The Threat Show! 10/14/2022

Robert Wagner
Reading time: 8

As Halloween draws near, cyber ghosts from the past are stirring up plenty of fright among security teams. You’ll want to tune in if you use Microsoft Exchange, Fortinet, or Zimbra. Plus, POLONIUM tries to take everyone’s candy with creepy malware.

This week we’ve got a bonus for you!

We round out our episode with special guest Chris Wilder from TAG Cyber discussing the ethics of critical cybersecurity information disclosure.

Microsoft Exchange servers hacked to deploy LockBit ransomware

(01:23)

You might recall our coverage of the recent Microsoft Exchange zero-day vulnerabilities, which received several rounds of insufficient mitigations. Threat groups continue to take advantage of this vulnerability. One successfully deployed LockBit ransomware onto Exchange servers.

Remediation: With the ongoing nature of this threat, you’ll want to patch your Exchange servers as soon as possible for the best odds of staying safe. Back up your servers as frequently as you can.

CVEs: CVE-2022-21969, CVE-2022-41040, CVE-2022-41082

Malware: LockBit (win.lockbit), LockBit (elf.lockbit)

Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug

(03:56)

Fortinet previously disclosed a critical security vulnerability impacting its firewall and proxy devices. Now they’re warning users of several threat groups actively exploiting this vulnerability, which can let attackers see straight into your production environment.

Remediation: This affects lots of versions and devices, so you’ll want to deploy any patches available to you out of band to protect yourself.

CVEs: CVE-2022-40684

Unpatched Zimbra Flaw Lets Hackers Backdoor Servers

(05:56)

We have yet another email-based threat vector with Zimbra, which has been on our threat radar recently. Zimbra has failed to properly analyze and protect against malicious Java attachments in emails. A user might not even be aware that they have received a bad email. Once an email with a malicious Java attachment arrives, the code is executed, giving the attacker full control of the Zimbra server.

Remediation: You’ll want to patch ASAP. Another way to avoid these attacks is to block Java attachments at the mail server.

CVEs: CVE-2015-1197, CVE-2022-30333, CVE-2022-41352
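The remediation above suggests blocking Java attachments at the mail server. Blocking by file extension alone misses a renamed `.jar`, so the added example below (not code from the show or from Zimbra) inspects each attachment's content as well: the class-file magic number and, for zip containers, a Java manifest or `.class` entries. The extension list, the sample message and the field names are assumptions for illustration.

```python
"""Flag email attachments that look like Java code, regardless of the file name.

Added example, not part of the original show notes or of Zimbra's own code.
Standard library only; the message it scans is constructed in build_sample_message().
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions commonly used for Java deliverables (assumption: tune to your environment).
JAVA_EXTENSIONS = {".jar", ".class", ".jnlp", ".war", ".ear"}
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every compiled Java class file


def looks_like_java(filename: str, payload: bytes) -> Optional[str]:
    """Return a reason string if the attachment is Java-like, else None.

    Checks the declared extension, the class-file magic number, and whether a
    zip container carries a Java manifest or .class entries (a renamed .jar).
    """
    name = (filename or "").lower()
    for ext in sorted(JAVA_EXTENSIONS):
        if name.endswith(ext):
            return f"extension {ext}"
    if payload.startswith(CLASS_MAGIC):
        return "class-file magic bytes"
    if payload.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "zip archive containing Java manifest or class files"
    return None


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 5322 message; return (filename, reason) per Java-like attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reason = looks_like_java(part.get_filename() or "", payload)
        if reason:
            findings.append((part.get_filename() or "<unnamed>", reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a jar renamed to .pdf plus a benign text attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Payload.class", CLASS_MAGIC + b"\x00" * 4)
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment(b"just text", maintype="text", subtype="plain",
                       filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample_message()):
        print(f"flagged {filename}: {reason}")
```

A mail gateway hook or a mailbox sweep can call `scan_message` on each message and quarantine anything it flags; the content checks are what catch the renamed archive that an extension filter lets through.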

POLONIUM Threat Group Targets Israeli Organizations with 'Creepy' Malware

(09:23)

POLONIUM is a Lebanon-based threat group that has been targeting businesses in Israel. They use a unique, previously unknown toolset and malware to carry out large-scale information theft against cloud storage services such as Dropbox, OneDrive, etc. This attack comes in multiple waves, which unfortunately are likely to go unnoticed unless you proactively search for them.

Remediation: In addition to detecting and blocking the malware before it can do any harm, organizations should consider analyzing audit logs for file storage platforms in order to find any large-scale data theft or abnormal volume of downloads that might be taking place.

Malware: POLONIUM, TechnoCreep, FlipCreep, DeepCreep, CreepySnail, MegaCreep, PapaCreep
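The remediation above recommends mining file-storage audit logs for abnormal download volumes. The added example below (not code from the show or from any storage vendor) shows one way to do that: bucket download events per user per hour, then flag buckets that exceed both a fixed floor and a multiple of that user's own median, so a single busy user is compared against their own baseline rather than a global one. The JSON-lines format, field names and thresholds are assumptions; map them to your platform's export.

```python
"""Flag users whose hourly download volume in a cloud storage audit log is abnormal.

Added example, not from the original show notes. Log format, field names and
thresholds are assumptions; the events are constructed in build_sample_log().
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> str:
    """Construct JSON-lines audit events: steady activity for two users, then a burst."""
    lines = []
    base = datetime(2022, 10, 12, 8, 0, 0)
    for hour in range(6):                       # six hours of normal usage
        for user in ("alice", "bob"):
            for i in range(3):                  # three 100 KB downloads per hour each
                ts = base + timedelta(hours=hour, minutes=10 * i)
                lines.append(json.dumps({"ts": ts.strftime(TS_FMT), "user": user,
                                         "action": "download", "bytes": 100_000}))
    burst = base + timedelta(hours=6)
    for i in range(60):                         # one hour in which alice pulls 60 x 5 MB
        ts = burst + timedelta(minutes=i)
        lines.append(json.dumps({"ts": ts.strftime(TS_FMT), "user": "alice",
                                 "action": "download", "bytes": 5_000_000}))
    lines.append(json.dumps({"ts": burst.strftime(TS_FMT), "user": "bob",
                             "action": "upload", "bytes": 1_000}))  # ignored: not a download
    return "\n".join(lines)


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into event dicts with a datetime in the 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        events.append(rec)
    return events


def hourly_download_buckets(events: List[dict]) -> Dict[tuple, dict]:
    """Aggregate download events into {(user, hour_start): {"count": n, "bytes": b}}."""
    buckets = defaultdict(lambda: {"count": 0, "bytes": 0})
    for e in events:
        if e["action"] != "download":
            continue
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        bucket = buckets[(e["user"], hour)]
        bucket["count"] += 1
        bucket["bytes"] += e["bytes"]
    return buckets


def find_abnormal_downloads(events: List[dict], ratio: float = 5.0,
                            min_count: int = 20, min_bytes: int = 50_000_000) -> List[dict]:
    """Flag (user, hour) buckets above the fixed floors AND `ratio` x the user's own median.

    The fixed floors stop tiny baselines (a user who normally downloads nothing)
    from producing alerts on a single file; the ratio catches a real departure
    from that user's habit.
    """
    per_user = defaultdict(list)
    for (user, hour), bucket in hourly_download_buckets(events).items():
        per_user[user].append((hour, bucket))
    alerts = []
    for user, items in per_user.items():
        median_count = statistics.median(b["count"] for _, b in items)
        median_bytes = statistics.median(b["bytes"] for _, b in items)
        for hour, b in sorted(items, key=lambda x: x[0]):
            count_spike = b["count"] >= min_count and b["count"] >= ratio * median_count
            bytes_spike = b["bytes"] >= min_bytes and b["bytes"] >= ratio * median_bytes
            reasons = [name for name, hit in (("count", count_spike), ("bytes", bytes_spike)) if hit]
            if reasons:
                alerts.append({"user": user, "hour": hour.isoformat(),
                               "count": b["count"], "bytes": b["bytes"], "reason": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_abnormal_downloads(parse_events(build_sample_log())):
        print(alert)
```

Run it against a real export by replacing `build_sample_log()` with the file contents; the per-user median needs a few days of history to be meaningful, so feed it the full retention window rather than a single day.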

More Details of macOS Archive Utility Flaw Emerge

(13:35)

Gatekeeper is a built-in security mechanism in macOS, often referred to as a “security speed bump,” that notifies the user when they download a file from an untrusted, potentially dangerous source. Bad actors have been able to bypass this measure by crafting an archive or compressed file that tricks Gatekeeper into thinking it’s a trusted system file. They can then deliver malware without Gatekeeper ever notifying the user that they could be in trouble, and in more extreme cases even gain root-level access to the system.

Remediation: Keep your macOS systems up to date. Don’t wait for the automatic updates, patch ASAP.

CVEs: CVE-2022-32910, CVE-2022-22616