Internet Storm Center Spotlight


SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Thousands of Zimbra platforms actively targeted with critical vulnerabilities

Description: Security experts are warning that attackers are actively exploiting a vulnerability in the Zimbra digital collaboration platform, and the exploit is circulating in the wild. A range of reports indicate threat actors are using the vulnerabilities, which can provide adversaries with full remote code execution with no authentication needed. Microsoft stated that more than 30,000 instances are believed to be publicly exposed, and the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2022-37042 and CVE-2022-27925 to its list of known exploited vulnerabilities. The vulnerabilities specifically affect Zimbra Collaboration Suite (ZCS) email servers and are similar to other vulnerabilities discovered in 2021 affecting Microsoft Exchange Server. CISA also warned users on Aug. 4 of another ZCS vulnerability, CVE-2022-27924, which was also being exploited in the wild. Federal agencies must patch for CVE-2022-27924 by Aug. 24.

References:

- https://therecord.media/cisa-orders-civilian-agencies-to-patch-zimbra-bug-after-mass-exploitation/

- https://thestack.technology/microsoft-exchange-alternative-zimbra-hacked/

Snort SIDs: 60409, 60410


Title: Exploit available for critical VMware privilege escalation vulnerability

Description: A researcher who discovered two critical vulnerabilities in VMware ONE Workspace Access released proof-of-concept exploit code for one of them. An attacker could exploit CVE-2022-31656 to gain admin privileges on the targeted device. VMware had already released a warning telling users to patch the issue as soon as possible, even before the PoC code was released. Security firm Imperva said it detected attempts to exploit the vulnerability after Aug. 9, when the code went public.

References:

- https://www.vmware.com/security/advisories/VMSA-2022-0021.html

- https://www.imperva.com/blog/what-we-know-about-vmware-cve-2022-31656-and-cve-2022-31659/

Snort SIDs: 60403, 60415

Internet Storm Center Entries


Encrypted messaging app Signal warned users that 1,900 people had their login codes compromised as the result of a recent cyber attack against the Twilio platform.

https://www.theverge.com/2022/8/15/23306949/signal-messaging-app-sms-twilio-data-breach-security-privacy


Instagram and Facebook’s in-app web browsers inject JavaScript code into every site users visit on iOS devices, allowing the host app to view every interaction with external websites.

https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser


The Biden administration has filled three key cybersecurity-related positions, but some industry executives and other officials are unclear about who is responsible for what.

https://www.axios.com/2022/08/16/bidens-three-headed-cybersecurity-team


China suspended a popular health care app in the country for articles it posted debunking COVID-19 misinformation and pushing back against claims the Chinese government is making about various forms of COVID treatment.

https://asia.nikkei.com/Spotlight/Coronavirus/China-suspends-major-platform-that-doubted-Beijing-COVID-policies


The head of Ukraine’s national cybersecurity agency said Russia has committed “cyber war crimes” during, and leading up to, its invasion of Ukraine.

https://www.vice.com/en/article/pkgaqv/head-of-ukraines-cybersecurity-says-russia-has-committed-cyber-war-crimes


Great talks from this year's Black Hat and DEF CON.

https://techcrunch.com/2022/08/15/black-hat-def-con-2022/


The Pentagon tested the security of electric “microgrids” at DEF CON, which revealed several vulnerabilities in the software the technology runs on.

https://www.cyberscoop.com/pentagon-hackers-secure-the-microgrid/


The U.K.’s National Health Service is still dealing with the fallout of a cyber attack on one of its managed service providers.

https://www.bbc.com/news/technology-62506039


A UK water supply system’s corporate network was hit with ransomware earlier this week.

https://threatpost.com/water-supplier-hit-clop-ransomware/180422/

Prevalent Malware Files


COMPILED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5: 93fefc3e88ffb78abb36365fa5cf857c

VirusTotal: https://www.virustotal.com/gui/file/e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934/details

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg


SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c

MD5: a087b2e6ec57b08c0d0750c60f96a74c

VirusTotal: https://www.virustotal.com/gui/file/e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Tool.Kmsauto::1201


SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0

MD5: 8c69830a50fb85d8a794fa46643493b2

VirusTotal: https://www.virustotal.com/gui/file/c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0/details

Typical Filename: AAct.exe

Claimed Product: N/A

Detection Name: PUA.Win.Dropper.Generic::1201


SHA 256: 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7

MD5: 0e4c49327e3be816022a233f844a5731

VirusTotal: https://www.virustotal.com/gui/file/8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7/details

Typical Filename: aact.exe

Claimed Product: AAct x86

Detection Name: PUA.Win.Tool.Kmsauto::in03.talos


SHA 256: 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681

MD5: f1fe671bcefd4630e5ed8b87c9283534

VirusTotal: https://www.virustotal.com/gui/file/58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681/details

Typical Filename: KMSAuto Net.exe

Claimed Product: KMSAuto Net

Detection Name: PUA.Win.Tool.Hackkms::1201