Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won't stop attacking it, security experts say.

Microsoft's official end-of-support for the Internet Explorer 11 desktop application on June 15 relegated to history a browser that's been around for almost 27 years. Even so, IE still likely will provide a juicy target for attackers.

That's because some organizations are still using Internet Explorer (IE) despite Microsoft's long-known plans to deprecate the technology. Microsoft meanwhile has retained the MSHTML (aka Trident) IE browser engine as part of Windows 11 until 2029, allowing organizations to run in IE mode while they transition to the Microsoft Edge browser. In other words, IE isn't dead just yet, nor are threats to it.

Though IE has a negligible share of the browser market worldwide these days (0.52%), many enterprises still run it or have legacy applications tied to IE. This appears to be the case in countries such as Japan and Korea. Stories in Nikkei Asia and Japan Times this week quoted a survey by Keyman's Net showing that nearly 49% of 350 Japanese companies surveyed are still using IE. Another report in South Korea's MBN pointed to several large organizations still running IE.

"Internet Explorer has been around for over 20 years and many companies have invested in using it for many things beyond just Web browsing," says Todd Schell, senior product manager at Ivanti. There are still enterprise applications tied closely to IE that often are running older, customized scripts on their website or have apps that may require older scripts. "For example, companies may have built extensive scripts that generate and then display reports in IE. They have not invested in updating them to use HTML 5 for Edge or other modern browsers."

Such organizations face the sort of security issues associated with every other software technology that is no longer supported. Running IE 11 as a standalone app past its end of support date means that previously unknown — or worse yet, known but unpatched — vulnerabilities can be exploited going forward, Schell says.

"This is true for any application or operating system but has historically been an even bigger issue for browsers, which have such widespread use," Schell says. It's hard to say how many organizations worldwide are presently stuck using a technology that is no longer supported because they did not migrate away sooner. But judging by the fact that Microsoft will continue to support compatibility mode in Edge until 2029, IE likely remains in widespread use, he notes.

Any organization that hasn't already should prioritize moving away from IE because of the security implications, says Claire Tills, senior research engineer at Tenable. "The end of support means that new vulnerabilities will not get security patches if they don't meet a certain criticality threshold and, even in those rare cases, those updates will only be available to customers who have paid for Extended Security Updates," she says.

**Bugs Still Abound**

Microsoft Edge has now officially replaced the Internet Explorer 11 desktop app on Windows 10. But the fact that the MSHTML engine will exist as part of the Windows operating system through 2029 means organizations are at risk of vulnerabilities in the browser engine — even if they are no longer using IE.

According to Maddie Stone, security researcher at Google's Project Zero bug hunting team, IE has had a fair number of zero-day bugs over the past years, even as its use shrank. Last year, for example, the Project Zero team tracked four zero-days in IE — the most since 2016, when the same number of zero-days were discovered in the browser. Three of the four zero-day vulnerabilities last year (CVE-2021-26411, CVE-2021-33742, and CVE-2021-40444) targeted MSHTML and were exploited via methods other than the Web, Stone says.

"It's not clear to me how Microsoft may or may not lock down access to MSHTML in the future," Stone says. "But if the access stays as it is now it means that attackers can exploit vulnerabilities in MSHTML through routes such as Office documents and other file types as we saw last year" with the three MSHTML zero-days, she says. The number of zero-day exploits detected in the wild targeting IE components has been pretty consistent from 2015 to 2021 and suggests that the browser remains a popular target for attackers, Stone says.

Tenable's Tills notes that one of the more widely exploited vulnerabilities in a Microsoft product in 2021 was in fact CVE-2021-40444, a remote code execution zero day in MSHTML. The vulnerability was exploited extensively in phishing attacks by everything from ransomware-as-a-service operators to advanced persistent threat groups.

"Given that Microsoft will continue to support MSHTML, organizations should examine the mitigations for vulnerabilities like CVE-2021-40444 and determine which they can adopt long term to reduce the risk of future vulnerabilities," Tills notes.

**The Usual Mitigations**

Microsoft was not available as of this post to comment on the issue of potential risk for organizations from attacks targeting MSHTML. But Ivanti's Schell says it is reasonable to assume that Microsoft has provided proper security and sandboxing around MSHTML when running in IE compatibility mode. He says Microsoft can monitor and provide any needed updates to MSHTML since it is a supported product and feature. The best mitigation, as always, is for organizations to keep their software, OS, and browser updated and ensure antiviral and malware detection mechanisms are up-to-date as well.

"MSHTML is now just one of many libraries that we have in Windows 11," says Johannes Ullrich, dean of research at the SANS Institute. "Of course, it is a complex one, and one that still has a significant but somewhat reduced attack surface," he notes. So, the best mitigation for organizations is to keep patching Windows when updates become available, he says.

"IE is still popular enough to be a worthwhile target" for attackers, Ullrich adds.

Even so, the continuing number of zero-days being discovered in IE doesn't necessarily mean that attackers have suddenly intensified their interest in attacking it. "It may just be that it was easier to find vulnerabilities using newer tools in the old IE codebase," Ullrich says.

Internet Explorer Now Retired but Still an Attacker Target

SharePoint and OneDrive libraries can be encrypted in ransomware attack, researchers say.

Enterprise cloud services like Microsoft 365 leave enterprises open to ransomware threat actors who want to encrypt files saved in SharePoint Online and OneDrive libraries, researchers warn.   

The new target marks a potential pivot point for ransomware attackers running out of luck focusing on endpoints and network drives and might find less resistance attacking cloud infrastructure, new research from Proofpoint says. The team was able to document the attack chain from initial credential compromise to account takeover, discovery, exfiltration, and, ultimately, the ransom demand. 

"Until now, IT and security teams felt that cloud drives would be more resilient to ransomware attacks," the Proofpoint team wrote along with their findings. "After all, the now-familiar 'AutoSave' feature along with versioning and the good old recycle bin for files should have been sufficient as backups. However, that may not be the case for much longer."  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft 365 Function Leaves SharePoint, OneDrive Files Open to Ransomware Attacks

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half.  
But after spending a few days on the show floor and interacting with everyone, there are a...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half.  

But after spending a few days on the show floor and interacting with everyone, there are a few things that stand out to me about the state of security and what people are interested in at Cisco Live. So, I wanted to take some time to highlight a few things that stood out to me at this year’s Cisco Live. _Editor's note: The Threat Source newsletter will be on a summer break next week, so no new edition!_ 

**Don’t think about the worst **

A lot of our lightning talks at the Cisco Secure Pub this week centered around some crazy days, many of which left us scrambling — the Colonial Pipeline ransomware attack, Log4J, Kaseya, you name it. The problem is no one wants to think about how awful these days are. 

During these talks, I saw a lot of heads in the audience nodding around how we need to be prepared for the worst, but no one wants to talk about that. Who wants to be the one to predict the next Log4J? Unfortunately, it’s going to happen, we just don’t know when. That’s why things like Incident Response plans and playbooks are so important. 

You may not want to talk about the toughest day of your professional career, but it’s going to come, so we may as well embrace it and be ready. 

**A wink and a nod **

Speaking of these major incidents, it seems like a ton of major security events have happened since the last Cisco Live in person. While they were happening, it was all anyone could talk about. But in person, words like “SolarWinds” and “Kaseya” were all spoken in hush tones or were just vaguely referenced to in-person like “back then” or “the dark times.”  

If we are going to truly learn from these events, I feel like we need to speak about them openly and honestly. I try to have a judgment-free security zone because eventually, a breach is going to happen to everyone. So the point is not to shame someone when it happens, we should be discussing the lessons learned openly so we can do better next time, rather than trying to brush it under the rug. 

During these stretches, we were all busy and stressed and it made for some late nights. That’s OK, and it should be OK to talk about that, even if you’re within earshot of someone who was involved.

**We can’t replicate everything over the internet **

The future is hybrid work, there’s no doubt about it. And I’d be the first person to tell you I prefer working from home versus commuting to the office today. But I must admit — it’s tough to replicate the connections at conferences and shows over Webex. 

Meetings and 1:1 check-ins work great for virtual meeting platforms, but there’s something about just making a personal connection in-person to a stranger. I was working at the Talos booth this week and struck up a conversation with someone who worked in network operations for an NFL team. Being a huge NFL fan, I had all sorts of questions to ask about the ins and outs of his job and the organization, especially given Cisco Talos Incident Response’s recent work at the Super Bowl and NFL draft. 

Unfortunately, this isn’t something we’ve been able to capture virtually. That operations person and I exchanged information on what we’re seeing in the field, what pain points exist and even got to talking about the NFL offseason. My wife, boss and parents would be shocked to hear me say this — but I actually missed talking to people in person.    

**The one big thing **

Microsoft’s Patch Tuesday for this month included 40 high-severity vulnerabilities, including one critical issue. The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a severity score of near-maximum 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to an NFS service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version NFSV4.1 and restart the NFS server or reboot the machine. 

> **Why do I care? **This month’s round of updates also includes a fix for the high-profile Follina vulnerability disclosed a few weeks ago. Attackers are actively exploiting this in the wild to deliver malware, so this is especially important to patch for immediately. Also, this release marks the official end of Internet Explorer, the Microsoft browser that’s been around for more than 25 years. As of Tuesday, Microsoft stopped officially supporting most versions of Explorer and disabled the IE desktop application. All Explorer users are encouraged to switch over to Microsoft Edge (or another web browser).   
> **So now what? **Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. And it goes without saying, but all Microsoft users should update their products as soon as possible. 

**Other news of note**

U.S. defense contractor L3Harris is in talks to acquire the controversial Israeli tech company NSO Group, the creators of the Pegasus spyware. Pegasus is known to be used by threat actors to track unwilling targets, including activists, journalists and government leaders. This has set off alarm bells for privacy experts and those following national security, and some are even calling on the White House to preemptively block any sort of deal. NSO Group is currently on a U.S. blacklist for working “contrary to the foreign policy and national security interests of the U.S.” (The Guardian, Haaretz) 

Apple unveiled the newest version of its iOS operating system for iPhones last week, including several new security features and improvements. Users will no longer have to download standalone versions of the operating system to implement security updates, and instead, the patches will be installed automatically. Another new feature is the ability to edit and unsend iMessages. However, security and privacy experts worry this ability could allow stalkers, harassers, and abusers to contact their victims and then hide any trace of their messages, leading some people to call on Apple to change the feature. (9To5Mac, Mac Rumors) 

A newly discovered Linux malware is extremely difficult to detect while spreading silently across a network. Security researchers call this campaign “Symbiote,” and it's already been spotted in the wild. Symbiote infects running Linux processes and steals user credentials, gains rootkit functionality and installs a backdoor for remote access. Once it infects the processes, it can become difficult to detect by the typical security software, and some researchers are wondering if it’s even possible to detect this attack. (ThreatPost, Ars Technica) 

**Can’t get enough Talos? **

*   Boosting Security Resilience and Defending the IT Ecosystem
*   Businesses need to be more aggressive with their cyber security, Cisco warns
*   Cisco unveils sweeping new cloud capabilities, SASE and WAN forecasting offerings
*   Deepfake attacks expected to be next major threat to businesses  
    

  

**Upcoming events where you can find Talos **

**BlackHat** **U.S.** (Aug. 6 - 11, 2022)  
Las Vegas, Nevada 

**DEF CON U.S.** (Aug. 11 - 14, 2022)  
Las Vegas, Nevada 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** b2ef49a10d07df6db483e86516d2dfaaaa2f30f4a93dd152fa85f09f891cd049   
**MD5:** 067f9a24d630670f543d95a98cc199df **Typical Filename:** RzxDivert32.sys **Claimed Product:** WinDivert 1.4 driver   
**Detection Name:** W32.B2EF49A10D-95.SBX.TG 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 **MD5:** 8c69830a50fb85d8a794fa46643493b2   
**Typical Filename:** AAct.exe **Claimed Product:** N/A    
**Detection Name:** PUA.Win.Dropper.Generic::1201

Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live

A secure Web browser takes the top prize, and for the second year in a row malware detection is an afterthought.

**RSA CONFERENCE 2022 –** RSAC's Innovation Sandbox is a _Shark Tank_\-like competition, bringing 10 startup finalists to present onstage before judges.

Talon Security seized the first-place prize with a bold vision for the corporate Web browser of the future. For those thinking the browser is too competitive a market to take on, Talon's pitch makes intriguing arguments.

Deploying any kind of traditional security controls or software across operating systems, and into third-party contractors or personal devices, is logistically difficult or impossible. Yet Web browsers can be deployed by any user without admin privileges. In 2019, Microsoft consolidated under Google's open source Chromium code base, so Talon's Chromium browser should enjoy broad device and Web compatibility.

After requiring users to have Talon's browser to access their clouds, corporations then gain centralized management to control access levels. Talon ensures privileged data stays contained within the browser, as it can block saving, screen capture, or cut and paste.

Talon is not the only startup stretching our understanding of security's future. With these nine other innovative finalists, three trends have emerged.

**Core Security Still Being Reimagined**

Many of these entrepreneurs proposed bold visions for reimagining cloud security. Zero trust has been a popular approach, centralizing continuous authorization, device attestation, and taking the least-privilege approach in the cloud. Sharon Goldberg, CEO of the second-place finisher, BastionZero, takes issue with even calling today's solutions zero trust, "when really they create a single point of compromise."

BastionZero's founders came out of the cryptography world, where decentralized encryption, such as that in Bitcoin, and Transport Layer Security (TLS) are common. BastionZero enables engineers and build processes to authenticate to the cloud using multiple roots of trust. With this differentiator, if one root is compromised, organizations still maintain control.

Attack surface management company SevCo is the brainchild of JJ Guy and Greg Fitzgerald, the founders of Carbon Black and Cylance, respectively. Attempts at device inventories have always been an industry failure, and the problem has become worse with our remote and rapidly churning workforce.

SevCo's real-time streaming platform continuously correlates inventory from many sources through APIs. They record suspicious changes over time and are expecting to tame the problem of unmanaged and malicious devices reaching into clouds.

**Risk Management for Data, Privacy, and DevOps**

Unlike past years at Innovation Sandbox, the majority of 2022 finalists sell to users who do not report to the CISO. Talon's Web browser, SevCo's IT inventory, and BastionZero's authentication are more likely to fall under the CIO. Judges are surely sensitive to the demand for securing post-cloud IT infrastructure and defending digitization across organizations.

Another trio of startups in the competition emphasized working across these departments. Dasera frees data security that's been siloed within data, IT, and privacy teams. It visualizes data context, automates workflows, and coordinates policy and actions. Dasera ends up being a single pane of glass to visualize and manage data security across multiple departments and throughout its life cycle.

Torq is using a no-code approach that's seen recent success in automating cloud operations. It allows security professionals to visually build automation without the help of programmers, reducing costs. In addition to automating incident response, Torq can seamlessly coordinate with IT on the growing backlog of account provisioning, caused by identity attacks.

SecDevOps startup Cycode reaches across the organization to defend DevOps' entire pipeline: from application code to open source libraries and deployment paths. Cycode also automates remediation workflows to reduce costs.

**Cloud Security Focuses on APIs, Over-Permissioning**

Malware is still big on endpoints but receives less emphasis in cloud security. It's difficult for hackers to ensure their malware runs in the cloud near the data they target, especially with technologies like "serverless" containers and lambda functions. From what we know today, hackers are more likely to make API calls into or across the cloud, often sitting at their own devices behind anonymized IPs.

The cloud's crown jewels are applications and APIs that are exposed to the outside by design, said Neosec founder Giora Engel. Attackers can access them directly with credentials — whether legitimate or stolen. Hence the cloud security adage, "Hackers don’t break in, they log in." Neosec leverages API gateways, like Google Apigee. It discovers an organization's APIs, detects their vulnerabilities, and monitors use and abuse. Neosec wields behavioral analytics and offers a managed detection and response service on top.

Lightspin also doesn't focus on malware detection but manages cloud posture and protects workloads through a unique graph technology. Less-experienced analysts can visualize the most critical attack paths where vulnerabilities and configurations need closing. It's one of the easier products to use in its space.

Meanwhile, Cado Security brings forensics and incident response to cloud workloads. Instead of placing agents inside these workloads, Cado obtains cloned images of their disk, memory, and surrounding logfiles. Since offline forensic analysis has zero impact on high-availability workloads, cloud forensics has exciting potential.

Cado is one of the few examining binary files and processes inside workloads. It doesn't tout specific malware detection, yet allows searching for malware indicators and visualizing timelines.

Araali Networks is bucking the trend and places agents into the private cloud, leveraging Kubernetes DaemonSets and Linux's extended Berkeley Packet Filter (eBPF). Araali examines network traffic, enforces policies, and blocks malicious code.

Innovation Sandbox 2022 was a barometer for the rapid industry changes that are underway to secure the cloud. Cybersecurity must defend digitization across IT, data, privacy, and DevOps. It's a different world, where threats are a lot bigger than just malware.

RSAC Startup Competition Focuses on Post-Cloud IT Infrastructure

Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks.
Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, followed by carrying out credential theft and lateral movement activities, before harvesting intellectual property and

Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks.

Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, carrying out credential theft and lateral movement activities, before harvesting intellectual property and dropping the ransomware payload.

The entire sequence of events played out over the course of two full weeks, the Microsoft 365 Defender Threat Intelligence Team said in a report published this week.

"In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in," the researchers said, pointing out how "no two BlackCat 'lives' or deployments might look the same."

BlackCat, also known by the names ALPHV and Noberus, is a relatively new entrant to the hyperactive ransomware space. It's also known to be one of the first cross-platform ransomware written in Rust, exemplifying a trend where threat actors are switching to uncommon programming languages in an attempt to evade detection.

The ransomware-as-a-service (RaaS) scheme, irrespective of the varying initial access vectors employed, culminates in the exfiltration and encryption of target data that's then held ransom as part of what's called double extortion.

The RaaS model has proven to be a lucrative gig economy-style cybercriminal ecosystem consisting of three different key players: access brokers (IABs), who compromise networks and maintain persistence; operators, who develop and maintain the ransomware operations; and affiliates, who purchase the access from IABs to deploy the actual payload.

According to an alert released by the U.S. Federal Bureau of Investigation (FBI), BlackCat ransomware attacks have victimized at least 60 entities worldwide as of March 2022 since it was first spotted in November 2021.

Furthermore, Microsoft said that "two of the most prolific" affiliate threat groups, which have been associated with several ransomware families such as Hive, Conti, REvil, and LockBit 2.0, are now distributing BlackCat.

This includes DEV-0237 (aka FIN12), a financially motivated threat actor that was last seen targeting the healthcare sector in October 2021, and DEV-0504, which has been active since 2020 and has a pattern of shifting payloads when a RaaS program shuts down.

"DEV-0504 was responsible for deploying BlackCat ransomware in companies in the energy sector in January 2022," Microsoft noted last month. "Around the same time, DEV-0504 also deployed BlackCat in attacks against companies in the fashion, tobacco, IT, and manufacturing industries, among others."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

BlackCat Ransomware Gang Targeting Unpatched Microsoft Exchange Servers

A "dangerous piece of functionality" has been discovered in Microsoft 365 suite that could be potentially abused by a malicious actor to ransom files stored on SharePoint and OneDrive and launch attacks on cloud infrastructure.
The cloud ransomware attack makes it possible to launch file-encrypting malware to "encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable

A "dangerous piece of functionality" has been discovered in Microsoft 365 suite that could be potentially abused by a malicious actor to ransom files stored on SharePoint and OneDrive and launch attacks on cloud infrastructure.

The cloud ransomware attack makes it possible to launch file-encrypting malware to "encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker," Proofpoint said in a report published today.

The infection sequence can be carried out using a combination of Microsoft APIs, command-line interface (CLI) scripts, and PowerShell scripts, the enterprise security firm added.

The attack, at its core, hinges on a Microsoft 365 feature called AutoSave that creates copies of older file versions as and when users make edits to a file stored on OneDrive or SharePoint Online.

It commences with gaining unauthorized access to a target user's SharePoint Online or OneDrive account, followed by abusing the access to exfiltrate and encrypt files. The three most common avenues to obtain the initial foothold involve directly breaching the account via phishing or brute-force attacks, tricking a user into authorizing a rogue third-party OAuth application, or taking over the web session of a logged-in user.

But where this attack stands apart from traditional endpoint ransomware activity is that the encryption phase requires locking each file on SharePoint Online or OneDrive more than the permitted versioning limit.

Microsoft elaborates the versioning behavior in its documentation as follows -

_Some organizations allow unlimited versions of files and others apply limitations. You might discover, after checking in the latest version of a file, that an old version is missing. If your most recent version is 101.0 and you notice that there is no longer a version 1.0, it means that the administrator configured the library to allow only 100 major versions of a file. The addition of the 101st version causes the first version to be deleted. Only versions 2.0 through 101.0 remain. Similarly, if a 102nd version is added, only versions 3.0 through 102.0 remain._

By leveraging the access to the account, an attacker can either create too many versions of a file or alternatively reduce the version limit of a document library to a lower such as "1" and then proceed to encrypt each file twice.

"Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account," the researchers explained. "At this point, the attacker can ask for a ransom from the organization."

Microsoft, in response to the findings, pointed out that older versions of files can be potentially recovered and restored for an additional 14 days with the assistance of Microsoft Support, a process that Proofpoint found to be unsuccessful.

We have reached out to the tech giant for further comment, and we will update the story if we hear back.

To mitigate such attacks, it's recommended to enforce a strong password policy, mandate multi-factor authentication (MFA), and prevent large-scale data downloads to unmanaged devices.

"Files stored in a hybrid state on both endpoint and cloud such as through cloud sync folders will reduce the impact of this novel risk as the attacker will not have access to the local/endpoint files," the researchers said. "To perform a full ransom flow, the attacker will have to compromise the endpoint and the cloud account to access the endpoint and cloud-stored files."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

A Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files Hostage

Attackers could also potentially gain access to various internal services, researcher warns

Attackers could also potentially gain access to various internal services, researcher warns

A memcached injection vulnerability in business webmail platform Zimbra could allow attackers to steal login credentials without user interaction, security researchers have revealed.

Zimbra, an open source alternative to services including Microsoft Exchange, is used by more than 200,000 businesses and more than 1,000 government and financial institutions worldwide, according to its developer, Synacor.

Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource), has documented how unauthenticated attackers could poison an unsuspecting victim’s cache.

It is then possible to steal cleartext credentials from the Zimbra instance, when the mail client connects to the Zimbra server, as demonstrated in the following proof-of-concept video:

Because newline characters () were not escaped in untrusted user input, attackers could inject arbitrary memcached commands into a targeted instance and trigger an overwrite of arbitrary cached entries.

Memcached servers store key/value pairs that can be set and retrieved with a simple text-based protocol and interpret incoming data line by line.

**Escalation risk**

Zimbra users have been urged to upgrade their installations immediately, given the potential impact of successful exploitation.

**RECOMMENDED** Oblivious DNS-over-HTTPS offers privacy enhancements to secure lookup protocol

The severity of the vulnerability (CVE-2022-27924) is listed as ‘high’ (CVSS 7.5) rather than ‘critical’, but once a mailbox is breached, “attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information”, Scannell warned.

“With mail access, attackers can reset passwords, impersonate their victims, and silently read all private conversations within the targeted company.”

**Continuous injections**

Attackers could poison victims’ IMAP route cache entries by ascertaining the victim’s email address – an easy enough task with OSINT methods – but the researchers also successfully deployed response smuggling to steal cleartext credentials without first obtaining this information.

“By continuously injecting more responses than there are work items into the shared response streams of Memcached, we can force random Memcached lookups to use injected responses instead of the correct response,” explained Scannell.

“This works because Zimbra did not validate the key of the Memcached response when consuming it. By exploiting this behavior, we can hijack the proxy connection of random users connecting to our IMAP server without having to know their email addresses.”

**Holding the newline**

The flaw affects both open source and commercial versions of Zimbra in their default configurations.

The flaws were reported on March 11 and an initial fix, released on March 31, failed to properly address the issue. The comprehensively patched versions are 8.8.15 with patch level 31.1 and 9.0.0 with patch level 24.1.

Catch up with the latest security research news

“Zimbra patched the vulnerability by creating a SHA-256 hash of all Memcache keys before sending them to the Memcache server,” said Scannell. “As the hex-string representation of a SHA-256 can’t contain whitespaces, no new-lines can be injected anymore.”

**Sonar disclosed the flaw on June 14.**

Scannell concluded his write-up by observing that cross-site scripting (XSS) and SQL injection flaws arising from a lack of input escaping “have been well known and documented for decades”, but that “other injection vulnerabilities can occur that are less known and can have a critical impact”.

As a consequence, Scannell recommends that developers “be aware of special characters that should be escaped when dealing with technology where less documentation and research about potential vulnerabilities exists”.

The vulnerability has emerged four months after Zimbra released a hotfix for an XSS flaw whose abuse underpinned a series of sophisticated spear-phishing campaigns linked to an unknown Chinese threat group.

Sonar also discovered a pair of Zimbra vulnerabilities last year that, if combined, allowed unauthenticated attackers to gain control of Zimbra servers.

**RELATED** Horde Webmail contains zero-day RCE bug with no patch on the horizon

Business email platform Zimbra patches memcached injection flaw that imperils user credentials

New details connect police in India to a plot to plant evidence on victims' computers that led to their arrest.

police forces around the world have increasingly used hacking tools to identify and track protesters, expose political dissidents’ secrets, and turn activists’ computers and phones into inescapable eavesdropping bugs. Now, new clues in a case in India connect law enforcement to a hacking campaign that used those tools to go an appalling step further: planting false incriminating files on targets’ computers that the same police then used as grounds to arrest and jail them. 

More than a year ago, forensic analysts revealed that unidentified hackers fabricated evidence on the computers of at least two activists arrested in Pune, India, in 2018, both of whom have languished in jail and, along with 13 others, face terrorism charges. Researchers at security firm Sentinel One and nonprofits Citizen Lab and Amnesty International have since linked that evidence fabrication to a broader hacking operation that targeted hundreds of individuals over nearly a decade, using phishing emails to infect targeted computers with spyware, as well as smartphone hacking tools sold by the Israeli hacking contractor NSO Group. But only now have Sentinel One’s researchers revealed ties between the hackers and a government entity: none other than the very same Indian police agency in the city of Pune that arrested multiple activists based on the fabricated evidence.

“There’s a provable connection between the individuals who arrested these folks and the individuals who planted the evidence,” says Juan Andres Guerrero-Saade, a security researcher at Sentinel One who, along with fellow researcher Tom Hegel, will present findings at the Black Hat security conference in August. “This is beyond ethically compromised. It is beyond callous. So we’re trying to put as much data forward as we can in the hopes of helping these victims.”

Sentinel One’s new findings that link the Pune City Police to the long-running hacking campaign, which the company has called Modified Elephant, center on two particular targets of the campaign: Rona Wilson and Varvara Rao. Both men are activists and human rights defenders who were jailed in 2018 as part of a group called the Bhima Koregaon 16, named for the village where violence between Hindus and Dalits—the group once known as “untouchables”—broke out earlier that year. (One of those 16 defendants, 84-year-old Jesuit priest Stan Swamy, died in jail last year after contracting Covid-19. Rao, who is 81 years old and in poor health, has been released on medical bail, which expires next month. Of the other 14, only one has been granted bail.)

Early last year, Arsenal Consulting, a digital forensics firm working on behalf of the defendants, analyzed the contents of Wilson’s laptop, along with that of another defendant, human rights lawyer Surendra Gadling. Arsenal analysts found that evidence had clearly been fabricated on both machines. In Wilson’s case, a piece of malware known as NetWire had added 32 files to a folder of the computer’s hard drive, including a letter in which Wilson appeared to be conspiring with a banned Maoist group to assassinate Indian prime minister Narendra Modi. The letter was, in fact, created with a version of Microsoft Word that Wilson had never used, and that had never even been installed on his computer. Arsenal also found that Wilson’s computer had been hacked to install the NetWire malware after he opened an attachment sent from Varvara Rao’s email account, which had itself been compromised by the same hackers. “This is one of the most serious cases involving evidence-tampering that Arsenal has ever encountered,” Arsenal’s president, Mark Spencer, wrote in his report to the Indian court.

In February, Sentinel One published a detailed report on Modified Elephant, analyzing the malware and server infrastructure used in the hacking campaign to show that the two cases of evidence fabrication Arsenal had analyzed were part of a much larger pattern: The hackers had targeted hundreds of activists, journalists, academics, and lawyers with phishing emails and malware since as early as 2012. But in that report, Sentinel One stopped short of identifying any individual or organization behind the Modified Elephant hackers, writing only that the “activity aligns sharply with Indian state interests.”

Now the researchers have gone further in nailing down the group’s affiliations. Working with a security analyst at a certain email provider—who also spoke to WIRED but asked that neither they nor their employer be named—Sentinel One learned that three of the victim email accounts compromised by the hackers in 2018 and 2019 had a recovery email address and phone number added as a backup mechanism. For those accounts, which belonged to Wilson, Rao, and an activist and professor at Delhi University named Hany Babu, the addition of a new recovery email and phone number appears to have been intended to allow the hacker to easily regain control of the accounts if their passwords were changed. To the researchers’ surprise, that recovery email on all three accounts included the full name of a police official in Pune who was closely involved in the Bhima Koregaon 16 case.

The three hacked accounts have other fingerprints that link them—and thus the Pune police—to the larger Modified Elephant hacking campaign: The email provider found that the hacked accounts were accessed from IP addresses that Sentinel One and Amnesty International had previously identified as those of Modified Elephant. In the case of Rona Wilson, the email provider security analyst says that Wilson’s email account received a phishing email in April 2018 and then appeared to be compromised by the hackers using those IPs, and at the same time the email and phone number linked to the Pune City Police were added as recovery contacts to the account. The analyst says Wilson’s email account was then itself used to send out other phishing emails to targets in the Bhima Koregaon case for at least two months before Wilson was arrested in June of 2018.

“We generally don’t tell people who targeted them, but I’m kind of tired of watching shit burn,” the security analyst at the email provider told WIRED of their decision to reveal the identifying evidence from the hacked accounts. “These guys are not going after terrorists. They’re going after human rights defenders and journalists. And it’s not right.”

To further confirm the link between the recovery email and phone number on the hacked accounts and the Pune City Police, WIRED turned to Citizen Lab security researcher John Scott-Railton, who along with researchers at Amnesty International had earlier revealed the extent of the hacking campaign against the Bhima Koregaon 16 and shown that the NSO hacking tool Pegasus had been used to target some of their smartphones. To prove that the Pune City Police controlled the recovery contacts on the hacked accounts, Scott-Railton dug up entries in open source databases of Indian mobile phone numbers and emails for the recovery phone number that linked it to an email address ending in pune@ic.in, a suffix for other email addresses used by police in Pune. Scott-Railton found that the number is also linked in the database to the recovery email address connected to the hacked accounts for the same Pune police official.

Separately, security researcher Zeshan Aziz found the recovery email address and phone number tied to the Pune police official’s name in the leaked database of TrueCaller, a caller ID and call-blocking app, and found the phone number linked to his name in the leaked database of iimjobs.com, an Indian job recruitment website. Finally, Aziz found the recovery phone number listed with the official’s name on multiple archived web directories for Indian police, including on the website of the Pune City Police. (WIRED also verified that at the time the accounts were compromised, the email provider would have sent a confirmation link or text message to any recovery contact information added to an email account, which suggests that the police did, in fact, control that email address and phone number.)

Scott-Railton further found that the WhatsApp profile photo for the recovery phone number added to the hacked accounts displays a selfie photo of the police official—a man who appears to be the same officer at police press conferences and even in one news photograph taken at the arrest of Varvara Rao.

WIRED reached out in multiple emails and phone calls to the Pune City Police and the Pune police official whose personal details were linked to the hacked accounts and received no reply.

One Mumbai-based defense attorney representing several of the Bhima Koregaon 16, Mihir Desai, says he would need to independently corroborate the new evidence of the Pune police’s links to the hacking campaign. But taken at face value, he says, it appears “very damning.” He adds that he is hopeful it could help his clients, including Anand Teltumbde, who has been accused of terrorist connections based in part on an apparently fabricated document found on Rona Wilson’s computer. “We’ve known things have been planted, but the police could have always said, ‘we are not involved in all this,’” says Desai. “By showing the police did this, it would mean there was a conspiracy to arrest these people. It would show the police have acted in a vicious and deliberate manner knowing fully well this was false evidence.”

The conclusion that Pune police are tied to a hacking campaign that appears to have framed and jailed human rights activists presents a disturbing new example of the dangers of hacking tools in the hands of law enforcement—even in an ostensible democracy like India. Sentinel One’s Guerrero-Saade argues that it also raises questions about the validity of any evidence pulled from a computer that’s been hacked by a law enforcement surveillance operation. “This should invite a conversation about whether we can trust law enforcement with these sorts of malware operations at all,” says Guerrero-Saade. “What does it mean to have evidentiary integrity when you have a compromised device? What does it mean for somebody to hack a device for fact-finding in a law enforcement operation when they can also alter the contents of the device in question?”

Beyond any larger questions, Guerrero-Saade and his fellow Sentinel One researcher Tom Hegel say they’re focused on the fate of the victims in the Bhima Koregaon case, almost all of whom have remained in jail even as the evidence against them proves to be more corrupt with every year. Ultimately, the researchers hope their findings can not only demonstrate police wrongdoing in the case, but win those activists and human rights defenders their freedom. “The real concern here is the folks languishing in prison,” says Guerrero-Saade. “We’re hoping this leads to some form of justice.”

Police Linked to Hacking Campaign to Frame Indian Activists

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30158.

CVE-2022-30157

Microsoft Office Remote Code Execution Vulnerability.

Tag

#microsoft