CISA updates its guidance on mitigating Zimbra vulnerabilities.
Zimbra exploited: advice from CISA.
“CISA received a benign 32-bit Windows executable file, a malicious dynamic-link library (DLL) and an encrypted file for analysis from an organization where cyber actors exploited vulnerabilities against Zimbra Collaboration Suite (ZCS). Four CVEs are currently being leveraged against ZCS: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333. The executable file is designed to side-load the malicious DLL file. The DLL is designed to load and Exclusive OR (XOR) decrypt the encrypted file. The decrypted file contains a Cobalt Strike Beacon binary. The Cobalt Strike Beacon is a malicious implant on a compromised system that calls back to the command and control (C2) server and checks for additional commands to execute on the compromised system.”
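The report describes a loader that XOR-decrypts an encrypted file into a Cobalt Strike Beacon binary. An analyst triaging such a sample usually has the encrypted blob but not the key, and can recover it from the fact that the plaintext is a Windows PE file. The following Python is an added example for this brief, not code from CISA's report, and the "PE" it works on is a constructed stand-in, not a real sample. It goes slightly beyond the report's single case: it brute-forces a single-byte key and also derives a repeating multi-byte key from a known plaintext (the DOS stub string), verifying each candidate by structure rather than by guesswork.

```python
import struct

# --- constructed test data (synthetic, not a real sample) ----------------------
DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\n$"

def build_fake_pe() -> bytes:
    """Build a minimal PE-shaped byte string: DOS header, stub text, PE signature."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)      # e_lfanew -> 0x80
    stub = DOS_STUB_TEXT.ljust(0x80 - 64, b"\x00")     # pad stub region up to 0x80
    pe_header = b"PE\x00\x00" + b"\x4c\x01"            # signature + Machine = i386
    return bytes(dos_header) + stub + pe_header + b"\x00" * 200

# --- triage helpers -------------------------------------------------------------
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse, so this also decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """Structural check: 'MZ' at offset 0 and e_lfanew (0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def recover_single_byte_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) when a PE appears, else None."""
    for k in range(256):
        candidate = xor_bytes(blob, bytes([k]))
        if looks_like_pe(candidate):
            return k, candidate
    return None

def recover_key_known_plaintext(blob: bytes, known: bytes, offset: int, key_len: int):
    """
    Derive a repeating key of length key_len from plaintext known to sit at `offset`
    (for a PE, the DOS stub string is a common choice). Needs len(known) >= key_len.
    Returns (key, plaintext) only if the decrypted blob verifies as a PE, else None.
    """
    if len(known) < key_len or offset + key_len > len(blob):
        return None
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = blob[offset + i] ^ known[i]
    candidate = xor_bytes(blob, bytes(key))
    return (bytes(key), candidate) if looks_like_pe(candidate) else None

if __name__ == "__main__":
    pe = build_fake_pe()
    enc1 = xor_bytes(pe, b"\x5a")                      # constructed single-byte key
    print("single-byte key:", hex(recover_single_byte_key(enc1)[0]))
    enc2 = xor_bytes(pe, b"K3y!")                      # constructed 4-byte key
    print("known-plaintext key:",
          recover_key_known_plaintext(enc2, DOS_STUB_TEXT, 64, 4)[0])
```

The structural check matters more than the XOR itself: a 'MZ' at offset 0 alone yields false positives, but requiring e_lfanew to land on a 'PE\0\0' signature rules almost all of them out. In a real triage the offset of the DOS stub string must be read from a suspected sibling binary or guessed from common linker layouts; it is assumed here at 64 only because the constructed sample puts it there.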
CISA provides a list of best practices to help defend against this threat:
- “Maintain up-to-date antivirus signatures and engines.
- “Keep operating system patches up-to-date.
- “Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- “Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- “Enforce a strong password policy and implement regular password changes.
- “Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- “Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- “Disable unnecessary services on agency workstations and servers.
- “Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- “Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- “Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- “Scan all software downloaded from the Internet prior to executing.
- “Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).”
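One item in the list above, checking that a scanned attachment is its "true file type", is easy to implement and worth more than it looks, because the executable and DLL described in the report would carry an 'MZ' header no matter what name they arrive under. The Python below is an added example for this brief, not CISA's code: it compares a file's claimed extension against a small magic-byte table and reports the case that matters most, a PE header under a document or image extension. The table and the sample headers are constructed for the example.

```python
import os

# Magic-byte table for common attachment types (assembled for this example;
# extend it for the formats your environment actually exchanges).
MAGIC = {
    ".exe":  [b"MZ"],
    ".dll":  [b"MZ"],
    ".pdf":  [b"%PDF-"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif":  [b"GIF87a", b"GIF89a"],
    ".zip":  [b"PK\x03\x04", b"PK\x05\x06"],
    ".docx": [b"PK\x03\x04"],          # OOXML documents are zip containers
    ".xlsx": [b"PK\x03\x04"],
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],   # OLE compound file
    ".xls":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".rtf":  [b"{\\rtf"],
    ".gz":   [b"\x1f\x8b"],
    ".7z":   [b"7z\xbc\xaf\x27\x1c"],
    ".rar":  [b"Rar!\x1a\x07"],
}

def detect_types(header: bytes) -> set:
    """Return every extension whose magic bytes match the start of the header."""
    return {ext for ext, sigs in MAGIC.items() if any(header.startswith(s) for s in sigs)}

def classify_attachment(filename: str, header: bytes) -> str:
    """
    Compare the claimed extension with the file header. Verdicts:
      'match'        extension and header agree
      'masquerading' header is a Windows PE ('MZ') but the name claims something else
      'mismatch'     the name claims a known type and the header is not that type
      'unknown'      the extension is not in the table and the header is not recognised
    """
    ext = os.path.splitext(filename)[1].lower()
    detected = detect_types(header)
    if ext in detected:
        return "match"
    if ".exe" in detected:
        return "masquerading"
    if ext in MAGIC:
        return "mismatch"
    return "unknown"

def read_header(path: str, n: int = 16) -> bytes:
    """Read the first n bytes of a file on disk (enough for every entry in MAGIC)."""
    with open(path, "rb") as fh:
        return fh.read(n)

# Constructed sample attachments: (claimed filename, first bytes of content).
SAMPLES = [
    ("report.pdf",  b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),    # PE under a document name
    ("photo.jpg",   b"\x89PNG\r\n\x1a\n\x00\x00\x00"),  # wrong image type
    ("notes.txt",   b"meeting at 10"),
    ("setup.exe",   b"MZ\x90\x00\x03\x00\x00\x00"),    # honest executable
]

def triage(samples=SAMPLES) -> dict:
    """Classify each sample and return {filename: verdict}."""
    return {name: classify_attachment(name, head) for name, head in samples}

if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:12s} {verdict}")
```

A 'match' on setup.exe only says the name is honest; whether executables are accepted at all is a separate policy decision, as the rest of the CISA list implies. The 'unknown' verdict is deliberately not treated as safe: a type the table does not know should fall through to the full scanner rather than be waved through.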