Open Redirect in Oracle BlueKai

-

Phishing threat actors are continuously seeking new methods to increase the chances of success in their campaigns. Phishing is still one of the main initial access vectors into target networks. One technique that makes phishing emails particularly difficult to block is the use of open redirect vulnerabilities to distribute malicious links. Although often underestimated and left unaddressed for months or years, open redirect vulnerabilities can present a considerable risk to your users. Open redirect bugs often occur in the form of a parameter inside a query which contains a URL to redirect a user to. 


In late 2020, a client of mine was targeted in a spear-phishing campaign that leveraged a universal open redirect vulnerability in the Oracle BlueKai Data Management Platform. The vulnerability was responsibly disclosed to Oracle Security in December 2020. At the time of writing, the vulnerability remains unpatched and has not been assigned a CVE number (despite multiple other open redirects having one - see here). However, an attacker was able to conceal a malicious URL inside the BlueKai open redirect bug and was able to bypass the target’s secure email gateway (SEG) as a result.


Example of a malicious URL using an Open Redirect:


http://*.domain.*/dir/dir?redir=https%3A%2F%2F<malicious URL>


The <malicious URL> part is where the attackers were able to append their credential harvesting page to steal Office 365 account details. Email security tools are often unable to pick up that this is a malicious link as it comes from a trustworthy hostname with an established reputation. However, clicking on the link takes the user straight to the attacker’s credential harvesting page.


I recreated a proof-of-concept (PoC) for demonstration purposes of the scenario in which we saw this vulnerability in Oracle BlueKai being leveraged in the wild:



We also used a URL to demonstrate the common weakness enumeration definition (CWE-601: URL Redirection to Untrusted Site) to highlight the issue to Oracle Security:



Disclosure Timeline

  • 7 December 2020 - Discovery of In The Wild Exploitation
  • 8 December 2020 - Responsible Disclosure to Oracle (secalert_us@oracle.com)
  • 8 December 2020 - Oracle responds and assigns it the ID of "S1391642 - OPEN REDIRECT"
  • 23 December 2020 - First of many monthly Status Reports by Oracle
  • 23 June 2021 - Requested an update on the Open Redirect bug, six months after initial disclosure
  • 9 July 2021 - Oracle says the redirection is "key to the way the service functions" and there are "no plans yet to change the behaviour in the near future". Oracle employee considers the "issue as closed"
  • 17 July 2021 - Email sent to Oracle requesting permission to disclose the issue publicly on this blog considering the case was "closed" and is a "key way the service functions"
  • 22 July 2021 - Product Security Group Manager of Oracle responds saying the bug has been "escalated internally", but has determined that the redirect behaviour is a "known issue that is commonly found in Internet Scale advertising platforms like Google, Adobe, and BlueKai", adding that Oracle is "exploring various mechanisms to prevent misuse of redirects"
  • 22 July 2021 - Response sent to Oracle saying that public disclosure will be delayed to give the Product Security Group more time to review and potentially fix the issue
  • August - December 2021 - No response from Oracle other than automated Monthly State Reports with no additional information
  • 21 December 2021 - Public disclosure on this blog to raise awareness

Some vendors often fail to consider patching these bugs and have taken years to fix them. However, they are often shared or sold around cybercriminal communities and leveraged for a wide array of campaigns. In November 2020, Cyjax analysts also uncovered multiple links related to the email marketing service, Adobe Campaign, being abused in phishing attacks. The attackers had spotted an open redirect bug and began exploiting a large wave of phishing attacks.


https://[redacted]-t.[redacted].net/r/?id=he5e7463,33113b4d,33113b55&p1=phishing-website.com


http://rt1-t.confirmation.[redacted]-mail.com/r/?id=hd6347f9%2C151fc709%2C151fc79b&p1=phishing-website.com#victim@example.com


In February 2021, the Microsoft Threat Intelligence Center (MSTIC) reported that it was tracking a phishing campaign using a domain generation algorithm (DGA), free email services, and compromised email accounts to launch a massive phishing campaign. These emails are linked by open redirect URLs that begin with a distinct pattern: 


https://t.[redacted].tld/r/?


MSTIC highlighted that the use of the open redirect is both an automated detection evasion technique and a way to trick human users into clicking the redirector URLs, which show a legitimate domain followed by the malicious link. [1]


Call To Action


Attackers often look for open redirect links inside marketing emails. There are several steps application developers should take when designing a system to prevent creating open redirects. The primary being that these systems should be applying backend checks to ensure the user is only able to be sent to a small number of predefined domains or URLs. All others - such as threat actor-created pages - should ideally be rejected via verification checks.


Open redirect links are a difficult component to combat and a part of the overall security challenge that phishing continues to present. We recommend organisations review mail flow rules - including certain IP ranges or domain-level allow lists, to ensure phishing emails are unable to slip through. Security researchers should continue to research these issues and highlight phishing campaigns they detect using these open redirect vulnerabilities to get these issues fixed sooner rather than later.


Further Reading:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more