Server – INDIA NEWS (http://www.indiavpn.org), feed last built Mon, 15 Apr 2024 17:55:55 +0000

Intel and Lenovo BMCs Contain Unpatched Lighttpd Server Flaw
http://www.indiavpn.org/2024/04/15/intel-and-lenovo-bmcs-contain-unpatched-lighttpd-server-flaw/
Mon, 15 Apr 2024 17:55:55 +0000

Apr 15, 2024 | Newsroom | Firmware Security / Vulnerability


A security flaw impacting the Lighttpd web server used in baseboard management controllers (BMCs) has remained unpatched by device vendors like Intel and Lenovo, new findings from Binarly reveal.

While the original shortcoming was discovered and patched by the Lighttpd maintainers way back in August 2018 with version 1.4.51, the lack of a CVE identifier or an advisory meant that it was overlooked by developers of AMI MegaRAC BMC, ultimately ending up in products made by Intel and Lenovo.

Lighttpd (pronounced “Lighty”) is an open-source web server designed for speed, security, and flexibility; it is optimized for high-performance environments while consuming few system resources, which is why it is a common choice for embedded targets such as BMC firmware.

The silent fix for Lighttpd concerns an out-of-bounds read vulnerability that could be exploited to exfiltrate sensitive data, such as process memory addresses, thereby allowing threat actors to bypass crucial security mechanisms like address space layout randomization (ASLR).


“The absence of prompt and important information about security fixes prevents proper handling of these fixes down both the firmware and software supply chains,” the firmware security company said.

The flaws are described below:

  • Out-of-bounds read in Lighttpd 1.4.45 used in Intel M70KLP series firmware
  • Out-of-bounds read in Lighttpd 1.4.35 used in Lenovo BMC firmware
  • Out-of-bounds read in Lighttpd before 1.4.51

Intel and Lenovo have opted not to address the issue as the products incorporating the susceptible version of Lighttpd have hit end-of-life (EoL) status and are no longer eligible for security updates, effectively turning it into a forever-day bug.


The disclosure highlights how the presence of outdated third-party components in the latest version of firmware can traverse the supply chain and pose unintended security risks for end users.

“This is yet another vulnerability that will remain unfixed forever in some products and will present high-impact risk to the industry for a very long time,” Binarly added.

Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers
http://www.indiavpn.org/2024/03/05/critical-jetbrains-teamcity-on-premises-flaws-could-lead-to-server-takeovers/
Tue, 05 Mar 2024 04:04:24 +0000

Mar 05, 2024 | Newsroom | Vulnerability / Network Security


A new pair of security vulnerabilities has been disclosed in JetBrains TeamCity On-Premises software that could be exploited by a threat actor to take control of affected systems.

The flaws, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3), have been addressed in version 2023.11.4. They impact all TeamCity On-Premises versions through 2023.11.3.

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” JetBrains said in an advisory released Monday.


TeamCity Cloud instances have already been patched against the two flaws. Cybersecurity firm Rapid7, which discovered and reported the issues on February 20, 2024, said CVE-2024-27198 is a case of authentication bypass that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker.

“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” the company noted.

CVE-2024-27199, also an authentication bypass flaw, stems from a path traversal issue that can permit an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of their choosing via the “/app/https/settings/uploadCertificate” endpoint and even alter the port number the HTTPS service listens on.

A threat actor could leverage the vulnerability to perform a denial-of-service against the TeamCity server by either changing the HTTPS port number, or by uploading a certificate that will fail client-side validation. Alternatively, the uploaded certificate could be used for adversary-in-the-middle scenarios if it’s trusted by the clients.

“This authentication bypass allows for a limited number of authenticated endpoints to be reached without authentication,” Rapid7 said of the shortcoming.


“An unauthenticated attacker can leverage this vulnerability to both modify a limited number of system settings on the server, as well as disclose a limited amount of sensitive information from the server.”

The development comes nearly a month after JetBrains released fixes to contain another flaw (CVE-2024-23917, CVSS score: 9.8) that could also enable an unauthenticated attacker to gain administrative control of TeamCity servers.

With security vulnerabilities in JetBrains TeamCity having come under active exploitation last year by North Korean and Russian threat actors, it’s essential that users take steps to update their servers immediately.

Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation
http://www.indiavpn.org/2024/02/15/critical-exchange-server-flaw-cve-2024-21410-under-active-exploitation/
Thu, 15 Feb 2024 06:33:09 +0000

Feb 15, 2024 | Newsroom | Threat Intelligence / Vulnerability


Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its Patch Tuesday updates.

Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue has been described as a case of privilege escalation impacting the Exchange Server.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability,” the company said in an advisory published this week.

“The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”


Successful exploitation of the flaw could permit an attacker to relay a user’s leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as the user, Redmond added.

The tech giant, in an update to its bulletin, revised its Exploitability Assessment to “Exploitation Detected,” noting that it has now enabled Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14) update.

Details about the nature of the exploitation and the identity of the threat actors that may be abusing the flaw are currently unknown. However, Russian state-affiliated hacking crews such as APT28 (aka Forest Blizzard) have a history of exploiting flaws in Microsoft Outlook to stage NTLM relay attacks.

Earlier this month, Trend Micro linked the adversary to NTLM relay attacks that have targeted high-value entities since at least April 2022. The intrusions targeted organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.


CVE-2024-21410 adds to two other Windows flaws – CVE-2024-21351 (CVSS score: 7.6) and CVE-2024-21412 (CVSS score: 8.1) – that have been patched by Microsoft this week and actively weaponized in real-world attacks.

The exploitation of CVE-2024-21412, a bug that enables a bypass of Windows SmartScreen protections, has been attributed to an advanced persistent threat dubbed Water Hydra (aka DarkCasino), which has previously leveraged zero-days in WinRAR to deploy the DarkMe trojan.

“The group used internet shortcuts disguised as a JPEG image that, when selected by the user, allows the threat actor to exploit CVE-2024-21412,” Trend Micro said. “The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of its attack chain.”


Microsoft’s Patch Tuesday update also addresses CVE-2024-21413, another critical shortcoming affecting the Outlook email software that could result in remote code execution by trivially circumventing security measures such as Protected View.

Codenamed MonikerLink by Check Point, the issue “allows for a wide and serious impact, varying from leaking of local NTLM credential information to arbitrary code execution.”

The vulnerability stems from the incorrect parsing of “file://” hyperlinks: appending an exclamation mark to a URL that points to a payload hosted on an attacker-controlled server (e.g., “file:///\\10.10.111.111\test\test.rtf!something”) causes Outlook to mishandle the link.

“The bug not only allows the leaking of the local NTLM information, but it may also allow remote code execution and more as an attack vector,” the cybersecurity firm said. “It could also bypass the Office Protected View when it’s used as an attack vector to target other Office applications.”

SystemBC Malware’s C2 Server Analysis Exposes Payload Delivery Tricks
http://www.indiavpn.org/2024/01/25/systembc-malwares-c2-server-analysis-exposes-payload-delivery-tricks/
Thu, 25 Jan 2024 15:20:00 +0000

Jan 25, 2024 | Newsroom | Remote Access Trojan


Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC.

“SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP,” Kroll said in an analysis published last week.

The risk and financial advisory solutions provider said it has witnessed an increase in the use of the malware throughout Q2 and Q3 2023.

SystemBC, first observed in the wild in 2018, allows threat actors to remotely control a compromised host and deliver additional payloads, including trojans, Cobalt Strike, and ransomware. It also supports launching ancillary modules on the fly to expand on its core functionality.


A standout aspect of the malware revolves around its use of SOCKS5 proxies to mask network traffic to and from C2 infrastructure, acting as a persistent access mechanism for post-exploitation.

Customers who end up purchasing SystemBC are provided with an installation package that includes the implant executable, Windows and Linux binaries for the C2 server, and a PHP file for rendering the C2 panel interface, alongside instructions in English and Russian that detail the steps and commands to run.

The C2 server executables — “server.exe” for Windows and “server.out” for Linux — open at least three TCP ports: one for C2 traffic, one for inter-process communication (IPC) between the server and the PHP-based panel interface (typically port 4000), and one for each active implant (aka bot).

The server component also makes use of three other files to record information regarding the interaction of the implant as a proxy and a loader, as well as details pertaining to the victims.

The PHP-based panel, on the other hand, is minimalist in nature and displays a list of active implants at any given point of time. Furthermore, it acts as a conduit to run shellcode and arbitrary files on a victim machine.

“The shellcode functionality is not only limited to a reverse shell, but also has full remote capabilities that can be injected into the implant at runtime, while being less obvious than spawning cmd.exe for a reverse shell,” Kroll researchers said.

The development comes as the company also shared an analysis of an updated version of DarkGate (version 5.2.3), a remote access trojan (RAT) that enables attackers to fully compromise victim systems, siphon sensitive data, and distribute more malware.


“The version of DarkGate that was analyzed shuffles the Base64 alphabet in use at the initialization of the program,” security researcher Sean Straw said. “DarkGate swaps the last character with a random character before it, moving from back to front in the alphabet.”

Kroll said it identified a weakness in this custom Base64 alphabet that makes it trivial to decode the on-disk configuration and keylogging outputs, which are encoded using the alphabet and stored within an exfiltration folder on the system.

“This analysis enables forensic analysts to decode the configuration and keylogger files without needing to first determine the hardware ID,” Straw said. “The keylogger output files contain keystrokes stolen by DarkGate, which can include typed passwords, composed emails and other sensitive information.”

Backup and Recovery Strategies for Exchange Server Administrators
http://www.indiavpn.org/2024/01/19/backup-and-recovery-strategies-for-exchange-server-administrators/
Fri, 19 Jan 2024 12:57:43 +0000


In the current digital landscape, data has emerged as a crucial asset for organizations, akin to currency: it is the lifeblood of any organization in today’s interconnected world, and safeguarding it is of paramount importance. That importance is magnified in on-premises Exchange Server environments, where vital business communication and email are stored and managed.

In this article, you will learn about the evolving threats of data loss, the shift in responsibilities of administrators, and key backup and recovery strategies for preventing data loss in the Exchange Server environment.

Data Loss Scenarios in Exchange Servers

Data loss in on-premises Exchange Server environments has become increasingly common. Cybersecurity threats, like ransomware attacks, have emerged as a significant cause of data loss in recent years, with many financially motivated threat actors increasingly targeting vulnerabilities in Exchange Servers. These attackers try to exploit vulnerabilities, such as ProxyLogon, to gain unauthorized access to the server or to users’ email accounts.

Besides vulnerabilities in the system, hardware failure and human errors can also cause data loss in on-premises Exchange Servers. According to a study by Gartner, it is estimated that 30% of organizations will experience an incident involving data loss caused by a negligent employee by 2025.

Evolving Role of Exchange Server Administrators

The role of Exchange Server administrators has significantly evolved in recent years due to increasing malware/ransomware attacks, forcing them to quickly adapt and act as guardians to protect the organizations’ data and reputation.

However, the complexity of managing huge volumes of data in modern on-premises Exchange Server environments has also increased substantially. Today, administrators need to navigate the complexity of the Exchange Server environment, which is primarily driven by factors such as requirements for enhanced security measures to fight against sophisticated cybercriminals and newer threats.

Understanding the Stakes

The consequences of data loss in Exchange Server environments are profound.

1. Financial Losses

Financial losses are one of the most common consequences of data loss. The operations of an organization are supported by data. If the data is lost, it means the organization loses not only its ability to generate income but also its ways of operating. In addition, when data is lost, a considerable amount of resources are channeled towards data recovery.

2. Reputational Damage

Building trust takes time. However, losing it takes only one bad decision. A data breach or ransomware attack can severely tarnish an organization’s reputation in the market, breaking customers’ or clients’ trust. Nobody wants to end up in the headlines of the media for all the wrong reasons.

3. Downtime and Lack of Business Continuity

Email communication is essential for daily operations. Loss of critical data can disrupt workflow and hamper productivity, which can have severe implications on the organization.

A report by IDC states that the average cost of downtime due to data loss in a mid-sized organization is approximately $1.25 million per year.

4. Business Closure

Data loss can potentially lead to an organization’s bankruptcy or closure. According to the University of Texas, 94% of companies that suffer from catastrophic data loss do not survive. Out of these, 43% never reopened, and 51% closed within two years.

5. Regulatory and Legal Fines

Businesses are obliged by the data protection laws, rules, regulations, and industry standards. Failing to do so can have severe implications, such as hefty fines. Legal actions can also undermine your organization’s reputation.

Prevent Data Loss – Develop a Thoughtful Backup Strategy

The most common reason for data loss in Exchange Servers is database corruption or damage. To safeguard against data loss, administrators need a comprehensive backup strategy tailored to their Exchange Server environments.

Below are some Exchange Server backup methods and strategies that administrators can follow to prevent permanent data loss.

1. Utilize VSS-Based Backup

Exchange Server supports Volume Shadow Copy Service (VSS)-based backups. You can use the Exchange-aware Windows Server Backup application with a VSS plug-in to back up active and passive Exchange database copies and restore the backed-up database copies.

2. Backup Combination

Exchange administrators should ideally use a combination of full and incremental backups. Full backups capture the entire Exchange Server database, while Exchange Server incremental backups capture and store the changes since the last full backup.

In addition, there are differential backups that record changes since the last full backup without truncating transaction logs. However, these are used less frequently due to their complexity.

3. Transaction Log Management

Transaction logs play a crucial role in maintaining database consistency, and they are also critical for database recovery on Exchange Servers. When you perform a full backup, it automatically truncates the transaction logs to save disk storage. Thus, always back up the transaction logs before performing a full backup.

4. Circular Logging

Circular logging is disabled in Exchange Server by default. However, administrators can enable it to truncate the database logs automatically. You can use this when the transaction logs are not purging automatically after a full backup.

5. Follow the 3-2-1 Backup Rule

Follow the 3-2-1 backup strategy to protect your Exchange Server data from permanent loss. The strategy simply states that you must have the following:

  • At least three copies of your data, kept on two different types of media, such as disk and tape.
  • One copy stored off-site or in a remote location, so that a natural, man-made, or geographical disaster cannot damage all the backup copies at once (disaster recovery).
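The backup steps above come down to three questions an administrator should be able to answer for every database at any time: when was it last backed up, is that backup fresh enough for the retention policy, and is circular logging silently discarding transaction logs that no backup has captured? The following Exchange Management Shell script is an added example, not code from the article or from any vendor it mentions; it assumes a 24-hour backup policy (the `$maxAgeHours` value) and uses only the `Get-MailboxDatabase -Status` properties that Exchange populates for backup timestamps and circular logging.

```powershell
# Added example (not from the article): audit every mailbox database for backup
# recency and for circular logging, which truncates logs that no backup has captured.
$maxAgeHours = 24   # assumption: policy requires a full or incremental backup daily

$report = Get-MailboxDatabase -Status | ForEach-Object {
    # -Status is required, otherwise the backup timestamp properties are empty.
    $lastAny = @($_.LastFullBackup, $_.LastIncrementalBackup, $_.LastDifferentialBackup) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    $finding =
        if (-not $lastAny)                                            { 'NEVER BACKED UP' }
        elseif (((Get-Date) - $lastAny).TotalHours -gt $maxAgeHours)  { 'BACKUP STALE' }
        elseif ($_.CircularLoggingEnabled)                            { 'CIRCULAR LOGGING ON: point-in-time recovery not possible' }
        elseif (-not $_.Mounted)                                      { 'DISMOUNTED' }
        else                                                          { 'OK' }

    [pscustomobject]@{
        Database        = $_.Name
        Mounted         = $_.Mounted
        LastFullBackup  = $_.LastFullBackup
        LastAnyBackup   = $lastAny
        HoursSince      = if ($lastAny) { [math]::Round(((Get-Date) - $lastAny).TotalHours, 1) } else { $null }
        CircularLogging = $_.CircularLoggingEnabled
        BackupRunning   = $_.BackupInProgress
        Finding         = $finding
    }
}

# Worst findings first so they are visible at the top of the table.
$report | Sort-Object Finding | Format-Table -AutoSize
```

Run it from the Exchange Management Shell on a schedule and alert on any row that is not `OK`. Circular logging is flagged even when the last backup is fresh, because with it enabled the server overwrites logs as soon as they are committed, so a restore can only go back to the last backup rather than replaying logs up to the moment of failure; that is the trade-off the "Circular Logging" step above leaves unstated.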

Proactive Measures for Data Protection

A proactive approach has been fundamental in preventing data loss. Therefore, administrators should consider the following best practices for data protection:

  • Robust Security Measures: Implement robust security protocols, regularly update security software, and install Exchange Server and Windows updates to protect against threats.
  • Continuous Learning: Continuous learning and training about email security and cyber-attacks among administrators, employees, and customers is critical to stay informed about emerging threats and vulnerabilities.
  • Access Control: Restrict access to sensitive data and implement strong authentication mechanisms. Use role-based access control (RBAC) to restrict access in Windows and Exchange Server environments.

Exchange Server Recovery Strategies

Exchange administrators also need to be ready when it comes to the recovery of corrupt or dismounted databases in case something happens. Here are some strategies that can help in the quick recovery of the database in case of an issue or incident.

1. Recovery Databases

Recovery databases (RDBs) are special Exchange Server databases that allow administrators to mount and extract data from the restored mailbox database. RDBs help in restoring data without impacting the live environment.
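To make the RDB approach concrete, here is an added example of the full cycle: create the recovery database over a restored copy of the files, bring the copy to a clean shutdown, mount it, restore one mailbox into the live mailbox, and remove the RDB afterwards. This is not code from the article or from any vendor it names; the server name `EX01`, the path `D:\RDB01` (where the restored `.edb` and log files are assumed to have been copied and the database file renamed to `RDB01.edb`), the log prefix `E00`, and the user `alice@contoso.example` are all assumptions.

```powershell
# Added example (not from the article): restore a single mailbox through a
# recovery database (RDB) without touching the live mailbox database.
# Assumptions: server EX01, restored files in D:\RDB01, log prefix E00,
# user alice@contoso.example.
$rdbName = 'RDB01'
$rdbPath = 'D:\RDB01'
$edbFile = Join-Path $rdbPath "$rdbName.edb"

# 1. Create the RDB object pointing at the restored database file and log folder.
New-MailboxDatabase -Recovery -Name $rdbName -Server 'EX01' `
    -EdbFilePath $edbFile -LogFolderPath (Join-Path $rdbPath 'Logs')

# 2. A database restored from backup is normally in Dirty Shutdown; replay the
#    logs (soft recovery) so it reaches Clean Shutdown before mounting.
& eseutil.exe /mh $edbFile | Select-String 'State:'        # expect "Dirty Shutdown"
& eseutil.exe /r E00 /l (Join-Path $rdbPath 'Logs') /d $rdbPath
& eseutil.exe /mh $edbFile | Select-String 'State:'        # expect "Clean Shutdown"

# 3. Mount the RDB and list the mailboxes it contains, to confirm the right
#    backup was restored before anything is merged into production.
Mount-Database -Identity $rdbName
Get-MailboxStatistics -Database $rdbName |
    Select-Object DisplayName, ItemCount, TotalItemSize | Format-Table -AutoSize

# 4. Merge one mailbox from the RDB into the user's live mailbox and track progress.
New-MailboxRestoreRequest -SourceDatabase $rdbName -SourceStoreMailbox 'Alice Example' `
    -TargetMailbox 'alice@contoso.example' -AllowLegacyDNMismatch
Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics |
    Select-Object Name, Status, PercentComplete, ItemsTransferred

# 5. Once the request reports Completed, remove it and the RDB so restored
#    mailbox data does not linger mounted on the server. Remove-MailboxDatabase
#    deletes only the database object; delete the files under D:\RDB01 separately.
Get-MailboxRestoreRequest -Status Completed | Remove-MailboxRestoreRequest -Confirm:$false
Dismount-Database -Identity $rdbName -Confirm:$false
Remove-MailboxDatabase -Identity $rdbName -Confirm:$false
```

The restore request merges items into the existing mailbox rather than replacing it, which is what makes this safe to run while users keep working; `-AllowLegacyDNMismatch` is needed when the restored copy predates a mailbox move or the target is a different mailbox than the one the data came from.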

2. Use Exchange Native Data Protection

Exchange Server 2016 and 2019 have capabilities to safeguard data without relying solely on traditional backups.

3. Dial Tone Portability

Administrators can use Dial Tone Portability (also called Dial Tone Recovery). In this approach, an empty Exchange database with the same database name and schema version is created so that users can continue to send and receive new email while the administrators restore and recover the failed database. This method provides continuity during disaster recovery.

4. Exchange Recovery Tools

In case of a server crash, or when the Exchange database backup is unavailable or obsolete, an Exchange recovery tool such as Stellar Repair for Exchange can help administrators extract mailboxes from severely corrupt or damaged Exchange databases. The tool also assists with the dial tone recovery method: it allows recovered mailboxes to be extracted from damaged EDB files and exported to the dial tone database or to any existing healthy database on the same Exchange Server. This helps restore users’ mailboxes and their Outlook connectivity while minimizing downtime and disruption.

Conclusion

Exchange Server administrators play a critical role in protecting crucial business data in an increasingly challenging landscape. The risks associated with data loss are substantial and range from financial repercussions to damage to the organization’s reputation. To mitigate these risks, administrators must develop thoughtful backup strategies and adopt proactive security measures along with robust recovery plans in place.

To mitigate data loss risks, organizations should prioritize backup and recovery strategies. Regularly backing up Exchange Server data and having a well-defined recovery plan can significantly reduce the impact of data loss incidents.

8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware
http://www.indiavpn.org/2023/12/24/8220-gang-exploiting-oracle-weblogic-server-vulnerability-to-spread-malware/
Sun, 24 Dec 2023 23:58:15 +0000

Dec 19, 2023 | Newsroom | Cryptojacking / Cyber Threat


The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware.

The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers.

“This vulnerability allows remote authenticated attackers to execute code using a gadget chain and is commonly chained with CVE-2020-14882 (an authentication bypass vulnerability also affecting Oracle Weblogic Server) or the use of leaked, stolen, or weak credentials,” Imperva said in a report published last week.


The 8220 Gang has a history of leveraging known security flaws to distribute cryptojacking malware. Earlier this May, the group was spotted utilizing another shortcoming in Oracle WebLogic servers (CVE-2017-3506, CVSS score: 7.4) to rope the devices into a crypto mining botnet.

Recent attack chains documented by Imperva entail the exploitation of CVE-2020-14883 to specially craft XML files and ultimately run code responsible for deploying stealer and coin mining malware such as Agent Tesla, rhajk, and nasqa.


“The group appears to be opportunistic when selecting their targets, with no clear trend in country or industry,” Imperva security researcher Daniel Johnston said.

Targets of the campaign include the healthcare, telecommunications, and financial services sectors in the U.S., South Africa, Spain, Colombia, and Mexico.

“The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives,” Johnston added. “While considered unsophisticated, they are constantly evolving their tactics and techniques to evade detection.”
