![]() Some targeted credentials don't seem to be directly tied to spam but could be used to support the attackers' operations, such as databases and web hosting administration panels. Other services targeted by Legion's credential harvesting functionality include Twilio, Nexmo, Stripe/Paypal, AWS console credentials, AWS SNS, S3 and SES specific credentials, Mailgun, Plivo, Clicksend, Mandrill, Mailjet, MessageBird, Vonage, Nexmo, Exotel, Onesignal, Clickatel, and Tokbox. The tool also attempts to brute-force credentials for SendGrid, a platform for email marketing. For example, collected AWS IAM credentials are tested to see if they work with the Amazon Simple Email Service (SES). Some of the cloud platform credentials targeted also seem to be tied to this end goal. Some services also provide email to SMS functionality via SMTP and the Legion contains a script for sending SMS in this way to most US mobile carriers. ![]() The end goal of the attackers who use Legion is to launch mass spam campaigns via email and SMS by using hijacked Simple Mail Transfer Protocol (SMTP) credentials. Nevertheless, the new improved sample analyzed by Cado had zero detections on the multi-engine scan site Virus Total, meaning its developers are well versed in evading detection. The Cado researchers first documented Legion's capabilities last month, but the malware seems similar to a tool that researchers from Lacework analyzed in December and dubbed AndroxGh0st. Deploying webshells Other tools for abusing AWS services.Brute-forcing cPanel and WebHost Manager (WHM) accounts.Exploiting vulnerable versions of Apache.Launching remote code execution (RCE) exploits against web applications.Atlassian are an enterprise software giant, and I suspect this incident will end up doing a fair amount of harm to their reputation, particularly to the most security-conscious companies, who will now be wondering whether there are any other major vulnerabilities lying around. To figure out if a system is vulnerable, Atlassian advised Confluence users to search for accounts with the following information:Īll software has bugs, even security bugs, but this one is particularly egregious and absolutely should not have made it into production. "It is important to remediate this vulnerability on affected systems immediately." "A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said. The hardcoded password protecting this account allows for viewing and editing of all non-restricted pages within Confluence. When installed, the app creates a Confluence user account named disabledsystemuser, which is intended to help admins move data between the app and the Confluence Cloud service. The company said that Questions for Confluence had 8,055 installations at the time of publication. The company warned the passcode was "trivial to obtain." ![]() Atlassian on Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138 stemming from a hardcoded password in Questions for Confluence, an app that allows users to quickly receive support for common questions involving Atlassian products.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |