Exploit secure remote access: To gain initial access to networks, Chinese threat actors use seven different vulnerabilities, many of which also yield credentials that can be used to move further through the network.
– CVE-2019-1040: A scanner that checks for the CVE-2019-1040 vulnerability over SMB. The script establishes a connection to the target host(s) and sends an invalid NTLM authentication. https://github.com/fox-it/cve-2019-1040-scanner

Exploit public-facing servers: Attackers use these vulnerabilities to bypass authentication on web servers, email servers, or DNS servers and remotely execute commands on the internal network. Compromised web servers can also be used in watering-hole attacks against future visitors.
– CVE-2019-3396: A server-side template injection vulnerability in the Widget Connector of Atlassian Confluence Server allows remote attackers to perform remote code execution and path traversal. https://github.com/jas502n/CVE-2019-3396
– CVE-2019-11580: Attackers who can send requests to an Atlassian® Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, permitting remote code execution. This vulnerability was used in GandCrab ransomware attacks in the past. https://github.com/jas502n/CVE-2019-11580
– CVE-2019-18935: A vulnerability in Telerik UI for ASP.NET AJAX can lead to remote code execution. It was seen used by a hacker group named ‘Blue Mockingbird’ to install Monero miners on vulnerable servers, but it could be used to spread laterally as well. https://github.com/noperator/CVE-2019-18935