CVE-2013-3900
Published 2013-12-11
Priority P1 · 86 · high · 8.8 CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, due 2022-07-10
Exploited in the wild
EPSS: 44.65% (98.6th percentile)
Why is Microsoft republishing a CVE from 2013?
We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, except for clarifications about how to configure the EnableCertPaddingCheck registry value, the information herein remains unchanged from the original text published on December 10, 2013.
Microsoft does not plan to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. This behavior remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013. This includes all currently supported versions of Windows 10 and Windows 11. The supporting code for this reg key was incorporated at the time of release for Windows 10 and Windows 11, so no security update is required; however, the reg key must be set. See the Security Updates table for the list of affected software.
Vulnerability Description
A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker c
Affected
36 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_version_1507 | — | — |
| microsoft | windows_10_version_1607 | — | — |
| microsoft | windows_10_version_1809 | — | — |
| microsoft | windows_10_version_21h2 | — | — |
| microsoft | windows_10_version_22h2 | — | — |
| microsoft | windows_11_version_21h2 | — | — |
| microsoft | windows_11_version_22h2 | — | — |
| microsoft | windows_11_version_22h3 | — | — |
| microsoft | windows_11_version_23h2 | — | — |
| microsoft | windows_11_version_24h2 | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2008_r2_service_pack_1 | — | — |
| microsoft | windows_server_2008_service_pack_2 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012_r2 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2019 | — | — |
| microsoft | windows_server_2022 | — | — |
| microsoft | windows_server_2025 | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
Detection & IOCs (extracted from sources)
- Look for mshta.exe being invoked with a DLL file as its parameter (e.g., appContast.dll or reboot.dll), which is the execution mechanism for the CVE-2013-3900-abusing Zloader payloads.
- Detect regsvr32.exe loading 9092.dll or zoom.dll from %appdata% subdirectories as a persistence/execution indicator for Zloader.
- Hunt for DLL sideloading patterns where OFFCLN.EXE (legitimate Microsoft app) loads OCLEAN.DLL from the same directory, followed by access to a Microsoft-signed DLL (DWINTL.DLL) with appended data after the signature section.
- Hunt for GoogleToolbarNotifier.exe sideloading GTN.dll, which then reads espui.dll, a signed DLL with a CVE-2013-3900-abused appended encrypted payload.
- For the 3CX supply chain attack: detect ffmpeg.dll scanning d3dcompiler_47.dll for the 'fe ed fa ce' byte sequence, which marks the start of the appended encrypted shellcode exploiting CVE-2013-3900.
- Detect 3CXDesktopApp.exe loading ffmpeg.dll, which in turn reads d3dcompiler_47.dll; this three-file chain is the hallmark of the 3CX supply chain attack abusing CVE-2013-3900.
- Flag PE files (DLLs/EXEs) where the file checksum and signature size fields have been modified and data has been appended beyond the Authenticode signature boundary, the core technique of CVE-2013-3900 exploitation.
- Monitor for the WScriptSleeper.vbs file written to the %temp% directory as an indicator of the Zloader infection chain.
- The EnableCertPaddingCheck registry key fix for CVE-2013-3900 is opt-in and disabled by default on all Windows versions, including Windows 10 and 11. It must be manually set to enforce stricter Authenticode verification.
- For Windows 10 and Windows 11, no security update is required to get the EnableCertPaddingCheck support (the code is already present), but the registry key must still be explicitly configured.
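The appended-data technique flagged in the list above (a PE whose certificate table has been enlarged so that non-zero bytes sit past the end of the PKCS#7 blob) can be checked offline with a small parser. The Python below is an added example written for this page, not code from Microsoft or any of the vendors cited here; `build_sample_pe` and `SAMPLE_PKCS7` are constructed test scaffolding standing in for a real signed file and are not a valid Authenticode signature.

```python
import struct

PKCS_SIGNED_DATA = 0x0002   # WIN_CERTIFICATE.wCertificateType for Authenticode PKCS#7
SECURITY_DIR_INDEX = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY

def _der_sequence_length(blob: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE (tag 0x30), or -1 if malformed.
    A PKCS#7 SignedData blob is one SEQUENCE, so this marks where the signature ends."""
    if len(blob) < 2 or blob[0] != 0x30:
        return -1
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def security_directory(pe: bytes):
    """(file_offset, size) of the attribute certificate table, or None if absent.
    Unlike other data directories, the security entry holds a raw file offset."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                    # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                  # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    if struct.unpack_from("<I", pe, nrva_off)[0] <= SECURITY_DIR_INDEX:
        return None
    off, size = struct.unpack_from("<II", pe, dirs_off + 8 * SECURITY_DIR_INDEX)
    return (off, size) if size else None

def check_cert_padding(pe: bytes) -> list:
    """Apply the EnableCertPaddingCheck rule offline: every byte of the certificate
    table that is not part of the DER-encoded PKCS#7 must be zero. Empty list == clean."""
    sec = security_directory(pe)
    if sec is None:
        return ["no Authenticode certificate table"]
    off, size = sec
    end = off + size
    if end > len(pe):
        return ["certificate table extends past end of file"]
    findings = []
    if end != len(pe):
        findings.append("data present after the certificate table")
    pos = off
    while pos < end:
        if end - pos < 8:
            findings.append("truncated WIN_CERTIFICATE header")
            break
        dw_len, _rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if dw_len < 8 or pos + dw_len > end:
            findings.append("WIN_CERTIFICATE dwLength out of range")
            break
        body = pe[pos + 8:pos + dw_len]
        if ctype == PKCS_SIGNED_DATA:
            der_len = _der_sequence_length(body)
            if der_len < 0 or der_len > len(body):
                findings.append("malformed PKCS#7 SignedData")
            elif any(body[der_len:]):
                findings.append(f"{len(body) - der_len} bytes of non-zero data appended after the PKCS#7 blob")
        nxt = pos + ((dw_len + 7) & ~7)   # entries are 8-byte aligned
        if any(pe[pos + dw_len:min(nxt, end)]):
            findings.append("non-zero alignment padding between certificate entries")
        pos = nxt
    return findings

# Constructed placeholder: a DER SEQUENCE with a 300-byte filler body, standing in
# for a real PKCS#7 SignedData blob (this is not a valid signature).
SAMPLE_PKCS7 = b"\x30\x82\x01\x2c" + b"\xa5" * 300

def build_sample_pe(pkcs7: bytes, extra: bytes = b"") -> bytes:
    """Construct a minimal, non-loadable PE32+ image carrying one WIN_CERTIFICATE.
    `extra` lands inside the certificate table after the PKCS#7 blob, which is where
    CVE-2013-3900 abuse hides its payload. Test scaffolding for this example only."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 240                                              # PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    cert_off = 0x40 + 4 + 20 + opt_size
    body = pkcs7 + extra
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, PKCS_SIGNED_DATA) + body
    cert += bytes((-len(cert)) % 8)                             # 8-byte alignment
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                       # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, cert_off, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    print("clean   :", check_cert_padding(build_sample_pe(SAMPLE_PKCS7)))
    print("tampered:", check_cert_padding(build_sample_pe(SAMPLE_PKCS7, b"EVIL" * 5)))
```

This mirrors the stricter verification that Windows applies only once EnableCertPaddingCheck is set to 1 under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (plus the Wow6432Node path for 32-bit processes); a file that trips check_cert_padding deserves a closer look regardless of what WinVerifyTrust reports on a machine without the key.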
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| vulncheck | — | 5.5 | MEDIUM | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 5.5 | MEDIUM | — |
GHSA
GHSA-8cj2-jg77-qj2p
ghsa_unreviewed · 2022-05-03 · CVE-2013-3900 [HIGH] · CWE-20
The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."
VulnCheck
Microsoft WinVerifyTrust function Remote Code Execution
vulncheck · 2013 · CVSS 5.5 [MEDIUM] · CWE-20
A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files.
Affected: Microsoft WinVerifyTrust function
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2022-Jan
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf
- https://blogs.vmware.com/security/2022/11/batloader-the-evasi
Microsoft
WinVerifyTrust Signature Validation Vulnerability
vendor_msrc · 2022-01-11 · CVSS 5.5 [MEDIUM] · CWE-347
Description: see the advisory text at the top of this page ("Why is Microsoft republishing a CVE from 2013?").
CISA
Microsoft WinVerifyTrust function Remote Code Execution
cisa · 2022-01-10 · CVSS 8.8 [HIGH] · CWE-20
Vulnerability: Microsoft WinVerifyTrust function Remote Code Execution
Affected: Microsoft WinVerifyTrust function
A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-3900
Remediation Due Date: 2022-07-10
No detection rules found.
No public exploits indexed.
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable · 2026-05-27 · tagged CVE-2023-4966
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Trendmicro
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
blogs_trendmicro · 2024-11-19 · APT & Targeted Attacks
By: Trend Micro, Nov 19, 2024
LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. We have identified a new campaign connected to this group with significant updates to their strategy, tactics, and arsenals.
This blog is based on a presentation by the authors at Virus Bulletin 2024.
Introduction
LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. While some vendors suspect that the actor using LODEINFO might be APT10, we don’t have enough evidence to fully support t
Possible Cracked Version of Cobalt Strike
In the early incidents above, Earth Kasha also used Cobalt Strike. Like other adversaries, Cobalt Strike is designed to be executed only in memory. In this case, Earth Kasha used a shellcode loader written in Go, which we
Qualys
Microsoft and Adobe Patch Tuesday, May 2023 Security Update Review
blogs_qualys · 2023-05-09
Table of Contents
- Microsoft Patch Tuesday for May 2023
- Adobe Patches for May 2023
- Zero-day Vulnerabilities Patched in May Patch Tuesday Edition
- Other Critical Severity Vulnerabilities Patched in May Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
- Qualys Monthly Webinar Series
- This Month in Vulnerabilities & Patches
Microsoft has addressed 49 vulnerabilities in its May Patch Tuesday edition. The security advisories cover various vulnerabilities in different produc
Trendmicro
Information on Attacks Involving 3CX Desktop App (article title: Preventing and Detecting Attacks Involving 3CX Desktop App)
blogs_trendmicro · 2023-03-30 · CVSS 5.5 [MEDIUM] · Malware
By: Trend Micro Research, 2023/03/30
In this blog entry, we provide technical details and analysis on the 3CX attacks as they happen. We also discuss available solutions which security teams can maximize for early detection and mitigate the impact of 3CX attacks.
Updated on:
- April 5, 2:39 a.m. EDT: We added Windows, Mac, and network commands to the Trend Micro Vision One™️ guide in the linked PDF.
- April 4, 3:29 a.m. EDT: We added Trend Micro XDR filters to the solutions.
- April 3, 2:33 a.m. EDT: We added details on d3dcompiler_47.dll's abuse of CVE-2013-3900 to make it appear legitimately signed.
- April 1, 1:50 a.m. EDT: We added a guide on how Vision One can be used to search for
Trendmicro
Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns
blogs_trendmicro · 2023-02-16 · APT & Targeted Attacks
By: Hara Hiroaki, Yuka Higashi, Masaoki Shoji, Feb 16, 2023
We detail the intrusion set Earth Yako, attributed to the campaign Operation RestyLink or EneLink. This analysis was presented in full at the JSAC 2023 in January 2023.
In 2021, we observed several targeted attacks against researchers of academic organizations and think tanks in Japan. We have since been tracking this series of attacks and identified the new intrusion set we have named “Earth Yako”. Our research points the attribution to the known campaign “Operation RestyLink” or “Enelink”.
Upon investigating several incidents, we identified previously unknown malware, tactics, techniques and procedures (
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
blogs_qualys · 2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Checkpoint
Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification putting users at risk
blogs_checkpoint · 2022-01-05 · tagged CVE-2020-1599
Research by: Golan Cohen
Introduction
Last seen i
Talos
Microsoft Update Tuesday: December 2013, some 0-day fixes
blogs_talos · 2013-12-10 · CVSS 5.5 [MEDIUM] · tagged CVE-2013-5045
Microsoft’s final update for the year brings us 11 bulletins covering 24 CVE issues.
As is customary, there is the critical IE bulletin, MS13-097. This time it covers 7 CVE issues. As in other months, this includes a number of use-after-free issues that we’ve come to expect in IE. However this month we also get 2 escalation of privilege vulnerabilities (CVE-2013-5045 and CVE-2013-5046), where an attacker could break out of the low integrity sandbox. This assumes of course that the attacker has first gained remote code execution through another vulnerability and then uses one of these vulnerabilities to execute arbitrary programs.
There is also a critical update for GDI+, MS13-096. This one fixes the 0-day vulnerability (CVE-2013-3906) that is being exploited in the wild. The vulnerabilit
Zscaler
Zscaler found Multiple Security Vulnerabilities | 12-10-2013
blogs_zscaler · CVSS 9.3 [CRITICAL]
Crowdstrike
CrowdStrike Falcon® Spotlight Fuses Endpoint Data with CISA’s Exploited Vulnerabilities Catalog
blogs_crowdstrike · CVSS 7.5 [HIGH] · tagged CVE-2026-20929
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
- http://blogs.technet.com/b/srd/archive/2013/12/10/ms13-098-update-to-enhance-the-security-of-authenticode.aspx
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-098
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-3900
Timeline
- 2013-12-11: Published
- 2022-01-10: Added to CISA KEV
- Exploited in the wild