A “Secure Private Business Email & Collaboration” suite from provider Zimbra is being widely exploited in the wild by a range of threat actors using vulnerabilities that give full remote code execution with no authentication needed (pre-auth RCE). Over 30,000 instances are believed to be publicly exposed.
The Zimbra Collaboration suite is used by 200,000+ businesses in 140+ countries. Many use it as a lower cost and open source Microsoft Exchange alternative. It has a large SME and education sector user base but users also include multinationals and some banks. Those that don’t patch regularly should assume compromise.
(The fact that Ukraine's security authority recently warned that its government agencies were getting hit via a Zimbra vulnerability from 2018 suggests that users may not be great on basic hygiene).
Those unable to conduct incident response should look to rebuild their ZCS instance using the latest patch and import mail from the old server to the new server. Alternatively, start by inspecting the Zimbra user's directory (usually /opt/zimbra/) to identify possible webshells and any other evidence of exploitation.
Security firm Volexity has published YARA rules to identify related webshells.
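A starting point for the inspection step above, as an added example that is neither Zimbra's nor Volexity's code: a triage script that walks a ZCS install tree and flags JSP files that both read request data and spawn a process, which is a common webshell shape. It assumes the JSP webapps live somewhere under /opt/zimbra, uses constructed heuristics rather than Volexity's YARA rules, and takes the end-of-May 2022 patch deadline from the article as the cutoff date for "recently modified".

```python
import os
import re
from datetime import datetime, timezone

# Heuristics constructed for this example (not Volexity's YARA rules): a JSP
# that both reads attacker-controlled request data and spawns a process.
EXEC_RE = re.compile(rb"Runtime\.getRuntime\(\)\.exec|new\s+ProcessBuilder")
INPUT_RE = re.compile(rb"request\.getParameter|request\.getHeader")
JSP_EXT = (".jsp", ".jspx")

# Assumption taken from the article: patches 8.8.15P31 / 9.0.0P24 were due by
# the end of May 2022, so a shell dropped after that date is the expected case.
PATCH_CUTOFF = datetime(2022, 5, 31, tzinfo=timezone.utc)


def is_suspicious_jsp(data: bytes) -> bool:
    """Either pattern alone is common in legitimate code; both together are not."""
    return bool(EXEC_RE.search(data) and INPUT_RE.search(data))


def hunt_webshells(root: str, cutoff: datetime = PATCH_CUTOFF) -> list:
    """Walk `root` (e.g. /opt/zimbra) and return one dict per JSP file that
    matches the heuristic, with its mtime and whether it is newer than `cutoff`."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(JSP_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if not is_suspicious_jsp(fh.read()):
                    continue
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            findings.append({"path": path, "mtime": mtime, "after_cutoff": mtime > cutoff})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    for f in hunt_webshells(sys.argv[1] if len(sys.argv) > 1 else "/opt/zimbra"):
        flag = "NEW" if f["after_cutoff"] else "old"
        print(flag, f["mtime"].isoformat(), f["path"])
```

Treat a hit as a lead to confirm by hand (and against the published YARA rules), not as proof of compromise; an attacker who timestomps the file defeats the date check but not the content check.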
The initial vulnerability, patched by Zimbra in March 2022 and allocated CVE-2022-27925, gave RCE, but the original vulnerability description clearly stated that exploitation required valid administrator credentials.
When security firm and memory forensics specialist Volexity started seeing “multiple incidents where the victim organization experienced serious breaches to their Zimbra Collaboration Suite (ZCS) email servers” it investigated further and found a way to exploit the vulnerability without an authenticated administrative session – something a wealth of threat actors also appear to have spotted and abused over the summer.
“Volexity believes this vulnerability was exploited in a manner consistent with what it saw with Microsoft Exchange 0-day vulnerabilities it discovered in early 2021. Initially it was exploited by espionage-oriented threat actors, but was later picked up by other threat actors and used in mass-exploitation attempts” the US-based company said in a recent blog, saying its scans have found over 1,000 ZCS instances around the world that have been backdoored, belonging to “a variety of global organizations, including government departments and ministries; military branches; worldwide businesses with billions of dollars of revenue…”
(Knowing the paths to which the attacker had installed webshells, and the behaviour of ZCS when contacting a URL that did not exist, it scanned ZCS instances to spot compromises using the same webshell names.)
“Volexity notified Zimbra of the authentication issue with this endpoint and its impact on the original CVE-2022-27925. Zimbra has patched the authentication issue in its 9.0.0P26 and 8.8.15P33 releases”.
The company added: “If your organization runs ZCS and did not apply patches 8.8.15P31 or 9.0.0P24 before the end of May 2022, you should consider your ZCS instance may be compromised (and thus all data on it, including email content, may be stolen) and perform a full analysis of the server.”