Two sentences summarizing: U.S. CISA and MS-ISAC warn that multiple CVEs in Zimbra Collaboration Suite are being actively exploited in government and private networks, with attackers able to gain access and maintain persistence. The advisory provides patch guidance, IOC detections, and incident response steps to mitigate and hunt for malicious activity.
#Zimbra #CVE-2022-27924 #CVE-2022-27925 #CVE-2022-37042 #CVE-2022-30333 #CVE-2022-24682 #CISA #MSISAC
#Zimbra #CVE-2022-27924 #CVE-2022-27925 #CVE-2022-37042 #CVE-2022-30333 #CVE-2022-24682 #CISA #MSISAC
Keypoints
- CISA/MS-ISAC alert on active exploitation of multiple CVEs against Zimbra Collaboration Suite (CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, CVE-2022-30333).
- Attackers may target unpatched ZCS instances across government and private networks; patching and detection are urgently advised.
- For CVE-2022-27924, unauthenticated actors can inject memcache commands, steal credentials in cleartext, and may open webshells for persistence.
- CVE-2022-27925 with CVE-2022-37042 involve mboximport directory traversal and authentication bypass, enabling file uploads and access.
- CVE-2022-30333 involves directory traversal via RAR extraction; Zimbra switched to 7zip to mitigate; a Metasploit module and a cross-site scripting market exist.
- IOCs include specific IPs and a Cobalt Strike C2 domain; Snort signatures and YARA-based detection are recommended, with additional MARs providing more IOCs.
- Mitigations emphasize patching, validating configurations, zero-trust principles, MFA, vulnerability management, and incident response planning.
MITRE Techniques
- [T1190] Exploit Public-Facing Application β The actor exploits ZCS CVEs to gain access and persistence. βThe actor can then steal ZCS email account credentials in cleartext form without any user interaction.β
- [T1566.001] Phishing: Spearphishing β After obtaining credentials, attackers can perform spear phishing, social engineering, and BEC against the organization.
- [T1078] Valid Accounts β Attackers may use valid account credentials to log in and later open webshells to maintain persistence.
- [T1505.003] Web Shell β Malicious actors could use webshells to maintain persistent access to compromised ZCS instances.
Indicators of Compromise
- [IP Addresses] 62.113.255[.]70, 185.112.83[.]77, 207.148.76[.]235, 209.141.56[.]190 β noted as actively used by actors during exploitation windows.
- [Domain] A Cobalt Strike C2 domain β referenced as used by cyber actors for C2.
- [HTTP URI] /public/jsp/runas.jsp?pwd=zim&i=/opt/zimbra/bin/zmlocalconfig|3a|-s β example of a targeted URI in detection content.
- [HTTP URI] /service/extension/backup/mboximport β detection related to mboximport path in POST requests.
- [HTTP Header] QIHU 360SE β client HTTP header observed in related activity.
Read more: https://www.cisa.gov/uscert/ncas/alerts/aa22-228a