CVE-2019-9670 being actively exploited (Hacked Server)

maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

CVE-2019-9670 being actively exploited (Hacked Server)

Post by maxxer »

As many reported on IRC, the latest security bug found in Zimbra is being actively exploited in the wild.

It's easy to find a compromised install because the exploit campaign creates /tmp/zmcat binary on the system. It also downloads two .sh files used to fetch the binary from 185[.]106.120.118.

This is what I found in my nginx access log, so as a temporary mitigation one could block python-requests user agent (other than installing the patch, that is).

Code:

104.168.158.113:48768 - - [02/Apr/2019:11:49:43 +0200]  "POST /AutoDiscover/ HTTP/1.1" 503 13388 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48770 - - [02/Apr/2019:11:49:45 +0200]  "POST /service/soap HTTP/1.1" 200 1042 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48772 - - [02/Apr/2019:11:49:47 +0200]  "POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap/ HTTP/1.1" 200 1057 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48774 - - [02/Apr/2019:11:49:49 +0200]  "POST /service/extension/clientUploader/upload HTTP/1.1" 200 292 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48776 - - [02/Apr/2019:11:49:51 +0200]  "GET /downloads/PS1q.jsp?pwd=bduXyq HTTP/1.1" 200 468 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48778 - - [02/Apr/2019:11:49:53 +0200]  "POST /downloads/PS1q.jsp?pwd=bduXyq HTTP/1.1" 200 469 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48780 - - [02/Apr/2019:11:49:55 +0200]  "GET /img/ikDB.jsp?pwd=4BkLUS HTTP/1.1" 200 470 "-" "python-requests/2.9.1" "10.0.0.5:8443"
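The request sequence in that log (a successful POST to the clientUploader endpoint, then hits on a freshly uploaded .jsp under /downloads/ or /img/ with a pwd= parameter) can be hunted for across a whole access log. The script below is an added example, not code from the original post: it parses nginx proxy access-log lines in the layout shown above, groups them by source IP and reports any IP that completed that chain. The python-requests user-agent count is reported separately as a weaker signal, since a user agent is trivial to change. Sample input is the log above (with the wrapped line joined) plus one constructed benign request; the IPv4-only address pattern and the exact field layout are assumptions taken from these lines.

```python
import re
from collections import defaultdict

# Constructed sample input: the access-log lines quoted in the post above
# (the wrapped third line is joined) plus one constructed benign request.
SAMPLE_LOG = """\
104.168.158.113:48768 - - [02/Apr/2019:11:49:43 +0200]  "POST /AutoDiscover/ HTTP/1.1" 503 13388 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48770 - - [02/Apr/2019:11:49:45 +0200]  "POST /service/soap HTTP/1.1" 200 1042 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48772 - - [02/Apr/2019:11:49:47 +0200]  "POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap/ HTTP/1.1" 200 1057 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48774 - - [02/Apr/2019:11:49:49 +0200]  "POST /service/extension/clientUploader/upload HTTP/1.1" 200 292 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48776 - - [02/Apr/2019:11:49:51 +0200]  "GET /downloads/PS1q.jsp?pwd=bduXyq HTTP/1.1" 200 468 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48778 - - [02/Apr/2019:11:49:53 +0200]  "POST /downloads/PS1q.jsp?pwd=bduXyq HTTP/1.1" 200 469 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48780 - - [02/Apr/2019:11:49:55 +0200]  "GET /img/ikDB.jsp?pwd=4BkLUS HTTP/1.1" 200 470 "-" "python-requests/2.9.1" "10.0.0.5:8443"
192.0.2.10:51000 - - [02/Apr/2019:12:01:03 +0200]  "GET /service/soap HTTP/1.1" 200 512 "-" "Mozilla/5.0" "10.0.0.5:8443"
"""

# Endpoint the campaign POSTs its .jsp to, and the shape of the uploaded webshell
# requests (both taken from the log above): a .jsp directly under /downloads/ or /img/.
UPLOAD_PATH = "/service/extension/clientUploader/upload"
JSP_RE = re.compile(r"^/(?:downloads|img)/[^/?]+\.jsp(?:\?|$)")

# Field layout as it appears in the post:
#   ip:port - - [timestamp]  "METHOD path proto" status bytes "referer" "user-agent" "upstream"
# Assumption: IPv4 source addresses only, which is all the sample contains.
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ - - \[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse(log_text):
    """One dict per parsable line; lines that do not match the layout are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text):
    """Per source IP: whether it got a 200 from the upload endpoint, which .jsp paths it
    then reached with a 200 (in order of first appearance), and how many of its
    requests carried a python-requests user agent."""
    report = defaultdict(lambda: {"upload": False, "webshells": [], "python_requests": 0})
    for r in parse(log_text):  # access logs are chronological, so order carries the chain
        entry = report[r["ip"]]
        if r["ua"].startswith("python-requests/"):
            entry["python_requests"] += 1
        if r["path"] == UPLOAD_PATH and r["method"] == "POST" and r["status"] == "200":
            entry["upload"] = True
        elif entry["upload"] and r["status"] == "200" and JSP_RE.match(r["path"]):
            path = r["path"].split("?", 1)[0]
            if path not in entry["webshells"]:
                entry["webshells"].append(path)
    return dict(report)


def compromised_ips(log_text):
    """IPs that completed the chain: successful upload, then a successful .jsp request."""
    return sorted(ip for ip, e in triage(log_text).items() if e["upload"] and e["webshells"])


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, entry)
    print("chain completed from:", compromised_ips(SAMPLE_LOG))
```

Point it at the real file with `triage(open("/opt/zimbra/log/nginx.access.log").read())` or the equivalent path on your install; an IP in `compromised_ips()` means a webshell was reached, so the listed .jsp files need to be removed from the webapp, not just the requests blocked.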
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: CVE-2019-9670 being actively exploited

Post by JDunphy »

With shodan it is possible to exploit these RCEs in near real-time these days. I was shocked when I read about the exploit March 13 and the first patch was 3 days later for 8.7.11, which gave me no time to test the patch and I went straight to production minutes later with P10. Given what I am seeing, I am leaning toward adding modsecurity 3.0 myself now that it isn't as apache dependent and is a lot faster with nginx. In addition to having access to the various stages of the pipeline to disrupt these types of attacks, I like its ability to create dynamic rules in real-time to block IPs using collections, which would have more granularity than DoSFilter for some types of attacks. I use this a lot on our web farms here and it is a nice weapon to have against exploits until proper patches can be tested and deployed.

Anyone else deploy modsecurity with zimbra?

Ref: https://blog.tint0.com/2019/03/a-saga-o ... imbra.html
Ref: https://github.com/SpiderLabs/ModSecurity-nginx
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

I haven't had the chance to test with modsecurity. Will give a look, thanks.

I wrote some guidelines on the behaviour of the attack and how to clean zmcat.

In short:
- patch
- kill running processes for l.sh and s.sh and zmcat
- remove scripts and zmcat
- remove uploaded jsps
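To verify that a cleanup along the lines of this checklist actually completed, here is an added example (not maxxer's guidelines and not Zimbra tooling): a Python host check that reports the indicators named in this thread, i.e. zmcat, l.sh and s.sh on disk, processes still running them, .jsp files sitting in the webapp's static /downloads/ and /img/ directories, and the current nr_hugepages value. The paths /tmp, /opt/zimbra/jetty/webapps/zimbra and /proc/sys/vm/nr_hugepages (taken as the "hugepage value" mentioned elsewhere in this thread) are assumptions about a default Linux install. The check functions take plain lists so they can run against a saved listing as well as the live host. Applying the patch does not remove an infection that was already present, so a check like this belongs after patching.

```python
import os

# Indicators named in this thread: the dropped binary and the two scripts,
# plus .jsp files uploaded into static directories of the Zimbra webapp.
DROPPED_NAMES = ("zmcat", "l.sh", "s.sh")
# Assumptions about a default install: /downloads/ and /img/ URLs map to these
# directories, the dropped files live under /tmp, and the "hugepage value" is
# the kernel's nr_hugepages knob.
WEBAPP_ROOT = "/opt/zimbra/jetty/webapps/zimbra"
STATIC_SUBDIRS = ("downloads", "img")
DROP_DIR = "/tmp"
NR_HUGEPAGES = "/proc/sys/vm/nr_hugepages"


def walk_files(top):
    """Every file path below top; empty if top does not exist."""
    out = []
    for root, _dirs, files in os.walk(top):
        out.extend(os.path.join(root, f) for f in files)
    return out


def flag_dropped_files(paths, names=DROPPED_NAMES):
    """Paths whose basename is one of the dropped-file names, anywhere in the tree."""
    return sorted(p for p in paths if os.path.basename(p) in names)


def flag_uploaded_jsps(paths, webapp_root=WEBAPP_ROOT, subdirs=STATIC_SUBDIRS):
    """A .jsp inside a static-content directory is not something Zimbra ships there;
    legitimate .jsp files elsewhere in the webapp are deliberately not flagged."""
    prefixes = tuple(os.path.join(webapp_root, s) + os.sep for s in subdirs)
    return sorted(p for p in paths if p.startswith(prefixes) and p.lower().endswith(".jsp"))


def flag_processes(cmdlines, names=DROPPED_NAMES):
    """cmdlines: iterable of (pid, argv). Any argv element naming a dropped file is a
    hit, which also catches 'sh /tmp/l.sh' where argv[0] is the shell, not the script."""
    hits = []
    for pid, argv in cmdlines:
        for arg in argv:
            if os.path.basename(arg) in names:
                hits.append((pid, os.path.basename(arg)))
                break
    return hits


def read_cmdlines(proc="/proc"):
    """(pid, argv) for every live process, read from /proc/<pid>/cmdline (Linux only)."""
    out = []
    if not os.path.isdir(proc):
        return out
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:  # process exited, or not readable by this user
            continue
        argv = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
        if argv:
            out.append((int(pid), argv))
    return out


def read_int(path):
    """Integer content of a sysctl-style file, or None if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def host_report(drop_files, webapp_files, cmdlines, nr_hugepages):
    """Pure summary of the indicators; 'dirty' is True while anything still needs cleaning.
    nr_hugepages is reported, not judged: non-zero on a host that never configured
    hugepages is worth a look, but it is not proof on its own."""
    dropped = flag_dropped_files(drop_files)
    jsps = flag_uploaded_jsps(webapp_files)
    procs = flag_processes(cmdlines)
    return {
        "dropped_files": dropped,
        "uploaded_jsps": jsps,
        "running": procs,
        "nr_hugepages": nr_hugepages,
        "dirty": bool(dropped or jsps or procs),
    }


if __name__ == "__main__":
    static_files = [p for s in STATIC_SUBDIRS for p in walk_files(os.path.join(WEBAPP_ROOT, s))]
    report = host_report(walk_files(DROP_DIR), static_files, read_cmdlines(), read_int(NR_HUGEPAGES))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as root so every process's cmdline is readable; a report with `dirty: True` means one of the checklist steps above has not been completed yet, and the listed paths and PIDs say which.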
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

Hostsailor replied to me that they blocked the host currently distributing zmcat!
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: CVE-2019-9670 being actively exploited

Post by pup_seba »

Hi guys!

First of all, thank you for sharing your knowledge and findings, I really mean it.

Does anyone know what harm they actually do? I mean, yeah, they create some accounts and get access to the server, but...what do they do with that access? With my almost non-existent kung-fu, all I can see is this:
- They change the hugepage value to 128
- They deploy a zmcat file
- They deploy a couple of bash scripts that temporarily (I think) do something to the crontab and rc.local
- They send a tmp.txt file to a remote IP to a folder named "reports"
- They create a couple of accounts and then they try to remove them as it seems that they only use the accounts to download the jsp files that give them access to the terminal

What does that zmcat file do? What is in the tmp.txt file they send? I guess what I really would like to know is how compromised someone's information is after the "damage" is done.
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

Virustotal detects zmcat as a Bitcoin miner.

The tmp.txt is not uploaded but downloaded: it's the JSP they use to run commands.
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: CVE-2019-9670 being actively exploited

Post by pup_seba »

ohhh dear...all of this just for mining bitcoins?! :/

I mean, I can think of so many things to do to a server or even to the AD if they are using (as many people do) an admin account to sync their gal, auth, or even the auto-provisioning configuration...

For the part about the file not being sent but being downloaded...that's good news I think. I did not realize it was being downloaded instead of uploaded :)

Thank you for your clarifications!!!
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

There's an ongoing discussion on IRC. Some are investigating further, because other than creating and deleting temporary accounts, some found evidence of deleted production accounts and compromised java files.

More updates will follow
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: CVE-2019-9670 being actively exploited

Post by L. Mark Stone »

Maxxer's excellent blog explains how to detect and clean this infection.

https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/

It's important to note that applying the patches that correct this exposure does NOT clean out an infection that existed before you applied the patch.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: CVE-2019-9670 being actively exploited

Post by pup_seba »

Thanks for that blog link Mark! Thanks to it I noticed the "zmcat" file :/ So today, I have to say "sorry, I missed one thing" and then "reclean" two environments for which I left that behind.

I hope that the compromised java files do get replaced after upgrading zimbra. I'll be following your findings as closely as I can!

You guys are awesome!!!