Almost 900 servers have been hacked using a critical Zimbra Collaboration Suite (ZCS) vulnerability, which at the time was a zero-day without a patch for nearly 1.5 months.
The vulnerability tracked as CVE-2022-41352 is a remote code execution flaw that allows attackers to send an email with a malicious archive attachment that plants a web shell in the ZCS server while, at the same time, bypassing antivirus checks.
According to the cybersecurity company Kaspersky, various APT (advanced persistent threat) groups actively exploited the flaw soon after it was reported on the Zimbra forums.
Kaspersky told BleepingComputer that they detected at least 876 servers being compromised by sophisticated attackers leveraging the vulnerability before it was widely publicized and received a CVE identifier.
Under active exploitation
Last week, a Rapid7 report warned about the active exploitation of CVE-2022-41352 and urged admins to apply the available workarounds since a security update wasn’t available then.
On the same day, a proof of concept (PoC) was added to the Metasploit framework, enabling even low-skilled hackers to launch effective attacks against vulnerable servers.
Zimbra has since released a security fix with ZCS version 9.0.0 P27, replacing the vulnerable component (cpio) with Pax and removing the weak part that made exploitation possible.
However, the exploitation had picked up the pace by then, and numerous threat actors had already started launching opportunistic attacks.
Volexity reported yesterday that its analysts had identified approximately 1,600 ZCS servers that they believe were compromised by threat actors leveraging CVE-2022-41352 to plant webshells.
Used by advanced hacking groups
In private conversations with cybersecurity firm Kaspersky, BleepingComputer was told that an unknown APT leveraging the critical flaw had likely pieced together a working exploit based on the information posted to the Zimbra forums.
The first attacks started in September, targeting vulnerable Zimbra servers in India and some in Turkey. This initial wave of attacks was likely a testing wave against low-interest targets to evaluate the effectiveness of the attack.
However, Kaspersky assessed that the threat actors compromised 44 servers during this initial wave.
As soon as the vulnerability became public, the threat actors shifted gears and began to perform mass targeting, hoping to compromise as many servers worldwide as possible before admins patched the systems and shut the door to intruders.
This second wave had a greater impact, infecting 832 servers with malicious webshells, although these attacks were more random than the previous attacks.
ZCS admins who haven’t applied the available Zimbra security updates or the workarounds need to do so immediately, as exploitation activity is in high gear and will likely not stop for some time.
