AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite
href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">known exploited vulnerabilities.
• Deploy detection signatures and hunt for indicators of compromise (IOCs).
• If ZCS was compromised, remediate malicious activity.
Update November 10, 2022: This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) with contributions by the Federal Bureau of Investigation (FBI).
CISA and the MS-ISAC are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. CVEs currently being exploited against ZCS include:
- CVE-2022-24682
- CVE-2022-27924
- CVE-2022-27925 chained with CVE-2022-37042
- CVE-2022-30333
Cyber threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section of this CSA to help secure their organization’s systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations who did not immediately update their ZCS instances upon patch release, or whose ZCS instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of this CSA. Organizations that detect potential compromise should apply the steps in the Incident Response section of this CSA.
Update November 10, 2022:
This CSA has been updated with additional IOCs. For a downloadable copy of the IOCs, see the following Malware Analysis Reports (MARs):
- MAR-10400779-1
- MAR-10400779-2
- MAR-10401765-1
- MAR-10398871-1
- New, November 10, 2022: MAR-10410305-1.v1 JSP Webshell
Download the PDF version of this report: pdf, 480 kb
Download the IOCs: .stix 12.2 kb
Technical Details
CVE-2022-27924
CVE-2022-27924 is a high-severity vulnerability enabling an unauthenticated malicious actor to inject arbitrary
On March 11, 2022, researchers from SonarSource announced the discovery of this ZCS vulnerability. Zimbra issued fixes for releases 8.8.15 and 9.0 on May 10, 2022. Based on evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on August 4, 2022. Due to ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks.
CVE-2022-27925 and CVE-2022-37042
CVE-2022-27925 is a high severity vulnerability in ZCS releases 8.8.15 and 9.0 that have
CVE 2022 37042 is an authentication bypass vulnerability that affects ZCS releases 8.8.15 and 9.0. CVE 2022 37042 could allow an unauthenticated malicious actor access to a vulnerable ZCS instance. According to Zimbra, CVE 2022 37042 is found in the
CVE-2022-30333
CVE-2022-30333 is a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX allowing a malicious actor to write to files during an extract (unpack) operation. A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email with a malicious RAR file. Upon email receipt, the ZCS server would automatically extract the RAR file to check for spam or malware.[5] Any ZCS instance with
Researchers from SonarSource shared details about this vulnerability in June 2022.[6] Zimbra made configuration changes to use the
CVE-2022-24682
CVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients running releases before 8.8.15 patch 30 (update 1), which contain a cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files. Researchers from Volexity shared this vulnerability on February 3, 2022[9], and Zimbra issued a fix on February 4, 2022.[10] CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on February 25, 2022.
DETECTION METHODS
Note: CISA and the MS-ISAC will update this section with additional IOCs and signatures as further information becomes available.
CISA recommends administrators, especially at organizations that did not immediately update their ZCS instances upon patch release, to hunt for malicious activity using the following third-party detection signatures:
- Update September 27, 2022: Hunt for IOCs including:
IP Addresses |
Note |
62.113.255[.]70 |
New September 27, 2022: Used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042 |
185.112.83[.]77 |
New September 27, 2022: Used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042 |
207.148.76[.]235 |
A Cobalt Strike command and control (C2) domain |
209.141.56[.]90 |
New September 27, 2022 |
- Update August 23, 2022: Deploy Snort signatures to detect malicious activity:
- Deploy third-party YARA rules to detect malicious activity:
Mitigations
CISA and the MS-ISAC recommend organizations upgrade to the latest ZCS releases as noted on Zimbra Security – News & Alerts and Zimbra Security Advisories.
See Volexity’s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 for mitigation steps.
Additionally, CISA and the MS-ISAC recommend organizations apply the following best practices to reduce risk of compromise:
- Maintain and test an incident response plan.
- Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Note: CISA’s Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations: cisa.gov/cyber-hygiene-services.
- Properly configure and secure internet-facing network devices.
- Do not expose management interfaces to the internet.
- Disable unused or unnecessary network ports and protocols.
- Disable/remove unused network services and devices.
- Adopt zero-trust principles and architecture, including:
- Micro-segmenting networks and functions to limit or block lateral movements.
- Enforcing phishing-resistant (MFA) for all users and virtual private network (VPN) connections.
- Restricting access to trusted devices and users on the networks.
INCIDENT RESPONSE
If an organization’s system has been compromised by active or recently active threat actors in their environment, CISA and the MS-ISAC recommend the following initial steps:
- Collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
- Quarantine or take offline potentially affected hosts.
- Reimage compromised hosts.
- Provision new account credentials.
- Report the compromise to CISA via CISA’s 24/7 Operations Center ( or 888-282-0870). SLTT government entities can also report to the MS-ISAC ( or 866-787-4722).
See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and the MS-ISAC also encourage government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide detailed operational procedures for planning and conducting cybersecurity incident and vulnerability response activities.
ACKNOWLEDGEMENTS
CISA and the MS-ISAC would like to thank Volexity and Secureworks for their contributions to this advisory.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and the MS-ISAC do not provide any warranties of any kind regarding this information. CISA and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
References
- [1] CVE-2022-27925 detail
- [2] Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925
- [3] CVE-2022-37042 detail
- [4] Authentication bypass in MailboxImportServlet vulnerability
- [5] CVE-2022-30333 detail
- [6] UnRAR vulnerability exploited in the wild, likely against Zimbra servers
- [7] Zimbra Collaboration Kepler 9.0.0 patch 25 GA release
- [8] Zimbra UnRAR path traversal
- [9] Operation EmailThief: Active exploitation of zero-day XSS vulnerability in Zimbra
- [10] Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15
Revisions
- August 16, 2022: Initial Version
- August 22, 2022: Added Snort Signatures
- August 23, 2022: Updated Detection Methods Snort Signatures
- October 19, 2022: Added new Malware Analysis Report
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: August 16, 2022 | Last revised: November 10, 2022
Summary
Actions for ZCS administrators to take today to mitigate malicious cyber activity:
• Patch all systems and prioritize patching known exploited vulnerabilities.
• Deploy detection signatures and hunt for indicators of compromise (IOCs).
• If ZCS was compromised, remediate malicious activity.
Update November 10, 2022: This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) with contributions by the Federal Bureau of Investigation (FBI).
CISA and the MS-ISAC are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. CVEs currently being exploited against ZCS include:
- CVE-2022-24682
- CVE-2022-27924
- CVE-2022-27925 chained with CVE-2022-37042
- CVE-2022-30333
Cyber threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section of this CSA to help secure their organization’s systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations who did not immediately update their ZCS instances upon patch release, or whose ZCS instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of this CSA. Organizations that detect potential compromise should apply the steps in the Incident Response section of this CSA.
Update November 10, 2022:
This CSA has been updated with additional IOCs. For a downloadable copy of the IOCs, see the following Malware Analysis Reports (MARs):
- MAR-10400779-1
- MAR-10400779-2
- MAR-10401765-1
- MAR-10398871-1
- New, November 10, 2022: MAR-10410305-1.v1 JSP Webshell
Download the PDF version of this report: pdf, 480 kb
Download the IOCs: .stix 12.2 kb
Technical Details
CVE-2022-27924
CVE-2022-27924 is a high-severity vulnerability enabling an unauthenticated malicious actor to inject arbitrary
On March 11, 2022, researchers from SonarSource announced the discovery of this ZCS vulnerability. Zimbra issued fixes for releases 8.8.15 and 9.0 on May 10, 2022. Based on evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on August 4, 2022. Due to ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks.
CVE-2022-27925 and CVE-2022-37042
CVE-2022-27925 is a high severity vulnerability in ZCS releases 8.8.15 and 9.0 that have
CVE 2022 37042 is an authentication bypass vulnerability that affects ZCS releases 8.8.15 and 9.0. CVE 2022 37042 could allow an unauthenticated malicious actor access to a vulnerable ZCS instance. According to Zimbra, CVE 2022 37042 is found in the
CVE-2022-30333
CVE-2022-30333 is a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX allowing a malicious actor to write to files during an extract (unpack) operation. A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email with a malicious RAR file. Upon email receipt, the ZCS server would automatically extract the RAR file to check for spam or malware.[5] Any ZCS instance with
Researchers from SonarSource shared details about this vulnerability in June 2022.[6] Zimbra made configuration changes to use the
CVE-2022-24682
CVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients running releases before 8.8.15 patch 30 (update 1), which contain a cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files. Researchers from Volexity shared this vulnerability on February 3, 2022[9], and Zimbra issued a fix on February 4, 2022.[10] CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on February 25, 2022.
DETECTION METHODS
Note: CISA and the MS-ISAC will update this section with additional IOCs and signatures as further information becomes available.
CISA recommends administrators, especially at organizations that did not immediately update their ZCS instances upon patch release, to hunt for malicious activity using the following third-party detection signatures:
- Update September 27, 2022: Hunt for IOCs including:
IP Addresses |
Note |
62.113.255[.]70 |
New September 27, 2022: Used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042 |
185.112.83[.]77 |
New September 27, 2022: Used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042 |
207.148.76[.]235 |
A Cobalt Strike command and control (C2) domain |
209.141.56[.]90 |
New September 27, 2022 |
- Update August 23, 2022: Deploy Snort signatures to detect malicious activity:
- Deploy third-party YARA rules to detect malicious activity:
Mitigations
CISA and the MS-ISAC recommend organizations upgrade to the latest ZCS releases as noted on Zimbra Security – News & Alerts and Zimbra Security Advisories.
See Volexity’s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 for mitigation steps.
Additionally, CISA and the MS-ISAC recommend organizations apply the following best practices to reduce risk of compromise:
- Maintain and test an incident response plan.
- Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Note: CISA’s Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations: cisa.gov/cyber-hygiene-services.
- Properly configure and secure internet-facing network devices.
- Do not expose management interfaces to the internet.
- Disable unused or unnecessary network ports and protocols.
- Disable/remove unused network services and devices.
- Adopt zero-trust principles and architecture, including:
- Micro-segmenting networks and functions to limit or block lateral movements.
- Enforcing phishing-resistant (MFA) for all users and virtual private network (VPN) connections.
- Restricting access to trusted devices and users on the networks.
INCIDENT RESPONSE
If an organization’s system has been compromised by active or recently active threat actors in their environment, CISA and the MS-ISAC recommend the following initial steps:
- Collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
- Quarantine or take offline potentially affected hosts.
- Reimage compromised hosts.
- Provision new account credentials.
- Report the compromise to CISA via CISA’s 24/7 Operations Center ( or 888-282-0870). SLTT government entities can also report to the MS-ISAC ( or 866-787-4722).
See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and the MS-ISAC also encourage government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide detailed operational procedures for planning and conducting cybersecurity incident and vulnerability response activities.
ACKNOWLEDGEMENTS
CISA and the MS-ISAC would like to thank Volexity and Secureworks for their contributions to this advisory.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. CISA and the MS-ISAC do not provide any warranties of any kind regarding this information. CISA and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
References
- [1] CVE-2022-27925 detail
- [2] Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925
- [3] CVE-2022-37042 detail
- [4] Authentication bypass in MailboxImportServlet vulnerability
- [5] CVE-2022-30333 detail
- [6] UnRAR vulnerability exploited in the wild, likely against Zimbra servers
- [7] Zimbra Collaboration Kepler 9.0.0 patch 25 GA release
- [8] Zimbra UnRAR path traversal
- [9] Operation EmailThief: Active exploitation of zero-day XSS vulnerability in Zimbra
- [10] Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15
Revisions
- August 16, 2022: Initial Version
- August 22, 2022: Added Snort Signatures
- August 23, 2022: Updated Detection Methods Snort Signatures
- October 19, 2022: Added new Malware Analysis Report
This product is provided subject to this Notification and this Privacy & Use policy.
- Vues : 485