
Eurostar: Users Forced Into Resetting Passwords, Then Fails and Locks Them Out

Eurostar, the international high-speed rail operator, has been emailing its customers this week, urging them to reset their account passwords in a bid to "upgrade" security.

But, when users click the password reset link, "technical issues" are apparently keeping them from changing their passwords or logging into their accounts. 

Eurostar Password Reset Bug is Locking Passengers Out 

The company, known for linking the UK with France, Belgium and the Netherlands, with most of its trains crossing the Channel Tunnel, has been emailing customers to say that it is "busy" upgrading the security of their accounts.

The email reportedly reads: "Dear customer, we've been busy upgrading our security to protect your account and your personal details. To continue using your Eurostar account, you'll need to reset your password. If you also use the Eurostar mobile app, you'll need to update it to the latest version."

Nevertheless, clicking the "reset password" link and following the prompts does not work. Users instead encounter the following error message: "Sorry, we're having a few technical problems so we can't send the email at the moment. Please try again a little later."

The bug has caused immense frustration among Eurostar passengers around the globe, who are now effectively locked out of their accounts.

Users are shown the password reset interstitial after every successful login, which prevents them from accessing their accounts until they reset their passwords. However, because of the technical problem described above, the password reset never completes.

Commenting on the issue, one user tweeted: "@Eurostar how to tell your customers you hate them without saying it: lock everyone's account and make it impossible to reset their password." Moreover, some perplexed users were mistaking Eurostar's legitimate email for a phishing attempt.

Ongoing Maintenance to Blame? 

In a lengthy Twitter thread on Friday, Eurostar acknowledged that users were experiencing problems accessing their Club Eurostar accounts and attributed this to ongoing maintenance. However, this was before the company started sending out the password reset emails.

In many cases, customers have complained that reservations and data were "lost" from their accounts.

At the time, the railway operator advised users to clear their browser cookies or to re-attempt registration with the same email address, although nobody seems to have benefited from this as a solution.

The last time a comprehensive password reset was implemented by Eurostar was in 2018 following a data breach, as The Telegraph at the time reported. 

It is still unclear whether the forced password reset is really Eurostar's attempt to increase account security or if it is a response to a cybersecurity issue like system compromise or data breach. 

Addressing the situation, a Eurostar spokesperson said: "our customers were contacted to reset their password following an update to our customer authentication system. The sudden volume of customers who attempted to do this caused some technical difficulties and we are working to resolve this as soon as possible. We apologize for any inconvenience this has caused."

Determined APT is Abusing ManageEngine ServiceDesk Plus Flaw


An APT group is abusing a severe vulnerability in Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077) to infiltrate enterprises in a range of industries, including defence and technology.

The Cybersecurity and Infrastructure Security Agency (CISA) warned: "Successful exploitation of the vulnerability allows an attacker to upload executable files and place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files."

CVE-2021-44077 is an authentication bypass flaw in on-premises ManageEngine ServiceDesk Plus installations running version 11305 and earlier. The root cause is an incorrect security configuration in ServiceDesk Plus, which allows an attacker to obtain unauthorised access to the application's data via a few of its application URLs.

The company explained, “To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement. This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.” 

On September 16, 2021, ManageEngine (a Zoho subsidiary) released version 11306 to address the issue. CVE-2021-44077 has been the target of attacks for quite some time. Unit 42 at Palo Alto Networks has linked the activity to a "persistent and determined APT actor" who first exploited a zero-day vulnerability in ADSelfService in August and September, then moved to leverage another vulnerability (CVE-2021-44077) impacting the same software in September and October, and is now (since late October) exploiting CVE-2021-44077 in the ServiceDesk Plus software. 

The researchers believe the APT actor wrote its own exploit code for these attacks, because no proof-of-concept exploit code for CVE-2021-44077 is publicly available.

“Upon exploitation, the actor has been observed uploading a new dropper to victim systems. Similar to the previous tactics used against the ADSelfService software, this dropper deploys a Godzilla web shell which provides the actor with further access to and persistence in compromised systems,” they shared.

“Over the past three months, at least 13 organizations across the technology, energy, healthcare, education, finance and defence industries have been compromised [by this APT]. Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states.” 

Unit 42's search for internet-facing ManageEngine ServiceDesk Plus installations found over 4,700 of them, of which 2,900 were vulnerable to exploitation; about 600 of these are in the United States.

The researchers have released technical details and proofs of concept for the most recent attacks targeting CVE-2021-44077, as well as suggestions for companies on how to protect themselves. Similar information, including network indicators, TTPs, YARA rules and mitigation advice, is available in the CISA advisory, and Zoho has offered additional details and a downloadable exploit detection tool that businesses can use to run a quick scan and investigate any compromise of their installation.

Finally, the Palo Alto researchers have issued an additional cautionary statement: “In continuing to track this actor’s activities, we believe it is also important to note that on Nov. 9, we observed the actor connecting to passwordmanagerpromsp[.]com. This domain is associated with another ManageEngine product that provides Managed Service Providers (MSPs) with the ability to manage passwords across multiple customers in a single instance. Earlier this year, Zoho released a patch for CVE-2021-33617 affecting this product. While we have not seen any exploitation attempts to date, given the actor’s emerging pattern of targeting ManageEngine products and the actor’s interest in this third product, we highly recommend organizations apply the relevant patches.”
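Two defender-facing facts in this post lend themselves to a quick triage script: the fix build for CVE-2021-44077 (11306, with 11305 and earlier affected) and the domain the actor was seen connecting to on Nov. 9 (passwordmanagerpromsp[.]com). The following is an added example, not code from the article, from Zoho or from Unit 42, and it is not Zoho's exploit detection tool. The inventory list, DNS log lines, hostnames and log format are constructed for illustration; in practice the inventory would come from your asset database and the log lines from your resolver.

```python
"""Triage helpers for the ServiceDesk Plus build threshold and the watched
domain named in the article. Added example; all data below is constructed."""
import re
from typing import Iterable, List, Tuple

# Build 11306 closes CVE-2021-44077 (stated in the article); anything below is affected.
FIXED_BUILD = 11306

# Defanged domain quoted from the Unit 42 statement, refanged for matching.
WATCHED_DOMAINS = {"passwordmanagerpromsp[.]com".replace("[.]", ".")}

# Constructed asset inventory: (hostname, product, build number).
INVENTORY = [
    ("sdp-01", "ServiceDesk Plus", 11305),
    ("sdp-02", "ServiceDesk Plus", 11306),
    ("sdp-03", "ServiceDesk Plus", 11210),
    ("other-01", "Some Other Product", 1),
]

# Constructed resolver log lines: "<timestamp> <client> query <qname>".
DNS_LOG = [
    "2021-11-09T10:15:02Z 10.0.4.17 query www.example.com.",
    "2021-11-09T10:15:09Z 10.0.4.17 query passwordmanagerpromsp.com.",
    "2021-11-09T10:16:30Z 10.0.8.3 query api.passwordmanagerpromsp.com.",
    "2021-11-09T10:17:00Z 10.0.8.3 NXDOMAIN",
]

DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def is_vulnerable_build(build: int) -> bool:
    """True when the build is older than the first fixed build."""
    return build < FIXED_BUILD


def triage_inventory(inventory: Iterable[Tuple[str, str, int]]) -> List[str]:
    """Return the hostnames still running an affected ServiceDesk Plus build."""
    return sorted(
        host
        for host, product, build in inventory
        if product == "ServiceDesk Plus" and is_vulnerable_build(build)
    )


def find_watched_lookups(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, qname) for lookups of a watched domain or any subdomain."""
    hits = []
    for line in lines:
        match = DNS_LINE.match(line)
        if not match:
            continue  # lines that are not query records (e.g. NXDOMAIN) are skipped
        qname = match.group("qname").rstrip(".").lower()
        if qname in WATCHED_DOMAINS or any(qname.endswith("." + d) for d in WATCHED_DOMAINS):
            hits.append((match.group("ts"), match.group("client"), qname))
    return hits


if __name__ == "__main__":
    for host in triage_inventory(INVENTORY):
        print(f"patch needed: {host}")
    for ts, client, qname in find_watched_lookups(DNS_LOG):
        print(f"watched domain lookup: {ts} {client} -> {qname}")
```

Subdomain matching is deliberate: a connection to the bare domain and one to a host under it are equally worth a look. Any hit is a lead for investigation rather than proof of compromise, since the article itself notes that no exploitation of the third product had been seen at the time.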