Zimbra Collaboration carried a zero-day vulnerability for more than a month, giving attackers a real field day that resulted in nearly 900 servers being hacked.
Kaspersky researchers noticed the vulnerability after it was reported on the Zimbra forum, and soon afterwards a range of Advanced Persistent Threat (APT) groups took advantage of it to compromise countless servers.
Kaspersky has classified the flaw as a remote code execution vulnerability that allows threat actors to send an email carrying a malicious file which deploys a webshell on the Zimbra server without triggering an antivirus alert. It is now tracked as CVE-2022-41352. Some researchers claim that as many as 1,600 servers have already been hacked as a result.
The researchers later said that at least 876 servers were compromised before a workaround was shared, and a patch was released. However, about two months after the initial report, and while Zimbra was about to release a fix, Volexity said it had counted around 1,600 compromised servers.
Zimbra then released the patch, bringing Zimbra Collaboration Suite up to version 9.0.0 p27. In it, the company replaced the defective component (cpio) with pax and removed the exploitable code.
The first attacks began in September 2022 and targeted servers in India and Turkey. These early intrusions hit "low-interest" targets, which led the researchers to conclude that the attackers were only testing the capabilities of the flaw before moving on to more valuable targets. After public disclosure of the vulnerability, however, threat actors stepped up their attacks to exploit it as widely as possible before Zimbra released a patch.
System administrators who cannot apply the patch immediately are urged to at least install the workaround, as the number of threat actors actively exploiting the vulnerability in the wild remains high.
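Since the fix replaced cpio with pax, and Zimbra's published workaround was to install pax so the vulnerable archiver is never invoked, an administrator can verify both signals on a host. The following POSIX shell check is an added example written for this page; it is not code from the article or from Zimbra. It assumes `zmcontrol` lives at `/opt/zimbra/bin/zmcontrol` and that `zmcontrol -v` reports the patch level in the form `Patch 9.0.0_P27`; the fallback version line is constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the article or from Zimbra): a defender-side check
# that the cpio attack surface behind CVE-2022-41352 is closed. Two signals:
#   1. the installed Zimbra Collaboration Suite patch level (9.0.0 P27 or later), and
#   2. whether the pax archiver is installed, since the fix swapped cpio for pax
#      and installing pax was the interim workaround.
# The "Patch 9.0.0_P27" format is an assumption about what `zmcontrol -v` prints;
# adjust the sed pattern if your build reports it differently.

# Print the numeric patch level from a version line such as
# "... FOSS edition, Patch 9.0.0_P27." Prints nothing if no patch tag is found.
patch_level() {
    printf '%s\n' "$1" | sed -n 's/.*9\.0\.0_P\([0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) only when the line reports 9.0.0 at patch 27 or later.
patch_level_ok() {
    p=$(patch_level "$1")
    [ -n "$p" ] && [ "$p" -ge 27 ]
}

# Succeed when a pax binary is reachable on PATH.
has_pax() {
    command -v pax >/dev/null 2>&1
}

# Combined verdict as a bitmask: 0 = both good, bit 1 = patch too old,
# bit 2 = pax missing (so 3 means both problems).
assess() {
    rc=0
    patch_level_ok "$1" || rc=$((rc + 1))
    has_pax || rc=$((rc + 2))
    return $rc
}

# On a real host the version line comes from zmcontrol (run as the zimbra user);
# otherwise use a constructed line that deliberately reports an unpatched level.
if [ -x /opt/zimbra/bin/zmcontrol ]; then
    VERSION_LINE=$(/opt/zimbra/bin/zmcontrol -v 2>/dev/null)
else
    VERSION_LINE="Release 9.0.0_GA_1234.UBUNTU20_64 FOSS edition, Patch 9.0.0_P26."  # constructed
fi

verdict=0
assess "$VERSION_LINE" || verdict=$?
[ $((verdict & 1)) -eq 0 ] && echo "patch level: OK" || echo "patch level: BELOW 9.0.0 P27, apply the patch"
[ $((verdict & 2)) -eq 0 ] && echo "pax: installed" || echo "pax: MISSING, install it as the workaround"
```

Run it as the zimbra user on each mail store; a non-zero verdict from `assess` is the cue to patch or install pax, and the two checks are separate so a host that is patched but lost pax during an OS rebuild is still flagged.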
Via: Computer