Unknown attackers have been exploiting a 0-day attack against the Zimbra e-mail suite. Researchers at Volexity first discovered the attack back in December of last year, detected by their monitoring infrastructure. It’s a cross-site scripting (XSS) exploit, such that when opening a malicious link, the JavaScript running on the malicious page can access a logged-in Zimbra instance. The attack campaign uses this exploit to grab emails and attachments and upload them to the attackers. Researchers haven’t been able to positively identify what group is behind the attacks, but a bit of circumstantial evidence points to a Chinese group. That evidence? Time zones. The attacker requests all use the Asia/Hong_Kong
time zone, and the timing of all the phishing emails sent lines up nicely with a work-day in that time zone.
Zimbra has responded, confirming the vulnerability and publishing a hotfix for it. The campaign seems to have been targeted specifically against European governments, and various media outlets. If you’re running a Zimbra instance, make sure you’re running at least 8.8.15.1643980846.p30-1
.
LockBit 2.0
Because security professionals needed something else to keep us occupied, the LockBit ransomware campaign is back for a round two. This is another ransomware campaign run in the as-a-Service pattern — RAAS. LockBit 2 has caught enough attention, that the FBI has published a FLASH message (PDF) about it. That’s the FBI Liaison Alert System, in the running for the worst acronym. (Help them figure out what the “H” stands for in the comments below!)
Like many other ransomware campaigns, LockBit has a list of language codes that trigger a bail on execution — the Eastern European languages you would expect. Ransomware operators have long tried not to poison their own wells by hitting targets in their own back yards. This one is being reported as also having a Linux module, but it appears that is limited to VMWare ESXi virtual machines. A series of IoCs have been published, and the FBI are requesting any logs, ransom notes, or other evidence possibly related to this campaign to be sent to them if possible. Continue reading “This Week In Security: Zimbra, Lockbit 2, And Hacking NK”