Search for your darkweb exposure
Cyble-CRIL
Main Menu
Cyble-Zimbra

Active exploitation of Zimbra Collaborative Suite (ZCS)

Multiple Vulnerabilities Being Exploited By Threat Actors

Over the past few weeks, Cyble Research Labs has observed active exploitation of the Zimbra Collaborative Suite. Threat Actors have been targeting unpatched Zimbra Collaborative Suite (ZCS) instances deployed within state and private organizations.

The recent vulnerabilities impacting ZCS are:

– CVE-2022-27924
– CVE-2022-27925 chained with CVE-2022-37042
– CVE-2022-30333
– CVE-2022-24682

Researchers investigated internet-facing ZCS instances and found over 70,000 exposed instances, as shown in the figure below.

Figure 1- Geographical distribution of Exposed ZCS instances

Note: Not all the exposed assets are affected by these vulnerabilities. However, the scope for finding vulnerable instances is greater due to the high number of exposed assets.

Researchers narrowed their search and found that several exposed ZCS instances are deployed in organizations dealing in critical infrastructure sectors, as shown below. Organizations within the critical sector play a crucial role in the national economy, national security, public health, and safety. An attack on any of these exposed assets of the critical sector organizations can have a devastating impact.

Figure 2 – Exposed ZCS assets of organizations dealing in the critical infrastructure sector

CVE Details

CVE-2022-27924

The Zimbra Collaboration Suite versions 8.8.15 and 9.0 allow unauthenticated attackers to inject arbitrary Memcache commands into a targeted instance, causing an overwrite of arbitrary cached entries. Threat Actors (TA) can then steal ZCS email account credentials in cleartext form without any user interaction.

A malicious actor can use spear phishing, social engineering, and Business Email Compromise (BEC) attacks against a compromised organization using a valid email account. Additionally, attackers can also execute web shells and maintain persistence on the victim’s device.

CVE-2022-27925

CVE-2022-27925 is a high severity vulnerability in ZCS 8.8.15 and 9.0 that utilizes the mboximport functionality to receive a ZIP archive and extract files from it. An authenticated user can upload arbitrary files to the system, resulting in directory traversal.

CVE-2022-37042

CVE-2022-37042 allows an unauthenticated malicious actor to access a vulnerable ZCS instance. According to Zimbra, CVE-2022-37042 is found in the MailboxImportServlet function. When chained with CVE-2022-27925, this vulnerability allows for unauthenticated Remote Code Execution (RCE).

The vulnerability has also been added to the known exploited vulnerability catalog along with CVE-2022-27925 by CISA.

CVE-2022-30333

CVE-2022-30333 is a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX that allows a malicious actor to write to files while extracting (unpacking). A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email containing a malicious RAR file.

Researchers also noticed that the CVE-2022-30333 was being sold on Russian darkweb forums in late July, as shown in Figure 3.

The Threat Actor mentions the prerequisites for exploitation and the prize for selling the exploit. Even though multiple Proof of Concepts, scripts, and a Metasploit module are publicly available for this vulnerability, it is interesting that cybercrime forums are still actively buying and selling exploits for ZCS vulnerabilities.

Figure 3 – TA selling CVE-2022-30333 on darkweb forums

CVE-2022-24682

CVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients; the vulnerable ZCS webmail clients contain cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files.

Conclusion

The details and Proof of Concept for ZCS exploitation are present in the public domain, with a scope of over 70 thousand targets, vastly increasing the chances of a cyber incident occurring. Thus, it is recommended that the organizations using the vulnerable product update them with the recent patches released by the vendor.

Recommendations

  1. Keep ZCS updated with the recent patches released by the official vendor. 
  2. Limit the exposure of critical assets over the internet by implementing proper network segmentation.
  3. Restrict access to trusted users and devices on the internet.
  4. Implement Multi-Factor Authentication.
  5. Regular Vulnerability assessment and PenTesting (VAPT) exercises can help organizations uncover the security weakness within their environment.
  6. Logging and monitoring of assets is important.

Recent Blogs

Evolving Threat Landscape of Hacktivism in Colombia

May 31, 2023

Bl00dy Ransomware Targets Indian University: Actively Exploiting PaperCut Vulnerability

May 30, 2023

PixBankBot: New ATS-Based Malware Poses Threat to the Brazilian Banking Sector

May 30, 2023
Colombia OT Devices Blog
May 31, 2023

CRIL investigates the evolving threat landscape of hacktivism leading to cyberattacks on Colombian Critical Infrastructure and Zero-day Sales by Hacktivists.

Read More »
Bl00dy Ransomware Targets Indian University
May 30, 2023

CRIL analyzes Bl00dy Ransomware’s recent targeting of an Indian University via exploitation of the PaperCut vulnerability.

Read More »
PixBankBlog ATS Blog
May 30, 2023

Cyble analyzes PixBankBot, a new ATS-based malware that targets Brazilian banks through the popular Pix instant payment platform.

Read More »

About Us 


Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint.

Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020.

Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, Dubai and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.  

Scroll to Top