Email marketing firm MailChimp disclosed on Sunday that they had been hit by hackers who gained access to internal customer support and account management tools to steal audience data and conduct phishing attacks.
The data breach was confirmed to the press by Mailchimp on Monday, but it had come to light over the weekend when users of the Trezor hardware cryptocurrency wallet reported being targeted by sophisticated phishing emails.
MailChimp has confirmed that the data breach was more significant than just Trezor's account being accessed by threat actors.
According to MailChimp, some of their employees fell for a social engineering attack that led to the theft of their credentials.
"On March 26, our Security team became aware of a malicious actor accessing one of our internal tools used by customer-facing teams for customer support and account administration," MailChimp CISO, Siobhan Smyth, had informed BleepingComputer.
"The incident was propagated by an external actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised."
"We acted swiftly to address the situation by terminating access for the compromised employee accounts and took steps to prevent additional employees from being affected."
These credentials were used to access 319 MailChimp accounts and to export "audience data," likely mailing lists, from 102 customer accounts.
In addition to viewing accounts and exporting data, the threat actors gained access to API keys for an undisclosed number of customers, which have now been disabled and can no longer be used.
Application Programming Interface (API) keys are access tokens that allow MailChimp customers to manage their accounts and perform marketing campaigns directly from their own websites or platforms.
Using these compromised API keys, a threat actor can create custom email campaigns, such as phishing campaigns, and send them to mailing lists without accessing MailChimp's customer portal.
MailChimp has notified all of the compromised account holders have been notified and that the threat actors accessed customers in the cryptocurrency and finance sectors.
MailChimp says that they received reports of this access being used to conduct phishing campaigns against stolen contacts but have not disclosed information about those attacks.
Mailchimp would not say how many other cryptocurrency services or financial institutions were affected by the incident.
This data breach is reminiscent of recent breaches by the Lapsus$ hacking group, who used social engineering, malware, and credential theft to gain access to numerous well-known companies, including Nvidia, Samsung, Microsoft, and Okta.
The Okta data breach was accomplished through a similar method as MailChimp, by social-engineering a contractor who had access to internal customer support and account management systems.
Armoryze security team recommends that all MailChimp impacted customers should enable two-factor authentication on their accounts for further protection.
A security flaw was recently reported by OpenSSL. The vulnerability could be exploited to trigger an infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack.
The function BN_mod_sqrt() for computing square roots contains a bug that could cause it to loop indefinitely for non-prime moduli. This function is used internally when parsing a certificate that contains an elliptic curve public key in compressed form or an explicit elliptic curve parameter with a base point encoded in compressed form.
“Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial-of-service attack,” OpenSSL said in an advisory published on March 15, 2022.
A specific certificate can be crafted to trigger an infinite loop, vulnerable situations include:
Solution / Mitigation:
At present, the OpenSSL project team has released a new version to fix the CVE-2022-0778 vulnerability, and organizations who use OpenSSL are advised to upgrade to the latest version as soon as possible.
According to Binarly, the 23 high-severity vulnerabilities could impact millions of enterprise devices, such as laptops, servers, routers, network appliances, industrial control systems (ICS), and edge computing devices. There are more than 25 affected vendors, including HP, Lenovo, Fujitsu, Microsoft, Intel, Dell, Bull (Atos) and Siemens.
UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. SMM's privileges, also referred to as "Ring -2," exceed the privileges of the operating system's kernel ("Ring-0"). For this reason, SMM is executed in a protected area of memory called the SMRAM. It is typically accessed via System Management Interrupt (SMI) Handlers using communication buffers, which are also known as "SMM Comm Buffers." The SMM also provides protection against SPI flash modifications and performs boot time verifications similar to those performed by SecureBoot.
UEFI software requires both openness (for hardware drivers, pluggable devices and Driver eXecution Environment (DXE) updates) as well as very tight security controls (for e.g., SMM Comm Buffer Security), making it a complex software that needs a thorough set of security controls that need validation throughout the software's lifecycle. UEFI also supports recent capabilities like Virtual Machine Manager (VMM) for virtualization and the increasing demand of virtual computing resources.
Insyde's H2O UEFI firmware contains several (23) memory management vulnerabilities that were disclosed by Binarly. While these vulnerabilities were discovered in Fujitsu and Bull Atos implementations of Insyde H2O software, the same software is also present in many other vendor implementations due to the complex UEFI supply chain. The vulnerabilities can be classified by the following UEFI vulnerability categories.
The impacts of these vulnerabilities vary widely due to the nature of SMM capabilities. As an example, a local attacker with administrative privileges (or a remote attacker with administrative privileges) can exploit these vulnerabilities to elevate privileges above the operating system to execute arbitrary code in SMM mode. These attacks can be invoked from the operating system using the unverified or unsafe SMI Handlers, and in some cases these bugs can also be triggered in the UEFI early boot phases ( as well as sleep and recovery like ACPI) before the operating system is initialized.
In summary, a local attacker with administrative privileges (in some cases a remote attacker with administrative privileges) can use malicious software to perform any of the following:
Install the latest stable version of firmware provided by your vendor or your nearest reseller of your computing environments.
If your operating system supports automatic or managed updates for firmware, such as Linux Vendor Firmware Service (LVFS), apply the related software security updates.
Our security team are aware of recent exploitation of 12-year-old security flaw in the sudo-like Polkit’s pkexec tool, which is found in all major Linux distributions.
About Polkit pkexec in Linux:
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).
Vulnerability Description (CVE-2021-4034):
A local privilege escalation vulnerability was found on polkit's pkexec utility under CVE-2021-4034. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009 (commit c8c3d83, “Add a pkexec(1) command”).
Take vulnerability management, threat detection and response to the next level. Subscribe for a free trial of USM Anywhere, it centralizes asset discovery, vulnerability scanning and security monitoring of networks and devices in the cloud, on premises, and in remote locations, helping you to quickly detect and respond to threats virtually anywhere.