Zimbra Collaboration Suite carried a zero-day vulnerability for more than a month, presenting hackers with a real field day that resulted in almost 900 servers being hacked.
Researchers at Kaspersky noted the vulnerability being reported on the Zimbra forum, after which all kinds of advanced persistent threat (APT) groups leveraged it to compromise countless servers.
Kaspersky labeled the flaw as a remote code execution vulnerability that allows threat actors to send an email with a malicious file that deploys a webshell in the Zimbra server without triggering an antivirus alarm. It is now tracked as CVE-2022-41352. Some researchers claim as many as 1,600 servers were actually compromised, as a result.
The researchers later said at least 876 servers were compromised before a workaround was shared, and a patch was issued. However, almost two months after the initial report, and just as Zimbra was set to release a fix, Volexity said it counted some 1,600 compromised servers.
Zimbra then released the patch, bringing its collaboration suite up to version 9.0.0 P27. In it, the company replaced the flawed component (cpio) with Pax, and removed the exploitable code.
The first attacks started in September 2022, targeting servers in India and Turkey. The first raids were done against “low-interest” targets, prompting researchers to conclude that hackers were merely testing out the flaw’s capabilities, before moving on to more lucrative targets. However, after the public disclosure of the vulnerability, threat actors picked up the pace, in order to use it as much as possible, before Zimbra issues a patch.
System admins who are unable to apply the patch immediately are urged to at least aim to install for the workaround, as the number of threat actors actively exploiting the vulnerability in the wild is still high.
- These are the best ransomware protection services out there