Sysmon v14.0, AccessEnum v1.34, and Coreinfo v3.53

by | Aug 16, 2022 | Technology

This article is contributed. See the original author and article here.


Sysmon v14.0


This major update to Sysmon, an advanced host monitoring tool, adds a new event type, FileBlockExecutable that prevents processes from creating executable files in specified locations. It also includes several performance improvements and bug fixes.

 

AccessEnum v1.34


AccessEnum, a tool for enumerating file system and registry permissions, now supports paths longer than MAX_PATH characters.

 

Coreinfo v3.53


This update to Coreinfo, a utility that reports system CPU, memory and cache topology and information, now handles NUMA nodes with more than 64 processors.

 

Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite

by | Aug 16, 2022 | Security, Technology

This article is contributed. See the original author and article here.

Actions for ZCS administrators to take today to mitigate malicious cyber activity:
• Patch all systems and prioritize patching known exploited vulnerabilities.
• Deploy detection signatures and hunt for indicators of compromise (IOCs).
• If ZCS was compromised, remediate malicious activity.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. CVEs currently being exploited against ZCS include: 

  • CVE-2022-24682 
  • CVE-2022-27924 
  • CVE-2022-27925 chained with CVE-2022-37042 
  • CVE-2022-30333

Cyber threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section of this CSA to help secure their organization’s systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations who did not immediately update their ZCS instances upon patch release, or whose ZCS instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of this CSA. Organizations that detect potential compromise should apply the steps in the Incident Response section of this CSA.

Download the PDF version of this report: pdf, 355 kb

CVE-2022-27924

CVE-2022-27924 is a high-severity vulnerability enabling an unauthenticated malicious actor to inject arbitrary memcache commands into a targeted ZCS instance and cause an overwrite of arbitrary cached entries. The actor can then steal ZCS email account credentials in cleartext form without any user interaction. With valid email account credentials in an organization not enforcing multifactor authentication (MFA), a malicious actor can use spear phishing, social engineering, and business email compromise (BEC) attacks against the compromised organization. Additionally, malicious actors could use the valid account credentials to open webshells and maintain persistent access.

On March 11, 2022, researchers from SonarSource announced the discovery of this ZCS vulnerability. Zimbra issued fixes for releases 8.8.15 and 9.0 on May 10, 2022. In June 2022, SonarSource publicly released proof-of-concept (POC) exploits for this vulnerability.[1][2] Based on evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on August 4, 2022. Due to the POC and ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks.

CVE-2022-27925 and CVE-2022-37042

CVE-2022-27925 is a high severity vulnerability in ZCS releases 8.8.15 and 9.0 that have mboximport functionality to receive a ZIP archive and extract files from it. An authenticated user has the ability to upload arbitrary files to the system thereby leading to directory traversal.[3] On August 10, 2022, researchers from Volexity reported widespread exploitation—against over 1,000 ZCS instances—of CVE-2022-27925 in conjunction with CVE-2022-37042.[4] CISA added both CVEs to the Known Exploited Vulnerabilities Catalog on August 11, 2022. 

CVE-2022-37042 is an authentication bypass vulnerability that affects ZCS releases 8.8.15 and 9.0. CVE-2022-37042 could allow an unauthenticated malicious actor access to a vulnerable ZCS instance. According to Zimbra, CVE-2022-37042 is found in the MailboxImportServlet function.[5][6] Zimbra issued fixes in late July 2022.

CVE-2022-30333

CVE-2022-30333 is a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX allowing a malicious actor to write to files during an extract (unpack) operation. A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email with a malicious RAR file. Upon email receipt, the ZCS server would automatically extract the RAR file to check for spam or malware.[7] Any ZCS instance with unrar installed is vulnerable to CVE-2022-30333.

Researchers from SonarSource shared details about this vulnerability in June 2022.[8] Zimbra made configuration changes to use the 7zip program instead of unrar.[9] CISA added CVE-2022-3033 to the Known Exploited Vulnerabilities Catalog on August 9, 2022. Based on industry reporting, a malicious cyber actor is selling a cross-site scripting (XSS) exploit kit for the ZCS vulnerability to CVE 2022 30333. A Metasploit module is also available that creates a RAR file that can be emailed to a ZCS server to exploit CVE-2022-30333.[10]

CVE-2022-24682

CVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients running releases before 8.8.15 patch 30 (update 1), which contain a cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files. Researchers from Volexity shared this vulnerability on February 3, 2022[11], and Zimbra issued a fix on February 4, 2022.[12] CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on February 25, 2022. 

DETECTION METHODS

Note: CISA and the MS-ISAC will update this section with additional IOCs and signatures as further information becomes available. 
CISA recommends administrators, especially at organizations that did not immediately update their ZCS instances upon patch release, to hunt for malicious activity using the following third-party detection signatures:

  • Hunt for IOCs including:
    • 207.148.76[.]235 – a Cobalt Strike command and control (C2) domain
  • Deploy third-party YARA rules to detect malicious activity:

CISA and the MS-ISAC recommend organizations upgrade to the latest ZCS releases as noted on Zimbra Security – News & Alerts and Zimbra Security Advisories.

See Volexity’s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 for mitigation steps.

Additionally, CISA and the MS-ISAC recommend organizations apply the following best practices to reduce risk of compromise:

  • Maintain and test an incident response plan.
  • Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Note: CISA’s Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations: cisa.gov/cyber-hygiene-services
  • Properly configure and secure internet-facing network devices.
    • Do not expose management interfaces to the internet.
    • Disable unused or unnecessary network ports and protocols.
    • Disable/remove unused network services and devices.
  • Adopt zero-trust principles and architecture, including:
    • Micro-segmenting networks and functions to limit or block lateral movements.
    • Enforcing phishing-resistant multifactor authentication (MFA) for all users and VPN connections.
    • Restricting access to trusted devices and users on the networks.

INCIDENT RESPONSE

If an organization’s system has been compromised by active or recently active threat actors in their environment, CISA and the MS-ISAC recommend the following initial steps:

  1. Collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
  2. Quarantine or take offline potentially affected hosts.
  3. Reimage compromised hosts.
  4. Provision new account credentials.
  5. Report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). SLTT government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and the MS-ISAC also encourage government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response. 

ACKNOWLEDGEMENTS

CISA and the MS-ISAC would like to thank Volexity and Secureworks for their contributions to this advisory.

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA and the MS-ISAC do not provide any warranties of any kind regarding this information. CISA and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

The AI-powered contact center, part 2: Achieve superior self-service voice support

The AI-powered contact center, part 2: Achieve superior self-service voice support

by | Aug 16, 2022 | Dynamics 365, Microsoft 365, Technology

This article is contributed. See the original author and article here.

Many people still prefer to pick up the phone when they want to access customer service. Many others find that the phone is a vital last resort when they fail to get answers in digital channels. Regardless of why people call a contact center, it is essential that the experience is fast, simple, and satisfying.

In the first article in the series, we talked about how the Microsoft Digital Contact Center Platform is an open, extensible, and collaborative platform for delivering seamless, omnichannel customer engagement at scale. In this article, we’ll look at how the Microsoft Digital Contact Center Platform brings together Nuance and Microsoft innovations to help organizations engage customers efficiently and effectively in the voice channelfrom the moment they reach the interactive voice response (IVR) system.

Reimagining the voice channel

Most IVRs make customers navigate a maze of menu options and listen to irrelevant messages because they lack the intelligence to resolve inquiries themselves. They frustrate customers, who have learned to keep pressing ‘0’ or shout “agent!” to reach a human agent who has no knowledge of what happened during the IVR session. That forces the customer to restart their search for a satisfactory resolution. These can be frustratingeven infuriatingcustomer experiences, which can damage brand loyalty.

With a conversational IVR, however, callers can explain their needs in their own words and get answers to questions in a few seconds.

Conversational IVRs use natural language understanding (NLU) to interpret what callers want to accomplish and resolve their issues in a fast, satisfying self-service experience. Of course, some interactions will require a live agent (like complex queries, sensitive issues, or high-value transactions), so AI-powered IVRs route those calls to an available agent with the right skill set.

The best conversational IVRs can recognize thousands of complex instances of customer intent from customers’ natural spoken words, tone, and patterns; dramatically improving the customer experience. For example, when the health insurance company Humana replaced its legacy system with a conversational IVR, its Net Promoter Score (NPS) rose by 80 percent.

Making customer experiences better

Modern IVR solutions give callers intelligent, seamless, conversational self-service experiences that lead to faster resolutions, increased customer satisfaction, and lower service costs.

The most advanced IVR systems can improve customer experiences in many ways. They can offer callers the option to shift to digital experiences such as a virtual assistant or live chat to get faster servicewhile maintaining context throughout the engagement. They can also integrate with call-back management systems, so when wait times are long, the IVR gives customers the option to be called back rather than waiting in line.

On the Microsoft Digital Contact Center Platform, conversational IVRs can create even more value for customersand for organizationsby uniting Microsoft and Nuance innovations. When the IVR escalates an engagement to a live agent, it can hand over the full context of the conversation. The agent desktop can also pull in a unified view of the customer, including previous interactions, purchase history, and more. Agents feel empowered to quickly address queries and issues, increasing their productivity, while the customer feels understood and valued.

Intelligent routing means happier, more loyal agents

Conversational IVRs can handle most routine inquiries and even more complex interactions, increasing call containment and minimizing transfers to agents. When transfers are needed, agents have a clear view of the context of incoming calls and can serve customers more effectively. And because agents are no longer handling routine interactions, they can apply their skills to higher-value, more rewarding engagements, which in turn increases agent experience and loyalty.

For example, at a major global telco, a conversational IVR successfully handles more than 70 percent of the 4 million calls it receives each month, reducing the strain on the organization’s live agents.

On the Microsoft Digital Contact Center Platform, IVRs use intelligent routing to further increase the ability of agents to resolve most incoming calls successfully and swiftly. The real-time data and context from the IVR enhance call handling by intelligently routing callers to the live agent best suited to help, while providing them with the information needed to provide rapid, reliable resolution. That leads to higher customer and agent satisfaction as well as a significant reduction in contact center costs.

Faster, more secure interactions

One of the most valuable developments in modern IVR technology is the addition of biometric authentication. Voice biometrics technology in Nuance Gatekeeper can accurately identify customers (and fraudsters) based on more than 1,000 characteristics of their “voiceprint” using only half a second of their natural speech.

Authenticating callers using voice biometrics increases security (because PINs and passwords can be easily bought or stolen) and eliminates the need for agents to spend time on lengthy, often tedious knowledge-based authentication processes. It also enables deeper level of personalization. By seamlessly authenticating a caller in the IVR with voice biometrics, a conversational IVR can use existing data sources to understand the caller’s relationship with the brand, past history, and other data points to personalize the experience. One of the world’s largest asset managers uses passive voice biometrics to authenticate 79 percent of customers as they speak with its conversational IVR. By automating the caller authentication process, the contact center reduced the average handle time for each call by 82 seconds because agents no longer have to begin every interaction by verifying the caller’s identity.

Intelligent IVR applications for every need

The Microsoft Digital Contact Center Platform makes it easy to build an enterprise-grade, secure, conversational voicebot or FAQ application for the IVR that can handle everything from straightforward queries to complex interactions. What’s more, these applications will be purpose-built to meet specific requirements and business goals.

Organizations can build DIY voicebots in Nuance Mix (more on that in our next article) or call on the expertise of Nuance’s professional services teams, speech scientists, data scientists, and conversational design specialists. And as the Microsoft Digital Contact Center Platform continues to evolve, organizations will be able to build voicebots with Microsoft Power Virtual Agents, then enhance and evolve those bots with Nuance Mix.

Defining the future of voice support together

By bringing together Nuance Conversational IVR and Mix, Microsoft Power Virtual Agents, and Microsoft Dynamics 365 Customer Service, along with Microsoft Azure Communications Services and Azure Cognitive Services, organizations now have a single platform to create innovative customer and agent experiences.

For example, organizations can build bespoke, enterprise-grade applications using highly intelligent call routing capabilities in Dynamics 365; or create smart, personalized, empathetic, and natural IVR and bot applications with Azure Cognitive Services. It is now possible to turn those innovative “what if?” customer service ideas into reality. And, of course, it is all possible while protecting your current investments thanks to backwards compatibility and a clear, disruption-free migration path to any future solutions.

Next steps

Next time, we will dive deeper into how Nuance MixNuance’s conversational AI tooling platformcomplements Microsoft Power Virtual Agents. Until then, learn more about the Microsoft Digital Contact Center Platform and how to create engaging, personalized digital experiences.

The post The AI-powered contact center, part 2: Achieve superior self-service voice support appeared first on Microsoft Dynamics 365 Blog.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.