Overview of SMTP Smuggling: SMTP Smuggling is an emerging cyber threat exploiting the Simple Mail Transfer Protocol (SMTP), a fundamental email communication protocol. It enables attackers to bypass traditional email security measures by manipulating inconsistencies in SMTP server handling, specifically during the end-of-data sequence processing.
Technical Nuances and Impact: The technique leverages discrepancies in how outbound and inbound SMTP servers interpret message data endings. This allows attackers to insert arbitrary SMTP commands and send fraudulent emails from what appear to be legitimate domains, thereby defeating email authentication systems like DMARC, DKIM, and SPF.
Affected Systems and Remediation Efforts: Major email service providers such as Microsoft, GMX, and Cisco are affected, and the SMTP implementations in Postfix and Sendmail are vulnerable as well. Microsoft and GMX have addressed the issue, but Cisco treats the behaviour as a feature rather than a vulnerability, leaving Cisco Secure Email instances exposed in their default configuration. Security advisories recommend reconfiguring Cisco products to mitigate the risk.
Wider Implications and CVE Assignments: The attack's potential extends to millions of domains and is not limited to proprietary systems. Open-source mail transfer agents like Postfix, Sendmail, and Exim are also at risk, with specific Common Vulnerabilities and Exposures (CVEs) identified: CVE-2023-51764 (Postfix), CVE-2023-51765 (Sendmail), and CVE-2023-51766 (Exim).
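As an added defender-side example (not from the original brief and not a quote of any MTA project's patch), the check below scans an SMTP DATA body for the loosely delimited end-of-data sequences that smuggling relies on and enforces a strict CRLF-only policy; the sample message and the regexes are this example's own.

```python
import re

# RFC 5321 ends DATA with <CR><LF>.<CR><LF>. Lenient receivers also accept a
# "." line delimited by a bare LF or bare CR, so a relay that forwards such a
# line unchanged lets a single DATA body be read as two messages downstream.
# Rejecting every bare newline in DATA removes the ambiguity.

# Any CR or LF that is not part of a CRLF pair.
BARE_NEWLINE = re.compile(rb"\r(?!\n)|(?<!\r)\n")
# A "."-only line delimited by any mix of CRLF / CR / LF.
DOT_LINE = re.compile(rb"(\r\n|\r|\n)\.(\r\n|\r|\n)")


def find_bare_newlines(data: bytes) -> list[int]:
    """Offsets of every CR or LF that does not form a CRLF pair."""
    return [m.start() for m in BARE_NEWLINE.finditer(data)]


def find_loose_end_of_data(data: bytes) -> list[tuple[int, bytes]]:
    """(offset, sequence) for each '.' line whose delimiters are not both CRLF,
    i.e. a sequence a lenient server may treat as end-of-data while a strict
    server forwards it as ordinary message text."""
    return [(m.start(), m.group(0)) for m in DOT_LINE.finditer(data)
            if m.group(1) != b"\r\n" or m.group(2) != b"\r\n"]


def data_is_safe_to_relay(data: bytes) -> bool:
    """Strict policy: relay DATA only if every line ends in CRLF."""
    return not find_bare_newlines(data)


# Constructed sample DATA body: ordinary headers, then a "." line delimited by
# bare LFs, which is exactly the ambiguity a smuggling attempt depends on.
SAMPLE_DATA = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: quarterly report\r\n"
    b"\r\n"
    b"See attached.\n.\n"
    b"Text after the loosely delimited dot line\r\n"
)

if __name__ == "__main__":
    print("bare newlines at:", find_bare_newlines(SAMPLE_DATA))
    print("loose EOD sequences:", find_loose_end_of_data(SAMPLE_DATA))
    print("safe to relay:", data_is_safe_to_relay(SAMPLE_DATA))
```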
Exploitation of Google OAuth Endpoint: Information-stealing malware is exploiting an undocumented Google OAuth endpoint named MultiLogin. This allows attackers to hijack user sessions, maintaining access to Google services even after a password reset. The exploit was first disclosed by a threat actor named PRISMA and has since been incorporated into various Malware-as-a-Service (MaaS) stealer families.
Mechanics of the Exploit: MultiLogin, designed for synchronizing Google accounts across services, is being targeted by attackers. The exploit extracts tokens and account IDs from the token_service table in Chrome's WebData database, whose service (GAIA ID) and encrypted_token columns supply what is needed to generate and maintain access.
Token-Cookie Generation and Attack Scenarios: The exploit enables various token-cookie generation scenarios, including maintaining access when a user is logged in and generating a one-time use token if the password is changed but Google remains signed in. The stolen token-GAIA ID pairs are used in conjunction with MultiLogin to continually regenerate Google service cookies, facilitating unauthorized logins.
Response and Mitigation Efforts: Google acknowledges the attack method, stating that users can revoke stolen sessions by logging out of the impacted browser. They emphasize that stolen tokens and cookies can be invalidated by the user, contradicting reports that suggest otherwise. Enhanced Safe Browsing in Chrome is recommended for protection against such exploits.
Incident Overview: Orange Spain experienced a significant internet outage on January 3 due to a hacker, known as 'Snow', breaching its RIPE account. This attack led to misconfigured BGP routing and an invalid RPKI setup, affecting the internet traffic of Orange Spain customers for several hours.
Method of Attack: The hacker gained access to Orange Spain's RIPE account using credentials stolen by malware, specifically Raccoon Stealer. The attack involved modifying the AS number associated with Orange's IP addresses and enabling an invalid RPKI configuration, leading to improper internet traffic routing and a substantial loss in traffic.
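To show why a changed origin AS and an invalid RPKI configuration translate into lost traffic, here is an added example (not from the original brief or from Orange, RIPE NCC or any routing vendor) implementing RFC 6811 route origin validation over a constructed scenario: a hypothetical operator on AS64500 announcing a documentation prefix, before and after its ROA is pointed at a different origin AS.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorisation: which AS may originate a prefix, and down
    to which prefix length."""
    prefix: str
    max_length: int
    origin_as: int


def validate_route(prefix: str, origin_as: int, roas: list[ROA]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"   # no ROA covers the prefix: ROV lets it through
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin or too specific


def routes_dropped_by_rov(announcements, roas):
    """Announcements a peer enforcing 'reject invalid' would discard."""
    return [(p, a) for p, a in announcements
            if validate_route(p, a, roas) == "invalid"]


# Constructed scenario (documentation ranges; hypothetical operator AS64500):
# the operator's genuine announcement as seen by an ROV-enforcing peer.
ANNOUNCEMENTS = [("203.0.113.0/24", 64500)]
# ROA set as the operator published it.
ROAS_BEFORE = [ROA("203.0.113.0/24", 24, 64500)]
# ROA set after someone with access to the operator's RIR account points the
# prefix at a different origin AS: the genuine route now validates as invalid.
ROAS_AFTER = [ROA("203.0.113.0/24", 24, 64511)]

if __name__ == "__main__":
    for label, roas in (("before", ROAS_BEFORE), ("after", ROAS_AFTER)):
        print(label, validate_route("203.0.113.0/24", 64500, roas),
              "dropped:", routes_dropped_by_rov(ANNOUNCEMENTS, roas))
```

Peers that do not enforce ROV would still accept the route, which is why the impact of a tampered ROA grows with the share of networks dropping invalids.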
Hacker's Motivation and Actions: After gaining access, 'Snow' contacted Orange Spain to offer new credentials, claiming their intention was to prevent a more malicious actor from exploiting the account. Despite the disruption, the hacker stated they did not demand a ransom or intend to cause an outage.
Response and Security Implications: Orange Spain confirmed the hijack and restoration of services, emphasizing no customer data was compromised. RIPE NCC, in response, launched an investigation and advised account holders to update passwords and enable multi-factor authentication (MFA) to bolster security against such incidents.
Vulnerability Discovery and Impact: RedTeam Pentesting disclosed a significant vulnerability in Bitwarden's Windows Hello implementation, enabling unauthorized access to Bitwarden vaults. The issue, identified as CVE-2023-27706, allowed attackers to bypass the requirement for both the master password and biometric authentication, facilitating remote theft of all credentials from the vault. This vulnerability was discovered during a penetration test and has been corrected in Bitwarden version v2023.4.0.
Exploitation Technique: The exploit involved accessing an internal network, targeting workstations using Bitwarden. Attackers downloaded the Bitwarden data.json file from %AppData%\Bitwarden and observed the vault's use of Windows Hello for biometric unlocking. This unlocking mechanism relied on a derived key, which could be exploited to bypass the need for the master password.
Utilizing DPAPI and Active Directory Backup Keys: The attackers leveraged the Data Protection API (DPAPI) in Windows, which encrypts data using user-specific keys derived from their passwords. Having already compromised the client's Active Directory, the attackers accessed the DPAPI backup keys stored on the domain controllers. These keys enabled decryption of the Bitwarden vault's biometric login credentials without any user interaction and without being hindered by endpoint protection.
Execution and Successful Data Extraction: The decryption process involved three main steps: decrypting the account encryption key using the biometric key, decrypting a second layer of keys, and finally decrypting the credentials. The penetration testers wrote a Python script to automate this decryption, successfully extracting sensitive credentials from the Bitwarden vault without requiring the user's master password or biometric authentication.
Innovative Technique Overview: A new variant of DLL search order hijacking has been identified, capable of bypassing security measures in Windows 10 and 11. This technique targets executables in the trusted WinSxS folder, exploiting the classic DLL search order hijacking approach. It facilitates the execution of malicious code without the need for elevated privileges, which makes it a potent threat for systems running the affected Windows versions.
DLL Search Order Hijacking Explained: DLL search order hijacking traditionally exploits how Windows applications load DLLs. Attackers target applications that do not specify the full path to required libraries, relying instead on a predefined search order to locate them. The hijack places a malicious DLL with the same name as a legitimate one in a non-standard directory, ensuring the library containing the attack code is loaded instead of the legitimate library.
The Role of the WinSxS Folder: This technique uniquely targets files in the C:\Windows\WinSxS folder, known as Windows side-by-side. WinSxS is crucial for operating system customization and updating, ensuring compatibility and integrity. By exploiting this folder, attackers can execute code with minimal detection, as the malicious code operates within the memory space of a trusted binary.
Operational Mechanism and Risk Assessment: The attack involves finding vulnerable binaries in the WinSxS folder and pairing them with a custom DLL. Simply executing a file in the WinSxS folder from a command line with the custom folder containing the rogue DLL as the current directory triggers the attack. This method is particularly dangerous due to its low detection probability and the utilization of elevated privileges available to WinSxS folder DLLs.
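An added detection-side example (not from the original brief or from the researchers' report): it applies one rule over constructed image-load events shaped like Sysmon Event ID 7 records, flagging a process whose executable lives under C:\Windows\WinSxS loading a DLL from outside the Windows system directories. The WinSxS component folder, executable and DLL names are placeholders.

```python
from pathlib import PureWindowsPath

WINSXS = PureWindowsPath(r"C:\Windows\WinSxS")
# Locations a WinSxS-hosted executable is expected to resolve its DLLs from.
TRUSTED_DLL_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    WINSXS,
)


def is_under(path: str, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path lies strictly below root' for Windows paths."""
    parts = [c.lower() for c in PureWindowsPath(path).parts]
    root_parts = [c.lower() for c in root.parts]
    return len(parts) > len(root_parts) and parts[:len(root_parts)] == root_parts


def is_winsxs_hijack_candidate(event: dict) -> bool:
    """event: {'image': <process exe>, 'image_loaded': <DLL path>}.
    A WinSxS binary pulling a DLL from a user-writable directory is the
    search-order hijack pattern described above."""
    return is_under(event["image"], WINSXS) and not any(
        is_under(event["image_loaded"], root) for root in TRUSTED_DLL_ROOTS)


def triage(events: list[dict]) -> list[dict]:
    """Return only the events that match the WinSxS hijack rule."""
    return [e for e in events if is_winsxs_hijack_candidate(e)]


# Constructed events in the shape of Sysmon Event ID 7 (ImageLoad); the
# component folder, executable and DLL names are placeholders.
EVENTS = [
    {"image": r"C:\Windows\WinSxS\PLACEHOLDER_component_x64\sample.exe",
     "image_loaded": r"C:\Users\alice\Downloads\staging\sample.dll"},
    {"image": r"C:\Windows\WinSxS\PLACEHOLDER_component_x64\sample.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"image": r"C:\Windows\WinSxS\PLACEHOLDER_component_x64\sample.exe",
     "image_loaded": r"C:\Windows\WinSxS\PLACEHOLDER_component_x64\helper.dll"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "image_loaded": r"C:\Users\alice\Downloads\staging\sample.dll"},
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print("WinSxS hijack candidate:", hit["image"], "->", hit["image_loaded"])
```

The last event is deliberately left unflagged: a non-WinSxS binary loading from a user directory needs a broader rule than the one this example demonstrates.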