Shipping and Medical Laboratories are Targeted by New Threat Actor Hydrochasma

Threat hunters at software company Symantec have tracked a previously unknown threat actor, named Hydrochasma, that has been targeting shipping companies and medical laboratories involved in COVID-19 vaccine development and treatments. The main goal of the threat actor is to steal intelligence, and it relies only on open-source tools and "living off the land" (LotL) tactics to evade detection.

A Hydrochasma attack most likely begins with a phishing email; this is an assumption based on the fact that, on infected machines, Symantec found an executable posing as a document to be the origin of the malicious activity. The fake documents use a 'product specification information' theme when targeting shipping companies and a 'job applicant resume' theme when targeting medical labs.

After compromising the machine, the attacker uses the access to drop a Fast Reverse Proxy (FRP), which can expose local servers behind a NAT (Network Address Translation) device or a firewall to the public web. Later, the intruder drops open-source tools on the infected machine, such as Meterpreter, Gogo, Process Dumper, Cobalt Strike beacon, the AlliN scanning tool, Fscan, Dogz, SoftEtherVPN, Procdump, BrowserGhost, Gost proxy, Ntlmrelay, Task Scheduler, Go-strip, and HackBrowserData.

The use of so many publicly available tools makes it hard to connect the activity to any specific threat group. The tooling also indicates that the attacker's aim is to stay in the victim's network for extended periods, escalate privileges and spread laterally across victims' networks. There is also a possibility that Hydrochasma is a known threat actor that has started to experiment with the exclusive use of LotL tools and tactics in specific campaigns to cover its traces.

Vulnerabilities in the Zimbra enterprise webmail solution could allow an attacker to gain unrestricted access to an organization's sent and received email messages, software security firm SonarSource reveals. A webmail solution popular among enterprises worldwide, Zimbra claims to have more than 200,000 business customers, including over 1,000 government and financial institutions and roughly 500 service providers.

In June, Zimbra released patches for multiple security issues in the webmail solution, including two bugs identified by Simon Scannell, a security researcher with SonarSource. The flaws could allow an unauthenticated attacker to compromise an organization's webmail server and gain access to all employee email messages.

Tracked as CVE-2021-35208, the first of the vulnerabilities is a DOM-based stored cross-site scripting (XSS) bug that an attacker could trigger when the victim views an incoming email. An attacker looking to exploit the issue has to include crafted JavaScript code in the email. When executed, the payload would give the attacker access to the victim's emails and to their webmail session.

The second bug is CVE-2021-35209, an open redirect leading to server-side request forgery (SSRF). An attacker could chain the two vulnerabilities to extract tokens and credentials from "instances within the cloud infrastructure," the SonarSource researcher says.
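The Zimbra chain described on this page starts with an open redirect that turns into SSRF once the server itself follows the redirect, and the payoff is credential material from cloud instances. The two server-side checks below show how a webmail application can close both ends of that path: one validates a redirect target before issuing it, the other validates a fetch destination before the server makes an outbound request. This is an added example written for this page, not code from Zimbra or SonarSource; the function names `is_safe_redirect` and `is_safe_fetch_destination`, the allowlist, the constructed DNS table and the sample addresses are all assumptions of the example.

```python
"""Defensive checks against open redirects and the SSRF they can enable.

Added example for this page (not Zimbra or SonarSource code). All names,
hosts and addresses below are constructed for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this webmail deployment may redirect to.
ALLOWED_REDIRECT_HOSTS = frozenset({"mail.example.com"})


def is_safe_redirect(target: str, allowed_hosts: frozenset) -> bool:
    """Accept only same-site relative paths or absolute URLs on an allowlisted host.

    Rejects the usual open-redirect tricks: protocol-relative '//host',
    backslash variants '/\\host' (browsers treat '\\' like '/'), non-http
    schemes such as 'javascript:', and 'allowed@evil' userinfo confusion.
    """
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: a single leading '/' only, never '//host'.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def resolve_all(hostname: str):
    """Real resolver: every address the name maps to (A and AAAA)."""
    return [info[4][0] for info in socket.getaddrinfo(hostname, None)]


def _addresses_for(hostname: str, resolver):
    """Literal IPs skip DNS; names are resolved with the injected resolver."""
    try:
        return [ipaddress.ip_address(hostname)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in resolver(hostname)]


def is_safe_fetch_destination(url: str, resolver=resolve_all) -> bool:
    """True only if every address the host maps to is globally routable.

    Loopback, RFC 1918, link-local (where cloud instance metadata services
    such as 169.254.169.254 live), documentation and reserved ranges are all
    rejected, as are IPv4-mapped IPv6 forms of the same addresses.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addresses = _addresses_for(parts.hostname, resolver)
    except (socket.gaierror, OSError, ValueError):
        return False
    if not addresses:
        return False
    for ip in addresses:
        mapped = getattr(ip, "ipv4_mapped", None)
        if mapped is not None:
            ip = mapped  # unwrap ::ffff:a.b.c.d before classifying
        if not ip.is_global:
            return False
    return True


# Constructed DNS table so the example runs offline; production code passes
# resolve_all (the default) instead.
FAKE_DNS = {
    "mail.example.com": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],
    "dual.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(hostname: str):
    if hostname not in FAKE_DNS:
        raise socket.gaierror(hostname)
    return FAKE_DNS[hostname]


if __name__ == "__main__":
    for t in ("/mail/inbox", "//evil.example/", "https://mail.example.com@evil.example/"):
        print(f"redirect {t!r}: {is_safe_redirect(t, ALLOWED_REDIRECT_HOSTS)}")
    for u in ("https://mail.example.com/", "http://169.254.169.254/latest/", "http://dual.example/"):
        print(f"fetch {u!r}: {is_safe_fetch_destination(u, fake_resolver)}")
```

Two design points matter in practice. The destination check rejects a name if any of its addresses is non-global, because an attacker-controlled name can return a public and a private address together. It is also a check-then-fetch sequence, so a hardened client should connect to the address it validated rather than resolving the name a second time, otherwise a DNS answer that changes between the two lookups defeats the check.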