This Week In Security: Zimbra, Lockbit 2, And Hacking NK

Unknown attackers have been exploiting a 0-day vulnerability in the Zimbra e-mail suite. Researchers at Volexity first discovered the attack back in December of last year, detected by their monitoring infrastructure. It’s a cross-site scripting (XSS) exploit: when a logged-in user opens a malicious link, the JavaScript running on the malicious page can access that user’s Zimbra instance. The attack campaign uses this exploit to grab emails and attachments and upload them to the attackers. Researchers haven’t been able to positively identify what group is behind the attacks, but a bit of circumstantial evidence points to a Chinese group. That evidence? Time zones. The attackers’ requests all use the Asia/Hong_Kong time zone, and the timing of all the phishing emails sent lines up nicely with a work-day in that time zone.
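One way to apply the working-hours heuristic described above, as an added example that is not from the original post or the Volexity report: given the UTC send times of a set of phishing messages, score each candidate time zone by how many of them land in a local Monday-to-Friday 09:00-18:00 window. The timestamps and candidate zone list are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed sample: UTC send times of phishing messages (not real campaign data).
PHISH_SEND_TIMES_UTC = [
    "2021-12-13T01:15:00Z",  # Monday
    "2021-12-13T03:40:00Z",
    "2021-12-14T06:05:00Z",
    "2021-12-15T08:30:00Z",
    "2021-12-16T09:20:00Z",
    "2021-12-17T02:50:00Z",  # Friday
]

# Hypothetical candidate zones an analyst might test against the send times.
CANDIDATE_ZONES = ["Asia/Hong_Kong", "Europe/Berlin", "America/New_York", "UTC"]

# Local working-hours window: 09:00 inclusive to 18:00 exclusive, Mon-Fri.
WORK_START, WORK_END = 9, 18

# Fallback offsets (standard time, valid for the December sample) for hosts
# without the IANA tz database; zoneinfo is preferred because it handles DST.
FALLBACK_OFFSETS = {"Asia/Hong_Kong": 8, "Europe/Berlin": 1, "America/New_York": -5, "UTC": 0}


def tz_for(zone):
    try:
        return ZoneInfo(zone)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=FALLBACK_OFFSETS[zone]), zone)


def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def workday_fraction(times_utc, zone):
    """Fraction of send times that fall inside local business hours in `zone`."""
    tz = tz_for(zone)
    hits = 0
    for ts in times_utc:
        local = parse_utc(ts).astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(times_utc)


def rank_zones(times_utc, zones):
    """Candidate zones ordered by how well the send times fit a local workday."""
    scored = [(zone, workday_fraction(times_utc, zone)) for zone in zones]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)
```

A high score is only circumstantial: it shows consistency with a work-day in that zone, not that the operator is there, which is why the article pairs it with the time zone seen in the attackers' requests.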

Zimbra has responded, confirming the vulnerability and publishing a hotfix for it. The campaign seems to have been targeted specifically against European governments, and various media outlets. If you’re running a Zimbra instance, make sure you’re running at least 8.8.15.1643980846.p30-1.

LockBit 2.0

Because security professionals needed something else to keep us occupied, the LockBit ransomware campaign is back for a round two. This is another ransomware campaign run in the as-a-Service pattern, RaaS. LockBit 2 has caught enough attention that the FBI has published a FLASH message (PDF) about it. That’s the FBI Liaison Alert System, in the running for the worst acronym. (Help them figure out what the “H” stands for in the comments below!)

Like many other ransomware campaigns, LockBit has a list of language codes that trigger a bail on execution, the Eastern European languages you would expect. Ransomware operators have long tried not to poison their own wells by hitting targets in their own back yards. This one is being reported as also having a Linux module, but it appears that is limited to VMware ESXi virtual machines. A series of IoCs have been published, and the FBI is requesting that any logs, ransom notes, or other evidence possibly related to this campaign be sent to them if possible.

Creating A PCB In Everything: Upverter

For the last five months, I’ve been writing a series of posts describing how to build a PCB in every piece of software out there. Every post in this series takes a reference schematic and board, and recreates all the elements in a completely new PCB tool.

There are three reasons why this sort of review is valuable. First, each post in this series is effectively a review of a particular tool. Already we’ve done Fritzing (thumbs down), KiCad (thumbs up), Eagle (thumbs up), and Protel Autotrax (interesting from a historical perspective). Secondly, each post in this series is a quick getting started guide for each PCB tool. Since the reference schematic and board are sufficiently complex for 90% of common PCB design tasks, each of these posts is a quick how-to guide for a specific tool. Thirdly, this series of posts serves as a basis of comparison between different tools. For example, you can do anything you want in KiCad and most of what you want in Eagle. Fritzing is terrible, and Autotrax is the digital version of the rub-on traces you bought at Radio Shack in 1987.

With that introduction out of the way, let’s get cranking on Upverter.

A little bit about Upverter

Upverter was founded in 2010 as an entirely web-based EDA tool aimed at students, hobbyists, and Open Hardware circuit designers. This was one of the first completely web-based circuit design tools and Upverter’s relative success has been a bellwether for other completely web-based EDA tools such as circuits.io and EasyEDA.

I would like to take a second to mention Upverter is a Y Combinator company (W11), which virtually guarantees this post will make it to the top of Hacker News. Go fight for imaginary Internet points amongst yourselves.

Upverter is a business after all, so how are they making money? Most EDA suites offer a free, limited version for personal, hobbyist, and ‘maker’ projects, and Upverter is no exception. The professional tier offers a few more features including CAM export, 3D preview, an API, simulation (coming soon), BOM management, and unlimited private projects for $125 per seat per month, or $1200 per seat per year.

To give you a basis of comparison for that subscription fee, Eagle CAD’s new license scheme gives you everything – 999 schematic sheets, 16 layers, and unlimited board area – for $65 per month, or $500 per year. Altium’s CircuitStudio comes in at $1000 for a one-year license. There are more expensive EDA suites such as Altium Designer and OrCAD, but you have to call a sales guy just to get a price.

Upverter is positioning itself as a professional tool at a professional price. There are better tools out there, of course, but there are thousands of businesses out there designing products with tools that cost $500 to $1000 per seat per year. In any event, this is all academic; the Hackaday crowd gravitates towards the free end of the market, whether that means beer or speech.

A big draw for Upverter is their Parts Concierge service. You’ll never have to create a part from scratch again, so the sales copy says. Apparently, Upverter is using a combination of very slick scripts to pull part layouts off a datasheet and human intervention / sanity check to create these parts. Does it work? We’re going to find out in the review below.
