DailyPost 2214

The area of cyber security is where strategy can be learnt and deployed in a big way. It is an area of war and peace, of ceasefire, of preparation, of reacting to the world around you and finally having your kill and, if needed, declaring it to the world. It is an asymmetrical war, which the tech world is bitterly realizing with every passing day. The ransomware attacks across the globe are redefining the contours of cybercrime and cyber war, and the nature and future of cyber security the world over. Now we have the news that almost 900 servers have been hacked using a Zimbra zero-day flaw.

These roughly 900 servers have been hacked using a critical Zimbra Collaboration Suite (ZCS) vulnerability. At the time of these hacks, it was a zero-day vulnerability that had gone without a patch for nearly 1.5 months. The vulnerability in question is tracked as CVE-2022-41352. It is a remote code execution flaw. "It allows attackers to send an email with a malicious archive attachment that plants a web shell in the ZCS server." At the same time, this bypasses anti-virus checks. Various APT groups are on the prowl looking for such gaping holes.

It was likely, and as reported by Kaspersky, that APT groups actively exploited the flaw as soon as it was reported on the Zimbra forums. The cybersecurity firm told BleepingComputer that at least 876 servers were compromised by sophisticated attackers leveraging this vulnerability. This happened before the vulnerability was widely publicized and got a CVE identifier. Rapid7 warned that it was being actively exploited and requested admins to apply the available workarounds. While this information was being made public to help people ward off the situation, a PoC was added to the Metasploit framework, giving even low-skilled hackers the means to launch attacks against vulnerable servers.

Zimbra released a security fix replacing the vulnerable component and removing the weak part that made exploitation possible. By then the exploitation spree by the threat actors had picked up pace. Opportunistic attacks were on. As per Volexity, 1,600 ZCS servers were compromised leveraging CVE-2022-41352 to plant web shells. An unknown APT had pieced together a working exploit. In the initial (testing) phase, Zimbra servers in India and Turkey were attacked, with 44 servers being compromised in this initial onslaught. There is now an advisory from cybersecurity experts that Zimbra admins who haven't applied the updates or the workarounds run a serious risk, as the exploitation activity is in high gear and is not likely to stop anytime soon.

Sanjay Sahay
