Red Hat Security Advisory 2024-4004-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4004.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:4004-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4004  
Issue date:         2024-06-20  
Revision:           03  
CVE Names:          CVE-2024-5688  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.12.1.

Security Fix(es):

* thunderbird: Use-after-free in networking (CVE-2024-5702)

* thunderbird: Use-after-free in JavaScript object transplant (CVE-2024-5688)

* thunderbird: External protocol handlers leaked by timing attack (CVE-2024-5690)

* thunderbird:  Sandboxed iframes were able to bypass sandbox restrictions to open a new window (CVE-2024-5691)

* thunderbird: Cross-Origin Image leak via Offscreen Canvas (CVE-2024-5693)

* thunderbird: Memory Corruption in Text Fragments (CVE-2024-5696)

* thunderbird: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (CVE-2024-5700)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-5688

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2291394  
https://bugzilla.redhat.com/show_bug.cgi?id=2291395  
https://bugzilla.redhat.com/show_bug.cgi?id=2291396  
https://bugzilla.redhat.com/show_bug.cgi?id=2291397  
https://bugzilla.redhat.com/show_bug.cgi?id=2291399  
https://bugzilla.redhat.com/show_bug.cgi?id=2291400  
https://bugzilla.redhat.com/show_bug.cgi?id=2291401

Red Hat Security Advisory 2024-4004-03

Red Hat Security Advisory 2024-4003-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include bypass and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4003.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:4003-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4003  
Issue date:         2024-06-20  
Revision:           03  
CVE Names:          CVE-2024-5688  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.12.1.

Security Fix(es):

* thunderbird: Use-after-free in networking (CVE-2024-5702)

* thunderbird: Use-after-free in JavaScript object transplant (CVE-2024-5688)

* thunderbird: External protocol handlers leaked by timing attack  
(CVE-2024-5690)

* thunderbird:  Sandboxed iframes were able to bypass sandbox restrictions to  
open a new window (CVE-2024-5691)

* thunderbird: Cross-Origin Image leak via Offscreen Canvas (CVE-2024-5693)

* thunderbird: Memory Corruption in Text Fragments (CVE-2024-5696)

* thunderbird: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and  
Thunderbird 115.12 (CVE-2024-5700)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s)  
listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-5688

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2291394  
https://bugzilla.redhat.com/show_bug.cgi?id=2291395  
https://bugzilla.redhat.com/show_bug.cgi?id=2291396  
https://bugzilla.redhat.com/show_bug.cgi?id=2291397  
https://bugzilla.redhat.com/show_bug.cgi?id=2291399  
https://bugzilla.redhat.com/show_bug.cgi?id=2291400  
https://bugzilla.redhat.com/show_bug.cgi?id=2291401

Red Hat Security Advisory 2024-4003-03

Red Hat Security Advisory 2024-4002-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9. Issues addressed include bypass and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4002.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:4002-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4002  
Issue date:         2024-06-20  
Revision:           03  
CVE Names:          CVE-2024-5688  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.12.1.

Security Fix(es):

* thunderbird: Use-after-free in networking (CVE-2024-5702)

* thunderbird: Use-after-free in JavaScript object transplant (CVE-2024-5688)

* thunderbird: External protocol handlers leaked by timing attack (CVE-2024-5690)

* thunderbird:  Sandboxed iframes were able to bypass sandbox restrictions to open a new window (CVE-2024-5691)

* thunderbird: Cross-Origin Image leak via Offscreen Canvas (CVE-2024-5693)

* thunderbird: Memory Corruption in Text Fragments (CVE-2024-5696)

* thunderbird: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (CVE-2024-5700)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-5688

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2291394  
https://bugzilla.redhat.com/show_bug.cgi?id=2291395  
https://bugzilla.redhat.com/show_bug.cgi?id=2291396  
https://bugzilla.redhat.com/show_bug.cgi?id=2291397  
https://bugzilla.redhat.com/show_bug.cgi?id=2291399  
https://bugzilla.redhat.com/show_bug.cgi?id=2291400  
https://bugzilla.redhat.com/show_bug.cgi?id=2291401

Red Hat Security Advisory 2024-4002-03

Red Hat Security Advisory 2024-4001-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4001.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:4001-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4001  
Issue date:         2024-06-20  
Revision:           03  
CVE Names:          CVE-2024-5688  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.12.1.

Security Fix(es):

* thunderbird: Use-after-free in networking (CVE-2024-5702)

* thunderbird: Use-after-free in JavaScript object transplant (CVE-2024-5688)

* thunderbird: External protocol handlers leaked by timing attack (CVE-2024-5690)

* thunderbird:  Sandboxed iframes were able to bypass sandbox restrictions to open a new window (CVE-2024-5691)

* thunderbird: Cross-Origin Image leak via Offscreen Canvas (CVE-2024-5693)

* thunderbird: Memory Corruption in Text Fragments (CVE-2024-5696)

* thunderbird: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (CVE-2024-5700)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-5688

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2291394  
https://bugzilla.redhat.com/show_bug.cgi?id=2291395  
https://bugzilla.redhat.com/show_bug.cgi?id=2291396  
https://bugzilla.redhat.com/show_bug.cgi?id=2291397  
https://bugzilla.redhat.com/show_bug.cgi?id=2291399  
https://bugzilla.redhat.com/show_bug.cgi?id=2291400  
https://bugzilla.redhat.com/show_bug.cgi?id=2291401

Red Hat Security Advisory 2024-4001-03

The service, likely a rebrand of a previous operation called "Caffeine," mainly targets financial institutions in the Americas and EMEA and uses malicious QR codes and other advanced evasion tactics.

Source: ronstik via Alamy Stock Photo

A highly organized phishing-as-a-service operation (PhaaS) is targeting Microsoft 365 accounts across financial firms with business email compromise (BEC) attacks that leverage a two-factor authentication (2FA) bypass, QR codes, and other advanced evasion tactics to maximize success, researchers have found.

Security analysts from EclecticIQ in February discovered a broad phishing campaign targeting financial institutions, in which threat actors used embedded QR codes in PDF attachments to redirect victims to phishing URLs, according to a blog post published June 18. Specific organizations targeted included banks, private funding firms, and credit union service providers across the Americas and Europe, Middle East and Africa (EMEA) regions.

EclecticIQ eventually tracked the origin of the campaign to a PhaaS platform called ONNX Store, "which operates through a user-friendly interface accessible via Telegram bots," Eclectic IQ threat intelligence analyst Arda Büyükkaya wrote in the post.

A key part of the ONNX service is a 2FA bypass mechanism that intercepts 2FA requests from victims using encrypted JavaScript code, to decrease the likelihood of detection and bolster the success rate of attacks, Büyükkaya noted. Moreover, the phishing pages delivered in the attacks use typosquatting to closely resemble Microsoft 365 login interfaces, making them more likely to trick targets into entering their authentication details.

**Snapshot of an ONNX Attack**

A typical email used in the attack shows a threat actor purporting to send the employee a human resources-related PDF document, such as an employee handbook or a salary remittance slip. The document impersonates Adobe or Microsoft 365 to try to trick a recipient into opening the attachment via a QR code that, once scanned, directs victims to a phishing landing page.

The use of QR codes is an increasingly common tactic for evading endpoint detection, Büyükkaya noted: "Since QR codes are typically scanned by mobile phones, many organizations lack detection or prevention capabilities on employees' mobile devices, making it challenging to monitor these threats."

The attacker-controlled landing page is designed to steal login credentials and 2FA authentication codes using the adversary-in-the-middle (AitM) method, analysts found.

"When victims enter their credentials, the phishing server collects the stolen information via WebSockets protocol, which allows real-time, two-way communication between the user's browser and the server," Büyükkaya wrote. In this way, attackers can quickly capture and transmit stolen data without the need for frequent HTTP requests, making the phishing operation more efficient and harder to detect, he noted.

Another PhaaS operator, Tycoon, also has used a similar AitM technique and a multifactor authentication (MFA) bypass involving a Cloudflare CAPTCHA, demonstrating how malicious actors are learning from each other and adapting strategies accordingly, Büyükkaya said.

ONNX also shares overlap in both Telegram infrastructure and advertising methods with a phishing kit called Caffeine (first discovered by researchers at Mandiant in 2022), the researchers found — so it could be a rebranding of that operation, according to ElecticIQ.

Another scenario is that the Arabic-speaking threat actor MRxC0DER, who is believed to have developed and maintained Caffeine, is providing client support to the ONNX Store, while the broader operation "is likely managed independently by a new entity without central management," Büyükkaya wrote.

**JavaScript Encryption Adds Level of Evasion**

Another anti-detection measure in the ONNX phishing kit is the use of encrypted JavaScript code that decrypts itself during page load, and includes a basic anti-JavaScript debugging feature. "This adds a layer of protection against anti-phishing scanners and complicates analysis," according to the analysis.

EclecticIQ researchers observed a functionality in the decrypted JavaScript code that's specifically designed to steal 2FA tokens entered by the victims and relay them to the attacker, who then uses the stolen credentials and tokens in real time to log in to Microsoft 365.

"This real-time relay of credentials allows the attacker to gain unauthorized access to the victim's account before the 2FA token expires, circumventing multifactor authentication," Büyükkaya wrote.

**Mitigating and Preventing ONNX Phishing Attacks**

ElecticIQ provided countermeasures for combatting specific tactics used by ONNX Store. To mitigate threats from embedded QR codes in PDF documents, organizations should block PDF or HTML attachments from unverified external sources in email server settings. They also can educate employees on the risks associated with scanning QR codes from unknown sources.

To combat the typosquatted domains used by the threat actor to impersonate Microsoft, organizations can implement domain name system security extensions (DNSSEC), which protects domains from multiple cyber threats, including typosquatting.

There are also measures that defenders can take to combat the theft of 2FA tokens, such as implementing FIDO2 hardware security keys for 2FA; setting a short expiration time for login tokens that limits a cyberattacker's window of opportunity to use them; and using security monitoring tools to detect and alert for any unusual behavior, such as multiple failed login attempts or logins from unusual locations.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'ONNX' MFA Bypass Targets Microsoft 365 Accounts

Red Hat Security Advisory 2024-1482-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1482.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: java-1.8.0-ibm security updateAdvisory ID:        RHSA-2024:1482-03Product:            Red Hat Enterprise Linux SupplementaryAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1482Issue date:         2024-06-19Revision:           03CVE Names:          CVE-2024-20918====================================================================Summary: An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.This update upgrades IBM Java SE 8 to version 8 SR8-FP15.Security Fix(es):For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-20918References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-1482-03

Red Hat Security Advisory 2024-1481-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1481.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: java-1.8.0-ibm security updateAdvisory ID:        RHSA-2024:1481-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1481Issue date:         2024-06-19Revision:           03CVE Names:          CVE-2024-20918====================================================================Summary: An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.This update upgrades IBM Java SE 8 to version 8 SR8-FP15.Security Fix(es):For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-20918References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2024-1481-03

A threat actor who goes by alias markopolo has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft.
The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC,

Cybercrime / Cryptocurrency

A threat actor who goes by alias **markopolo** has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft.

The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC, and Atomic macOS Stealer (AMOS), Recorded Future's Insikt Group said in an analysis published this week.

"This campaign, primarily targeting cryptocurrency users, marks a significant rise in macOS security threats and reveals an expansive network of malicious applications," the cybersecurity company noted, describing markopolo as "agile, adaptable, and versatile."

There is evidence connecting the Vortax campaign to prior activity that leveraged trap phishing techniques to target macOS and Windows users via Web3 gaming lures.

A crucial aspect of the malicious operation is its attempt to legitimize Vortax on social media and the internet, with the actors maintaining a dedicated Medium blog filled with suspected AI-generated articles as well as a verified account on X (formerly Twitter) carrying a gold checkmark.

Downloading the booby-trapped application requires victims to provide a RoomID, a unique identifier to a meeting invitation that's propagated via replies to the Vortax account, direct messages, and cryptocurrency-related Discord and Telegram channels.

Once a user enters the necessary Room ID on the Vortax website, they are redirected to a Dropbox link or an external website that stages an installer for the software, which ultimately leads to the deployment of the stealer malware.

"The threat actor that operates this campaign, identified as markopolo, leverages shared hosting and C2 infrastructure for all of the builds," Recorded Future said.

"This suggests that the threat actor relies on convenience to enable an agile campaign, quickly abandoning scams once they are detected or producing diminishing returns, and pivoting to new lures."

The findings show that the pervasive threat of infostealer malware cannot be overlooked, especially in light of the recent campaign targeting Snowflake.

The development comes as Enea revealed SMS scammers' abuse of cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage to trick users into clicking on bogus links that direct to phishing landing pages that siphon customer data.

"Cybercriminals have now found a way to exploit the facility provided by cloud storage to host static websites (typically .HTML files) containing embedded spam URLs in their source code," security researcher Manoj Kumar said.

"The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions. When mobile users click on these links, which contain well-known cloud platform domains, they are directed to the static website stored in the storage bucket."

In the final stage, the website automatically redirects users to the embedded spam URLs or dynamically generated URLs using JavaScript and deceives them into parting with personal and financial information.

"Since the main domain of the URL contains, for example, the genuine Google Cloud Storage URL/domain, it is challenging to catch it through normal URL scanning," Kumar said. "Detecting and blocking URLs of this nature presents an ongoing challenge due to their association with legitimate domains belonging to reputable or prominent companies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Warning: Markopolo's Scam Targeting Crypto Users via Fake Meeting Software

Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances.
Both shortcomings impact all versions of the software prior to version 2024-04, which was released on April 4, 2024. The issues were responsibly disclosed by SonarSource on March 22, 2024.
The flaws

Email Security / Vulnerability

Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances.

Both shortcomings impact all versions of the software prior to version 2024-04, which was released on April 4, 2024. The issues were responsibly disclosed by SonarSource on March 22, 2024.

The flaws, rated Moderate in severity, are listed below -

*   **CVE-2024-30270** (CVSS score: 6.7) - A path traversal vulnerability impacting a function named "rspamd\_maps()" that could result in the execution of arbitrary commands on the server by allowing a threat actor to overwrite any file that's can be modified with the "www-data" user

*   **CVE-2024-31204** (CVSS score: 6.8) - A cross-site scripting (XSS) vulnerability via the exception handling mechanism when not operating in the DEV\_MODE

The second of the two flaws is rooted in the fact that it saves details of the exception sans any sanitization or encoding, which are then rendered into HTML and executed as JavaScript within the users' browser.

As a result, an attacker could take advantage of the scenario to inject malicious scripts into the admin panel by triggering exceptions with specially crafted input, effectively allowing them to hijack the session and perform privileged actions in the context of an administrator.

Put differently, by combining the two flaws, it's possible for a malicious party to take control of accounts on a Mailcow server and gain access to sensitive data as well as execute commands.

In a theoretical attack scenario, a threat actor can craft an HTML email containing a CSS background image which is loaded from a remote URL, using it to trigger the execution of an XSS payload.

"An attacker can combine both vulnerabilities to execute arbitrary code on the admin panel server of a vulnerable mailcow instance," SonarSource vulnerability researcher Paul Gerste said.

"The requirement for this is that an admin user views a malicious email while being logged into the admin panel. The victim does not have to click a link inside the email or perform any other interaction with the email itself, they only have to continue using the admin panel after viewing the email."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

"ClearFake" and "ClickFix" attackers are tricking people into cutting and pasting malicious PowerShell scripts to infect their own machines with RATs and infostealers.

Source: Nico El Nino via Shutterstock

Threat actors are using fake browser updates and software fixes to trick users into cutting/copying and pasting PowerShell scripts loaded with various malware strains — including remote access Trojans (RATs) and infostealers — to infect their computers.

Researchers from Proofpoint observed the socially engineered technique employed by initial access broker tracked as TA571, as well as an unidentified actor in the last three months, starting as early as March 1, they revealed in a blog post published June 17.

There appear to be two methods of social engineering used in the activity — one that offers fake browser updates in yet another ClearFake campaign, and the other that delivers error messages related to Word, Google Chrome, and OneDrive dubbed "ClickFix" by the researchers. Malware delivered in the campaign includes the DarkGate and NetSupport RATs, the malware loader Matanbuchus, and various information stealers, including Lumma and Vidar.

"Whether the initial campaign begins via malspam or delivered via web browser injects, the technique is similar," Proofpoint researchers Tommy Madjar, Dusty Miller, Selena Larson, and the Proofpoint Threat Research Team explained in the post.

The campaigns show users are a pop-up textbox that suggests an error occurred when trying to open the document or webpage, and further instructions to copy and paste a malicious script into either the PowerShell terminal or the Windows Run dialog box to eventually execute the script via PowerShell, they said.

Attackers use "clever" and "authoritative" social engineering in the fake error messages delivered to users in the campaign, and also "provides both the problem and a solution so that a viewer may take prompt action without pausing to consider the risk," the researchers noted.

The activity reflects a trend among cybercriminals to adopt "increasingly creative attack chains" that ensure the success of campaigns that employ nested PowerShell and other technical tactics that are not easily detected by users, they said.

**ClearFake for Malware Delivery**

Proofpoint first observed the cut-and-paste technique with a ClearFake campaign in early April as well as "every other ClearFake campaign since then," the researchers noted. ClearFake is a previously identified fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript.  

In the latest campaigns, when a user visited a compromised website, the injection caused the website to load a malicious script hosted on the blockchain via Binance’s Smart Chain contracts, using a technique known as EtherHiding. The initial script then loaded a second script from a domain to eventually present a fake warning warning instructing them to install a "root certificate" to view the website correctly.

The message included instructions to click a button to copy a PowerShell script and then provided steps on how to manually run this script on the victim's computer. If this is done, the user effectively executes the PowerShell by pasting it into the PowerShell command line interface window. Proofpoint observed at least five types of malware being delivered in this way, including the Lumma stealer, Amadey Loader, and JaskaGo.

**ClickFix Baits With Error Messages**

Proofpoint first began to observe what it calls the ClickFix campaign in mid-April when its researchers found compromised sites containing an inject leading to an iframe on pley\[.\]es displayed as an overlay error message. The messaged claimed that a faulty browser update needed to be fixed and asked the victim to open “Windows PowerShell (Admin)”–which will open an User Account Control (UAC) prompt–and then right-click to paste the code.

If users take the bait, PowerShell runs another remote PowerShell script that downloads and runs an executable, eventually leading to Vidar stealer. While the payload domain used in the PowerShell was taken offline just a few days after the researchers discovered the activity, the custom content of the iframe was replaced with the ClearFake injection that was still active earlier this month. The researchers remain unclear if the same actor is behind ClearFake and ClickFix, however.

**TA571 Attribution**

Proofpoint observed TA571 using cut-and-paste PowerShell against victims as early as March 1 in a campaign that included more than 100,000 messages and targeted thousands of organizations globally. The threat actor employed emails containing an HTML attachment that displayed a page resembling Microsoft Word as well as error message claiming that "the Word Online" extension is not installed.

The message presented users with two options to continue, either "how to fix" or "auto-fix," both of which led them down to malicious paths to install malware, including Matanbuchus or DarkGate, using PowerShell or DLL files.

TA571's use of similar attack chains throughout the spring using "various visual lures and varying between instructing the victim to either open the PowerShell terminal or using the Run dialog box" demonstrates a link between the actor and the ClickFix campaign, the researchers noted.

**Mitigating Malware Compromise**

Proofpoint included a list of indicators of compromise (IoCs) in recent campaigns, acknowledging that it is not an "exhaustive list" but merely a snapshot of websites, email addresses, and other processes related to the malicious activity that its researchers have observed.

Overall the attack chain requires "significant user interaction" to be successful, which means the most practical way for organizations to help avoid compromise on their network is employee awareness and training, the researchers noted.

"Organizations should train users to identify the activity and report suspicious activity to their security teams," the researchers wrote. "This is very specific training but can easily be integrated into an existing user training program." 

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#java