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd
  - https://cloud.google.com/blog/topics/threat-intelligence/chinese-actors-exploit-fortios-flaw
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-42475
  comments: 'CVE-2022-42475 is a remotely exploitable heap overflow vulnerability.
    Adversaries have been observed exploiting this vulnerability to deliver malicious
    software to the target device.


    This malicious software has been observed to have anti-debugging and command-and-control
    capabilities (over HTTP).'
  mapping_type: primary_impact
  references:
  - https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd
  - https://cloud.google.com/blog/topics/threat-intelligence/chinese-actors-exploit-fortios-flaw
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-42475
  comments: 'CVE-2022-42475 is a remotely exploitable heap overflow vulnerability.
    Adversaries have been observed exploiting this vulnerability to deliver malicious
    software to the target device.


    This malicious software has been observed to have anti-debugging and command-and-control
    capabilities (over HTTP).'
  mapping_type: exploitation_technique
  references:
  - https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd
  - https://cloud.google.com/blog/topics/threat-intelligence/chinese-actors-exploit-fortios-flaw
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Fortinet FortiClient EMS SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2023-48788
  comments: This is an SQL injection vulnerability that can be exploited to execute
    remote code via specially crafted HTTP requests. Adversaries have been observed
    using this exploit to deploy tools on the target machine.
  mapping_type: secondary_impact
  references:
  - https://redcanary.com/blog/threat-intelligence/cve-2023-48788/
  - https://www.esentire.com/security-advisories/widespread-exploitation-of-fortinet-vulnerability-cve-2023-48788
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Fortinet FortiClient EMS SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2023-48788
  comments: This is an SQL injection vulnerability that can be exploited to execute
    remote code via specially crafted HTTP requests. Adversaries have been observed
    using this exploit to deploy tools on the target machine.
  mapping_type: primary_impact
  references:
  - https://redcanary.com/blog/threat-intelligence/cve-2023-48788/
  - https://www.esentire.com/security-advisories/widespread-exploitation-of-fortinet-vulnerability-cve-2023-48788
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Fortinet FortiClient EMS SQL Injection Vulnerability
  capability_group: sql_injection
  capability_id: CVE-2023-48788
  comments: This is an SQL injection vulnerability that can be exploited to execute
    remote code via specially crafted HTTP requests. Adversaries have been observed
    using this exploit to deploy tools on the target machine.
  mapping_type: exploitation_technique
  references:
  - https://redcanary.com/blog/threat-intelligence/cve-2023-48788/
  - https://www.esentire.com/security-advisories/widespread-exploitation-of-fortinet-vulnerability-cve-2023-48788
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Fortinet FortiOS Out-of-Bound Write Vulnerability
  capability_group: oob
  capability_id: CVE-2024-21762
  comments: This vulnerability allows adversaries to execute arbitrary code via specially
    crafted HTTP requests that trigger an out-of-bounds write.
  mapping_type: exploitation_technique
  references:
  - https://www.tenable.com/blog/cve-2024-21762-critical-fortinet-fortios-out-of-bound-write-ssl-vpn-vulnerability
  - https://github.com/h4x0r-dz/CVE-2024-21762
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Fortinet FortiOS Out-of-Bound Write Vulnerability
  capability_group: oob
  capability_id: CVE-2024-21762
  comments: This vulnerability allows adversaries to execute arbitrary code via specially
    crafted HTTP requests that trigger an out-of-bounds write.
  mapping_type: exploitation_technique
  references:
  - https://www.tenable.com/blog/cve-2024-21762-critical-fortinet-fortios-out-of-bound-write-ssl-vpn-vulnerability
  - https://github.com/h4x0r-dz/CVE-2024-21762
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-27997
  comments: 'This buffer overflow vulnerability allows adversaries to remotely execute
    arbitrary code via specially crafted requests.


    Adversaries have been observed adding accounts to config files.'
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/blog/post/2023/06/12/etr-cve-2023-27997-critical-fortinet-fortigate-remote-code-execution-vulnerability/
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-27997
  comments: 'This buffer overflow vulnerability allows adversaries to remotely execute
    arbitrary code via specially crafted requests.


    Adversaries have been observed adding accounts to config files.'
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2023/06/12/etr-cve-2023-27997-critical-fortinet-fortigate-remote-code-execution-vulnerability/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-27997
  comments: 'This buffer overflow vulnerability allows adversaries to remotely execute
    arbitrary code via specially crafted requests.


    Adversaries have been observed adding accounts to config files.'
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2023/06/12/etr-cve-2023-27997-critical-fortinet-fortigate-remote-code-execution-vulnerability/
- attack_object_id: T1055
  attack_object_name: Process Injection
  capability_description: Citrix NetScaler ADC and NetScaler Gateway Code Injection
    Vulnerability
  capability_group: code_injection
  capability_id: CVE-2023-6548
  comments: This vulnerability allows for authenticated (low-privilege) remote code
    execution via code injection.
  mapping_type: exploitation_technique
  references:
  - https://digital.nhs.uk/cyber-alerts/2024/cc-4525
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Citrix NetScaler ADC and NetScaler Gateway Code Injection
    Vulnerability
  capability_group: code_injection
  capability_id: CVE-2023-3519
  comments: This vulnerability allows for unauthenticated remote code execution. It
    can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries
    have been observed using this exploit to drop a webshell on a target machine
    and subsequently discover, collect, and exfiltrate Active Directory data.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a
  - https://packetstormsecurity.com/files/173997/Citrix-ADC-NetScaler-Remote-Code-Execution.html
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Citrix NetScaler ADC and NetScaler Gateway Code Injection
    Vulnerability
  capability_group: code_injection
  capability_id: CVE-2023-3519
  comments: This vulnerability allows for unauthenticated remote code execution. It
    can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries
    have been observed using this exploit to drop a webshell on a target machine
    and subsequently discover, collect, and exfiltrate Active Directory data.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a
  - https://packetstormsecurity.com/files/173997/Citrix-ADC-NetScaler-Remote-Code-Execution.html
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Citrix NetScaler ADC and NetScaler Gateway Code Injection
    Vulnerability
  capability_group: code_injection
  capability_id: CVE-2023-3519
  comments: This vulnerability allows for unauthenticated remote code execution. It
    can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries
    have been observed using this exploit to drop a webshell on a target machine
    and subsequently discover, collect, and exfiltrate Active Directory data.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a
  - https://packetstormsecurity.com/files/173997/Citrix-ADC-NetScaler-Remote-Code-Execution.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Citrix NetScaler ADC and NetScaler Gateway Code Injection
    Vulnerability
  capability_group: code_injection
  capability_id: CVE-2023-3519
  comments: This vulnerability allows for unauthenticated remote code execution. It
    can be exploited via an HTTP GET request that triggers a stack buffer overflow. Adversaries
    have been observed using this exploit to drop a webshell on a target machine
    and subsequently discover, collect, and exfiltrate Active Directory data.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a
  - https://packetstormsecurity.com/files/173997/Citrix-ADC-NetScaler-Remote-Code-Execution.html
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow
    Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-6549
  comments: This buffer overflow vulnerability can be exploited to cause a denial
    of service.
  mapping_type: primary_impact
  references:
  - https://arcticwolf.com/resources/blog/cve-2023-6548-cve-2023-6549-dos-and-rce-vulnerabilities-exploited-in-citrix-netscaler-adc-and-netscaler-gateway/
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow
    Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-6549
  comments: This buffer overflow vulnerability can be exploited to cause a denial
    of service.
  mapping_type: exploitation_technique
  references:
  - https://arcticwolf.com/resources/blog/cve-2023-6548-cve-2023-6549-dos-and-rce-vulnerabilities-exploited-in-citrix-netscaler-adc-and-netscaler-gateway/
- attack_object_id: T1134.001
  attack_object_name: Token Impersonation/Theft
  capability_description: Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow
    Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-4966
  comments: This is a buffer overflow vulnerability that results in unauthorized disclosure
    of memory, including session tokens.
  mapping_type: secondary_impact
  references:
  - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
  - https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow
    Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-4966
  comments: This is a buffer overflow vulnerability that results in unauthorized disclosure
    of memory, including session tokens.
  mapping_type: primary_impact
  references:
  - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
  - https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow
    Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-4966
  comments: 'This is a buffer overflow vulnerability that results in unauthorized
    disclosure of memory, including session tokens.'
  mapping_type: exploitation_technique
  references:
  - https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
  - https://www.cisa.gov/guidance-addressing-citrix-netscaler-adc-and-gateway-vulnerability-cve-2023-4966-citrix-bleed
- attack_object_id: T1542.005
  attack_object_name: TFTP Boot
  capability_description: Cisco IOS and IOS XE Software SNMP Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2017-6742
  comments: "CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability\
    \ in Cisco products related to a buffer overflow condition in the SNMP subsystem.\
    \ \nReported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance,\
    \ enumerate router interfaces and deploy custom malware known as \"Jaguar Tooth\"\
    , as detailed in the NCSC\u2019s Jaguar Tooth malware analysis report. This malware\
    \ obtains further device information which is then exfiltrated over trivial file\
    \ transfer protocol (TFTP) and enables unauthenticated access via a backdoor."
  mapping_type: secondary_impact
  references:
  - https://digital.nhs.uk/cyber-alerts/2023/cc-4303
  - https://cyble.com/blog/cisco-routers-exploited-by-russian-state-sponsored-attackers/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Cisco IOS and IOS XE Software SNMP Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2017-6742
  comments: "CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability\
    \ in Cisco products related to a buffer overflow condition in the SNMP subsystem.\
    \ \nReported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance,\
    \ enumerate router interfaces and deploy custom malware known as \"Jaguar Tooth\"\
    , as detailed in the NCSC\u2019s Jaguar Tooth malware analysis report. This malware\
    \ obtains further device information which is then exfiltrated over trivial file\
    \ transfer protocol (TFTP) and enables unauthenticated access via a backdoor."
  mapping_type: primary_impact
  references:
  - https://digital.nhs.uk/cyber-alerts/2023/cc-4303
  - https://cyble.com/blog/cisco-routers-exploited-by-russian-state-sponsored-attackers/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Cisco IOS and IOS XE Software SNMP Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2017-6742
  comments: "CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability\
    \ in Cisco products related to a buffer overflow condition in the SNMP subsystem.\
    \ \nReported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance,\
    \ enumerate router interfaces and deploy custom malware known as \"Jaguar Tooth\"\
    , as detailed in the NCSC\u2019s Jaguar Tooth malware analysis report. This malware\
    \ obtains further device information which is then exfiltrated over trivial file\
    \ transfer protocol (TFTP) and enables unauthenticated access via a backdoor."
  mapping_type: exploitation_technique
  references:
  - https://digital.nhs.uk/cyber-alerts/2023/cc-4303
  - https://cyble.com/blog/cisco-routers-exploited-by-russian-state-sponsored-attackers/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
  capability_group: oob
  capability_id: CVE-2021-4034
  comments: The Polkit/Pwnkit vulnerability (CVE-2021-4034) is a critical vulnerability
    impacting every major Linux distribution. Its attack vector allows privilege escalation
    and can even give the attacker root access.
  mapping_type: exploitation_technique
  references:
  - https://www.crowdstrike.com/en-us/blog/hunting-pwnkit-local-privilege-escalation-in-linux/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- attack_object_id: T1090
  attack_object_name: Proxy
  capability_description: F5 BIG-IP and BIG-IQ Centralized Management iControl REST
    Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22986
  comments: The iControl REST interface has an unauthenticated remote command execution
    vulnerability. This vulnerability allows for unauthenticated attackers with network
    access to the iControl REST interface, through the BIG-IP management interface
    and self IP addresses, to execute arbitrary system commands, create or delete
    files, and disable services.
  mapping_type: primary_impact
  references:
  - https://github.com/Al1ex/CVE-2021-22986
  - https://www.jpcert.or.jp/english/at/2021/at210014.html
  - https://my.f5.com/manage/s/article/K03009991
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit
  capability_group: unrestricted_upload
  capability_id: CVE-2021-27860
  comments: 'CVE-2021-27860 is a vulnerability in the web management interface in
    FatPipe software. The vulnerability allowed APT actors to gain access to an unrestricted
    file upload function to drop a webshell for exploitation activity with root access,
    leading to elevated privileges and potential follow-on activity. Exploitation
    of this vulnerability then served as a jumping-off point into other infrastructure
    for the APT actors.'
  mapping_type: primary_impact
  references:
  - https://www.itnews.com.au/news/volt-typhoon-attacks-attributed-to-china-596209
  - https://www.ic3.gov/CSA/2021/211117-2.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Barracuda Networks ESG Appliance Improper Input Validation
    Vulnerability
  capability_group: input_validation
  capability_id: CVE-2023-2868
  comments: CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) was reportedly
    exploited for espionage and exfiltration by UNC4841, as attributed by Mandiant.
    Following exploitation of CVE-2023-2868, the SALTWATER, SEASPY, and SEASIDE malware
    were identified as being used in intrusions.
  mapping_type: secondary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/barracuda-esg-zero-day-attacks-linked-to-suspected-chinese-hackers/
  - https://www.securityweek.com/chinese-hackers-deliver-malware-to-barracuda-email-security-appliances-via-new-zero-day/
  - https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Barracuda Networks ESG Appliance Improper Input Validation
    Vulnerability
  capability_group: input_validation
  capability_id: CVE-2023-2868
  comments: CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) was reportedly
    exploited for espionage and exfiltration by UNC4841, as attributed by Mandiant.
    Following exploitation of CVE-2023-2868, the SALTWATER, SEASPY, and SEASIDE malware
    were identified as being used in intrusions.
  mapping_type: secondary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/barracuda-esg-zero-day-attacks-linked-to-suspected-chinese-hackers/
  - https://www.securityweek.com/chinese-hackers-deliver-malware-to-barracuda-email-security-appliances-via-new-zero-day/
  - https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Barracuda Networks ESG Appliance Improper Input Validation
    Vulnerability
  capability_group: input_validation
  capability_id: CVE-2023-2868
  comments: CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) was reportedly
    exploited for espionage and data exfiltration by UNC4841, the actor to which Mandiant
    attributed the activity. Following the exploitation of CVE-2023-2868, the malware
    families SALTWATER, SEASPY, and SEASIDE were identified as being used in intrusions.
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/barracuda-esg-zero-day-attacks-linked-to-suspected-chinese-hackers/
  - https://www.securityweek.com/chinese-hackers-deliver-malware-to-barracuda-email-security-appliances-via-new-zero-day/
  - https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Cisco IOS and IOS XE Software SNMP Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2017-6742
  comments: "CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability\
    \ in Cisco products related to a buffer overflow condition in the SNMP subsystem.\
    \ \nReported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance,\
    \ enumerate router interfaces and deploy custom malware known as \"Jaguar Tooth\"\
    , as detailed in the NCSC\u2019s Jaguar Tooth malware analysis report. This malware\
    \ obtains further device information which is then exfiltrated over trivial file\
    \ transfer protocol (TFTP) and enables unauthenticated access via a backdoor."
  mapping_type: secondary_impact
  references:
  - https://digital.nhs.uk/cyber-alerts/2023/cc-4303
  - https://cyble.com/blog/cisco-routers-exploited-by-russian-state-sponsored-attackers/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: F5 BIG-IP and BIG-IQ Centralized Management iControl REST
    Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22986
  comments: The iControl REST interface has an unauthenticated remote command execution
    vulnerability. This vulnerability allows for unauthenticated attackers with network
    access to the iControl REST interface, through the BIG-IP management interface
    and self IP addresses, to execute arbitrary system commands, create or delete
    files, and disable services.
  mapping_type: exploitation_technique
  references:
  - https://github.com/Al1ex/CVE-2021-22986
  - https://www.jpcert.or.jp/english/at/2021/at210014.html
  - https://my.f5.com/manage/s/article/K03009991
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit
  capability_group: unrestricted_upload
  capability_id: CVE-2021-27860
  comments: 'CVE-2021-27860 is a vulnerability in the web management interface in
    FatPipe software. The vulnerability allowed APT actors to gain access to an unrestricted
    file upload function to drop a webshell for exploitation activity with root access,
    leading to elevated privileges and potential follow-on activity. Exploitation
    of this vulnerability then served as a jumping off point into other infrastructure
    for the APT actors. '
  mapping_type: exploitation_technique
  references:
  - https://www.itnews.com.au/news/volt-typhoon-attacks-attributed-to-china-596209
  - https://www.ic3.gov/CSA/2021/211117-2.pdf
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Barracuda Networks ESG Appliance Improper Input Validation
    Vulnerability
  capability_group: input_validation
  capability_id: CVE-2023-2868
  comments: CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) was reportedly
    exploited for espionage and data exfiltration by UNC4841, the actor to which Mandiant
    attributed the activity. Following the exploitation of CVE-2023-2868, the malware
    families SALTWATER, SEASPY, and SEASIDE were identified as being used in intrusions.
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/barracuda-esg-zero-day-attacks-linked-to-suspected-chinese-hackers/
  - https://www.securityweek.com/chinese-hackers-deliver-malware-to-barracuda-email-security-appliances-via-new-zero-day/
  - https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Apache Log4j2 Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2021-45046
  comments: 'CVE-2021-45046 is a Log4j-related vulnerability that has been observed
    being used in cryptomining and ransomware operations. '
  mapping_type: secondary_impact
  references:
  - https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/
  - https://therecord.media/local-governments-allegedly-targeted-with-iranian-drokbk-malware-through-log4j-vulnerability
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Microsoft Netlogon Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2020-1472
  comments: "CVE-2020-1472 is an elevation of privilege vulnerability in Microsoft\u2019\
    s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched\
    \ Active Directory domain controllers and obtain domain administrator access. "
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-opportunistic-rhysida-ransomware-attacks/
  - https://therecord.media/cisa-cuba-ransomware-group-has-stolen-60-million-from-at-least-100-organizations
  - https://www.cisa.gov/news-events/alerts/2020/09/24/unpatched-domain-controllers-remain-vulnerable-netlogon-vulnerability#:~:text=The%20Cybersecurity%20and%20Infrastructure%20Security,and%20obtain%20domain%20administrator%20access.
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Microsoft Netlogon Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2020-1472
  comments: "CVE-2020-1472 is an elevation of privilege vulnerability in Microsoft\u2019\
    s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched\
    \ Active Directory domain controllers and obtain domain administrator access.\
    \ CVE-2020-1472 has been reported to be exploited by Ransomware groups for initial\
    \ access.  "
  mapping_type: secondary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-opportunistic-rhysida-ransomware-attacks/
  - https://therecord.media/cisa-cuba-ransomware-group-has-stolen-60-million-from-at-least-100-organizations
  - https://www.cisa.gov/news-events/alerts/2020/09/24/unpatched-domain-controllers-remain-vulnerable-netlogon-vulnerability#:~:text=The%20Cybersecurity%20and%20Infrastructure%20Security,and%20obtain%20domain%20administrator%20access.
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Netlogon Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2020-1472
  comments: "CVE-2020-1472 is an elevation of privilege vulnerability in Microsoft\u2019\
    s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched\
    \ Active Directory domain controllers and obtain domain administrator access. "
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-opportunistic-rhysida-ransomware-attacks/
  - https://therecord.media/cisa-cuba-ransomware-group-has-stolen-60-million-from-at-least-100-organizations
  - https://www.cisa.gov/news-events/alerts/2020/09/24/unpatched-domain-controllers-remain-vulnerable-netlogon-vulnerability#:~:text=The%20Cybersecurity%20and%20Infrastructure%20Security,and%20obtain%20domain%20administrator%20access.
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Microsoft Remote Desktop Services Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-0708
  comments: CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability
    present in the Windows Remote Desktop Services. BlueKeep can enable remote unauthenticated
    attackers to run arbitrary code, or conduct denial of service attacks, as well
    as potentially take control of vulnerable systems.
  mapping_type: secondary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a
  - https://www.bleepingcomputer.com/news/security/bluekeep-scanner-discovered-in-watchbog-cryptomining-malware/
- attack_object_id: T1059.004
  attack_object_name: Unix Shell
  capability_description: Microsoft Remote Desktop Services Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-0708
  comments: CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability
    present in the Windows Remote Desktop Services. BlueKeep can enable remote unauthenticated
    attackers to run arbitrary code, or conduct denial of service attacks, as well
    as potentially take control of vulnerable systems.
  mapping_type: primary_impact
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a
  - https://www.bleepingcomputer.com/news/security/bluekeep-scanner-discovered-in-watchbog-cryptomining-malware/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Sitecore XP Remote Command Execution Vulnerability
  capability_group: command_execution
  capability_id: CVE-2021-42237
  comments: 'CVE-2021-42237 is related to a remote code execution vulnerability through
    insecure deserialization. '
  mapping_type: primary_impact
  references:
  - https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3181261/nsa-cisa-fbi-reveal-top-cves-exploited-by-chinese-state-sponsored-actors/
  - https://www.cyber.gov.au/acsc/view-all-content/alerts/active-exploitation-vulnerable-sitecore-experience-platform-content-management-systems
  - https://www.bleepingcomputer.com/news/security/sitecore-xp-rce-flaw-patched-last-month-now-actively-exploited/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Apache Log4j2 Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2021-45046
  comments: 'CVE-2021-45046 is a Log4j-related vulnerability that could enable
    an attacker to cause Remote Code Execution or other effects in certain non-default
    configurations. This specific vulnerability has been reported to have been leveraged
    in cryptomining and ransomware operations. '
  mapping_type: primary_impact
  references:
  - https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/
  - https://therecord.media/local-governments-allegedly-targeted-with-iranian-drokbk-malware-through-log4j-vulnerability
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Microsoft Netlogon Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2020-1472
  comments: "CVE-2020-1472 is an elevation of privilege vulnerability in Microsoft\u2019\
    s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched\
    \ Active Directory domain controllers and obtain domain administrator access. "
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-opportunistic-rhysida-ransomware-attacks/
  - https://therecord.media/cisa-cuba-ransomware-group-has-stolen-60-million-from-at-least-100-organizations
  - https://msrc.microsoft.com/blog/2020/10/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/
  - https://www.cisa.gov/news-events/alerts/2020/09/24/unpatched-domain-controllers-remain-vulnerable-netlogon-vulnerability#:~:text=The%20Cybersecurity%20and%20Infrastructure%20Security,and%20obtain%20domain%20administrator%20access.
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Microsoft Remote Desktop Services Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2019-0708
  comments: CVE-2019-0708, also known as BlueKeep, is a remote code execution vulnerability
    present in the Windows Remote Desktop Services. BlueKeep can enable remote unauthenticated
    attackers to run arbitrary code, or conduct denial of service attacks, as well
    as potentially take control of vulnerable systems.
  mapping_type: exploitation_technique
  references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a
  - https://www.bleepingcomputer.com/news/security/bluekeep-scanner-discovered-in-watchbog-cryptomining-malware/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Cisco NX-OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2024-20399
  comments: 'This vulnerability is exploited by an attacker who has access to administrator
    credentials. The adversary leverages these credentials to execute arbitrary commands
    using root privileges. '
  mapping_type: primary_impact
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cmd-injection-xD9OhyOP
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Cisco NX-OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2024-20399
  comments: 'This vulnerability is exploited by an attacker who has access to administrator
    credentials. The adversary leverages these credentials to execute arbitrary commands
    using root privileges. '
  mapping_type: exploitation_technique
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-cmd-injection-xD9OhyOP
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds
    Write Vulnerability
  capability_group: oob
  capability_id: CVE-2023-20109
  comments: 'This vulnerability is exploited by an authenticated, remote attacker
    who has administrative control of either a group member or a key server to execute
    arbitrary code on an affected device or cause the device to crash. This vulnerability
    has been identified as being exploited in the wild by Chinese adversary groups. '
  mapping_type: primary_impact
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sx
  - https://www.darkreading.com/vulnerabilities-threats/new-cisco-ios-zero-day-delivers-a-double-punch
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds
    Write Vulnerability
  capability_group: oob
  capability_id: CVE-2023-20109
  comments: 'This vulnerability is exploited by an authenticated, remote attacker
    who has administrative control of either a group member or a key server to execute
    arbitrary code on an affected device or cause the device to crash. This vulnerability
    has been identified as being exploited in the wild by Chinese adversary groups. '
  mapping_type: primary_impact
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sx
  - https://www.darkreading.com/vulnerabilities-threats/new-cisco-ios-zero-day-delivers-a-double-punch
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds
    Write Vulnerability
  capability_group: oob
  capability_id: CVE-2023-20109
  comments: 'This vulnerability is exploited by an authenticated, remote attacker
    who has administrative control of either a group member or a key server to execute
    arbitrary code on an affected device or cause the device to crash. This vulnerability
    has been identified as being exploited in the wild by Chinese adversary groups. '
  mapping_type: exploitation_technique
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sx
  - https://www.darkreading.com/vulnerabilities-threats/new-cisco-ios-zero-day-delivers-a-double-punch
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Cisco Adaptive Security Appliance and Firepower Threat Defense
    Unauthorized Access Vulnerability
  capability_group: priv_mgmt
  capability_id: CVE-2023-20269
  comments: This vulnerability is exploited by an unauthenticated, remote attacker
    by specifying a default connection profile/tunnel group, enabling a brute-force
    attack to identify valid credentials and establish a clientless SSL VPN session
    using those valid credentials.
  mapping_type: primary_impact
  references:
  - https://www.kroll.com/en/insights/publications/cyber/akira-ransomware-deep-dive
  - https://blogs.cisco.com/security/akira-ransomware-targeting-vpns-without-multi-factor-authentication
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Cisco Adaptive Security Appliance and Firepower Threat Defense
    Unauthorized Access Vulnerability
  capability_group: priv_mgmt
  capability_id: CVE-2023-20269
  comments: This vulnerability is exploited by an unauthenticated, remote attacker
    by specifying a default connection profile/tunnel group, enabling a brute-force
    attack to identify valid credentials and establish a clientless SSL VPN session
    using those valid credentials.
  mapping_type: exploitation_technique
  references:
  - https://www.kroll.com/en/insights/publications/cyber/akira-ransomware-deep-dive
  - https://blogs.cisco.com/security/akira-ransomware-targeting-vpns-without-multi-factor-authentication
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Cisco ASA and FTD Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2024-20359
  comments: 'This vulnerability is exploited by an authenticated, local attacker in
    order to execute arbitrary code with root-level privileges by copying a crafted
    file to the disk0: file system. This is possible due to improper validation of
    a file when it is read from system flash memory. This vulnerability is associated
    with an attack campaign named ArcaneDoor in early 2024. This campaign targeted
    this vulnerability among others to implant malware, execute commands, and potentially
    exfiltrate data from compromised devices. '
  mapping_type: primary_impact
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h
  - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Cisco ASA and FTD Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2024-20359
  comments: 'This vulnerability is exploited by an authenticated, local attacker in
    order to execute arbitrary code with root-level privileges by copying a crafted
    file to the disk0: file system. This is possible due to improper validation of
    a file when it is read from system flash memory. This vulnerability is associated
    with an attack campaign named ArcaneDoor in early 2024. This campaign targeted
    this vulnerability among others to implant malware, execute commands, and potentially
    exfiltrate data from compromised devices. '
  mapping_type: exploitation_technique
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h
  - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2
- attack_object_id: T1608.001
  attack_object_name: Upload Malware
  capability_description: Cisco ASA and FTD Denial of Service Vulnerability
  capability_group: dos
  capability_id: CVE-2024-20353
  comments: 'This vulnerability is exploited by a remote, unauthenticated attacker
    by sending a crafted HTTP request to a vulnerable device''s web server. This exploitation
    is possible due to incomplete error checking when parsing HTTP headers. If successfully
    exploited, it can cause the device to reload unexpectedly, resulting in a denial
    of service (DoS) condition. This vulnerability is associated with an attack campaign
    named ArcaneDoor in early 2024. This campaign targeted this vulnerability among
    others to implant malware, execute commands, and potentially exfiltrate data from
    compromised devices. '
  mapping_type: secondary_impact
  references:
  - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
  - https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
- attack_object_id: T1653
  attack_object_name: Power Settings
  capability_description: Cisco ASA and FTD Denial of Service Vulnerability
  capability_group: dos
  capability_id: CVE-2024-20353
  comments: 'This vulnerability is exploited by a remote, unauthenticated attacker
    by sending a crafted HTTP request to a vulnerable device''s web server. This exploitation
    is possible due to incomplete error checking when parsing HTTP headers. If successfully
    exploited, it can cause the device to reload unexpectedly, resulting in a denial
    of service (DoS) condition. This vulnerability is associated with an attack campaign
    named ArcaneDoor in early 2024. This campaign targeted this vulnerability among
    others to implant malware, execute commands, and potentially exfiltrate data from
    compromised devices. '
  mapping_type: primary_impact
  references:
  - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
  - https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Cisco ASA and FTD Denial of Service Vulnerability
  capability_group: dos
  capability_id: CVE-2024-20353
  comments: 'This vulnerability is exploited by a remote, unauthenticated attacker
    by sending a crafted HTTP request to a vulnerable device''s web server. This exploitation
    is possible due to incomplete error checking when parsing HTTP headers. If successfully
    exploited, it can cause the device to reload unexpectedly, resulting in a denial
    of service (DoS) condition. In early 2024, the Cisco Product Security Incident
    Response Team (PSIRT) identified an attack campaign named ArcaneDoor, which targeted
    these vulnerabilities to implant malware, execute commands, and potentially exfiltrate
    data from compromised devices. '
  mapping_type: exploitation_technique
  references:
  - https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
  - https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_attacks_event_response
- attack_object_id: T1059.004
  attack_object_name: Unix Shell
  capability_description: Cisco Small Business RV Series Routers Stack-based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-20699
  comments: "This vulnerability is exploited by a remote, unauthenticated attacker\
    \ by \"sending a specially crafted HTTP request to a vulnerable device that is\
    \ acting as an SSL VPN Gateway.\u201D This can be performed due to insufficient\
    \ boundary checks when processing specific HTTP requests. If exploited, this could\
    \ grant root privileges to the attacker. "
  mapping_type: primary_impact
  references:
  - https://www.tenable.com/blog/cve-2022-20699-cve-2022-20700-cve-2022-20708-critical-flaws-in-cisco-small-business-rv-series
  - https://www.zerodayinitiative.com/advisories/ZDI-22-414/
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Cisco Small Business RV Series Routers Stack-based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-20699
  comments: "This vulnerability is exploited by a remote, unauthenticated attacker\
    \ by \"sending a specially crafted HTTP request to a vulnerable device that is\
    \ acting as an SSL VPN Gateway.\u201D This can be performed due to insufficient\
    \ boundary checks when processing specific HTTP requests. If exploited, this could\
    \ grant root privileges to the attacker. "
  mapping_type: exploitation_technique
  references:
  - https://www.tenable.com/blog/cve-2022-20699-cve-2022-20700-cve-2022-20708-critical-flaws-in-cisco-small-business-rv-series
  - https://www.zerodayinitiative.com/advisories/ZDI-22-414/
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
- attack_object_id: T1059.004
  attack_object_name: Unix Shell
  capability_description: Cisco Small Business RV Series Routers Stack-based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-20700
  comments: 'This vulnerability is exploited by a remote attacker who sends specific
    commands to a Cisco router that does not have sufficient authorization enforcement
    mechanisms in place. This could allow the remote attacker to gain root privileges
    and execute arbitrary commands on the system. '
  mapping_type: primary_impact
  references:
  - https://www.tenable.com/blog/cve-2022-20699-cve-2022-20700-cve-2022-20708-critical-flaws-in-cisco-small-business-rv-series
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Cisco Small Business RV Series Routers Stack-based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-20700
  comments: 'This vulnerability is exploited by a remote attacker who sends specific
    commands to a Cisco router that does not have sufficient authorization enforcement
    mechanisms in place. This could allow the remote attacker to gain root privileges
    and execute arbitrary commands on the system. '
  mapping_type: exploitation_technique
  references:
  - https://www.tenable.com/blog/cve-2022-20699-cve-2022-20700-cve-2022-20708-critical-flaws-in-cisco-small-business-rv-series
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Cisco Small Business RV Series Routers Stack-based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-20701
  comments: 'This insufficient authorization vulnerability is exploited by a local
    attacker who has access to low-privileged code where they then execute commands
    within confd_cli at higher privilege levels. Performing these commands could
    grant the local attacker root privileges. '
  mapping_type: primary_impact
  references:
  - https://www.zerodayinitiative.com/advisories/ZDI-22-412/
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Cisco Small Business RV Series Routers Stack-based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-20701
  comments: 'This insufficient authorization vulnerability is exploited by a local
    attacker who has access to low-privileged code where they then execute commands
    within confd_cli at higher privilege levels. Performing these commands could
    grant the local attacker root privileges. '
  mapping_type: exploitation_technique
  references:
  - https://www.zerodayinitiative.com/advisories/ZDI-22-412/
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Cisco Small Business RV Series Routers Stack-based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-20708
  comments: 'This vulnerability is exploited by bypassing user authentication mechanisms
    via a lack of proper validation of a user-supplied string before executing a system
    call. This could grant adversaries root access to execute arbitrary code. '
  mapping_type: primary_impact
  references:
  - https://www.tenable.com/blog/cve-2022-20699-cve-2022-20700-cve-2022-20708-critical-flaws-in-cisco-small-business-rv-series
  - https://thehackernews.com/2022/02/critical-flaws-discovered-in-cisco.html
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
  - https://www.zerodayinitiative.com/advisories/ZDI-22-417/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Cisco Small Business RV Series Routers Stack-based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-20708
  comments: 'This vulnerability is exploited by bypassing user authentication mechanisms
    via a lack of proper validation of a user-supplied string before executing a system
    call. This could grant adversaries root access to execute arbitrary code. '
  mapping_type: exploitation_technique
  references:
  - https://www.tenable.com/blog/cve-2022-20699-cve-2022-20700-cve-2022-20708-critical-flaws-in-cisco-small-business-rv-series
  - https://thehackernews.com/2022/02/critical-flaws-discovered-in-cisco.html
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
  - https://www.zerodayinitiative.com/advisories/ZDI-22-417/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: VMware vCenter Server File Upload Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2021-22005
  comments: This vulnerability is exploited by an adversary who can access the vCenter
    Server over the network. The adversary uploads a crafted file to the server's
    analytics service via port 443, exploiting the file upload vulnerability. This
    results in remote code execution on the host. Threat actors have been observed
    leveraging this vulnerability, identified as CVE-2021-22005, using code released
    by security researcher Jang, to gain unauthorized access to vCenter servers.
  mapping_type: primary_impact
  references:
  - https://arcticwolf.com/resources/blog/critical-vulnerability-in-vmware-vcenter-server-cve-2021-22005/
  - https://securityaffairs.com/122686/hacking/cve-2021-22005-exploit-vmware-vcenter.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: VMware vCenter Server File Upload Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2021-22005
  comments: This vulnerability is exploited by an adversary who can access the vCenter
    Server over the network. The adversary uploads a crafted file to the server's
    analytics service via port 443, exploiting the file upload vulnerability. This
    results in remote code execution on the host. Threat actors have been observed
    leveraging this vulnerability, identified as CVE-2021-22005, using code released
    by security researcher Jang, to gain unauthorized access to vCenter servers.
  mapping_type: exploitation_technique
  references:
  - https://arcticwolf.com/resources/blog/critical-vulnerability-in-vmware-vcenter-server-cve-2021-22005/
  - https://securityaffairs.com/122686/hacking/cve-2021-22005-exploit-vmware-vcenter.html
- attack_object_id: T1090.001
  attack_object_name: Internal Proxy
  capability_description: VMware vCenter Server Improper Access Control
  capability_group: access_ctrl
  capability_id: CVE-2021-22017
  comments: The vulnerability in Rhttproxy within VMware's vCenter Server arises from
    an improper implementation of URI normalization. Attackers with network access
    to port 443 on the vCenter Server exploit this flaw by sending specially crafted
    requests, allowing them to bypass the proxy mechanism. This exploitation grants
    unauthorized access to internal endpoints, potentially exposing sensitive information.
  mapping_type: primary_impact
  references:
  - https://www.securityweek.com/vmware-confirms-wild-exploitation-vcenter-server-vulnerability/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: VMware vCenter Server Improper Access Control
  capability_group: access_ctrl
  capability_id: CVE-2021-22017
  comments: The vulnerability in Rhttproxy within VMware's vCenter Server arises from
    an improper implementation of URI normalization. Attackers with network access
    to port 443 on the vCenter Server exploit this flaw by sending specially crafted
    requests, allowing them to bypass the proxy mechanism. This exploitation grants
    unauthorized access to internal endpoints, potentially exposing sensitive information.
  mapping_type: exploitation_technique
  references:
  - https://www.securityweek.com/vmware-confirms-wild-exploitation-vcenter-server-vulnerability/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Cisco IOS XR Open Port Vulnerability
  capability_group: other
  capability_id: CVE-2022-20821
  comments: 'This vulnerability is exploited by an unauthenticated, remote user who
    can access the Redis instance via port 6379 due to a health check RPM issue in
    IOS XR software. A successful exploitation of this vulnerability could allow an
    attacker the ability to write to the Redis in-memory database, write arbitrary
    files to the file system, or retrieve information about the Redis database. This
    vulnerability has been identified as being exploited in the wild, but specific
    details have not been released. '
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/zero-days-exploited-2022/
  - https://www.darkreading.com/cyberattacks-data-breaches/attackers-probing-zero-day-vulns-edge-infrastructure
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Cisco Small Business RV Series Routers Stack-based Buffer
    Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2022-20703
  comments: 'This Digital Signature Verification Bypass vulnerability is exploited
    by an unauthenticated, local attacker. The attacker exploits an improper verification
    of software images that could allow the attacker to install and boot malicious
    images or execute unsigned binaries. '
  mapping_type: exploitation_technique
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-smb-mult-vuln-KA9PK6D
  - https://www.zerodayinitiative.com/advisories/ZDI-22-408/
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: VMware vCenter Server and Cloud Foundation Server Side Request
    Forgery (SSRF) Vulnerability
  capability_group: ssrf
  capability_id: CVE-2021-21973
  comments: This vulnerability is exploited through an SSRF (Server Side Request Forgery)
    flaw in the vSphere Client (HTML5) of VMware's vCenter Server, affecting the vCenter
    Server plugin. Attackers leverage this vulnerability to gain unauthorized access
    by sending a crafted POST request to the vCenter Server plugin, thereby bypassing
    URL validation. This manipulation enables the disclosure of sensitive information.
    By exploiting this flaw, attackers can scan the company's internal network and
    retrieve specifics about open ports and services.
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: VMware vCenter Server and Cloud Foundation Server Side Request
    Forgery (SSRF) Vulnerability
  capability_group: ssrf
  capability_id: CVE-2021-21973
  comments: This vulnerability is exploited through an SSRF (Server Side Request Forgery)
    flaw in the vSphere Client (HTML5) of VMware's vCenter Server, affecting the vCenter
    Server plugin. Attackers leverage this vulnerability to gain unauthorized access
    by sending a crafted POST request to the vCenter Server plugin, thereby bypassing
    URL validation. This manipulation enables the disclosure of sensitive information.
    By exploiting this flaw, attackers can scan the company's internal network and
    retrieve specifics about open ports and services.
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html
- attack_object_id: T1588.001
  attack_object_name: Malware
  capability_description: VMware vCenter Server Out-of-Bounds Write Vulnerability
  capability_group: oob
  capability_id: CVE-2023-34048
  comments: 'This vulnerability is exploited by an adversary who has already gained
    network access to the vCenter Server. The adversary sends a crafted payload to
    the server that has a vulnerable DCERPC protocol and causes an out-of-bounds write
    on the jmp rax instruction. Adversary group UNC3886 has been attributed to leveraging
    this vulnerability in the wild to establish a backdoor in victim vCenter servers. '
  mapping_type: secondary_impact
  references:
  - https://www.vicarius.io/vsociety/posts/understanding-cve-2023-34048-a-zero-day-out-of-bound-write-in-vcenter-server
  - https://cloud.google.com/blog/topics/threat-intelligence/chinese-vmware-exploitation-since-2021/
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: VMware vCenter Server Out-of-Bounds Write Vulnerability
  capability_group: oob
  capability_id: CVE-2023-34048
  comments: 'This vulnerability is exploited by an adversary who has already gained
    network access to the vCenter Server. The adversary sends a crafted payload to
    the server that has a vulnerable DCERPC protocol and causes an out-of-bounds write
    on the jmp rax instruction. Adversary group UNC3886 has been attributed to leveraging
    this vulnerability in the wild to establish a backdoor in victim vCenter servers. '
  mapping_type: primary_impact
  references:
  - https://www.vicarius.io/vsociety/posts/understanding-cve-2023-34048-a-zero-day-out-of-bound-write-in-vcenter-server
  - https://cloud.google.com/blog/topics/threat-intelligence/chinese-vmware-exploitation-since-2021/
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: 'VMware vCenter Server Incorrect Default File Permissions
    Vulnerability '
  capability_group: default_cfg
  capability_id: CVE-2022-22948
  comments: 'This vulnerability is exploited by an adversary who has gained access
    to a valid account on the vCenter Server. The adversary can gain access to unencrypted
    Postgres credentials on the server, which grants the adversary access to the vCenter''s
    internal database where the vpxuser account passphrase is stored. Adversaries
    can leverage this information to decrypt the vpxuser password, which will grant
    them root privileges. '
  mapping_type: secondary_impact
  references:
  - https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
  - https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- attack_object_id: T1212
  attack_object_name: Exploitation for Credential Access
  capability_description: 'VMware vCenter Server Incorrect Default File Permissions
    Vulnerability '
  capability_group: default_cfg
  capability_id: CVE-2022-22948
  comments: 'This vulnerability is exploited by an adversary who has gained access
    to a valid account on the vCenter Server. The adversary can gain access to unencrypted
    Postgres credentials on the server, which grants the adversary access to the vCenter''s
    internal database where the vpxuser account passphrase is stored. Adversaries
    can leverage this information to decrypt the vpxuser password, which will grant
    them root privileges. '
  mapping_type: primary_impact
  references:
  - https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
  - https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: 'VMware vCenter Server Incorrect Default File Permissions
    Vulnerability '
  capability_group: default_cfg
  capability_id: CVE-2022-22948
  comments: 'This vulnerability is exploited by an adversary who has gained access
    to a valid account on the vCenter Server. The adversary can gain access to unencrypted
    Postgres credentials on the server, which grants the adversary access to the vCenter''s
    internal database where the vpxuser account passphrase is stored. Adversaries
    can leverage this information to decrypt the vpxuser password, which will grant
    them root privileges. '
  mapping_type: exploitation_technique
  references:
  - https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
  - https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/
- attack_object_id: T1608.001
  attack_object_name: Upload Malware
  capability_description: VMware ESXi Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2024-37085
  comments: This vulnerability is exploited by an adversary who has already exploited
    an ESXi system and gained access to a valid account. Using this account, the adversary
    creates a new AD group named "ESXi Admins" to which the ESXi hypervisor grants full
    admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest,
    and Manatee Tempest have leveraged this vulnerability to deploy ransomware known
    as Akira and Black Basta onto compromised environments.
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: VMware ESXi Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2024-37085
  comments: This vulnerability is exploited by an adversary who has already exploited
    an ESXi system and gained access to a valid account. Using this account, the adversary
    creates a new AD group named "ESXi Admins" to which the ESXi hypervisor grants full
    admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest,
    and Manatee Tempest have leveraged this vulnerability to deploy ransomware known
    as Akira and Black Basta onto compromised environments.
  mapping_type: primary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: VMware ESXi Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2024-37085
  comments: This vulnerability is exploited by an adversary who has already exploited
    an ESXi system and gained access to a valid account. Using this account, the adversary
    creates a new AD group named "ESXi Admins" to which the ESXi hypervisor grants full
    admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest,
    and Manatee Tempest have leveraged this vulnerability to deploy ransomware known
    as Akira and Black Basta onto compromised environments.
  mapping_type: exploitation_technique
  references:
  - https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2021-22900
  comments: This vulnerability is exploited through multiple unrestricted uploads.
    Adversaries with authenticated administrator privileges leverage this vulnerability
    to perform unauthorized file writes on the system via a maliciously crafted archive
    upload within the administrator web interface in Pulse Connect Secure.
  mapping_type: primary_impact
  references:
  - https://www.clouddefense.ai/cve/2021/CVE-2021-22900
  - https://forums.ivanti.com/s/article/SA44784?language=en_US
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2021-22900
  comments: This vulnerability is exploited through multiple unrestricted uploads.
    Adversaries with authenticated administrator privileges leverage this vulnerability
    to perform unauthorized file writes on the system via a maliciously crafted archive
    upload within the administrator web interface in Pulse Connect Secure.
  mapping_type: exploitation_technique
  references:
  - https://www.clouddefense.ai/cve/2021/CVE-2021-22900
  - https://forums.ivanti.com/s/article/SA44784?language=en_US
- attack_object_id: T1059.003
  attack_object_name: Windows Command Shell
  capability_description: Ivanti Pulse Connect Secure Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-22899
  comments: This vulnerability is exploited through a command injection weakness.
    Remote authenticated attackers leverage this vulnerability to perform arbitrary
    code execution on the target system via the Windows Resource Profiles Feature.
  mapping_type: primary_impact
  references:
  - https://www.clouddefense.ai/cve/2021/CVE-2021-22899
  - https://forums.ivanti.com/s/article/SA44784?language=en_US
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Ivanti Pulse Connect Secure Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2021-22899
  comments: This vulnerability is exploited through a command injection weakness.
    Remote authenticated attackers leverage this vulnerability to perform arbitrary
    code execution on the target system via the Windows Resource Profiles Feature.
  mapping_type: exploitation_technique
  references:
  - https://www.clouddefense.ai/cve/2021/CVE-2021-22899
  - https://forums.ivanti.com/s/article/SA44784?language=en_US
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Ivanti Pulse Connect Secure Collaboration Suite Buffer Overflow
    Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2021-22894
  comments: This vulnerability is exploited through a buffer overflow weakness. Remote
    authenticated attackers leverage this vulnerability to perform arbitrary code
    execution with root privileges on the Pulse Connect Secure gateway by manipulating
    input buffers.
  mapping_type: primary_impact
  references:
  - https://vuldb.com/?id.175985
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Ivanti Pulse Connect Secure Collaboration Suite Buffer Overflow
    Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2021-22894
  comments: This vulnerability is exploited through a buffer overflow weakness. Remote
    authenticated attackers leverage this vulnerability to perform arbitrary code
    execution with root privileges on the Pulse Connect Secure gateway by manipulating
    input buffers.
  mapping_type: exploitation_technique
  references:
  - https://vuldb.com/?id.175985
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Ivanti Pulse Connect Secure Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-22893
  comments: This vulnerability is exploited through an authentication bypass weakness
    in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse
    Connect Secure. Remote attackers leverage this vulnerability to achieve
    arbitrary code execution on the Pulse Connect Secure gateway by bypassing authentication
    controls. The threat actor group UNC2630 has utilized this flaw to harvest login
    credentials, allowing them to move laterally within affected environments.
  mapping_type: secondary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Ivanti Pulse Connect Secure Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-22893
  comments: This vulnerability is exploited through an authentication bypass weakness
    in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse
    Connect Secure. Remote attackers leverage this vulnerability to achieve
    arbitrary code execution on the Pulse Connect Secure gateway by bypassing authentication
    controls. The threat actor group UNC2630 has utilized this flaw to harvest login
    credentials, allowing them to move laterally within affected environments.
  mapping_type: primary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Ivanti Pulse Connect Secure Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2021-22893
  comments: This vulnerability is exploited through an authentication bypass weakness
    in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse
    Connect Secure. Remote attackers leverage this vulnerability to achieve
    arbitrary code execution on the Pulse Connect Secure gateway by bypassing authentication
    controls. The threat actor group UNC2630 has utilized this flaw to harvest login
    credentials, allowing them to move laterally within affected environments.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day/
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Ivanti Connect Secure and Policy Secure Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-46805
  comments: 'This vulnerability is exploited through an authentication bypass weakness
    in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote
    attackers leverage this vulnerability to gain unauthorized access by bypassing
    control checks. '
  mapping_type: secondary_impact
  references:
  - https://www.helpnetsecurity.com/2024/01/11/cve-2023-46805-cve-2024-21887/
  - https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Ivanti Connect Secure and Policy Secure Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-46805
  comments: 'This vulnerability is exploited through an authentication bypass weakness
    in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote
    attackers leverage this vulnerability to gain unauthorized access by bypassing
    control checks. '
  mapping_type: secondary_impact
  references:
  - https://www.helpnetsecurity.com/2024/01/11/cve-2023-46805-cve-2024-21887/
  - https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Ivanti Connect Secure and Policy Secure Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-46805
  comments: 'This vulnerability is exploited through an authentication bypass weakness
    in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote
    attackers leverage this vulnerability to gain unauthorized access by bypassing
    control checks. '
  mapping_type: primary_impact
  references:
  - https://www.helpnetsecurity.com/2024/01/11/cve-2023-46805-cve-2024-21887/
  - https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Ivanti Connect Secure and Policy Secure Authentication Bypass
    Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-46805
  comments: 'This vulnerability is exploited through an authentication bypass weakness
    in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote
    attackers leverage this vulnerability to gain unauthorized access by bypassing
    control checks. '
  mapping_type: exploitation_technique
  references:
  - https://www.helpnetsecurity.com/2024/01/11/cve-2023-46805-cve-2024-21887/
  - https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Ivanti Connect Secure and Policy Secure Command Injection
    Vulnerability
  capability_group: command_injection
  capability_id: CVE-2024-21887
  comments: This vulnerability is exploited through a command injection weakness in
    the web components of Ivanti Connect Secure and Ivanti Policy Secure. Attackers
    leverage this vulnerability to achieve remote code execution by sending specially
    crafted requests to vulnerable instances, potentially without requiring authentication
    when combined with other vulnerabilities. This manipulation allows attackers to
    execute arbitrary commands on the appliance, potentially enabling further exploitation
    and system compromise.
  mapping_type: primary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-zero-day-exploitation
  - https://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Ivanti Connect Secure and Policy Secure Command Injection
    Vulnerability
  capability_group: command_injection
  capability_id: CVE-2024-21887
  comments: This vulnerability is exploited through a command injection weakness in
    the web components of Ivanti Connect Secure and Ivanti Policy Secure. Attackers
    leverage this vulnerability to achieve remote code execution by sending specially
    crafted requests to vulnerable instances, potentially without requiring authentication
    when combined with other vulnerabilities. This manipulation allows attackers to
    execute arbitrary commands on the appliance, potentially enabling further exploitation
    and system compromise.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-zero-day-exploitation
  - https://packetstormsecurity.com/files/176668/Ivanti-Connect-Secure-Unauthenticated-Remote-Code-Execution.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Juniper Junos OS SRX Series Missing Authentication for Critical
    Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-36851
  comments: This vulnerability is exploited through a Missing Authentication for Critical
    Function weakness in Juniper Networks Junos OS on SRX Series devices. Attackers
    leverage this vulnerability to impact file system integrity by sending a crafted
    request to the `webauth_operation.php` endpoint, which does not require authentication.
    This manipulation allows attackers to cause limited impact to the file system
    integrity, potentially enabling further exploitation.
  mapping_type: primary_impact
  references:
  - https://www.cybersecuritydive.com/news/5-juniper-cves-exploited/699813/
  - https://securityaffairs.com/154128/security/cisa-juniper-flaws-known-exploited-vulnerabilities-catalog.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Juniper Junos OS SRX Series Missing Authentication for Critical
    Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-36851
  comments: This vulnerability is exploited through a Missing Authentication for Critical
    Function weakness in Juniper Networks Junos OS on SRX Series devices. Attackers
    leverage this vulnerability to impact file system integrity by sending a crafted
    request to the `webauth_operation.php` endpoint, which does not require authentication.
    This manipulation allows attackers to cause limited impact to the file system
    integrity, potentially enabling further exploitation.
  mapping_type: exploitation_technique
  references:
  - https://www.cybersecuritydive.com/news/5-juniper-cves-exploited/699813/
  - https://securityaffairs.com/154128/security/cisa-juniper-flaws-known-exploited-vulnerabilities-catalog.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Juniper Junos OS EX Series Missing Authentication for Critical
    Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-36847
  comments: This vulnerability is exploited through a Missing Authentication for Critical
    Function weakness in Juniper Networks Junos OS on EX Series devices. Attackers
    leverage this vulnerability to impact file system integrity by sending a crafted
    request to the `installAppPackage.php` endpoint, which does not require authentication.
    This manipulation allows the upload of arbitrary files via J-Web, leading to a
    loss of integrity for a certain part of the file system and enabling attackers
    to chain this vulnerability with others, potentially leading to further exploitation.
  mapping_type: primary_impact
  references:
  - https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Juniper Junos OS EX Series Missing Authentication for Critical
    Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-36847
  comments: This vulnerability is exploited through a Missing Authentication for Critical
    Function weakness in Juniper Networks Junos OS on EX Series devices. Attackers
    leverage this vulnerability to impact file system integrity by sending a crafted
    request to the `installAppPackage.php` endpoint, which does not require authentication.
    This manipulation allows the upload of arbitrary files via J-Web, leading to a
    loss of integrity for a certain part of the file system and enabling attackers
    to chain this vulnerability with others, potentially leading to further exploitation.
  mapping_type: exploitation_technique
  references:
  - https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Juniper Junos OS SRX Series Missing Authentication for Critical
    Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-36846
  comments: This vulnerability is exploited through a Missing Authentication for Critical
    Function weakness. Attackers leverage this vulnerability to impact file system
    integrity by sending a crafted request to the `user.php` endpoint, which does
    not require authentication. This manipulation allows the upload of arbitrary files,
    enabling attackers to chain this vulnerability with others, potentially leading
    to unauthenticated remote code execution.
  mapping_type: primary_impact
  references:
  - https://www.greenbone.net/en/blog/tracking-news-juniper-junos-vulnerabilities/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Juniper Junos OS SRX Series Missing Authentication for Critical
    Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-36846
  comments: This vulnerability is exploited through a Missing Authentication for Critical
    Function weakness. Attackers leverage this vulnerability to impact file system
    integrity by sending a crafted request to the `user.php` endpoint, which does
    not require authentication. This manipulation allows the upload of arbitrary files,
    enabling attackers to chain this vulnerability with others, potentially leading
    to unauthenticated remote code execution.
  mapping_type: exploitation_technique
  references:
  - https://www.greenbone.net/en/blog/tracking-news-juniper-junos-vulnerabilities/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Juniper Junos OS EX Series and SRX Series PHP External Variable
    Modification Vulnerability
  capability_group: other
  capability_id: CVE-2023-36845
  comments: This vulnerability is exploited through a PHP External Variable Modification
    flaw in the J-Web interface of Juniper Networks Junos OS, affecting EX Series
    switches and SRX Series firewalls. Attackers leverage this vulnerability to gain
    initial access by crafting a request that sets the PHPRC variable, thereby altering
    the PHP execution environment. This manipulation enables the injection and execution
    of arbitrary code. By exploiting the auto_prepend_file and allow_url_include PHP
    features, attackers can include a base64 encoded PHP payload using the data://
    wrapper. This method allows them to execute code within a confined FreeBSD jail
    environment, with the potential to escalate privileges by stealing authentication
    tokens from a user logged into the J-Web application, ultimately enabling unauthorized
    SSH access with elevated privileges.
  mapping_type: primary_impact
  references:
  - https://www.greenbone.net/en/blog/tracking-news-juniper-junos-vulnerabilities/
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-juniper-pre-auth-rce-exploit-chain/
  - https://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Juniper Junos OS EX Series and SRX Series PHP External Variable
    Modification Vulnerability
  capability_group: other
  capability_id: CVE-2023-36845
  comments: This vulnerability is exploited through a PHP External Variable Modification
    flaw in the J-Web interface of Juniper Networks Junos OS, affecting EX Series
    switches and SRX Series firewalls. Attackers leverage this vulnerability to gain
    initial access by crafting a request that sets the PHPRC variable, thereby altering
    the PHP execution environment. This manipulation enables the injection and execution
    of arbitrary code. By exploiting the auto_prepend_file and allow_url_include PHP
    features, attackers can include a base64 encoded PHP payload using the data://
    wrapper. This method allows them to execute code within a confined FreeBSD jail
    environment, with the potential to escalate privileges by stealing authentication
    tokens from a user logged into the J-Web application, ultimately enabling unauthorized
    SSH access with elevated privileges.
  mapping_type: exploitation_technique
  references:
  - https://www.greenbone.net/en/blog/tracking-news-juniper-junos-vulnerabilities/
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-juniper-pre-auth-rce-exploit-chain/
  - https://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Ivanti Connect Secure, Policy Secure, and Neurons Server-Side
    Request Forgery (SSRF) Vulnerability
  capability_group: ssrf
  capability_id: CVE-2024-21893
  comments: This vulnerability is exploited through a Server-Side Request Forgery
    (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy
    Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain
    unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint,
    which can be accessed without authentication. This manipulation allows attackers
    to interact with internal services, potentially enabling further exploitation
    by chaining with other vulnerabilities.
  mapping_type: secondary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Ivanti Connect Secure, Policy Secure, and Neurons Server-Side
    Request Forgery (SSRF) Vulnerability
  capability_group: ssrf
  capability_id: CVE-2024-21893
  comments: This vulnerability is exploited through a Server-Side Request Forgery
    (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy
    Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain
    unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint,
    which can be accessed without authentication. This manipulation allows attackers
    to interact with internal services, potentially enabling further exploitation
    by chaining with other vulnerabilities.
  mapping_type: secondary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Ivanti Connect Secure, Policy Secure, and Neurons Server-Side
    Request Forgery (SSRF) Vulnerability
  capability_group: ssrf
  capability_id: CVE-2024-21893
  comments: This vulnerability is exploited through a Server-Side Request Forgery
    (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy
    Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain
    unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint,
    which can be accessed without authentication. This manipulation allows attackers
    to interact with internal services, potentially enabling further exploitation
    by chaining with other vulnerabilities.
  mapping_type: primary_impact
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Ivanti Connect Secure, Policy Secure, and Neurons Server-Side
    Request Forgery (SSRF) Vulnerability
  capability_group: ssrf
  capability_id: CVE-2024-21893
  comments: This vulnerability is exploited through a Server-Side Request Forgery
    (SSRF) weakness in the SAML component of Ivanti Connect Secure, Ivanti Policy
    Secure, and Ivanti Neurons for ZTA. Attackers leverage this vulnerability to gain
    unauthorized access by sending a crafted request to the /dana-ws/saml.ws endpoint,
    which can be accessed without authentication. This manipulation allows attackers
    to interact with internal services, potentially enabling further exploitation
    by chaining with other vulnerabilities.
  mapping_type: exploitation_technique
  references:
  - https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-35078
  comments: This vulnerability is exploited through an unauthenticated API access
    flaw in Ivanti EPMM. Attackers initiate this vulnerability by leveraging the default
    internet-facing API configuration, allowing them to access restricted functionalities
    without authentication. Reports state that attackers who exploited this vulnerability
    gained access to personally identifiable information (PII) and added an administrator
    account on the affected EPMM server to allow for further system compromise.
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/blog/post/2023/07/26/etr-cve-2023-35078-critical-api-access-vulnerability-ivanti-in-endpoint-manager-mobile/
  - https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
  - https://unit42.paloaltonetworks.com/threat-brief-cve-2023-35078/
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-35078
  comments: This vulnerability is exploited through an unauthenticated API access
    flaw in Ivanti EPMM. Attackers initiate this vulnerability by leveraging the default
    internet-facing API configuration, allowing them to access restricted functionalities
    without authentication. Reports state that attackers who exploited this vulnerability
    gained access to personally identifiable information (PII) and added an administrator
    account on the affected EPMM server to allow for further system compromise.
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/blog/post/2023/07/26/etr-cve-2023-35078-critical-api-access-vulnerability-ivanti-in-endpoint-manager-mobile/
  - https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
  - https://unit42.paloaltonetworks.com/threat-brief-cve-2023-35078/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-35078
  comments: This vulnerability is exploited through an unauthenticated API access
    flaw in Ivanti EPMM. Attackers initiate this vulnerability by leveraging the default
    internet-facing API configuration, allowing them to access restricted functionalities
    without authentication. This enables them to extract personally identifiable information
    (PII) and perform administrative actions, such as creating new accounts and making
    configuration changes.
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2023/07/26/etr-cve-2023-35078-critical-api-access-vulnerability-ivanti-in-endpoint-manager-mobile/
  - https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
  - https://unit42.paloaltonetworks.com/threat-brief-cve-2023-35078/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2023-35081
  comments: 'This vulnerability is exploited through a path traversal flaw in Ivanti
    EPMM. Attackers initiate this vulnerability by leveraging authenticated administrative
    access to remotely write arbitrary files onto the server. This enables them to
    deploy additional payloads, potentially granting further access and compromising
    the system.'
  mapping_type: primary_impact
  references:
  - https://unit42.paloaltonetworks.com/threat-brief-cve-2023-35078/
  - https://www.thestack.technology/ivanti-patches-cve-2023-35081/
  - https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2023-35081
  comments: This vulnerability is exploited through a path traversal flaw in Ivanti
    EPMM. Attackers initiate this vulnerability by leveraging authenticated administrative
    access to remotely write arbitrary files onto the server. This enables them to
    deploy additional payloads, potentially granting further access and compromising
    the system. This vulnerability is often used in conjunction with CVE-2023-35078
    (along with others), which provides unauthenticated access, enhancing the attack's
    capabilities. It has been actively exploited, impacting victims by leveraging
    both vulnerabilities together.
  mapping_type: exploitation_technique
  references:
  - https://unit42.paloaltonetworks.com/threat-brief-cve-2023-35078/
  - https://www.thestack.technology/ivanti-patches-cve-2023-35081/
  - https://forums.ivanti.com/s/article/CVE-2023-35081-Arbitrary-File-Write?language=en_US
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Fortra GoAnywhere MFT Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-0669
  # NOTE(review): the CSRF framing below looks off — public analyses (see the
  # AttackerKB reference in this entry) describe CVE-2023-0669 as a pre-authentication
  # deserialization flaw in the License Response Servlet; confirm before relying on it.
  comments: 'This vulnerability is exploited through a cross-site request forgery
    (CSRF) flaw in GoAnywhere''s license installation process. Attackers initiate
    this vulnerability by leveraging the absence of CSRF protection, allowing them
    to execute remote code without authentication. This enables them to compromise
    targeted systems, facilitating ransomware attacks and unauthorized access. This
    vulnerability has been actively exploited, leading to ransomware attacks by the
    Clop group.'
  mapping_type: secondary_impact
  references:
  - https://www.darkreading.com/endpoint-security/massive-goanywhere-rce-exploit
  - https://www.darkreading.com/cyberattacks-data-breaches/fortra-discloses-critical-auth-bypass-vuln-in-goanywhere-mft
  - https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis
  - https://packetstormsecurity.com/files/171789/Goanywhere-Encryption-Helper-7.1.1-Remote-Code-Execution.html
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Fortra GoAnywhere MFT Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-0669
  comments: 'This vulnerability is exploited through a cross-site request forgery
    (CSRF) flaw in GoAnywhere''s license installation process. Attackers initiate
    this vulnerability by leveraging the absence of CSRF protection, allowing them
    to execute remote code without authentication. This enables them to compromise
    targeted systems, facilitating ransomware attacks and unauthorized access. This
    vulnerability has been actively exploited, leading to ransomware attacks by the
    Clop group.'
  mapping_type: primary_impact
  references:
  - https://www.darkreading.com/endpoint-security/massive-goanywhere-rce-exploit
  - https://www.darkreading.com/cyberattacks-data-breaches/fortra-discloses-critical-auth-bypass-vuln-in-goanywhere-mft
  - https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis
  - https://packetstormsecurity.com/files/171789/Goanywhere-Encryption-Helper-7.1.1-Remote-Code-Execution.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Fortra GoAnywhere MFT Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-0669
  comments: 'This vulnerability is exploited through a cross-site request forgery
    (CSRF) flaw in GoAnywhere''s license installation process. Attackers initiate
    this vulnerability by leveraging the absence of CSRF protection, allowing them
    to execute remote code without authentication. This enables them to compromise
    targeted systems, facilitating ransomware attacks and unauthorized access. This
    vulnerability has been actively exploited, leading to ransomware attacks by the
    Clop group.'
  mapping_type: exploitation_technique
  references:
  - https://www.darkreading.com/endpoint-security/massive-goanywhere-rce-exploit
  - https://www.darkreading.com/cyberattacks-data-breaches/fortra-discloses-critical-auth-bypass-vuln-in-goanywhere-mft
  - https://attackerkb.com/topics/mg883Nbeva/cve-2023-0669/rapid7-analysis
  - https://packetstormsecurity.com/files/171789/Goanywhere-Encryption-Helper-7.1.1-Remote-Code-Execution.html
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: HTTP/2 Rapid Reset Attack Vulnerability
  capability_group: other
  capability_id: CVE-2023-44487
  comments: This vulnerability is exploited through a 'Rapid Reset' flaw in HTTP/2
    endpoints. Attackers initiate this vulnerability by sending a crafted sequence
    of HTTP requests using HEADERS followed by RST_STREAM frames. This allows them
    to generate substantial traffic on targeted servers, significantly increasing
    CPU usage and leading to resource exhaustion without authentication.
  mapping_type: primary_impact
  references:
  - https://socradar.io/rapid-reset-ddos-attacks-rise-october-2023-patch-tuesday-has-arrived-cve-2023-36563-cve-2023-41763-cve-2023-44487/
  - https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
  - https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: HTTP/2 Rapid Reset Attack Vulnerability
  capability_group: other
  capability_id: CVE-2023-44487
  comments: This vulnerability is exploited through a 'Rapid Reset' flaw in HTTP/2
    endpoints. Attackers initiate this vulnerability by sending a crafted sequence
    of HTTP requests using HEADERS followed by RST_STREAM frames. This allows them
    to generate substantial traffic on targeted servers, significantly increasing
    CPU usage and leading to resource exhaustion without authentication.
  mapping_type: exploitation_technique
  references:
  - https://socradar.io/rapid-reset-ddos-attacks-rise-october-2023-patch-tuesday-has-arrived-cve-2023-36563-cve-2023-41763-cve-2023-44487/
  - https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
  - https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Juniper Junos OS EX Series PHP External Variable Modification
    Vulnerability
  capability_group: other
  capability_id: CVE-2023-36844
  comments: This vulnerability is exploited through a PHP External Variable Modification
    flaw in the J-Web component of Juniper Networks Junos OS on EX Series devices.
    Attackers first use this vulnerability to gain control over certain environment
    variables by sending a crafted request, which allows them to manipulate these
    variables without authentication.
  mapping_type: primary_impact
  references:
  - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
  - https://www.twingate.com/blog/tips/cve-2023-36844
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Juniper Junos OS EX Series PHP External Variable Modification
    Vulnerability
  capability_group: other
  capability_id: CVE-2023-36844
  comments: This vulnerability is exploited through a PHP External Variable Modification
    flaw in the J-Web component of Juniper Networks Junos OS on EX Series devices.
    Attackers first use this vulnerability to gain control over certain environment
    variables by sending a crafted request, which allows them to manipulate these
    variables without authentication.
  mapping_type: exploitation_technique
  references:
  # NOTE(review): the socradar link below is an HTTP/2 Rapid Reset (CVE-2023-44487)
  # article and appears unrelated to CVE-2023-36844 — likely a copy-paste error; confirm.
  - https://socradar.io/rapid-reset-ddos-attacks-rise-october-2023-patch-tuesday-has-arrived-cve-2023-36563-cve-2023-41763-cve-2023-44487/
  - https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
  - https://www.twingate.com/blog/tips/cve-2023-36844
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: ownCloud graphapi Information Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-49103
  comments: This vulnerability is exploited through an unauthenticated information
    disclosure flaw in the Graph API extension of ownCloud. Attackers first used this
    vulnerability to gain initial access by targeting the /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
    endpoint, which allowed them to leak sensitive information via the PHP function
    phpinfo. By modifying the requested URI to bypass Apache web server rewrite rules,
    attackers could access environment variables containing secrets, such as usernames,
    passwords, and license keys.
  mapping_type: primary_impact
  references:
  - https://arcticwolf.com/resources/blog/cve-2023-49103-cve-2023-49104-and-cve-2023-49105-multiple-critical-vulnerabilities-in-owncloud/
  - https://www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: ownCloud graphapi Information Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-49103
  comments: This vulnerability is exploited through an unauthenticated information
    disclosure flaw in the Graph API extension of ownCloud. Attackers first used this
    vulnerability to gain initial access by targeting the /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
    endpoint, which allowed them to leak sensitive information via the PHP function
    phpinfo. By modifying the requested URI to bypass Apache web server rewrite rules,
    attackers could access environment variables containing secrets, such as usernames,
    passwords, and license keys.
  mapping_type: primary_impact
  references:
  - https://arcticwolf.com/resources/blog/cve-2023-49103-cve-2023-49104-and-cve-2023-49105-multiple-critical-vulnerabilities-in-owncloud/
  - https://www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: ownCloud graphapi Information Disclosure Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-49103
  comments: This vulnerability is exploited through an unauthenticated information
    disclosure flaw in the Graph API extension of ownCloud. Attackers first used this
    vulnerability to gain initial access by targeting the /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
    endpoint, which allowed them to leak sensitive information via the PHP function
    phpinfo. By modifying the requested URI to bypass Apache web server rewrite rules,
    attackers could access environment variables containing secrets, such as usernames,
    passwords, and license keys.
  mapping_type: exploitation_technique
  references:
  - https://arcticwolf.com/resources/blog/cve-2023-49103-cve-2023-49104-and-cve-2023-49105-multiple-critical-vulnerabilities-in-owncloud/
  - https://www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Cisco IOS XE Web UI Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-20198
  comments: 'This vulnerability is exploited through improper access control in the
    Web User Interface feature of Cisco IOS XE software. Attackers first used this
    vulnerability to gain initial access by issuing a privilege level 15 command,
    which allowed them to create a local user account with a password.'
  mapping_type: primary_impact
  references:
  - https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
  - https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitation-of-cisco-ios-xe-zero-day-vulnerability/
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Cisco IOS XE Web UI Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-20198
  comments: 'This vulnerability is exploited through improper access control in the
    Web User Interface feature of Cisco IOS XE software. Attackers first used this
    vulnerability to gain initial access by issuing a privilege level 15 command,
    which allowed them to create a local user account with a password.'
  mapping_type: exploitation_technique
  references:
  - https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
  - https://www.rapid7.com/blog/post/2023/10/17/etr-cve-2023-20198-active-exploitation-of-cisco-ios-xe-zero-day-vulnerability/
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Atlassian Confluence Data Center and Server Broken Access
    Control Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-22515
  comments: "This vulnerability is exploited through improper input validation in\
    \ Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP\
    \ parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability\
    \ enables the creation of unauthorized Confluence administrator accounts and the\
    \ upload of malicious plugins, granting attackers the ability to modify Java objects\
    \ at runtime and execute arbitrary code. A nation-state actor known as Storm-0062\
    \ has been attributed to exploiting this vulnerability in the wild."
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
  - https://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Atlassian Confluence Data Center and Server Broken Access
    Control Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-22515
  comments: "This vulnerability is exploited through improper input validation in\
    \ Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP\
    \ parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability\
    \ enables the creation of unauthorized Confluence administrator accounts and the\
    \ upload of malicious plugins, granting attackers the ability to modify Java objects\
    \ at runtime and execute arbitrary code. A nation-state actor known as Storm-0062\
    \ has been attributed to exploiting this vulnerability in the wild."
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
  - https://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Atlassian Confluence Data Center and Server Broken Access
    Control Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-22515
  comments: "This vulnerability is exploited through improper input validation in\
    \ Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP\
    \ parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability\
    \ enables the creation of unauthorized Confluence administrator accounts and the\
    \ upload of malicious plugins, granting attackers the ability to modify Java objects\
    \ at runtime and execute arbitrary code. A nation-state actor known as Storm-0062\
    \ has been attributed to exploiting this vulnerability in the wild."
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
  - https://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Atlassian Confluence Data Center and Server Broken Access
    Control Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-22515
  comments: "This vulnerability is exploited through improper input validation in\
    \ Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP\
    \ parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability\
    \ enables the creation of unauthorized Confluence administrator accounts and the\
    \ upload of malicious plugins, granting attackers the ability to modify Java objects\
    \ at runtime and execute arbitrary code. A nation-state actor known as Storm-0062\
    \ has been attributed to exploiting this vulnerability in the wild."
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
  - https://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Atlassian Confluence Data Center and Server Broken Access
    Control Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2023-22515
  comments: "This vulnerability is exploited through improper input validation in\
    \ Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP\
    \ parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability\
    \ enables the creation of unauthorized Confluence administrator accounts and the\
    \ upload of malicious plugins, granting attackers the ability to modify Java objects\
    \ at runtime and execute arbitrary code. A nation-state actor known as Storm-0062\
    \ has been attributed to exploiting this vulnerability in the wild."
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
  - https://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Cisco IOS XE Web UI Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-20273
  comments: 'This vulnerability is exploited through improper privilege escalation
    in the Web User Interface feature of Cisco IOS XE software. Attackers first used
    this vulnerability to elevate privileges from a normal user to root by leveraging
    a newly created local user account. This allowed them to write malicious implants
    to the file system that enable them to execute arbitrary commands.


    This CVE was exploited after the adversary exploited CVE-2023-20198.'
  mapping_type: secondary_impact
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
  - https://www.bleepingcomputer.com/news/security/cisco-discloses-new-ios-xe-zero-day-exploited-to-deploy-malware-implant/
  - https://www.darkreading.com/application-security/cisco-zero-day-bug-patches-in-days
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Cisco IOS XE Web UI Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-20273
  comments: 'This vulnerability is exploited through improper privilege escalation
    in the Web User Interface feature of Cisco IOS XE software. Attackers first used
    this vulnerability to elevate privileges from a normal user to root by leveraging
    a newly created local user account. This allowed them to write malicious implants
    to the file system that enable them to execute arbitrary commands.


    This CVE was exploited after the adversary exploited CVE-2023-20198.'
  mapping_type: primary_impact
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
  - https://www.bleepingcomputer.com/news/security/cisco-discloses-new-ios-xe-zero-day-exploited-to-deploy-malware-implant/
  - https://www.darkreading.com/application-security/cisco-zero-day-bug-patches-in-days
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Cisco IOS XE Web UI Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-20273
  comments: 'This vulnerability is exploited through improper privilege escalation
    in the Web User Interface feature of Cisco IOS XE software. Attackers first used
    this vulnerability to elevate privileges from a normal user to root by leveraging
    a newly created local user account. This allowed them to write an implant to the
    file system, further compromising the device.


    This CVE was exploited after the adversary exploited CVE-2023-20198.'
  mapping_type: exploitation_technique
  references:
  - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
  - https://www.bleepingcomputer.com/news/security/cisco-discloses-new-ios-xe-zero-day-exploited-to-deploy-malware-implant/
  - https://www.darkreading.com/application-security/cisco-zero-day-bug-patches-in-days
- attack_object_id: T1059.003
  attack_object_name: Windows Command Shell
  capability_description: JetBrains TeamCity Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-42793
  comments: This vulnerability is exploited through an authentication bypass in JetBrains
    TeamCity, allowing remote attackers with HTTP(S) access to perform unauthorized
    remote code execution. This vulnerability enables attackers to gain administrative
    control of the TeamCity server and execute cmd.exe for various malicious activities,
    including downloading and executing harmful files.
  mapping_type: primary_impact
  references:
  - http://packetstormsecurity.com/files/174860/JetBrains-TeamCity-Unauthenticated-Remote-Code-Execution.html
  - https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: JetBrains TeamCity Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-42793
  comments: This vulnerability is exploited through an authentication bypass in JetBrains
    TeamCity, allowing remote attackers with HTTP(S) access to perform unauthorized
    remote code execution. This vulnerability enables attackers to gain administrative
    control of the TeamCity server and execute cmd.exe for various malicious activities,
    including downloading and executing harmful files.
  mapping_type: exploitation_technique
  references:
  - http://packetstormsecurity.com/files/174860/JetBrains-TeamCity-Unauthenticated-Remote-Code-Execution.html
  - https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: PHP-CGI OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2024-4577
  comments: CVE-2024-4577 is a PHP argument injection vulnerability that allows an
    adversary to execute arbitrary PHP commands.
  mapping_type: primary_impact
  references:
  - https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: PHP-CGI OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2024-4577
  comments: CVE-2024-4577 is a PHP argument injection vulnerability that allows an
    adversary to execute arbitrary PHP commands.
  mapping_type: exploitation_technique
  references:
  - https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Google Chromium Visuals Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2024-4671
  comments: CVE-2024-4671 is a use-after-free vulnerability where an adversary can
    perform a sandbox escape via a maliciously-crafted HTML page.
  mapping_type: primary_impact
  references:
  - https://security-tracker.debian.org/tracker/CVE-2024-4671
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Google Chromium Visuals Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2024-4671
  comments: CVE-2024-4671 is a use-after-free vulnerability where an adversary can
    perform a sandbox escape via a maliciously-crafted HTML page.
  mapping_type: exploitation_technique
  references:
  - https://security-tracker.debian.org/tracker/CVE-2024-4671
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Google Chromium V8 Out-of-Bounds Memory Write Vulnerability
  capability_group: oob
  capability_id: CVE-2024-4761
  comments: 'CVE-2024-4761 is an out-of-bounds write vulnerability that allows a remote
    attacker to perform an out-of-bounds memory write via a crafted HTML page.'
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2024/05/new-chrome-zero-day-vulnerability-cve.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: ServiceNow Improper Input Validation Vulnerability
  capability_group: input_validation
  capability_id: CVE-2024-4879
  comments: CVE-2024-4879 is a Template Injection Vulnerability in ServiceNow UI Macros.
    When ServiceNow instances are installed public-facing instead of internally, they
    can be exploited for arbitrary code execution. Adversaries have been observed
    selling data exfiltrated through this exploit.
  mapping_type: primary_impact
  references:
  - https://help.bitsighttech.com/hc/en-us/articles/25374585979031-ServiceNow-Vulnerability-Chain-CVE-2024-4879-CVE-2024-5217-CVE-2024-5178-August-2-2024
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: ServiceNow Improper Input Validation Vulnerability
  capability_group: input_validation
  capability_id: CVE-2024-4879
  comments: CVE-2024-4879 is a Template Injection Vulnerability in ServiceNow UI Macros.
    When ServiceNow instances are installed public-facing instead of internally, they
    can be exploited for arbitrary code execution. Adversaries have been observed
    selling data exfiltrated through this exploit.
  mapping_type: exploitation_technique
  references:
  - https://help.bitsighttech.com/hc/en-us/articles/25374585979031-ServiceNow-Vulnerability-Chain-CVE-2024-4879-CVE-2024-5217-CVE-2024-5178-August-2-2024
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Google Chromium V8 Type Confusion Vulnerability
  capability_group: type_confusion
  capability_id: CVE-2024-4947
  comments: "CVE-2024-4947 is a type confusion vulnerability in Chrome's V8 JavaScript\
    \ engine.\n\nAdversaries have been observed exploiting this vulnerability by hosting\
    \ a web-based game on a site that triggered the vulnerability and executed arbitrary\
    \ code. \n\nAdversaries promoted the game on social media and through emails."
  mapping_type: primary_impact
  references:
  - https://socradar.io/lazarus-exploits-google-chrome-zero-day-to-steal-cryptocurrency-in-detankzone-campaign-cve-2024-4947/
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Google Chromium V8 Type Confusion Vulnerability
  capability_group: type_confusion
  capability_id: CVE-2024-4947
  comments: "CVE-2024-4947 is a type confusion vulnerability in Chrome's V8 JavaScript\
    \ engine.\n\nAdversaries have been observed exploiting this vulnerability by hosting\
    \ a web-based game on a site that triggered the vulnerability and executed arbitrary\
    \ code. \n\nAdversaries promoted the game on social media and through emails."
  mapping_type: exploitation_technique
  references:
  - https://socradar.io/lazarus-exploits-google-chrome-zero-day-to-steal-cryptocurrency-in-detankzone-campaign-cve-2024-4947/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious
    Code Vulnerability
  capability_group: other
  capability_id: CVE-2024-4978
  comments: CVE-2024-4978 is a vulnerability where compromised software is signed
    and hosted on the legitimate software distribution website. Adversaries have been
    observed using this backdoored software to install additional tools on target
    machines. The adversary-installed software establishes persistent communications
    with a command-and-control (C2) server using Windows sockets and WinHTTP requests.
    Once successfully connected, it transmits data about the compromised host, including
    hostname, operating system details, processor architecture, program working directory,
    and user name to the C2.
  mapping_type: secondary_impact
  references:
  - https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious
    Code Vulnerability
  capability_group: other
  capability_id: CVE-2024-4978
  comments: CVE-2024-4978 is a vulnerability where compromised software is signed
    and hosted on the legitimate software distribution website. Adversaries have been
    observed using this backdoored software to install additional tools on target
    machines. The adversary-installed software establishes persistent communications
    with a command-and-control (C2) server using Windows sockets and WinHTTP requests.
    Once successfully connected, it transmits data about the compromised host, including
    hostname, operating system details, processor architecture, program working directory,
    and user name to the C2.
  mapping_type: secondary_impact
  references:
  - https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious
    Code Vulnerability
  capability_group: other
  capability_id: CVE-2024-4978
  comments: CVE-2024-4978 is a vulnerability where compromised software is signed
    and hosted on the legitimate software distribution website. Adversaries have been
    observed using this backdoored software to install additional tools on target
    machines. The adversary-installed software establishes persistent communications
    with a command-and-control (C2) server using Windows sockets and WinHTTP requests.
    Once successfully connected, it transmits data about the compromised host, including
    hostname, operating system details, processor architecture, program working directory,
    and user name to the C2.
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/
- attack_object_id: T1195.002
  attack_object_name: Compromise Software Supply Chain
  capability_description: Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious
    Code Vulnerability
  capability_group: other
  capability_id: CVE-2024-4978
  comments: CVE-2024-4978 is a vulnerability where compromised software is signed
    and hosted on the legitimate software distribution website. Adversaries have been
    observed using this backdoored software to install additional tools on target
    machines. The adversary-installed software establishes persistent communications
    with a command-and-control (C2) server using Windows sockets and WinHTTP requests.
    Once successfully connected, it transmits data about the compromised host, including
    hostname, operating system details, processor architecture, program working directory,
    and user name to the C2.
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justice-av-solutions-viewer-software-used-in-apparent-supply-chain-attack/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: ServiceNow Incomplete List of Disallowed Inputs Vulnerability
  capability_group: input_validation
  capability_id: CVE-2024-5217
  comments: CVE-2024-5217 is an input validation vulnerability that could enable an
    unauthenticated user to remotely execute code within the context of the Now Platform
    due to incomplete input validation in a GlideExpression Script.
  mapping_type: exploitation_technique
  references:
  - https://arcticwolf.com/resources/blog/cve-2024-4879-cve-2024-5178-cve-2024-5217/
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: SolarView Compact Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2022-29303
  comments: "CVE-2022-29303 is a command injection vulnerability within a PHP component\
    \ in the product's web server. \nReports indicate that the vulnerability has\
    \ been exploited by operators of Mirai botnet malware. "
  mapping_type: secondary_impact
  references:
  - https://vulncheck.com/blog/solarview-exploitation
  - https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: SolarView Compact Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2022-29303
  comments: "CVE-2022-29303 is a command injection vulnerability within a PHP component\
    \ in the product's web server. \nReports indicate that the vulnerability has\
    \ been exploited by operators of Mirai botnet malware. "
  mapping_type: primary_impact
  references:
  - https://vulncheck.com/blog/solarview-exploitation
  - https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: TP-Link Archer AX-21 Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-1389
  comments: "CVE-2023-1389 is a command injection vulnerability in one of the API\
    \ components within the TP-Link Archer router\u2019s web management interface.\
    \ Public reporting indicates that multiple Mirai-variant botnets, including Condi,\
    \ are targeting these vulnerable devices. \n"
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html
  - https://cybersecuritynews.com/hackers-exploiting-tp-link/
  - https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: TP-Link Archer AX-21 Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-1389
  comments: "CVE-2023-1389 is a command injection vulnerability in one of the API\
    \ components within the TP-Link Archer router\u2019s web management interface.\
    \ Public reporting indicates that multiple Mirai-variant botnets, including Condi,\
    \ are targeting these vulnerable devices. \n"
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html
  - https://cybersecuritynews.com/hackers-exploiting-tp-link/
  - https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: TP-Link Archer AX-21 Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-1389
  comments: "CVE-2023-1389 is a command injection vulnerability in one of the API\
    \ components within the TP-Link Archer router\u2019s web management interface.\
    \ Public reporting indicates that multiple Mirai-variant botnets, including Condi,\
    \ are targeting these vulnerable devices. \n"
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html
  - https://cybersecuritynews.com/hackers-exploiting-tp-link/
  - https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: TP-Link Archer AX-21 Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-1389
  comments: "CVE-2023-1389 is a command injection vulnerability in one of the API\
    \ components within the TP-Link Archer router\u2019s web management interface.\
    \ Public reporting indicates that multiple Mirai-variant botnets, including Condi,\
    \ are targeting these vulnerable devices. \n"
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html
  - https://cybersecuritynews.com/hackers-exploiting-tp-link/
  - https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
- attack_object_id: T1106
  attack_object_name: Native API
  capability_description: TP-Link Archer AX-21 Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-1389
  comments: "CVE-2023-1389 is a command injection vulnerability in one of the API\
    \ components within the TP-Link Archer router\u2019s web management interface.\
    \ Public reporting indicates that multiple Mirai-variant botnets, including Condi,\
    \ are targeting these vulnerable devices. \n"
  mapping_type: exploitation_technique
  references:
  - https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
  - https://cybersecuritynews.com/hackers-exploiting-tp-link/
  - https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Veeam Backup & Replication Cloud Connect Missing Authentication
    for Critical Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-27532
  comments: 'CVE-2023-27532 is a vulnerability in Veeam Backup & Replication servers
    exposed online which allows unauthenticated users to request encrypted credentials.
    Public reporting has indicated that various ransomware groups have exploited this
    vulnerability to gain access and crash the backup infrastructure hosts, extract
    stored encrypted credentials, and deploy additional tools. '
  mapping_type: secondary_impact
  references:
  - https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
  - https://www.securityweek.com/year-old-veeam-vulnerability-exploited-in-fresh-ransomware-attacks/
  - https://www.group-ib.com/blog/estate-ransomware/
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Veeam Backup & Replication Cloud Connect Missing Authentication
    for Critical Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-27532
  comments: 'CVE-2023-27532 is a vulnerability in Veeam Backup & Replication servers
    exposed online which allows unauthenticated users to request encrypted credentials.
    Public reporting has indicated that various ransomware groups have exploited this
    vulnerability to gain access and crash the backup infrastructure hosts, extract
    stored encrypted credentials, and deploy additional tools. '
  mapping_type: secondary_impact
  references:
  - https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
  - https://www.securityweek.com/year-old-veeam-vulnerability-exploited-in-fresh-ransomware-attacks/
  - https://www.group-ib.com/blog/estate-ransomware/
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Veeam Backup & Replication Cloud Connect Missing Authentication
    for Critical Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-27532
  comments: 'CVE-2023-27532 is a vulnerability in Veeam Backup & Replication servers
    exposed online which allows unauthenticated users to request encrypted credentials.
    Public reporting has indicated that various ransomware groups have exploited this
    vulnerability to gain access and crash the backup infrastructure hosts, extract
    stored encrypted credentials, and deploy additional tools. '
  mapping_type: secondary_impact
  references:
  - https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
  - https://www.securityweek.com/year-old-veeam-vulnerability-exploited-in-fresh-ransomware-attacks/
  - https://www.group-ib.com/blog/estate-ransomware/
- attack_object_id: T1087.001
  attack_object_name: Local Account
  capability_description: Veeam Backup & Replication Cloud Connect Missing Authentication
    for Critical Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-27532
  comments: 'CVE-2023-27532 is a vulnerability in Veeam Backup & Replication servers
    exposed online which allows unauthenticated users to request encrypted credentials.
    Public reporting has indicated that various ransomware groups have exploited this
    vulnerability to gain access and crash the backup infrastructure hosts, extract
    stored encrypted credentials, and deploy additional tools. '
  mapping_type: secondary_impact
  references:
  - https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
  - https://www.securityweek.com/year-old-veeam-vulnerability-exploited-in-fresh-ransomware-attacks/
  - https://www.group-ib.com/blog/estate-ransomware/
- attack_object_id: T1059.003
  attack_object_name: Windows Command Shell
  capability_description: Veeam Backup & Replication Cloud Connect Missing Authentication
    for Critical Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-27532
  comments: 'CVE-2023-27532 is a vulnerability in Veeam Backup & Replication servers
    exposed online which allows unauthenticated users to request encrypted credentials.
    Public reporting has indicated that various ransomware groups have exploited this
    vulnerability to gain access and crash the backup infrastructure hosts, extract
    stored encrypted credentials, and deploy additional tools. '
  mapping_type: primary_impact
  references:
  - https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
  - https://www.securityweek.com/year-old-veeam-vulnerability-exploited-in-fresh-ransomware-attacks/
  - https://www.group-ib.com/blog/estate-ransomware/
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Veeam Backup & Replication Cloud Connect Missing Authentication
    for Critical Function Vulnerability
  capability_group: auth_missing
  capability_id: CVE-2023-27532
  comments: 'CVE-2023-27532 is a vulnerability in Veeam Backup & Replication servers
    exposed online which allows unauthenticated users to request encrypted credentials.
    Public reporting has indicated that various ransomware groups have exploited this
    vulnerability to gain access and crash the backup infrastructure hosts, extract
    stored encrypted credentials, and deploy additional tools. '
  mapping_type: exploitation_technique
  references:
  - https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
  - https://www.securityweek.com/year-old-veeam-vulnerability-exploited-in-fresh-ransomware-attacks/
  - https://www.group-ib.com/blog/estate-ransomware/
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Ignite Realtime Openfire Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2023-32315
  comments: 'CVE-2023-32315 is a path traversal bug in Openfire''s administrative
    console that could be leveraged for remote code execution. Public reports have
    indicated that threat actors were exploiting this vulnerability to gain access
    to the Openfire plugins interface to create new admin console user accounts, install
    a malicious plugin, and gain access to a webshell.  '
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2023/08/thousands-of-unpatched-openfire-xmpp.html
  - https://www.bleepingcomputer.com/news/security/over-3-000-openfire-servers-vulnerable-to-takover-attacks/
  - https://surevine.com/resource-centre/openfire-cve-2023-32315-what-we-know
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Ignite Realtime Openfire Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2023-32315
  comments: 'CVE-2023-32315 is a path traversal bug in Openfire''s administrative
    console that could be leveraged for remote code execution. Public reports have
    indicated that threat actors were exploiting this vulnerability to gain access
    to the Openfire plugins interface to create new admin console user accounts, install
    a malicious plugin, and gain access to a webshell.  '
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2023/08/thousands-of-unpatched-openfire-xmpp.html
  - https://www.bleepingcomputer.com/news/security/over-3-000-openfire-servers-vulnerable-to-takover-attacks/
  - https://surevine.com/resource-centre/openfire-cve-2023-32315-what-we-know
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Ignite Realtime Openfire Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2023-32315
  comments: 'CVE-2023-32315 is a path traversal bug in Openfire''s administrative
    console that could be leveraged for remote code execution. Public reports have
    indicated that threat actors were exploiting this vulnerability to gain access
    to the Openfire plugins interface to create new admin console user accounts, install
    a malicious plugin, and gain access to a webshell.  '
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2023/08/thousands-of-unpatched-openfire-xmpp.html
  - https://www.bleepingcomputer.com/news/security/over-3-000-openfire-servers-vulnerable-to-takover-attacks/
  - https://surevine.com/resource-centre/openfire-cve-2023-32315-what-we-know
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Ignite Realtime Openfire Path Traversal Vulnerability
  capability_group: dir_traversal
  capability_id: CVE-2023-32315
  comments: 'CVE-2023-32315 is a path traversal bug in Openfire''s administrative
    console that could be leveraged for remote code execution. Public reports have
    indicated that threat actors were exploiting this vulnerability to gain access
    to the Openfire plugins interface to create new admin console user accounts, install
    a malicious plugin, and gain access to a webshell.  '
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2023/08/thousands-of-unpatched-openfire-xmpp.html
  - https://www.bleepingcomputer.com/news/security/over-3-000-openfire-servers-vulnerable-to-takover-attacks/
  - https://surevine.com/resource-centre/openfire-cve-2023-32315-what-we-know
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: RARLAB WinRAR Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-38831
  comments: 'CVE-2023-38831 is a vulnerability within the crafted archive process
    of WinRAR that occurs when a user attempts to open a seemingly legitimate document
    within a compromised archive. The vulnerability allows the attacker to execute
    arbitrary code on the system via a specially prepared archive. There have been
    public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS
    leveraging this vulnerability. '
  mapping_type: secondary_impact
  references:
  - https://cybersecuritynews.com/hacktivist-group-exploit-winrar-vulnerability/
  - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
  - https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
  - https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
- attack_object_id: T1112
  attack_object_name: Modify Registry
  capability_description: RARLAB WinRAR Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-38831
  comments: 'CVE-2023-38831 is a vulnerability within the crafted archive process
    of WinRAR that occurs when a user attempts to open a seemingly legitimate document
    within a compromised archive. The vulnerability allows the attacker to execute
    arbitrary code on the system via a specially prepared archive. There have been
    public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS
    leveraging this vulnerability. '
  mapping_type: secondary_impact
  references:
  - https://cybersecuritynews.com/hacktivist-group-exploit-winrar-vulnerability/
  - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
  - https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
  - https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
- attack_object_id: T1053
  attack_object_name: Scheduled Task/Job
  capability_description: RARLAB WinRAR Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-38831
  comments: 'CVE-2023-38831 is a vulnerability within the crafted archive process
    of WinRAR that occurs when a user attempts to open a seemingly legitimate document
    within a compromised archive; the vulnerability allows the attacker to execute
    arbitrary code on the system via a specially prepared archive. There have been
    public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS
    leveraging this vulnerability. '
  mapping_type: secondary_impact
  references:
  - https://cybersecuritynews.com/hacktivist-group-exploit-winrar-vulnerability/
  - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
  - https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
  - https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: RARLAB WinRAR Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-38831
  comments: 'CVE-2023-38831 is a vulnerability within the crafted archive process
    of WinRAR that occurs when a user attempts to open a seemingly legitimate document
    within a compromised archive; the vulnerability allows the attacker to execute
    arbitrary code on the system via a specially prepared archive. There have been
    public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS
    leveraging this vulnerability. '
  mapping_type: secondary_impact
  references:
  - https://cybersecuritynews.com/hacktivist-group-exploit-winrar-vulnerability/
  - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
  - https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
  - https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: RARLAB WinRAR Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-38831
  comments: 'CVE-2023-38831 is a vulnerability within the crafted archive process
    of WinRAR that occurs when a user attempts to open a seemingly legitimate document
    within a compromised archive; the vulnerability allows the attacker to execute
    arbitrary code on the system via a specially prepared archive. There have been
    public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS
    leveraging this vulnerability. '
  mapping_type: secondary_impact
  references:
  - https://cybersecuritynews.com/hacktivist-group-exploit-winrar-vulnerability/
  - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
  - https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
  - https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: RARLAB WinRAR Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-38831
  comments: 'CVE-2023-38831 is a vulnerability within the crafted archive process
    of WinRAR that occurs when a user attempts to open a seemingly legitimate document
    within a compromised archive; the vulnerability allows the attacker to execute
    arbitrary code on the system via a specially prepared archive. There have been
    public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS
    leveraging this vulnerability. '
  mapping_type: secondary_impact
  references:
  - https://cybersecuritynews.com/hacktivist-group-exploit-winrar-vulnerability/
  - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
  - https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
  - https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
- attack_object_id: T1505
  attack_object_name: Server Software Component
  capability_description: SolarView Compact Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2022-29303
  comments: "CVE-2022-29303 is a command injection vulnerability within a PHP component\
    \ in the product's web server. \nReports indicate that the vulnerability has\
    \ been exploited by operators of Mirai botnet malware. "
  mapping_type: exploitation_technique
  references:
  - https://vulncheck.com/blog/solarview-exploitation
  - https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
- attack_object_id: T1059.004
  attack_object_name: Unix Shell
  capability_description: RARLAB WinRAR Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-38831
  comments: 'CVE-2023-38831 is a vulnerability within the crafted archive process
    of WinRAR that occurs when a user attempts to open a seemingly legitimate document
    within a compromised archive; the vulnerability allows the attacker to execute
    arbitrary code on the system via a specially prepared archive. There have been
    public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS
    leveraging this vulnerability. '
  mapping_type: primary_impact
  references:
  - https://cybersecuritynews.com/hacktivist-group-exploit-winrar-vulnerability/
  - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
  - https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
  - https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: RARLAB WinRAR Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-38831
  comments: 'CVE-2023-38831 is a vulnerability within the crafted archive process
    of WinRAR that occurs when a user attempts to open a seemingly legitimate document
    within a compromised archive; the vulnerability allows the attacker to execute
    arbitrary code on the system via a specially prepared archive. There have been
    public reports on the FROZENLAKE spear-phishing campaign, FROZENBARENTS, and ISLANDDREAMS
    leveraging this vulnerability. '
  mapping_type: exploitation_technique
  references:
  - https://cybersecuritynews.com/hacktivist-group-exploit-winrar-vulnerability/
  - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
  - https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
  - https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Rejetto HTTP File Server Improper Neutralization of Special
    Elements Used in a Template Engine Vulnerability
  capability_group: other
  capability_id: CVE-2024-23692
  comments: "CVE-2024-23692 is an OS command injection vulnerability within the HTTP\
    \ File Server (HFS) process for Rejetto. It has been reported to be exploited\
    \ by threat actors to deploy cryptomining malware, install backdoors, Remote Access\
    \ Trojans (RATs), and other malware like \u201CGoThief\u201D to exfiltrate sensitive\
    \ data. "
  mapping_type: secondary_impact
  references:
  - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/
  - https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html
  - https://www.bleepingcomputer.com/news/security/hackers-attack-hfs-servers-to-drop-malware-and-monero-miners/
  - https://socradar.io/critical-http-file-server-vulnerability-cve-2024-23692-actively-exploited-to-deploy-cryptomining-malware-rats-stealers/
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Rejetto HTTP File Server Improper Neutralization of Special
    Elements Used in a Template Engine Vulnerability
  capability_group: other
  capability_id: CVE-2024-23692
  comments: "CVE-2024-23692 is an OS command injection vulnerability within the HTTP\
    \ File Server (HFS) process for Rejetto. It has been reported to be exploited\
    \ by threat actors to deploy cryptomining malware, install backdoors, Remote Access\
    \ Trojans (RATs), and other malware like \u201CGoThief\u201D to exfiltrate sensitive\
    \ data. "
  mapping_type: secondary_impact
  references:
  - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/
  - https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html
  - https://www.bleepingcomputer.com/news/security/hackers-attack-hfs-servers-to-drop-malware-and-monero-miners/
  - https://socradar.io/critical-http-file-server-vulnerability-cve-2024-23692-actively-exploited-to-deploy-cryptomining-malware-rats-stealers/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Rejetto HTTP File Server Improper Neutralization of Special
    Elements Used in a Template Engine Vulnerability
  capability_group: other
  capability_id: CVE-2024-23692
  comments: "CVE-2024-23692 is an OS command injection vulnerability within the HTTP\
    \ File Server (HFS) process for Rejetto. It has been reported to be exploited\
    \ by threat actors to deploy cryptomining malware, install backdoors, Remote Access\
    \ Trojans (RATs), and other malware like \u201CGoThief\u201D to exfiltrate sensitive\
    \ data. "
  mapping_type: secondary_impact
  references:
  - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/
  - https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html
  - https://www.bleepingcomputer.com/news/security/hackers-attack-hfs-servers-to-drop-malware-and-monero-miners/
  - https://socradar.io/critical-http-file-server-vulnerability-cve-2024-23692-actively-exploited-to-deploy-cryptomining-malware-rats-stealers/
- attack_object_id: T1082
  attack_object_name: System Information Discovery
  capability_description: Rejetto HTTP File Server Improper Neutralization of Special
    Elements Used in a Template Engine Vulnerability
  capability_group: other
  capability_id: CVE-2024-23692
  comments: "CVE-2024-23692 is an OS command injection vulnerability within the HTTP\
    \ File Server (HFS) process for Rejetto. It has been reported to be exploited\
    \ by threat actors to deploy cryptomining malware, install backdoors, Remote Access\
    \ Trojans (RATs), and other malware like \u201CGoThief\u201D to exfiltrate sensitive\
    \ data. "
  mapping_type: primary_impact
  references:
  - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/
  - https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html
  - https://www.bleepingcomputer.com/news/security/hackers-attack-hfs-servers-to-drop-malware-and-monero-miners/
  - https://socradar.io/critical-http-file-server-vulnerability-cve-2024-23692-actively-exploited-to-deploy-cryptomining-malware-rats-stealers/
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: FXC AE1021, AE1021PE OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-49897
  comments: 'CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE
    firmware. This vulnerability has been publicly reported to be leveraged during
    the InfectedSlurs campaign to install a Mirai malware variant with the intention
    of creating a distributed denial-of-service (DDoS) botnet with these infected
    devices.  '
  mapping_type: secondary_impact
  references:
  - https://www.akamai.com/blog/security-research/zero-day-vulnerability-spreading-mirai-patched
  - https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.html
  - https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: FXC AE1021, AE1021PE OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-49897
  comments: 'CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE
    firmware. This vulnerability has been publicly reported to be leveraged during
    the InfectedSlurs campaign to install a Mirai malware variant with the intention
    of creating a distributed denial-of-service (DDoS) botnet with these infected
    devices.  '
  mapping_type: primary_impact
  references:
  - https://www.akamai.com/blog/security-research/zero-day-vulnerability-spreading-mirai-patched
  - https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.html
  - https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: FXC AE1021, AE1021PE OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-49897
  comments: 'CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE
    firmware. This vulnerability has been publicly reported to be leveraged during
    the InfectedSlurs campaign to install a Mirai malware variant with the intention
    of creating a distributed denial-of-service (DDoS) botnet with these infected
    devices.  '
  mapping_type: exploitation_technique
  references:
  - https://www.akamai.com/blog/security-research/zero-day-vulnerability-spreading-mirai-patched
  - https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.html
  - https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: QNAP VioStor NVR OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-47565
  comments: 'CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor
    network video recorder (NVR) devices. This vulnerability has been publicly reported
    to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant
    with the intention of creating a distributed denial-of-service (DDoS) botnet with
    these infected devices.  '
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.html
  - https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days
  - https://www.akamai.com/blog/security-research/qnap-viostor-zero-day-vulnerability-spreading-mirai-patched
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: QNAP VioStor NVR OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-47565
  comments: 'CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor
    network video recorder (NVR) devices. This vulnerability has been publicly reported
    to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant
    with the intention of creating a distributed denial-of-service (DDoS) botnet with
    these infected devices.  '
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.html
  - https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days
  - https://www.akamai.com/blog/security-research/qnap-viostor-zero-day-vulnerability-spreading-mirai-patched
- attack_object_id: T1221
  attack_object_name: Template Injection
  capability_description: Rejetto HTTP File Server Improper Neutralization of Special
    Elements Used in a Template Engine Vulnerability
  capability_group: other
  capability_id: CVE-2024-23692
  comments: "CVE-2024-23692 is an OS command injection vulnerability within the HTTP\
    \ File Server (HFS) process for Rejetto. It has been reported to be exploited\
    \ by threat actors to deploy cryptomining malware, install backdoors, Remote Access\
    \ Trojans (RATs), and other malware like \u201CGoThief\u201D to exfiltrate sensitive\
    \ data. "
  mapping_type: exploitation_technique
  references:
  - https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/
  - https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html
  - https://www.bleepingcomputer.com/news/security/hackers-attack-hfs-servers-to-drop-malware-and-monero-miners/
  - https://socradar.io/critical-http-file-server-vulnerability-cve-2024-23692-actively-exploited-to-deploy-cryptomining-malware-rats-stealers/
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: QNAP VioStor NVR OS Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-47565
  comments: 'CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor
    network video recorder (NVR) devices. This vulnerability has been publicly reported
    to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant
    with the intention of creating a distributed denial-of-service (DDoS) botnet with
    these infected devices.  '
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.html
  - https://www.akamai.com/blog/security-research/new-rce-botnet-spreads-mirai-via-zero-days
  - https://www.akamai.com/blog/security-research/qnap-viostor-zero-day-vulnerability-spreading-mirai-patched
- attack_object_id: T1003.003
  attack_object_name: NTDS
  capability_description: Check Point Quantum Security Gateways Information Disclosure
    Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2024-24919
  comments: 'CVE-2024-24919 is an information disclosure/arbitrary file read vulnerability
    within Check Point''s Quantum Security Gateway products. It''s been reported that
    attackers are leveraging this vulnerability to retrieve all files on the local
    file system, read sensitive data and extract credentials for all local accounts,
    including Active Directory, SSH keys, and certificates. '
  mapping_type: secondary_impact
  references:
  - https://www.greynoise.io/blog/whats-going-on-with-checkpoint-cve-2024-24919
  - https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
  - https://censys.com/cve-2024-24919/
  - https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/
- attack_object_id: T1003.008
  attack_object_name: /etc/passwd and /etc/shadow
  capability_description: Check Point Quantum Security Gateways Information Disclosure
    Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2024-24919
  comments: 'CVE-2024-24919 is an information disclosure/arbitrary file read vulnerability
    within Check Point''s Quantum Security Gateway products. It''s been reported that
    attackers are leveraging this vulnerability to retrieve all files on the local
    file system, read sensitive data and extract credentials for all local accounts,
    including Active Directory, SSH keys, and certificates. '
  mapping_type: secondary_impact
  references:
  - https://www.greynoise.io/blog/whats-going-on-with-checkpoint-cve-2024-24919
  - https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
  - https://censys.com/cve-2024-24919/
  - https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/
- attack_object_id: T1059.004
  attack_object_name: Unix Shell
  capability_description: Check Point Quantum Security Gateways Information Disclosure
    Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2024-24919
  comments: 'CVE-2024-24919 is an information disclosure/arbitrary file read vulnerability
    within Check Point''s Quantum Security Gateway products. It''s been reported that
    attackers are leveraging this vulnerability to retrieve all files on the local
    file system, read sensitive data and extract credentials for all local accounts,
    including Active Directory, SSH keys, and certificates. '
  mapping_type: secondary_impact
  references:
  - https://www.greynoise.io/blog/whats-going-on-with-checkpoint-cve-2024-24919
  - https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
  - https://censys.com/cve-2024-24919/
  - https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Check Point Quantum Security Gateways Information Disclosure
    Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2024-24919
  comments: 'CVE-2024-24919 is an information disclosure/arbitrary file read vulnerability
    within Check Point''s Quantum Security Gateway products. It''s been reported that
    attackers are leveraging this vulnerability to retrieve all files on the local
    file system, read sensitive data and extract credentials for all local accounts,
    including Active Directory, SSH keys, and certificates. '
  mapping_type: primary_impact
  references:
  - https://www.greynoise.io/blog/whats-going-on-with-checkpoint-cve-2024-24919
  - https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
  - https://censys.com/cve-2024-24919/
  - https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Check Point Quantum Security Gateways Information Disclosure
    Vulnerability
  capability_group: access_ctrl
  capability_id: CVE-2024-24919
  comments: 'CVE-2024-24919 is an information disclosure/arbitrary file read vulnerability
    within Check Point''s Quantum Security Gateway products. It''s been reported that
    attackers are leveraging this vulnerability to retrieve all files on the local
    file system, read sensitive data and extract credentials for all local accounts,
    including Active Directory, SSH keys, and certificates. '
  mapping_type: exploitation_technique
  references:
  - https://www.greynoise.io/blog/whats-going-on-with-checkpoint-cve-2024-24919
  - https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
  - https://censys.com/cve-2024-24919/
  - https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/
- attack_object_id: T1608.001
  attack_object_name: Upload Malware
  capability_description: Apache RocketMQ Command Execution Vulnerability
  capability_group: command_execution
  capability_id: CVE-2023-33246
  comments: This vulnerability is exploited by a remote attacker who leverages a command
    injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update
    configuration function, the adversary can execute commands as the system user
    under which RocketMQ is running. This lack of permission verification in components
    like NameServer, Broker, and Controller, which are exposed on the extranet, allows
    for remote command execution. Additionally, attackers can forge RocketMQ protocol
    content to achieve the same effect. Since at least June 2023, threat actors have
    actively exploited this vulnerability to gain initial access and deploy the DreamBus
    botnet, Linux-based malware.
  mapping_type: secondary_impact
  references:
  - https://www.fortiguard.com/outbreak-alert/apache-rocketmq-rce
  - https://www.fortiguard.com/threat-signal-report/5203/active-exploitation-of-apache-rocketmq-updateconfig-command-execution-vulnerability-cve-2023-33246
  - https://arcticwolf.com/resources/blog/cve-2023-33246/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Apache RocketMQ Command Execution Vulnerability
  capability_group: command_execution
  capability_id: CVE-2023-33246
  comments: This vulnerability is exploited by a remote attacker who leverages a command
    injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update
    configuration function, the adversary can execute commands as the system user
    under which RocketMQ is running. This lack of permission verification in components
    like NameServer, Broker, and Controller, which are exposed on the extranet, allows
    for remote command execution. Additionally, attackers can forge RocketMQ protocol
    content to achieve the same effect. Since at least June 2023, threat actors have
    actively exploited this vulnerability to gain initial access and deploy the DreamBus
    botnet, Linux-based malware.
  mapping_type: primary_impact
  references:
  - https://www.fortiguard.com/outbreak-alert/apache-rocketmq-rce
  - https://www.fortiguard.com/threat-signal-report/5203/active-exploitation-of-apache-rocketmq-updateconfig-command-execution-vulnerability-cve-2023-33246
  - https://arcticwolf.com/resources/blog/cve-2023-33246/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Apache RocketMQ Command Execution Vulnerability
  capability_group: command_execution
  capability_id: CVE-2023-33246
  comments: This vulnerability is exploited by a remote attacker who leverages a command
    injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update
    configuration function, the adversary can execute commands as the system user
    under which RocketMQ is running. This lack of permission verification in components
    like NameServer, Broker, and Controller, which are exposed on the extranet, allows
    for remote command execution. Additionally, attackers can forge RocketMQ protocol
    content to achieve the same effect. Since at least June 2023, threat actors have
    actively exploited this vulnerability to gain initial access and deploy the DreamBus
    botnet, Linux-based malware.
  mapping_type: exploitation_technique
  references:
  - https://www.fortiguard.com/outbreak-alert/apache-rocketmq-rce
  - https://www.fortiguard.com/threat-signal-report/5203/active-exploitation-of-apache-rocketmq-updateconfig-command-execution-vulnerability-cve-2023-33246
  - https://arcticwolf.com/resources/blog/cve-2023-33246/
- attack_object_id: T1053.005
  attack_object_name: Scheduled Task
  capability_description: Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-46604
  comments: 'This vulnerability is exploited by a remote attacker who manipulates
    serialized class types in the OpenWire protocol to run arbitrary shell commands.
    This allows the adversary to execute remote code, leading to the download and
    installation of malware, such as the Kinsing malware and cryptocurrency miners,
    on Linux systems. Additionally, attackers have attempted to deploy ransomware,
    attributed to the HelloKitty ransomware family, on target systems. '
  mapping_type: secondary_impact
  references:
  - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
  - https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
  - https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html
- attack_object_id: T1059.004
  attack_object_name: Unix Shell
  capability_description: Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-46604
  comments: 'This vulnerability is exploited by a remote attacker who manipulates
    serialized class types in the OpenWire protocol to run arbitrary shell commands.
    This allows the adversary to execute remote code, leading to the download and
    installation of malware, such as the Kinsing malware and cryptocurrency miners,
    on Linux systems. Additionally, attackers have attempted to deploy ransomware,
    attributed to the HelloKitty ransomware family, on target systems. '
  mapping_type: primary_impact
  references:
  - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
  - https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
  - https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
  capability_group: untrusted_data
  capability_id: CVE-2023-46604
  comments: 'This vulnerability is exploited by a remote attacker who manipulates
    serialized class types in the OpenWire protocol to run arbitrary shell commands.
    This allows the adversary to execute remote code, leading to the download and
    installation of malware, such as the Kinsing malware and cryptocurrency miners,
    on Linux systems. Additionally, attackers have attempted to deploy ransomware,
    attributed to the HelloKitty ransomware family, on target systems. '
  mapping_type: exploitation_technique
  references:
  - https://attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604/rapid7-analysis?referrer=etrblog
  - https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/
  - https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Apache Superset Insecure Default Initialization of Resource
    Vulnerability
  capability_group: resource_mgmt
  capability_id: CVE-2023-27524
  comments: 'This vulnerability is exploited by a remote attacker who forges a session
    cookie leveraging user_id or _user_id set to 1 in order to log in as an administrator.
    A successful exploitation could allow the adversary to gain authenticated access
    and gain access to unauthorized resources. '
  mapping_type: primary_impact
  references:
  - https://www.horizon3.ai/attack-research/disclosures/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution
  - https://thehackernews.com/2024/01/cisa-flags-6-vulnerabilities-apple.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Apache Superset Insecure Default Initialization of Resource
    Vulnerability
  capability_group: resource_mgmt
  capability_id: CVE-2023-27524
  comments: 'This vulnerability is exploited by a remote attacker who forges a session
    cookie leveraging user_id or _user_id set to 1 in order to log in as an administrator.
    A successful exploitation could allow the adversary to gain authenticated access
    and gain access to unauthorized resources. '
  mapping_type: exploitation_technique
  references:
  - https://www.horizon3.ai/attack-research/disclosures/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution
  - https://thehackernews.com/2024/01/cisa-flags-6-vulnerabilities-apple.html
- attack_object_id: T1498
  attack_object_name: Network Denial of Service
  capability_description: Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service
    Vulnerability
  capability_group: dos
  capability_id: CVE-2022-0028
  comments: 'CVE-2022-0028 is a reflected amplification Distributed-Denial-of-Service
    (DDoS) vulnerability in Palo Alto''s PAN-OS firewall software. Public reports
    have announced the attempted exploitation of this vulnerability to produce DDoS attacks. '
  mapping_type: primary_impact
  references:
  - https://therecord.media/palo-alto-warns-of-firewall-vulnerability-used-in-ddos-attack-on-service-provider
  - https://security.paloaltonetworks.com/CVE-2022-0028
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Palo Alto Networks PAN-OS Reflected Amplification Denial-of-Service
    Vulnerability
  capability_group: dos
  capability_id: CVE-2022-0028
  comments: 'CVE-2022-0028 is a reflected amplification Distributed Denial-of-Service
    (DDoS) vulnerability in Palo Alto''s PAN-OS firewall software. Because the attack is
    reflected, the vulnerable firewall is abused as an amplifier against a third-party
    target rather than being the victim itself. Public reports describe attempted exploitation
    of this vulnerability to launch a DDoS attack against a service provider.'
  mapping_type: exploitation_technique
  references:
  - https://therecord.media/palo-alto-warns-of-firewall-vulnerability-used-in-ddos-attack-on-service-provider
  - https://security.paloaltonetworks.com/CVE-2022-0028
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Microsoft Windows Common Log File System (CLFS) Driver Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-28252
  comments: "This vulnerability is exploited by an adversary that has already gained
    local access to the victim system. If successfully exploited, the adversary gains
    full SYSTEM-level privileges.\n\nThe Kaspersky reference describes this CVE being used
    as a zero-day in Nokoyawa ransomware attacks. It has also been leveraged in the wild
    in activity attributed to Storm-0506 that deployed Black Basta ransomware: the intrusion
    was initiated through a Qakbot infection, exploited CVE-2023-28252 to gain elevated
    privileges, used tools such as Cobalt Strike and Pypykatz for credential theft and
    lateral movement, and eventually created an \"ESX Admins\" group to encrypt the ESXi
    file system and disrupt hosted VMs.\n\nThe secondary-impact techniques mapped to this
    CVE are drawn from that reported post-exploitation activity rather than from the
    vulnerability itself."
  mapping_type: secondary_impact
  references:
  - https://www.kaspersky.com/blog/nokoyawa-zero-day-exploit/47788/
  - https://cybersecuritynews.com/ransomware-gangs-vmware-esxi-bypass-flaw/
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-april-2023/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-97-cves-including-zero-day-wormable-bugs
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Microsoft Windows Common Log File System (CLFS) Driver Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-28252
  comments: "This vulnerability is exploited by an adversary that has already gained
    local access to the victim system. If successfully exploited, the adversary gains
    full SYSTEM-level privileges.\n\nThe Kaspersky reference describes this CVE being used
    as a zero-day in Nokoyawa ransomware attacks. It has also been leveraged in the wild
    in activity attributed to Storm-0506 that deployed Black Basta ransomware: the intrusion
    was initiated through a Qakbot infection, exploited CVE-2023-28252 to gain elevated
    privileges, used tools such as Cobalt Strike and Pypykatz for credential theft and
    lateral movement, and eventually created an \"ESX Admins\" group to encrypt the ESXi
    file system and disrupt hosted VMs.\n\nThe secondary-impact techniques mapped to this
    CVE are drawn from that reported post-exploitation activity rather than from the
    vulnerability itself."
  mapping_type: secondary_impact
  references:
  - https://www.kaspersky.com/blog/nokoyawa-zero-day-exploit/47788/
  - https://cybersecuritynews.com/ransomware-gangs-vmware-esxi-bypass-flaw/
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-april-2023/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-97-cves-including-zero-day-wormable-bugs
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Microsoft Windows Common Log File System (CLFS) Driver Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-28252
  comments: "This vulnerability is exploited by an adversary that has already gained
    local access to the victim system. If successfully exploited, the adversary gains
    full SYSTEM-level privileges.\n\nThe Kaspersky reference describes this CVE being used
    as a zero-day in Nokoyawa ransomware attacks. It has also been leveraged in the wild
    in activity attributed to Storm-0506 that deployed Black Basta ransomware: the intrusion
    was initiated through a Qakbot infection, exploited CVE-2023-28252 to gain elevated
    privileges, used tools such as Cobalt Strike and Pypykatz for credential theft and
    lateral movement, and eventually created an \"ESX Admins\" group to encrypt the ESXi
    file system and disrupt hosted VMs.\n\nThe secondary-impact techniques mapped to this
    CVE are drawn from that reported post-exploitation activity rather than from the
    vulnerability itself."
  mapping_type: secondary_impact
  references:
  - https://www.kaspersky.com/blog/nokoyawa-zero-day-exploit/47788/
  - https://cybersecuritynews.com/ransomware-gangs-vmware-esxi-bypass-flaw/
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-april-2023/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-97-cves-including-zero-day-wormable-bugs
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Microsoft Windows Common Log File System (CLFS) Driver Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-28252
  comments: "This vulnerability is exploited by an adversary that has already gained
    local access to the victim system. If successfully exploited, the adversary gains
    full SYSTEM-level privileges.\n\nThe Kaspersky reference describes this CVE being used
    as a zero-day in Nokoyawa ransomware attacks. It has also been leveraged in the wild
    in activity attributed to Storm-0506 that deployed Black Basta ransomware: the intrusion
    was initiated through a Qakbot infection, exploited CVE-2023-28252 to gain elevated
    privileges, used tools such as Cobalt Strike and Pypykatz for credential theft and
    lateral movement, and eventually created an \"ESX Admins\" group to encrypt the ESXi
    file system and disrupt hosted VMs.\n\nThe secondary-impact techniques mapped to this
    CVE are drawn from that reported post-exploitation activity rather than from the
    vulnerability itself."
  mapping_type: secondary_impact
  references:
  - https://www.kaspersky.com/blog/nokoyawa-zero-day-exploit/47788/
  - https://cybersecuritynews.com/ransomware-gangs-vmware-esxi-bypass-flaw/
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-april-2023/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-97-cves-including-zero-day-wormable-bugs
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Windows Common Log File System (CLFS) Driver Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-28252
  comments: "This vulnerability is exploited by an adversary that has already gained
    local access to the victim system. If successfully exploited, the adversary gains
    full SYSTEM-level privileges.\n\nThe Kaspersky reference describes this CVE being used
    as a zero-day in Nokoyawa ransomware attacks. It has also been leveraged in the wild
    in activity attributed to Storm-0506 that deployed Black Basta ransomware: the intrusion
    was initiated through a Qakbot infection, exploited CVE-2023-28252 to gain elevated
    privileges, used tools such as Cobalt Strike and Pypykatz for credential theft and
    lateral movement, and eventually created an \"ESX Admins\" group to encrypt the ESXi
    file system and disrupt hosted VMs.\n\nThe secondary-impact techniques mapped to this
    CVE are drawn from that reported post-exploitation activity rather than from the
    vulnerability itself."
  mapping_type: secondary_impact
  references:
  - https://www.kaspersky.com/blog/nokoyawa-zero-day-exploit/47788/
  - https://cybersecuritynews.com/ransomware-gangs-vmware-esxi-bypass-flaw/
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-april-2023/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-97-cves-including-zero-day-wormable-bugs
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Common Log File System (CLFS) Driver Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-28252
  comments: "This vulnerability is exploited by an adversary that has already gained
    local access to the victim system. If successfully exploited, the adversary gains
    full SYSTEM-level privileges.\n\nThe Kaspersky reference describes this CVE being used
    as a zero-day in Nokoyawa ransomware attacks. It has also been leveraged in the wild
    in activity attributed to Storm-0506 that deployed Black Basta ransomware: the intrusion
    was initiated through a Qakbot infection, exploited CVE-2023-28252 to gain elevated
    privileges, used tools such as Cobalt Strike and Pypykatz for credential theft and
    lateral movement, and eventually created an \"ESX Admins\" group to encrypt the ESXi
    file system and disrupt hosted VMs.\n\nThe secondary-impact techniques mapped to this
    CVE are drawn from that reported post-exploitation activity rather than from the
    vulnerability itself."
  mapping_type: primary_impact
  references:
  - https://www.kaspersky.com/blog/nokoyawa-zero-day-exploit/47788/
  - https://cybersecuritynews.com/ransomware-gangs-vmware-esxi-bypass-flaw/
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-april-2023/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-97-cves-including-zero-day-wormable-bugs
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows Common Log File System (CLFS) Driver Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-28252
  comments: "This vulnerability is exploited by an adversary that has already gained
    local access to the victim system. If successfully exploited, the adversary gains
    full SYSTEM-level privileges.\n\nThe Kaspersky reference describes this CVE being used
    as a zero-day in Nokoyawa ransomware attacks. It has also been leveraged in the wild
    in activity attributed to Storm-0506 that deployed Black Basta ransomware: the intrusion
    was initiated through a Qakbot infection, exploited CVE-2023-28252 to gain elevated
    privileges, used tools such as Cobalt Strike and Pypykatz for credential theft and
    lateral movement, and eventually created an \"ESX Admins\" group to encrypt the ESXi
    file system and disrupt hosted VMs.\n\nThe secondary-impact techniques mapped to this
    CVE are drawn from that reported post-exploitation activity rather than from the
    vulnerability itself."
  mapping_type: exploitation_technique
  references:
  - https://www.kaspersky.com/blog/nokoyawa-zero-day-exploit/47788/
  - https://cybersecuritynews.com/ransomware-gangs-vmware-esxi-bypass-flaw/
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-april-2023/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-patches-97-cves-including-zero-day-wormable-bugs
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Advanced Local Procedure Call (ALPC) Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-21674
  comments: "This vulnerability is exploited by an authenticated adversary. Microsoft
    classifies it as requiring local access; however, other reports state that remote,
    authenticated adversaries can exploit it. Where these sources disagree, the MSRC
    advisory referenced below is the authoritative statement of the attack vector. A
    successful exploitation grants the attacker SYSTEM-level privileges.\n\nThis vulnerability
    has been exploited in the wild; however, technical details of how it was leveraged in an
    attack have not been publicly shared."
  mapping_type: primary_impact
  references:
  - https://securityonline.info/cisa-adds-cve-2023-21674-vulnerability-to-exploited-catalog/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21674
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows Advanced Local Procedure Call (ALPC) Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-21674
  comments: "This vulnerability is exploited by an authenticated adversary. Microsoft
    classifies it as requiring local access; however, other reports state that remote,
    authenticated adversaries can exploit it. Where these sources disagree, the MSRC
    advisory referenced below is the authoritative statement of the attack vector. A
    successful exploitation grants the attacker SYSTEM-level privileges.\n\nThis vulnerability
    has been exploited in the wild; however, technical details of how it was leveraged in an
    attack have not been publicly shared."
  mapping_type: exploitation_technique
  references:
  - https://securityonline.info/cisa-adds-cve-2023-21674-vulnerability-to-exploited-catalog/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21674
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows CNG Key Isolation Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-28229
  comments: "This vulnerability is exploited by an adversary that has already gained
    local access to the victim system. If successfully exploited, the adversary gains
    limited SYSTEM-level privileges (not full SYSTEM). Microsoft has identified that
    successful exploitation requires the attacker to win a race condition.\n\nThis
    vulnerability has been exploited in the wild; however, no technical information about
    the exploitation has been published."
  mapping_type: primary_impact
  references:
  - https://www.picussecurity.com/resource/blog/cisa-reveals-the-top-15-most-exploited-vulnerabilities-of-2023
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28229
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows CNG Key Isolation Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2023-28229
  comments: "This vulnerability is exploited by an adversary that has already gained
    local access to the victim system. If successfully exploited, the adversary gains
    limited SYSTEM-level privileges (not full SYSTEM). Microsoft has identified that
    successful exploitation requires the attacker to win a race condition.\n\nThis
    vulnerability has been exploited in the wild; however, no technical information about
    the exploitation has been published."
  mapping_type: exploitation_technique
  references:
  - https://www.picussecurity.com/resource/blog/cisa-reveals-the-top-15-most-exploited-vulnerabilities-of-2023
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28229
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows User Profile Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-26904
  comments: "This vulnerability is exploited by an adversary who has already gained
    local access to the victim system and who must also win a race condition. If
    successfully exploited, the adversary gains elevated privileges on the victim
    system.\n\nThis vulnerability has been identified as exploited in the wild; however,
    technical exploitation details have not been publicly shared."
  mapping_type: primary_impact
  references:
  - https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904/vuln-details
  - https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html
  - https://www.covertswarm.com/post/multiple-windows-zero-days-cve-2022-24521-cve-2022-26904-and-cve-2022-26809
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows User Profile Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-26904
  comments: "This vulnerability is exploited by an adversary who has already gained
    local access to the victim system and who must also win a race condition. If
    successfully exploited, the adversary gains elevated privileges on the victim
    system.\n\nThis vulnerability has been identified as exploited in the wild; however,
    technical exploitation details have not been publicly shared."
  mapping_type: exploitation_technique
  references:
  - https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904/vuln-details
  - https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html
  - https://www.covertswarm.com/post/multiple-windows-zero-days-cve-2022-24521-cve-2022-26904-and-cve-2022-26809
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26904
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows User Profile Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-21919
  comments: "This vulnerability is exploited by an adversary who has already gained
    local access to the victim system, obtained for example through social engineering,
    a separate exploit, or malware. Exploiting this vulnerability grants the adversary
    elevated privileges on the victim system.\n\nThis vulnerability has been identified
    as being exploited in the wild; however, technical details of how it has been
    leveraged by a threat actor have not been publicly released."
  mapping_type: primary_impact
  references:
  - https://www.tripwire.com/state-of-security/vert-threat-alert-january-2022-patch-tuesday-analysis
  - https://attackerkb.com/topics/2sQXBnLJYq/cve-2022-21919/vuln-details
  - https://www.tenable.com/blog/microsofts-january-2022-patch-tuesday-addresses-97-cves-cve-2022-21907
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows User Profile Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-21919
  comments: "This vulnerability is exploited by an adversary who has already gained
    local access to the victim system, obtained for example through social engineering,
    a separate exploit, or malware. Exploiting this vulnerability grants the adversary
    elevated privileges on the victim system.\n\nThis vulnerability has been identified
    as being exploited in the wild; however, technical details of how it has been
    leveraged by a threat actor have not been publicly released."
  mapping_type: exploitation_technique
  references:
  - https://www.tripwire.com/state-of-security/vert-threat-alert-january-2022-patch-tuesday-analysis
  - https://attackerkb.com/topics/2sQXBnLJYq/cve-2022-21919/vuln-details
  - https://www.tenable.com/blog/microsofts-january-2022-patch-tuesday-addresses-97-cves-cve-2022-21907
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919
- attack_object_id: T1136.001
  attack_object_name: Local Account
  capability_description: Microsoft Windows Print Spooler Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-21999
  comments: 'This vulnerability is exploited by an adversary who already has access
    to the victim system. This vulnerability, also known as SpoolFool, is a local
    privilege escalation vulnerability in the Windows Print Spooler service, which
    manages print operations on Windows systems. It allows attackers to execute code
    with SYSTEM-level privileges by abusing the `SpoolDirectory` configuration setting:
    the `SpoolDirectory` is writable by all users, and its location can be changed with
    the `SetPrinterDataEx()` function by an attacker who holds `PRINTER_ACCESS_ADMINISTER`
    permissions on a printer.


    The exploit involves creating a directory junction and using a Universal Naming
    Convention (UNC) path to write a malicious DLL to a privileged directory, such
    as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed
    by the Print Spooler service, granting the attacker elevated privileges. This
    method circumvents checks that were previously added to prevent privilege escalation
    through the Print Spooler.


    The vulnerability has been exploited in the wild, with attackers using tools like
    the SpoolFool proof of concept (PoC) published on GitHub. One observed attack
    involved creating a local administrator account with a default password, indicating
    the potential for significant system compromise. Unit 42 has reported activity,
    possibly attributable to the Gelsemium APT group, that exploited this vulnerability,
    suggesting its use in advanced persistent threat campaigns.'
  mapping_type: secondary_impact
  references:
  - https://www.logpoint.com/en/blog/a-spools-gold-cve-2022-21999-yet-another-windows-print-spooler-privilege-escalation-2/
  - https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_21999_spoolfool_privesc/
  - https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Microsoft Windows Print Spooler Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-21999
  comments: 'This vulnerability is exploited by an adversary who already has access
    to the victim system. This vulnerability, also known as SpoolFool, is a local
    privilege escalation vulnerability in the Windows Print Spooler service, which
    manages print operations on Windows systems. It allows attackers to execute code
    with SYSTEM-level privileges by abusing the `SpoolDirectory` configuration setting:
    the `SpoolDirectory` is writable by all users, and its location can be changed with
    the `SetPrinterDataEx()` function by an attacker who holds `PRINTER_ACCESS_ADMINISTER`
    permissions on a printer.


    The exploit involves creating a directory junction and using a Universal Naming
    Convention (UNC) path to write a malicious DLL to a privileged directory, such
    as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed
    by the Print Spooler service, granting the attacker elevated privileges. This
    method circumvents checks that were previously added to prevent privilege escalation
    through the Print Spooler.


    The vulnerability has been exploited in the wild, with attackers using tools like
    the SpoolFool proof of concept (PoC) published on GitHub. One observed attack
    involved creating a local administrator account with a default password, indicating
    the potential for significant system compromise. Unit 42 has reported activity,
    possibly attributable to the Gelsemium APT group, that exploited this vulnerability,
    suggesting its use in advanced persistent threat campaigns.'
  mapping_type: secondary_impact
  references:
  - https://www.logpoint.com/en/blog/a-spools-gold-cve-2022-21999-yet-another-windows-print-spooler-privilege-escalation-2/
  - https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_21999_spoolfool_privesc/
  - https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Windows Print Spooler Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-21999
  comments: 'This vulnerability is exploited by an adversary who already has access
    to the victim system. This vulnerability, also known as SpoolFool, is a local
    privilege escalation vulnerability in the Windows Print Spooler service, which
    manages print operations on Windows systems. It allows attackers to execute code
    with SYSTEM-level privileges by abusing the `SpoolDirectory` configuration setting:
    the `SpoolDirectory` is writable by all users, and its location can be changed with
    the `SetPrinterDataEx()` function by an attacker who holds `PRINTER_ACCESS_ADMINISTER`
    permissions on a printer.


    The exploit involves creating a directory junction and using a Universal Naming
    Convention (UNC) path to write a malicious DLL to a privileged directory, such
    as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed
    by the Print Spooler service, granting the attacker elevated privileges. This
    method circumvents checks that were previously added to prevent privilege escalation
    through the Print Spooler.


    The vulnerability has been exploited in the wild, with attackers using tools like
    the SpoolFool proof of concept (PoC) published on GitHub. One observed attack
    involved creating a local administrator account with a default password, indicating
    the potential for significant system compromise. Unit 42 has reported activity,
    possibly attributable to the Gelsemium APT group, that exploited this vulnerability,
    suggesting its use in advanced persistent threat campaigns.'
  mapping_type: secondary_impact
  references:
  - https://www.logpoint.com/en/blog/a-spools-gold-cve-2022-21999-yet-another-windows-print-spooler-privilege-escalation-2/
  - https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_21999_spoolfool_privesc/
  - https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Print Spooler Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-21999
  comments: 'This vulnerability is exploited by an adversary who already has access
    to the victim system. This vulnerability, also known as SpoolFool, is a local
    privilege escalation vulnerability in the Windows Print Spooler service, which
    manages print operations on Windows systems. It allows attackers to execute code
    with SYSTEM-level privileges by abusing the `SpoolDirectory` configuration setting:
    the `SpoolDirectory` is writable by all users, and its location can be changed with
    the `SetPrinterDataEx()` function by an attacker who holds `PRINTER_ACCESS_ADMINISTER`
    permissions on a printer.


    The exploit involves creating a directory junction and using a Universal Naming
    Convention (UNC) path to write a malicious DLL to a privileged directory, such
    as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed
    by the Print Spooler service, granting the attacker elevated privileges. This
    method circumvents checks that were previously added to prevent privilege escalation
    through the Print Spooler.


    The vulnerability has been exploited in the wild, with attackers using tools like
    the SpoolFool proof of concept (PoC) published on GitHub. One observed attack
    involved creating a local administrator account with a default password, indicating
    the potential for significant system compromise. Unit 42 has reported activity,
    possibly attributable to the Gelsemium APT group, that exploited this vulnerability,
    suggesting its use in advanced persistent threat campaigns.'
  mapping_type: primary_impact
  references:
  - https://www.logpoint.com/en/blog/a-spools-gold-cve-2022-21999-yet-another-windows-print-spooler-privilege-escalation-2/
  - https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_21999_spoolfool_privesc/
  - https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows Print Spooler Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-21999
  comments: 'This vulnerability is exploited by an adversary who already has access
    to the victim system. This vulnerability, also known as SpoolFool, is a local
    privilege escalation vulnerability in the Windows Print Spooler service, which
    manages print operations on Windows systems. It allows attackers to execute code
    with SYSTEM-level privileges by abusing the `SpoolDirectory` configuration setting:
    the `SpoolDirectory` is writable by all users, and its location can be changed with
    the `SetPrinterDataEx()` function by an attacker who holds `PRINTER_ACCESS_ADMINISTER`
    permissions on a printer.


    The exploit involves creating a directory junction and using a Universal Naming
    Convention (UNC) path to write a malicious DLL to a privileged directory, such
    as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed
    by the Print Spooler service, granting the attacker elevated privileges. This
    method circumvents checks that were previously added to prevent privilege escalation
    through the Print Spooler.


    The vulnerability has been exploited in the wild, with attackers using tools like
    the SpoolFool proof of concept (PoC) published on GitHub. One observed attack
    involved creating a local administrator account with a default password, indicating
    the potential for significant system compromise. Unit 42 has reported activity,
    possibly attributable to the Gelsemium APT group, that exploited this vulnerability,
    suggesting its use in advanced persistent threat campaigns.'
  mapping_type: exploitation_technique
  references:
  - https://www.logpoint.com/en/blog/a-spools-gold-cve-2022-21999-yet-another-windows-print-spooler-privilege-escalation-2/
  - https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_21999_spoolfool_privesc/
  - https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21999
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Print Spooler Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-22718
  comments: "This vulnerability is leveraged by an adversary who has already gained\
    \ local access to the victim system. The adversary exploits this vulnerability\
    \ to elevate their privileges on the system via the Print Spooler, which could\
    \ give the adversary the ability to distribute and install malicious programs\
    \ on victims\u2019 computers that can steal stored data.\n\nThis vulnerability\
    \ has been actively exploited by cybercriminals to gain unauthorized access to\
    \ corporate networks and resources. Details about who is exploiting this vulnerability\
    \ and their exact movements have not been publicly shared."
  mapping_type: primary_impact
  references:
  - https://usa.kaspersky.com/about/press-releases/cybercriminals-are-increasingly-exploiting-vulnerabilities-in-windows-print-spooler?srsltid=AfmBOoq1s3DrojS1SeshPfrSC_RHDXs5gU1JTjmttEer2DljjUQfx_c0
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-attackers-now-exploiting-windows-print-spooler-bug/
  - https://gridinsoft.com/blogs/vulnerability-in-windows-print-spooler-in-real-attacks/
  - https://thehackernews.com/2022/04/hackers-exploiting-recently-reported.html
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22718
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows Print Spooler Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-22718
  comments: "This vulnerability is leveraged by an adversary who has already gained\
    \ local access to the victim system. The adversary exploits this vulnerability\
    \ to elevate their privileges on the system via the Print Spooler, which could\
    \ give the adversary the ability to distribute and install malicious programs\
    \ on victims\u2019 computers that can steal stored data.\n\nThis vulnerability\
    \ has been actively exploited by cybercriminals to gain unauthorized access to\
    \ corporate networks and resources. Details about who is exploiting this vulnerability\
    \ and their exact movements have not been publicly shared."
  mapping_type: exploitation_technique
  references:
  - https://usa.kaspersky.com/about/press-releases/cybercriminals-are-increasingly-exploiting-vulnerabilities-in-windows-print-spooler?srsltid=AfmBOoq1s3DrojS1SeshPfrSC_RHDXs5gU1JTjmttEer2DljjUQfx_c0
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-attackers-now-exploiting-windows-print-spooler-bug/
  - https://gridinsoft.com/blogs/vulnerability-in-windows-print-spooler-in-real-attacks/
  - https://thehackernews.com/2022/04/hackers-exploiting-recently-reported.html
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22718
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Microsoft Windows Print Spooler Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-41073
  comments: 'This vulnerability is exploited by an attacker who already has local access
    to the target system and can interact with the Print Spooler service. The vulnerability
    lies in the Print Spooler, specifically involving XML manipulation and path traversal
    to a writable path containing a modified version of the `prntvpt.dll` file. This
    vulnerability has been exploited by threat actors to load unauthorized code on
    Windows systems. Attackers leveraged this flaw to execute arbitrary code, allowing
    them to manipulate system processes and potentially deploy additional malware
    or perform further malicious activities.


    The exploit in question is actively being used in the wild. It involves exploiting
    the path traversal vulnerability to load a malicious DLL by manipulating the Print
    Spooler service. Once the vulnerability is exploited, attackers can bypass impersonation
    controls to load untrusted resources, thereby executing arbitrary code with elevated
    privileges.'
  mapping_type: secondary_impact
  references:
  - https://securelist.com/windows-vulnerabilities/112232/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41073
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Print Spooler Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-41073
  comments: 'This vulnerability is exploited by an attacker who already has local access
    to the target system and can interact with the Print Spooler service. The vulnerability
    lies in the Print Spooler, specifically involving XML manipulation and path traversal
    to a writable path containing a modified version of the `prntvpt.dll` file. This
    vulnerability has been exploited by threat actors to load unauthorized code on
    Windows systems. Attackers leveraged this flaw to execute arbitrary code, allowing
    them to manipulate system processes and potentially deploy additional malware
    or perform further malicious activities.


    The exploit in question is actively being used in the wild. It involves exploiting
    the path traversal vulnerability to load a malicious DLL by manipulating the Print
    Spooler service. Once the vulnerability is exploited, attackers can bypass impersonation
    controls to load untrusted resources, thereby executing arbitrary code with elevated
    privileges.'
  mapping_type: primary_impact
  references:
  - https://securelist.com/windows-vulnerabilities/112232/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41073
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows Print Spooler Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-41073
  comments: 'This vulnerability is exploited by an attacker who already has local access
    to the target system and can interact with the Print Spooler service. The vulnerability
    lies in the Print Spooler, specifically involving XML manipulation and path traversal
    to a writable path containing a modified version of the `prntvpt.dll` file. This
    vulnerability has been exploited by threat actors to load unauthorized code on
    Windows systems. Attackers leveraged this flaw to execute arbitrary code, allowing
    them to manipulate system processes and potentially deploy additional malware
    or perform further malicious activities.


    The exploit in question is actively being used in the wild. It involves exploiting
    the path traversal vulnerability to load a malicious DLL by manipulating the Print
    Spooler service. Once the vulnerability is exploited, attackers can bypass impersonation
    controls to load untrusted resources, thereby executing arbitrary code with elevated
    privileges.'
  mapping_type: exploitation_technique
  references:
  - https://securelist.com/windows-vulnerabilities/112232/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41073
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Windows Common Log File System (CLFS) Driver Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-37969
  comments: 'This vulnerability is exploited by an attacker who has obtained access
    to the target system. The vulnerability lies in the Windows Common Log File System
    (CLFS) Driver, specifically due to improper bounds checking on the `cbSymbolZone`
    field in the Base Record Header for the base log file (BLF). This vulnerability
    has been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary system commands, allowing them
    to manipulate system processes and potentially deploy additional malware or perform
    further malicious activities.


    The exploit in question is actively being used in the wild, primarily in targeted
    attacks. It involves setting the `cbSymbolZone` field to an invalid offset, triggering
    an out-of-bounds write that corrupts a pointer to the CClfsContainer object. Once
    the vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    actions with SYSTEM-level privileges. This allows them to achieve their objectives,
    such as disabling security applications and gaining full control over the compromised
    system.'
  mapping_type: secondary_impact
  references:
  - https://securityaffairs.com/137119/hacking/cve-2022-37969-details.html
  - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part2-exploit-analysis
  - https://krebsonsecurity.com/2022/09/wormable-flaw-0days-lead-sept-2022-patch-tuesday/
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2022-patch-tuesday-fixes-zero-day-used-in-attacks-63-flaws/
  - https://www.forbes.com/sites/daveywinder/2022/09/14/new-microsoft-windows-zero-day-attack-confirmed-update-now/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Common Log File System (CLFS) Driver Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-37969
  comments: 'This vulnerability is exploited by an attacker who has obtained access
    to the target system. The vulnerability lies in the Windows Common Log File System
    (CLFS) Driver, specifically due to improper bounds checking on the `cbSymbolZone`
    field in the Base Record Header for the base log file (BLF). This vulnerability
    has been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary system commands, allowing them
    to manipulate system processes and potentially deploy additional malware or perform
    further malicious activities.


    The exploit in question is actively being used in the wild, primarily in targeted
    attacks. It involves setting the `cbSymbolZone` field to an invalid offset, triggering
    an out-of-bounds write that corrupts a pointer to the CClfsContainer object. Once
    the vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    actions with SYSTEM-level privileges. This allows them to achieve their objectives,
    such as disabling security applications and gaining full control over the compromised
    system.'
  mapping_type: primary_impact
  references:
  - https://securityaffairs.com/137119/hacking/cve-2022-37969-details.html
  - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part2-exploit-analysis
  - https://krebsonsecurity.com/2022/09/wormable-flaw-0days-lead-sept-2022-patch-tuesday/
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2022-patch-tuesday-fixes-zero-day-used-in-attacks-63-flaws/
  - https://www.forbes.com/sites/daveywinder/2022/09/14/new-microsoft-windows-zero-day-attack-confirmed-update-now/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows Common Log File System (CLFS) Driver Privilege
    Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-37969
  comments: 'This vulnerability is exploited by an attacker who has obtained access
    to the target system. The vulnerability lies in the Windows Common Log File System
    (CLFS) Driver, specifically due to improper bounds checking on the `cbSymbolZone`
    field in the Base Record Header for the base log file (BLF). This vulnerability
    has been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary system commands, allowing them
    to manipulate system processes and potentially deploy additional malware or perform
    further malicious activities.


    The exploit in question is actively being used in the wild, primarily in targeted
    attacks. It involves setting the `cbSymbolZone` field to an invalid offset, triggering
    an out-of-bounds write that corrupts a pointer to the CClfsContainer object. Once
    the vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    actions with SYSTEM-level privileges. This allows them to achieve their objectives,
    such as disabling security applications and gaining full control over the compromised
    system.'
  mapping_type: exploitation_technique
  references:
  - https://securityaffairs.com/137119/hacking/cve-2022-37969-details.html
  - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part2-exploit-analysis
  - https://krebsonsecurity.com/2022/09/wormable-flaw-0days-lead-sept-2022-patch-tuesday/
  - https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2022-patch-tuesday-fixes-zero-day-used-in-attacks-63-flaws/
  - https://www.forbes.com/sites/daveywinder/2022/09/14/new-microsoft-windows-zero-day-attack-confirmed-update-now/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows COM+ Event System Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-41033
  comments: 'CVE-2022-41033 is exploited by an attacker who has obtained access to
    the target system. The vulnerability lies in the Windows COM+ Event System Service,
    due to improper handling of privilege escalation scenarios. This vulnerability
    has been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary system commands, allowing them
    to manipulate system processes and potentially deploy additional malware or perform
    further malicious activities.


    The exploit in question is actively being used in the wild, primarily in targeted
    attacks. It involves pairing the elevation of privilege vulnerability with other
    code-execution exploits, often through social engineering tactics such as enticing
    a user to open a malicious attachment or visit a harmful website. Once the vulnerability
    is exploited, attackers can manipulate system privileges to perform arbitrary
    actions with SYSTEM-level permissions. This allows them to achieve their objectives,
    such as installing programs, viewing or changing data, and creating new accounts
    with full user rights.'
  mapping_type: primary_impact
  references:
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-zero-days-exchange-server-exploit-chain-remains-unpatched
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-october-2022/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Microsoft Windows COM+ Event System Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-41033
  comments: 'CVE-2022-41033 is exploited by an attacker who has obtained access to
    the target system. The vulnerability lies in the Windows COM+ Event System Service,
    due to improper handling of privilege escalation scenarios. This vulnerability
    has been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary system commands, allowing them
    to manipulate system processes and potentially deploy additional malware or perform
    further malicious activities.


    The exploit in question is actively being used in the wild, primarily in targeted
    attacks. It involves pairing the elevation of privilege vulnerability with other
    code-execution exploits, often through social engineering tactics such as enticing
    a user to open a malicious attachment or visit a harmful website. Once the vulnerability
    is exploited, attackers can manipulate system privileges to perform arbitrary
    actions with SYSTEM-level permissions. This allows them to achieve their objectives,
    such as installing programs, viewing or changing data, and creating new accounts
    with full user rights.'
  mapping_type: exploitation_technique
  references:
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-zero-days-exchange-server-exploit-chain-remains-unpatched
  - https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-october-2022/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Windows CNG Key Isolation Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-41125
  comments: 'This vulnerability is exploited by an attacker who has obtained local
    access with low privileges on the target system. The vulnerability lies in the
    Cryptography API: Next Generation (CNG) Key Isolation Service, specifically due
    to a memory overflow issue. This vulnerability has been exploited by threat actors
    to gain elevated privileges on Windows systems. Attackers leveraged this flaw
    to execute arbitrary commands with SYSTEM privileges, allowing them to manipulate
    system processes and deploy additional malware to perform further malicious activities.


    The exploit in question is actively being used in the wild. It involves exploiting
    the memory overflow in the CNG Key Isolation Service to gain SYSTEM-level access.
    Once the vulnerability is exploited, attackers can manipulate system processes
    and access sensitive information stored in the service, such as cryptographic
    keys. This allows them to achieve their objectives, such as executing code with
    elevated privileges and compromising the security of the affected system.'
  mapping_type: secondary_impact
  references:
  - https://www.thestack.technology/cve-2022-41125-microsoft-november-patch-tuesday/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41125
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows CNG Key Isolation Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-41125
  comments: 'This vulnerability is exploited by an attacker who has obtained local
    access with low privileges on the target system. The vulnerability lies in the
    Cryptography API: Next Generation (CNG) Key Isolation Service, specifically due
    to a memory overflow issue. This vulnerability has been exploited by threat actors
    to gain elevated privileges on Windows systems. Attackers leveraged this flaw
    to execute arbitrary commands with SYSTEM privileges, allowing them to manipulate
    system processes and deploy additional malware to perform further malicious activities.


    The exploit in question is actively being used in the wild. It involves exploiting
    the memory overflow in the CNG Key Isolation Service to gain SYSTEM-level access.
    Once the vulnerability is exploited, attackers can manipulate system processes
    and access sensitive information stored in the service, such as cryptographic
    keys. This allows them to achieve their objectives, such as executing code with
    elevated privileges and compromising the security of the affected system.'
  mapping_type: primary_impact
  references:
  - https://www.thestack.technology/cve-2022-41125-microsoft-november-patch-tuesday/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41125
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows CNG Key Isolation Service Privilege Escalation
    Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-41125
  comments: 'This vulnerability is exploited by an attacker who has obtained local
    access with low privileges on the target system. The vulnerability lies in the
    Cryptography API: Next Generation (CNG) Key Isolation Service, specifically due
    to a memory overflow issue. This vulnerability has been exploited by threat actors
    to gain elevated privileges on Windows systems. Attackers leveraged this flaw
    to execute arbitrary commands with SYSTEM privileges, allowing them to manipulate
    system processes and deploy additional malware to perform further malicious activities.


    The exploit in question is actively being used in the wild. It involves exploiting
    the memory overflow in the CNG Key Isolation Service to gain SYSTEM-level access.
    Once the vulnerability is exploited, attackers can manipulate system processes
    and access sensitive information stored in the service, such as cryptographic
    keys. This allows them to achieve their objectives, such as executing code with
    elevated privileges and compromising the security of the affected system.'
  mapping_type: exploitation_technique
  references:
  - https://www.thestack.technology/cve-2022-41125-microsoft-november-patch-tuesday/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41125
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Windows Client Server Runtime Subsystem (CSRSS)
    Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-22047
  comments: 'This vulnerability is exploited by an attacker who has obtained local
    access to the target system. The vulnerability lies in the Client Server Run-Time
    Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism,
    due to improper handling of crafted assembly manifests. This vulnerability has
    been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary system-level commands, allowing
    them to manipulate system processes and deploy additional malware to perform further
    malicious activities.


    The exploit in question is actively being used in the wild, primarily in targeted
    attacks. It involves creating a malicious activation context by providing a crafted
    assembly manifest, which is cached and used the next time the process spawns.
    Once the vulnerability is exploited, attackers can load a malicious DLL to achieve
    system-level code execution. This allows them to achieve their objectives, such
    as executing arbitrary code with SYSTEM-level privileges rather than those of the
    compromised user account.'
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
  - https://securelist.com/windows-vulnerabilities/112232/
  - https://www.forbes.com/sites/daveywinder/2022/07/28/microsoft-confirms-windows-users-targeted-by-0day-hack-attack/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047
- attack_object_id: T1547.001
  attack_object_name: Registry Run Keys / Startup Folder
  capability_description: Microsoft Windows Client Server Runtime Subsystem (CSRSS)
    Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-22047
  comments: 'This vulnerability is exploited by an attacker who has obtained local
    access to the target system. The vulnerability lies in the Client Server Run-Time
    Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism,
    due to improper handling of crafted assembly manifests. This vulnerability has
    been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary system-level commands, allowing
    them to manipulate system processes and deploy additional malware to perform further
    malicious activities.


    The exploit in question is actively being used in the wild, primarily in targeted
    attacks. It involves creating a malicious activation context by providing a crafted
    assembly manifest, which is cached and used the next time the process spawns.
    Once the vulnerability is exploited, attackers can load a malicious DLL to achieve
    system-level code execution. This allows them to achieve their objectives, such
    as executing arbitrary code with SYSTEM-level privileges rather than those of the
    compromised user account.'
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
  - https://securelist.com/windows-vulnerabilities/112232/
  - https://www.forbes.com/sites/daveywinder/2022/07/28/microsoft-confirms-windows-users-targeted-by-0day-hack-attack/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Client Server Runtime Subsystem (CSRSS)
    Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-22047
  comments: 'This vulnerability is exploited by an attacker who has obtained local
    access to the target system. The vulnerability lies in the Client Server Run-Time
    Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism,
    due to improper handling of crafted assembly manifests. This vulnerability has
    been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary system-level commands, allowing
    them to manipulate system processes and deploy additional malware to perform further
    malicious activities.


    The exploit in question is actively being used in the wild, primarily in targeted
    attacks. It involves creating a malicious activation context by providing a crafted
    assembly manifest, which is cached and used the next time the process spawns.
    Once the vulnerability is exploited, attackers can load a malicious DLL to achieve
    system-level code execution. This allows them to achieve their objectives, such
    as executing arbitrary code with SYSTEM-level privileges rather than those of the
    compromised user account.'
  mapping_type: primary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
  - https://securelist.com/windows-vulnerabilities/112232/
  - https://www.forbes.com/sites/daveywinder/2022/07/28/microsoft-confirms-windows-users-targeted-by-0day-hack-attack/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows Client Server Runtime Subsystem (CSRSS)
    Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-22047
  comments: 'This vulnerability is exploited by an attacker who has obtained local
    access to the target system. The vulnerability lies in the Client Server Run-Time
    Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism,
    due to improper handling of crafted assembly manifests. This vulnerability has
    been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary system-level commands, allowing
    them to manipulate system processes and deploy additional malware to perform further
    malicious activities.


    The exploit in question is actively being used in the wild, primarily in targeted
    attacks. It involves creating a malicious activation context by providing a crafted
    assembly manifest, which is cached and used the next time the process spawns.
    Once the vulnerability is exploited, attackers can load a malicious DLL to achieve
    system-level code execution. This allows them to achieve their objectives, such
    as executing arbitrary code with SYSTEM-level privileges rather than those of the
    compromised user account.'
  mapping_type: exploitation_technique
  references:
  - https://www.microsoft.com/en-us/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
  - https://securelist.com/windows-vulnerabilities/112232/
  - https://www.forbes.com/sites/daveywinder/2022/07/28/microsoft-confirms-windows-users-targeted-by-0day-hack-attack/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Windows CLFS Driver Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-24521
  comments: 'This vulnerability is exploited by an attacker who can already execute
    code on the target system. The vulnerability lies in the Common
    Log File System (CLFS) driver, specifically in the `CClfsBaseFilePersisted::LoadContainerQ()`
    function, due to a logic bug in handling container context objects. This vulnerability
    has been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary code with system-level privileges,
    allowing them to manipulate system processes and deploy additional malware to
    perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in ransomware
    campaigns. It involves corrupting the `pContainer` field of a container context
    object with a user-mode address by using malformed BLF files. Once the vulnerability
    is exploited, attackers can manipulate memory to execute code with elevated privileges.
    This allows them to achieve their objectives, such as stealing the SYSTEM token
    and gaining full control over the compromised system.'
  mapping_type: secondary_impact
  references:
  - https://hivepro.com/wp-content/uploads/2022/08/Zero-day-vulnerability-leveraged-to-deploy-Cuba-Ransomware_TA2022169.pdf?utm_sr=google&utm_cmd=organic&utm_ccn=(not%20set)&utm_ctr=(not%20provided)
  - https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-24521.html
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521
  - https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
  - https://securelist.com/windows-clfs-exploits-ransomware-cve-2022-24521/111580/
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows CLFS Driver Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-24521
  comments: 'This vulnerability is exploited by an attacker who can already execute
    code on the target system. The vulnerability lies in the Common
    Log File System (CLFS) driver, specifically in the `CClfsBaseFilePersisted::LoadContainerQ()`
    function, due to a logic bug in handling container context objects. This vulnerability
    has been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary code with system-level privileges,
    allowing them to manipulate system processes and deploy additional malware to
    perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in ransomware
    campaigns. It involves corrupting the `pContainer` field of a container context
    object with a user-mode address by using malformed BLF files. Once the vulnerability
    is exploited, attackers can manipulate memory to execute code with elevated privileges.
    This allows them to achieve their objectives, such as stealing the System token
    and gaining full control over the compromised system.'
  mapping_type: primary_impact
  references:
  - https://hivepro.com/wp-content/uploads/2022/08/Zero-day-vulnerability-leveraged-to-deploy-Cuba-Ransomware_TA2022169.pdf?utm_sr=google&utm_cmd=organic&utm_ccn=(not%20set)&utm_ctr=(not%20provided)
  - https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-24521.html
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521
  - https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
  - https://securelist.com/windows-clfs-exploits-ransomware-cve-2022-24521/111580/
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows CLFS Driver Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2022-24521
  comments: 'This vulnerability is exploited by an attacker who has already obtained
    access to a target system to execute code. The vulnerability lies in the Common
    Log File System (CLFS) driver, specifically in the `CClfsBaseFilePersisted::LoadContainerQ()`
    function, due to a logic bug in handling container context objects. This vulnerability
    has been exploited by threat actors to gain elevated privileges on Windows systems.
    Attackers leveraged this flaw to execute arbitrary code with system-level privileges,
    allowing them to manipulate system processes and deploy additional malware to
    perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in ransomware
    campaigns. It involves corrupting the `pContainer` field of a container context
    object with a user-mode address by using malformed BLF files. Once the vulnerability
    is exploited, attackers can manipulate memory to execute code with elevated privileges.
    This allows them to achieve their objectives, such as stealing the System token
    and gaining full control over the compromised system.'
  mapping_type: exploitation_technique
  references:
  - https://hivepro.com/wp-content/uploads/2022/08/Zero-day-vulnerability-leveraged-to-deploy-Cuba-Ransomware_TA2022169.pdf?utm_sr=google&utm_cmd=organic&utm_ccn=(not%20set)&utm_ctr=(not%20provided)
  - https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-24521.html
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24521
  - https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/
  - https://securelist.com/windows-clfs-exploits-ransomware-cve-2022-24521/111580/
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows SAM Local Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-36934
  comments: 'This vulnerability is exploited by a local or remote adversary who already
    has access to the system. Overly permissive ACLs on system files enable the attacker
    to elevate their privileges to SYSTEM level. By exploiting this vulnerability an
    attacker could gain the ability to run arbitrary code, install programs, view/modify/delete
    data, or create new user accounts with full rights.'
  mapping_type: primary_impact
  references:
  - https://www.sentinelone.com/blog/hivenightmare-protecting-windows-10-security-account-manager-against-cve-2021-36934/
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows SAM Local Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-36934
  comments: 'This vulnerability is exploited by a local or remote adversary who already
    has access to the system. Overly permissive ACLs on system files enable the attacker
    to elevate their privileges to SYSTEM level. By exploiting this vulnerability an
    attacker could gain the ability to run arbitrary code, install programs, view/modify/delete
    data, or create new user accounts with full rights.'
  mapping_type: exploitation_technique
  references:
  - https://www.sentinelone.com/blog/hivenightmare-protecting-windows-10-security-account-manager-against-cve-2021-36934/
- attack_object_id: T1573.001
  attack_object_name: Symmetric Cryptography
  capability_description: Microsoft Windows Win32k Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-40449
  comments: 'This vulnerability is exploited by an attacker who has obtained administrative
    console access on the target system. The vulnerability lies in the Win32k driver,
    specifically in the NtGdiResetDC function, due to improper handling of user-mode
    callbacks. This vulnerability has been exploited by threat actors to gain elevated
    privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary
    kernel commands, allowing them to manipulate system processes and potentially
    deploy additional malware or perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in espionage
    campaigns. It involves triggering a use-after-free condition by executing the
    ResetDC function a second time for the same handle during a callback. Once the
    vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    kernel function calls with controlled parameters. This allows them to achieve
    their objectives, such as reading and writing kernel memory, with the same permissions
    as the compromised system''s user.'
  mapping_type: secondary_impact
  references:
  - https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-october-patch-update-includes-fix-for-0-day-flaw-in-win32-driver
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-40449
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Microsoft Windows Win32k Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-40449
  comments: 'This vulnerability is exploited by an attacker who has obtained administrative
    console access on the target system. The vulnerability lies in the Win32k driver,
    specifically in the NtGdiResetDC function, due to improper handling of user-mode
    callbacks. This vulnerability has been exploited by threat actors to gain elevated
    privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary
    kernel commands, allowing them to manipulate system processes and potentially
    deploy additional malware or perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in espionage
    campaigns. It involves triggering a use-after-free condition by executing the
    ResetDC function a second time for the same handle during a callback. Once the
    vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    kernel function calls with controlled parameters. This allows them to achieve
    their objectives, such as reading and writing kernel memory, with the same permissions
    as the compromised system''s user.'
  mapping_type: secondary_impact
  references:
  - https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-october-patch-update-includes-fix-for-0-day-flaw-in-win32-driver
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-40449
- attack_object_id: T1016
  attack_object_name: System Network Configuration Discovery
  capability_description: Microsoft Windows Win32k Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-40449
  comments: 'This vulnerability is exploited by an attacker who has obtained administrative
    console access on the target system. The vulnerability lies in the Win32k driver,
    specifically in the NtGdiResetDC function, due to improper handling of user-mode
    callbacks. This vulnerability has been exploited by threat actors to gain elevated
    privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary
    kernel commands, allowing them to manipulate system processes and deploy additional
    malware to perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in espionage
    campaigns. It involves triggering a use-after-free condition by executing the
    ResetDC function a second time for the same handle during a callback. Once the
    vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    kernel function calls with controlled parameters. This allows them to achieve
    their objectives, such as reading and writing kernel memory, with the same permissions
    as the compromised system''s user.'
  mapping_type: secondary_impact
  references:
  - https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-october-patch-update-includes-fix-for-0-day-flaw-in-win32-driver
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-40449
- attack_object_id: T1082
  attack_object_name: System Information Discovery
  capability_description: Microsoft Windows Win32k Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-40449
  comments: 'This vulnerability is exploited by an attacker who has obtained administrative
    console access on the target system. The vulnerability lies in the Win32k driver,
    specifically in the NtGdiResetDC function, due to improper handling of user-mode
    callbacks. This vulnerability has been exploited by threat actors to gain elevated
    privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary
    kernel commands, allowing them to manipulate system processes and deploy additional
    malware to perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in espionage
    campaigns. It involves triggering a use-after-free condition by executing the
    ResetDC function a second time for the same handle during a callback. Once the
    vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    kernel function calls with controlled parameters. This allows them to achieve
    their objectives, such as reading and writing kernel memory, with the same permissions
    as the compromised system''s user.'
  mapping_type: secondary_impact
  references:
  - https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-october-patch-update-includes-fix-for-0-day-flaw-in-win32-driver
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-40449
- attack_object_id: T1059.003
  attack_object_name: Windows Command Shell
  capability_description: Microsoft Windows Win32k Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-40449
  comments: 'This vulnerability is exploited by an attacker who has obtained administrative
    console access on the target system. The vulnerability lies in the Win32k driver,
    specifically in the NtGdiResetDC function, due to improper handling of user-mode
    callbacks. This vulnerability has been exploited by threat actors to gain elevated
    privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary
    kernel commands, allowing them to manipulate system processes and deploy additional
    malware to perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in espionage
    campaigns. It involves triggering a use-after-free condition by executing the
    ResetDC function a second time for the same handle during a callback. Once the
    vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    kernel function calls with controlled parameters. This allows them to achieve
    their objectives, such as reading and writing kernel memory, with the same permissions
    as the compromised system''s user.'
  mapping_type: secondary_impact
  references:
  - https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-october-patch-update-includes-fix-for-0-day-flaw-in-win32-driver
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-40449
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Microsoft Windows Win32k Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-40449
  comments: 'This vulnerability is exploited by an attacker who has obtained administrative
    console access on the target system. The vulnerability lies in the Win32k driver,
    specifically in the NtGdiResetDC function, due to improper handling of user-mode
    callbacks. This vulnerability has been exploited by threat actors to gain elevated
    privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary
    kernel commands, allowing them to manipulate system processes and deploy additional
    malware to perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in espionage
    campaigns. It involves triggering a use-after-free condition by executing the
    ResetDC function a second time for the same handle during a callback. Once the
    vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    kernel function calls with controlled parameters. This allows them to achieve
    their objectives, such as reading and writing kernel memory, with the same permissions
    as the compromised system''s user.'
  mapping_type: secondary_impact
  references:
  - https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-october-patch-update-includes-fix-for-0-day-flaw-in-win32-driver
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-40449
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Win32k Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-40449
  comments: 'This vulnerability is exploited by an attacker who has obtained administrative
    console access on the target system. The vulnerability lies in the Win32k driver,
    specifically in the NtGdiResetDC function, due to improper handling of user-mode
    callbacks. This vulnerability has been exploited by threat actors to gain elevated
    privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary
    kernel commands, allowing them to manipulate system processes and deploy additional
    malware to perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in espionage
    campaigns. It involves triggering a use-after-free condition by executing the
    ResetDC function a second time for the same handle during a callback. Once the
    vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    kernel function calls with controlled parameters. This allows them to achieve
    their objectives, such as reading and writing kernel memory, with the same permissions
    as the compromised system''s user.'
  mapping_type: primary_impact
  references:
  - https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-october-patch-update-includes-fix-for-0-day-flaw-in-win32-driver
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-40449
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Microsoft Windows Win32k Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-40449
  comments: 'This vulnerability is exploited by an attacker who has obtained administrative
    console access on the target system. The vulnerability lies in the Win32k driver,
    specifically in the NtGdiResetDC function, due to improper handling of user-mode
    callbacks. This vulnerability has been exploited by threat actors to gain elevated
    privileges on Windows servers. Attackers leveraged this flaw to execute arbitrary
    kernel commands, allowing them to manipulate system processes and deploy additional
    malware to perform further malicious activities.


    The exploit in question is actively being used in the wild, primarily in espionage
    campaigns. It involves triggering a use-after-free condition by executing the
    ResetDC function a second time for the same handle during a callback. Once the
    vulnerability is exploited, attackers can manipulate memory to perform arbitrary
    kernel function calls with controlled parameters. This allows them to achieve
    their objectives, such as reading and writing kernel memory, with the same permissions
    as the compromised system''s user.'
  mapping_type: exploitation_technique
  references:
  - https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/
  - https://www.darkreading.com/vulnerabilities-threats/microsoft-october-patch-update-includes-fix-for-0-day-flaw-in-win32-driver
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-40449
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Microsoft Windows Installer Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-41379
  comments: 'The vulnerability in Microsoft Windows allows local attackers to escalate
    privileges by exploiting a flaw in the Windows Installer service. By creating
    a junction, attackers can delete targeted files or directories, potentially executing
    arbitrary code with SYSTEM privileges. However, attackers must already have access
    and the ability to execute low-privileged code on the target system to exploit
    this vulnerability.


    This vulnerability has been identified as exploited in the wild; however, specific
    details on how the vulnerability was exploited have not been publicly released.'
  mapping_type: primary_impact
  references:
  - https://threatpost.com/attackers-target-windows-installer-bug/176558/
  - https://intel471.com/blog/installerfiletakeover-exploit-cve-2021-41379
  - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-41379
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Windows Installer Privilege Escalation Vulnerability
  capability_group: priv_escalation
  capability_id: CVE-2021-41379
  comments: 'The vulnerability in Microsoft Windows allows local attackers to escalate
    privileges by exploiting a flaw in the Windows Installer service. By creating
    a junction, attackers can delete targeted files or directories, potentially executing
    arbitrary code with SYSTEM privileges. However, attackers must already have access
    and the ability to execute low-privileged code on the target system to exploit
    this vulnerability.


    This vulnerability has been identified as exploited in the wild; however, specific
    details on how the vulnerability was exploited have not been publicly released.'
  mapping_type: exploitation_technique
  references:
  - https://threatpost.com/attackers-target-windows-installer-bug/176558/
  - https://intel471.com/blog/installerfiletakeover-exploit-cve-2021-41379
  - https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
  - https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2021-41379
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: JetBrains TeamCity Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2024-27198
  comments: "This authentication bypass vulnerability is exploited by an unauthenticated,\
    \ remote adversary via an alternative path issue in the web component allowing\
    \ attackers to perform admin actions and achieve remote code execution. To exploit\
    \ this vulnerability, attackers need to generate an unauthenticated 404 HTTP response,\
    \ pass the HTTP query string \u201C?jsp=/app/rest/server\u201D, and append \u201C\
    ;.jsp\u201D to the HTTP path parameter."
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
  - https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: JetBrains TeamCity Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2024-27198
  comments: "This authentication bypass vulnerability is exploited by an unauthenticated,\
    \ remote adversary via an alternative path issue in the web component allowing\
    \ attackers to perform admin actions and achieve remote code execution. To exploit\
    \ this vulnerability, attackers need to generate an unauthenticated 404 HTTP response,\
    \ pass the HTTP query string \u201C?jsp=/app/rest/server\u201D, and append \u201C\
    ;.jsp\u201D to the HTTP path parameter."
  mapping_type: exploitation_technique
  references:
  - https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
  - https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Zabbix Frontend Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-23131
  comments: 'This vulnerability is exploited by a malicious actor who abuses improper
    validation of SAML session data to modify that data and escalate privileges to gain
    admin access to the Zabbix Frontend. This allows attackers to control the saml_data[username_attribute]
    value. This flaw enables unauthenticated users to bypass authentication and access
    the Zabbix dashboard as a highly-privileged user, such as the default "Admin"
    user. Additionally, incorrect handling of Zabbix installer files permits unauthenticated
    users to access and reconfigure servers.'
  mapping_type: secondary_impact
  references:
  - https://www.sonarsource.com/blog/zabbix-case-study-of-unsafe-session-storage/
  - https://therecord.media/cisa-zabbix-servers-under-attack-with-recently-disclosed-vulnerability
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-vulnerabilities-in-zabbix-servers/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Zabbix Frontend Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-23131
  comments: 'This vulnerability is exploited by a malicious actor who abuses improper
    validation of SAML session data to modify that data and escalate privileges to gain
    admin access to the Zabbix Frontend. This allows attackers to control the saml_data[username_attribute]
    value. This flaw enables unauthenticated users to bypass authentication and access
    the Zabbix dashboard as a highly-privileged user, such as the default "Admin"
    user. Additionally, incorrect handling of Zabbix installer files permits unauthenticated
    users to access and reconfigure servers.'
  mapping_type: secondary_impact
  references:
  - https://www.sonarsource.com/blog/zabbix-case-study-of-unsafe-session-storage/
  - https://therecord.media/cisa-zabbix-servers-under-attack-with-recently-disclosed-vulnerability
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-vulnerabilities-in-zabbix-servers/
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Zabbix Frontend Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-23131
  comments: 'This vulnerability is exploited by a malicious actor who abuses improper
    validation of SAML session data to modify that data and escalate privileges to gain
    admin access to the Zabbix Frontend. This allows attackers to control the saml_data[username_attribute]
    value. This flaw enables unauthenticated users to bypass authentication and access
    the Zabbix dashboard as a highly-privileged user, such as the default "Admin"
    user. Additionally, incorrect handling of Zabbix installer files permits unauthenticated
    users to access and reconfigure servers.'
  mapping_type: primary_impact
  references:
  - https://www.sonarsource.com/blog/zabbix-case-study-of-unsafe-session-storage/
  - https://therecord.media/cisa-zabbix-servers-under-attack-with-recently-disclosed-vulnerability
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-vulnerabilities-in-zabbix-servers/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Zabbix Frontend Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-23131
  comments: 'This vulnerability is exploited by a malicious actor who abuses improper
    validation of SAML session data to modify that data and escalate privileges to gain
    admin access to the Zabbix Frontend. This allows attackers to control the saml_data[username_attribute]
    value. This flaw enables unauthenticated users to bypass authentication and access
    the Zabbix dashboard as a highly-privileged user, such as the default "Admin"
    user. Additionally, incorrect handling of Zabbix installer files permits unauthenticated
    users to access and reconfigure servers.'
  mapping_type: exploitation_technique
  references:
  - https://www.sonarsource.com/blog/zabbix-case-study-of-unsafe-session-storage/
  - https://therecord.media/cisa-zabbix-servers-under-attack-with-recently-disclosed-vulnerability
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-vulnerabilities-in-zabbix-servers/
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Sophos Firewall Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-1040
  comments: "This authentication bypass vulnerability is exploited by remote attackers\
    \ via the User Portal and Webadmin components. This vulnerability allows an attacker\
    \ to execute arbitrary code on the victim machine. \n\nIt was actively exploited\
    \ by Chinese state-sponsored APT groups, including \"Drifting Cloud,\" to target\
    \ organizations and governments across South Asia, particularly in Afghanistan,\
    \ Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this\
    \ vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying\
    \ DNS responses, and intercept user credentials and session cookies from content\
    \ management systems.\n\nThis vulnerability was exploited by Chinese state-sponsored\
    \ threat actors as part of a broader campaign named \"Pacific Rim.\" This campaign\
    \ involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon,\
    \ targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes\
    \ the form of a shared object (\"libsophos.so\"), has been found to be delivered\
    \ following the exploitation of this vulnerability. The use of the rootkit was\
    \ observed between March and April 2022 on a government device and a technology\
    \ partner, and again in May 2022 on a machine in a military hospital based in\
    \ Asia.\n\nThis vulnerability was also exploited by at least two advanced persistent\
    \ threat (APT) groups in a highly targeted attack campaign. The attackers used\
    \ the vulnerability to place malicious files into a fixed filesystem location\
    \ on affected devices, leveraging a combination of authentication bypass and command\
    \ injection to execute arbitrary commands as root.\n\nThe attack involved deploying\
    \ various malware families, including GoMet and Gh0st RAT, to maintain persistent\
    \ access and exfiltrate sensitive data. The attackers demonstrated significant\
    \ knowledge of the device firmware, using custom ELF binaries and runtime packers\
    \ like VMProtect to complicate analysis. They manipulated internal commands to\
    \ move and manipulate files, execute processes, and exfiltrate data. The campaign\
    \ targeted network security devices, employing a two-stage attack to drop remote\
    \ access tools and execute commands remotely."
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2024/11/fbi-seeks-public-help-to-identify.html
  - https://therecord.media/chinese-apt-groups-targeting-india-pakistan-and-more-with-sophos-firewall-vulnerability
  - https://securityaffairs.com/132377/apt/chinese-driftingcloud-apt-exploited-sophos-firewall-zero-day-before-it-was-fixed.html
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Sophos Firewall Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-1040
  comments: "This authentication bypass vulnerability is exploited by remote attackers\
    \ via the User Portal and Webadmin components. This vulnerability allows an attacker\
    \ to execute arbitrary code on the victim machine. \n\nIt was actively exploited\
    \ by Chinese state-sponsored APT groups, including \"Drifting Cloud,\" to target\
    \ organizations and governments across South Asia, particularly in Afghanistan,\
    \ Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this\
    \ vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying\
    \ DNS responses, and intercept user credentials and session cookies from content\
    \ management systems.\n\nThis vulnerability was exploited by Chinese state-sponsored\
    \ threat actors as part of a broader campaign named \"Pacific Rim.\" This campaign\
    \ involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon,\
    \ targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes\
    \ the form of a shared object (\"libsophos.so\"), has been found to be delivered\
    \ following the exploitation of this vulnerability. The use of the rootkit was\
    \ observed between March and April 2022 on a government device and a technology\
    \ partner, and again in May 2022 on a machine in a military hospital based in\
    \ Asia.\n\nThis vulnerability was also exploited by at least two advanced persistent\
    \ threat (APT) groups in a highly targeted attack campaign. The attackers used\
    \ the vulnerability to place malicious files into a fixed filesystem location\
    \ on affected devices, leveraging a combination of authentication bypass and command\
    \ injection to execute arbitrary commands as root.\n\nThe attack involved deploying\
    \ various malware families, including GoMet and Gh0st RAT, to maintain persistent\
    \ access and exfiltrate sensitive data. The attackers demonstrated significant\
    \ knowledge of the device firmware, using custom ELF binaries and runtime packers\
    \ like VMProtect to complicate analysis. They manipulated internal commands to\
    \ move and manipulate files, execute processes, and exfiltrate data. The campaign\
    \ targeted network security devices, employing a two-stage attack to drop remote\
    \ access tools and execute commands remotely."
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2024/11/fbi-seeks-public-help-to-identify.html
  - https://therecord.media/chinese-apt-groups-targeting-india-pakistan-and-more-with-sophos-firewall-vulnerability
  - https://securityaffairs.com/132377/apt/chinese-driftingcloud-apt-exploited-sophos-firewall-zero-day-before-it-was-fixed.html
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Sophos Firewall Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-1040
  comments: "This authentication bypass vulnerability is exploited by remote attackers\
    \ via the User Portal and Webadmin components. This vulnerability allows an attacker\
    \ to execute arbitrary code on the victim machine. \n\nIt was actively exploited\
    \ by Chinese state-sponsored APT groups, including \"Drifting Cloud,\" to target\
    \ organizations and governments across South Asia, particularly in Afghanistan,\
    \ Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this\
    \ vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying\
    \ DNS responses, and intercept user credentials and session cookies from content\
    \ management systems.\n\nThis vulnerability was exploited by Chinese state-sponsored\
    \ threat actors as part of a broader campaign named \"Pacific Rim.\" This campaign\
    \ involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon,\
    \ targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes\
    \ the form of a shared object (\"libsophos.so\"), has been found to be delivered\
    \ following the exploitation of this vulnerability. The use of the rootkit was\
    \ observed between March and April 2022 on a government device and a technology\
    \ partner, and again in May 2022 on a machine in a military hospital based in\
    \ Asia.\n\nThis vulnerability was also exploited by at least two advanced persistent\
    \ threat (APT) groups in a highly targeted attack campaign. The attackers used\
    \ the vulnerability to place malicious files into a fixed filesystem location\
    \ on affected devices, leveraging a combination of authentication bypass and command\
    \ injection to execute arbitrary commands as root.\n\nThe attack involved deploying\
    \ various malware families, including GoMet and Gh0st RAT, to maintain persistent\
    \ access and exfiltrate sensitive data. The attackers demonstrated significant\
    \ knowledge of the device firmware, using custom ELF binaries and runtime packers\
    \ like VMProtect to complicate analysis. They manipulated internal commands to\
    \ move and manipulate files, execute processes, and exfiltrate data. The campaign\
    \ targeted network security devices, employing a two-stage attack to drop remote\
    \ access tools and execute commands remotely."
  mapping_type: secondary_impact
  references:
  - https://therecord.media/chinese-apt-groups-targeting-india-pakistan-and-more-with-sophos-firewall-vulnerability
  - https://securityaffairs.com/132377/apt/chinese-driftingcloud-apt-exploited-sophos-firewall-zero-day-before-it-was-fixed.html
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Sophos Firewall Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-1040
  comments: "This authentication bypass vulnerability is exploited by remote attackers\
    \ via the User Portal and Webadmin components. This vulnerability allows an attacker\
    \ to execute arbitrary code on the victim machine. \n\nIt was actively exploited\
    \ by Chinese state-sponsored APT groups, including \"Drifting Cloud,\" to target\
    \ organizations and governments across South Asia, particularly in Afghanistan,\
    \ Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this\
    \ vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying\
    \ DNS responses, and intercept user credentials and session cookies from content\
    \ management systems.\n\nThis vulnerability was exploited by Chinese state-sponsored\
    \ threat actors as part of a broader campaign named \"Pacific Rim.\" This campaign\
    \ involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon,\
    \ targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes\
    \ the form of a shared object (\"libsophos.so\"), has been found to be delivered\
    \ following the exploitation of this vulnerability. The use of the rootkit was\
    \ observed between March and April 2022 on a government device and a technology\
    \ partner, and again in May 2022 on a machine in a military hospital based in\
    \ Asia.\n\nThis vulnerability was also exploited by at least two advanced persistent\
    \ threat (APT) groups in a highly targeted attack campaign. The attackers used\
    \ the vulnerability to place malicious files into a fixed filesystem location\
    \ on affected devices, leveraging a combination of authentication bypass and command\
    \ injection to execute arbitrary commands as root.\n\nThe attack involved deploying\
    \ various malware families, including GoMet and Gh0st RAT, to maintain persistent\
    \ access and exfiltrate sensitive data. The attackers demonstrated significant\
    \ knowledge of the device firmware, using custom ELF binaries and runtime packers\
    \ like VMProtect to complicate analysis. They manipulated internal commands to\
    \ move and manipulate files, execute processes, and exfiltrate data. The campaign\
    \ targeted network security devices, employing a two-stage attack to drop remote\
    \ access tools and execute commands remotely."
  mapping_type: secondary_impact
  references:
  - https://therecord.media/chinese-apt-groups-targeting-india-pakistan-and-more-with-sophos-firewall-vulnerability
  - https://securityaffairs.com/132377/apt/chinese-driftingcloud-apt-exploited-sophos-firewall-zero-day-before-it-was-fixed.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Sophos Firewall Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-1040
  comments: "This authentication bypass vulnerability is exploited by remote attackers\
    \ via the User Portal and Webadmin components. This vulnerability allows an attacker\
    \ to execute arbitrary code on the victim machine. \n\nIt was actively exploited\
    \ by Chinese state-sponsored APT groups, including \"Drifting Cloud,\" to target\
    \ organizations and governments across South Asia, particularly in Afghanistan,\
    \ Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this\
    \ vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying\
    \ DNS responses, and intercept user credentials and session cookies from content\
    \ management systems.\n\nThis vulnerability was exploited by Chinese state-sponsored\
    \ threat actors as part of a broader campaign named \"Pacific Rim.\" This campaign\
    \ involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon,\
    \ targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes\
    \ the form of a shared object (\"libsophos.so\"), has been found to be delivered\
    \ following the exploitation of this vulnerability. The use of the rootkit was\
    \ observed between March and April 2022 on a government device and a technology\
    \ partner, and again in May 2022 on a machine in a military hospital based in\
    \ Asia.\n\nThis vulnerability was also exploited by at least two advanced persistent\
    \ threat (APT) groups in a highly targeted attack campaign. The attackers used\
    \ the vulnerability to place malicious files into a fixed filesystem location\
    \ on affected devices, leveraging a combination of authentication bypass and command\
    \ injection to execute arbitrary commands as root.\n\nThe attack involved deploying\
    \ various malware families, including GoMet and Gh0st RAT, to maintain persistent\
    \ access and exfiltrate sensitive data. The attackers demonstrated significant\
    \ knowledge of the device firmware, using custom ELF binaries and runtime packers\
    \ like VMProtect to complicate analysis. They manipulated internal commands to\
    \ move and manipulate files, execute processes, and exfiltrate data. The campaign\
    \ targeted network security devices, employing a two-stage attack to drop remote\
    \ access tools and execute commands remotely."
  mapping_type: primary_impact
  references:
  - https://therecord.media/chinese-apt-groups-targeting-india-pakistan-and-more-with-sophos-firewall-vulnerability
  - https://securityaffairs.com/132377/apt/chinese-driftingcloud-apt-exploited-sophos-firewall-zero-day-before-it-was-fixed.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Sophos Firewall Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2022-1040
  comments: "This authentication bypass vulnerability is exploited by remote attackers\
    \ via the User Portal and Webadmin components. This vulnerability allows an attacker\
    \ to execute arbitrary code on the victim machine. \n\nIt was actively exploited\
    \ by Chinese state-sponsored APT groups, including \"Drifting Cloud,\" to target\
    \ organizations and governments across South Asia, particularly in Afghanistan,\
    \ Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this\
    \ vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying\
    \ DNS responses, and intercept user credentials and session cookies from content\
    \ management systems.\n\nThis vulnerability was exploited by Chinese state-sponsored\
    \ threat actors as part of a broader campaign named \"Pacific Rim.\" This campaign\
    \ involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon,\
    \ targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes\
    \ the form of a shared object (\"libsophos.so\"), has been found to be delivered\
    \ following the exploitation of this vulnerability. The use of the rootkit was\
    \ observed between March and April 2022 on a government device and a technology\
    \ partner, and again in May 2022 on a machine in a military hospital based in\
    \ Asia.\n\nThis vulnerability was also exploited by at least two advanced persistent\
    \ threat (APT) groups in a highly targeted attack campaign. The attackers used\
    \ the vulnerability to place malicious files into a fixed filesystem location\
    \ on affected devices, leveraging a combination of authentication bypass and command\
    \ injection to execute arbitrary commands as root.\n\nThe attack involved deploying\
    \ various malware families, including GoMet and Gh0st RAT, to maintain persistent\
    \ access and exfiltrate sensitive data. The attackers demonstrated significant\
    \ knowledge of the device firmware, using custom ELF binaries and runtime packers\
    \ like VMProtect to complicate analysis. They manipulated internal commands to\
    \ move and manipulate files, execute processes, and exfiltrate data. The campaign\
    \ targeted network security devices, employing a two-stage attack to drop remote\
    \ access tools and execute commands remotely."
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2024/11/fbi-seeks-public-help-to-identify.html
  - https://therecord.media/chinese-apt-groups-targeting-india-pakistan-and-more-with-sophos-firewall-vulnerability
  - https://securityaffairs.com/132377/apt/chinese-driftingcloud-apt-exploited-sophos-firewall-zero-day-before-it-was-fixed.html
- attack_object_id: T1041
  attack_object_name: Exfiltration Over C2 Channel
  capability_description: Roundcube Webmail Persistent Cross-Site Scripting (XSS)
    Vulnerability
  capability_group: xss
  capability_id: CVE-2023-5631
  comments: "This vulnerability is exploited by an adversary via a malicious e-mail\
    \ containing a crafted SVG document. When a user views the e-mail, the remote\
    \ attacker can load arbitrary JavaScript code on the victim's machine.\n\nIn a\
    \ recent campaign, the Winter Vivern group exploited this vulnerability. The attack\
    \ chains typically start with a phishing mail containing a Base64-encoded\
    \ payload embedded in the HTML source code. The payload is decoded and injects\
    \ a remote JavaScript file, checkupdate.js, into the current user session.\n\nThe checkupdate.js\
    \ script serves as a loader, enabling the execution of a final JavaScript payload\
    \ which is designed to exfiltrate email messages. The attackers weaponized this\
    \ XSS flaw to carry out their malicious activities, ultimately allowing them to\
    \ exfiltrate email messages from their victims' accounts to a C2 server. The attack\
    \ chain requires minimal user interaction: the attack is executed simply by viewing\
    \ the malicious email in a web browser."
  mapping_type: secondary_impact
  references:
  - https://www.hivepro.com/wp-content/uploads/2023/10/Winter-Vivern-Capitalizes-on-Zero-Day-Flaw-in-Roundcube_TA2023436.pdf
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Roundcube Webmail Persistent Cross-Site Scripting (XSS)
    Vulnerability
  capability_group: xss
  capability_id: CVE-2023-5631
  comments: "This vulnerability is exploited by an adversary via a malicious e-mail\
    \ containing a crafted SVG document. When a user views the e-mail, the remote\
    \ attacker can load arbitrary JavaScript code on the victim's machine.\n\nIn a\
    \ recent campaign, the Winter Vivern group exploited this vulnerability. The attack\
    \ chains typically start with a phishing mail containing a Base64-encoded\
    \ payload embedded in the HTML source code. The payload is decoded and injects\
    \ a remote JavaScript file, checkupdate.js, into the current user session.\n\nThe checkupdate.js\
    \ script serves as a loader, enabling the execution of a final JavaScript payload\
    \ which is designed to exfiltrate email messages. The attackers weaponized this\
    \ XSS flaw to carry out their malicious activities, ultimately allowing them to\
    \ exfiltrate email messages from their victims' accounts to a C2 server. The attack\
    \ chain requires minimal user interaction: the attack is executed simply by viewing\
    \ the malicious email in a web browser."
  mapping_type: primary_impact
  references:
  - https://www.hivepro.com/wp-content/uploads/2023/10/Winter-Vivern-Capitalizes-on-Zero-Day-Flaw-in-Roundcube_TA2023436.pdf
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Roundcube Webmail Persistent Cross-Site Scripting (XSS)
    Vulnerability
  capability_group: xss
  capability_id: CVE-2023-5631
  comments: "This vulnerability is exploited by an adversary via a malicious e-mail\
    \ containing a crafted SVG document. When a user views the e-mail, the remote\
    \ attacker can load arbitrary JavaScript code on the victim's machine.\n\nIn a\
    \ recent campaign, the Winter Vivern group exploited this vulnerability. The attack\
    \ chains typically start with a phishing mail containing a Base64-encoded\
    \ payload embedded in the HTML source code. The payload is decoded and injects\
    \ a remote JavaScript file, checkupdate.js, into the current user session.\n\nThe checkupdate.js\
    \ script serves as a loader, enabling the execution of a final JavaScript payload\
    \ which is designed to exfiltrate email messages. The attackers weaponized this\
    \ XSS flaw to carry out their malicious activities, ultimately allowing them to\
    \ exfiltrate email messages from their victims' accounts to a C2 server. The attack\
    \ chain requires minimal user interaction: the attack is executed simply by viewing\
    \ the malicious email in a web browser."
  mapping_type: exploitation_technique
  references:
  - https://www.hivepro.com/wp-content/uploads/2023/10/Winter-Vivern-Capitalizes-on-Zero-Day-Flaw-in-Roundcube_TA2023436.pdf
- attack_object_id: T1082
  attack_object_name: System Information Discovery
  capability_description: Roundcube Webmail Persistent Cross-Site Scripting (XSS)
    Vulnerability
  capability_group: xss
  capability_id: CVE-2023-43770
  comments: "This vulnerability is exploited by an adversary via malicious links embedded\
    \ in trustworthy websites to infiltrate victim systems. Successful exploitation\
    \ grants the adversary the ability to execute arbitrary code on the impacted system.\
    \ \n\nThe Russia-aligned hacking group TAG-70 has been attributed to exploiting\
    \ this vulnerability. TAG-70 has used this vulnerability in an espionage campaign\
    \ targeting European government and military agencies, as well as Iranian embassies\
    \ in Russia, aiming to gather intelligence on European political and military\
    \ activities. The campaign, active from early to mid-October 2023, is part of\
    \ a broader pattern of Russian state-aligned cyber-espionage targeting email services."
  mapping_type: secondary_impact
  references:
  - https://therecord.media/russia-aligned-hackers-target-european-and-iranian-embassies-cyber-espionage
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Roundcube Webmail Persistent Cross-Site Scripting (XSS)
    Vulnerability
  capability_group: xss
  capability_id: CVE-2023-43770
  comments: "This vulnerability is exploited by an adversary via malicious links embedded\
    \ in trustworthy websites to infiltrate victim systems. Successful exploitation\
    \ grants the adversary the ability to execute arbitrary code on the impacted system.\
    \ \n\nThe Russia-aligned hacking group TAG-70 has been attributed to exploiting\
    \ this vulnerability. TAG-70 has used this vulnerability in an espionage campaign\
    \ targeting European government and military agencies, as well as Iranian embassies\
    \ in Russia, aiming to gather intelligence on European political and military\
    \ activities. The campaign, active from early to mid-October 2023, is part of\
    \ a broader pattern of Russian state-aligned cyber-espionage targeting email services."
  mapping_type: primary_impact
  references:
  - https://therecord.media/russia-aligned-hackers-target-european-and-iranian-embassies-cyber-espionage
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Roundcube Webmail Persistent Cross-Site Scripting (XSS)
    Vulnerability
  capability_group: xss
  capability_id: CVE-2023-43770
  comments: "This vulnerability is exploited by an adversary via malicious links embedded\
    \ in trustworthy websites to infiltrate victim systems. Successful exploitation\
    \ grants the adversary the ability to execute arbitrary code on the impacted system.\
    \ \n\nThe Russia-aligned hacking group TAG-70 has been attributed to exploiting\
    \ this vulnerability. TAG-70 has used this vulnerability in an espionage campaign\
    \ targeting European government and military agencies, as well as Iranian embassies\
    \ in Russia, aiming to gather intelligence on European political and military\
    \ activities. The campaign, active from early to mid-October 2023, is part of\
    \ a broader pattern of Russian state-aligned cyber-espionage targeting email services."
  mapping_type: exploitation_technique
  references:
  - https://hivepro.com/wp-content/uploads/2024/02/Roundcube-Webmail-Faces-Unrelenting-Exploitation_TA2024073.pdf?utm_sr=google&utm_cmd=organic&utm_ccn=(not%20set)&utm_ctr=(not%20provided)
  - https://therecord.media/russia-aligned-hackers-target-european-and-iranian-embassies-cyber-espionage
- attack_object_id: T1185
  attack_object_name: Browser Session Hijacking
  capability_description: Zimbra Webmail Cross-Site Scripting Vulnerability
  capability_group: xss
  capability_id: CVE-2022-24682
  comments: 'This vulnerability is exploited by an attacker via spear-phishing emails
    containing malicious links to inject arbitrary HTML and JavaScript into the document
    by placing executable JavaScript inside element attributes. This results in unescaped
    markup, enabling the attacker to execute JavaScript in the context of a user''s
    Zimbra session, leading to potential data theft and other malicious activities.


    This vulnerability was identified by Volexity in December 2021 during a series
    of targeted spear-phishing campaigns conducted by a threat actor tracked as TEMP_Heretic.
    The campaigns aimed to exploit this zero-day vulnerability, allowing attackers
    to execute arbitrary JavaScript in the context of a user''s Zimbra session.


    The attack involved two phases: an initial reconnaissance phase using emails with
    embedded remote images to track if targets opened the messages, and a second phase
    with spear-phishing emails containing malicious links. If a target clicked on
    these links while logged into the Zimbra webmail client, the attacker could exploit
    the vulnerability to steal email data and attachments.'
  mapping_type: secondary_impact
  references:
  - https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: Zimbra Webmail Cross-Site Scripting Vulnerability
  capability_group: xss
  capability_id: CVE-2022-24682
  comments: 'This vulnerability is exploited by an attacker via spear-phishing emails
    containing malicious links to inject arbitrary HTML and JavaScript into the document
    by placing executable JavaScript inside element attributes. This results in unescaped
    markup, enabling the attacker to execute JavaScript in the context of a user''s
    Zimbra session, leading to potential data theft and other malicious activities.


    This vulnerability was identified by Volexity in December 2021 during a series
    of targeted spear-phishing campaigns conducted by a threat actor tracked as TEMP_Heretic.
    The campaigns aimed to exploit this zero-day vulnerability, allowing attackers
    to execute arbitrary JavaScript in the context of a user''s Zimbra session.


    The attack involved two phases: an initial reconnaissance phase using emails with
    embedded remote images to track if targets opened the messages, and a second phase
    with spear-phishing emails containing malicious links. If a target clicked on
    these links while logged into the Zimbra webmail client, the attacker could exploit
    the vulnerability to steal email data and attachments.'
  mapping_type: primary_impact
  references:
  - https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Zimbra Webmail Cross-Site Scripting Vulnerability
  capability_group: xss
  capability_id: CVE-2022-24682
  comments: 'This vulnerability is exploited by an attacker via spear-phishing emails
    containing malicious links to inject arbitrary HTML and JavaScript into the document
    by placing executable JavaScript inside element attributes. This results in unescaped
    markup, enabling the attacker to execute JavaScript in the context of a user''s
    Zimbra session, leading to potential data theft and other malicious activities.


    This vulnerability was identified by Volexity in December 2021 during a series
    of targeted spear-phishing campaigns conducted by a threat actor tracked as TEMP_Heretic.
    The campaigns aimed to exploit this zero-day vulnerability, allowing attackers
    to execute arbitrary JavaScript in the context of a user''s Zimbra session.


    The attack involved two phases: an initial reconnaissance phase using emails with
    embedded remote images to track if targets opened the messages, and a second phase
    with spear-phishing emails containing malicious links. If a target clicked on
    these links while logged into the Zimbra webmail client, the attacker could exploit
    the vulnerability to steal email data and attachments.'
  mapping_type: exploitation_technique
  references:
  - https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS)
    Vulnerability
  capability_group: xss
  capability_id: CVE-2022-39197
  comments: 'This vulnerability is exploited by a remote attacker to execute HTML
    on the Cobalt Strike team server. To exploit this vulnerability, an attacker would
    inspect a Cobalt Strike payload and modify the username field within the payload
    to be malformed. This manipulation enables the attacker to execute arbitrary code
    by setting a malformed username in the Beacon configuration.


    In a documented cybersecurity incident, a Chinese threat actor leveraged a modified
    version of Cobalt Strike, known as "Cobalt Strike Cat," which included a patch
    for CVE-2022-39197. This version was used to establish communication channels
    with victim systems, perform evasive post-exploitation activities, and maintain
    persistence. '
  mapping_type: primary_impact
  references:
  - https://www.infosecurity-magazine.com/news/rce-vulnerability-in-cobalt-strike/
  - https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure
  - https://cybersecuritynews.com/c2-frameworks-rce-vulnerabilities/
  - https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS)
    Vulnerability
  capability_group: xss
  capability_id: CVE-2022-39197
  comments: 'This vulnerability is exploited by a remote attacker to execute HTML
    on the Cobalt Strike team server. To exploit this vulnerability, an attacker would
    inspect a Cobalt Strike payload and modify the username field within the payload
    to be malformed. This manipulation enables the attacker to execute arbitrary code
    by setting a malformed username in the Beacon configuration.


    In a documented cybersecurity incident, a Chinese threat actor leveraged a modified
    version of Cobalt Strike, known as "Cobalt Strike Cat," which included a patch
    for CVE-2022-39197. This version was used to establish communication channels
    with victim systems, perform evasive post-exploitation activities, and maintain
    persistence. '
  mapping_type: exploitation_technique
  references:
  - https://www.infosecurity-magazine.com/news/rce-vulnerability-in-cobalt-strike/
  - https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure
  - https://cybersecuritynews.com/c2-frameworks-rce-vulnerabilities/
  - https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Trend Micro Apex One and Worry-Free Business Security Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-41179
  comments: 'This vulnerability is exploited by a remote attacker who has obtained
    administrative console access on the target system. Successful exploitation of
    the flaw could allow an attacker to manipulate the component to execute arbitrary
    commands on an affected installation. This vulnerability has been exploited in
    the wild. '
  mapping_type: primary_impact
  references:
  - https://www.jpcert.or.jp/english/at/2023/at230021.html
  - https://socradar.io/mastodon-vulnerabilities-and-critical-zero-day-in-trendmicros-apex-one-fixed-cve-2023-41179-cve-2023-42451-cve-2023-42452/
  - https://thehackernews.com/2023/09/trend-micro-releases-urgent-fix-for.html
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Trend Micro Apex One and Worry-Free Business Security Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-41179
  comments: 'This vulnerability is exploited by a remote attacker who has obtained
    administrative console access on the target system. Successful exploitation of
    the flaw could allow an attacker to manipulate the component to execute arbitrary
    commands on an affected installation. This vulnerability has been exploited in
    the wild. '
  mapping_type: exploitation_technique
  references:
  - https://www.jpcert.or.jp/english/at/2023/at230021.html
  - https://socradar.io/mastodon-vulnerabilities-and-critical-zero-day-in-trendmicros-apex-one-fixed-cve-2023-41179-cve-2023-42451-cve-2023-42452/
  - https://thehackernews.com/2023/09/trend-micro-releases-urgent-fix-for.html
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Spreadsheet::ParseExcel Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-7101
  comments: "This vulnerability is exploited by a remote attacker by passing unvalidated\
    \ input from a file into a string-type \"eval\". Specifically, the issue stems\
    \ from the evaluation of Number format strings (not to be confused with printf-style\
    \ format strings) within the Excel parsing logic. After successful exploitation,\
    \ the attacker gains the ability to perform remote code execution. Chinese threat\
    \ actors exploited this vulnerability in Spreadsheet::ParseExcel\
    \ to compromise appliances. In collaboration with cybersecurity firm Mandiant,\
    \ Barracuda assesses that the threat actor behind the attacks is UNC4841, who\
    \ leveraged the flaw to deploy \u2018SeaSpy\u2019 and \u2018Saltwater\u2019 malware."
  mapping_type: secondary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/barracuda-fixes-new-esg-zero-day-exploited-by-chinese-hackers/
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-bugs-in-chrome-and-excel-parsing-library/
  - https://socradar.io/latest-zero-day-vulnerabilities-unc4841-targets-barracuda-esg-with-cve-2023-7102-apache-ofbiz-authentication-bypass-cve-2023-51467/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Spreadsheet::ParseExcel Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-7101
  comments: "This vulnerability is exploited by a remote attacker by passing unvalidated\
    \ input from a file into a string-type \"eval\". Specifically, the issue stems\
    \ from the evaluation of Number format strings (not to be confused with printf-style\
    \ format strings) within the Excel parsing logic. After successful exploitation,\
    \ the attacker gains the ability to perform remote code execution. This vulnerability\
    \ has been exploited by Chinese hackers, who used the flaw in Spreadsheet::ParseExcel\
    \ to compromise appliances. In collaboration with cybersecurity firm Mandiant,\
    \ Barracuda assesses that the threat actor behind the attacks is UNC4841, who\
    \ leveraged the flaw to deploy \u2018SeaSpy\u2019 and \u2018Saltwater\u2019 malware."
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/barracuda-fixes-new-esg-zero-day-exploited-by-chinese-hackers/
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-bugs-in-chrome-and-excel-parsing-library/
  - https://socradar.io/latest-zero-day-vulnerabilities-unc4841-targets-barracuda-esg-with-cve-2023-7102-apache-ofbiz-authentication-bypass-cve-2023-51467/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Spreadsheet::ParseExcel Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-7101
  comments: "This vulnerability is exploited by a remote attacker by passing unvalidated\
    \ input from a file into a string-type \"eval\". Specifically, the issue stems\
    \ from the evaluation of Number format strings (not to be confused with printf-style\
    \ format strings) within the Excel parsing logic. After successful exploitation,\
    \ the attacker gains the ability to perform remote code execution. This vulnerability\
    \ has been exploited by Chinese hackers, who used the flaw in Spreadsheet::ParseExcel\
    \ to compromise appliances. In collaboration with cybersecurity firm Mandiant,\
    \ Barracuda assesses that the threat actor behind the attacks is UNC4841, who\
    \ leveraged the flaw to deploy \u2018SeaSpy\u2019 and \u2018Saltwater\u2019 malware."
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/barracuda-fixes-new-esg-zero-day-exploited-by-chinese-hackers/
  - https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-bugs-in-chrome-and-excel-parsing-library/
  - https://socradar.io/latest-zero-day-vulnerabilities-unc4841-targets-barracuda-esg-with-cve-2023-7102-apache-ofbiz-authentication-bypass-cve-2023-51467/
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Multiple SugarCRM Products Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-22952
  comments: "This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated\
    \ attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates\
    \ module because of missing input validation.\n\nThis vulnerability has been exploited\
    \ by threat actors to gain initial access to AWS accounts by injecting custom\
    \ PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations\
    \ to expand their access, obtaining long-term AWS access keys from compromised\
    \ EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services\
    \ such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations\
    \ and Cost and Usage services. The attackers moved laterally by creating RDS snapshots\
    \ and new EC2 instances, modifying security groups, and attempting to escalate\
    \ privileges by logging in as the Root user. They also employed defense evasion\
    \ techniques, including deploying resources in non-standard regions and intermittently\
    \ stopping EC2 instances to avoid detection and minimize costs.\n\nThe exploit\
    \ in question is actively being used to compromise hosts by installing a PHP-based\
    \ web shell. It involves an authentication bypass against the \"/index.php\" endpoint\
    \ of the targeted service. Once bypassed, the attacker obtains a cookie and sends\
    \ a secondary POST request to \"/cache/images/sweet.phar\" to upload a small PNG-encoded\
    \ file containing PHP code. This file acts as a web shell, allowing the execution\
    \ of commands specified in the base64-encoded query argument \"c\". For example,\
    \ a request like 'POST /cache/images/sweet.phar?c=\"L2Jpbi9pZA==\"' would execute\
    \ the command \"/bin/id\" with the same permissions as the web service's user."
  mapping_type: secondary_impact
  references:
  - https://censys.com/tracking-a-sugarcrm-zero-day/
  - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  - https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- attack_object_id: T1021.001
  attack_object_name: Remote Desktop Protocol
  capability_description: Multiple SugarCRM Products Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-22952
  comments: "This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated\
    \ attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates\
    \ module because of missing input validation.\n\nThis vulnerability has been exploited\
    \ by threat actors to gain initial access to AWS accounts by injecting custom\
    \ PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations\
    \ to expand their access, obtaining long-term AWS access keys from compromised\
    \ EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services\
    \ such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations\
    \ and Cost and Usage services. The attackers moved laterally by creating RDS snapshots\
    \ and new EC2 instances, modifying security groups, and attempting to escalate\
    \ privileges by logging in as the Root user. They also employed defense evasion\
    \ techniques, including deploying resources in non-standard regions and intermittently\
    \ stopping EC2 instances to avoid detection and minimize costs.\n\nThe exploit\
    \ in question is actively being used to compromise hosts by installing a PHP-based\
    \ web shell. It involves an authentication bypass against the \"/index.php\" endpoint\
    \ of the targeted service. Once bypassed, the attacker obtains a cookie and sends\
    \ a secondary POST request to \"/cache/images/sweet.phar\" to upload a small PNG-encoded\
    \ file containing PHP code. This file acts as a web shell, allowing the execution\
    \ of commands specified in the base64-encoded query argument \"c\". For example,\
    \ a request like 'POST /cache/images/sweet.phar?c=\"L2Jpbi9pZA==\"' would execute\
    \ the command \"/bin/id\" with the same permissions as the web service's user."
  mapping_type: secondary_impact
  references:
  - https://censys.com/tracking-a-sugarcrm-zero-day/
  - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  - https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- attack_object_id: T1482
  attack_object_name: Domain Trust Discovery
  capability_description: Multiple SugarCRM Products Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-22952
  comments: "This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated\
    \ attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates\
    \ module because of missing input validation.\n\nThis vulnerability has been exploited\
    \ by threat actors to gain initial access to AWS accounts by injecting custom\
    \ PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations\
    \ to expand their access, obtaining long-term AWS access keys from compromised\
    \ EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services\
    \ such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations\
    \ and Cost and Usage services. The attackers moved laterally by creating RDS snapshots\
    \ and new EC2 instances, modifying security groups, and attempting to escalate\
    \ privileges by logging in as the Root user. They also employed defense evasion\
    \ techniques, including deploying resources in non-standard regions and intermittently\
    \ stopping EC2 instances to avoid detection and minimize costs.\n\nThe exploit\
    \ in question is actively being used to compromise hosts by installing a PHP-based\
    \ web shell. It involves an authentication bypass against the \"/index.php\" endpoint\
    \ of the targeted service. Once bypassed, the attacker obtains a cookie and sends\
    \ a secondary POST request to \"/cache/images/sweet.phar\" to upload a small PNG-encoded\
    \ file containing PHP code. This file acts as a web shell, allowing the execution\
    \ of commands specified in the base64-encoded query argument \"c\". For example,\
    \ a request like 'POST /cache/images/sweet.phar?c=\"L2Jpbi9pZA==\"' would execute\
    \ the command \"/bin/id\" with the same permissions as the web service's user."
  mapping_type: secondary_impact
  references:
  - https://censys.com/tracking-a-sugarcrm-zero-day/
  - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  - https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- attack_object_id: T1083
  attack_object_name: File and Directory Discovery
  capability_description: Multiple SugarCRM Products Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-22952
  comments: "This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated\
    \ attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates\
    \ module because of missing input validation.\n\nThis vulnerability has been exploited\
    \ by threat actors to gain initial access to AWS accounts by injecting custom\
    \ PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations\
    \ to expand their access, obtaining long-term AWS access keys from compromised\
    \ EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services\
    \ such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations\
    \ and Cost and Usage services. The attackers moved laterally by creating RDS snapshots\
    \ and new EC2 instances, modifying security groups, and attempting to escalate\
    \ privileges by logging in as the Root user. They also employed defense evasion\
    \ techniques, including deploying resources in non-standard regions and intermittently\
    \ stopping EC2 instances to avoid detection and minimize costs.\n\nThe exploit\
    \ in question is actively being used to compromise hosts by installing a PHP-based\
    \ web shell. It involves an authentication bypass against the \"/index.php\" endpoint\
    \ of the targeted service. Once bypassed, the attacker obtains a cookie and sends\
    \ a secondary POST request to \"/cache/images/sweet.phar\" to upload a small PNG-encoded\
    \ file containing PHP code. This file acts as a web shell, allowing the execution\
    \ of commands specified in the base64-encoded query argument \"c\". For example,\
    \ a request like 'POST /cache/images/sweet.phar?c=\"L2Jpbi9pZA==\"' would execute\
    \ the command \"/bin/id\" with the same permissions as the web service's user."
  mapping_type: secondary_impact
  references:
  - https://censys.com/tracking-a-sugarcrm-zero-day/
  - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  - https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- attack_object_id: T1562.001
  attack_object_name: Disable or Modify Tools
  capability_description: Multiple SugarCRM Products Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-22952
  comments: "This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated\
    \ attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates\
    \ module because of missing input validation.\n\nThis vulnerability has been exploited\
    \ by threat actors to gain initial access to AWS accounts by injecting custom\
    \ PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations\
    \ to expand their access, obtaining long-term AWS access keys from compromised\
    \ EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services\
    \ such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations\
    \ and Cost and Usage services. The attackers moved laterally by creating RDS snapshots\
    \ and new EC2 instances, modifying security groups, and attempting to escalate\
    \ privileges by logging in as the Root user. They also employed defense evasion\
    \ techniques, including deploying resources in non-standard regions and intermittently\
    \ stopping EC2 instances to avoid detection and minimize costs.\n\nThe exploit\
    \ in question is actively being used to compromise hosts by installing a PHP-based\
    \ web shell. It involves an authentication bypass against the \"/index.php\" endpoint\
    \ of the targeted service. Once bypassed, the attacker obtains a cookie and sends\
    \ a secondary POST request to \"/cache/images/sweet.phar\" to upload a small PNG-encoded\
    \ file containing PHP code. This file acts as a web shell, allowing the execution\
    \ of commands specified in the base64-encoded query argument \"c\". For example,\
    \ a request like 'POST /cache/images/sweet.phar?c=\"L2Jpbi9pZA==\"' would execute\
    \ the command \"/bin/id\" with the same permissions as the web service's user."
  mapping_type: secondary_impact
  references:
  - https://censys.com/tracking-a-sugarcrm-zero-day/
  - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  - https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- attack_object_id: T1070.004
  attack_object_name: File Deletion
  capability_description: Multiple SugarCRM Products Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-22952
  comments: "This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated\
    \ attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates\
    \ module because of missing input validation.\n\nThis vulnerability has been exploited\
    \ by threat actors to gain initial access to AWS accounts by injecting custom\
    \ PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations\
    \ to expand their access, obtaining long-term AWS access keys from compromised\
    \ EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services\
    \ such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations\
    \ and Cost and Usage services. The attackers moved laterally by creating RDS snapshots\
    \ and new EC2 instances, modifying security groups, and attempting to escalate\
    \ privileges by logging in as the Root user. They also employed defense evasion\
    \ techniques, including deploying resources in non-standard regions and intermittently\
    \ stopping EC2 instances to avoid detection and minimize costs.\n\nThe exploit\
    \ in question is actively being used to compromise hosts by installing a PHP-based\
    \ web shell. It involves an authentication bypass against the \"/index.php\" endpoint\
    \ of the targeted service. Once bypassed, the attacker obtains a cookie and sends\
    \ a secondary POST request to \"/cache/images/sweet.phar\" to upload a small PNG-encoded\
    \ file containing PHP code. This file acts as a web shell, allowing the execution\
    \ of commands specified in the base64-encoded query argument \"c\". For example,\
    \ a request like 'POST /cache/images/sweet.phar?c=\"L2Jpbi9pZA==\"' would execute\
    \ the command \"/bin/id\" with the same permissions as the web service's user."
  mapping_type: secondary_impact
  references:
  - https://censys.com/tracking-a-sugarcrm-zero-day/
  - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  - https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Multiple SugarCRM Products Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-22952
  comments: "This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated\
    \ attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates\
    \ module because of missing input validation.\n\nThis vulnerability has been exploited\
    \ by threat actors to gain initial access to AWS accounts by injecting custom\
    \ PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations\
    \ to expand their access, obtaining long-term AWS access keys from compromised\
    \ EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services\
    \ such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations\
    \ and Cost and Usage services. The attackers moved laterally by creating RDS snapshots\
    \ and new EC2 instances, modifying security groups, and attempting to escalate\
    \ privileges by logging in as the Root user. They also employed defense evasion\
    \ techniques, including deploying resources in non-standard regions and intermittently\
    \ stopping EC2 instances to avoid detection and minimize costs.\n\nThe exploit\
    \ in question is actively being used to compromise hosts by installing a PHP-based\
    \ web shell. It involves an authentication bypass against the \"/index.php\" endpoint\
    \ of the targeted service. Once bypassed, the attacker obtains a cookie and sends\
    \ a secondary POST request to \"/cache/images/sweet.phar\" to upload a small PNG-encoded\
    \ file containing PHP code. This file acts as a web shell, allowing the execution\
    \ of commands specified in the base64-encoded query argument \"c\". For example,\
    \ a request like 'POST /cache/images/sweet.phar?c=\"L2Jpbi9pZA==\"' would execute\
    \ the command \"/bin/id\" with the same permissions as the web service's user."
  mapping_type: secondary_impact
  references:
  - https://censys.com/tracking-a-sugarcrm-zero-day/
  - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  - https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Multiple SugarCRM Products Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-22952
  comments: "This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated\
    \ attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates\
    \ module because of missing input validation.\n\nThis vulnerability has been exploited\
    \ by threat actors to gain initial access to AWS accounts by injecting custom\
    \ PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations\
    \ to expand their access, obtaining long-term AWS access keys from compromised\
    \ EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services\
    \ such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations\
    \ and Cost and Usage services. The attackers moved laterally by creating RDS snapshots\
    \ and new EC2 instances, modifying security groups, and attempting to escalate\
    \ privileges by logging in as the Root user. They also employed defense evasion\
    \ techniques, including deploying resources in non-standard regions and intermittently\
    \ stopping EC2 instances to avoid detection and minimize costs.\n\nThe exploit\
    \ in question is actively being used to compromise hosts by installing a PHP-based\
    \ web shell. It involves an authentication bypass against the \"/index.php\" endpoint\
    \ of the targeted service. Once bypassed, the attacker obtains a cookie and sends\
    \ a secondary POST request to \"/cache/images/sweet.phar\" to upload a small PNG-encoded\
    \ file containing PHP code. This file acts as a web shell, allowing the execution\
    \ of commands specified in the base64-encoded query argument \"c\". For example,\
    \ a request like 'POST /cache/images/sweet.phar?c=\"L2Jpbi9pZA==\"' would execute\
    \ the command \"/bin/id\" with the same permissions as the web service's user."
  mapping_type: secondary_impact
  references:
  - https://censys.com/tracking-a-sugarcrm-zero-day/
  - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  - https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Multiple SugarCRM Products Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-22952
  comments: "This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated\
    \ attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates\
    \ module because of missing input validation.\n\nThis vulnerability has been exploited\
    \ by threat actors to gain initial access to AWS accounts by injecting custom\
    \ PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations\
    \ to expand their access, obtaining long-term AWS access keys from compromised\
    \ EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services\
    \ such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations\
    \ and Cost and Usage services. The attackers moved laterally by creating RDS snapshots\
    \ and new EC2 instances, modifying security groups, and attempting to escalate\
    \ privileges by logging in as the Root user. They also employed defense evasion\
    \ techniques, including deploying resources in non-standard regions and intermittently\
    \ stopping EC2 instances to avoid detection and minimize costs.\n\nThe exploit\
    \ in question is actively being used to compromise hosts by installing a PHP-based\
    \ web shell. It involves an authentication bypass against the \"/index.php\" endpoint\
    \ of the targeted service. Once bypassed, the attacker obtains a cookie and sends\
    \ a secondary POST request to \"/cache/images/sweet.phar\" to upload a small PNG-encoded\
    \ file containing PHP code. This file acts as a web shell, allowing the execution\
    \ of commands specified in the base64-encoded query argument \"c\". For example,\
    \ a request like 'POST /cache/images/sweet.phar?c=\"L2Jpbi9pZA==\"' would execute\
    \ the command \"/bin/id\" with the same permissions as the web service's user."
  mapping_type: primary_impact
  references:
  - https://censys.com/tracking-a-sugarcrm-zero-day/
  - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  - https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Multiple SugarCRM Products Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-22952
  comments: "This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated\
    \ attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates\
    \ module because of missing input validation.\n\nThis vulnerability has been exploited\
    \ by threat actors to gain initial access to AWS accounts by injecting custom\
    \ PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations\
    \ to expand their access, obtaining long-term AWS access keys from compromised\
    \ EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services\
    \ such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations\
    \ and Cost and Usage services. The attackers moved laterally by creating RDS snapshots\
    \ and new EC2 instances, modifying security groups, and attempting to escalate\
    \ privileges by logging in as the Root user. They also employed defense evasion\
    \ techniques, including deploying resources in non-standard regions and intermittently\
    \ stopping EC2 instances to avoid detection and minimize costs.\n\nThe exploit\
    \ in question is actively being used to compromise hosts by installing a PHP-based\
    \ web shell. It involves an authentication bypass against the \"/index.php\" endpoint\
    \ of the targeted service. Once bypassed, the attacker obtains a cookie and sends\
    \ a secondary POST request to \"/cache/images/sweet.phar\" to upload a small PNG-encoded\
    \ file containing PHP code. This file acts as a web shell, allowing the execution\
    \ of commands specified in the base64-encoded query argument \"c\". For example,\
    \ a request like 'POST /cache/images/sweet.phar?c=\"L2Jpbi9pZA==\"' would execute\
    \ the command \"/bin/id\" with the same permissions as the web service's user."
  mapping_type: exploitation_technique
  references:
  - https://censys.com/tracking-a-sugarcrm-zero-day/
  - https://attackerkb.com/topics/E486ui94II/cve-2023-22952
  - https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Teclib GLPI Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-35914
  comments: 'This vulnerability is exploited by a remote, unauthenticated attacker
    via /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI
    through 10.0.2, which allows PHP code injection.


    In-the-wild exploitation details have not been publicly released for this vulnerability.'
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2023/03/cisas-kev-catalog-updated-with-3-new.html
  - https://vulncheck.com/blog/glpi-exploitation
  - https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33928
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Teclib GLPI Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-35914
  comments: 'This vulnerability is exploited by a remote, unauthenticated attacker
    via /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI
    through 10.0.2, which allows PHP code injection.


    In-the-wild exploitation details have not been publicly released for this vulnerability.'
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2023/03/cisas-kev-catalog-updated-with-3-new.html
  - https://vulncheck.com/blog/glpi-exploitation
  - https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33928
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Spring Framework JDK 9+ Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-22965
  comments: This remote code execution (RCE) vulnerability affects Spring MVC or Spring
    WebFlux applications running on JDK 9+ when deployed on Tomcat as a WAR file.
    This vulnerability can be exploited by a remote attacker via data binding, allowing
    malicious actors to execute arbitrary code. Specifically, it has been used to
    deploy and execute the Mirai botnet malware. The exploit involves downloading
    a Mirai sample to the "/tmp" directory and changing its permissions to make it
    executable using "chmod." The malware is then executed, enabling further malicious
    activities. The vulnerability does not affect applications deployed as Spring
    Boot executable jars. Observations of this exploit began in early April 2022,
    with malware variants available for different CPU architectures.
  mapping_type: primary_impact
  references:
  - https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Spring Framework JDK 9+ Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-22965
  comments: This remote code execution (RCE) vulnerability affects Spring MVC or Spring
    WebFlux applications running on JDK 9+ when deployed on Tomcat as a WAR file.
    This vulnerability can be exploited by a remote attacker via data binding, allowing
    malicious actors to execute arbitrary code. Specifically, it has been used to
    deploy and execute the Mirai botnet malware. The exploit involves downloading
    a Mirai sample to the "/tmp" directory and changing its permissions to make it
    executable using "chmod." The malware is then executed, enabling further malicious
    activities. The vulnerability does not affect applications deployed as Spring
    Boot executable jars. Observations of this exploit began in early April 2022,
    with malware variants available for different CPU architectures.
  mapping_type: exploitation_technique
  references:
  - https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Fortra Cobalt Strike User Interface Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-42948
  comments: This vulnerability is exploited by a remote, unauthenticated attacker.
    The vulnerability is caused by improper escaping of HTML tags in Swing components.
    This flaw allows the attacker to inject crafted HTML code, enabling them to execute
    code within the Cobalt Strike UI. Exploitation can occur through a graphical file
    explorer menu, allowing attackers to perform unauthorized operations on the administrative
    interface.
  mapping_type: primary_impact
  references:
  - https://thesecmaster.com/blog/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Fortra Cobalt Strike User Interface Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-42948
  comments: This vulnerability is exploited by a remote, unauthenticated attacker.
    The vulnerability is caused by improper escaping of HTML tags in Swing components.
    This flaw allows the attacker to inject crafted HTML code, enabling them to execute
    code within the Cobalt Strike UI. Exploitation can occur through a graphical file
    explorer menu, allowing attackers to perform unauthorized operations on the administrative
    interface.
  mapping_type: exploitation_technique
  references:
  - https://thesecmaster.com/blog/how-to-fix-cve-2022-42948-a-critical-rce-vulnerability-in-cobalt-strike
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: XStream Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-39144
  comments: 'The vulnerability allows a remote attacker to execute arbitrary code
    on the target system. It exists due to the deserialization of untrusted data in
    XStream versions up to 1.4.18. A remote attacker can exploit this by sending a
    specially crafted XStream marshalled payload to an endpoint in VMware NSX Manager,
    which uses the vulnerable xstream-1.4.18.jar package. Successful exploitation
    of this vulnerability may result in complete compromise of the vulnerable system,
    allowing execution of commands with root privileges.


    '
  mapping_type: primary_impact
  references:
  - https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: XStream Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-39144
  comments: 'The vulnerability allows a remote attacker to execute arbitrary code
    on the target system. It exists due to the deserialization of untrusted data in
    XStream versions up to 1.4.18. A remote attacker can exploit this by sending a
    specially crafted XStream marshalled payload to an endpoint in VMware NSX Manager,
    which uses the vulnerable xstream-1.4.18.jar package. Successful exploitation
    of this vulnerability may result in complete compromise of the vulnerable system,
    allowing execution of commands with root privileges.


    '
  mapping_type: exploitation_technique
  references:
  - https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html
- attack_object_id: T1499
  attack_object_name: Endpoint Denial of Service
  capability_description: Realtek Jungle SDK Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-35394
  comments: 'The vulnerability in Realtek Jungle chipsets is exploited by remote,
    unauthenticated attackers using UDP packets to a server on port 9034, enabling
    remote execution of arbitrary commands. The attack involves injecting a shell
    command that downloads and executes a shell script on the compromised device.
    This script downloads binaries for various CPU architectures, such as ARM, MIPS,
    and SuperH, primarily from the Mirai malware family, turning the device into a
    botnet node.


    The attack script connects to a malicious IP to download and execute malware,
    with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a
    new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and
    curl to download botnet clients for different processor architectures. RedGoBot
    can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP,
    VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally,
    injected commands can write binary payloads to files for execution or reboot the
    targeted server to cause denial of service.'
  mapping_type: secondary_impact
  references:
  - https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
  - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Realtek Jungle SDK Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-35394
  comments: 'The vulnerability in Realtek Jungle chipsets is exploited by remote,
    unauthenticated attackers using UDP packets to a server on port 9034, enabling
    remote execution of arbitrary commands. The attack involves injecting a shell
    command that downloads and executes a shell script on the compromised device.
    This script downloads binaries for various CPU architectures, such as ARM, MIPS,
    and SuperH, primarily from the Mirai malware family, turning the device into a
    botnet node.


    The attack script connects to a malicious IP to download and execute malware,
    with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a
    new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and
    curl to download botnet clients for different processor architectures. RedGoBot
    can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP,
    VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally,
    injected commands can write binary payloads to files for execution or reboot the
    targeted server to cause denial of service.'
  mapping_type: secondary_impact
  references:
  - https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
  - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
- attack_object_id: T1569.002
  attack_object_name: Service Execution
  capability_description: Realtek Jungle SDK Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-35394
  comments: 'The vulnerability in Realtek Jungle chipsets is exploited by remote,
    unauthenticated attackers using UDP packets to a server on port 9034, enabling
    remote execution of arbitrary commands. The attack involves injecting a shell
    command that downloads and executes a shell script on the compromised device.
    This script downloads binaries for various CPU architectures, such as ARM, MIPS,
    and SuperH, primarily from the Mirai malware family, turning the device into a
    botnet node.


    The attack script connects to a malicious IP to download and execute malware,
    with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a
    new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and
    curl to download botnet clients for different processor architectures. RedGoBot
    can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP,
    VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally,
    injected commands can write binary payloads to files for execution or reboot the
    targeted server to cause denial of service.'
  mapping_type: secondary_impact
  references:
  - https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
  - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Realtek Jungle SDK Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-35394
  comments: 'The vulnerability in Realtek Jungle chipsets is exploited by remote,
    unauthenticated attackers using UDP packets to a server on port 9034, enabling
    remote execution of arbitrary commands. The attack involves injecting a shell
    command that downloads and executes a shell script on the compromised device.
    This script downloads binaries for various CPU architectures, such as ARM, MIPS,
    and SuperH, primarily from the Mirai malware family, turning the device into a
    botnet node.


    The attack script connects to a malicious IP to download and execute malware,
    with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a
    new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and
    curl to download botnet clients for different processor architectures. RedGoBot
    can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP,
    VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally,
    injected commands can write binary payloads to files for execution or reboot the
    targeted server to cause denial of service.'
  mapping_type: secondary_impact
  references:
  - https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
  - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Realtek Jungle SDK Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-35394
  comments: 'The vulnerability in Realtek Jungle chipsets is exploited by remote,
    unauthenticated attackers using UDP packets to a server on port 9034, enabling
    remote execution of arbitrary commands. The attack involves injecting a shell
    command that downloads and executes a shell script on the compromised device.
    This script downloads binaries for various CPU architectures, such as ARM, MIPS,
    and SuperH, primarily from the Mirai malware family, turning the device into a
    botnet node.


    The attack script connects to a malicious IP to download and execute malware,
    with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a
    new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and
    curl to download botnet clients for different processor architectures. RedGoBot
    can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP,
    VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally,
    injected commands can write binary payloads to files for execution or reboot the
    targeted server to cause denial of service.'
  mapping_type: secondary_impact
  references:
  - https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
  - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Realtek Jungle SDK Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-35394
  comments: 'The vulnerability in Realtek Jungle chipsets is exploited by remote,
    unauthenticated attackers using UDP packets to a server on port 9034, enabling
    remote execution of arbitrary commands. The attack involves injecting a shell
    command that downloads and executes a shell script on the compromised device.
    This script downloads binaries for various CPU architectures, such as ARM, MIPS,
    and SuperH, primarily from the Mirai malware family, turning the device into a
    botnet node.


    The attack script connects to a malicious IP to download and execute malware,
    with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a
    new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and
    curl to download botnet clients for different processor architectures. RedGoBot
    can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP,
    VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally,
    injected commands can write binary payloads to files for execution or reboot the
    targeted server to cause denial of service.'
  mapping_type: primary_impact
  references:
  - https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
  - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Realtek Jungle SDK Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-35394
  comments: 'The vulnerability in Realtek Jungle chipsets is exploited by remote,
    unauthenticated attackers using UDP packets to a server on port 9034, enabling
    remote execution of arbitrary commands. The attack involves injecting a shell
    command that downloads and executes a shell script on the compromised device.
    This script downloads binaries for various CPU architectures, such as ARM, MIPS,
    and SuperH, primarily from the Mirai malware family, turning the device into a
    botnet node.


    The attack script connects to a malicious IP to download and execute malware,
    with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a
    new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and
    curl to download botnet clients for different processor architectures. RedGoBot
    can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP,
    VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally,
    injected commands can write binary payloads to files for execution or reboot the
    targeted server to cause denial of service.'
  mapping_type: exploitation_technique
  references:
  - https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
  - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: ExifTool Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22204
  comments: The vulnerability is exploited by a remote attacker to execute arbitrary
    code on the target system. The vulnerability exists due to improper input validation
    when parsing DjVu files in ExifTool. A remote attacker can pass a specially crafted
    file to the application and execute arbitrary code on the target system. Successful
    exploitation of this vulnerability may result in complete compromise of the vulnerable
    system.
  mapping_type: primary_impact
  references:
  - https://www.cybersecurity-help.cz/vdb/SB2021050302
  - https://feedly.com/cve/CVE-2021-22204
  - https://cwe.mitre.org/data/definitions/94.html
  - https://www.infosec4tc.com/cve-2021-22205-gitlab-unauthenticated-remote-code-execution-in-the-wild/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: ExifTool Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-22204
  comments: The vulnerability is exploited by a remote attacker to execute arbitrary
    code on the target system. The vulnerability exists due to improper input validation
    when parsing DjVu files in ExifTool. A remote attacker can pass a specially crafted
    file to the application and execute arbitrary code on the target system. Successful
    exploitation of this vulnerability may result in complete compromise of the vulnerable
    system.
  mapping_type: exploitation_technique
  references:
  - https://www.cybersecurity-help.cz/vdb/SB2021050302
  - https://feedly.com/cve/CVE-2021-22204
  - https://cwe.mitre.org/data/definitions/94.html
  - https://www.infosec4tc.com/cve-2021-22205-gitlab-unauthenticated-remote-code-execution-in-the-wild/
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Veeam Backup & Replication Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26500
  comments: 'This vulnerability is exploited by a remote, authenticated user who accesses
    internal API functions, allowing the attacker to upload and execute arbitrary
    code.


    This vulnerability has been exploited by threat actors associated with AvosLocker
    ransomware, as identified by Kroll analysts. These actors have developed new tactics
    targeting backup systems, specifically leveraging vulnerabilities in Veeam Backup
    and Replication software (CVE-2022-26500 and CVE-2022-26501) to potentially exfiltrate
    data while evading detection.'
  mapping_type: secondary_impact
  references:
  - https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Veeam Backup & Replication Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26500
  comments: 'This vulnerability is exploited by a remote, authenticated user who accesses
    internal API functions, allowing the attacker to upload and execute arbitrary
    code.


    This vulnerability has been exploited by threat actors associated with AvosLocker
    ransomware, as identified by Kroll analysts. These actors have developed new tactics
    targeting backup systems, specifically leveraging vulnerabilities in Veeam Backup
    and Replication software (CVE-2022-26500 and CVE-2022-26501) to potentially exfiltrate
    data while evading detection.'
  mapping_type: secondary_impact
  references:
  - https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Veeam Backup & Replication Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26500
  comments: 'This vulnerability is exploited by a remote, authenticated user who accesses
    internal API functions, allowing the attacker to upload and execute arbitrary
    code.


    This vulnerability has been exploited by threat actors associated with AvosLocker
    ransomware, as identified by Kroll analysts. These actors have developed new tactics
    targeting backup systems, specifically leveraging vulnerabilities in Veeam Backup
    and Replication software (CVE-2022-26500 and CVE-2022-26501) to potentially exfiltrate
    data while evading detection.'
  mapping_type: primary_impact
  references:
  - https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Veeam Backup & Replication Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26500
  comments: 'This vulnerability is exploited by a remote, authenticated user who accesses
    internal API functions, allowing the attacker to upload and execute arbitrary
    code.


    This vulnerability has been exploited by threat actors associated with AvosLocker
    ransomware, as identified by Kroll analysts. These actors have developed new tactics
    targeting backup systems, specifically leveraging vulnerabilities in Veeam Backup
    and Replication software (CVE-2022-26500 and CVE-2022-26501) to potentially exfiltrate
    data while evading detection.'
  mapping_type: exploitation_technique
  references:
  - https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Veeam Backup & Replication Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26500
  comments: 'This vulnerability is exploited by a remote, authenticated user who accesses
    internal API functions, allowing the attacker to upload and execute arbitrary
    code.


    This vulnerability has been exploited by threat actors associated with AvosLocker
    ransomware, as identified by Kroll analysts. These actors have developed new tactics
    targeting backup systems, specifically leveraging vulnerabilities in Veeam Backup
    and Replication software (CVE-2022-26500 and CVE-2022-26501) to potentially exfiltrate
    data while evading detection.'
  mapping_type: exploitation_technique
  references:
  - https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Veeam Backup & Replication Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26501
  comments: 'This vulnerability is exploited by a remote, unauthenticated attacker
    to access internal API functions and send malicious code to the Veeam Distribution
    Service via the default TCP port 9380.


    This vulnerability has been exploited by threat actors associated with the AvosLocker
    ransomware. Kroll analysts have observed these actors using this vulnerability,
    alongside CVE-2022-26500, to potentially exfiltrate data and download malicious
    tools while appearing as legitimate activity to evade detection.'
  mapping_type: secondary_impact
  references:
  - https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
  - https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
  - https://www.cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication
  - https://www.rapid7.com/db/vulnerabilities/veeam-backup-and-replication-cve-2022-26501/
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Veeam Backup & Replication Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26501
  comments: 'This vulnerability is exploited by a remote, unauthenticated attacker
    to access internal API functions and send malicious code to the Veeam Distribution
    Service via the default TCP port 9380.


    This vulnerability has been exploited by threat actors associated with the AvosLocker
    ransomware. Kroll analysts have observed these actors using this vulnerability,
    alongside CVE-2022-26500, to potentially exfiltrate data and download malicious
    tools while appearing as legitimate activity to evade detection.'
  mapping_type: secondary_impact
  references:
  - https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
  - https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
  - https://www.cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication
  - https://www.rapid7.com/db/vulnerabilities/veeam-backup-and-replication-cve-2022-26501/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Veeam Backup & Replication Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26501
  comments: 'This vulnerability is exploited by a remote, unauthenticated attacker
    to access internal API functions and send malicious code to the Veeam Distribution
    Service via the default TCP port 9380.


    This vulnerability has been exploited by threat actors associated with the AvosLocker
    ransomware. Kroll analysts have observed these actors using this vulnerability,
    alongside CVE-2022-26500, to potentially exfiltrate data and download malicious
    tools while appearing as legitimate activity to evade detection.'
  mapping_type: primary_impact
  references:
  - https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
  - https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
  - https://www.cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication
  - https://www.rapid7.com/db/vulnerabilities/veeam-backup-and-replication-cve-2022-26501/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Veeam Backup & Replication Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26501
  comments: 'This vulnerability is exploited by a remote, unauthenticated attacker
    to access internal API functions and send malicious code to the Veeam Distribution
    Service via the default TCP port 9380.


    This vulnerability has been exploited by threat actors associated with the AvosLocker
    ransomware. Kroll analysts have observed these actors using this vulnerability,
    alongside CVE-2022-26500, to potentially exfiltrate data and download malicious
    tools while appearing as legitimate activity to evade detection.'
  mapping_type: exploitation_technique
  references:
  - https://www.kroll.com/en/insights/publications/cyber/avoslocker-ransomware-update
  - https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
  - https://www.cloudsek.com/threatintelligence/multiple-rce-vulnerabilities-affecting-veeam-backup-replication
  - https://www.rapid7.com/db/vulnerabilities/veeam-backup-and-replication-cve-2022-26501/
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: D-Link Multiple Routers Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-45382
  comments: "This remote command execution vulnerability is exploited by an unauthenticated,\
    \ remote adversary via the DDNS function in the ncc2 binary file. Adversaries have\
    \ leveraged this vulnerability to spread variants of the Mirai botnet called Beastmode\
    \ and IZ1H9 to cause distributed denial-of-service attacks.\n\nIn the IZ1H9\
    \ attack, once the attackers took advantage of the vulnerability, they injected\
    \ the IZ1H9 payload into the device. This program included instructions to download\
    \ another script from a specific web address. When this script ran, it erased\
    \ records to cover up the malicious actions and then downloaded additional software\
    \ designed for different types of devices. The script also changed the device's\
    \ settings to block certain network connections, making it more difficult to remove\
    \ the malware. After these steps, the infected device connected to a control server,\
    \ waiting for instructions on which type of denial-of-service attack to carry\
    \ out, such as disrupting services using various internet protocols.\n\nIn the\
    \ Beastmode attack, exploiting the vulnerability led to the download and execution\
    \ of a script called \"ddns.sh.\" This script then fetched the Beastmode program,\
    \ which was saved and run with specific settings. These settings allowed the infected\
    \ device to join a subgroup within the larger botnet, helping the attackers manage\
    \ and assess the effectiveness of their exploits. Once devices were compromised\
    \ by Beastmode, the botnet could be used to launch various types of denial-of-service\
    \ attacks, similar to those seen in other Mirai-based botnets."
  mapping_type: secondary_impact
  references:
  - https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
  - https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos-power-with-new-router-exploits/
  - https://www.malwarebytes.com/blog/news/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline
  - https://thehackernews.com/2022/04/beastmode-ddos-botnet-exploiting-new.html
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: D-Link Multiple Routers Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-45382
  comments: "This remote command execution vulnerability is exploited by an unauthenticated,\
    \ remote adversary via the DDNS function in the ncc2 binary file. Adversaries have\
    \ leveraged this vulnerability to spread variants of the Mirai botnet called Beastmode\
    \ and IZ1H9 to cause distributed denial-of-service attacks.\n\nIn the IZ1H9\
    \ attack, once the attackers took advantage of the vulnerability, they injected\
    \ the IZ1H9 payload into the device. This program included instructions to download\
    \ another script from a specific web address. When this script ran, it erased\
    \ records to cover up the malicious actions and then downloaded additional software\
    \ designed for different types of devices. The script also changed the device's\
    \ settings to block certain network connections, making it more difficult to remove\
    \ the malware. After these steps, the infected device connected to a control server,\
    \ waiting for instructions on which type of denial-of-service attack to carry\
    \ out, such as disrupting services using various internet protocols.\n\nIn the\
    \ Beastmode attack, exploiting the vulnerability led to the download and execution\
    \ of a script called \"ddns.sh.\" This script then fetched the Beastmode program,\
    \ which was saved and run with specific settings. These settings allowed the infected\
    \ device to join a subgroup within the larger botnet, helping the attackers manage\
    \ and assess the effectiveness of their exploits. Once devices were compromised\
    \ by Beastmode, the botnet could be used to launch various types of denial-of-service\
    \ attacks, similar to those seen in other Mirai-based botnets."
  mapping_type: secondary_impact
  references:
  - https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
  - https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos-power-with-new-router-exploits/
  - https://www.malwarebytes.com/blog/news/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline
  - https://thehackernews.com/2022/04/beastmode-ddos-botnet-exploiting-new.html
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: D-Link Multiple Routers Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-45382
  comments: "This remote command execution vulnerability is exploited by an unauthenticated,\
    \ remote adversary via the DDNS function in the ncc2 binary file. Adversaries have\
    \ leveraged this vulnerability to spread variants of the Mirai botnet called Beastmode\
    \ and IZ1H9 to cause distributed denial-of-service attacks.\n\nIn the IZ1H9\
    \ attack, once the attackers took advantage of the vulnerability, they injected\
    \ the IZ1H9 payload into the device. This program included instructions to download\
    \ another script from a specific web address. When this script ran, it erased\
    \ records to cover up the malicious actions and then downloaded additional software\
    \ designed for different types of devices. The script also changed the device's\
    \ settings to block certain network connections, making it more difficult to remove\
    \ the malware. After these steps, the infected device connected to a control server,\
    \ waiting for instructions on which type of denial-of-service attack to carry\
    \ out, such as disrupting services using various internet protocols.\n\nIn the\
    \ Beastmode attack, exploiting the vulnerability led to the download and execution\
    \ of a script called \"ddns.sh.\" This script then fetched the Beastmode program,\
    \ which was saved and run with specific settings. These settings allowed the infected\
    \ device to join a subgroup within the larger botnet, helping the attackers manage\
    \ and assess the effectiveness of their exploits. Once devices were compromised\
    \ by Beastmode, the botnet could be used to launch various types of denial-of-service\
    \ attacks, similar to those seen in other Mirai-based botnets."
  mapping_type: secondary_impact
  references:
  - https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
  - https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos-power-with-new-router-exploits/
  - https://www.malwarebytes.com/blog/news/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline
  - https://thehackernews.com/2022/04/beastmode-ddos-botnet-exploiting-new.html
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: D-Link Multiple Routers Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-45382
  comments: "This remote command execution vulnerability is exploited by an unauthenticated,\
    \ remote adversary via the DDNS function in the ncc2 binary file. Adversaries have\
    \ leveraged this vulnerability to spread variants of the Mirai botnet called Beastmode\
    \ and IZ1H9 to cause distributed denial-of-service attacks.\n\nIn the IZ1H9\
    \ attack, once the attackers took advantage of the vulnerability, they injected\
    \ the IZ1H9 payload into the device. This program included instructions to download\
    \ another script from a specific web address. When this script ran, it erased\
    \ records to cover up the malicious actions and then downloaded additional software\
    \ designed for different types of devices. The script also changed the device's\
    \ settings to block certain network connections, making it more difficult to remove\
    \ the malware. After these steps, the infected device connected to a control server,\
    \ waiting for instructions on which type of denial-of-service attack to carry\
    \ out, such as disrupting services using various internet protocols.\n\nIn the\
    \ Beastmode attack, exploiting the vulnerability led to the download and execution\
    \ of a script called \"ddns.sh.\" This script then fetched the Beastmode program,\
    \ which was saved and run with specific settings. These settings allowed the infected\
    \ device to join a subgroup within the larger botnet, helping the attackers manage\
    \ and assess the effectiveness of their exploits. Once devices were compromised\
    \ by Beastmode, the botnet could be used to launch various types of denial-of-service\
    \ attacks, similar to those seen in other Mirai-based botnets."
  mapping_type: secondary_impact
  references:
  - https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
  - https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos-power-with-new-router-exploits/
  - https://www.malwarebytes.com/blog/news/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline
  - https://thehackernews.com/2022/04/beastmode-ddos-botnet-exploiting-new.html
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: D-Link Multiple Routers Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-45382
  comments: "This remote command execution vulnerability is exploited by an unauthenticated,\
    \ remote adversary via the DDNS function in the ncc2 binary file. Adversaries have\
    \ leveraged this vulnerability to spread Mirai botnet variants called Beastmode\
    \ and IZ1H9 to cause a distributed denial of service attack.\n\nIn the IZ1H9\
    \ attack, once the attackers took advantage of the vulnerability, they injected\
    \ the IZ1H9 payload into the device. This program included instructions to download\
    \ another script from a specific web address. When this script ran, it erased\
    \ records to cover up the malicious actions and then downloaded additional software\
    \ designed for different types of devices. The script also changed the device's\
    \ settings to block certain network connections, making it more difficult to remove\
    \ the malware. After these steps, the infected device connected to a control server,\
    \ waiting for instructions on which type of denial-of-service attack to carry\
    \ out, such as disrupting services using various internet protocols.\n\nIn the\
    \ Beastmode attack, exploiting the vulnerability led to the download and execution\
    \ of a script called \"ddns.sh.\" This script then fetched the Beastmode program,\
    \ which was saved and run with specific settings. These settings allowed the infected\
    \ device to join a subgroup within the larger botnet, helping the attackers manage\
    \ and assess the effectiveness of their exploits. Once devices were compromised\
    \ by Beastmode, the botnet could be used to launch various types of denial-of-service\
    \ attacks, similar to those seen in other Mirai-based botnets."
  mapping_type: primary_impact
  references:
  - https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
  - https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos-power-with-new-router-exploits/
  - https://www.malwarebytes.com/blog/news/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline
  - https://thehackernews.com/2022/04/beastmode-ddos-botnet-exploiting-new.html
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: D-Link Multiple Routers Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-45382
  comments: "This remote command execution vulnerability is exploited by an unauthenticated,\
    \ remote adversary via the DDNS function in the ncc2 binary file. Adversaries have\
    \ leveraged this vulnerability to spread Mirai botnet variants called Beastmode\
    \ and IZ1H9 to cause a distributed denial of service attack.\n\nIn the IZ1H9\
    \ attack, once the attackers took advantage of the vulnerability, they injected\
    \ the IZ1H9 payload into the device. This program included instructions to download\
    \ another script from a specific web address. When this script ran, it erased\
    \ records to cover up the malicious actions and then downloaded additional software\
    \ designed for different types of devices. The script also changed the device's\
    \ settings to block certain network connections, making it more difficult to remove\
    \ the malware. After these steps, the infected device connected to a control server,\
    \ waiting for instructions on which type of denial-of-service attack to carry\
    \ out, such as disrupting services using various internet protocols.\n\nIn the\
    \ Beastmode attack, exploiting the vulnerability led to the download and execution\
    \ of a script called \"ddns.sh.\" This script then fetched the Beastmode program,\
    \ which was saved and run with specific settings. These settings allowed the infected\
    \ device to join a subgroup within the larger botnet, helping the attackers manage\
    \ and assess the effectiveness of their exploits. Once devices were compromised\
    \ by Beastmode, the botnet could be used to launch various types of denial-of-service\
    \ attacks, similar to those seen in other Mirai-based botnets."
  mapping_type: exploitation_technique
  references:
  - https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign
  - https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos-power-with-new-router-exploits/
  - https://www.malwarebytes.com/blog/news/2022/04/cisa-advises-d-link-users-to-take-vulnerable-routers-offline
  - https://thehackernews.com/2022/04/beastmode-ddos-botnet-exploiting-new.html
  - https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
- attack_object_id: T1499.002
  attack_object_name: Service Exhaustion Flood
  capability_description: D-Link DIR-820L Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26258
  comments: 'This remote command execution vulnerability is exploited by an adversary
    via HTTP POST to get set ccp. The exploit targets a command injection vulnerability
    in the /lan.asp component. The component does not successfully sanitize the value
    of the HTTP parameter DeviceName, which in turn can lead to arbitrary command
    execution. Adversaries have leveraged this vulnerability to spread a variant of
    the Mirai botnet called MooBot to cause a distributed denial of service attack.'
  mapping_type: secondary_impact
  references:
  - https://thehackernews.com/2022/09/mirai-variant-moobot-botnet-exploiting.html
  - https://unit42.paloaltonetworks.com/moobot-d-link-devices/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: D-Link DIR-820L Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26258
  comments: 'This remote command execution vulnerability is exploited by an adversary
    via HTTP POST to get set ccp. The exploit targets a command injection vulnerability
    in the /lan.asp component. The component does not successfully sanitize the value
    of the HTTP parameter DeviceName, which in turn can lead to arbitrary command
    execution. Adversaries have leveraged this vulnerability to spread a variant of
    the Mirai botnet called MooBot to cause a distributed denial of service attack.'
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2022/09/mirai-variant-moobot-botnet-exploiting.html
  - https://unit42.paloaltonetworks.com/moobot-d-link-devices/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: D-Link DIR-820L Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-26258
  comments: 'This remote command execution vulnerability is exploited by an adversary
    via HTTP POST to get set ccp. The exploit targets a command injection vulnerability
    in the /lan.asp component. The component does not successfully sanitize the value
    of the HTTP parameter DeviceName, which in turn can lead to arbitrary command
    execution. Adversaries have leveraged this vulnerability to spread a variant of
    the Mirai botnet called MooBot to cause a distributed denial of service attack.'
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2022/09/mirai-variant-moobot-botnet-exploiting.html
  - https://unit42.paloaltonetworks.com/moobot-d-link-devices/
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Microsoft Windows Support Diagnostic Tool (MSDT) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-34713
  comments: This vulnerability is exploited when a user is tricked by an adversary
    into opening a maliciously crafted file delivered via an email or a malicious
    website. Once the user opens the file, an adversary gains the ability to execute
    arbitrary code the next time the victim restarts their computer and logs in.
  mapping_type: primary_impact
  references:
  - https://www.makeuseof.com/microsoft-patches-dogwalk-zero-day/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Windows Support Diagnostic Tool (MSDT) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-34713
  comments: 'This vulnerability is exploited when a user is tricked by an adversary
    into opening a maliciously crafted file. Once the user opens the file, an adversary
    gains the ability to execute arbitrary code the next time the victim restarts
    their computer and logs in.'
  mapping_type: secondary_impact
  references:
  - https://www.makeuseof.com/microsoft-patches-dogwalk-zero-day/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Microsoft Windows Support Diagnostic Tool (MSDT) Remote
    Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-34713
  comments: This vulnerability is exploited when a user is tricked by an adversary
    into opening a maliciously crafted file delivered via an email or a malicious
    website. Once the user opens the file, an adversary gains the ability to execute
    arbitrary code the next time the victim restarts their computer and logs in.
  mapping_type: exploitation_technique
  references:
  - https://www.makeuseof.com/microsoft-patches-dogwalk-zero-day/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713
- attack_object_id: T1005
  attack_object_name: Data from Local System
  capability_description: Microsoft Windows Search Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-36884
  comments: 'This remote code execution vulnerability in Microsoft Office has been
    exploited by adversarial groups to distribute ransomware. Attackers use specially
    crafted Microsoft Office documents to bypass security features, enabling remote
    code execution without user prompts. These documents are typically delivered through
    phishing techniques, enticing victims to open them. Once opened, the ransomware
    encrypts files and demands a ransom for decryption, while also removing system
    backups and leaving a ransom note threatening data loss if recovery is attempted
    without the provided decryptor key.


    The ransomware further erases system logs and may publish stolen data on leak
    websites, leading to unauthorized access to sensitive information and potential
    installation of backdoors for further exploitation. Microsoft addressed this vulnerability
    in their security updates by introducing measures to make file paths unpredictable,
    thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities
    in Microsoft Office and Windows were identified. Security solutions offer protection
    against these exploits, and findings are shared with cybersecurity alliances to
    enhance collective defense efforts.


    This vulnerability has been exploited by the Russian group Storm-0978, also known
    as RomCom, who craft specially designed Microsoft Office documents related to
    the Ukrainian World Congress. These documents bypass Microsoft''s Mark-of-the-Web
    (MotW) security feature, enabling remote code execution without security prompts.
    The adversary used phishing techniques to deliver these documents, enticing victims
    to open them. Once opened, the ransomware, known as Underground, executes, encrypting
    files and demanding a ransom for decryption.


    The ransomware further removes shadow copies, terminates MS SQL Server services,
    and leaves a ransom note threatening data loss if recovery is attempted without
    their decryptor key. It also erases Windows Event logs and publishes stolen victim
    data on a data leak website, causing unauthorized access to sensitive information
    and potential installation of backdoors for further exploitation.'
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  - https://cybersecuritynews.com/romcom-office-0-day-ransomware/#google_vignette
  - https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/
- attack_object_id: T1489
  attack_object_name: Service Stop
  capability_description: Microsoft Windows Search Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-36884
  comments: 'This remote code execution vulnerability in Microsoft Office has been
    exploited by adversarial groups to distribute ransomware. Attackers use specially
    crafted Microsoft Office documents to bypass security features, enabling remote
    code execution without user prompts. These documents are typically delivered through
    phishing techniques, enticing victims to open them. Once opened, the ransomware
    encrypts files and demands a ransom for decryption, while also removing system
    backups and leaving a ransom note threatening data loss if recovery is attempted
    without the provided decryptor key.


    The ransomware further erases system logs and may publish stolen data on leak
    websites, leading to unauthorized access to sensitive information and potential
    installation of backdoors for further exploitation. Microsoft addressed this vulnerability
    in their security updates by introducing measures to make file paths unpredictable,
    thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities
    in Microsoft Office and Windows were identified. Security solutions offer protection
    against these exploits, and findings are shared with cybersecurity alliances to
    enhance collective defense efforts.


    This vulnerability has been exploited by the Russian group Storm-0978, also known
    as RomCom, who craft specially designed Microsoft Office documents related to
    the Ukrainian World Congress. These documents bypass Microsoft''s Mark-of-the-Web
    (MotW) security feature, enabling remote code execution without security prompts.
    The adversary used phishing techniques to deliver these documents, enticing victims
    to open them. Once opened, the ransomware, known as Underground, executes, encrypting
    files and demanding a ransom for decryption.


    The ransomware further removes shadow copies, terminates MS SQL Server services,
    and leaves a ransom note threatening data loss if recovery is attempted without
    their decryptor key. It also erases Windows Event logs and publishes stolen victim
    data on a data leak website, causing unauthorized access to sensitive information
    and potential installation of backdoors for further exploitation.'
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  - https://cybersecuritynews.com/romcom-office-0-day-ransomware/#google_vignette
  - https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/
- attack_object_id: T1490
  attack_object_name: Inhibit System Recovery
  capability_description: Microsoft Windows Search Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-36884
  comments: 'This remote code execution vulnerability in Microsoft Office has been
    exploited by adversarial groups to distribute ransomware. Attackers use specially
    crafted Microsoft Office documents to bypass security features, enabling remote
    code execution without user prompts. These documents are typically delivered through
    phishing techniques, enticing victims to open them. Once opened, the ransomware
    encrypts files and demands a ransom for decryption, while also removing system
    backups and leaving a ransom note threatening data loss if recovery is attempted
    without the provided decryptor key.


    The ransomware further erases system logs and may publish stolen data on leak
    websites, leading to unauthorized access to sensitive information and potential
    installation of backdoors for further exploitation. Microsoft addressed this vulnerability
    in their security updates by introducing measures to make file paths unpredictable,
    thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities
    in Microsoft Office and Windows were identified. Security solutions offer protection
    against these exploits, and findings are shared with cybersecurity alliances to
    enhance collective defense efforts.


    This vulnerability has been exploited by the Russian group Storm-0978, also known
    as RomCom, who craft specially designed Microsoft Office documents related to
    the Ukrainian World Congress. These documents bypass Microsoft''s Mark-of-the-Web
    (MotW) security feature, enabling remote code execution without security prompts.
    The adversary used phishing techniques to deliver these documents, enticing victims
    to open them. Once opened, the ransomware, known as Underground, executes, encrypting
    files and demanding a ransom for decryption.


    The ransomware further removes shadow copies, terminates MS SQL Server services,
    and leaves a ransom note threatening data loss if recovery is attempted without
    their decryptor key. It also erases Windows Event logs and publishes stolen victim
    data on a data leak website, causing unauthorized access to sensitive information
    and potential installation of backdoors for further exploitation.'
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  - https://cybersecuritynews.com/romcom-office-0-day-ransomware/#google_vignette
  - https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Microsoft Windows Search Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-36884
  comments: 'This remote code execution vulnerability in Microsoft Office has been
    exploited by adversarial groups to distribute ransomware. Attackers use specially
    crafted Microsoft Office documents to bypass security features, enabling remote
    code execution without user prompts. These documents are typically delivered through
    phishing techniques, enticing victims to open them. Once opened, the ransomware
    encrypts files and demands a ransom for decryption, while also removing system
    backups and leaving a ransom note threatening data loss if recovery is attempted
    without the provided decryptor key.


    The ransomware further erases system logs and may publish stolen data on leak
    websites, leading to unauthorized access to sensitive information and potential
    installation of backdoors for further exploitation. Microsoft addressed this vulnerability
    in their security updates by introducing measures to make file paths unpredictable,
    thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities
    in Microsoft Office and Windows were identified. Security solutions offer protection
    against these exploits, and findings are shared with cybersecurity alliances to
    enhance collective defense efforts.


    This vulnerability has been exploited by the Russian group Storm-0978, also known
    as RomCom, who craft specially designed Microsoft Office documents related to
    the Ukrainian World Congress. These documents bypass Microsoft''s Mark-of-the-Web
    (MotW) security feature, enabling remote code execution without security prompts.
    The adversary used phishing techniques to deliver these documents, enticing victims
    to open them. Once opened, the ransomware, known as Underground, executes, encrypting
    files and demanding a ransom for decryption.


    The ransomware further removes shadow copies, terminates MS SQL Server services,
    and leaves a ransom note threatening data loss if recovery is attempted without
    their decryptor key. It also erases Windows Event logs and publishes stolen victim
    data on a data leak website, causing unauthorized access to sensitive information
    and potential installation of backdoors for further exploitation.'
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  - https://cybersecuritynews.com/romcom-office-0-day-ransomware/#google_vignette
  - https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Microsoft Windows Search Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-36884
  comments: 'This remote code execution vulnerability in Microsoft Office has been
    exploited by adversarial groups to distribute ransomware. Attackers use specially
    crafted Microsoft Office documents to bypass security features, enabling remote
    code execution without user prompts. These documents are typically delivered through
    phishing techniques, enticing victims to open them. Once opened, the ransomware
    encrypts files and demands a ransom for decryption, while also removing system
    backups and leaving a ransom note threatening data loss if recovery is attempted
    without the provided decryptor key.


    The ransomware further erases system logs and may publish stolen data on leak
    websites, leading to unauthorized access to sensitive information and potential
    installation of backdoors for further exploitation. Microsoft addressed this vulnerability
    in their security updates by introducing measures to make file paths unpredictable,
    thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities
    in Microsoft Office and Windows were identified. Security solutions offer protection
    against these exploits, and findings are shared with cybersecurity alliances to
    enhance collective defense efforts.


    This vulnerability has been exploited by the Russian group Storm-0978, also known
    as RomCom, who craft specially designed Microsoft Office documents related to
    the Ukrainian World Congress. These documents bypass Microsoft''s Mark-of-the-Web
    (MotW) security feature, enabling remote code execution without security prompts.
    The adversary used phishing techniques to deliver these documents, enticing victims
    to open them. Once opened, the ransomware, known as Underground, executes, encrypting
    files and demanding a ransom for decryption.


    The ransomware further removes shadow copies, terminates MS SQL Server services,
    and leaves a ransom note threatening data loss if recovery is attempted without
    their decryptor key. It also erases Windows Event logs and publishes stolen victim
    data on a data leak website, causing unauthorized access to sensitive information
    and potential installation of backdoors for further exploitation.'
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  - https://cybersecuritynews.com/romcom-office-0-day-ransomware/#google_vignette
  - https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/
- attack_object_id: T1553.005
  attack_object_name: Mark-of-the-Web Bypass
  capability_description: Microsoft Windows Search Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-36884
  comments: 'This remote code execution vulnerability in Microsoft Office has been
    exploited by adversarial groups to distribute ransomware. Attackers use specially
    crafted Microsoft Office documents to bypass security features, enabling remote
    code execution without user prompts. These documents are typically delivered through
    phishing techniques, enticing victims to open them. Once opened, the ransomware
    encrypts files and demands a ransom for decryption, while also removing system
    backups and leaving a ransom note threatening data loss if recovery is attempted
    without the provided decryptor key.


    The ransomware further erases system logs and may publish stolen data on leak
    websites, leading to unauthorized access to sensitive information and potential
    installation of backdoors for further exploitation. Microsoft addressed this vulnerability
    in their security updates by introducing measures to make file paths unpredictable,
    thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities
    in Microsoft Office and Windows were identified. Security solutions offer protection
    against these exploits, and findings are shared with cybersecurity alliances to
    enhance collective defense efforts.


    This vulnerability has been exploited by the Russian group Storm-0978, also known
    as RomCom, who craft specially designed Microsoft Office documents related to
    the Ukrainian World Congress. These documents bypass Microsoft''s Mark-of-the-Web
    (MotW) security feature, enabling remote code execution without security prompts.
    The adversary used phishing techniques to deliver these documents, enticing victims
    to open them. Once opened, the ransomware, known as Underground, executes, encrypting
    files and demanding a ransom for decryption.


    The ransomware further removes shadow copies, terminates MS SQL Server services,
    and leaves a ransom note threatening data loss if recovery is attempted without
    their decryptor key. It also erases Windows Event logs and publishes stolen victim
    data on a data leak website, causing unauthorized access to sensitive information
    and potential installation of backdoors for further exploitation.'
  mapping_type: secondary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  - https://cybersecuritynews.com/romcom-office-0-day-ransomware/#google_vignette
  - https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Microsoft Windows Search Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-36884
  comments: 'This remote code execution vulnerability in Microsoft Office has been
    exploited by adversarial groups to distribute ransomware. Attackers use specially
    crafted Microsoft Office documents to bypass security features, enabling remote
    code execution without user prompts. These documents are typically delivered through
    phishing techniques, enticing victims to open them. Once opened, the ransomware
    encrypts files and demands a ransom for decryption, while also removing system
    backups and leaving a ransom note threatening data loss if recovery is attempted
    without the provided decryptor key.


    The ransomware further erases system logs and may publish stolen data on leak
    websites, leading to unauthorized access to sensitive information and potential
    installation of backdoors for further exploitation. Microsoft addressed this vulnerability
    in their security updates by introducing measures to make file paths unpredictable,
    thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities
    in Microsoft Office and Windows were identified. Security solutions offer protection
    against these exploits, and findings are shared with cybersecurity alliances to
    enhance collective defense efforts.


    This vulnerability has been exploited by the Russian group Storm-0978, also known
    as RomCom, who craft specially designed Microsoft Office documents related to
    the Ukrainian World Congress. These documents bypass Microsoft''s Mark-of-the-Web
    (MotW) security feature, enabling remote code execution without security prompts.
    The adversary used phishing techniques to deliver these documents, enticing victims
    to open them. Once opened, the ransomware, known as Underground, executes, encrypting
    files and demanding a ransom for decryption.


    The ransomware further removes shadow copies, terminates MS SQL Server services,
    and leaves a ransom note threatening data loss if recovery is attempted without
    their decryptor key. It also erases Windows Event logs and publishes stolen victim
    data on a data leak website, causing unauthorized access to sensitive information
    and potential installation of backdoors for further exploitation.'
  mapping_type: primary_impact
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  - https://cybersecuritynews.com/romcom-office-0-day-ransomware/#google_vignette
  - https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Microsoft Windows Search Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2023-36884
  comments: 'This remote code execution vulnerability in Microsoft Office has been
    exploited by adversarial groups to distribute ransomware. Attackers use specially
    crafted Microsoft Office documents to bypass security features, enabling remote
    code execution without user prompts. These documents are typically delivered through
    phishing techniques, enticing victims to open them. Once opened, the ransomware
    encrypts files and demands a ransom for decryption, while also removing system
    backups and leaving a ransom note threatening data loss if recovery is attempted
    without the provided decryptor key.


    The ransomware further erases system logs and may publish stolen data on leak
    websites, leading to unauthorized access to sensitive information and potential
    installation of backdoors for further exploitation. Microsoft addressed this vulnerability
    in their security updates by introducing measures to make file paths unpredictable,
    thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities
    in Microsoft Office and Windows were identified. Security solutions offer protection
    against these exploits, and findings are shared with cybersecurity alliances to
    enhance collective defense efforts.


    This vulnerability has been exploited by the Russian group Storm-0978, also known
    as RomCom, who craft specially designed Microsoft Office documents related to
    the Ukrainian World Congress. These documents bypass Microsoft''s Mark-of-the-Web
    (MotW) security feature, enabling remote code execution without security prompts.
    The adversary used phishing techniques to deliver these documents, enticing victims
    to open them. Once opened, the ransomware, known as Underground, executes, encrypting
    files and demanding a ransom for decryption.


    The ransomware further removes shadow copies, terminates MS SQL Server services,
    and leaves a ransom note threatening data loss if recovery is attempted without
    their decryptor key. It also erases Windows Event logs and publishes stolen victim
    data on a data leak website, causing unauthorized access to sensitive information
    and potential installation of backdoors for further exploitation.'
  mapping_type: exploitation_technique
  references:
  - https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
  - https://cybersecuritynews.com/romcom-office-0-day-ransomware/#google_vignette
  - https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Microsoft Windows Scripting Languages Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-41128
  comments: This vulnerability is exploited by a remote adversary who entices a user
    running an affected version of Windows to access a malicious server. The adversary
    hosts a specially crafted server share or website and convinces the user to visit
    it, typically through an email or chat message. The adversary then crafts a malicious
    Microsoft Office document that embeds a remote RTF template, which fetches HTML
    content rendered by Internet Explorer's JScript engine. This stealthy attack vector
    does not require Internet Explorer as the default browser. Once the victim opens
    the document and disables protected view, the adversary executes arbitrary code
    by triggering a type confusion error in the JScript engine. This allows the adversary
    to deliver malicious payloads, conduct reconnaissance, and exfiltrate data, while
    erasing traces of the exploit by clearing the browser cache and history. The impact
    on the victim includes unauthorized access to sensitive information and the potential
    installation of backdoors for further exploitation.
  mapping_type: secondary_impact
  references:
  - https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41128
- attack_object_id: T1203
  attack_object_name: Exploitation for Client Execution
  capability_description: Microsoft Windows Scripting Languages Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-41128
  comments: This vulnerability is exploited by a remote adversary who entices a user
    running an affected version of Windows to access a malicious server. The adversary
    hosts a specially crafted server share or website and convinces the user to visit
    it, typically through an email or chat message. The adversary then crafts a malicious
    Microsoft Office document that embeds a remote RTF template, which fetches HTML
    content rendered by Internet Explorer's JScript engine. This stealthy attack vector
    does not require Internet Explorer as the default browser. Once the victim opens
    the document and disables protected view, the adversary executes arbitrary code
    by triggering a type confusion error in the JScript engine. This allows the adversary
    to deliver malicious payloads, conduct reconnaissance, and exfiltrate data, while
    erasing traces of the exploit by clearing the browser cache and history. The impact
    on the victim includes unauthorized access to sensitive information and the potential
    installation of backdoors for further exploitation.
  mapping_type: primary_impact
  references:
  - https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41128
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Microsoft Windows Scripting Languages Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-41128
  comments: This vulnerability is exploited by a remote adversary who entices a user
    running an affected version of Windows to access a malicious server. The adversary
    hosts a specially crafted server share or website and convinces the user to visit
    it, typically through an email or chat message. The adversary then crafts a malicious
    Microsoft Office document that embeds a remote RTF template, which fetches HTML
    content rendered by Internet Explorer's JScript engine. This stealthy attack vector
    does not require Internet Explorer as the default browser. Once the victim opens
    the document and disables protected view, the adversary executes arbitrary code
    by triggering a type confusion error in the JScript engine. This allows the adversary
    to deliver malicious payloads, conduct reconnaissance, and exfiltrate data, while
    erasing traces of the exploit by clearing the browser cache and history. The impact
    on the victim includes unauthorized access to sensitive information and the potential
    installation of backdoors for further exploitation.
  mapping_type: exploitation_technique
  references:
  - https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41128
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-42321
  comments: 'This vulnerability is exploited by an adversary who has gained authentication
    to the Exchange Server and exploited validation issues in command-let arguments.
    This gives the adversary access to perform remote code execution on the server.'
  mapping_type: primary_impact
  references:
  - https://techcommunity.microsoft.com/blog/exchange/released-november-2021-exchange-server-security-updates/2933169
  - https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-42321
  comments: 'This vulnerability is exploited by an adversary who has gained authentication
    to the Exchange Server and exploited validation issues in command-let arguments.
    This gives the adversary access to perform remote code execution on the server.'
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/exploit-released-for-microsoft-exchange-rce-bug-patch-now/
  - https://techcommunity.microsoft.com/blog/exchange/released-november-2021-exchange-server-security-updates/2933169
  - https://threatpost.com/microsoft-nov-patch-tuesday-fixes-six-zero-days-55-bugs/176143/
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-41082
  comments: 'This vulnerability is exploited by a remote adversary who has either
    authenticated to a Microsoft Exchange Server or has gained access to PowerShell
    prior to leveraging this vulnerability. The adversary then performs remote code
    execution via PowerShell to install a Chopper web shell to perform Active Directory
    reconnaissance and data exfiltration.'
  mapping_type: secondary_impact
  references:
  - https://www.crowdstrike.com/en-us/blog/owassrf-exploit-analysis-and-recommendations/
  - https://www.darkreading.com/application-security/ransomware-attackers-bypass-microsoft-mitigation-proxynotshell-exploit
  - https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
  - https://www.kb.cert.org/vuls/id/915563
- attack_object_id: T1482
  attack_object_name: Domain Trust Discovery
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-41082
  comments: 'This vulnerability is exploited by a remote adversary who has either
    authenticated to a Microsoft Exchange Server or has gained access to PowerShell
    prior to leveraging this vulnerability. The adversary then performs remote code
    execution via PowerShell to install a Chopper web shell to perform Active Directory
    reconnaissance and data exfiltration.'
  mapping_type: secondary_impact
  references:
  - https://www.crowdstrike.com/en-us/blog/owassrf-exploit-analysis-and-recommendations/
  - https://www.darkreading.com/application-security/ransomware-attackers-bypass-microsoft-mitigation-proxynotshell-exploit
  - https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
  - https://www.kb.cert.org/vuls/id/915563
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-41082
  comments: 'This vulnerability is exploited by a remote adversary who has either
    authenticated to a Microsoft Exchange Server or has gained access to PowerShell
    prior to leveraging this vulnerability. The adversary then performs remote code
    execution via PowerShell to install a Chopper web shell to perform Active Directory
    reconnaissance and data exfiltration.'
  mapping_type: secondary_impact
  references:
  - https://www.crowdstrike.com/en-us/blog/owassrf-exploit-analysis-and-recommendations/
  - https://www.darkreading.com/application-security/ransomware-attackers-bypass-microsoft-mitigation-proxynotshell-exploit
  - https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
  - https://www.kb.cert.org/vuls/id/915563
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-41082
  comments: 'This vulnerability is exploited by a remote adversary who has either
    authenticated to a Microsoft Exchange Server or has gained access to PowerShell
    prior to leveraging this vulnerability. The adversary then performs remote code
    execution via PowerShell to install a Chopper web shell to perform Active Directory
    reconnaissance and data exfiltration.'
  mapping_type: secondary_impact
  references:
  - https://www.crowdstrike.com/en-us/blog/owassrf-exploit-analysis-and-recommendations/
  - https://www.darkreading.com/application-security/ransomware-attackers-bypass-microsoft-mitigation-proxynotshell-exploit
  - https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
  - https://www.kb.cert.org/vuls/id/915563
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-41082
  comments: 'This vulnerability is exploited by a remote adversary who has either
    authenticated to a Microsoft Exchange Server or has gained access to PowerShell
    prior to leveraging this vulnerability. The adversary then performs remote code
    execution via PowerShell to install a Chopper web shell to perform Active Directory
    reconnaissance and data exfiltration.'
  mapping_type: primary_impact
  references:
  - https://www.crowdstrike.com/en-us/blog/owassrf-exploit-analysis-and-recommendations/
  - https://www.darkreading.com/application-security/ransomware-attackers-bypass-microsoft-mitigation-proxynotshell-exploit
  - https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
  - https://www.kb.cert.org/vuls/id/915563
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-41082
  comments: 'This vulnerability is exploited by a remote adversary who has either
    authenticated to a Microsoft Exchange Server or has gained access to PowerShell
    prior to leveraging this vulnerability. The adversary then performs remote code
    execution via PowerShell to install a Chopper web shell to perform Active Directory
    reconnaissance and data exfiltration.'
  mapping_type: exploitation_technique
  references:
  - https://www.crowdstrike.com/en-us/blog/owassrf-exploit-analysis-and-recommendations/
  - https://www.darkreading.com/application-security/ransomware-attackers-bypass-microsoft-mitigation-proxynotshell-exploit
  - https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
  - https://www.kb.cert.org/vuls/id/915563
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Microsoft Exchange Server Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-41082
  comments: 'This vulnerability is exploited by a remote adversary who has either
    authenticated to a Microsoft Exchange Server or has gained access to PowerShell
    prior to leveraging this vulnerability. The adversary then performs remote code
    execution via PowerShell to install a Chopper web shell to perform Active Directory
    reconnaissance and data exfiltration.'
  mapping_type: exploitation_technique
  references:
  - https://www.crowdstrike.com/en-us/blog/owassrf-exploit-analysis-and-recommendations/
  - https://www.darkreading.com/application-security/ransomware-attackers-bypass-microsoft-mitigation-proxynotshell-exploit
  - https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
  - https://www.kb.cert.org/vuls/id/915563
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: VMware Tools Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-20867
  comments: This vulnerability is exploited by an adversary who has fully compromised
    an ESXi host. The adversary can exploit the authentication bypass flaw, leading to
    a failure in authenticating host-to-guest operations. The threat group UNC3886
    has exploited this vulnerability to deploy VirtualPita and VirtualPie backdoors
    on guest VMs by escalating privileges to root on compromised ESXi hosts. This
    allows for unauthenticated command execution and file transfer.
  mapping_type: secondary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/chinese-hackers-used-vmware-esxi-zero-day-to-backdoor-vms/
  - https://www.darkreading.com/endpoint-security/chinese-spies-exploited-critical-vmware-bug-2-years
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: VMware Tools Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-20867
  comments: This vulnerability is exploited by an adversary who has fully compromised
    an ESXi host. The adversary can exploit the authentication bypass flaw, leading to
    a failure in authenticating host-to-guest operations. The threat group UNC3886
    has exploited this vulnerability to deploy VirtualPita and VirtualPie backdoors
    on guest VMs by escalating privileges to root on compromised ESXi hosts. This
    allows for unauthenticated command execution and file transfer.
  mapping_type: primary_impact
  references:
  - https://www.bleepingcomputer.com/news/security/chinese-hackers-used-vmware-esxi-zero-day-to-backdoor-vms/
  - https://www.darkreading.com/endpoint-security/chinese-spies-exploited-critical-vmware-bug-2-years
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: VMware Tools Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-20867
  comments: This vulnerability is exploited by an adversary who has fully compromised
    an ESXi host. The adversary can exploit the authentication bypass flaw, leading to
    a failure in authenticating host-to-guest operations. The threat group UNC3886
    has exploited this vulnerability to deploy VirtualPita and VirtualPie backdoors
    on guest VMs by escalating privileges to root on compromised ESXi hosts. This
    allows for unauthenticated command execution and file transfer.
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/chinese-hackers-used-vmware-esxi-zero-day-to-backdoor-vms/
  - https://www.darkreading.com/endpoint-security/chinese-spies-exploited-critical-vmware-bug-2-years
- attack_object_id: T1505.003
  attack_object_name: Web Shell
  capability_description: VMware Tanzu Spring Cloud Function Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-22963
  comments: In certain versions of Spring Cloud Function, a vulnerability allows remote
    code execution through a specially crafted Spring Expression Language (SpEL) routing
    expression. This vulnerability, known as "Spring4Shell," can be exploited by sending
    crafted queries to a server running the Spring Core framework. Hackers are actively
    exploiting this flaw to execute malicious Java code on vulnerable servers. Initial
    exploit attempts were observed targeting a honeypot on port 9001. The exploit
    modifies logging configurations to create a webshell by writing code to a log
    file, which is then executed via a browser. Although there is scanning activity
    for vulnerable hosts, the exploitation is less widespread compared to Log4Shell,
    as it requires specific conditions beyond just using the framework.
  mapping_type: secondary_impact
  references:
  - https://isc.sans.edu/diary/Spring+Vulnerability+Update+Exploitation+Attempts+CVE202222965/28504
  - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
  - https://www.microsoft.com/en-us/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/
  - https://www.sentinelone.com/blog/cve-2022-22963/
- attack_object_id: T1059.007
  attack_object_name: JavaScript
  capability_description: VMware Tanzu Spring Cloud Function Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-22963
  comments: In certain versions of Spring Cloud Function, a vulnerability allows remote
    code execution through a specially crafted Spring Expression Language (SpEL) routing
    expression. This vulnerability, known as "Spring4Shell," can be exploited by sending
    crafted queries to a server running the Spring Core framework. Hackers are actively
    exploiting this flaw to execute malicious Java code on vulnerable servers. Initial
    exploit attempts were observed targeting a honeypot on port 9001. The exploit
    modifies logging configurations to create a webshell by writing code to a log
    file, which is then executed via a browser. Although there is scanning activity
    for vulnerable hosts, the exploitation is less widespread compared to Log4Shell,
    as it requires specific conditions beyond just using the framework.
  mapping_type: primary_impact
  references:
  - https://isc.sans.edu/diary/Spring+Vulnerability+Update+Exploitation+Attempts+CVE202222965/28504
  - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
  - https://www.microsoft.com/en-us/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/
  - https://www.sentinelone.com/blog/cve-2022-22963/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: VMware Tanzu Spring Cloud Function Remote Code Execution
    Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-22963
  comments: In certain versions of Spring Cloud Function, a vulnerability allows remote
    code execution through a specially crafted Spring Expression Language (SpEL) routing
    expression. This vulnerability, known as "Spring4Shell," can be exploited by sending
    crafted queries to a server running the Spring Core framework. Hackers are actively
    exploiting this flaw to execute malicious Java code on vulnerable servers. Initial
    exploit attempts were observed targeting a honeypot on port 9001. The exploit
    modifies logging configurations to create a webshell by writing code to a log
    file, which is then executed via a browser. Although there is scanning activity
    for vulnerable hosts, the exploitation is less widespread compared to Log4Shell,
    as it requires specific conditions beyond just using the framework.
  mapping_type: exploitation_technique
  references:
  - https://isc.sans.edu/diary/Spring+Vulnerability+Update+Exploitation+Attempts+CVE202222965/28504
  - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
  - https://www.microsoft.com/en-us/security/blog/2022/04/04/springshell-rce-vulnerability-guidance-for-protecting-against-and-detecting-cve-2022-22965/
  - https://www.sentinelone.com/blog/cve-2022-22963/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Vmware Aria Operations for Networks Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-20887
  comments: 'This vulnerability is exploited by a remote, unauthenticated actor to
    gain remote code execution via a command injection attack. This vulnerability
    has been exploited in the wild; however, technical details have not been publicly
    shared.'
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2023/06/alert-hackers-exploiting-critical.html
  - https://blog.qualys.com/qualys-insights/2023/09/26/qualys-survey-of-top-10-exploited-vulnerabilities-in-2023
  - https://its.ny.gov/2023-067
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Vmware Aria Operations for Networks Command Injection Vulnerability
  capability_group: command_injection
  capability_id: CVE-2023-20887
  comments: 'This vulnerability is exploited by a remote, unauthenticated actor to
    gain remote code execution via a command injection attack. This vulnerability
    has been exploited in the wild; however, technical details have not been publicly
    shared.'
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2023/06/alert-hackers-exploiting-critical.html
  - https://blog.qualys.com/qualys-insights/2023/09/26/qualys-survey-of-top-10-exploited-vulnerabilities-in-2023
  - https://its.ny.gov/2023-067
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Ivanti Sentry Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-38035
  comments: "This vulnerability was exploited by unauthenticated actors who accessed\
    \ the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging\
    \ an authentication bypass flaw to achieve remote code execution. This flaw allows\
    \ attackers to access sensitive APIs, enabling them to change configurations,\
    \ execute system commands, or write files onto the system. \n\nThis vulnerability\
    \ was part of a campaign involving cryptocurrency mining and internal network\
    \ reconnaissance. The exploitation allowed attackers to deploy malicious tools\
    \ and conduct unauthorized activities within the network, ultimately compromising\
    \ system integrity and security. The exploitation facilitated unauthorized access\
    \ to the Ivanti Sentry server, allowing the execution of OS commands as a system\
    \ administrator using \"sudo.\" Observations revealed that suspicious SSL connections\
    \ over port 8433 led to HTTP GET requests, indicating the abuse of command-line\
    \ utilities like wget and cURL."
  mapping_type: secondary_impact
  references:
  - https://darktrace.com/fr/blog/entry-via-sentry-analyzing-the-exploitation-of-a-critical-vulnerability-in-ivanti-sentry
  - https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
  - https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
  - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
- attack_object_id: T1571
  attack_object_name: Non-Standard Port
  capability_description: Ivanti Sentry Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-38035
  comments: "This vulnerability was exploited by unauthenticated actors who accessed\
    \ the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging\
    \ an authentication bypass flaw to achieve remote code execution. This flaw allows\
    \ attackers to access sensitive APIs, enabling them to change configurations,\
    \ execute system commands, or write files onto the system. \n\nThis vulnerability\
    \ was part of a campaign involving cryptocurrency mining and internal network\
    \ reconnaissance. The exploitation allowed attackers to deploy malicious tools\
    \ and conduct unauthorized activities within the network, ultimately compromising\
    \ system integrity and security. The exploitation facilitated unauthorized access\
    \ to the Ivanti Sentry server, allowing the execution of OS commands as a system\
    \ administrator using \"sudo.\" Observations revealed that suspicious SSL connections\
    \ over port 8433 led to HTTP GET requests, indicating the abuse of command-line\
    \ utilities like wget and cURL."
  mapping_type: secondary_impact
  references:
  - https://darktrace.com/fr/blog/entry-via-sentry-analyzing-the-exploitation-of-a-critical-vulnerability-in-ivanti-sentry
  - https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
  - https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
  - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Ivanti Sentry Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-38035
  comments: "This vulnerability was exploited by unauthenticated actors who accessed\
    \ the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging\
    \ an authentication bypass flaw to achieve remote code execution. This flaw allows\
    \ attackers to access sensitive APIs, enabling them to change configurations,\
    \ execute system commands, or write files onto the system. \n\nThis vulnerability\
    \ was part of a campaign involving cryptocurrency mining and internal network\
    \ reconnaissance. The exploitation allowed attackers to deploy malicious tools\
    \ and conduct unauthorized activities within the network, ultimately compromising\
    \ system integrity and security. The exploitation facilitated unauthorized access\
    \ to the Ivanti Sentry server, allowing the execution of OS commands as a system\
    \ administrator using \"sudo.\" Observations revealed that suspicious SSL connections\
    \ over port 8433 led to HTTP GET requests, indicating the abuse of command-line\
    \ utilities like wget and cURL."
  mapping_type: secondary_impact
  references:
  - https://darktrace.com/fr/blog/entry-via-sentry-analyzing-the-exploitation-of-a-critical-vulnerability-in-ivanti-sentry
  - https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
  - https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
  - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
- attack_object_id: T1071.001
  attack_object_name: Web Protocols
  capability_description: Ivanti Sentry Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-38035
  comments: "This vulnerability was exploited by unauthenticated actors who accessed\
    \ the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging\
    \ an authentication bypass flaw to achieve remote code execution. This flaw allows\
    \ attackers to access sensitive APIs, enabling them to change configurations,\
    \ execute system commands, or write files onto the system. \n\nThis vulnerability\
    \ was part of a campaign involving cryptocurrency mining and internal network\
    \ reconnaissance. The exploitation allowed attackers to deploy malicious tools\
    \ and conduct unauthorized activities within the network, ultimately compromising\
    \ system integrity and security. The exploitation facilitated unauthorized access\
    \ to the Ivanti Sentry server, allowing the execution of OS commands as a system\
    \ administrator using \"sudo.\" Observations revealed that suspicious SSL connections\
    \ over port 8433 led to HTTP GET requests, indicating the abuse of command-line\
    \ utilities like wget and cURL. "
  mapping_type: secondary_impact
  references:
  - https://darktrace.com/fr/blog/entry-via-sentry-analyzing-the-exploitation-of-a-critical-vulnerability-in-ivanti-sentry
  - https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
  - https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
  - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
- attack_object_id: T1018
  attack_object_name: Remote System Discovery
  capability_description: Ivanti Sentry Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-38035
  comments: "This vulnerability was exploited by unauthenticated actors who accessed\
    \ the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging\
    \ an authentication bypass flaw to achieve remote code execution. This flaw allows\
    \ attackers to access sensitive APIs, enabling them to change configurations,\
    \ execute system commands, or write files onto the system. \n\nThis vulnerability\
    \ was part of a campaign involving cryptocurrency mining and internal network\
    \ reconnaissance. The exploitation allowed attackers to deploy malicious tools\
    \ and conduct unauthorized activities within the network, ultimately compromising\
    \ system integrity and security. The exploitation facilitated unauthorized access\
    \ to the Ivanti Sentry server, allowing the execution of OS commands as a system\
    \ administrator using \"sudo.\" Observations revealed that suspicious SSL connections\
    \ over port 8433 led to HTTP GET requests, indicating the abuse of command-line\
    \ utilities like wget and cURL. "
  mapping_type: secondary_impact
  references:
  - https://darktrace.com/fr/blog/entry-via-sentry-analyzing-the-exploitation-of-a-critical-vulnerability-in-ivanti-sentry
  - https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
  - https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
  - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Ivanti Sentry Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-38035
  comments: "This vulnerability was exploited by unauthenticated actors who accessed\
    \ the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging\
    \ an authentication bypass flaw to achieve remote code execution. This flaw allows\
    \ attackers to access sensitive APIs, enabling them to change configurations,\
    \ execute system commands, or write files onto the system. \n\nThis vulnerability\
    \ was part of a campaign involving cryptocurrency mining and internal network\
    \ reconnaissance. The exploitation allowed attackers to deploy malicious tools\
    \ and conduct unauthorized activities within the network, ultimately compromising\
    \ system integrity and security. The exploitation facilitated unauthorized access\
    \ to the Ivanti Sentry server, allowing the execution of OS commands as a system\
    \ administrator using \"sudo.\" Observations revealed that suspicious SSL connections\
    \ over port 8433 led to HTTP GET requests, indicating the abuse of command-line\
    \ utilities like wget and cURL. "
  mapping_type: secondary_impact
  references:
  - https://darktrace.com/fr/blog/entry-via-sentry-analyzing-the-exploitation-of-a-critical-vulnerability-in-ivanti-sentry
  - https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
  - https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
  - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: Ivanti Sentry Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-38035
  comments: "This vulnerability was exploited by unauthenticated actors who accessed\
    \ the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging\
    \ an authentication bypass flaw to achieve remote code execution. This flaw allows\
    \ attackers to access sensitive APIs, enabling them to change configurations,\
    \ execute system commands, or write files onto the system. \n\nThis vulnerability\
    \ was part of a campaign involving cryptocurrency mining and internal network\
    \ reconnaissance. The exploitation allowed attackers to deploy malicious tools\
    \ and conduct unauthorized activities within the network, ultimately compromising\
    \ system integrity and security. The exploitation facilitated unauthorized access\
    \ to the Ivanti Sentry server, allowing the execution of OS commands as a system\
    \ administrator using \"sudo.\" Observations revealed that suspicious SSL connections\
    \ over port 8433 led to HTTP GET requests, indicating the abuse of command-line\
    \ utilities like wget and cURL. "
  mapping_type: secondary_impact
  references:
  - https://darktrace.com/fr/blog/entry-via-sentry-analyzing-the-exploitation-of-a-critical-vulnerability-in-ivanti-sentry
  - https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
  - https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
  - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Ivanti Sentry Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-38035
  comments: "This vulnerability was exploited by unauthenticated actors who accessed\
    \ the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging\
    \ an authentication bypass flaw to achieve remote code execution. This flaw allows\
    \ attackers to access sensitive APIs, enabling them to change configurations,\
    \ execute system commands, or write files onto the system. \n\nThis vulnerability\
    \ was part of a campaign involving cryptocurrency mining and internal network\
    \ reconnaissance. The exploitation allowed attackers to deploy malicious tools\
    \ and conduct unauthorized activities within the network, ultimately compromising\
    \ system integrity and security. The exploitation facilitated unauthorized access\
    \ to the Ivanti Sentry server, allowing the execution of OS commands as a system\
    \ administrator using \"sudo.\" Observations revealed that suspicious SSL connections\
    \ over port 8433 led to HTTP GET requests, indicating the abuse of command-line\
    \ utilities like wget and cURL. "
  mapping_type: primary_impact
  references:
  - https://darktrace.com/fr/blog/entry-via-sentry-analyzing-the-exploitation-of-a-critical-vulnerability-in-ivanti-sentry
  - https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
  - https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
  - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Ivanti Sentry Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2023-38035
  comments: "This vulnerability was exploited by unauthenticated actors who accessed\
    \ the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging\
    \ an authentication bypass flaw to achieve remote code execution. This flaw allows\
    \ attackers to access sensitive APIs, enabling them to change configurations,\
    \ execute system commands, or write files onto the system. \n\nThis vulnerability\
    \ was part of a campaign involving cryptocurrency mining and internal network\
    \ reconnaissance. The exploitation allowed attackers to deploy malicious tools\
    \ and conduct unauthorized activities within the network, ultimately compromising\
    \ system integrity and security. The exploitation facilitated unauthorized access\
    \ to the Ivanti Sentry server, allowing the execution of OS commands as a system\
    \ administrator using \"sudo.\" Observations revealed that suspicious SSL connections\
    \ over port 8433 led to HTTP GET requests, indicating the abuse of command-line\
    \ utilities like wget and cURL. "
  mapping_type: exploitation_technique
  references:
  - https://darktrace.com/fr/blog/entry-via-sentry-analyzing-the-exploitation-of-a-critical-vulnerability-in-ivanti-sentry
  - https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
  - https://www.mnemonic.io/resources/blog/threat-advisory-remote-code-execution-vulnerability-in-ivanti-sentry/
  - https://forums.ivanti.com/s/article/CVE-2023-38035-API-Authentication-Bypass-on-Sentry-Administrator-Interface?language=en_US
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: VMware Spring Cloud Gateway Code Injection Vulnerability
  capability_group: code_injection
  capability_id: CVE-2022-22947
  comments: "This vulnerability is exploited by a remote attacker via a code injection\
    \ attack to perform arbitrary remote code execution. CISA has linked this\
    \ vulnerability to adversary campaigns performed by Andariel to perform cyber\
    \ espionage via ransomware operations. \n"
  mapping_type: secondary_impact
  references:
  - https://portswigger.net/daily-swig/api-security-broken-access-controls-injection-attacks-plague-the-enterprise-security-landscape-in-2022
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: VMware Spring Cloud Gateway Code Injection Vulnerability
  capability_group: code_injection
  capability_id: CVE-2022-22947
  comments: "This vulnerability is exploited by a remote attacker via a code injection\
    \ attack to perform arbitrary remote code execution. CISA has linked this\
    \ vulnerability to adversary campaigns performed by Andariel to perform cyber\
    \ espionage via ransomware operations. \n"
  mapping_type: primary_impact
  references:
  - https://portswigger.net/daily-swig/api-security-broken-access-controls-injection-attacks-plague-the-enterprise-security-landscape-in-2022
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: VMware Spring Cloud Gateway Code Injection Vulnerability
  capability_group: code_injection
  capability_id: CVE-2022-22947
  comments: "This vulnerability is exploited by a remote attacker via a code injection\
    \ attack to perform arbitrary remote code execution. CISA has linked this\
    \ vulnerability to adversary campaigns performed by Andariel to perform cyber\
    \ espionage via ransomware operations. \n"
  mapping_type: exploitation_technique
  references:
  - https://portswigger.net/daily-swig/api-security-broken-access-controls-injection-attacks-plague-the-enterprise-security-landscape-in-2022
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Google Chromium libvpx Heap Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-5217
  comments: This vulnerability was exploited by a remote attacker using a crafted
    HTML page to trigger a heap buffer overflow in the vp8 encoding of libvpx, leading
    to heap corruption. This flaw was part of a spyware campaign. The exploitation
    allowed for program crashes or arbitrary code execution, ultimately resulting
    in the installation of spyware.
  mapping_type: primary_impact
  references:
  - https://techcrunch.com/2023/09/28/google-patches-zero-day-exploited-by-commercial-spyware-vendor/
  - https://securityaffairs.com/151625/hacking/google-fifth-chrome-zero-day-2023.html
  - https://thehackernews.com/2023/09/update-chrome-now-google-releases-patch.html
  - https://www.rapid7.com/db/vulnerabilities/google-chrome-cve-2023-5217/
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Google Chromium libvpx Heap Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-5217
  comments: This vulnerability was exploited by a remote attacker using a crafted
    HTML page to trigger a heap buffer overflow in the vp8 encoding of libvpx, leading
    to heap corruption. This flaw was part of a spyware campaign. The exploitation
    allowed for program crashes or arbitrary code execution, ultimately resulting
    in the installation of spyware.
  mapping_type: exploitation_technique
  references:
  - https://techcrunch.com/2023/09/28/google-patches-zero-day-exploited-by-commercial-spyware-vendor/
  - https://securityaffairs.com/151625/hacking/google-fifth-chrome-zero-day-2023.html
  - https://thehackernews.com/2023/09/update-chrome-now-google-releases-patch.html
  - https://www.rapid7.com/db/vulnerabilities/google-chrome-cve-2023-5217/
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Google Chromium Network Service Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2022-3038
  comments: This vulnerability has been exploited by a remote attacker to perform
    a sandbox escape via a crafted HTML page that allowed the attacker to exploit
    a heap corruption. This vulnerability was chained together with other CVEs during
    a spyware campaign performed by a customer or partner of a Spanish spyware company
    known as Variston IT.
  mapping_type: primary_impact
  references:
  - https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/
  - https://thehackernews.com/2023/09/new-libwebp-vulnerability-under-active.html
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Google Chromium Network Service Use-After-Free Vulnerability
  capability_group: use_after_free
  capability_id: CVE-2022-3038
  comments: This vulnerability has been exploited by a remote attacker to perform
    a sandbox escape via a crafted HTML page that allowed the attacker to exploit
    a heap corruption. This vulnerability was chained together with other CVEs during
    a spyware campaign performed by a customer or partner of a Spanish spyware company
    known as Variston IT.
  mapping_type: exploitation_technique
  references:
  - https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/
  - https://thehackernews.com/2023/09/new-libwebp-vulnerability-under-active.html
- attack_object_id: T1574
  attack_object_name: Hijack Execution Flow
  capability_description: Google Chromium WebRTC Heap Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-7024
  comments: This heap buffer overflow vulnerability is exploited by a remote attacker
    via a crafted HTML page. This vulnerability has been leveraged by the NSO group
    to enable remote code execution within a browser's WebRTC component to install
    the spyware Pegasus on victim endpoints.
  mapping_type: primary_impact
  references:
  - https://thehackernews.com/2024/02/global-coalition-and-tech-giants-unite.html
  - https://www.darkreading.com/cloud-security/google-eighth-zero-day-patch-2023-chrome
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Google Chromium WebRTC Heap Buffer Overflow Vulnerability
  capability_group: buffer_overflow
  capability_id: CVE-2023-7024
  comments: This heap buffer overflow vulnerability is exploited by a remote attacker
    via a crafted HTML page. This vulnerability has been leveraged by the NSO group
    to enable remote code execution within a browser's WebRTC component to install
    the spyware Pegasus on victim endpoints.
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2024/02/global-coalition-and-tech-giants-unite.html
  - https://www.darkreading.com/cloud-security/google-eighth-zero-day-patch-2023-chrome
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2022-29464
  comments: CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary
    can upload arbitrary files and, due to a directory traversal issue, write files
    to locations where they can then send commands. Adversaries have been seen to
    use this to mine cryptocurrency.
  mapping_type: secondary_impact
  references:
  - https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
  - https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2022-29464
  comments: CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary
    can upload arbitrary files and, due to a directory traversal issue, write files
    to locations where they can then send commands. Adversaries have been seen to
    use this to mine cryptocurrency.
  mapping_type: primary_impact
  references:
  - https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: WSO2 Multiple Products Unrestrictive Upload of File Vulnerability
  capability_group: unrestricted_upload
  capability_id: CVE-2022-29464
  comments: CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary
    can upload arbitrary files and, due to a directory traversal issue, write files
    to locations where they can then send commands. Adversaries have been seen to
    use this to mine cryptocurrency.
  mapping_type: exploitation_technique
  references:
  - https://www.trendmicro.com/en_us/research/22/e/patch-your-wso2-cve-2022-29464-exploited-to-install-linux-compatible-cobalt-strike-beacons-other-malware.html
  - https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Grafana Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-39226
  comments: "This authentication bypass vulnerability is exploited by both unauthenticated\
    \ and authenticated adversaries via the snapshot feature in Grafana. Attackers\
    \ have leveraged this vulnerability to access and manipulate snapshot data, potentially\
    \ leading to unauthorized data exposure and loss. Exploitation techniques have\
    \ not been publicly published. \n\nIn exploitation scenarios, adversaries can\
    \ view snapshots with the lowest database key by accessing specific paths, such\
    \ as /dashboard/snapshot/:key or /api/snapshots/:key. If the \"public_mode\" configuration\
    \ is set to true, unauthenticated users can also delete these snapshots using\
    \ the path /api/snapshots-delete/:deleteKey. This capability allows attackers\
    \ to enumerate and delete snapshot data, resulting in complete data loss."
  mapping_type: primary_impact
  references:
  - https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/#:~:text=Additionally%2C%20we%20provide%20insight%20into,well%20as%20through%20Cortex%20XDR.&text=Updated%20Sept.,that%20were%20listed%20in%20error.
  - https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Grafana Authentication Bypass Vulnerability
  capability_group: auth_bypass
  capability_id: CVE-2021-39226
  comments: "This authentication bypass vulnerability is exploited by both unauthenticated\
    \ and authenticated adversaries via the snapshot feature in Grafana. Attackers\
    \ have leveraged this vulnerability to access and manipulate snapshot data, potentially\
    \ leading to unauthorized data exposure and loss. Exploitation techniques have\
    \ not been publicly published. \n\nIn exploitation scenarios, adversaries can\
    \ view snapshots with the lowest database key by accessing specific paths, such\
    \ as /dashboard/snapshot/:key or /api/snapshots/:key. If the \"public_mode\" configuration\
    \ is set to true, unauthenticated users can also delete these snapshots using\
    \ the path /api/snapshots-delete/:deleteKey. This capability allows attackers\
    \ to enumerate and delete snapshot data, resulting in complete data loss."
  mapping_type: exploitation_technique
  references:
  - https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/#:~:text=Additionally%2C%20we%20provide%20insight%20into,well%20as%20through%20Cortex%20XDR.&text=Updated%20Sept.,that%20were%20listed%20in%20error.
  - https://grafana.com/blog/2021/10/05/grafana-7.5.11-and-8.1.6-released-with-critical-security-fix/
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-31166
  comments: "This memory corruption vulnerability is exploited by a remote, unauthenticated\
    \ attacker via crafted HTTP packets to a server that uses http.sys to process\
    \ packets. Adversaries may leverage this vulnerability to execute malicious code\
    \ on the OS kernel. This vulnerability has a proof of concept validating that\
    \ it can be wormable. However, exploitations in the wild linking to this type\
    \ of impact have not been published. \n\nThe North Korean state-backed hacker\
    \ group known as the Lazarus Group has been attributed to leveraging this vulnerability\
    \ in their attacks to gain initial access to Windows IIS servers. Once initial\
    \ access is gained, they have exploited the vulnerable system to perform data\
    \ theft, disrupt services, propagate malware, or conduct espionage or surveillance.\
    \ \n\n**team review - AttackerKB links Command and Scripting to this vulnerability,\
    \ but I have not found any threat reports linking this impact to an actual attack.\
    \ The only \"in the wild\" report I found was by SecureBlink linking it to the\
    \ Lazarus Group to gain initial access. Unsure what primary impact we can link\
    \ to here. "
  mapping_type: primary_impact
  references:
  - https://www.secureblink.com/cyber-security-news/lazarus-hacking-group-exploiting-vulnerable-windows-iis-web-servers
  - https://attackerkb.com/topics/pZcouFxeCW/cve-2021-31166/rapid7-analysis
  - https://therecord.media/poc-released-for-wormable-windows-iis-bug
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2021-31166
  comments: "This memory corruption vulnerability is exploited by a remote, unauthenticated\
    \ attacker via crafted HTTP packets to a server that uses http.sys to process\
    \ packets. Adversaries may leverage this vulnerability to execute malicious code\
    \ on the OS kernel. This vulnerability has a proof of concept validating that\
    \ it can be wormable. However, exploitations in the wild linking to this type\
    \ of impact have not been published. \n\nThe North Korean state-backed hacker\
    \ group known as the Lazarus Group has been attributed to leveraging this vulnerability\
    \ in their attacks to gain initial access to Windows IIS servers. Once initial\
    \ access is gained, they have exploited the vulnerable system to perform data\
    \ theft, disrupt services, propagate malware, or conduct espionage or surveillance.\
    \ \n\n**team review - AttackerKB links Command and Scripting to this vulnerability,\
    \ but I have not found any threat reports linking this impact to an actual attack.\
    \ The only \"in the wild\" report I found was by SecureBlink linking it to the\
    \ Lazarus Group to gain initial access. Unsure what primary impact we can link\
    \ to here. "
  mapping_type: exploitation_technique
  references:
  - https://www.secureblink.com/cyber-security-news/lazarus-hacking-group-exploiting-vulnerable-windows-iis-web-servers
  - https://attackerkb.com/topics/pZcouFxeCW/cve-2021-31166/rapid7-analysis
  - https://therecord.media/poc-released-for-wormable-windows-iis-bug
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Windows Runtime Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-21971
  comments: 'This vulnerability is exploited when an authenticated user is convinced
    by an attacker to download and open a specially crafted file from a website, which
    grants the attacker access to the victim''s computer. No articles have been released
    to the public showing that this vulnerability has been executed in the wild or
    provide any information on how an exploitation is carried out. '
  mapping_type: primary_impact
  references:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21971
  - https://www.securityweek.com/sap-vulnerability-exploited-attacks-after-details-disclosed-hacker-conferences/
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Microsoft Windows Runtime Remote Code Execution Vulnerability
  capability_group: code_execution
  capability_id: CVE-2022-21971
  comments: 'This vulnerability is exploited when an authenticated user is convinced
    by an attacker to download and open a specially crafted file from a website, which
    grants the attacker access to the victim''s computer. No articles have been released
    to the public showing that this vulnerability has been executed in the wild or
    provide any information on how an exploitation is carried out. '
  mapping_type: exploitation_technique
  references:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21971
  - https://www.securityweek.com/sap-vulnerability-exploited-attacks-after-details-disclosed-hacker-conferences/
- attack_object_id: T1190
  attack_object_name: Exploit Public-Facing Application
  capability_description: VMware Server Side Request Forgery in vRealize Operations
    Manager API
  capability_group: ssrf
  capability_id: CVE-2021-21975
  comments: This Server-Side Request Forgery (SSRF) vulnerability is exploited by
    an attacker with network access to the VMware server. This vulnerability enables
    the attacker to exploit an unauthenticated endpoint to send crafted requests to
    internal or external systems. By doing so, the attacker can potentially steal
    administrative credentials. Once these credentials are compromised, the attacker
    could gain maximum privileges within the application, enabling them to alter configurations
    and intercept sensitive data. This exploitation could lead to unauthorized access
    and manipulation of the application.
  mapping_type: exploitation_technique
  references:
  - https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975/rapid7-analysis
  - https://www.darkreading.com/vulnerabilities-threats/vmware-fixes-dangerous-vulnerabilities-in-software-for-infrastructure-monitoring
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Google Chromium Mojo Insufficient Data Validation Vulnerability
  capability_group: input_validation
  capability_id: CVE-2022-3075
  comments: "This data validation vulnerability is exploited by a remote attacker\
    \ who compromised the renderer process via a crafted HTML page to potentially\
    \ perform a sandbox escape. \n\nExploitation in the wild techniques have not been\
    \ published by Google. "
  mapping_type: exploitation_technique
  references:
  - https://thehackernews.com/2022/09/google-release-urgent-chrome-update-to.html
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Google Chrome Skia Integer Overflow Vulnerability
  capability_group: int_overflow
  capability_id: CVE-2023-2136
  comments: "This integer overflow vulnerability is exploited by a remote attacker\
    \ who has already compromised the renderer process of Google Chrome. Exploiting\
    \ this vulnerability might lead to incorrect rendering, memory corruption, and\
    \ arbitrary code execution that could grant the adversary unauthorized access\
    \ to the system. \n\nExploitation in the wild techniques have not been publicly\
    \ released to reduce further abuse. "
  mapping_type: exploitation_technique
  references:
  - https://www.bleepingcomputer.com/news/security/google-patches-another-actively-exploited-chrome-zero-day/
  - https://thehackernews.com/2023/04/google-chrome-hit-by-second-zero-day.html
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adobe Flash Player Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2012-0754
  comments: This vulnerability is exploited via a maliciously-crafted MP4 file. As
    a result of the exploit, malicious software is installed on the target machine.
  mapping_type: exploitation_technique
  references:
  - https://threatpost.com/attackers-target-cve-2012-0754-adobe-flash-bug-030512/76286/
- attack_object_id: T1105
  attack_object_name: Ingress Tool Transfer
  capability_description: Adobe Flash Player Memory Corruption Vulnerability
  capability_group: memory_corruption
  capability_id: CVE-2012-0754
  comments: This vulnerability is exploited via a maliciously-crafted MP4 file. As
    a result of the exploit, malicious software is installed on the target machine.
  mapping_type: primary_impact
  references:
  - https://threatpost.com/attackers-target-cve-2012-0754-adobe-flash-bug-030512/76286/
metadata:
  attack_version: '15.1'
  author: null
  capability_groups:
    access_ctrl: Improper Access Control
    auth_bypass: Authentication Bypass
    auth_missing: Missing Authentication
    buffer_overflow: Buffer Overflow
    code_execution: Code Execution
    code_injection: Code Injection
    command_execution: Command Execution
    command_injection: Command Injection
    default_cfg: Default Configuration
    dir_traversal: Directory Traversal (Relative and Absolute)
    dos: Denial of Service
    feature_bypass: Security Feature Bypass
    hardcoded_creds: Hard-coded Credentials
    inject: Other Injection
    input_validation: Input Validation
    int_overflow: Integer Overflow
    memory_corruption: Memory Corruption
    memory_mgmt: Memory Management
    oob: Out-of-Bounds (Read and Write)
    other: Other
    pointer_deref: Pointer Dereference
    pointer_vuln: Other Pointer Vulnerability
    priv_escalation: Privilege Escalation
    priv_mgmt: Improper Privilege Management
    race_condition: Race Condition
    resource_mgmt: Resource Management
    sandbox_bypass: Sandbox Bypass or Escape
    spoofing_vuln: Spoofing Vulnerability
    sql_injection: SQL Injection
    ssrf: Server-Side Request Forgery (SSRF)
    type_confusion: Type Confusion
    unrestricted_upload: Unrestricted File Upload
    untrusted_data: Deserialization of Untrusted Data
    use_after_free: Use After Free
    xss: Cross-site Scripting (XSS)
    xxe: XML External Entity (XXE)
  contact: null
  creation_date: 09/10/2024
  last_update: 02/11/2025
  mapping_framework: kev
  mapping_framework_version: 02/13/2025
  mapping_types:
    exploitation_technique:
      description: ''
      name: exploitation_technique
    primary_impact:
      description: ''
      name: primary_impact
    secondary_impact:
      description: ''
      name: secondary_impact
    uncategorized:
      description: ''
      name: uncategorized
  mapping_version: ''
  organization: null
  technology_domain: enterprise
