Links
https://www.bleepingcomputer.com/news/security/hackers-exploiting-unpatched-rce-bug-in-zimbra-collaboration-suite/?&web_view=true
https://thehackernews.com/2022/10/new-report-uncovers-emotets-delivery.html
https://thehackernews.com/2022/10/hackers-exploiting-unpatched-rce-flaw.html
https://gizmodo.com/toyota-warns-customers-they-may-get-scam-emails-after-d-1849630698
https://www.bleepingcomputer.com/news/security/city-of-tucson-discloses-data-breach-affecting-over-123-000-people/
Emotet’s Current Tactics
- Emotet
  - June 2014
    - Appeared as a banking trojan
  - 2016
    - All-purpose malware loader (including ransomware)
  - Jan 2021
    - Infrastructure taken down by law enforcement
  - Currently
    - Being run by Mummy Spider (TA542)
- Tactic
  - It’s been around because it’s versatile
    - Uses different attack vectors
    - Can hide for long periods of time
    - Relies on emails with compromised attachments
  - Currently
    - VMware said 3 different attacks observed
      - Excel macro
      - Excel macro with PowerShell
      - Visual Basic for Applications (VBA) with PowerShell
    - Some used mshta.exe to launch a malicious HTA file
    - About ¼ of attacks come in Excel documents
  - LOLBins
    - Popular tactic
    - MSHTA and PowerShell
      - Signed by Microsoft
      - Trusted by Windows
  - March and June 2022
    - Utilizing the Epoch 5 command and control
    - New plugins
      - Designed to capture credit card data from the Google Chrome browser
      - A spreader module that uses the SMB protocol for lateral movement
      - Spamming module
      - Account info stealer for Outlook and Thunderbird
Zimbra’s Unpatched RCE Flaw
- Active exploit (CVE-2022-41352)
  - CVSS 9.8
  - Allows a malicious actor to upload files and perform other actions
  - Part of Zimbra’s antivirus engine (Amavis)
  - Sept 2022
    - No fix yet
    - Admins urged to install the pax utility and restart
    - If the pax package is not installed, Amavis will fall back to using cpio
      - which allows an unauthenticated attacker to create and overwrite files on the Zimbra server
        - including the Zimbra webroot
- Versions
  - 8.15 and 9.0
  - Linux versions affected
    - Oracle Linux 8
    - Red Hat Enterprise Linux 8
    - Rocky Linux 8
    - CentOS 8
  - Exception
    - Ubuntu
      - pax is already installed by default
- Tactic
  - Email an archive file (CPIO or TAR) to a susceptible server
    - which is then inspected by Amavis, using the cpio archiver utility to extract its contents
  - cpio has no mode in which it can be securely used on untrusted files
    - so an attacker can write to any path on the filesystem that the Zimbra user can access
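The cpio path problem described above, as an added example that is not from the article or from Zimbra: a small Python scanner that walks a cpio "newc" archive without extracting it and flags member names that would escape the extraction directory (absolute paths or ".." components), the kind of pre-check a mail gateway could run before handing an attachment to cpio. The archive bytes are constructed inline; the helper cpio_entry and the sample file names are assumptions made here.

```python
import posixpath

CPIO_MAGIC = b"070701"  # cpio "newc" (SVR4, no CRC) header magic

def unsafe_path(name: str) -> bool:
    """True if an archive member name could land outside the extraction directory."""
    if name.startswith(("/", "\\")):
        return True
    return ".." in posixpath.normpath(name).split("/")

def scan_cpio_newc(data: bytes) -> list:
    """Walk a newc cpio archive without extracting it; return unsafe member names."""
    findings, off = [], 0
    while off + 110 <= len(data):
        hdr = data[off:off + 110]           # fixed 110-byte ASCII header
        if hdr[:6] != CPIO_MAGIC:
            raise ValueError("not a newc cpio archive at offset %d" % off)
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]   # namesize counts the NUL
        name = data[off + 110:off + 110 + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":            # end-of-archive marker
            break
        if unsafe_path(name):
            findings.append(name)
        off += (110 + namesize + 3) & ~3    # header + name, padded to 4 bytes
        off += (filesize + 3) & ~3          # file data, padded to 4 bytes
    return findings

# --- constructed sample archive (built here, not a real capture) ---
def cpio_entry(name: str, data: bytes = b"") -> bytes:
    """Encode one newc entry; hypothetical helper used only to build the sample."""
    nb = name.encode() + b"\x00"
    vals = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nb), 0]
    body = CPIO_MAGIC + "".join("%08x" % v for v in vals).encode() + nb
    body += b"\x00" * (-len(body) % 4)
    return body + data + b"\x00" * (-len(data) % 4)

SAMPLE_CPIO = (cpio_entry("report.txt", b"benign")
               + cpio_entry("../../../tmp/escaped.txt", b"x")
               + cpio_entry("/tmp/absolute.txt", b"x")
               + cpio_entry("TRAILER!!!"))

if __name__ == "__main__":
    print(scan_cpio_newc(SAMPLE_CPIO))  # ['../../../tmp/escaped.txt', '/tmp/absolute.txt']
```

A clean result from this check is not a guarantee of safety on its own; the mitigation the advisory gives (install pax so Amavis never falls back to cpio) still applies.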
Toyota Customers prepare for Phishing
- Toyota
  - Customer information leaked
    - 296,000 pieces of customer information leaked
    - Toyota smartphone app
  - Warned customers
    - Risk of phishing/spam emails
- Leak
  - Customers who signed up starting July 2017
    - Using emails
  - Email addresses and customer numbers
  - No sensitive information
    - No names, phone numbers or credit cards
    - Though it can be tied together with other leaks online
  - No current reports of it being used
- Contractor
  - Third-party
  - Accidentally uploaded source code containing the data to a public server
  - No detected access at this time
  - Exposed from Dec 2017 until Sept 2022
City of Tucson discloses data breach
- City of Tucson
  - Data breach
    - Personal information of 123,000 people
      - Names and Social Security numbers, driver’s license or state identification numbers, and passport numbers
- Attack
  - May 17 to May 31
    - May 29: City learned of malicious activity on a user account
  - Aug 4
    - Learned that documents may have been copied
  - Sept 12
    - Review of information concluded and determined the information
  - Sept 23
    - Notification of residents
  - The attacker breached the city’s network
    - Exfiltrated a large number of files with sensitive information
  - None detected so far
    - No use of this information has been detected
  - 12 months of free access to Experian credit monitoring