A bug discovered back in March has been added to CISA’s Known Exploited Vulnerabilities Catalog. This high severity bug, tracked as CVE-2022-27924, affects certain versions of the Zimbra email solution.

 CVE-2022-27924 allows unauthenticated attackers to steal user’s cleartext login credentials from a targeted Zimbra deployment without user interaction via a CRLF injection into the username of a Memcached lookups. This weakness is classified under CWE-74.

Memcached is a free and open source memory object caching system. It improves Zimbra’s performance by storing key/value pairs for email accounts and reducing the number of HTTP requests by the Lookup Service.  

According to researchers SonarSource, the bug’s discoverers, there are two possible exploitation techniques:

• Strategy one requires the use of known email addresses. We all know how easy it is to find email addresses online using publicly available info or by simply guessing the address based on the standard business email setup: firstname.lastname@business.com. The user must also use an IMAP client.
• Strategy two bypasses the restrictions of the first method by “Response Smuggling,” allowing the attacker to “steal cleartext credentials from any vulnerable Zimbra instance without requiring any knowledge about the instance.”

Once a user logs in, their cleartext credentials are sent to the attacker.

A patch for CVE-2022-27924 was released by Zimbra back in May that has been verified by Sonar to resolve the vulnerability by creating an SHA-256 hash of all Memcached keys before they are sent to the server.

Image: Brett Jordan

#cisanalysis #cisa #CVE-2022-27924

Intro

In this article, I will investigate how you can analyse an email, and confirm if it’s a phishing/scam/spam email. The idea here is to look at some tools that you might use for this, as well as how to open the attached file, that is most likely malicious, in a safe (sandboxed) way so you can learn what it does. Unfortunately, my example doesn’t contain an attachment, but I will look into that anyway.  

With that being said, let’s dive into it!

Email Headers

Now that we know how an email travels, let’s look more closely at the components that make up the said email. This is more of a manual approach, but my rationale behind is that we should first understand what we need to do here, before using any specific tooling. You should be able to analyze the suspicious email manually – I don’t see how you would do so with a tool without understanding what’s going on first.

So! We have:

The Header (which contains information about the email – for example, which servers relayed the email)

The Body (which is the email’s text, usually HTML formatted but it can be in regular plaintext)

Let’s look at email header fields:

• From – sender’s address
• Subject – subject line of the email
• To – recipient’s address
• Date – when the email was sent

These headers are what you can see in your email client easily.

(I will use a same email example for this article, keep in mind this was a real scam/spam/phishing email I’ve received couple months back)

Points 1, 2, 3, and 4 are what’s explained above. Note that 3. (To header) says the email’s been sent to recipients i.e., my email address is omitted. This can be done in a couple of ways, but the gist of it is that its due to the SMTP protocol and how it works; more precisely put, due to the Internet standards in regards to emails – RFC821, RFC822, and RFC2821. SMTP would deliver to the RCPT TO, while TO, CC, and BCC are what the email claims where the message is sent. They are in fact optional and can thus be altered.

Going back to our case, when viewing the message raw (even better if you extract the .eml file, like in the image below):

When I check the headers through https://mailheader.org

There’s a couple of things to unpack here, and I’ll circle back to it. Before going into any of that here’s another useful link on headers – Understanding an email header. Of course, there’s many more headers to an email, and I’ve added some links to resources at the end of the article.

  

Email Body

The email body contains the text (either plaintext or HTML formatted). My example email in text only format:

You can view source code as well as the rendered HTML. Header that will be associated with an attachment is usually Content-Type and Content-Disposition. The Content-Type header would say something like pdf/application, and Content-Disposition would say attachment.

I don’t have an attachment, so for me it says Content-Type: text/plain. Content-Transfer-Encoding is also an important one, as it will tell you if it is encoded, and with what encoding.

Before we end this little detour and return to our case, I’d like to emphasize that headers that relate to content can be found in different locations within an email message source. As we’ve seen above, they are not only associated with attachments. They can be text/html (Content-Type), and Content-Transfer-Encoding can be base64, 8bit, etc.

Example Email – analysis

Now that I’ve covered some basics as to what you should be looking at, let’s use some tools to do the same analysis more efficiently. Generally, you don’t need tools (you can already analyze everything with your email/web client) but sender’s IP and reply-to information is only visible through the header.

First tool I wanted to look at is Google’s Messageheader:

Which is great for some quick analysis (more results will be found in the fields below the output above)

However, I slightly prefer the https://mha.azurewebsites.net/ personally:

*Ideally you would use different tools, as you might uncover some additional things that way, its good to mix it up a bit

In the first image (mail header analysis from the Email Headers section) you probably noticed the Reply-to address which you can see above as well.

The email that I received, that’s from an email address sesdep2@kemenpora.go.id actually routes back to wetttttwwttrttr@yandex.com (Reply-To header). Quick Googling has shown that kemenpora.go.id is …The Ministry of Youth and Sports of the Republic of Indonesia (Kemenpora) is a ministry within the Government of Indonesia that is in charge of youth and sports affairs of Indonesia…

Which our first image confirms (Mail server IP and Mail Country from), but the reply would go to an email at Yandex.com.

If I was to continue down this road, the next step would be to investigate the sender’s IP. However, we noticed here that the email is spoofed, so it’s sort of a moot point. The reason for this is because we don’t have any X-Originating-IP or Original-IP headers in the email. However, even if we did, it might not mean all that much as the way threat actors usually go on about this is to utilize a botnet which will make the same email come from different IP addresses.

Concluding our case here, we’ve confirmed the (in)authenticity of the email in question, and acted appropriately (they mentioned in the body to mail them at another address @kakao.com domain, but I didn’t investigate that mailbox beside running it through the MX Toolbox – and a glance was enough to realize something’s phishy)

 

IP Address, Body, and Sandbox

The Email body is important because it’s usually where the payload will reside (in a form of a link or attachment). You can right click and copy the link location, extract it from the raw header directly, or use something like this – (this is an awesome tool, with much more functionalities, for our case scroll down to data and choose URL extractor).

*You can use https://cyberchef.io/ Extract URLs recipe too

You can also use Email extractor, to extract all the emails found in the raw message headers.

  Email extractor example

File Reputation and Sandbox

If you ever want to open/validate those suspicious attachments/files its quite important to know how to do so safely. One such tool can be Talos File Reputation.

On their site, its stated that “The Cisco Talos Intelligence Group maintains a reputation disposition on billions of files. This reputation system is fed into the Cisco Secure Firewall, ClamAV, and Open-Source Snort product lines. The tool below allows you to do casual lookups against the Talos File Reputation system. This system limits you to one lookup at a time, and is limited to only hash matching.”

The other one is the ubiquitous VirusTotal, where you can “Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.”

I need to mention that you don’t need leet skillz to understand the malware! There are online malware sandboxes that do that for you! Imagine having a malicious .pdf that you want to understand; well, by uploading to one of the platforms you can observe its behavior (URLs it tries to contact, IOCs, and a myriad of other nasty things).

Any.Run – “Analyze a network, file, module, and the registry activity. Interact with the OS directly from a browser. See the feedback from your actions immediately”.

Hybrid Analysis – “This is a free malware analysis service for the community that detects and nalyses unknown threats using a unique Hybrid Analysis technology.”

Joe Security – “Deeply analyze URLs to detect phishing, drive by downloads, tech scam and more. Joe Sandbox uses an advanced AI based algorithm including template matching, perptual hashing, ORB feature detection and more to detect the malicious use of legit brands on websites. Add your own logos and templates to extend the detection capabilities.”

 

IP Address

As you saw, this one is quite tricky! And even if you were to find a related IP (which is tough) it would kinda block you when you would find it being an ec2 instance. This is a venue that’s tough to pursue, and there’s too many ways to bypass it. Its not impossible, though. I am leaving some further links at the end of the article.

Conclusion

Okay! That’s been quite a ride, and there’s a lot more to unpack there, as we saw ‘simple’ phishing has quite a bit going for it in the background. Some of the stuff mentioned might even be out of scope (a SOC analyst at an enterprise level might just need to check the email authenticity, given that it slipped through the filters, and they are not going to go on a further hunt), but I felt it was necessary to at least try and outline what goes into it. Think of this article as a teaser on the topic.

Also, my case here wasn’t a typical phishing email, it was more of a scam, but I picked it for the spoofed email address. You can really analyze just about any email, and I just hope I’ve managed to describe what was my intent.

Lastyl, stay safe, validate emails, check those headers, and hover! Also, never click immediately or react on anything without thinking on it – this is a basic human bias (we want to resolve stuff, and they deftly prompted us with a challenge, albeit a fake one), and exactly what threat actors abuse. Some would say think before you act.

Additional Resources, Tools, Links

• https://www.phishtool.com/
• https://www.reversinglabs.com/
• https://datatracker.ietf.org/doc/html/rfc2821
• https://help.returnpath.com/hc/en-us/articles/115000460632-How-to-interpret-SPF-authentication-verification-results
• https://support.intermedia.com/app/articles/detail/a_id/24929/type/KB
• https://ctemplar.com/how-to-trace-email-ip-address-and-learn-who-sent-you-the-email/
• https://www.makeuseof.com/tag/how-to-trace-your-emails-back-to-the-source/
• https://www.theburningofrome.com/trending/can-you-fake-x-originating-ip/
• https://github.com/edoardottt/defangjs
• https://www.ibm.com/docs/en/sqsp/32.0?topic=SSBRUQ_32.0.0/com.ibm.resilient.doc/install/resilient_install_defangURLs.htm

Bonus – How to extract an .eml for viewing

This is ridiculously simple, in fact! Let’s look at an example mail (that I got from Coursera)

1. – Open your email client, and create a new message

2. – Drag the email you’re interested into the body of the new email:

3. – You should see an attachment added to the email:

Notice the name of the attachment

4. – Download the attachment to get the .eml file:

5. – Open the .eml to view raw headers, investigate, find bad guys, confirm stuff, and, most importantly, have some fun!

You now have all the headers!

Cover by Mohamed Hassan

#phish #eml #headers #body #malware #sandbox #pdf

Unsurprisingly, CISA has added the recent critical vulnerability in Atlassian’s Confluence Server and Data Center, CVE-2022-26138, to their Known Exploited Vulnerabilities Catalog.

CVE-2022-26138 is a hard-coded credentials flaw (CWE-798) that allows unauthenticated attackers to remotely exploit the vulnerability and log into to unpatched servers.

When the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2) is installed, an account with the username of ‘disabledsystemuser’ is created along with its associated hard-coded password. This password was leaked on Twitter on the 23rd of July. If CVE-2022-26138 is exploited, an attacker would gain access to any pages that the confluence-users group has access to. Uninstalling the app does not remove the account.

If affected, a Confluence Server or Data Center instance will have an active user account with this information:

• User: disabledsystemuser

• Username: disabledsystemuser

• Email: dontdeletethisuser@email.com

Per an advisory released by Atlassian, there are two options for mitigating CVE-2022-26138. Option one is to update the Questions for Confluence app to a non-vulnerable version:

• 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)

• Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)

These “fixed” versions do not create the ‘disabledsystemuser’ account, and will remove it from the system if present.

Option two is to disable or delete the ‘disabledsystemuser’ account. Unfortunately, if Confluence is configured to use a read-only external directory, you are required to remove the account from all external directories and perform a directory resync before the account can be deleted.

CISA has given US federal agencies three weeks to secure their servers.

Image: Maxwell Nelson

First, before I get to the main topic of this article – session management – I will start by introducing some facts about sessions and why they are needed.

Hypertext Transfer Protocol (HTTP) is a stateless protocol!

This means multiple requests can be sent through one HTTP connection; requests are executed independently. 

The server is not attaching any additional information to the requests, so each request cannot know of the requests which are executed before. Once the transaction is terminated, the connection between the browser and the server is lost.

Historically, web used stateless protocol because the goal was to allow web pages to be served to many people using basic hardware as a server. If the connection was maintained for a long time, that would be very resource expensive.

Flow of an HTTP GET file:

– Request it made to get the file via URL

– File is returned in the response

– Connection disconnects

What is a session?

The session is a sequence of HTTP requests and transactions initiated by the user. 

What is session management?

Session management is the management of sessions between the web application and the users. Usually, web applications assign each user a specific session ID. Session IDs are used to uniquely identify the user, to maintain the state of the user and the state of the required web server so it can “remember” which user it is communicating with. Sessions are maintained by the server, and the session ID is sent with each request user makes.

This picture, which is taken from https://thecyphere.com/, gives a simple explanation of session management:

Solution for storing user data between HTTP requests:

In web applications, you need to find a way to store data between HTTP requests to associate one request with the other. Most often, developers use cookies and URLs to transfer the data. If you have sensitive data or you don’t want it to be visible in the UI, the best way to store it is in the session. As I mentioned before, in session management, the solution would be to provide each user session ID to maintain the data. 

Session cookies

Session ID needs to be stored somewhere, and cookies are often used for storage.

So, we have session ID, for example, SESSID=asdsadsa123456789, and we will store it in a cookie. Developers often set a short life for the session, which is automatically deleted if unused for some time (like 20 minutes).

Session management can use two types of cookies, non-persistent cookies, and persistent cookies. Non-persistent are also called session cookies. Persistent cookie will be the one which presents Max-Age or Expires attributes, and it is going to be stored on disk by the web browser until the expiration time.

Session Management Attacks

For the attackers to successfully perform the attack, they first need to explore how the application manages session IDs. After the user authenticates themselves with a known session ID, the target is to hijack the user-validated session with the session ID.

What is a cookie?

Wikipedia’s definition of a cookie is” A cookie is a baked or cooked snack or dessert that is typically small, flat, and sweet.”

But unfortunately, the definition of the cookie in the computer world is not so sweet.

A cookie is just a text file saved on the user’s computer. Maximum size of a cookie is 4KB. Other names of this type of cookie would be HTTP cookie, web cookie, etc.

How is it created?

When a user first visits a website, the site sends data packets to the user’s computer in the form of a text file, a so-called cookie.

*Very important to mention cookies are less safe than sessions because third-party can manipulate content in them. Whereas sessions are considered safer because they are stored in an encrypted form that only the user can read.

Implementation of cookie service in Angular

First, do nmp install of ngx package: npm i ngx-cookie-service 

Documentation of this package can be found here; also, if you need to check out older

versions: https://www.npmjs.com/package/ngx-cookie-service                  

Second, import the service in the app module:

import { CookieService } from 'ngx-cookie-service';
@NgModule({
  ...
    providers:
[CookieService],
...
})
export class AppModule {
}

You will also see in the documentation that it is easily used; just import in the class, inject in the constructor, and then you can use all methods from the cookie service.

constructor(private cookieService: CookieService)
{
  this.cookieService.set(Cookie1, 'Cookie value');
  this.cookieValue = this.cookieService.get('Cookie1');
}

Methods you can use from the cookie service:

• check (checks cookie name)
• get
• getAll (returns cookie name, value, expires, path, domain, secure)
• set (sets value: name, path, domain)
• delete
• deleteAll

How to implement Session Storage in Angular?

There is some confusion regarding the difference between session and local storage. The quick explanation is that data in session storage is lost when the browser closes and data in local storage remains until the browser cache is cleared. For a more detailed explanation, you can check out this site.

So, session storage is part of the web API, which stores ‘key’ – ‘value’ pairs. It can be accessed by the client side only, not by the server, to eliminate the security threat cookies present. 

As for implementation concerns, the best approach is to create the class with some helper methods, such as store and retrieveObject. I named that class SessionStorageManager.

import { Injectable } from "@angular/core";
 
@Injectable()
export class SessionStorageManager {
  readonly roles: string = "roles";
  readonly tenantsSettings: string = "tenantsSettings";
 
  store(key: string, content: Object) {
    sessionStorage.setItem(key, JSON.stringify(content));
  }
 
  private retrieve(key: string) {
    let storedItem: string = sessionStorage.getItem(key);
    if (!storedItem)
      throw No object with key ${key} found in the session storage!;
    return storedItem;
  }
 
  public retrieveObject(key: string) {
    let object = null;
    try {
      object = JSON.parse(this.retrieve(key));
    } catch (err) {
      console.error(err);
    }
    return object;
  }
}

As you can see, we can import this class into other classes that will store or retrieve items.

SessionStorage already has two methods: get and set item.

After we created the class SessionStorageManager, we need to add it also in app.module.ts, in providers.

As I mentioned, we can use it in any class we need to set or get data. For example, if we use Role Guard (if you want to check out its implementation, check out my article about IDOR), we can retrieve roles previously stored when the user logs in. When a user logs in from the API, we get their roles, and then we use SessionStorageManager and method store. So, in Role Guard, we can use SessionStorageManager and the method retrieveObject.

Store method in role service: 

  public loadUserRoles(): void {
    this._roleService.getEntity("/roles").pipe(
      delay(1),
    ).subscribe((data) => {
      this.userRoles = data;
      this._sessionStorage.store(
        this._sessionStorage.roles,
        data
      );
    });
  }

Retrieve method:

 let assignedRoles = this._sessionStorage.retrieveObject(
      this._sessionStorage.roles
 );

The data will be available until the browser closes!

Conclusion

In this article, I explained the best practice for implementing session management, whether it would be the implementation of session storage or cookie service in Angular.

There are many ways to write more secure code to prevent this attack from happening and hackers from succeeding, but first, it is important to choose the right way to set up session management!

In the next part of Session Management attacks article, I will write more about what you should pay attention to while implementing secured session management.

In the end, secure code is the cheapest code!

#session_management #session_cookies #cookie_service 

Cover photo by Mae Mu

Let me state from the start that I am crypto agnostic. I have no strong feelings about whether crypto should or will succeed, fail, or take some third track. What I do feel strongly about is that crypto and the technologies behind it are fascinating, whether as tomorrow’s emerging breakthroughs or today’s false promises (or both).

So it has been interesting to observe the continuing crypto collapse, which has seen coin prices plummet for months amid more than a few high-profile failures. Crypto evangelists are circling the wagons (while secretly sweating). The naysayers, meanwhile, are celebrating the situation as proof they were right all along (while doubting this is actually the end of crypto). No matter which side you fall on, right now looks like a big moment in crypto history – and what happens next is anyone’s guess.

My powers of prognostication are no better than anyone else’s. But as a close crypto observer, I have noticed some odd effects during the recent downturn that, in one way or another, will undoubtedly impact the future of crypto. I want to use this blog to highlight a few of those, then turn it over to the community to unpack what exactly they mean.

Cyber Criminals Take Downturn in Stride

The value of Bitcoin has dropped more than 60% so far in 2022 and plunged 32% in just June. Since Bitcoin is the preferred way to pay ransomware demands, you might expect the huge price drop to impact the criminals behind these attacks. And you would be right – but the results hardly inspire optimism.

Cheaper Bitcoin simply leads attackers to demand more of it – no surprise there. Price drops are bad for people who treat Bitcoin as an investment. But for those who treat it as a fiat currency, the exchange rate hardly matters at all. Ransomware remains as lucrative as ever.

So how to explain the 20% drop in ransomware recorded between Q1 and Q2 2022 (basically in parallel with the crypto collapse)? The disruption of the Russian ransomware gang Conti accounts for a lot. There has also been a recent rise in business email compromise (BEC) schemes, which forgo cryptocurrency but, more importantly, yield higher profits historically.

Crypto volatility creates some extra challenges for hackers, certainly. But recent history proves that swings (or collapses) in crypto will not lead to fewer attacks or lesser losses. As often happens in cybersecurity, the risk changes, but it does not go down.

Crypto Technology Comes Under Scrutiny

Crypto has always had its skeptics, of course, but they are suddenly getting a lot more attention, credibility, and funding than they did before. Just one example is research highlighting numerous flaws in blockchain technology and the philosophy behind it. The research proposes several ways that blockchains are neither decentralized nor immutable, as their proponents claim. The research also shows that 21% of blockchain nodes (the infrastructure of the blockchain) are running an old, vulnerable client, creating a target so obvious it begs to be attacked.

People have criticized crypto in the past – since its inception. But those criticisms were often economic or ethical in nature, not technological, and they were rarely given a platform on NPR (or other major outlets) like the research above. People debate the value of investments all the time. But if the crypto conversation starts to focus on the strengths and weaknesses of the underlying technology instead, as appears to be the case, it could change the trajectory dramatically.

The Resistance Gets Organized and Aggressive

A group of 1500+ computer scientists, engineers, and technologists sent a letter to Congress in early June questioning the value of blockchain technology and calling for stricter crypto regulation. They don’t mince words; the letter paints a bleak picture of the crypto ecosystem and suggests that things will only get worse.

What effect, if any, this will have on Congress is unknown. Still, the size of the group behind the letter along with the strength of their language suggests that opposition to crypto is getting larger and more organized. And coming from some interesting sources; the blockchain research highlighted above was sponsored by DARPA. It’s too conspiratorial to call this “the establishment” fighting back against the crypto insurgents, but it’s nonetheless interesting to consider how the Defense Department and the government more broadly might think about blockchain moving forward. If they’re not on board, will anyone else be?

It’s too early to tell. And the same goes for crypto as a whole, which could conceivably bounce back from this dip to reach new highs…or crash and burn completely. Either way, crypto will face stronger opposition and possibly more regulation from here out.

As a crypto agnostic, I think that’s the best possible consequence of the crypto collapse. Good ideas will survive scrutiny and skepticism, while bad ideas will get exposed and eliminated. Whatever remains of crypto and blockchain after that is, hopefully, the best it has to offer. I, for one, can’t wait to see what that looks like.

#blog #crypto #ransomware #bitcoin #fintech #DARPA #regulation