Posted on October 16, 2022 at 3:37 PM
Cybersecurity firm Kaspersky, in a tweet, revealed that 876 servers were compromised in a critical Zimbra Collaboration Suite (ZCS) vulnerability. At the time of the hack, the vulnerability was classified as a zero-day without a patch for more than one month.
The vulnerability is a remote code execution flaw tracked as CVE-2022-41352. According to the researchers at the security firm, the flaw enables threat actors to send an email with a malicious archive attachment that plants a web shell on the ZCS server while evading antivirus checks.
Kaspersky also revealed that various advanced persistent threats (APT) groups exploited the vulnerability shortly after it was reported on the Zimbra forums.
The cybersecurity firm said the 876 servers were being infiltrated by sophisticated hackers before the flaw received a CVE identifier and was widely publicized.
Active Exploitation Of Flaws In Zimbra Collaboration Suite
In a report last week, Rapid7 announced the active, public exploitation of a flaw in Zimbra Collaboration Suite (ZCS), a popular web client and email server, tracked as CVE-2022-41352. The zero-day, with a critical score of 9.8, enables threat actors to upload arbitrary files via the “Amavis” email security system.
If the hackers successfully exploit the vulnerability, it enables them to overwrite the Zimbra webroot, gain access to other users’ accounts, and plant shellcode. The bug was discovered at the beginning of September as a zero-day after administrators posted details of the attacks on Zimbra forums.
According to the report, the bug was caused by insecure usage of the ‘cpio’ archiving utility. cpio has a known bug that enables attackers to create archives that extract to any location on the filesystem accessible to Zimbra.
Zimbra released a security patch for the flaw on September 14 and advised admins to install the Pax portable archiving utility, which replaces the flawed cpio component, and then restart their Zimbra servers.
The company says no additional configuration is needed, since installing Pax will be enough to solve the problem. A proof-of-concept (PoC) exploit has also been published that enables threat actors to create malicious archives with ease.
More worryingly, Rapid7 revealed that a recent test it conducted showed that most Linux distributions supported by Zimbra don’t install Pax by default. This is an additional problem, as those servers remain highly vulnerable to attack.
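The article gives two facts an administrator can act on: 9.0.0 P27 removes the cpio dependency, and on earlier builds the presence of Pax is what keeps Amavis from using cpio. The following triage script is an added example (not from the article, Zimbra or Rapid7) that turns those two facts into a patched / mitigated / vulnerable verdict; it assumes `zmcontrol -v` prints a line ending in “Patch 9.0.0_P<n>”, and covers only the 9.0.0 release line because that is the only one the article names.

```shell
#!/bin/sh
# Added example: triage a ZCS 9.0.0 host against CVE-2022-41352 using the
# article's two statements (9.0.0 P27 is patched; Pax mitigates earlier builds).
# ASSUMPTION: `zmcontrol -v` prints a line like
#   "Release 9.0.0.GA.4258.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P26."

# Extract the numeric patch level (e.g. 26) from a zmcontrol -v line.
# Prints nothing if the line carries no "Patch 9.0.0_P<n>" token.
zcs_patch_level() {
    printf '%s\n' "$1" | sed -n 's/.*Patch 9\.0\.0_P\([0-9][0-9]*\).*/\1/p'
}

# Classify a host: $1 = zmcontrol -v output, $2 = "yes"/"no" for Pax present.
# Prints one of: patched | mitigated | vulnerable | unknown
zcs_cve_2022_41352_status() {
    level=$(zcs_patch_level "$1")
    if [ -z "$level" ]; then
        echo unknown          # not a 9.0.0 build, or unparseable output
        return 0
    fi
    if [ "$level" -ge 27 ]; then
        echo patched          # cpio dependency removed in 9.0.0 P27
    elif [ "$2" = yes ]; then
        echo mitigated        # Pax present, so Amavis does not fall back to cpio
    else
        echo vulnerable       # pre-P27 build and no Pax: cpio is still in use
    fi
}

# Report whether Pax is on PATH (most supported distros lack it by default).
pax_installed() {
    if command -v pax >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Live check when run on a Zimbra host as the zimbra user; falls back to a
# constructed sample line so the script also runs offline.
main() {
    if command -v zmcontrol >/dev/null 2>&1; then
        ver=$(zmcontrol -v 2>/dev/null)
    else
        # constructed sample, not real output from any host
        ver="Release 9.0.0.GA.4258.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P26."
    fi
    pax=$(pax_installed)
    echo "pax installed: $pax"
    echo "CVE-2022-41352 status: $(zcs_cve_2022_41352_status "$ver" "$pax")"
}

main "$@"
```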
At the time, Zimbra urged administrators to apply the necessary precautions, since a patch was not yet available for the vulnerability.
Security Patch For ZCS Version 9.0.0 Released
Zimbra said it has provided a security patch for the flaw in ZCS version 9.0.0 P27. The patch removes the vulnerable component by replacing the flawed cpio with Pax. But before the patch was released, exploitation expanded rapidly as several hackers launched opportunistic attacks.
Yesterday, Volexity reported that its analysts had identified 1,600 ZCS servers they believe were compromised by hackers who leveraged CVE-2022-41352 to plant webshells.
Kaspersky also says an unknown hacking group is taking advantage of the vulnerability, based on details posted to the Zimbra forums. The security company believes the group’s operational methods show that the attacks are carried out by a sophisticated APT gang with advanced tooling.
Meanwhile, the Metasploit framework added a proof-of-concept (PoC) module on the same day, which enabled even inexperienced attackers to successfully launch attacks against susceptible servers.
Admins Have Been Advised To Apply Updates Quickly
The first attacks, which began last month, targeted some Zimbra servers in Turkey and India. These first waves were likely aimed at smaller organizations as a testing ground for a more advanced campaign, the idea being to assess the effectiveness of the attack before launching it in full force. According to Kaspersky, the initial test wave compromised 44 servers.
After the vulnerability was discovered and announced to the public, the hacking group upped their game and started mass targeting. They hoped to infiltrate as many servers as possible before admins applied the patch and closed the window of opportunity.
The second wave was more devastating: it compromised 832 servers and planted malicious webshells. This time, however, the attacks were not as targeted as the previous wave.
Zimbra has advised admins to quickly apply the patches to the vulnerability because the hackers have continued to exploit servers that are not yet updated.