September 2022

Cyber threats of the past 30 days as seen by Gatewatcher's CTI analysts

Identified Indicators of Compromise (IOCs)


Identified compromise reports


Highlight of the month

At the early part of August 2022, an increasing number of investigations related to intrusions via Zimbra Collaboration have been noted. Zimbra is a collaborative software suite that manages the email client and server, but also contact management, calendar and document sharing. This suite is available in two versions, one open-source (unaffected), the other commercial version on which these vulnerabilities are focused. Following these investigations, two vulnerabilities have been notified:

CVE-2022-27925 (CVSS: 7.2) concerning a path traversal vulnerability during a mail import (requiring administrator rights) and which can lead to an arbitrary code execution (*authenticated RCE*).

The second vulnerability is the CVE-2022-37042 (CVSS: 9.8) following an incomplete correction of the previous vulnerability leading to an authentication bypass. Here the combination of authentication bypass and writing of arbitrary files allowed to obtain an unauthenticated remote code execution (*unauthenticated RCE*).

The active exploitation of this second vulnerability, which is not limited to any particular actor, has also been confirmed by the Cybersecurity & Infrastructure Security Agency (CISA) which issued an alert. A module has recently been added to the metasploit framework making it even easier to exploit.


common vulnerabilities (CVE)


malware families

Definition of the month

Macros, are a tool to automate actions in Microsoft Office. When used for malicious purposes, they hide in Microsoft Office files and are usually distributed via email attachments or ZIP files. Macros have several uses; for persistence via Normal.dotm, storing executables or commands in hidden columns of Excel files, executing code without user permissions via Excel Workbook. Malicious actors regularly use macros to deploy malware and ransomware. Recently, Microsoft changed the default behavior of Office applications to block macros in files from the Internet. With this change, attackers now have to convince victims to enable macros so that the malicious payload can run. You can protect yourself from this by disabling them and enabling (on Windows 10) Attack Surface Reduction (ASR) rules, to prevent Office apps from creating child processes.


targeted sectors


threats categories

About the cyber threats barometer

Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks…It’s no secret that knowledge of one’s adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by LastInfoSec, Gatewatcher’s Cyber Threat Intelligence (CTI) platform.

LastInfoSec’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.