CVE-2021-31207

Vulnerability updated 4 months ago (2024-08-01T14:20:10.409Z)

Download STIX

Preview STIX

CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Atlassian Confluence and Microsoft Exchange, among other platforms, and allows the attacker to bypass security features and execute remote code. The threat posed by this flaw is severe due to its potential use in initial stages of sophisticated attacks, such as those deploying BlackCat ransomware. APT40 has been successful in exploiting vulnerabilities dating back to 2017, demonstrating their ability to leverage older flaws alongside newer ones like CVE-2021-31207. Their tactics often involve spearphishing attacks to establish initial access, followed by exploitation of lax security practices leaving known vulnerabilities unpatched. For instance, they have previously exploited a seven-year-old privilege-escalation vulnerability affecting older versions of Microsoft Windows (CVE-2016-0099), and the two-year-old ProxyShell vulnerabilities (including CVE-2021-31207, CVE-2021-34473, CVE-2021-34523) affecting Microsoft Exchange. Check Point IPS provides protection against these threats, including the Microsoft Exchange Server Security Feature Authentication Bypass (CVE-2021-31207) and the Microsoft Exchange Server Remote Code Execution (CVE-2021-34473). Therefore, it is essential for organizations to keep their software up-to-date and apply patches for identified vulnerabilities promptly. By doing so, they can significantly reduce the risk of falling victim to attacks leveraging these vulnerabilities.

Description last updated: 2024-08-01T13:29:35.460Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Proxyshell is a possible alias for CVE-2021-31207. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT ac	6

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploits

Log4j

Confluence

Microsoft

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Hive Malware is associated with CVE-2021-31207. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT40 Threat Actor is associated with CVE-2021-31207. APT40, a threat actor attributed to China, is a cyber espionage group that primarily targets countries of strategic importance to the Belt and Road Initiative. The group is known for its use of a variety of attack vectors, notably spear-phishing emails posing as individuals likely to be of interest	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2021-34473 Vulnerability is associated with CVE-2021-31207. CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to	Unspecified	5
The CVE-2021-26084 Vulnerability is associated with CVE-2021-31207. CVE-2021-26084 is a critical vulnerability related to Atlassian's Confluence software. The flaw in the software design or implementation was first exploited as a zero-day, before its public disclosure in June 2022. It allowed remote attackers to execute code on a Confluence Server via injection atta	Unspecified	3
The vulnerability CVE-2021-34523 is associated with CVE-2021-31207.	Unspecified	3
The CVE-2021-44228 Vulnerability is associated with CVE-2021-31207. CVE-2021-44228, also known as the Log4Shell vulnerability, is a significant flaw in Apache's Log4j software. Disclosed in December 2021, it quickly became one of the most severe bugs due to its widespread usage and potential for exploitation. Various Advanced Persistent Threat (APT) actors attempted	Unspecified	2
The Log4Shell Vulnerability is associated with CVE-2021-31207. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized	Unspecified	2
The Proxyshell Cve-2021-34473 Vulnerability is associated with CVE-2021-31207. ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) is a set of three chained vulnerabilities that perform unauthenticated remote code execution (RCE) in Microsoft Exchange. Identified as a significant flaw in software design or implementation, it allows unauthorized users to execute arbitra	Unspecified	2

Source Document References

Information about the CVE-2021-31207 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	2 months ago	14 Million Patients Impacted by US Healthcare Data Breaches in 2024
Securelist	3 months ago	New malicious web shell from the Tropic Trooper group is found in the Middle East
Securityaffairs	4 months ago	Cybersecurity agencies warn of China-linked APT40 's capabilities
CISA	4 months ago	People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action \| CISA
Securityaffairs	6 months ago	A malware campaign exploits Microsoft Exchange Server flaws
CERT-EU	10 months ago	ProxyShell-targeting Babuk Tortilla ransomware decrypted after hacker’s arrest \| #ransomware \| #cybercrime \| National Cyber Security Consulting
MITRE	a year ago	RaaS AvosLocker Incident Response Analysis
MITRE	a year ago	Ransomware Spotlight: AvosLocker
CERT-EU	a year ago	GitHub - kh4sh3i/ProxyShell: CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability
CERT-EU	a year ago	What we know about BlackCat and the MGM hack
Securityaffairs	a year ago	Earth Lusca expands its arsenal with SprySOCKS Linux malware
Trend Micro	a year ago	Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
CERT-EU	a year ago	From Caribbean shores to your devices: analyzing Cuba ransomware – GIXtools
Securelist	a year ago	Analysis of Cuba ransomware gang activity and tooling
CERT-EU	a year ago	Qualys Top 20 Exploited Vulnerabilities \| Qualys Security Blog
Malwarebytes	a year ago	2022's most routinely exploited vulnerabilities—history repeats
CERT-EU	a year ago	Unmasking the top exploited vulnerabilities of 2022 – GIXtools
CERT-EU	a year ago	Five Eyes intelligence agencies discloses the 12 top-exploited vulnerabilities of 2022
BankInfoSecurity	a year ago	Patching Conundrum: 5-Year Old Flaw Again Tops Most-Hit List
CERT-EU	a year ago	Five Eyes Agencies Call Attention to Most Frequently Exploited Vulnerabilities