More than 900 servers were hacked thanks to Zimbra zero-day
Zimbra Collaboration Suite carried an unpatched zero-day vulnerability for more than a month, giving attackers a field day and leaving nearly 900 servers compromised.
Researchers at Kaspersky noted that once the vulnerability was reported on the Zimbra forum, all kinds of advanced persistent threat (APT) groups took advantage of it to infiltrate countless servers.
Kaspersky classifies the flaw as a remote code execution vulnerability: a threat actor sends an email carrying a malicious file, which is used to deploy a webshell on the Zimbra server without triggering an antivirus warning. It is tracked as CVE-2022-41352. Some researchers say as many as 1,600 servers were actually compromised.
Cpio retired
Researchers later said at least 876 servers were compromised before a workaround was shared and a patch was issued. However, nearly two months after the initial report, and just as Zimbra was set to release a fix, Volexity said it counted about 1,600 compromised servers.
Zimbra then released the patch, which brought Zimbra Collaboration up to version 9.0.0 P27. In it, the company replaced the faulty component (cpio) with pax and removed the exploitable code.
The first attacks began in September 2022, targeting servers in India and Turkey. They were carried out against "low-interest" targets, leading the researchers to conclude that the hackers were only testing the vulnerability's capabilities before moving on to more lucrative targets. Once the vulnerability was made public, however, threat actors rushed to exploit it as widely as possible before Zimbra released the patch.
System administrators who cannot apply the patch immediately are encouraged to at least apply the workaround to their installation, since the number of threat actors actively exploiting the vulnerability remains high.
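A defender-side check, added here as an example and not taken from the article, from Zimbra or from the researchers it cites: the POSIX shell script below parses the version line printed by Zimbra's own `zmcontrol -v` to tell whether a host is on the 9.0.0 line at P27 or later, and checks whether a pax binary is present. The pax check reflects Zimbra's interim workaround of installing pax so that the mail pipeline no longer falls back to cpio; that detail comes from Zimbra's advisory rather than this article. The function names, the assumed `Patch 9.0.0_PNN.` suffix in the version line and the P27 threshold are the script's own assumptions; it deliberately reports nothing for other release lines, whose fixed patch levels it does not know.

```shell
#!/bin/sh
# Added example (not from the article or from Zimbra).
# Checks a Zimbra host against the CVE-2022-41352 fix described in the article:
#   1. `zmcontrol -v` reports 9.0.0 at patch level P27 or later
#   2. a pax binary is installed (interim workaround so cpio is not used)
# Assumed format of the version line: "... Patch 9.0.0_PNN."
# Only the 9.0.0 release line is understood; others yield no patch level.

MIN_PATCH_900=27   # 9.0.0 P27 is the patched build named in the article

# Print NN from a line ending in "Patch 9.0.0_PNN."; print nothing otherwise.
patch_level_900() {
    printf '%s\n' "$1" | sed -n 's/.*Patch 9\.0\.0_P\([0-9][0-9]*\).*/\1/p'
}

# Succeed (status 0) when the version line is 9.0.0 at P27 or later.
version_is_patched() {
    lvl=$(patch_level_900 "$1")
    [ -n "$lvl" ] && [ "$lvl" -ge "$MIN_PATCH_900" ]
}

# Succeed when a pax binary is on PATH (the workaround component).
pax_installed() {
    command -v pax >/dev/null 2>&1
}

# Classify a host from its version line ($1) and pax presence ($2 = yes|no):
# "patched", "workaround-only" (unpatched but pax present) or "exposed".
classify() {
    if version_is_patched "$1"; then
        echo patched
    elif [ "$2" = yes ]; then
        echo workaround-only
    else
        echo exposed
    fi
}

# Live check of this host. zmcontrol lives under /opt/zimbra/bin, so run this
# as the zimbra user:  sh zimbra_cve_2022_41352_check.sh --live
check_host() {
    ver=$(zmcontrol -v 2>/dev/null)
    if pax_installed; then pax=yes; else pax=no; fi
    state=$(classify "$ver" "$pax")
    echo "version:     ${ver:-unknown}"
    echo "pax present: $pax"
    echo "state:       $state"
    [ "$state" = patched ]   # non-zero exit unless fully patched
}

if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Sourcing the file without `--live` only defines the functions, so `classify` can be run over version strings collected from a fleet (for example, the output of `zmcontrol -v` gathered by a configuration management tool) without executing anything on the collecting host.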
Via: BleepingComputer