This Week In Security: Zimbra, Lockbit 2, And Hacking NK

Unknown attackers have been exploiting a 0-day attack against the Zimbra e-mail suite. Researchers at Volexity first discovered the attack back in December of last year, detected by their monitoring infrastructure. It’s a cross-site scripting (XSS) exploit, such that when opening a malicious link, the JavaScript running on the malicious page can access a logged-in Zimbra instance. The attack campaign uses this exploit to grab emails and attachments and upload them to the attackers. Researchers haven’t been able to positively identify what group is behind the attacks, but a bit of circumstantial evidence points to a Chinese group. That evidence? Time zones. The attacker requests all use the Asia/Hong_Kong time zone, and the timing of all the phishing emails sent lines up nicely with a work-day in that time zone.

Zimbra has responded, confirming the vulnerability and publishing a hotfix for it. The campaign seems to have been targeted specifically against European governments, and various media outlets. If you’re running a Zimbra instance, make sure you’re running at least 8.8.15.1643980846.p30-1.

LockBit 2.0

Because security professionals needed something else to keep us occupied, the LockBit ransomware campaign is back for a round two. This is another ransomware campaign run in the as-a-Service pattern — RAAS. LockBit 2 has caught enough attention, that the FBI has published a FLASH message (PDF) about it. That’s the FBI Liaison Alert System, in the running for the worst acronym. (Help them figure out what the “H” stands for in the comments below!)

Like many other ransomware campaigns, LockBit has a list of language codes that trigger a bail on execution — the Eastern European languages you would expect. Ransomware operators have long tried not to poison their own wells by hitting targets in their own back yards. This one is being reported as also having a Linux module, but it appears that is limited to VMWare ESXi virtual machines. A series of IoCs have been published, and the FBI are requesting any logs, ransom notes, or other evidence possibly related to this campaign to be sent to them if possible.

Not the Mimosas You’re Looking For

And speaking of government notices, CISA has published an advisory about Mimosa wireless products, based on multiple CVEs, with three of them scoring the dreaded 10.0. There are improper authorization problems, such that API endpoints are accessible without auth; a Server-Side Request Forgery problem, that could allow an attacker to smuggle messages through a web frontend; a SQL injection; and even unsalted MD5 hashing for storing passwords.

These vulnerabilities were discovered by Noam Moshe, a researcher at Claroty. He’s gone on the record to confirm that it was as bad as it looked, that attacking the cloud interface could lead to compromise of in-the-field hardware. There isn’t a full write-up on this story, but so far it seems to be an unofficial black-box security audit, so it isn’t an official code review. These are just the vulnerabilities discovered by the limited audit. Keep an eye out for more problems to be found.

SAP Pays Their Log4j Dues

One reason the Log4j vulnerability is such a headache is because Java libraries are embedded in so many binaries and appliances, and require an update of the entire binary to fix problems. If the vulnerability was in glibc, just that library could be updated, but every binary that includes Log4j has to be updated individually. Making the point that this is a long process, SAP has released their fixes for their February patch day. Six of the top eight vulnerabilities fixed are Log4j. This one is going to be around for a long time.

Cisco RV Routers

The Cisco RV160, RV260, RV340, and RV345 small business routers have both an RCE and privilege escalation vulnerability, with PoC code available. The RCE is a simple HTTP request that bypasses access controls. Several of these units also have a command injection vulnerability, where user-input is not sufficiently sanitized, leading to commands being executed on the underlying system. While patches are available, Cisco has stated that there are no workarounds for these flaws. Think about that. You literally cannot lock these devices down enough to prevent an RCE. Once again, go to your network closet, and see if one of these are hiding in there somewhere.

Researcher Breaks North Korea

If you get caught up in a state-sponsored hacking campaign, what’s a reasonable response? If you’re an independent researcher like [P4x], launching your own DoS attack against the foreign nation isn’t out of the question. We covered the original campaign back when it happened — North Korean hackers posed as security researchers and reached out to other researchers, asking for help with a project. The catch is that the project they wanted to collaborate on was actually a booby-trapped Visual Studio project. [P4x] was one of the researchers who was targeted, and this just didn’t sit well with him.

North Korea isn’t known for running the most up-to-date versions of anything, and there were enough problems in production that this single researcher was able to knock most of their internet access offline for a while. This has been confirmed by independent researchers, notably Netblocks:

SpoolFool

And if you wondered, the Windows Print Spooler continues to be a disaster for security. There have been multiple spooler vulnerabilities in the last couple years, but of note is CVE-2020-1030, an attack that allows mapping the spool directory to a system directory, and overwriting important files. The fix for this was to check whether the spooler directory is actually safe to write to. Now we have CVE-2022-21999, a bypass for that patch. The essence is that an attacker can add a printer with a spool directory that is safe, but under the attacker’s control, and then use a directory junction to map a system directory to the same place. This still passes the check, but allows writing a malicious DLL to the printer driver folder. Load the driver, trigger a Spooler restart, and you’ve got escalation to System.

SHA256

There’s something very satisfying about finally understanding an algorithm that your computer uses every day for encryption. If you’re reading this, you’re probably similarly intrigued by algorithms. I present the step-by-step SHA256 visualizer.

9 thoughts on “This Week In Security: Zimbra, Lockbit 2, And Hacking NK

  1. I won’t judge if hacking back if you are targeted by some spies is good or not, i just want to say that if i was that guy who nocked out part of the internet in NK i would be *really* afraid to get some visit from not so nice people. :-/

  2. How come a hacker here is a mere “researcher” and the hacker over in Korea is a”spy”? Whoever wrote the original source article should lay off that koolaid for a bit to clear his head.

    1. To some extent that is a fair enough naming – the NK folks are government employee actively working on other nations – which makes them one of only a few things – a spy, solider or diplomat by definition – the nature of their job then pushes them into spy. While the guy who struck back appears to be the run of the mill white hat – spending their time playing offense only to improve defense usually – and most white hats seem to generally be independent contractors living off bug bounties and short term consulting gig much of the time.

  3. > There’s something very satisfying about finally understanding an algorithm that your computer uses every day for encryption. If you’re reading this, you’re probably similarly intrigued by algorithms. I present the step-by-step SHA256 visualizer.

    My computer never uses SHA256 for encryption… hashing, sure, use it all the time, but SHA256 isn’t an encryption algorithm because the algorithm does not accept a key as part of its input and isn’t reversible.

    1. It could be used in CTR mode. The keystream could be the hash of the concatenation of the key and the counter. The keystream is then xored with the data for both encryption and decryption. This would ensure privacy but not authentication. We could use a mode such as GCM or add an HMAC to fix that.
      (But don’t do that; use a steam cipher or block cipher designed for the purpose unless you’re stuck on a desert island and SHA256 is the only secure primitive available.)

  4. >> That’s the FBI Liaison Alert System, in the running for the worst acronym. (Help them figure out what the “H” stands for in the comments below!)

    It was created by a Canadian ex-pat – Fbi Liaison Alert System, eH?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.