US CISA (Cybersecurity and Infrastructure Security Agency), FBI (Federal Bureau of Investigation), and NSA (the National Security Agency) issued a joint alert (AA22-011a) today (January 11, 2022), highlighting ongoing malicious cyber operations by Russian state-sponsored Advanced Persistent Threat (APT) actors. This joint advisory aims to assist the cybersecurity community in reducing the risk posed by these threats. In this blog, we share information about the simulation and mitigation of these attacks to help the cybersecurity community.
Vulnerabilities Used by Russian State-Sponsored Cyber Threats
Russian state-sponsored threat actors commonly gain initial access to target networks through well-established techniques, including spearphishing, brute force, and the exploitation of public-facing applications. Vulnerabilities known to be exploited for initial access by Russian state-sponsored APT actors include the following:
| CVE | Affected Product | Vulnerability Type | CVSS Score |
|---|---|---|---|
| CVE-2021-26855 | Microsoft Exchange | Remote Code Execution (RCE) | 9.8 Critical |
| CVE-2020-5902 | F5 Big-IP | Remote Code Execution (RCE) | 9.8 Critical |
| CVE-2020-4006 | VMWare | OS Command Injection | 9.1 Critical |
| CVE-2020-14882 | Oracle WebLogic | Remote Code Execution (RCE) | 9.8 Critical |
| CVE-2020-0688 | Microsoft Exchange | Remote Code Execution (RCE) | 8.8 High |
| CVE-2019-9670 | Zimbra software | XML External Entity injection (XXE) | 9.8 Critical |
| CVE-2019-7609 | Kibana | Code Injection | 10.0 Critical |
| CVE-2019-2725 | Oracle WebLogic Server | Remote Code Execution (RCE) | 9.8 Critical |
| CVE-2019-19781 | Citrix | Remote Code Execution (RCE) | 9.8 Critical |
| CVE-2019-1653 | Cisco router | Exposure of Sensitive Information | 7.5 High |
| CVE-2019-11510 | Pulse Secure | Remote Code Execution (RCE) | 9.8 Critical |
| CVE-2019-10149 | Exim Simple Mail Transfer Protocol | OS Command Injection | 9.8 Critical |
| CVE-2018-13379 | FortiGate VPNs | Path Traversal | 9.8 Critical |
Microsoft Exchange RCE Vulnerability (CVE-2021-26855):
Adversaries chain CVE-2021-26855 with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise the target Exchange server. In addition to Russian state-sponsored threat actors, the HAFNIUM group also uses these Microsoft Exchange Server vulnerabilities.
Example payload:
GET /owa/auth/x.js HTTP/1.1 …
F5 Big-IP RCE Vulnerability (CVE-2020-5902):
Threat actors have exploited this vulnerability in the BIG-IP Traffic Management User Interface (TMUI) to take control of target systems. CVE-2020-5902 allows attackers to execute arbitrary system commands and Java code, create or delete files, and disable services. This vulnerability is also commonly used by ransomware groups.
Example payload:
GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list%2Bauth%2Buser%2Badmin HTTP/1.1
VMWare OS Command Injection Vulnerability (CVE-2020-4006):
Russian state-sponsored APT groups exploit this command injection vulnerability in the VMware Access and VMware Identity Manager products, which gives threat actors access to protected data and lets them abuse federated authentication. Because the exploit requires password-based access to the web-based management interface of the device, employing a strong and unique password reduces the likelihood of exploitation.
Oracle WebLogic RCE Vulnerability (CVE-2020-14882):
This RCE vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware allows an unauthenticated attacker to compromise Oracle WebLogic Server.
Example payload:
POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
Microsoft Exchange RCE Vulnerability (CVE-2020-0688):
Microsoft Exchange Servers continue to be an appealing target for threat actors due to the CVE-2020-0688 remote code execution vulnerability in addition to CVE-2021-26855. A remote attacker can use this vulnerability to gain control of an unpatched system. The exploit payload of this vulnerability is among the stolen exploits from FireEye.
Example payload:
GET /ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=/wEytQYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc………pQGD/ytBljKq8XhAgchG HTTP/1.1
Zimbra XML External Entity injection (XXE) Vulnerability (CVE-2019-9670):
The CVE-2019-9670 XXE vulnerability in the mailboxd component in Synacor Zimbra Collaboration Suite allows attackers to upload a JSP webshell that can be triggered from the web server to get command execution on the target system. This vulnerability has recently been added to the Known Exploited Vulnerabilities Catalog of US CISA.
Example payload:
POST /autodiscover HTTP/1.1
Kibana Code Injection Vulnerability (CVE-2019-7609):
The CVE-2019-7609 code injection vulnerability in Kibana’s Timelion visualizer allows an attacker to execute arbitrary commands on the host under the same permissions as the vulnerable Kibana process. This is another vulnerability that has recently been added to the Known Exploited Vulnerabilities Catalog of US CISA.
Oracle WebLogic Server RCE Vulnerability (CVE-2019-2725):
A deserialization vulnerability in Oracle WebLogic Server is exploited by threat actors for unauthenticated remote code execution. This vulnerability was also used in a ransomware campaign of the ransomware group called Sodinokibi, also known as REvil.
Example payload:
POST /_async/AsyncResponseService HTTP/1.1
Citrix RCE Vulnerability (CVE-2019-19781):
A critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway was exploited for arbitrary code execution. Because the patch was released late, threat actors exploited the vulnerability for weeks. According to US CISA, once threat actors got a foothold on the victim’s network, their access persisted even after the original attack vector was closed.
Example payload:
GET /vpn/../vpns/cfg/smb.conf HTTP/1.1
Cisco Router Exposure of Sensitive Information Vulnerability (CVE-2019-1653):
More than 9000 Cisco RV320/RV325 routers were vulnerable to remote unauthenticated information disclosure, and when exploited together with CVE-2019-1652, it led to remote code execution with root privileges.
Pulse Secure RCE Vulnerability (CVE-2019-11510):
This arbitrary file read vulnerability is also exploited in the Sodinokibi ransomware campaign to obtain private keys and user passwords. When chained with CVE-2019-11539, it allowed attackers to gain remote access inside victims’ private VPN networks.
Example payload:
GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1
Exim SMTP OS Command Injection Vulnerability (CVE-2019-10149):
According to the NSA, Sandworm, a Russian APT group, exploited this vulnerability in their malware. The vulnerability in the Exim Mail Transfer Agent can be used to gain unauthenticated remote code execution with root privileges via specially crafted email.
FortiGate VPNs Path Traversal Vulnerability (CVE-2018-13379):
According to the FBI and US CISA, this vulnerability was exploited with other vulnerabilities (CVE-2020-12812 and CVE-2019-5591) to gain initial access to critical infrastructure networks by APT groups. Also, this vulnerability is used in the initial access stage of the Cring ransomware campaign.
Example payload:
GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1
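The example payloads above share a few request-level traits a defender can hunt for in web-server access logs: traversal sequences (including the `..;/` servlet-path variant used against TMUI), double URL-encoding (`%252e%252e%252f`), and reads of sensitive files such as `/etc/passwd`, `smb.conf` or `sslvpn_websession`. The following Python script is an added example, not code from the original post or from Picus; it normalizes each request target, flags those traits, and tags the hit with the CVE whose endpoint it touches. The endpoint map, the sample log lines and all function names are constructed for this example; the Exchange SSRF (CVE-2021-26855) is driven by cookies that an access log does not record, so it is not covered.

```python
import re
from urllib.parse import unquote

# Constructed for this example: vulnerable endpoints taken from the payloads
# discussed above, mapped to the CVE the post associates with each of them.
WATCHED_ENDPOINTS = {
    "CVE-2020-5902": "/tmui/",
    "CVE-2020-14882": "/console/",
    "CVE-2020-0688": "/ecp/default.aspx",
    "CVE-2019-9670": "/autodiscover",
    "CVE-2019-2725": "/_async/asyncresponseservice",
    "CVE-2019-19781": "/vpns/",
    "CVE-2019-11510": "/dana-na/",
    "CVE-2018-13379": "/remote/fgt_lang",
}

# Files the traversal payloads above try to read.
SENSITIVE_FILES = ("/etc/passwd", "smb.conf", "sslvpn_websession")

# Plain "../" and the "..;/" variant that servlet containers treat as a path segment.
TRAVERSAL = re.compile(r"\.\.;?/")

# Common/combined log format: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def normalize_target(target):
    """Percent-decode until the string stops changing (at most three rounds), so a
    double-encoded %252e%252e%252f ends up as ../ just like the single-encoded form.
    Returns the lowercased, slash-collapsed target and the number of decode rounds
    that changed it (2 or more means the request was double-encoded)."""
    current, rounds = target, 0
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    current = re.sub(r"/{2,}", "/", current.lower())
    return current, rounds


def inspect_request(src, method, target):
    """Return a finding dict for a suspicious request target, or None if it is clean."""
    path, rounds = normalize_target(target)
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("path traversal")
    if rounds > 1:
        reasons.append("double URL-encoding")
    reasons.extend(f"sensitive file {f}" for f in SENSITIVE_FILES if f in path)
    if not reasons:
        return None
    # Label the hit with the first watched endpoint present in the decoded target.
    cve = next((c for c, ep in WATCHED_ENDPOINTS.items() if ep in path), "unmapped")
    return {"src": src, "method": method, "target": target, "cve": cve, "reasons": reasons}


def scan_log(lines):
    """Run inspect_request over access-log lines; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _ts, method, target, status, _size = m.groups()
        finding = inspect_request(src, method, target)
        if finding:
            finding["status"] = int(status)
            findings.append(finding)
    return findings


# Constructed sample log: five requests shaped like the payloads above, then two
# ordinary requests (OWA logon page, plain TMUI login page) that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Jan/2022:10:00:01 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list%2Bauth%2Buser%2Badmin HTTP/1.1" 200 512',
    '203.0.113.11 - - [11/Jan/2022:10:00:02 +0000] "POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1" 200 2048',
    '203.0.113.12 - - [11/Jan/2022:10:00:03 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 700',
    '203.0.113.13 - - [11/Jan/2022:10:00:04 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1800',
    '203.0.113.14 - - [11/Jan/2022:10:00:05 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 900',
    '198.51.100.5 - - [11/Jan/2022:10:00:06 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 3400',
    '198.51.100.6 - - [11/Jan/2022:10:00:07 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} {f['cve']} status={f['status']} :: {', '.join(f['reasons'])}")
```

A 200 status on one of these hits is the signal to escalate: it means the traversal was served, not blocked, and the host should be checked against the prevention signatures listed later in the post.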
Malware Used by Russian State-Sponsored Cyber Threats
Russian state-sponsored APT actors also use destructive malware to target operational technology (OT) / industrial control systems (ICS) networks, including the following malware targeting critical infrastructure:
| Malware | Type | APT Group | Known Attacks |
|---|---|---|---|
| BlackEnergy | Backdoor & Destructive | Sandworm (Electrum, Voodoo Bear) | Ukraine’s power grid in December 2015 |
| CrashOverride (Industroyer) | Backdoor & Destructive | Sandworm (Electrum, Voodoo Bear) | Ukraine’s power grid in December 2016 |
| HatMan (TRITON, TRISIS) | Backdoor & Destructive | XENOTIME (TEMP.Veles) | Saudi Arabian petrochemical plant in 2017 |
| Havex (Backdoor.Oldrea) | Remote Access Trojan (RAT) | Dragonfly (Energetic Bear, TG-4192) | Energy and petrochemical companies in the United States and Europe |
| KillDisk | Destructive | Sandworm (Electrum, Voodoo Bear) | Ukraine’s power grid in December 2015 |
| NotPetya | Destructive | Sandworm (Electrum, Voodoo Bear) | Worldwide attack campaign in 2017, Merck in 2019 |
Some malware families targeting critical infrastructure (e.g., NotPetya) are self-propagating (wormable) and initially infected IT networks, but through either vulnerability exploitation or dynamic credential capture-and-reuse capabilities, spread to industrial networks producing significant impacts.
How Picus Helps Simulate Exploits Used by Russian State-Sponsored APTs
If you know the particular TTPs employed by adversaries in a cyberattack, you can apply the Adversary Emulation Process recommended by MITRE ATT&CK. This process consists of collecting threat intelligence, extracting techniques, developing tools, and executing attack simulations to emulate the adversary. For example, you can use the payloads given above to simulate the exploitation of the relevant vulnerability.
The adversary emulation process can be managed by your red team in collaboration with your blue team. Suppose your red team is unavailable or too busy. In that case, the blue team can either do the adversary emulation process independently or use a Breach and Attack Simulation (BAS) product. Breach and Attack Simulation (BAS) is a collection of technologies designed to test cybersecurity systems against realistic attack scenarios to reveal defense gaps and detection shortcomings before an attack or an incident occurs.
[Figure: Adversary Emulation Process recommended by MITRE ATT&CK]
The Picus Complete Security Validation Platform includes the following threats for vulnerabilities used by threat actors targeting critical infrastructure. Moreover, it contains 1,500+ vulnerability exploitation and endpoint attacks in addition to 11,000+ other threats as of today.
| CVE | Picus Threat Name |
|---|---|
| CVE-2021-26855 | Microsoft Exchange Server Unauthorized SSRF Vulnerability Variant-1 |
| CVE-2021-26855 | Microsoft Exchange Server Unauthorized SSRF Vulnerability Variant-2 |
| CVE-2020-5902 | F5 BIG-IP Remote Code Execution (RCE) Vulnerability |
| CVE-2020-5902 | F5 BIG-IP Local File Inclusion (LFI) Vulnerability |
| CVE-2020-14882 | Oracle Weblogic Server Unauthorized Bypass RCE Variant-1 |
| CVE-2020-14882 | Oracle Weblogic Server Unauthorized Bypass RCE Variant-2 |
| CVE-2020-14882 | Oracle Weblogic Server Unauthorized Bypass RCE Variant-3 |
| CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution (RCE) Vulnerability |
| CVE-2019-9670 | Zimbra 'Client Upload Servlet' File Upload to Code Execution Vulnerability |
| CVE-2019-9670 | Zimbra 'mailboxd' XML External Entity Injection (XXE) Vulnerability |
| CVE-2019-2725 | Oracle Weblogic Server 'AsyncResponseService' Deserialization RCE Variant-1 |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway Path Traversal Vulnerability Variant-1 |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway Path Traversal Vulnerability Variant-2 |
| CVE-2019-11510 | Pulse Secure SSL VPN Arbitrary File Read Variant-1 |
| CVE-2019-10149 | Exim Privilege Escalation .SH File Download Variant-1 |
| CVE-2018-13379 | Fortinet FortiGate SSL VPN Arbitrary File Read Variant-1 |
See Picus in Action
We strongly suggest simulating vulnerability exploits to test the effectiveness of your security controls against cyber attacks, determine gaps, and utilize prevention signatures to fill your security gaps using the Picus Security Control Validation Platform.
Just click Start to see how you can simulate an example vulnerability exploitation attack (CVE-2021-26855 Microsoft Exchange Server) and obtain prevention signatures using Picus with just a few clicks.
How Picus Helps Simulate Malware Used by Russian State-Sponsored APTs
Picus can also simulate all malware used by Russian state-sponsored APTs with the following threats in its Threat Library. In addition, the Picus Threat Library includes 7,000+ malware attacks.
| Malware | Picus Threat Name |
|---|---|
| BlackEnergy | BlackEnergy Backdoor Malware .EXE File Download Variant-1 |
| BlackEnergy | BlackEnergy Backdoor Malware .EXE File Download Variant-2 |
| BlackEnergy | BlackEnergy Malware Attack Scenario |
| CrashOverride (Industroyer) | CrashOverride Malware .DLL File Download Variant-1 |
| CrashOverride (Industroyer) | CrashOverride Trojan .EXE File Download Variant-1 |
| CrashOverride (Industroyer) | CrashOverride Trojan .EXE File Download Variant-2 |
| CrashOverride (Industroyer) | CrashOverride Trojan .EXE File Download Variant-3 |
| HatMan (TRITON, TRISIS) | HatMan Malware .PYC File Download Variant-1 |
| HatMan (TRITON, TRISIS) | HatMan Malware .PYC File Download Variant-2 |
| HatMan (TRITON, TRISIS) | HatMan Malware .PYC File Download Variant-3 |
| HatMan (TRITON, TRISIS) | HatMan Malware .PYC File Download Variant-4 |
| HatMan (TRITON, TRISIS) | HatMan Malware .PYC File Download Variant-5 |
| Havex (Backdoor.Oldrea) | Havex Trojan .EXE File Download Variant-1 |
| Havex (Backdoor.Oldrea) | Havex Trojan .EXE File Download Variant-2 |
| Havex (Backdoor.Oldrea) | Havex Trojan .EXE File Download Variant-3 |
| Havex (Backdoor.Oldrea) | Havex Trojan .EXE File Download Variant-4 |
| Havex (Backdoor.Oldrea) | Havex Trojan .EXE File Download Variant-5 |
| Havex (Backdoor.Oldrea) | Havex Trojan .EXE File Download Variant-6 |
| Havex (Backdoor.Oldrea) | Havex Trojan .EXE File Download Variant-7 |
| KillDisk | KillDisk Ransomware .EXE File Download Variant-1 |
| KillDisk | KillDisk Ransomware .EXE File Download Variant-2 |
| KillDisk | KillDisk Ransomware .EXE File Download Variant-3 |
| KillDisk | KillDisk Ransomware .EXE File Download Variant-4 |
| KillDisk | KillDisk Ransomware .EXE File Download Variant-5 |
| NotPetya | Petya Ransomware .EXE File Download Variant-1 |
| NotPetya | Petya Ransomware .EXE File Download Variant-2 |
| NotPetya | Petya Ransomware (EternalBlue) .DLL File Download Variant-1 |
| NotPetya | Petya Ransomware (EternalBlue) .DLL File Download Variant-2 |
| NotPetya | Petya Ransomware (EternalBlue) Using Mimikatz Hacktool .EXE File Download Variant-1 |
| NotPetya | Petya Ransomware (EternalBlue) Using Mimikatz Hacktool .EXE File Download Variant-2 |
How Picus Helps Prevent Attacks of Advanced Persistent Threats (APTs)
In addition to Breach and Attack Simulation, Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for preventive security controls that address the following vulnerabilities used by APT groups, as well as other vulnerability exploitation attacks.
Prevention Signatures for CVE-2021-26855 Microsoft Exchange RCE Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Cisco Firepower NGFW | 57241 | SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt |
| Cisco Firepower NGFW | 57242 | SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt |
| Cisco Firepower NGFW | 57244 | SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt |
| Citrix Web App Firewall | 999311 | web-misc microsoft exchange server - remote code execution vulnerability via x-anonresource-backend (cve-2021-26855) |
| Citrix Web App Firewall | 999312 | web-misc microsoft exchange server - remote code execution vulnerability via x-beresource (cve-2021-26855) |
| F5 BIG-IP ASM | 200018127 | Microsoft Exchange X-BEResource SSRF |
| F5 BIG-IP ASM | 200018128 | Microsoft Exchange X-AnonResource-Backend SSRF |
| Forcepoint NGFW | HTTP_CSH-Microsoft-Exchange-Server-SSRF-Vulnerability-CVE-2021-26855 | |
| FortiGate NGFW | 49950 | email: MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution |
| Imperva SecureSphere | CVE-2021-26855: Exchange Server HAFNIUM SSRF - X-BEResource Cookie | |
| Imperva SecureSphere | CVE-2021-26855: Exchange Server HAFNIUM SSRF - X-AnonResource-Backend Cookie | |
| McAfee IPS | 0x4528a400 | HTTP: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855) |
| Snort IPS | 57241 | SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt |
| Snort IPS | 57242 | SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt |
| Snort IPS | 57244 | SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt |
| TippingPoint TPS | 39101 | HTTP: Microsoft Exchange Server Side Request Forgery Vulnerability |
Prevention Signatures for CVE-2020-5902 F5 Big-IP RCE Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | asm_dynamic_prop_CVE_2020_5902 | F5 BIG-IP Remote Code Execution (CVE-2020-5902) |
| Cisco Firepower NGFW | 1599 | SERVER-WEBAPP Multiple Vendor server file disclosure attempt |
| Cisco Firepower NGFW | 54462 | SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt |
| Citrix Web App Firewall | 999540 | web-misc f5 big-ip - traffic management user interface rce vulnerability via /tmui (cve-2020-5902) |
| F5 BIG-IP ASM | 200003909 | "/etc/passwd" access (Parameter) |
| F5 BIG-IP ASM | 200007032 | Directory Traversal attempt '.;' (URI) |
| F5 BIG-IP ASM | 200007041 | Tomcat Directory Traversal attempt |
| F5 BIG-IP ASM | 200010175 | "/etc/passwd" access (2) (Parameter) |
| F5 BIG-IP ASM | 200015110 | BIG-IP TMUI Remote Code Execution |
| Forcepoint NGFW | | HTTP_CRL-F5-Networks-Big-IP-TMUI-Directory-Traversal-CVE-2020-5902 |
| Forcepoint NGFW | | HTTP_CSU-Potential-System-File-Disclosure |
| FortiGate NGFW | 49330 | applications3: F5.BIG.IP.Traffic.Management.User.Interface.Directory.Traversal |
| FortiWeb Web Application Security | 90501141 | Known Exploits |
| Imperva SecureSphere | | WEB-MISC /etc/passwd |
| McAfee IPS | 0x4020af00 | HTTP: Attempt to Read Password File |
| ModSecurity | 930110 | Path Traversal Attack (/../) |
| ModSecurity | 930120 | OS File Access Attempt |
| ModSecurity | 932160 | Remote Command Execution: Unix Shell Code Found |
| Palo Alto Networks NGFW | 58623 | F5 Traffic Management User Interface Remote Code Execution Vulnerability |
| Snort IPS | 1599 | SERVER-WEBAPP Multiple Vendor server file disclosure attempt |
| Snort IPS | 54462 | SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt |
| TippingPoint TPS | 361 | HTTP: Protected File Access (/etc/passwd) |
| TippingPoint TPS | 38609 | HTTP: .jsp Directory Traversal Usage |
Prevention Signatures for CVE-2020-14882 Oracle WebLogic RCE Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Citrix Web App Firewall | 999408 | web-misc oracle weblogic server - authentication bypass vulnerability (cve-2020-14882, cve-2020-14750) |
| F5 BIG-IP ASM | 200003437 | Java code injection - java/lang/Runtime (Parameter) |
| F5 BIG-IP ASM | 200003443 | Java code injection - Runtime.getRuntime (Parameter) |
| F5 BIG-IP ASM | 200004152 | Java Code Injection (java packages) (Params) |
| F5 BIG-IP ASM | 200004758 | Java code injection - com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext (Parameter) |
| F5 BIG-IP ASM | 200004760 | Java code injection - com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext |
| F5 BIG-IP ASM | 200004816 | Java code injection - support.FileSystemXmlApplicationContext (2) (Parameter) |
| F5 BIG-IP ASM | 200004818 | Java code injection - support.FileSystemXmlApplicationContext (2) |
| Forcepoint NGFW | | HTTP_CRL-Oracle-WebLogic-Server-CVE-2020-14882 |
| FortiGate NGFW | 49590 | web_server: Oracle.WebLogic.Fusion.Middleware.Authentication.Bypass |
| FortiWeb Web Application Security | 50170001 | Generic Attacks |
| FortiWeb Web Application Security | 60140003 | Generic Attacks(Extended) |
| FortiWeb Web Application Security | N/A | SQL Function Based Boolean Injection |
| Imperva SecureSphere | | CVE-2020-14882: Oracle WebLogic Server RCE |
| McAfee IPS | 0x45285200 | HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability |
| ModSecurity | 930100 | Path Traversal Attack (/../) |
| ModSecurity | 930110 | Path Traversal Attack (/../) |
| ModSecurity | 944130 | Suspicious Java class detected |
| ModSecurity | 944250 | Remote Command Execution: Suspicious Java method detected |
| Palo Alto Networks NGFW | 59940 | Oracle WebLogic Server Remote Code Execution Vulnerability |
| Snort IPS | 56203 | SERVER-WEBAPP Oracle WebLogic Server command injection attempt |
| Snort IPS | 2031185 | ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M3 (CVE-2020-14882) |
| TippingPoint TPS | 38380 | HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability |
Prevention Signatures for CVE-2020-0688 Microsoft Exchange RCE Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Cisco Firepower NGFW | 53347 | SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt |
| Cisco Firepower NGFW | 1533821 | SERVER-WEBAPP Microsoft Exchange Control Panel static viewstate key use attempt |
| Cisco Firepower NGFW | 1533831 | SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt |
| Citrix Web App Firewall | 999653 | web-misc microsoft exchange server - validation key remote code execution vulnerability (cve-2020-0688) |
| F5 BIG-IP ASM | 200104092 | ASP.NET code injection - Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties (Parameter) |
| Forcepoint NGFW | HTTP_CRL-Microsoft-Exchange-Validation-Key-Remote-Code-Execution | |
| FortiGate NGFW | 48765 | applications3: MS.Exchange.Validation.Key.ViewState.Remote.Code.Execution |
| FortiWeb Web Application Security | 90501065 | Known Exploits |
| Palo Alto Networks NGFW | 57766 | Microsoft Exchange Remote Code Execution Vulnerability |
| Snort IPS | 53347 | SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt |
| Snort IPS | 53382 | SERVER-WEBAPP Microsoft Exchange Control Panel static viewstate key use attempt |
| Snort IPS | 53383 | SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt |
| Snort IPS | 202954 | ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688) |
Prevention Signatures for CVE-2019-9670 Zimbra XXE Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Cisco Firepower NGFW | 45834 | SERVER-WEBAPP /bin/sh access |
| Citrix Web App Firewall | Blocked by 'HTML Cross-Site Scripting' Security Check | |
| FortiGate NGFW | 47774 | applications3: Zimbra.Collaboration.Autodiscover.Servlet.XXE |
| Palo Alto Networks NGFW | 54794 | Meterpreter JSP Reverse Shell Detection |
Prevention Signatures for CVE-2019-7609 Kibana Code Injection Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | Kibana Timelion Remote Code Execution (CVE-2019-7609) | |
| Cisco Firepower NGFW | 52835 | SERVER-WEBAPP Kibana Timelion prototype pollution code execution attempt |
| Citrix Web App Firewall | 999793 | WEB-MISC Elastic Kibana Prior to 5.6.15 and 6.6.1 - Prototype Pollution Vulnerability Allows Unauthenticated RCE (CVE-2019-7609) |
| Forcepoint NGFW | HTTP_CRL-Elastic-Kibana-Timelion-Prototype-Pollution | |
| FortiGate NGFW | 48501 | Elastic.Kibana.Timelion.Code.Injection |
| McAfee IPS | 0x45272500 | HTTP: Elastic Kibana Timelion Prototype Pollution Vulnerability (CVE-2019-7609) |
| Palo Alto Networks NGFW | 56835 | Kibana Timelion Remote Code Execution Vulnerabilitiy |
| Snort IPS | 2033452 | ET WEB_SPECIFIC_APPS Kibana Prototype Pollution RCE Inbound (CVE-2019-7609) |
Prevention Signatures for CVE-2019-2725 Oracle WebLogic Server RCE Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | asm_dynamic_prop_CVE_2019_2725 | Oracle WebLogic Server Remote Code Execution (CVE-2019-2725) |
| Cisco Firepower NGFW | 49942 | SERVER-ORACLE Oracle WebLogic Server remote command execution attempt |
| Cisco Firepower NGFW | 50019 | SERVER-ORACLE Oracle WebLogic Server remote command execution attempt |
| Cisco Firepower NGFW | 50025 | SERVER-ORACLE Oracle WebLogic Server remote command execution attempt |
| FortiGate NGFW | 47799 | web_server: Oracle.WebLogic.Server.wls9_async.Component.Code.Injection |
| McAfee IPS | 0x45262000 | HTTP: Oracle WebLogic Server Deserialization Vulnerability (CVE-2019-2725/2729) |
| ModSecurity | 944100 | Remote Command Execution: Suspicious Java class detected |
| ModSecurity | 944110 | Remote Command Execution: Java process spawn (CVE-2017-9805) |
| ModSecurity | 944130 | Suspicious Java class detected |
| ModSecurity | 944250 | Remote Command Execution: Suspicious Java method detected |
| Palo Alto Networks NGFW | 55570 | Oracle WebLogic wls9-async Remote Code Execution Vulnerability |
| Snort IPS | 49942 | SERVER-ORACLE Oracle WebLogic Server remote command execution attempt |
| Snort IPS | 50019 | SERVER-ORACLE Oracle WebLogic Server remote command execution attempt |
| Snort IPS | 50025 | SERVER-ORACLE Oracle WebLogic Server remote command execution attempt |
| TippingPoint TPS | 35085 | HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability |
Prevention Signatures for CVE-2019-19781 Citrix RCE Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | asm_dynamic_prop_CVE_2019_19781 | Citrix Multiple Products Directory Traversal (CVE-2019-19781) |
| Cisco Firepower NGFW | 52512 | SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt |
| Cisco Firepower NGFW | 52603 | SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt |
| F5 BIG-IP ASM | 200003139 | "exec" execution attempt |
| F5 BIG-IP ASM | 200004161 | PHP injection attempt (exec) |
| F5 BIG-IP ASM | 200004998 | Citrix NetScaler NSC_USER Remote Code Execution |
| F5 BIG-IP ASM | 200007011 | Directory Traversal attempt "../" (Header) |
| F5 BIG-IP ASM | 200007029 | Directory Traversal attempt "../" (URI) |
| F5 BIG-IP ASM | 200010036 | (GHDB) Smb.conf access |
| F5 BIG-IP ASM | 200101550 | Directory Traversal attempt (Content) |
| Forcepoint NGFW | HTTP_CRL-Citrix-Path-Traversal-CVE-2019-19781 | |
| FortiGate NGFW | 48653 | applications3: Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal |
| FortiWeb Web Application Security | 90501033 | Known Exploits |
| Imperva SecureSphere | CVE-2019-19781: Citrix ADC/Gateway Remote Code Execution | |
| McAfee IPS | 0x40200c00 | HTTP: CGI Escape Character Directory Traversal Vulnerability |
| McAfee IPS | 0x4515b100 | HTTP: CGI Escape Character Directory Traversal II |
| McAfee IPS | 0x45272800 | HTTP: Citrix ADC Arbitrary Code Execution Vulnerability (CVE-2019-19781) |
| ModSecurity | 930100 | Path Traversal Attack (/../) |
| ModSecurity | 930110 | Path Traversal Attack (/../) |
| Palo Alto Networks NGFW | 57497 | Citrix Application Delivery Controller And Gateway Directory Traversal Vulnerability |
| Snort IPS | 52512 | SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt |
| Snort IPS | 52603 | SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt |
| Snort IPS | 2029206 | ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) |
| Snort IPS | 2029255 | ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2 |
| TippingPoint TPS | 36876 | HTTP: Citrix Application Delivery Controller (ADC) Directory Traversal Vulnerability |
Prevention Signatures for CVE-2019-1653 Cisco Router Exposure of Sensitive Information Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | Cisco RV320 and RV325 Routers Information Disclosure (CVE-2019-1653) | |
| Cisco Firepower NGFW | 48949 | SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt |
| Cisco Firepower NGFW | 49619 | SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt |
| Forcepoint NGFW | HTTP_CRL-Cisco-RV320-And-RV325-Unauthenticated-Remote-Code-Execution | |
| FortiWeb Web Application Security | 90500765 | Known Exploits |
| McAfee IPS | 0x4525a200 | HTTP: Cisco RV320 And RV325 Routers Information Disclosure Vulnerability (CVE-2019-1653) |
| Palo Alto Networks NGFW | 55025 | Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability |
| Palo Alto Networks NGFW | 55821 | Cisco RV320/RV325 Router Unauthenticated Configuration Export Information Disclosure Vulnerability |
| Snort IPS | 2033089 | ET EXPLOIT Cisco RV320/RV325 Config Disclosure Attempt Inbound (CVE-2019-1653) |
| Snort IPS | 2033090 | ET EXPLOIT Successful Cisco RV320/RV325 Config Disclosure (CVE-2019-1653) |
| Snort IPS | 2033091 | ET EXPLOIT Cisco RV320/RV325 Debug Dump Disclosure Attempt Inbound (CVE-2019-1653) |
| Snort IPS | 2033092 | ET EXPLOIT Successful Cisco RV320/RV325 Debug Dump Disclosure (CVE-2019-1653) |
| Snort IPS | 2034278 | ET EXPLOIT Cisco RV320/RV325 RCE (CVE-2019-1653) |
Prevention Signatures for CVE-2019-11510 Pulse Secure RCE Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | asm_dynamic_prop_CVE_2019_11510 | Pulse Connect Secure File Disclosure (CVE-2019-11510) |
| Cisco Firepower NGFW | 51288 | SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt |
| Cisco Firepower NGFW | 51289 | SERVER-WEBAPP Pulse Secure SSL VPN directory traversal attempt |
| Citrix Web App Firewall | 1122 | web-misc /etc/passwd |
| F5 BIG-IP ASM | 200003056 | "/etc" execution attempt (URI) |
| F5 BIG-IP ASM | 200007029 | Directory Traversal attempt "../" (URI) |
| F5 BIG-IP ASM | 200010468 | "/etc/passwd" access (URI) |
| F5 BIG-IP ASM | 200101550 | Directory Traversal attempt (Content) |
| Forcepoint NGFW | HTTP_CSU-Pulse-Secure-SSL-VPN-Pre-Auth-Arbitrary-File-Reading | |
| Forcepoint NGFW | HTTP_CSU-Dot-Dot-Slash-Dot-Dot-Slash-Dot-Dot-Directory-Traversal | |
| FortiGate NGFW | 48342 | applications3: Pulse.Secure.SSL.VPN.HTML5.Information.Disclosure |
| FortiWeb Web Application Security | 50180003 | Generic Attacks |
| Imperva SecureSphere | WEB-MISC /etc/passwd | |
| Imperva SecureSphere | Directory Traversal - 16 | |
| McAfee IPS | 0x40200c00 | HTTP: CGI Escape Character Directory Traversal Vulnerability |
| McAfee IPS | 0x4020af00 | HTTP: Attempt to Read Password File |
| McAfee IPS | 0x40286200 | HTTP: Possible Sensitive Files I |
| Palo Alto Networks NGFW | 30844 | HTTP Directory Traversal Request Attempt |
| Snort IPS | 51288 | SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt |
| Snort IPS | 51289 | SERVER-WEBAPP Pulse Secure SSL VPN directory traversal attempt |
| TippingPoint TPS | 36241 | HTTP: Pulse Secure Guacamole URI Information Disclosure Vulnerability |
Prevention Signatures for CVE-2019-10149 Exim SMTP OS Command Injection Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Forcepoint NGFW | File_Malware-Blocked | |
Prevention Signatures for CVE-2018-13379 FortiGate VPNs Path Traversal Vulnerability
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Check Point NGFW | asm_dynamic_prop_CVE_2018_13379 | Fortinet FortiOS SSL VPN Directory Traversal (CVE-2018-13379) |
| Cisco Firepower NGFW | 5137 | SERVER-WEBAPP Fortinet FortiOS SSL VPN web portal directory traversal attempt |
| F5 BIG-IP ASM | 200000190 | Directory Traversal attempt "../../" (Parameter) |
| F5 BIG-IP ASM | 200007016 | Directory Traversal attempt "../" (Parameter) |
| F5 BIG-IP ASM | 200101550 | Directory Traversal attempt (Content) |
| Forcepoint NGFW | HTTP_CRL-Fortinet-FortiOS-Path-Traversal-CVE-2018-13379 | |
| Forcepoint NGFW | HTTP_CSU-Dot-Dot-Slash-Dot-Dot-Slash-Dot-Dot-Directory-Traversal | |
| FortiGate NGFW | 48321 | applications3: FortiOS.SSL.VPN.Web.Portal.Pathname.Information.Disclosure |
| FortiWeb Web Application Security | 50180003 | Generic Attacks |
| Imperva SecureSphere | Directory Traversal - 3 | |
| Imperva SecureSphere | Directory Traversal - 6 | |
| Imperva SecureSphere | Directory Traversal - 555501307 | |
| Imperva SecureSphere | Directory Traversal - 1 | |
| Imperva SecureSphere | Directory Traversal - 8 | |
| McAfee IPS | 0x45274900 | HTTP: FortiOS SSL VPN Arbitrary File Read Vulnerability (CVE-2018-13379) |
| ModSecurity | 930100 | Path Traversal Attack (/../) |
| ModSecurity | 930110 | Path Traversal Attack (/../) |
| Palo Alto Networks NGFW | 30844 | HTTP Directory Traversal Request Attempt |
| Snort IPS | 5137 | SERVER-WEBAPP Fortinet FortiOS SSL VPN web portal directory traversal attempt |
| Snort IPS | 2027883 | ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379) |
| TippingPoint TPS | 36087 | HTTP: Fortinet FortiOS lang Directory Traversal Vulnerability |