CVE-2019-9670 being actively exploited (Hacked Server)

Posted: Wed Apr 03, 2019 2:32 pm
by maxxer
As many reported on IRC, the latest security bug found in Zimbra is being actively exploited in the wild.

It's easy to find a compromised install because the exploit campaign creates /tmp/zmcat binary on the system. It also downloads two .sh files used to fetch the binary from 185[.]106.120.118.

This is what I found in my nginx access log, so as a temporary mitigation one could block the python-requests user agent (other than installing the patch, that is).

104.168.158.113:48768 - - [02/Apr/2019:11:49:43 +0200]  "POST /AutoDiscover/ HTTP/1.1" 503 13388 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48770 - - [02/Apr/2019:11:49:45 +0200]  "POST /service/soap HTTP/1.1" 200 1042 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48772 - - [02/Apr/2019:11:49:47 +0200]  "POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap/ HTTP/1.1" 200 1057 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48774 - - [02/Apr/2019:11:49:49 +0200]  "POST /service/extension/clientUploader/upload HTTP/1.1" 200 292 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48776 - - [02/Apr/2019:11:49:51 +0200]  "GET /downloads/PS1q.jsp?pwd=bduXyq HTTP/1.1" 200 468 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48778 - - [02/Apr/2019:11:49:53 +0200]  "POST /downloads/PS1q.jsp?pwd=bduXyq HTTP/1.1" 200 469 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48780 - - [02/Apr/2019:11:49:55 +0200]  "GET /img/ikDB.jsp?pwd=4BkLUS HTTP/1.1" 200 470 "-" "python-requests/2.9.1" "10.0.0.5:8443"
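Added here as a worked example (not code from the thread or from Zimbra): a Python checker that applies the pattern in the log above to nginx access-log lines, reporting per client whether the python-requests user agent was used and which of the three request stages (proxy request aimed at the admin port, clientUploader upload, JSP under /downloads/ or /img/) were hit. The stage names are labels chosen here; the sample lines are taken from the post except the 203.0.113.9 request, which is constructed.

```python
import re
# Matches the nginx access-log layout shown in the post: client:port, time, request, status, bytes, referer, UA, upstream.
LOG_RE = re.compile(
    r'^(?P<client>\d{1,3}(?:\.\d{1,3}){3}):\d+ - - \[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Request stages seen in the posted log, in the order they appear there (labels are ours, not Zimbra terms).
STAGES = (
    ("ssrf_to_admin", re.compile(r'^/service/proxy\?target=https?://(?:127\.0\.0\.1|localhost):7071/')),
    ("client_uploader", re.compile(r'^/service/extension/clientUploader/upload')),
    ("webshell_jsp", re.compile(r'^/(?:downloads|img)/[^/?]+\.jsp(?:\?|$)')),
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in this layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def scan(lines):
    """Per client IP: whether a python-requests UA was seen, the stages hit (in order), JSP paths touched."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = next((name for name, rx in STAGES if rx.match(rec["path"])), None)
        py_ua = rec["ua"].startswith("python-requests/")
        if stage is None and not py_ua:
            continue  # ordinary traffic, nothing to record
        f = findings.setdefault(rec["client"], {"python_requests": False, "stages": [], "jsps": set()})
        f["python_requests"] = f["python_requests"] or py_ua
        if stage and stage not in f["stages"]:
            f["stages"].append(stage)
        if stage == "webshell_jsp":
            f["jsps"].add(rec["path"].split("?", 1)[0])  # keep the JSP path, drop the ?pwd=... parameter
    return findings

def likely_compromised(findings):
    """Clients that went through all three stages: those hosts need the cleanup, not only the patch."""
    return sorted(ip for ip, f in findings.items() if all(n in f["stages"] for n, _ in STAGES))

# Sample input: four lines from the post plus one constructed benign request from 203.0.113.9.
SAMPLE_LOG = [
    '104.168.158.113:48772 - - [02/Apr/2019:11:49:47 +0200]  "POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap/ HTTP/1.1" 200 1057 "-" "python-requests/2.9.1" "10.0.0.5:8443"',
    '104.168.158.113:48774 - - [02/Apr/2019:11:49:49 +0200]  "POST /service/extension/clientUploader/upload HTTP/1.1" 200 292 "-" "python-requests/2.9.1" "10.0.0.5:8443"',
    '104.168.158.113:48776 - - [02/Apr/2019:11:49:51 +0200]  "GET /downloads/PS1q.jsp?pwd=bduXyq HTTP/1.1" 200 468 "-" "python-requests/2.9.1" "10.0.0.5:8443"',
    '104.168.158.113:48780 - - [02/Apr/2019:11:49:55 +0200]  "GET /img/ikDB.jsp?pwd=4BkLUS HTTP/1.1" 200 470 "-" "python-requests/2.9.1" "10.0.0.5:8443"',
    '203.0.113.9:51022 - - [02/Apr/2019:11:50:01 +0200]  "GET /service/soap HTTP/1.1" 200 812 "-" "Mozilla/5.0" "10.0.0.5:8443"',  # constructed benign line
]
```

Run `scan(SAMPLE_LOG)` over a real access log (one line per element) and pass the result to `likely_compromised` to get the client IPs that completed the whole chain.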

Re: CVE-2019-9670 being actively exploited

Posted: Wed Apr 03, 2019 3:36 pm
by JDunphy
With shodan it is possible to exploit these RCEs in near real-time these days. I was shocked when I read about the exploit March 13 and the first patch was 3 days later for 8.7.11, which gave me no time to test the patch, and I went straight to production minutes later with P10. Given what I am seeing, I am leaning toward adding modsecurity 3.0 myself now that it isn't as apache dependent and is a lot faster with nginx. In addition to having access to the various stages of the pipeline to disrupt these types of attacks, I like its ability to create dynamic rules in real-time to block IPs using collections, which would have more granularity than DoSFilter for some types of attacks. I use this a lot on our web farms here and it is a nice weapon to have against exploits until proper patches can be tested and deployed.

Anyone else deploy modsecurity with zimbra?

Ref: https://blog.tint0.com/2019/03/a-saga-o ... imbra.html
Ref: https://github.com/SpiderLabs/ModSecurity-nginx

Re: CVE-2019-9670 being actively exploited

Posted: Thu Apr 04, 2019 7:33 am
by maxxer
I haven't had the chance to test with modsecurity. Will give a look, thanks.

I wrote some guidelines on the behaviour of the attack and how to clean zmcat.

In short:
- patch
- kill running processes for l.sh and s.sh and zmcat
- remove scripts and zmcat
- remove uploaded jsps

Re: CVE-2019-9670 being actively exploited

Posted: Thu Apr 04, 2019 10:07 am
by maxxer
Hostsailor replied to me that they blocked the host currently distributing zmcat!

Re: CVE-2019-9670 being actively exploited

Posted: Thu Apr 04, 2019 12:47 pm
by pup_seba
Hi guys!

First of all, thank you for sharing your knowledge and findings, I really mean it.

Does anyone know what harm they actually do? I mean, yeah, they create some accounts and get access to the server, but...what do they do with that access? With my almost non-existent kung-fu, all I can see is this:
- They change the hugepage value to 128
- They deploy a zmcat file
- They deploy a couple of bash scripts that temporarily (I think) do something to the crontab and rc.local
- They send a tmp.txt file to a remote IP to a folder named "reports"
- They create a couple of accounts and then they try to remove them as it seems that they only use the accounts to download the jsp files that give them access to the terminal

What does that zmcat file do? What is in the tmp.txt file they send? I guess what I really would like to know is how compromised someone's information is after the "damage" is done.

Re: CVE-2019-9670 being actively exploited

Posted: Thu Apr 04, 2019 1:03 pm
by maxxer
Virustotal detects zmcat as a Bitcoin miner.

The tmp.txt is not uploaded but downloaded: it's the JSP they use to run commands.

Re: CVE-2019-9670 being actively exploited

Posted: Thu Apr 04, 2019 1:22 pm
by pup_seba
ohhh dear...all of this just for mining bitcoins?! :/

I mean, I can think of so many things to do to a server or even to the AD if they are using (as many people do) an admin account to sync their GAL, auth, or even the auto-provisioning configuration...

For the part about the file not being sent but being downloaded...that's good news I think. I did not realize it was being downloaded instead of uploaded :)

Thank you for your clarifications!!!

Re: CVE-2019-9670 being actively exploited

Posted: Thu Apr 04, 2019 1:37 pm
by maxxer
There's an ongoing discussion on IRC. Some are investigating further, because other than creating and deleting temporary accounts, some found evidence of deleted production accounts and compromised java files.

More updates will follow

Re: CVE-2019-9670 being actively exploited

Posted: Thu Apr 04, 2019 1:41 pm
by L. Mark Stone
Maxxer's excellent blog explains how to detect and clean this infection.

https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/

It's important to note that applying the patches that correct this exposure does NOT clean out an infection that existed before you applied the patch.

Hope that helps,
Mark

Re: CVE-2019-9670 being actively exploited

Posted: Thu Apr 04, 2019 1:51 pm
by pup_seba
Thanks for that blog link Mark! Thanks to it I noticed the "zmcat" file :/ So today, I have to say "sorry, I missed one thing" and then "reclean" two environments for which I left that behind.

I hope that the compromised java does get replaced after upgrading zimbra. I'll be following your findings as closely as I can!

You guys are awesome!!!