Almost 900 servers hacked using Zimbra zero-day flaw

    alf9872000
Almost 900 servers have been hacked using a critical Zimbra Collaboration Suite (ZCS) vulnerability that remained an unpatched zero-day for nearly 1.5 months.

The vulnerability, tracked as CVE-2022-41352, is a remote code execution flaw that lets attackers send an email with a malicious archive attachment that plants a web shell on the ZCS server while bypassing antivirus checks.

According to cybersecurity company Kaspersky, various APT (advanced persistent threat) groups actively exploited the flaw soon after it was reported on the Zimbra forums.

Kaspersky told BleepingComputer that it detected at least 876 servers compromised by sophisticated attackers leveraging the vulnerability before it was widely publicized and received a CVE identifier.

    Under active exploitation

Last week, a Rapid7 report warned of active exploitation of CVE-2022-41352 and urged admins to apply the available workarounds, since no security update was available at the time.

On the same day, a proof of concept (PoC) was added to the Metasploit framework, enabling even low-skilled hackers to launch effective attacks against vulnerable servers.

    Zimbra has since released a security fix with ZCS version 9.0.0 P27, replacing the vulnerable component (cpio) with Pax and removing the weak part that made exploitation possible.

However, exploitation had already picked up pace by then, and numerous threat actors had started launching opportunistic attacks.

Volexity reported yesterday that its analysts had identified approximately 1,600 ZCS servers that they believe were compromised by threat actors leveraging CVE-2022-41352 to plant webshells.

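A small post-patch check a ZCS admin could run, added here as an example (not code from the article, BleepingComputer or Zimbra); it assumes the installed version is passed in as "major.minor.micro Pnn" and uses a constructed sample string:

```sh
#!/bin/sh
# Added example, not code from the article, BleepingComputer or Zimbra.
# The fix described above swapped cpio for pax and shipped in 9.0.0 P27, so
# this checks that pax is on PATH and that the installed release is at or
# beyond 9.0.0 P27. Assumption: versions look like "major.minor.micro Pnn";
# the sample string at the bottom is constructed, not read from a host.

# pax_available: returns 0 if a pax binary is on PATH, 1 otherwise.
pax_available() {
    command -v pax >/dev/null 2>&1
}

# zcs_patched "9.0.0 P27": returns 0 if the release/patch pair is at or
# beyond 9.0.0 P27. Newer releases count as patched; older release lines
# return 1 because the article names only the 9.0.0 P27 fix.
zcs_patched() {
    rel=${1%% *}                      # "9.0.0"
    case $1 in
        *P*) patch=${1##*P} ;;        # "27"
        *)   patch=0 ;;               # no patch level given
    esac
    oldifs=$IFS
    IFS=.
    set -- $rel                       # split into major minor micro
    IFS=$oldifs
    ver=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    if [ "$ver" -gt 9000000 ]; then
        return 0
    fi
    if [ "$ver" -eq 9000000 ] && [ "$patch" -ge 27 ]; then
        return 0
    fi
    return 1
}

# report "<version>": print the result of both checks for the host.
report() {
    if pax_available; then
        echo "pax: present"
    else
        echo "pax: MISSING (the fix replaced cpio with pax)"
    fi
    if zcs_patched "$1"; then
        echo "ZCS $1: at or beyond 9.0.0 P27"
    else
        echo "ZCS $1: below 9.0.0 P27, apply the update or workaround"
    fi
}

report "9.0.0 P26"   # constructed sample; on a real host pass the installed version
```
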
    Used by advanced hacking groups

In private conversations with cybersecurity firm Kaspersky, BleepingComputer was told that an unknown APT leveraging the critical flaw had likely pieced together a working exploit from the information posted to the Zimbra forums.

The first attacks started in September, targeting vulnerable Zimbra servers in India and some in Turkey. This initial wave was likely a test run against low-interest targets to evaluate the effectiveness of the attack.

Even so, Kaspersky assessed that the threat actors compromised 44 servers during this initial wave.

As soon as the vulnerability became public, the threat actors shifted gears and began mass targeting, hoping to compromise as many servers worldwide as possible before admins patched their systems and shut the door on intruders.

This second wave had a greater impact, infecting 832 servers with malicious webshells, although these attacks were more indiscriminate than the earlier ones.

ZCS admins who haven’t applied the available Zimbra security updates or workarounds need to do so immediately, as exploitation activity is in high gear and will likely not stop for some time.