Zimbra exploited: CISA's guidance.

CISA updates its guidelines on mitigating Zimbra vulnerabilities.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has updated its malware analysis report on the exploitation of several vulnerabilities in Zimbra Collaboration Suite (ZCS):

“CISA received a benign 32-bit Windows executable file, a malicious dynamic link library (DLL), and an encrypted file for analysis from an organization where cyber actors exploited vulnerabilities against Zimbra Collaboration Suite (ZCS). Four CVEs are currently exploited against ZCS: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333. The executable file is designed to sideload the malicious DLL file. The DLL is designed to load and decrypt the exclusive OR (XOR) encrypted file. The decrypted file contains a Cobalt Strike Beacon binary. The Cobalt Strike Beacon is a malicious implant on a compromised system that calls back to the command and control (C2) server and checks for additional commands to run on the compromised system.”

CISA provides a list of best practices to help defend against this threat:

  • “Keep anti-virus signatures and engines up to date.
  • “Keep operating system patches up to date.
  • “Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • “Restrict the ability (permissions) of users to install and run unwanted software applications. Do not add users to the local administrators group unless necessary.
  • “Enforce a strong password policy and implement regular password changes.
  • “Be careful when opening email attachments, even if the attachment is expected and the sender appears to be known.
  • “Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • “Disable unnecessary services on agency workstations and servers.
  • “Scan for and remove suspicious attachments from emails; make sure the scanned attachment matches its “true file type” (i.e. the extension matches the file header).
  • “Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • “Be careful when using removable media (e.g. USB sticks, external drives, CDs, etc.).
  • “Analyze all software downloaded from the Internet before running it.
  • “Maintain situational awareness of the latest threats and implement appropriate access control lists (ACLs).”
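Two points in the report come down to looking at file headers: the loader chain (a sideloaded DLL that XOR-decrypts a file into a Cobalt Strike Beacon) and the "true file type" check in the best-practice list. The Python below is an added example, not code from CISA's report or from Zimbra. It recovers a repeating XOR key from an encrypted PE by using the zero-filled reserved fields of the DOS header as known plaintext, and it checks whether a file's extension agrees with its magic bytes. The sample payload, the key, and the magic-byte and extension tables are constructed for the example; the assumptions that the encrypted payload is a PE image and that the key repeats with a period of at most 20 bytes are mine, not the report's.

```python
"""Added example (not CISA's or Zimbra's code) for two points in the report:
recovering the XOR key of a loader's encrypted payload, and checking a file's
"true file type" against its extension. Assumption: the payload is a PE image
encrypted with a repeating XOR key of at most 20 bytes; anything else -> None.
"""
import os
from typing import Optional, Tuple

# Leading magic bytes -> type, and extension -> expected type (constructed tables).
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"PK\x03\x04": "zip",
         b"%PDF": "pdf", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg"}
EXT_TO_TYPE = {".exe": "pe", ".dll": "pe", ".scr": "pe", ".zip": "zip",
               ".docx": "zip", ".jar": "zip", ".pdf": "pdf", ".png": "png",
               ".jpg": "jpeg", ".jpeg": "jpeg"}


def sniff_type(data: bytes) -> str:
    """Type implied by the file header, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_matches(filename: str, data: bytes) -> bool:
    """True only when the header type equals the type expected from the extension.
    Unknown extensions or headers count as a mismatch (fail closed)."""
    expected = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    return expected is not None and sniff_type(data) == expected


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encrypts and decrypts alike."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# DOS-header fields that are zero in practically every PE: e_res (0x1C-0x23)
# and e_res2 (0x28-0x3B). 0 XOR k == k, so the ciphertext there leaks the key.
_ZERO_RUN = range(0x28, 0x3C)    # 20 consecutive bytes: covers keys up to 20 long
_ZERO_CHECK = range(0x1C, 0x24)  # independent cross-check


def recover_xor_key(ct: bytes, max_key_len: int = 20) -> Optional[Tuple[bytes, bytes]]:
    """Shortest repeating XOR key that turns ct into a PE: (key, plaintext) or None."""
    if len(ct) < 0x44:
        return None
    for klen in range(1, max_key_len + 1):
        key = [None] * klen
        for i in _ZERO_RUN:                       # plaintext 0 -> ct[i] == key[i % klen]
            if key[i % klen] is None:
                key[i % klen] = ct[i]
            elif key[i % klen] != ct[i]:
                break                             # repeats don't line up at this length
        else:
            if any(k is None for k in key) or any(ct[i] != key[i % klen] for i in _ZERO_CHECK):
                continue
            kb = bytes(key)
            pt = xor_bytes(ct, kb)
            e_lfanew = int.from_bytes(pt[0x3C:0x40], "little")
            if pt[:2] == b"MZ" and pt[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return kb, pt
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for the Beacon stage: DOS header + PE signature +
    DOS-stub string. It is not a real or runnable executable."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[2:6] = b"\x90\x00\x03\x00"                 # e_cblp, e_cp
    hdr[0x18:0x1A] = b"\x40\x00"                   # e_lfarlc
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew: PE header follows
    stub = b"PE\0\0\x64\x86" + b"\0" * 18 + b"This program cannot be run in DOS mode.\r\n"
    return bytes(hdr) + stub + b"\0" * 32


SAMPLE_KEY = b"\x5a\x13\xc4"                       # constructed key, not from the report
SAMPLE_PLAIN = build_fake_pe()
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)  # what the "encrypted file" looks like


def triage(blob: bytes) -> dict:
    """What an analyst learns from the encrypted file alone."""
    found = recover_xor_key(blob)
    if found is None:
        return {"decrypted": False}
    key, pt = found
    return {"decrypted": True, "key": key.hex(), "type": sniff_type(pt),
            "dos_stub": b"cannot be run in DOS mode" in pt}


if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))                             # key 5a13c4, type pe
    print(extension_matches("invoice.pdf", SAMPLE_PLAIN))  # False: a PE behind a .pdf name
```

If `recover_xor_key` returns None, the payload is probably not a plain repeating-XOR PE (a stream cipher, a per-byte rolling key, or raw shellcode with no DOS header), and the next step is to read the decryption routine out of the sideloaded DLL rather than guess further. The fail-closed `extension_matches` is deliberate: an attachment whose extension the gateway does not recognise should be quarantined, not waved through.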