Over 900 Servers were Hacked by Taking Advantage of a Zimbra Zero-Day Flaw

Nearly 900 servers have been hacked using a critical Zimbra Collaboration Suite (ZCS) vulnerability. This was a zero-day without a patch for almost 1.5 months, causing significant damage.

The vulnerability tracked as CVE-2022-41352 is a remote code execution flaw that allows attackers to bypass antivirus checks by sending an email with a malicious archive attachment containing a web shell in the ZCS server.

The cybersecurity company Kaspersky reports that multiple APT (advanced persistent threat) groups jumped on the opportunity to exploit the flaw soon after it was discovered on Zimbra forums.

Before the CVE identifier was widely publicized, Kaspersky informed that they had already detected at least 876 servers being compromised by sophisticated attackers taking advantage of the vulnerability.

During active exploitation

Last week, Rapid7 released a report explaining the active exploitation of CVE-2022-41352 and advised admins to apply available workarounds as there was no security update available then.

On the same day, a proof of concept (PoC) was added to the Metasploit framework, making it easier for anyone- even those with little hacking experience- to launch successful attacks against vulnerable servers.

Zimbra released a security fix with ZCS version 9.0.0 P27, which replaces the vulnerable component (cpio) with Pax and removes the weak part that made exploitation possible. However, the cyber-attacks had already accelerated by then, and many threat actors had already started launching opportunistic attacks.

Volexity’s analysts found that around 1,600 ZCS servers had been infiltrated by malicious actors who used CVE-2022-41352 to place web shells.

Used by advanced hacking groups

In a conversation with cybersecurity firm Kaspersky stated that an unknown APT (Advanced Persistent Threat) group had likely exploited a critical flaw based on information posted to the Zimbra forums.

The first attacks began in September and were executed against susceptible Zimbra servers in India and Turkey. These initial assaults might have been a trial wave against low-priority targets to assess the potency of the attack. However, during this initial wave, Kaspersky found that the threat actors had compromised 44 servers.

The moment the security flaw was announced to the public, hackers turned their attention to large-scale targeting in an attempt to take over as many servers worldwide as possible before system administrators could apply fixes and block them from access.

The second wave was more intense, leading to 832 servers being infected with web shells. These attacks were more random than the previous ones, though.

ZCS admins who have not applied available Zimbra security updates or workarounds should do so immediately, as there is a high amount of exploitation activity, and it will probably not stop anytime soon.