The email rar attachment contains an exe file: the first malware, which downloads the second. The stolen data is exfiltrated via SMTP.
Critical vulnerability in Horde webmail. Sonar cybersecurity experts: The flaw (CVE-2022-30287) allows an attacker to fully take over an instance as soon as a victim opens an email the attacker sent
Horde webmail application has a critical vulnerability that could allow an attacker to fully take over an instance as soon as a victim opens an email the attacker sent. This has been discovered by Sonar cybersecurity experts. The flaw (CVE-2022-30287) allows an authenticated user of a Horde instance to execute arbitrary code on the underlying server. The vulnerability can be exploited with a single GET request which can be triggered via Cross-Site-Request-Forgery. For this, an attacker can craft a malicious email and include an external image that when rendered exploits the vulnerability without further interaction of a victim: the only requirement is to have a victim open the malicious email. The vulnerability exists in the default configuration and can be exploited with no knowledge of a targeted Horde instance. Another side-effect of the flaw is that the clear-text credentials of the victim triggering the exploit are leaked to the attacker. The adversary could then use them to gain access to even more services of an organization.