CVE-2014-0322
Published: 2014-02-14
Priority: P1 · 88 · high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-25
Exploited in the wild
EPSS: 85.24% (99.7th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Signature (sigma): Snort SID 36426
- Signature (sigma): Snort SID 364267
- Signature (sigma): Snort SID 36346
- Signature (sigma): Snort SID 36347
- Signature (sigma): Snort SID 36348
- Bytes: 0xDEADBEEF41414141
Indicators:
- Exploit uses Flash (.swf) to set up heap memory layout in the IE process, then triggers the UAF bug via an ExternalInterface call from ActionScript to a JavaScript/VBScript function. Detection should look for SWF files making ExternalInterface calls coinciding with IE UAF conditions.
- Exploit ActionScript contains unused variables 'org' (string value 'vector') and 'found' (Boolean) left over from CVE-2013-3163 template reuse; the presence of both in decompiled ActionScript is a strong indicator of this exploit family.
- The Timer object in the exploit ActionScript is set to repeat every 1 second for exactly 4,096 seconds; this specific timer configuration is a shared fingerprint across the CVE-2013-3163/CVE-2014-0322/CVE-2014-1776 exploit family.
- The ROP chain is triggered by overwriting a Sound object's vtable and calling toString(); monitor for vtable overwrites on Sound objects in Flash within IE processes.
- Shellcode calls NtSetContextThread to overwrite debug registers and disable EMET's EAF feature; monitor for NtSetContextThread calls from browser/Flash processes modifying debug registers (DR0–DR7).
- Shellcode checks for the presence of EMET.dll in the IE process before choosing an execution path; an EMET.dll load check in shellcode is a behavioral indicator.
- The exploit heap spray uses a 0x18180-element vector, each element 0x3FE bytes in size; this specific spray pattern can be detected in memory or via behavioral analysis.
- Group 72 (Axiom) C2 domain naming pattern: domains are named after the intended victim organization, following patterns like companyname.attackerdomain.com or companyacronym.attackerdomain.com.
- DeputyDog RAT samples associated with this CVE's threat actor use campaign codes 'kumanichi' and 'moon'; these strings can be used as YARA/memory scan anchors.
Caveats:
- The Palo Alto Networks Threat Prevention signature IDs for CVE-2014-0322 (#36426, #364267, #36346, #36347, #36348) are specific to Palo Alto Networks content releases and require a Threat Prevention subscription with content release 433-2194 or later.
- The deferred-free bypass technique (forcing TotalMemorySize > 0x186A0) applies specifically to the MemoryProtection::CMemoryProtector introduced in IE patches from July 2014; the threshold value 0x186A0 is hardcoded and may differ across patch levels.
- The EMET bypass in the associated SWF shellcode is described as incomplete: it would be caught by EMET's stack pivot check on VirtualAlloc, meaning EMET 4.1 with stack pivot protection enabled would still block the exploit.
- The Flash-based exploit component and the HTML page must both be present and combined for a successful attack; capturing only one component is insufficient to reproduce or fully detect the exploit.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | n/a | 8.8 | HIGH | n/a |
| cisa | n/a | 8.8 | HIGH | n/a |
GHSA
GHSA-fc9q-h2h8-qq52 (ghsa_unreviewed · 2022-05-14)
CVE-2014-0322 [HIGH] CWE-416
Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.
VulnCheck
Microsoft Internet Explorer Use-After-Free Vulnerability
vulncheck · 2014 · CVSS 8.8
CVE-2014-0322 [HIGH] CWE-416
Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute code.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.cve.org/CVERecord?id=CVE-2014-0322
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf
- https://blog.talosintelligence.com/2014/10/threat-spotlight-group-72.html
- https://blogs.cisco.com/security/talos/opening-zxshell
- https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/
- https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizati
CISA
Microsoft Internet Explorer Use-After-Free Vulnerability
cisa · 2022-05-04 · CVSS 8.8
CVE-2014-0322 [HIGH] CWE-416
Affected: Microsoft Internet Explorer
Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-0322
Remediation Due Date: 2022-05-25
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - CMarkup Use-After-Free (MS14-012) (Metasploit)
exploitdb · 2014-04-16 · CVSS 8.8
CVE-2014-0322 [HIGH]
---
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # The module rank, mixin includes and the opening of
  # initialize/update_info are not part of this excerpt,
  # which resumes at the module's 'Name' entry.
      'Name'        => "MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free",
      'Description' => %q{
        This module exploits an use after free condition on Internet Explorer as used in the wild
        on the "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to
        bypass ASLR and finally DEP.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Unknown',            # Vulnerability discovery and Exploit in the wild
          'Jean-Jamil Khalife', # Exploit
          'juan vazquez'        # Metasploit module
        ],
      'References'  =>
        [
          [ 'CVE', '2014-0322' ],
          [ 'MSB', 'MS14-012' ],
          [ 'BID', '6
```
Exploit-DB
Microsoft Internet Explorer 10 - CMarkup Use-After-Free (MS14-012)
exploitdb · 2014-04-14 · CVSS 8.8
CVE-2014-0322 [HIGH]
---
Build command for the ActionScript component: mxmlc.exe AsXploit.as -o AsXploit.swf
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/32851-AsXploit.as
```javascript
// JavaScript side of the exploit page (excerpt)
var g_arr = [];
var arrLen = 0x250;
// dword2data: convert a 32-bit value into its hexadecimal string form
function dword2data(dword)
{
    var d = Number(dword).toString(16);
    while (d.length
```
Metasploit
MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free
metasploit
This module exploits a use-after-free condition in Internet Explorer as used in the wild as part of "Operation SnowMan" in February 2014. The module uses Flash Player 12 in order to bypass ASLR and DEP.
Qualys
US-CERT: Top 30 Vulnerabilities | Qualys
blogs_qualys · 2015-05-01 · CVSS 2.6
[LOW]
On April 29, 2015 US-CERT published TA15-119A which describes the Top 30 vulnerabilities that critical infrastructure organizations should focus on because they are under attack all the time. The list contains Windows, Internet Explorer, Adobe Software from Reader, Flash to Cold Fusion, Java from Oracle and others, and is quite similar to the more generic set of software packages published by the German BSI last December.
Here is a list of the vulnerabilities in the advisory. I have reordered and optimized where possible for efficient scanning with Qualys, for example listing the most recent patch first to take advantage of superseding patches:
- Windows: MS14-060 for CVE-2014-4114, Qualys ID: 90979
- Internet Explorer: MS14-021 for CVE-2014-1776, Qualys ID: 100191
- MS14-012 for CVE-2014-0322
- MS13-038 for CVE-2013-1347
- MS13-008 for CVE-2012-4792
- MS10-01
Unit42
Addressing CVE-2014-6332 SWF Exploit
blogs_unit42 · 2014-11-26 · CVSS 8.8
CVE-2014-6332 [HIGH]
## Addressing CVE-2014-6332 SWF Exploit
Palo Alto Networks. Published: November 26, 2014
Tags: Threat Research, Vulnerabilities, EMET, Endpoint, Internet Explorer, Shellcode
Continuing a recent trend in which Internet Explorer vulnerabilities are exploited using Flash, samples of an SWF purportedly used in conjunction with CVE-2014-6332 have appeared in several places. The most famous examples of this trend are the exploits for CVE-2014-0322 and CVE-2014-1776.
We have yet to encounter the SWF sample with its original exploit attached, but by looking at the SWF, it is clear that it is constructed to function with several forms of memory corruption, making the vulnerability itself less interesting. That is a great example of why our Advanced Endpoint Protection approach, which focuses on the core techniques used in attacks, works well. It will prevent uses of this SWF framework, regardless of the vulnerability it is used with.
The interesting part in this expl
Talos
Threat Spotlight: Group 72, Opening the ZxShell
blogs_talos · 2014-10-28
## Threat Spotlight: Group 72, Opening the ZxShell
This post was authored by Andrea Allievi, Douglas Goddard, Shaun Hurley, and Alain Zidouemba.
Recently, there was a blog post on the takedown of a botnet used by the threat actor group known as Group 72 and their involvement in Operation SMN. This group is sophisticated, well funded, and exclusively targets high profile organizations with high value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors. The primary attack vectors are watering-hole, spear phishing, and other web-based attacks.
Frequently, a remote administration tool (RAT) is used to maintain persistence within a victim's organization. These tools are used to further compromise the organization by attacking other hosts inside the target's network.
ZxShell (aka Sensocode) is a Remote Admi
Talos
Threat Spotlight: Group 72
blogs_talos · 2014-10-14
## Threat Spotlight: Group 72
This post is co-authored by Joel Esler, Martin Lee and Craig Williams.
Everyone has certain characteristics that can be recognised. This may be a way of walking, an accent, a turn of phrase or a style of dressing. If you know what to look for you can easily spot a friend or acquaintance in a crowd. Exactly the same is true for threat actors.
Each threat actor group may have certain characteristics that they display during their attack campaigns. These may be the types of malware that they use, a pattern in the naming conventions of their command and control servers, their choice of victims, etc. Collecting attack data allows an observer to spot the characteristics that define each group and identify specific threat actors from the crowd of malici
Unit42
Is It the Beginning of the End For Use-After-Free Exploitation?
blogs_unit42 · 2014-07-17 · CVSS 8.8
CVE-2014-1815 [HIGH]
## Is It the Beginning of the End For Use-After-Free Exploitation?
Tao Yan, Bo Qu, Royce Lu. Published: July 16, 2014
Tags: Malware, Threat Research, Deferred free, Internet Explorer, Isolated heap, Microsoft, Use after free
Use-after-free bugs have affected Internet Explorer for years. In the past year alone, Microsoft patched 122 IE vulnerabilities, the majority of which were use-after-free bugs. This year Microsoft has already patched 126 IE vulnerabilities to date. Of those vulnerabilities, 4 were actively being exploited in the wild. These 4 exploits (CVE-2014-1815, CVE-2014-1776, CVE-2014-0322, CVE-2014-0324) were all based on use-after-free bugs.
To deal with the increasing number of use-after-free bugs and associated exploits, Microsoft introduced a series of new control mechanisms in the most recent Internet Explorer patches. In June, Microsoft introduced a new isolated heap mechanism to solve the usage issue of use-after-free exploitation. They followed that up in July by implementing a deferred fre
Unit42
How To Defend Against Advanced IE Exploitation
blogs_unit42 · 2014-06-06
## How To Defend Against Advanced IE Exploitation
IPS Team. Published: June 6, 2014
Tags: Malware, Threat Research, ActiveX, Flash, Internet Explorer, IPS, Microsoft, Use after free
In February, Microsoft awarded $100,000 to Yu Yang (@Tombkeeper) for reporting a new mitigation bypass technique as part of Microsoft's Bounty Program. Yu later demonstrated his research at CanSecWest in March. In his slides, he mentioned that a "god mode" of Internet Explorer could be turned on by a one byte overwrite. However, he had to heavily redact this information due to an agreement between himself and Microsoft.
After his slides were released, researchers began working to determine what the missing parts were. And before long, Yuki Chen (@guhe120), a Chinese researcher, posted his answer. Although the code was removed soon after posting, a copy was still maintained and used by Metasploit. Following this code, another researcher posted his VB script version using more advanced tech
Unit42
A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks
blogs_unit42 · 2014-05-02 · CVSS 8.8
CVE-2014-1776 [HIGH]
## A Tale of 3 Vulnerabilities, CVE-2014-1776 Exploit Linked to Previous Attacks
Bo Qu. Published: May 2, 2014
Tags: High Profile Threats, Threat Research, Vulnerabilities, CVE-2014-1776, Internet Explorer, Microsoft
### Summary
- The exploit code used in the recent CVE-2014-1776 attacks shares many similar characteristics with code that exploited CVE-2014-0322 and CVE-2013-3163.
- The shared techniques, variable names and code structure suggest these exploits share a common author or template.
- Palo Alto Networks customers are protected from exploitation of CVE-2014-1776 with content release 433-2194.
Late last month reports surfaced that a new Internet Explorer vulnerability (CVE-2014-1776) was being exploited in targeted attacks. The vulnerability allows an attacker to take full control over the system after a user views a web page in their browser. According to Microsoft, it affects versions of Internet Explorer from version 6 to 11, meaning that almost all IE users are vulnerable to this bug
Talos
Microsoft Update Tuesday: March 2014, all about IE (including two 0-day fixes)
blogs_talos · 2014-03-11 · CVSS 9.3
CVE-2014-0322 [CRITICAL]
## Microsoft Update Tuesday: March 2014, all about IE (including two 0-day fixes)
It's Microsoft Update Tuesday. While this month is relatively minor, a total of 5 bulletins, it is pretty large for the requisite Internet Explorer bulletin. There are a total of 23 CVEs covered by the bulletins, 18 of which are found in IE.
There are 2 critical and 3 important bulletins this month:
MS14-012 is the first critical bulletin and is the IE bulletin. Most of the vulnerabilities are, as usual, the result of "use-after-free" vulnerabilities. One of the vulnerabilities, CVE-2014-0322, was known publicly before the update and saw targeted attacks since February 14th. The temporary workaround in security advisory 2934088 that has been available from Microsoft since February 19th is now being replaced by a more formal fix. The vulnerability was being exploited in a watering hole attack
Zscaler
Zscaler Protects against IE Memory Corruption Vulnerability
blogs_zscaler · CVSS 9.3
[CRITICAL]
Threat Intel
Axiom (Axiom, Group 72)
threat_intel·CVSS 8.8
[HIGH] Axiom (Axiom, Group 72)
# Threat Actor Profile: Axiom
ATT&CK ID: G0001
Also known as: Axiom, Group 72
Suspected origin: China
## Overview
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)
## Techniques (TTPs)
### Resource Development
- T1584.005 Botnet
Usage: Axiom has used large groups of compromised machines for use as proxy nodes.(Citation: Novetta-Axiom)
- T1583.002 DNS Server
Usage: Axiom has acquired dynamic DNS ser
Crowdstrike
Sakula Malware: What Is the INOCNATION Campaign?
blogs_crowdstrike · CVSS 7.5
CVE-2026-20929 [HIGH]
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
Tracking Moving Targets: Exploit Kits and CVEs
# Tracking Moving Targets: Exploit Kits and CVEs
One year ago a notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
Zscaler
Zscaler found Multiple Security Vulnerabilities | 02-14-2014
blogs_zscaler · CVSS 8.8
[HIGH]
arXiv
Detile: Fine-Grained Information Leak Detection in Script Engines
arxiv_fulltext · 2020-07-06
Robert Gawlik, Philipp Koppe, Benjamin Kollenda, Andre Pawlowski, Behrad Garmany, Thorsten Holz
## Abstract
Memory disclosure attacks play an important role in the exploitation of memory corruption vulnerabilities. By analyzing recent research, we observe that bypasses of defensive solutions that enforce control-flow integrity or attempt to detect return-oriented programming require memory disclosure attacks as a fundamental first step. However, research lags behind in detecting such information leaks. In this paper, we tackle this problem and present a system for fine-grained, automated detection of memory disclosure attacks against scripting engines. The basic insight is as follows: scripting languages, such as JavaScript in web browsers, are strictly sandboxed. They must not provide a
References:
- http://community.websense.com/blogs/securitylabs/archive/2014/02/13/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx
- http://technet.microsoft.com/security/advisory/2934088
- http://twitter.com/nanoc0re/statuses/434251658344673281
- http://www.exploit-db.com/exploits/32851
- http://www.exploit-db.com/exploits/32904
- http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html
- http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
- http://www.kb.cert.org/vuls/id/732479
- http://www.osvdb.org/103354
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-012
- https://www.dropbox.com/s/pyxjgycmudirbqe/CVE-2014-0322.zip
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0322
Timeline:
- 2014-02-14: Published
- 2022-05-04: Added to CISA KEV
- Exploited in the wild