The use of underscores in DNS records can easily trigger DNS purists into a rage. Since the beginning of (DNS) time, only the letters a-z, numbers, and dashes are allowed in DNS labels (RFC 1035 section 2.3.1). After all, we want to remain compatible with ARPANET.
Monthly Archives: August 2022
PowerShell Extension for Visual Studio Code August 2022 Update
We are excited to announce that the August update to the PowerShell Extension for Visual Studio Code is now available on the extension marketplace.
This release adds a walkthrough experience for getting started with PowerShell in VS Code, more regression tests, a major LSP client library update, and includes a number of bug fixes!
Updates in the August Release
Note that these updates all shipped in our PowerShell Preview Extension for VS Code before shipping in our stable channel.
Some highlights of August releases:
- vscode-powershell #4151 Add
integratedConsole.startInBackgroundto completely hide the terminal.
- vscode-powershell #4080 Create a walkthrough experience for PowerShell. (Thanks @S-Hakim!)
- #⃣ vscode-powershell #4141 Improve language client library close action message.
- PowerShellEditorServices #1892 Add symbols for Pester setup and teardown blocks. (Thanks @fflaten!)
- PowerShellEditorServices #1891 Fix whitespace in Pester symbol and add test. (Thanks @fflaten!)
- PowerShellEditorServices #1887 Fix symbol highlight when hovering function name. (Thanks @fflaten!)
- PowerShellEditorServices #1897 – Add artificial stack frame to represent contexts without one.
- PowerShellEditorServices #1894 – Fix stepping while watch expressions or interactive pipeline is running.
- vscode-powershell #4128 – Update
vscode-languageclientand refactor (a lot of TLC).
- vscode-powershell #3266 – Fix debugger to start language client when necessary.
- vscode-powershell #4120 Remove extraneous
)from the do-while snippet. (Thanks @ncook-hxgn!)
- PowerShellEditorServices #1874 Add end-to-end integration test with Vim.
- vscode-powershell #4112 Fix (and test) regression with PSScriptAnalyzer default rules.
- PowerShellEditorServices #1872 Add regression tests for parse error DiagnosticMarkers. (Thanks @fflaten!)
- PowerShellEditorServices #1869 – Fix duplicate DiagnosticMarkers when reopening a file. (Thanks @fflaten!)
- vscode-powershell #4100 Remove popup when extension updates.
- PowerShellEditorServices #1867 – Add regression test for when
- vscode-powershell #4073 – Fix bug where error in
promptfunction crashed REPL.
For the full list of changes please refer to our changelog.
Getting Started Walkthrough
As a part of this release we have introduced a getting started experience for PowerShell in VS Code. This experience was designed through a series of customer surveys and interviews conducted by our summer intern. The walkthrough can be accessed on the Getting Started page in VS Code, or through the command pallette.
We look forward to getting more feedback on this walkthrough and learning how we can improve it.
LSP Client Library Update
This release also includes a major update to our LSP client library dependency, vscode-languageclient. The extension uses this library to start, connect, and communicate with the LSP server, PowerShell Editor Services.
By incorporating this update in vscode-powershell #4128 we were able to prevent a number of race conditions that could be encountered during startup, as the latest version of this library allows us to register our notification and request handlers before starting the server. The lifecycle management code was also given some much needed attention, and so startup and shut-down is now a more stable experience.
Please note that due to an upstream change, there is now a second notification when the server is stopped. We are working with the upstream team to de-duplicate this popup, and are also contemplating enabling a configurable auto-restart of the server.
Getting Support and Giving Feedback
While we hope the new implementation provides a much better user experience, there are bound to be issues. Please let us know if you run into anything.
If you encounter any issues with the PowerShell Extension in Visual Studio Code or have feature requests, the best place to get support is through our GitHub repository.
Sydney Smith and Andy Jordan PowerShell Team
The post PowerShell Extension for Visual Studio Code August 2022 Update appeared first on PowerShell Team.
Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01, (Sun, Aug 28th)
VMware Skyline Announcements at VMware Explore 2022
Tweet We have several exciting announcements we’re making at VMware Explore that further extend Skyline’s ability to boost customer productivity. Check them out below! Tighter integration and a streamlined Aria Universal Suite Experience (formerly known as vRealize Cloud Universal) Skyline will make it easier for customers to onboard to Aria Universal Suite with a streamlined … Continued
The post VMware Skyline Announcements at VMware Explore 2022 appeared first on VMware Support Insider.
Taking Apart URL Shorteners, (Thu, Aug 25th)
Ever get a "shortened" url (bit.ly, tinyurl.com or whatever) and stress about "clicking that link"? Or worse yet, have that "Oh No" moment after you just clicked it? Or possibly tripped over such a link during IR and have to investigate it? Is there a way to look at the link contents without a sandbox with a packet sniffer (or fiddler or burp or similar)?
Don’t Miss the Skyline Swag Giveaway at VMware Explore US
Tweet Heading to VMware Explore US this year? Come visit us at the Skyline pod in the Cloud Management Performance and Troubleshooting section located in the VMware booth so you can get some of our great swag. We’re offering T-shirts, socks, phone stands and more! (Our product team will also be there with expert advice … Continued
The post Don’t Miss the Skyline Swag Giveaway at VMware Explore US appeared first on VMware Support Insider.
Who's Looking at Your security.txt File?, (Tue, Aug 23rd)
In April 2022, the RFC related to the small file “security.txt” was released. It was already popular for a while, but an RFC is always a good way to “promote” some best practices! If you're unaware of this file, it helps to communicate security contacts (email addresses, phone, …) to people who would like to contact you to report an issue with your website or your organization. This security.txt file was deployed on my websites for a while, and I never really paid attention to its popularity. The ISC also has its one.
32 or 64 bits Malware?, (Mon, Aug 22nd)
Last week, I was teaching FOR610 in Amsterdam. When we review ASM, we have a module about the difference in 32-bits VS. 64-bits code (how parameters are passed to functions/API calls, calling convention, etc). It's important to have an understanding of this because most computers are build around a 64-bits CPU today. But attackers are still deploying a lot of 32-bits malware for compatibility reasons and also because this code can be run without (if you respect Microsoft guidelines and API's) problems. A student asked me if there was a lot of native 64-bits malware in the wild. Is there a real trend? I decided to have a look at a bunch of samples and see practically if this trend was real.
Protected: What’s New in VMware Skyline Advisor Pro: Dashboard Enhancements and Accelerated Email Delivery
There is no excerpt because this is a protected post.
The post Protected: What’s New in VMware Skyline Advisor Pro: Dashboard Enhancements and Accelerated Email Delivery appeared first on VMware Support Insider.
AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
Original release date: August 16, 2022
Actions for ZCS administrators to take today to mitigate malicious cyber activity:
• Patch all systems and prioritize patching known exploited vulnerabilities.
• Deploy detection signatures and hunt for indicators of compromise (IOCs).
• If ZCS was compromised, remediate malicious activity.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. CVEs currently being exploited against ZCS include:
- CVE-2022-27925 chained with CVE-2022-37042
Cyber threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section of this CSA to help secure their organization’s systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations who did not immediately update their ZCS instances upon patch release, or whose ZCS instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of this CSA. Organizations that detect potential compromise should apply the steps in the Incident Response section of this CSA.
Download the PDF version of this report: pdf, 355 kb
CVE-2022-27924 is a high-severity vulnerability enabling an unauthenticated malicious actor to inject arbitrary memcache commands into a targeted ZCS instance and cause an overwrite of arbitrary cached entries. The actor can then steal ZCS email account credentials in cleartext form without any user interaction. With valid email account credentials in an organization not enforcing multifactor authentication (MFA), a malicious actor can use spear phishing, social engineering, and business email compromise (BEC) attacks against the compromised organization. Additionally, malicious actors could use the valid account credentials to open webshells and maintain persistent access.
On March 11, 2022, researchers from SonarSource announced the discovery of this ZCS vulnerability. Zimbra issued fixes for releases 8.8.15 and 9.0 on May 10, 2022. In June 2022, SonarSource publicly released proof-of-concept (POC) exploits for this vulnerability. Based on evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on August 4, 2022. Due to the POC and ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks.
CVE-2022-27925 and CVE-2022-37042
CVE-2022-27925 is a high severity vulnerability in ZCS releases 8.8.15 and 9.0 that have
mboximport functionality to receive a ZIP archive and extract files from it. An authenticated user has the ability to upload arbitrary files to the system thereby leading to directory traversal. On August 10, 2022, researchers from Volexity reported widespread exploitation—against over 1,000 ZCS instances—of CVE-2022-27925 in conjunction with CVE-2022-37042. CISA added both CVEs to the Known Exploited Vulnerabilities Catalog on August 11, 2022.
CVE-2022-37042 is an authentication bypass vulnerability that affects ZCS releases 8.8.15 and 9.0. CVE-2022-37042 could allow an unauthenticated malicious actor access to a vulnerable ZCS instance. According to Zimbra, CVE-2022-37042 is found in the
MailboxImportServlet function. Zimbra issued fixes in late July 2022.
CVE-2022-30333 is a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX allowing a malicious actor to write to files during an extract (unpack) operation. A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email with a malicious RAR file. Upon email receipt, the ZCS server would automatically extract the RAR file to check for spam or malware. Any ZCS instance with
unrar installed is vulnerable to CVE-2022-30333.
Researchers from SonarSource shared details about this vulnerability in June 2022. Zimbra made configuration changes to use the
7zip program instead of
unrar. CISA added CVE-2022-3033 to the Known Exploited Vulnerabilities Catalog on August 9, 2022. Based on industry reporting, a malicious cyber actor is selling a cross-site scripting (XSS) exploit kit for the ZCS vulnerability to CVE 2022 30333. A Metasploit module is also available that creates a RAR file that can be emailed to a ZCS server to exploit CVE-2022-30333.
CVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients running releases before 8.8.15 patch 30 (update 1), which contain a cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files. Researchers from Volexity shared this vulnerability on February 3, 2022, and Zimbra issued a fix on February 4, 2022. CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on February 25, 2022.
Note: CISA and the MS-ISAC will update this section with additional IOCs and signatures as further information becomes available.
CISA recommends administrators, especially at organizations that did not immediately update their ZCS instances upon patch release, to hunt for malicious activity using the following third-party detection signatures:
- Hunt for IOCs including:
- 207.148.76[.]235 – a Cobalt Strike command and control (C2) domain
- Deploy third-party YARA rules to detect malicious activity:
CISA and the MS-ISAC recommend organizations upgrade to the latest ZCS releases as noted on Zimbra Security – News & Alerts and Zimbra Security Advisories.
See Volexity’s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 for mitigation steps.
Additionally, CISA and the MS-ISAC recommend organizations apply the following best practices to reduce risk of compromise:
- Maintain and test an incident response plan.
- Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Note: CISA’s Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations: cisa.gov/cyber-hygiene-services.
- Properly configure and secure internet-facing network devices.
- Do not expose management interfaces to the internet.
- Disable unused or unnecessary network ports and protocols.
- Disable/remove unused network services and devices.
- Adopt zero-trust principles and architecture, including:
- Micro-segmenting networks and functions to limit or block lateral movements.
- Enforcing phishing-resistant multifactor authentication (MFA) for all users and VPN connections.
- Restricting access to trusted devices and users on the networks.
If an organization’s system has been compromised by active or recently active threat actors in their environment, CISA and the MS-ISAC recommend the following initial steps:
- Collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
- Quarantine or take offline potentially affected hosts.
- Reimage compromised hosts.
- Provision new account credentials.
- Report the compromise to CISA via CISA’s 24/7 Operations Center (firstname.lastname@example.org or 888-282-0870). SLTT government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).
See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and the MS-ISAC also encourage government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.
CISA and the MS-ISAC would like to thank Volexity and Secureworks for their contributions to this advisory.
The information in this report is being provided “as is” for informational purposes only. CISA and the MS-ISAC do not provide any warranties of any kind regarding this information. CISA and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
-  Hackers are actively exploiting password-stealing flaw in Zimbra
-  CISA adds Zimbra email vulnerability to its exploited vulnerabilities catalog
-  CVE-2022-27925 detail
-  Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925
-  CVE-2022-37042 detail
-  Authentication bypass in MailboxImportServlet vulnerability
-  CVE-2022-30333 detail
-  UnRAR vulnerability exploited in the wild, likely against Zimbra servers
-  Zimbra Collaboration Kepler 9.0.0 patch 25 GA release
-  Zimbra UnRAR path traversal
-  Operation EmailThief: Active exploitation of zero-day XSS vulnerability in Zimbra
-  Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15
- August 16, 2022: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.