Hackers Already Used a Fresh 0-Day to Hack 900 Zimbra Servers

Written by Emma Davis

Researchers warn that about 900 servers have already been compromised through a critical RCE vulnerability in the Zimbra Collaboration Suite (ZCS).

This bug is identified as CVE-2022-41352 and allows attackers to upload arbitrary files and perform malicious actions on vulnerable ZCS installations.

Let me remind you that this problem, which received a score of 9.8 on the CVSS vulnerability rating scale, became known in early October. The bug is tracked as CVE-2022-41352 and is related to the way the Zimbra (Amavis) antivirus engine handles incoming email messages during scanning. According to Rapid7 analysts, an attacker could exploit this vulnerability by mailing a specially crafted .cpio, .tar, or .rpm file to the affected server.
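The arbitrary-file-write mechanism described above points to the check a defender would want at the mail gateway: inspect .tar and .cpio attachments for member paths that escape their extraction directory before any scanner unpacks them. The following is an added example, not code from the article or from Zimbra/Amavis; it assumes unsafe member paths are the indicator worth flagging (a detail the article does not give) and builds its own tiny sample archives in memory rather than using real attachments.

```python
import io
import posixpath
import tarfile

def unsafe_path(name: str) -> bool:
    """True if an archive member path is absolute or climbs out via '..'."""
    if not name or name.startswith("/"):
        return True
    return ".." in posixpath.normpath(name).split("/")

def tar_unsafe_members(data: bytes) -> list:
    # Names of tar members that would land outside the extraction directory.
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        return [m.name for m in tf.getmembers() if unsafe_path(m.name)]

def cpio_unsafe_members(data: bytes) -> list:
    """Walk a newc-format cpio archive (magic 070701) and flag unsafe names."""
    bad, off = [], 0
    while off + 110 <= len(data):
        if data[off:off + 6] != b"070701":
            raise ValueError("not a newc cpio header at offset %d" % off)
        # 13 ASCII-hex fields of 8 chars follow the magic: filesize is field 6, namesize field 11
        fields = [int(data[off + 6 + i * 8:off + 14 + i * 8], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = off + 110
        name = data[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        if name == "TRAILER!!!":
            break
        if unsafe_path(name):
            bad.append(name)
        data_start = (name_start + namesize + 3) & ~3   # name is padded to 4 bytes
        off = (data_start + filesize + 3) & ~3          # so is the file data
    return bad

# Constructed sample inputs (not real attachments): tiny archives built in memory.
def build_tar(entries) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in entries:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def build_cpio(entries) -> bytes:
    out = bytearray()
    for name, body in list(entries) + [("TRAILER!!!", b"")]:
        nb = name.encode() + b"\0"
        vals = [0, 0o100644, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(nb), 0]
        out += b"070701" + "".join("%08x" % v for v in vals).encode() + nb
        out += b"\0" * (-len(out) % 4) + body + b"\0" * (-len(body) % 4)
    return bytes(out)
```

Any flagged member name is reason to quarantine the message rather than let an unpacking step run on it; .rpm payloads are cpio inside a wrapper, so the same cpio walk applies once the wrapper is stripped.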

Even worse, Metasploit has already added a PoC exploit for this bug, allowing even low-skilled hackers to carry out effective attacks on vulnerable servers.

According to Kaspersky Lab (recall that information security specialists rightly suspect this software manufacturer of having links with Russian intelligence), various APT groups actively exploited the vulnerability shortly after it was reported on the Zimbra forums; users had written about the problem there back in September of this year.

Bleeping Computer journalists write that in a private conversation, Kaspersky Lab experts told them about the compromise of at least 876 servers that were hacked even before the vulnerability was widely publicized.

Experts told reporters that an unknown APT using CVE-2022-41352 apparently assembled a working exploit from the information posted on the Zimbra forums. The first attacks exploiting the bug began in September and targeted vulnerable Zimbra servers in India and some in Turkey. This initial wave was probably a test; the attackers then went on to compromise 44 servers.

Now that the problem has been made public and the Metasploit module has appeared, exploitation of the vulnerability has intensified. For example, Volexity recently reported that its analysts identified about 1,600 ZCS servers compromised by attackers who used CVE-2022-41352 to install web shells.

Let me remind you that we also reported that Apple leaves critical bugs unpatched in macOS Big Sur and Catalina.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
