Zimbra Collaboration Suite carried an unpatched zero-day for more than a month, giving attackers a free run that left nearly 900 servers compromised.
Kaspersky researchers picked up on a vulnerability first reported on the Zimbra forum; multiple Advanced Persistent Threat (APT) groups then used it to take over a large number of servers.
Kaspersky describes the flaw as a remote code execution vulnerability: an attacker sends an email carrying a malicious attachment, and processing that attachment plants a web shell on the Zimbra server without triggering an antivirus alert. It is now tracked as CVE-2022-41352. Some researchers put the number of compromised servers as high as 1,600.
Retiring cpio
Researchers later stated that at least 876 servers had been compromised before a workaround was made available and a patch released. However, nearly two months after the initial report, around the time Zimbra was due to ship a fix, Volexity said it counted roughly 1,600 affected servers.
Zimbra then released the fix in Zimbra Collaboration Suite 9.0.0 Patch 27 (P27). In it, the company replaced the faulty component (cpio) with pax and removed the vulnerable code path that depended on cpio.
The first attacks began in September 2022 and targeted servers in India and Turkey. Those early intrusions hit "low-interest" targets, leading researchers to conclude that the attackers were only testing the vulnerability before moving on to more lucrative victims. Once the vulnerability was publicly disclosed, however, attackers stepped up the pace to exploit it as widely as possible before Zimbra could ship a patch.
System administrators who cannot apply the patch immediately should at least apply the workaround (making sure the pax utility is installed so that the mail scanner no longer falls back to cpio), because the number of attackers actively exploiting the vulnerability remains high.
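The following is an added example, not code from the article, Zimbra or any of the researchers it cites. It is a small POSIX shell check an administrator could run on a Zimbra host to confirm that the mitigation is in place: that pax is available on the system (the workaround) or that the release is at least 9.0.0 P27 (the patch). The version-string format parsed by patch_level is an assumption about the output of zmcontrol -v and only covers the 9.0.0 line named in the article; the sample string is constructed.

```shell
#!/bin/sh
# Added example (not from the article or from Zimbra): verify that the
# cpio-to-pax mitigation for CVE-2022-41352 is in place on a Zimbra host.
#
# Assumptions (not stated on the page):
#   - the workaround is simply having `pax` installed and on PATH;
#   - `zmcontrol -v` (run as the zimbra user) prints a line containing
#     "Patch 9.0.0_P<n>" for the 9.0.0 release line.

# Succeed (status 0) when pax is available to the mail pipeline.
pax_installed() {
    command -v pax >/dev/null 2>&1
}

# Extract the patch number from a zmcontrol -v style line.
# Constructed sample input:
#   "Release 9.0.0.GA.3924.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P27."
# Prints "27" for that input; prints nothing if the pattern is absent.
patch_level() {
    printf '%s\n' "$1" | sed -n 's/.*Patch 9\.0\.0_P\([0-9][0-9]*\).*/\1/p'
}

# Succeed when the parsed patch level is 27 or later (the fixed release).
is_patched() {
    p=$(patch_level "$1")
    if [ -n "$p" ] && [ "$p" -ge 27 ]; then
        return 0
    fi
    return 1
}

# Summarise: "patched", "workaround", or "vulnerable" for a given version line.
mitigation_status() {
    if is_patched "$1"; then
        echo patched
    elif pax_installed; then
        echo workaround
    else
        echo vulnerable
    fi
}

# Stand-alone use: only consult zmcontrol when it actually exists on this host.
if command -v zmcontrol >/dev/null 2>&1; then
    ver=$(zmcontrol -v 2>/dev/null)
    echo "CVE-2022-41352 status: $(mitigation_status "$ver")"
fi
```

The three-way result matters in practice: "workaround" means the host is no longer exploitable through the cpio path but still needs the real patch, while "vulnerable" means neither measure is present and the server should be treated as exposed and checked for web shells.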
Source: BleepingComputer