Weekly Cyber Reports

This Week in Cyber 19th August

Latest news & views from our Cyber Analysts

Written by Team Nucleus

Written on 18th August, 2022


Threat Actors Exploiting Multiple Vulnerabilities Against Zimbra Collaboration Suite

Cyber threat actors are targeting unpatched Zimbra Collaboration Suite (ZCS) instances in both government and private sector networks, CISA has warned. CVEs currently being exploited include CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333. CVE-2022-27924 is a high-severity flaw that allows an unauthenticated malicious actor to inject arbitrary memcache commands into a targeted ZCS instance and overwrite arbitrary cached entries; on exploitation, the actor can steal ZCS email account credentials in cleartext without any user interaction. With valid email account credentials in an organization not enforcing multifactor authentication (MFA), a malicious actor can then mount spear phishing, social engineering and business email compromise (BEC) attacks against the compromised organization, and could use the same credentials to deploy webshells and maintain persistent access. Telesoft MDR for Network customers running affected versions of ZCS have been advised of the mitigation steps to take, and our UK-based Cyber Analysts carried out retrospective network traffic analysis to determine whether any of the affected systems had communicated with the IoCs provided in the CISA advisory.
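The memcache command injection described above belongs to a general class of bug: the memcached text protocol is line-oriented, so an application that embeds untrusted input in a command without rejecting carriage returns and line feeds lets that input terminate the command and append commands of its own. The following is an added illustration of that class written for this post; it is not Zimbra code and does not reproduce the ZCS exploit. The key names, the attacker string and the validation regex are constructed for the example.

```python
import re

CRLF = "\r\n"

# memcached text-protocol keys: 1-250 bytes of printable ASCII, no whitespace or control chars.
_VALID_KEY = re.compile(r"^[\x21-\x7e]{1,250}$")


def build_get_vulnerable(key: str) -> str:
    """Vulnerable pattern: untrusted input is interpolated straight into a command line."""
    return f"get {key}{CRLF}"


def build_get_hardened(key: str) -> str:
    """Hardened pattern: reject any key that could end the line or start a second command."""
    if not _VALID_KEY.match(key):
        raise ValueError(f"rejected memcached key: {key!r}")
    return f"get {key}{CRLF}"


def commands_seen_by_server(wire: str) -> list:
    """Split a request the way a line-oriented memcached server does: one command per CRLF."""
    return [line for line in wire.split(CRLF) if line]


# Constructed attacker input: a "username" that closes the get command and appends a set
# command storing the 6-byte value "hijack" (flags 0, no expiry) under a key the attacker picks.
ATTACKER_INPUT = "alice" + CRLF + "set session:bob 0 0 6" + CRLF + "hijack"


def demo() -> dict:
    """Show what the server parses from the vulnerable builder and that the hardened one refuses."""
    vulnerable = commands_seen_by_server(build_get_vulnerable(ATTACKER_INPUT))
    try:
        build_get_hardened(ATTACKER_INPUT)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {"vulnerable_commands": vulnerable, "hardened_rejected": hardened_rejected}


if __name__ == "__main__":
    print(demo())
```

With the vulnerable builder the server sees three commands rather than one: a harmless `get`, then a `set` that overwrites a cache entry the attacker never had legitimate access to. Validating the key against the protocol's own character set is the check that closes the gap; stripping only `\n` is not enough, since memcached accepts a bare `\n` as a line terminator too.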

Over 9000 VNC servers are online and require no password to access

Virtual Network Computing (VNC) is a graphical desktop-sharing system that uses the Remote Frame Buffer (RFB) protocol to remotely control another computer. It transmits keyboard and mouse input from one computer to another and relays graphical screen updates back over the network. Researchers have discovered at least 9,000 exposed VNC endpoints that can be accessed and used over the public internet without authentication, giving threat actors easy access to internal networks. During the investigation some of these exposed VNC instances were found to be controlling industrial control systems, including HMI interfaces and SCADA. Continual auditing of public-facing IT infrastructure and a comprehensive vulnerability management programme help to reduce a business's attack surface. Telesoft provide a continuous vulnerability assessment service to ensure that your network is secure by identifying, analysing and remediating vulnerabilities across your IT infrastructure.
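Whether a VNC server requires a password is visible before any login attempt: in the RFB handshake the server announces its protocol version, the client echoes one back, and the server then lists the security types it will accept. Security type 1 ("None") means no authentication at all. The following added example, written for this post rather than taken from any VNC project, parses that exchange; the offline sample banners and security-type payloads are constructed, and the `probe()` function only does the version and security-type steps of the handshake, so it should only be pointed at hosts you are authorised to test.

```python
import socket
import struct

# Standard RFB security type numbers (subset).
SECURITY_TYPE_NAMES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_server_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message, e.g. b'RFB 003.008\\n' -> (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].decode("ascii").split(".")
    return int(major), int(minor)


def parse_security_types(version: tuple, payload: bytes) -> list:
    """Return the security types the server offers after the version exchange.

    RFB 3.3: the server dictates a single type as a big-endian U32.
    RFB 3.7/3.8: a U8 count followed by that many U8 types; a count of 0 means the
    server refused the connection and a U32 reason length plus reason string follows.
    """
    if version == (3, 3):
        (sec_type,) = struct.unpack("!I", payload[:4])
        return [sec_type]
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack("!I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    return list(payload[1:1 + count])


def allows_unauthenticated_access(types: list) -> bool:
    """True if a client may select security type 1 (None) and skip authentication."""
    return 1 in types


def describe(types: list) -> list:
    return [SECURITY_TYPE_NAMES.get(t, f"unknown({t})") for t in types]


# Constructed samples: an RFB 3.8 server offering None and VNC Auth, and an RFB 3.3 server
# dictating VNC Auth only.
SAMPLE_38 = (b"RFB 003.008\n", b"\x02\x01\x02")
SAMPLE_33 = (b"RFB 003.003\n", b"\x00\x00\x00\x02")


def classify(banner: bytes, payload: bytes) -> dict:
    """Offline classification of a captured version banner and security-type message."""
    version = parse_server_version(banner)
    types = parse_security_types(version, payload)
    return {"version": version, "types": describe(types), "no_auth": allows_unauthenticated_access(types)}


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Live check: complete the version exchange and read the offered security types."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        version = parse_server_version(banner)
        s.sendall(b"RFB %03d.%03d\n" % version)  # echo the server's own version back
        payload = s.recv(260)  # U8 count plus up to 255 types
    return classify(banner, payload)


if __name__ == "__main__":
    print(classify(*SAMPLE_38))
    print(classify(*SAMPLE_33))
```

Running `classify` over the two samples shows why the headline number is about servers, not passwords: a server that lists type 1 alongside stronger types is still open, because the client picks. An audit of your own ranges should therefore flag any host whose offered list contains `None`, not just hosts that offer nothing else.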

Over a million users installed malicious browser extensions

Browser extensions are generally seen as a positive feature that lets users customise almost every aspect of their browser. Some, such as ad blockers, can improve end-user security by blocking pop-ups and adverts from sites that may not be trusted. However, not every extension is designed to benefit the user, and some threat actors have published extensions that are adware in disguise. Kaspersky released a report stating that '1.3 million users have attempted to install malicious or unwanted web browser extensions at least once'. The most widespread extension identified was an online PDF viewer named 'WebSearch', which did give the user some useful tools but also captured search queries and redirected traffic to earn affiliate income from certain sites. Numerous other extensions are covered in the Kaspersky report, and most of them resulted in query capture or credential harvesting. That users were able to install these extensions at all highlights how important it is that extension installation rights are controlled, for example through browser policy allow-lists, and monitored.
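An extension cannot capture search queries or redirect traffic without asking for the permissions that make this possible, and those requests are declared in its `manifest.json`. The following added triage script, written for this post and not part of Kaspersky's report or any browser project, flags the permission combinations that matter: traffic-observing APIs (`webRequest`, `tabs`, `webNavigation` and similar), blanket host access, and content scripts targeting search engines. The manifest it inspects is constructed, and the extension name, risk thresholds and search-engine list are assumptions for the example.

```python
import json

# Chrome/Chromium API permissions that let an extension observe, block or reroute browsing.
TRAFFIC_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                       "tabs", "webNavigation", "proxy"}
# Match patterns that cover every site.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Search engines whose result pages a query-harvesting extension would target (assumed list).
SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yahoo.")

# Constructed manifest (MV3) for a fictitious "PDF tools" extension; not a real extension.
CONSTRUCTED_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "PDF Tools Helper",
    "version": "1.0",
    "permissions": ["storage", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["*://*.google.com/*", "*://*.bing.com/*"], "js": ["inject.js"]}
    ],
})


def host_patterns(manifest: dict) -> set:
    """Collect host match patterns from MV2 'permissions', MV3 'host_permissions' and content scripts."""
    patterns = set()
    for p in manifest.get("permissions", []) + manifest.get("host_permissions", []):
        if "://" in p or p == "<all_urls>":
            patterns.add(p)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def triage(manifest_json: str) -> dict:
    """Return the review findings for one manifest and a coarse risk label."""
    m = json.loads(manifest_json)
    api_perms = {p for p in m.get("permissions", []) if "://" not in p and p != "<all_urls>"}
    hosts = host_patterns(m)
    findings = []

    traffic = sorted(api_perms & TRAFFIC_PERMISSIONS)
    if traffic:
        findings.append(f"can observe or redirect traffic via {traffic}")
    if hosts & ALL_HOSTS:
        findings.append("requests access to every site")
    search_targets = sorted(h for h in hosts if any(e in h for e in SEARCH_ENGINES))
    if search_targets:
        findings.append(f"injects scripts into search engine pages: {search_targets}")

    # Assumed thresholds: two or more findings together is what a query-stealing adware needs.
    risk = "high" if len(findings) >= 2 else ("review" if findings else "low")
    return {"name": m.get("name"), "findings": findings, "risk": risk}


if __name__ == "__main__":
    print(json.dumps(triage(CONSTRUCTED_MANIFEST), indent=2))
```

None of these permissions is malicious on its own, which is why the script reports combinations: a PDF viewer that needs `tabs` plus `webRequest` plus a content script on every search engine is asking for exactly the access the WebSearch behaviour described above requires. The same check can be run against an enterprise allow-list before an extension is approved.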

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

On Wednesday 17th August Apple released security updates for iOS, iPadOS and macOS to remediate two zero-day vulnerabilities already exploited by threat actors to compromise its devices: CVE-2022-32894, an out-of-bounds write in the kernel that lets an application execute arbitrary code with kernel privileges, and CVE-2022-32893, an out-of-bounds write in WebKit that lets maliciously crafted web content achieve arbitrary code execution. Both vulnerabilities are fixed in iOS 15.6.1, iPadOS 15.6.1 and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
