Cyber attackers exploiting unpatched ZCS instances across federal, private sectors


The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released Tuesday a joint Cybersecurity Advisory (CSA) concerning the active exploitation of multiple vulnerabilities against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. Cyber threat actors may also target unpatched ZCS instances across government and private sector networks.

The guidance disclosed that the multiple Common Vulnerabilities and Exposures (CVEs) being exploited against the collaboration software and email platform include CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333.

It also includes recommendations from CISA for administrators, especially at organizations that did not immediately update their ZCS instances upon patch release. Such organizations must also hunt for malicious activity, using third-party detection signatures to look for indicators of compromise (IOCs) and deploying third-party YARA rules to detect malicious activity.

Some of the measures laid down included encouraging those organizations who did not immediately update their ZCS instances upon patch release or whose ZCS instances were exposed to the internet to assume compromise and hunt for malicious activity. Furthermore, ZCS administrators could mitigate malicious cyber activity by patching all systems and prioritizing patching known exploited vulnerabilities, deploying detection signatures, and hunting for indicators of compromise (IOCs). 

Last April, U.S. intelligence agencies disclosed ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The summary added that the SVR has exploited and continues to exploit software vulnerabilities to gain initial footholds into victim devices and networks, including equipment and software from Fortinet, Zimbra, Pulse Secure, Citrix, and VMware.

The advisory said that the CVE-2022-27924 is a high-severity vulnerability enabling an unauthenticated malicious hacker to inject arbitrary ‘memcache’ commands into a targeted ZCS instance and cause an overwrite of arbitrary cached entries. “The actor can then steal ZCS email account credentials in cleartext form without any user interaction.” 

With valid email account credentials in an organization not enforcing multifactor authentication (MFA), the advisory said that a malicious hacker could use spear phishing, social engineering, and business email compromise (BEC) attacks against the compromised organization. Additionally, hackers could use valid account credentials to open webshells and maintain persistent access.

The advisory said that on Mar. 11, this year, researchers from SonarSource announced the discovery of this ZCS vulnerability. Zimbra issued fixes for releases 8.8.15 and 9.0 on May 10, 2022. Additionally, SonarSource publicly released proof-of-concept (POC) exploits for this vulnerability in June. “Based on evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on August 4, 2022. Due to the POC and ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks,” the advisory added.

The advisory said that CVE-2022-27925 is a high-severity vulnerability in ZCS releases 8.8.15 and 9.0, which have ‘mboximport’ functionality that receives a ZIP archive and extracts files from it. “An authenticated user has the ability to upload arbitrary files to the system, thereby leading to directory traversal. On August 10, 2022, researchers from Volexity reported widespread exploitation – against over 1,000 ZCS instances – of CVE-2022-27925 in conjunction with CVE-2022-37042. CISA added both CVEs to the Known Exploited Vulnerabilities Catalog on August 11, 2022,” it added.

The advisory said CVE-2022-37042 is an authentication bypass vulnerability that affects ZCS releases. CVE-2022-37042 could allow unauthenticated malicious hackers access to vulnerable ZCS instances. Zimbra issued fixes late last month. 

The CSA advisory covers the CVE-2022-30333, a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and Unix that allows a hacker to write to files during an extract (unpack) operation. “A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email with a malicious RAR file. Upon email receipt, the ZCS server would automatically extract the RAR file to check for spam or malware. Any ZCS instance with ‘unrar’ installed is vulnerable to CVE-2022-30333,” it added.

The advisory said that SonarSource researchers shared details about this vulnerability in June. “Zimbra made configuration changes to use the ‘7zip’ program instead of ‘unrar.’ CISA added CVE-2022-30333 to the Known Exploited Vulnerabilities Catalog on August 9, 2022. Based on industry reporting, a malicious cyber actor sells a cross-site scripting (XSS) exploit kit for the ZCS vulnerability to CVE-2022-30333. A Metasploit module is also available that creates a RAR file that can be emailed to a ZCS server to exploit CVE-2022-30333,” it added.
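Both CVE-2022-27925 (the ‘mboximport’ ZIP handling) and CVE-2022-30333 (UnRAR on Linux/Unix) belong to the same defect class: an archive member's path is trusted during extraction and ends up writing outside the intended directory. The following Python example is added here to illustrate the defensive check for that class; it is not code from the advisory, from Zimbra, or from RARLAB. The function names (`is_safe_member`, `safe_extract`, `build_sample_archive`, `run_demo`) and the sample archive contents are constructed for the illustration, and the example uses ZIP rather than RAR because Python's standard library can build one offline.

```python
"""Extraction with destination-path validation (added example, not vendor code).

Every archive member is resolved against the destination directory before
anything is written; members that would land outside it are skipped and
reported. Because Path.resolve() follows symlinks already present on disk,
a member whose path passes through a symlink pointing outside the
destination is rejected as well.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if member_name resolves to a location inside dest_dir."""
    # Absolute paths (POSIX or Windows drive form) are never acceptable.
    if member_name.startswith(("/", "\\")):
        return False
    if len(member_name) > 1 and member_name[1] == ":":
        return False
    dest = Path(dest_dir).resolve()
    # resolve() normalises '..' segments and follows existing symlinks.
    target = (dest / member_name).resolve()
    try:
        target.relative_to(dest)
    except ValueError:
        return False
    return True


def safe_extract(archive_bytes: bytes, dest_dir: str) -> dict:
    """Extract a ZIP held in memory, skipping members that escape dest_dir."""
    extracted, rejected = [], []
    os.makedirs(dest_dir, exist_ok=True)
    root = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            target = root / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return {"extracted": extracted, "rejected": rejected}


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mailbox/inbox.eml", "Subject: hello\n")
        zf.writestr("../../outside.txt", "would escape via '..'")
        zf.writestr("/abs/path.txt", "would escape via absolute path")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the constructed archive into a fresh temp dir and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        result = safe_extract(build_sample_archive(), tmp)
        result["inbox_present"] = (Path(tmp) / "mailbox" / "inbox.eml").is_file()
        return result


if __name__ == "__main__":
    print(run_demo())
```

The point of the check is that validation happens against the resolved destination, not against the raw member string: stripping `../` textually would miss a member that traverses through a symlink created earlier in the same archive, which is the pattern behind the UnRAR issue.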

The last vulnerability covered in the joint CSA includes the CVE-2022-24682. This medium-severity vulnerability impacts ZCS webmail clients running releases before 8.8.15 patch 30, which contains a cross-site scripting (XSS) vulnerability allowing malicious hackers to steal session cookie files. Although researchers from Volexity shared this vulnerability on Feb. 3 this year, and Zimbra issued a fix on Feb. 4, CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog later that month. 

The advisory called upon organizations to maintain and test an incident response plan, ensure a vulnerability management program is in place, and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Furthermore, they must properly configure and secure internet-facing network devices without exposing management interfaces to the internet.

The advisory recommended adopting zero-trust principles and architecture, including micro-segmenting networks and functions to limit or block lateral movements. Organizations can also enforce phishing-resistant MFA for all users and VPN connections while restricting access to trusted devices and users on the networks.

Earlier this year, U.S. security agencies provided an overview of Russian state-sponsored cyber operations, with their commonly observed tactics, techniques, and procedures (TTPs), detection actions, incident response guidance, and mitigations. At the time, the agencies said that vulnerabilities known to be exploited by Russian state-sponsored APT adversaries for initial access affected FortiGate VPNs, Cisco routers, Oracle WebLogic Server, Kibana, Zimbra software, Exim Simple Mail Transfer Protocol, Pulse Secure, Citrix, Microsoft Exchange, VMware, F5 Big-IP, and Oracle WebLogic.
