This Week in Security: Zimbra, Lockbit 2, And Hacking NK

Unknown attackers have been exploiting a 0-day attack against the Zimbra e-mail suite. Researchers at Volexity first discovered the attack back in December of last year, detected by their monitoring infrastructure. It’s a cross-site scripting (XSS) exploit, such that when opening a malicious link, the JavaScript running on the malicious page can access a logged-in Zimbra instance. The attack campaign uses this exploit to grab emails and attachments and upload them to the attackers. Researchers haven’t been able to positively identify what group is behind the attacks, but a bit of circumstantial evidence points to a Chinese group. That evidence? Time zones. The attacker requests all use the Asia/Hong_Kong time zone, and the timing of all the phishing emails sent lines up nicely with a work-day in that time zone.

Zimbra has responded, confirming the vulnerability and publishing a hotfix for it. The campaign seems to have been targeted specifically against European governments, and various media outlets. If you’re running a Zimbra instance, make sure you’re running at least 8.8.15.1643980846.p30-1.

LockBit 2.0

Because security professionals needed something else to keep us occupied, the LockBit ransomware campaign is back for a round two. This is another ransomware campaign run in the as-a-Service pattern — RAAS. LockBit 2 has caught enough attention, that the FBI has published a FLASH message (PDF) about it. That’s the FBI Liaison Alert System, in the running for the worst acronym. (Help them figure out what the “H” stands for in the comments below!)

Like many other ransomware campaigns, LockBit has a list of language codes that trigger a bail on execution — the Eastern European languages you would expect. Ransomware operators have long tried not to poison their own wells by hitting targets in their own back yards. This one is being reported as also having a Linux module, but it appears that is limited to VMWare ESXi virtual machines. A series of IoCs have been published, and the FBI are requesting any logs, ransom notes, or other evidence possibly related to this campaign to be sent to them if possible.

Not the Mimosas You’re Looking For

And speaking of government notices, CISA has published an advisory about Mimosa wireless products, based on multiple CVEs, with three of them scoring the dreaded 10.0. There are improper authorization problems, such that API endpoints are accessible without auth; a Server-Side Request Forgery problem, that could allow an attacker to smuggle messages through a web frontend; a SQL injection; and even unsalted MD5 hashing for storing passwords.

These vulnerabilities were discovered by Noam Moshe, a researcher at Claroty. He’s gone on the record to confirm that it was as bad as it looked, that attacking the cloud interface could lead to compromise of in-the-field hardware. There isn’t a full write-up on this story, but so far it seems to be an unofficial black-box security audit, so it isn’t an official code review. These are just the vulnerabilities discovered by the limited audit. Keep an eye out for more problems to be found.

SAP Pays Their Log4j Dues

One reason the Log4j vulnerability is such a headache is because Java libraries are embedded in so many binaries and appliances, and require an update of the entire binary to fix problems. If the vulnerability was in glibc, just that library could be updated, but every binary that includes Log4j has to be updated individually. Making the point that this is a long process, SAP has released their fixes for their February patch day. Six of the top eight vulnerabilities fixed are Log4j. This one is going to be around for a long time.

Cisco RV Routers

The Cisco RV160, RV260, RV340, and RV345 small business routers have both an RCE and privilege escalation vulnerability, with PoC code available. The RCE is a simple HTTP request that bypasses access controls. Several of these units also have a command injection vulnerability, where user-input is not sufficiently sanitized, leading to commands being executed on the underlying system. While patches are available, Cisco has stated that there are no workarounds for these flaws. Think about that. You literally cannot lock these devices down enough to prevent an RCE. Once again, go to your network closet, and see if one of these are hiding in there somewhere.

Damn, we tried to give some time for blue team to patch but here it is. Our exploit pops up right after our talk with @pedrib1337 at @offensive_conCVSS 10 Cisco AnyConnect VPN GatewayCVE-2022—20699 https://t.co/EnwAOvvG1j

— Rado RC1 (@RabbitPro) February 5, 2022

Researcher Breaks North Korea

If you get caught up in a state-sponsored hacking campaign, what’s a reasonable response? If you’re an independent researcher like [P4x], launching your own DoS attack against the foreign nation isn’t out of the question. We covered the original campaign back when it happened — North Korean hackers posed as security researchers and reached out to other researchers, asking for help with a project. The catch is that the project they wanted to collaborate on was actually a booby-trapped Visual Studio project. [P4x] was one of the researchers who was targeted, and this just didn’t sit well with him.

North Korea isn’t known for running the most up-to-date versions of anything, and there were enough problems in production that this single researcher was able to knock most of their internet access offline for a while. This has been confirmed by independent researchers, notably Netblocks:

ℹ Network data confirm reports of disruptions to internet connectivity in #NorthKorea. Per @a_greenberg the incidents are attributed to a denial of service attack by a hacker getting even after NK spies targeted him last year.

📰 https://t.co/v0Tafj6bQ1 pic.twitter.com/fz5ROxbrLD

— NetBlocks (@netblocks) February 3, 2022

SpoolFool

And if you wondered, the Windows Print Spooler continues to be a disaster for security. There have been multiple spooler vulnerabilities in the last couple years, but of note is CVE-2020-1030, an attack that allows mapping the spool directory to a system directory, and overwriting important files. The fix for this was to check whether the spooler directory is actually safe to write to. Now we have CVE-2022-21999, a bypass for that patch. The essence is that an attacker can add a printer with a spool directory that is safe, but under the attacker’s control, and then use a directory junction to map a system directory to the same place. This still passes the check, but allows writing a malicious DLL to the printer driver folder. Load the driver, trigger a Spooler restart, and you’ve got escalation to System.

SHA256

There’s something very satisfying about finally understanding an algorithm that your computer uses every day for encryption. If you’re reading this, you’re probably similarly intrigued by algorithms. I present the step-by-step SHA256 visualizer.

Read more: hackaday.com


Posted

in

by