company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Threatspy

Solutions

By Industry

Healthcare

Education

IT & Telecom

By Role

Government

CISO/CTO

DevSecOps

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Threat Feeds

Threat Research

White Paper

SB Blogs

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

Our Story

Our Team

Careers

Press & Media

Contact Us
loading..
loading..
loading..
Loading...

Zimbra

XSS

SSRF

loading..
loading..
loading..

Zimbra vulnerabilities can enable unauthorized access to its webmail servers

Zimbra Webmail servers detected two chained vulnerabilities (XSS & SSRF) with JavaScript payloads. Emails and web sessions of victims could be compromised…

28-Jul-2021
4 min read

Related Articles

loading..

Info Stealer

Dependabot

Discover the intricate GitHub attack: Threat actors impersonating Dependabot, st...

In July 2023, Our scanners detected a series of atypical commits across hundreds of GitHub repositories, seemingly originating from Dependabot but concealing malevolent intentions. This [Threatfeed](https://www.secureblink.com/cyber-security-works) delves deep into the technical intricacies of this cyberattack, highlighting the tactics employed by threat actors and the implications for developers and security professionals. ## **Deceptive Commits** Between July 8-11, threat actors embarked on a sophisticated campaign, compromising both public and private GitHub repositories, focusing predominantly on Indonesian user accounts. Their modus operandi involved crafting counterfeit commit messages meticulously designed to mimic genuine contributions from Dependabot. This ruse aimed to deceive developers into dismissing the malicious activity. The attackers ingeniously camouflaged their actions by impersonating the user account "dependabot[bot]." This manipulation added a layer of authenticity to their deceitful commits, making them appear benign at first glance. ## **Malicious Code Unveiled** In our extensive analysis of the affected repositories, we uncovered two distinct patterns of code changes suggestive of automated scripting. The first insidious alteration introduced a new GitHub Action file named "hook.yml." This file triggered every code push event, surreptitiously exfiltrating GitHub secrets and variables to a malicious endpoint: `hxxps://send[.]wagateway.pro/webhook`. The second malicious modification was equally cunning. The attackers targeted JavaScript files (`.js`) within the projects, appending obfuscated lines of code at the end. This code snippet created a new script tag, executed in web browsers, and fetched an additional script from `hxxps://send[.]wagateway.pro/client.js?cache=ignore`. Its purpose was clear: intercepting user-submitted passwords from web forms and funneling them to the same exfiltration endpoint. ## ** Attack Chain** Understanding the attack's progression is crucial to fortifying defenses against such incursions. The assault unfurled in three distinct phases: **Step 1 – Workspace Initialization:** Victims inadvertently played a pivotal role by initializing their development environments with personal access tokens (PATs) or alternative identification methods. These tokens, stored locally on their machines, became ripe targets for extraction. Notably, PATs do not mandate two-factor authentication (2FA), rendering them vulnerable to exploitation. **Step 2 – Stealing the Developer's Credentials:** How attackers acquired developers' credentials remains speculative, but a prevalent method suggests using malicious packages. These insidious packages covertly exfiltrated PATs to the attackers' command and control (C2) server, providing unhindered access to compromised accounts. **Step 3 – Poisoning the Victim's Code Projects:** Armed with stolen PATs, the attackers authenticated themselves on GitHub and executed the malevolent code changes detailed earlier. The scale of this assault suggested automation, highlighting the need for robust threat detection and prevention measures. ## **Implications and Lessons** This incident serves as a stark reminder of the evolving sophistication of supply chain attacks, particularly when attackers exploit trusted entities like Dependabot. Developers and organizations must exercise vigilance in code acquisition, even from reputable sources like GitHub. It underscores the need for enhanced security measures. To mitigate the risk of compromised tokens, GitHub introduces a groundbreaking solution: fine-grained personal access tokens (PATs) in public beta. These tokens afford developers granular control over permissions, reducing the potential for damage if a token is breached. However, it's important to note that access log activity for GitHub's personal access tokens is exclusively visible to enterprise accounts, leaving non-enterprise users in the dark about potential compromises. ## **Fine-Grained Personal Access Tokens: A Game Changer** GitHub recognizes the paramount importance of safeguarding credentials and introduces fine-grained PATs to bolster security. Here's how they differ from the traditional personal access tokens (classic): - **Granular Permissions:** Fine-grained PATs offer over 50 granular permissions that control access to GitHub's APIs, granting read or read-and-write access on a per-permission basis. For instance, a PAT can be configured to read issues within a repository exclusively. - **Repository Targeting:** Unlike classic PATs, fine-grained tokens do not possess universal access. They are tailored to specific repositories or organizations, minimizing the scope of potential breaches. - **Expiration:** Fine-grained PATs come with expiration dates, ensuring that access is time-limited and reducing long-term risk. ## **Creating Fine-Grained Personal Access Tokens** Developers can create fine-grained PATs through the Developer Settings section in their account settings. This feature simplifies building integrations and testing scripts, offering a level of control and security previously unavailable. ## **Approving and Auditing Tokens** Organization owners gain newfound control over fine-grained PATs. They can opt to approve or reject each token targeting their organization or repositories. This feature enhances visibility and accountability, empowering organizations to safeguard their resources effectively. ## **Choosing the Right Access Method** While fine-grained PATs represent a significant leap in access control, there are scenarios where classic PATs remain necessary, such as access beyond one's organization or integration with enterprise account APIs. GitHub Actions and GitHub Apps are recommended for long-term automation needs, combining highly targeted permissions with administrator controls. ## **What's on the Horizon** GitHub's commitment to security extends beyond this release. Future enhancements include support for GraphQL with fine-grained PATs, expanded API support for fine-grained permissions, and additional features for administrators to set and enforce PAT policies at scale. ## **Get Started with Fine-Grained PATs** Fine-grained personal access tokens are now available to all GitHub users, organizations, and enterprises on GitHub.com. Users are encouraged to provide feedback as GitHub continually refines this groundbreaking security feature.

loading..   28-Sep-2023
loading..   5 min read
loading..

Zero Day

Vulnearbility

Libwebp

Google reassigns CVE-2023-5129, a critical libwebp vulnerability initially mista...

Google has reassigned a zero-day vulnerability to the open-source libwebp library. The flaw, initially identified as a Chrome weakness [CVE-2023-4863](https://nvd.nist.gov/vuln/detail/CVE-2023-4863), has now been allocated a new CVE ID: [CVE-2023-5129](https://nvd.nist.gov/vuln/detail/CVE-2023-5129). This reclassification bears critical implications for the cybersecurity community and projects dependent on libwebp. ## CVE-2023-5129 Google's acknowledgment of CVE-2023-5129 as a critical issue within libwebp, marked with a maximum severity rating of 10/10, brings into focus the pivotal role this library plays in various projects. ### Technical Anatomy CVE-2023-5129 revolves around a heap buffer overflow in WebP, impacting [Google Chrome](http://twitter.com/wdormann/status/1704580087109066776) versions preceding 116.0.5845.187. Its core resides in the [Huffman coding algorithm](https://nvd.nist.gov/vuln/detail/CVE-2023-5129) employed by libwebp for lossless compression. This vulnerability provides malevolent actors the capability to execute out-of-bounds memory writes, exploiting maliciously crafted HTML pages. Such exploits wield immense power, ranging from system crashes to the execution of arbitrary code and unauthorized access to sensitive data. ## Implications for the Cybersecurity Ecosystem The reclassification of CVE-2023-5129 has profound implications for projects across the spectrum. This critical rating elevates the urgency of addressing the security vulnerability, which now appears under multiple CVE IDs, each with distinct severity ratings. ### Widespread Impact Libwebp's inconspicuous role in numerous projects, including 1Password, [Signal](https://www.secureblink.com/cyber-security-news/flashpoint-discovered-project-signal-an-iranian-state-sponsored-ransomware-operation), [Safari](https://www.secureblink.com/cyber-security-news/safari-15-leaks-browsing-history-and-reveals-user-identity-following-the-exploitation-of-its-indexeddb-api), [Mozilla Firefox](https://www.secureblink.com/cyber-security-news/mozilla-addresses-two-critical-zero-day-vulnerability-in-the-latest-release-of-firefox-versions), [Microsoft Edge](https://www.secureblink.com/cyber-security-news/three-million-users-installed-chrome-and-edge-extensions-containing-malware), Opera, and native Android web browsers, underscores the breadth of its reach. These platforms are now in the spotlight due to this vulnerability's heightened criticality. ## Confusion Surrounding CVE-2023-4863 The initial classification of this vulnerability as a Chrome weakness (CVE-2023-4863) left the cybersecurity community puzzled. Questions arose regarding Google's decision to categorize it within Chrome rather than attributing it to libwebp. ### Expert Insights Notably, security consulting firm founder Ben Hawkes, formerly leading Google's Project Zero team, drew connections between CVE-2023-4863 and [CVE-2023-41064](https://nvd.nist.gov/vuln/detail/CVE-2023-41064). The latter vulnerability, [addressed](https://support.apple.com/en-us/HT213905) by Apple on September 7, was exploited in a zero-click iMessage exploit chain known as [BLASTPASS](https://www.secureblink.com/cyber-security-news/urgent-cisa-issues-warning-on-i-phone-spyware-vulnerabilities). This chain aimed to compromise fully patched iPhones with [NSO Group's Pegasus](https://www.secureblink.com/cyber-security-news/pegasus:-the-rise-of-a-sophisticated-spyware-behind-mass-surveillance) commercial spyware. ## Timely Fix Fortunately, this security concern did not linger unresolved. The joint report by Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School on September 6 triggered prompt action from Google. Less than a week later, the issue was effectively patched. ### Citizen Lab's Prowess Citizen Lab's track record in detecting and exposing zero-day vulnerabilities used in targeted spyware campaigns is noteworthy. These campaigns typically target high-risk individuals, such as journalists and opposition politicians, often attributed to state-sponsored threat actors. ## Closing Thoughts Google's reclassification of the zero-day vulnerability as CVE-2023-5129, marking it as a critical issue within libwebp, signifies a pivotal moment in the cybersecurity landscape. The heap buffer overflow within the WebP format has far-reaching implications, affecting a multitude of projects. This reevaluation underscores the necessity for immediate action across various platforms to safeguard user data.

loading..   26-Sep-2023
loading..   4 min read
loading..

Cl0p

MOVEit

Healthcare

BORN Ontario Child Registry Healthcare Data Breach Affects 3.4 Million People ...

BORN Ontario, the provincial perinatal, newborn, and child registry, recently fell victim to a massive healthcare data breach. The data breach was attributed to a global vulnerability within the MOVEit data transfer software by Progress Software through the cybersecurity community. In this [Threatfeed](https://www.secureblink.com/cyber-security-news), we delve into the technical details of the incident and its implications for the affected parties. ## MOVEit Vulnerability Late evening on May 31, 2023, BORN Ontario [learned](https://www.bornincident.ca/) of a critical vulnerability within the [MOVEit](https://www.secureblink.com/cyber-security-news/clop-ransomware-exploits-mov-eit-targeting-u-s-banks-and-universities) data transfer software, a widely used tool for secure file transfers. This software is utilized not only by BORN but also by governments, private sector organizations, and multinationals globally. The vulnerability tracked as [CVE-2023-34362](https://nvd.nist.gov/vuln/detail/CVE-2023-34362) enabled unauthorized malicious actors to access and copy personal health information files. ### Exploitation The attackers, exploiting this zero-day vulnerability, accessed the MOVEit FTP Server. The affected server was subsequently decommissioned, and file transfer operations ceased until the system's safety could be ensured. It is crucial to highlight that the BORN Information System (BIS) was not compromised during this breach. ## Data Exposed The breach impacted files being transferred through MOVEit, potentially compromising the personal health information of approximately 3.4 million individuals. These individuals primarily include those who had sought prenatal or pregnancy care and newborns between January 2010 and May 2023. The exposed data includes: - Full names - Home addresses - Postal codes - Dates of birth - Health card numbers Depending on the type of care received, additional clinical information such as dates of service, lab test results, pregnancy risk factors, type of birth, procedures, and pregnancy and birth outcomes may have been exposed. ## Extent of Impact To put the scale of this breach into perspective, it affected 1.4 million individuals seeking prenatal or pregnancy care and 1.9 million newborns and children. The impact is substantial, and it raises concerns regarding patient privacy and data security. ## Response and Mitigation BORN Ontario took immediate action to mitigate the breach's impact and prevent further unauthorized access. Here are some of the critical steps taken: ### Isolation and Containment The affected server was isolated and taken offline to prevent further exploitation. ### Investigation Third-party cybersecurity experts were engaged to conduct a thorough investigation into the breach's scope and nature. ### Law Enforcement and Reporting BORN Ontario reported the incident to law enforcement agencies and the Privacy Commissioner of Ontario, ensuring that relevant authorities were informed. ### Data Partners Collaboration BORN Ontario collaborated with data partners to address the breach's consequences and identify the individuals affected. ## The MOVEit Zero-Day Vulnerability The specific details of the zero-day vulnerability in MOVEit Transfer have not been disclosed publicly. However, cybersecurity firm Rapid7 suggests that it is a SQL injection vulnerability leading to remote code execution. ### Attack Vector This vulnerability allowed attackers to execute arbitrary code remotely, potentially gaining control over the affected systems. ### Affected Systems Rapid7's research indicates that approximately 2,500 MOVEit Transfer servers are exposed, primarily in the United States. All compromised systems were found to have a webshell named 'human2.asp,' located in the public HTML folder. ### Exploitation Details When accessed with the correct password, this webshell allowed attackers to execute various commands, including: - Retrieving lists of stored files, their uploaders, and file paths. - Creating and deleting MOVEit Transfer users. - Accessing information about the Azure Blob Storage account, potentially enabling data theft from the victim's Azure Blob Storage containers. ## Patching and Mitigation Progress Software has released patches to address the zero-day vulnerability for various MOVEit Transfer versions. Organizations using this software should apply the relevant patch immediately. Until then, they should follow specific mitigation steps. ### Port Blocking To prevent exploitation, administrators are advised to block external traffic to ports 80 and 443 on the MOVEit Transfer server. However, this may affect some functionalities, including web UI access. ### Forensic Analysis Organizations that have been breached should conduct a thorough forensic examination to determine if data was stolen or systems compromised. ## Threat Landscape The MOVEit zero-day vulnerability has resulted in mass exploitation and data theft. The attacks began on May 27, 2023, during the long US Memorial Day holiday when security monitoring was reduced. This attack is reminiscent of previous incidents involving managed file transfer (MFT) platforms. ### Potential Extortion While extortion has not yet begun, organizations affected by this breach should prepare for the possibility of extortion and the publication of stolen data. ## Conclusion The BORN Ontario data breach serves as a stark reminder of the ever-evolving threat landscape in the cybersecurity domain. A critical vulnerability in widely used software can have far-reaching consequences, affecting millions of individuals and organizations. In response to this incident, swift action was taken to contain the threat, investigate the breach, and inform the relevant authorities. The release of patches and mitigation steps is a positive step towards preventing further exploitation of the MOVEit vulnerability. As the investigation unfolds, the cybersecurity community closely monitors the situation for any signs of data misuse or extortion attempts. This incident underscores the need for constant vigilance and robust cybersecurity measures to protect sensitive data in an increasingly digital world.

loading..   25-Sep-2023
loading..   5 min read