Attackers are exploiting multiple previously disclosed flaws that impact Zimbra's enterprise collaboration software and email platform, warned the Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday. The vulnerabilities can enable various attacks if exploited, including theft of email account credentials.
The advisory, jointly released by CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC), said that government and private sector networks are being targeted and urged organizations to patch all systems, deploy detection signatures and hunt for IoCs.
“CISA and the MS-ISAC encourage organizations who did not immediately update their [Zimbra] instances upon patch release, or whose… instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of this [Cybersecurity Advisory,]” according to the Tuesday advisory.
Among the targeted vulnerabilities are CVE-2022-27925 and CVE-2022-37042, which were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog last week. CVE-2022-27925 is a high-severity flaw in the mboximport functionality of Zimbra’s collaboration suite (ZCS), which could allow an authenticated user to upload arbitrary files to the system in order to achieve remote code execution. When chained with CVE-2022-37042 - an authentication bypass bug in MailboxImportServlet - the flaw becomes more serious, allowing for unauthenticated remote code execution.
Researchers with Volexity found 1,000 ZCS instances around the world that were backdoored and compromised via these chained flaws, including ones that belonged to government departments and ministries, military branches, and global businesses all the way down to “a significant number of small businesses unlikely to have dedicated IT staff to manage their mail servers, and perhaps less likely to be able to effectively detect and remediate an incident.”
“Knowing the paths to which the attacker had installed webshells, and the behavior of ZCS when contacting a URL that did not exist, Volexity performed a scan of ZCS instances in the wild to identify third-party compromises using the same webshell names,” according to Volexity researchers in an analysis last week. “This scan yielded over 1,000 infected ZCS instances worldwide. Bearing in mind that this scan only used shell paths known to Volexity, it is likely that the true number of compromised servers is higher.”
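The scanning approach Volexity describes, a baseline request for a path that cannot exist compared against requests for known webshell paths, as an added example that is not Volexity's or Zimbra's code. The candidate paths, the base URL and the fake server are constructed placeholders for illustration; the real shell paths are not given on this page and must be taken from the advisory's detection section.

```python
"""Compare each candidate webshell path against the server's own 'not found'
behaviour, so a server that answers 200 for missing pages does not produce
false positives. Added example; the paths below are placeholders, not IoCs."""
import secrets
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# A fetcher returns (status_code, body) for a URL. It is injected so the
# decision logic can be exercised offline against a fake server.
Fetcher = Callable[[str], Tuple[int, str]]

# Hypothetical paths for illustration only; substitute the advisory's list.
CANDIDATE_PATHS = [
    "/zimbra/hypothetical-shell-1.jsp",
    "/zimbraAdmin/hypothetical-shell-2.jsp",
]


def _normalise(body: str, path: str) -> str:
    # Error pages usually echo the requested path; strip it so two 'not found'
    # answers for different paths compare equal.
    return body.replace(path, "")


def hunt(base_url: str, fetch: Fetcher, paths: List[str] = CANDIDATE_PATHS) -> List[str]:
    """Return the candidate paths whose response differs from the baseline
    response for a random, certainly nonexistent path under /zimbra/."""
    probe = f"/zimbra/{secrets.token_hex(8)}.jsp"
    status0, body0 = fetch(base_url + probe)
    baseline = (status0, _normalise(body0, probe))
    hits = []
    for path in paths:
        status, body = fetch(base_url + path)
        if (status, _normalise(body, path)) != baseline:
            hits.append(path)
    return hits


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetcher for authorised scans; reads only the first 4 KiB of body."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read(4096).decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode(errors="replace")


def fake_server(url: str) -> Tuple[int, str]:
    """Constructed stand-in for a backdoored server: one shell path answers
    200, every other path gets a 404 page that echoes the path."""
    path = urlsplit(url).path
    if path == "/zimbra/hypothetical-shell-1.jsp":
        return 200, "ok"
    return 404, f"<h1>Not Found</h1><p>{path}</p>"


if __name__ == "__main__":
    print(hunt("https://mail.example.test", fake_server))
```

Swap `fake_server` for `http_fetch` to run it against a server you are authorised to test; the comparison is deliberately per-host, because the 'not found' answer varies between ZCS versions and reverse-proxy configurations.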
CISA also highlighted exploitation efforts against a known high-severity flaw (CVE-2022-27924) that enables an unauthenticated bad actor to inject memcache commands into targeted Zimbra instances, causing an overwrite of arbitrary cached entries. CISA said that the threat actor can then steal Zimbra collaboration suite email account credentials in cleartext form without any user interaction, opening the door to further nefarious activities.
“With valid email account credentials in an organization not enforcing multifactor authentication (MFA), a malicious actor can use spear phishing, social engineering, and business email compromise (BEC) attacks against the compromised organization,” according to the advisory. “Additionally, malicious actors could use the valid account credentials to open webshells and maintain persistent access.”
The flaw was reported in March and fixed in May, but a proof-of-concept exploit was released for the vulnerability in June. Given the public PoC and the ease of exploitation, CISA said it expects to see "widespread exploitation of unpatched ZCS instances in government and private networks."
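The injection mechanism behind the memcache flaw described above, in a minimal form: memcache's text protocol delimits commands with CRLF, so any client-controlled string that is placed into a command line unescaped lets the client end that line and append commands of its own, including a `set` that overwrites a cached entry. This is an added example, not Zimbra's code; the key layout `route:<user>` and the injected value are constructed assumptions, and which field Zimbra placed into the key is not stated on this page.

```python
"""Vulnerable and hardened construction of a memcache 'get' line from a
client-supplied username, plus a tiny reader that shows how many commands a
memcache server would actually see. Added example; key layout is assumed."""
import re
from typing import List, Tuple


def vulnerable_lookup(user: str) -> bytes:
    # Client input is dropped straight into the command line.
    return f"get route:{user}\r\n".encode()


# Memcache keys may not contain spaces or control characters and are limited
# to 250 bytes; this allow-list is stricter than that on purpose.
_SAFE_KEY_PART = re.compile(r"[A-Za-z0-9._@+-]{1,200}")


def hardened_lookup(user: str) -> bytes:
    if not _SAFE_KEY_PART.fullmatch(user):
        raise ValueError("refusing to build a memcache key from unsafe input")
    return f"get route:{user}\r\n".encode()


def parse_commands(wire: bytes) -> List[Tuple[str, str]]:
    """Read a request stream the way a memcache server does: one command per
    CRLF-terminated line, with storage commands followed by one data line."""
    commands = []
    lines = wire.split(b"\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        parts = line.split(b" ")
        commands.append((parts[0].decode(), parts[1].decode()))
        if parts[0] in (b"set", b"add", b"replace"):
            i += 1  # the data block for a storage command occupies the next line
    return commands


# Constructed attacker-controlled username: it closes the 'get' line and
# appends a 'set' that overwrites the cached entry for another user.
# The data block "10.0.0.1:99" is 11 bytes, matching the declared length.
INJECTED_USER = "attacker\r\nset route:victim@example.com 0 0 11\r\n10.0.0.1:99"


if __name__ == "__main__":
    print(parse_commands(vulnerable_lookup(INJECTED_USER)))
    try:
        hardened_lookup(INJECTED_USER)
    except ValueError as err:
        print("hardened:", err)
```

With the vulnerable builder the server sees two commands, a `get` for the attacker's own key and a `set` against the victim's; with the allow-list it sees none, because the request is never built. What an attacker gains from overwriting a given entry depends on what the application does with it, which is why the advisory treats this as a credential-theft issue rather than a cache-corruption nuisance.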
Attackers have also leveraged a medium-severity flaw in the ZCS calendar feature (CVE-2022-24682) that could enable them to steal session cookie files, and a recently patched high-severity directory traversal flaw (CVE-2022-30333) in RARLAB UnRAR for Linux and Unix, used to target Zimbra instances with UnRAR installed. Bad actors can exploit the latter flaw against a Zimbra server by sending an email with a malicious RAR file attached. When the email is received, the server automatically extracts the RAR file to scan it for spam or malware, CISA said.
“Based on industry reporting, a malicious cyber actor is selling a cross-site scripting (XSS) exploit kit for the ZCS vulnerability to CVE-2022-30333,” according to CISA. “A Metasploit module is also available that creates a RAR file that can be emailed to a ZCS server to exploit CVE-2022-30333.”
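Both the mboximport flaw described earlier (an archive import that writes files to arbitrary locations) and the UnRAR flaw described here (a directory traversal during automatic extraction) come down to the same missing check: whether each archive entry, including the target of any symbolic link it declares, stays inside the extraction directory. The following containment check is an added example serving both passages; it is not Zimbra's, UnRAR's or Amavis's code, works lexically on entry names so it runs without touching a filesystem, and the sample entries are constructed.

```python
"""Reject archive entries that would escape the extraction directory, either
directly via '..' or absolute names, or indirectly via a symlink entry whose
target escapes and a later entry written through it. Added example."""
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    name: str                          # path inside the archive
    link_target: Optional[str] = None  # set when the entry is a symbolic link


def _escapes(rel: str) -> bool:
    """Lexical check: does this archive-relative path leave the destination?
    Absolute paths and anything with a drive letter are rejected outright,
    which also rejects the rare legitimate name containing a colon."""
    if rel.startswith(("/", "\\")) or ":" in rel.split("/")[0]:
        return True
    norm = posixpath.normpath(rel.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def check_entries(entries: List[Entry]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (allowed entry names, [(rejected name, reason), ...]).
    Entries are examined in archive order, because a link only matters to the
    entries extracted after it."""
    links: Dict[str, str] = {}  # accepted symlink name -> resolved target
    allowed, rejected = [], []
    for entry in entries:
        if _escapes(entry.name):
            rejected.append((entry.name, "name escapes destination"))
            continue
        name = posixpath.normpath(entry.name.replace("\\", "/"))
        # If a leading component is an accepted symlink, the write really lands
        # at the link's target; substitute it and re-check.
        for link, target in links.items():
            if name == link or name.startswith(link + "/"):
                name = posixpath.normpath(target + name[len(link):])
                break
        if _escapes(name):
            rejected.append((entry.name, "path through symlink escapes destination"))
            continue
        if entry.link_target is not None:
            resolved = posixpath.normpath(
                posixpath.join(posixpath.dirname(name), entry.link_target))
            if entry.link_target.startswith("/") or _escapes(resolved):
                rejected.append((entry.name, f"symlink target escapes: {entry.link_target}"))
                continue
            links[name] = resolved
        allowed.append(entry.name)
    return allowed, rejected


# Constructed archive listing mixing benign entries with the two attack shapes.
SAMPLE = [
    Entry("mailbox/inbox.eml"),
    Entry("../../../opt/zimbra/jetty/webapps/zimbra/shell.jsp"),  # zip-style traversal
    Entry("cal", link_target="../../../../opt/zimbra"),           # escaping symlink
    Entry("cal/x.jsp"),   # safe once the link is refused: 'cal' is then a plain dir
    Entry("shared", link_target="mailbox"),                       # link that stays inside
    Entry("shared/note.txt"),                                      # written via that link
    Entry("/etc/passwd"),                                          # absolute name
]


if __name__ == "__main__":
    ok, bad = check_entries(SAMPLE)
    print("allowed:", ok)
    for name, reason in bad:
        print("rejected:", name, "->", reason)
```

Note that `cal/x.jsp` is allowed only because the escaping `cal` link before it was refused and therefore never created; an extractor that silently skips the link but keeps the directory name gets exactly this behaviour, which is the safe one.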
Organizations can take several steps beyond patching these flaws, including maintaining an incident response program, developing a vulnerability management program, configuring and securing internet-facing network devices, and enforcing measures like multifactor authentication. If organizations are compromised via vulnerable Zimbra instances, CISA recommended they collect and review artifacts such as running processes and services, reimage compromised hosts and provision new account credentials.