Identified indicators of compromise (IOCs)
Identified compromise reports (groupings of IoCs)
HIGHLIGHT OF THE MONTH
At the beginning of August 2022, an increasing number of investigations into intrusions via Zimbra Collaboration were noted. Zimbra Collaboration is a collaborative software suite providing an email client and server as well as contact management, calendaring and document sharing. The suite is available in two versions: an open-source edition (not affected) and a commercial edition, which is the one these vulnerabilities concern. Following these investigations, two vulnerabilities were reported:
CVE-2022-27925 (CVSS 7.2): a path traversal in the mailbox import feature, which requires administrator rights. A crafted ZIP archive submitted to this feature can write files outside the intended directory, which leads to arbitrary code execution (authenticated RCE).
CVE-2022-37042 (CVSS 9.8): the result of an incomplete fix for the previous vulnerability, allowing the authentication check in front of the import feature to be bypassed. Combining the authentication bypass with the arbitrary file write yields remote code execution without any credentials (unauthenticated RCE).
Active exploitation of this vulnerability, which is not limited to any particular actor, has also been confirmed by the Cybersecurity & Infrastructure Security Agency (CISA), which published an alert on the subject. A module has recently been added to the Metasploit Framework, making exploitation even easier.
CVE-2022-27925 was first addressed in 9.0.0P24 and 8.8.15P31; because that fix was incomplete (CVE-2022-37042), the complete fix ships in releases 9.0.0P26 and 8.8.15P33, which are the minimum versions to run. Patching alone does not evict an attacker who got in beforehand: any instance exposed before the update should be checked for files written by the import feature outside its expected directory (typically web shells) and for unexpected requests to the import endpoint in the web server logs.
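The two checks a responder wants after reading the above are (1) what a ZIP path-traversal entry looks like and how an importer should reject it, and (2) a first pass over access logs for requests to the import endpoint. The Python below is an added example written for this page, not Zimbra's code or the original report's; the endpoint path and the access-log lines are constructed for the demonstration (the path is taken from public write-ups, not from the report above) and should be replaced with what your own logs show.

```python
import io
import os
import re
import zipfile

# Assumed endpoint of the mailbox import feature (public write-ups, not the
# report above); adjust it to what your own Zimbra/proxy logs record.
MBOXIMPORT_PATH = "/service/extension/backup/mboximport"


def build_sample_archive() -> bytes:
    """Constructed sample import archive: one normal entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Inbox/message-1.eml", "From: a@example.com\r\n\r\nhello\r\n")
        # The entry name climbs out of the extraction directory. An extractor that
        # joins the name onto its base directory without checking the result
        # writes wherever the name points: the bug class behind CVE-2022-27925.
        zf.writestr("../../../tmp/dropped.txt", "payload")
    return buf.getvalue()


def entry_escapes(dest_dir: str, member_name: str) -> bool:
    """True if dest_dir/member_name resolves to a location outside dest_dir."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, member_name))
    return os.path.commonpath([dest, target]) != dest


def classify_archive(zip_bytes: bytes, dest_dir: str = "/srv/import"):
    """Split archive entries into those safe to extract under dest_dir and those rejected."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Backslashes are rejected outright: on POSIX they are ordinary
            # characters, so a resolve-based check would not see "..\\.." as traversal.
            if name.startswith(("/", "\\")) or "\\" in name or entry_escapes(dest_dir, name):
                rejected.append(name)
            else:
                safe.append(name)
    return safe, rejected


# Constructed access-log lines in combined-log layout (sample data, not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Aug/2022:03:14:07 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 401 0 "-" "python-requests/2.28.1"
203.0.113.10 - - [10/Aug/2022:03:14:09 +0000] "POST /service/extension/backup/mboximport HTTP/1.1" 200 0 "-" "python-requests/2.28.1"
198.51.100.7 - - [10/Aug/2022:09:00:01 +0000] "GET /service/soap HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_mboximport_requests(log_text: str):
    """Return (ip, timestamp, status) for every POST to the import endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and m["path"].split("?", 1)[0] == MBOXIMPORT_PATH:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


def suspicious_sources(log_text: str, admin_hosts: set) -> set:
    """Source IPs outside the admin allow-list that got a 2xx on the import endpoint.

    The import feature is an administrator function, so a successful POST from
    any other host is the first line to pull for a timeline."""
    return {ip for ip, _, status in find_mboximport_requests(log_text)
            if 200 <= status < 300 and ip not in admin_hosts}


if __name__ == "__main__":
    print(classify_archive(build_sample_archive()))
    print(suspicious_sources(SAMPLE_ACCESS_LOG, admin_hosts={"192.0.2.5"}))
```

Note that Python's own `ZipFile.extractall` strips traversal components before writing, so the check above is only needed when an application does its own path joining; the log scan matches on the path alone and ignores the query string, so it also catches variants that add parameters.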
DEFINITION OF THE MONTH
Macros are a tool for automating actions in Microsoft Office. When used for malicious purposes they hide inside Office files and are usually distributed as email attachments or inside ZIP archives. Attackers use them in several ways: for persistence via the Normal.dotm global template, to store executables or commands in hidden columns or cells of Excel workbooks, and to run code automatically as soon as a workbook is opened, without any further action from the user.
Malicious actors regularly use macros to deploy malware and ransomware. Microsoft recently changed the default behavior of Office applications to block macros in files that came from the Internet (files carrying the Mark of the Web). Because of this change, attackers now have to convince victims to enable macros before the malicious payload can run. You can protect yourself by disabling macros (or allowing only digitally signed ones) through Group Policy, and by enabling Microsoft Defender Attack Surface Reduction (ASR) rules on Windows 10, in particular the rule that blocks Office applications from creating child processes.
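Since the text says macros hide inside Office files that arrive as attachments or inside ZIP archives, the useful complement is a triage check that finds them without trusting the file extension or the Mark of the Web. The Python below is an added example written for this page (not Microsoft's or Gatewatcher's code): it recognises the legacy OLE container by its magic bytes, opens OOXML files as the ZIP archives they are, looks for a `vbaProject.bin` part or a `macroEnabled` content type, and descends into plain ZIP wrappers. The sample documents are constructed stand-ins with only the parts needed for the check.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsm/...) and plain ZIP
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


# Constructed stand-ins for real attachments; real files carry many more parts.
def _ooxml(content_type: str, with_vba: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{content_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def build_sample_docm() -> bytes:
    """Macro-enabled Word document (constructed)."""
    return _ooxml("application/vnd.ms-word.document.macroEnabled.main+xml", True)


def build_sample_docx() -> bytes:
    """Plain Word document without VBA (constructed)."""
    return _ooxml("application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", False)


def build_outer_zip(files: dict) -> bytes:
    """ZIP wrapper around several attachments, as seen in phishing mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, verdict) pairs for an attachment, descending into ZIP wrappers."""
    if data.startswith(OLE_MAGIC):
        # Binary Office format: VBA or Excel 4.0 macros live in OLE streams and
        # need a real parser (e.g. oletools), so flag the file for review.
        return [(name, "legacy-ole")]
    if not data.startswith(ZIP_MAGIC):
        return [(name, "other")]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Either signal is enough: the VBA part can be present even when the
            # content type or the extension was edited to look like a plain document.
            if any(p in names for p in VBA_PARTS) or "macroEnabled" in types_xml:
                findings.append((name, "ooxml-macro"))
            else:
                findings.append((name, "ooxml-clean"))
        elif depth >= 2:
            findings.append((name, "zip-too-deep"))   # stop nested-archive recursion
        else:
            for info in zf.infolist():
                if not info.is_dir():
                    findings.extend(
                        classify_attachment(f"{name}/{info.filename}", zf.read(info), depth + 1))
    return findings


if __name__ == "__main__":
    outer = build_outer_zip({"invoice.docm": build_sample_docm(), "memo.docx": build_sample_docx()})
    for path, verdict in classify_attachment("attach.zip", outer):
        print(path, verdict)
```

The check is deliberately independent of the Mark of the Web: it is applied at the mail gateway or in a triage script, so it flags a macro-enabled file even if the download path stripped the zone information before the file reached the user.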
ABOUT THE CYBER THREATS BAROMETER
Malware, zero-day vulnerabilities, advanced persistent threats, particularly targeted industries and sectors, weak signals of emerging attacks... It is no secret that knowing one's adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected during the previous month by Gatewatcher CTI, our Cyber Threat Intelligence platform.
Gatewatcher CTI's automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources across multiple channels: social networks, specialized sites, and the deep and dark web. They make threat information available on average 24 hours ahead of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident-handling times.