Volexity’s cybersecurity researchers have revealed mass exploitation of Zimbra Collaboration’s mail server due to a zero-day vulnerability with the previously discovered RCE exploit. Here is how the Zimba hack took place, how many were affected worldwide, how the Zimba hack works, and how you can keep yourself safe.
Cybersecurity researchers at Volexity have released a thorough advisory underlining that Zimbra’s ZCS (Zimbra Collaboration Suite) email servers are under attack. Threat actors exploited an RCE (Remote Code Execution) vulnerability and a zero day. The report was shocking, shedding prior incomprehension and indicating that cybercriminals can exploit Zimbra’s email servers without valid administrative credentials.
Tracked as CVE-2022-27925, the ZCS Arbitrary File Upload Vulnerability, and the CVE-2022-37042, the ZCS Authentication Bypass Vulnerability by the NIST (National Institute of Standards and Technology), here is everything you need to know about the exploit that has affected over 1000 email users and how you can protect yourself.
What is Zimbra, and What is the ZCS Vulnerability?
Zimbra Collaboration is a software suite that delivers a web client and email server. Volexity, one of the top incident response and cybersecurity enterprises, analyzed multiple incidents in July 2022, reporting that the ZCS email servers partook in a significant breach by unknown threat actors. The vulnerability, tracked as the CVE-2022-27925, was an RCE vulnerability, a flaw patched by Zimbra in March 2022 in software patches 8.8.15P31 and 9.0.0P24.
The NIST described the CVE-2022-27925 as an MBOXIMPORT functionality that received ZIP files and allowed authenticated users with admin privileges to upload arbitrary files enabling them to traverse the directory.
Volexity’s Latest ZCS Findings: RCE and Zero Day Causing Menace at Zimbra
Volexity did not find any public exploit code. However, the NIST’s characterization clearly declares it as a vulnerability that requires valid admin credentials, which indicated that the threat actors could not breach Zimbra easily, making mass exploitation improbable.
On closer examination and testing, Volexity could determine that threat actors can exploit the same vulnerability by bypassing authentication, making the CVE-2022-27925 more dangerous than Volexity believed. Cybersecurity researchers assigned it as CVE-2022-37042 and believe it has been mass exploited since the end of June 2022. How threat actors bypass authentication is consistent with 2021’s findings about the Microsoft Exchange Server zero-day vulnerabilities that included espionage actors joined by cybercriminals, resulting in a mass exploit.
How Many People Have Been Affected by the ZCS Vulnerability?
Internet-wide scans to identify the Zimbra users and instances revealed that over 1000 ZCS worldwide were compromised due to the hack. These 1000 were not limited to individuals but spanned multiple sectors, including international businesses, government departments, ministries, military, and smaller organizations without experienced staff to remediate the consequences of the Zimbra hack. Here is Volexity’s global chart depicting the compromised Zimbra servers.
(Zimbra Compromised Servers Worldwide, Source: Volexity)
As seen above, the top compromised servers belonged to the United States at 148, Italy at 107, Germany at 90, France at 88, and India at 66.
The threat actors deployed numerous web shells to gain continued Zimbra server access, each of which created new server files and a URL (Uniform Resource Locator) that they could access to interact with said file.
Such web shells do not have the logic to handle “404 Not Found” case responses if requests to fake URLs are made which are not according to the web shell’s design logic, leading to a “200” status code for OK for succeeded requests. Since Volexity did not find valid paths and Zimbra’s contacting behavior to any URLs, Volexity only scanned known web shell paths in the case of ZCS, which means that the number of compromised Zimbra servers worldwide might be more than 1000.
Zimbra Hack’s Root Cause
The primary causality of the Zimbra email server hack is RCE exploitation. On close examination of the affected systems, Volexity found that all affected servers were not up to date and were behind on software patches. Furthermore, the compromised web server logs in most affected cases showed that the vulnerability often occurred before a web shell was written to the disk.
Close inspection of the logs, memory samples and affected server data revealed that the threat actors had access to valid admin credentials, but the source of these credentials was unexplored. On testing further instances, two write-ups published on Chinese websites were uncovered, with the first one published in June 2022, before Volexity observed the exploit, and the second one providing a thorough account of exploiting the ZCS RCE vulnerability, published in July 2022, after the Zimbra hack cases became prominent.
How was Zimbra Compromised: What Was the Cause of CVE-2022-37042?
The Zimbra vulnerability that Volexity investigated was carried out under the following parameters.
- Setting up a vulnerable ZCS instance
- Crafting a ZIP file with a file name containing a relative path to the correct directory
- Sending a POST request via HTTP to the Zimbra instance’s MailboxImport servlet, with the ZIP files as a body attached to the POST request.
- And using an authentication token for an administrator account already logged in. Volexity specified this in the correct HTTP header so it would authenticate with the server.
Following the above steps, Volexity tested the vulnerability without utilizing the authentication token. An HTTP response was received, which indicated a failed request. However, the program placed the web shell content in the intended path without any issues. While observing the logs for the same, Volexity observed that the threat actors received status code 401 (Unauthorized response). The status code 401 usually indicates that the request has not been completed due to the source’s lack of valid authentication credentials.
However, Volexity found that the source code for the MailboxImport servlet was not complete. The POST request function, “doPost,” is called when the URL is hit and verifies if the user’s authentication lacks a return statement. So the authentication is checked, and the error message is displayed; however, the rest of the code is executed irrespective of the authentication state.
This is how the Zimbra hack’s threat actors could easily exploit the vulnerability, as they only needed adequate parameters in the URL. Even after Zimbra’s initial software patches were released, the threat actors could overwrite the client mailbox as they only fixed the directory traversal and not the authentication issue, a vulnerability that Zimba has successfully patched.
How to Protect and Check for the Zimbra Hack?
For now, you can stay safe by downloading the latest ZCS software patches, 8.8.15P31 or 9.0.0P24, to protect your email server from the Zimbra hack.
However, if you did not apply these patches before the end of May 2022, you should examine your Zimbra server to review if your ZCS instance is compromised. You can do so by:
- Performing initial memory acquisition to preserve memory-resident traces of threat or suspicious activity.
- Checking the logs for any 40x-based requests to vulnerable servlet (/service/extension/backup/mboximport).
- Inspect the Zimbra users directory (/opt/zimbra/) for exploitation evidence or web shells.
- Check for inbound ZCS server requests to JSP file paths that do not match the ones listed on Volexity’s threat intel for CVE-2022-27925.
Final Words
The Zimbra hack, a consequence of the original RCE exploit, combined with a single bug, became a significant vulnerability that allowed threat actors to compromise multiple servers worldwide. Though the RCE and zero day vulnerability has been patched and was listed with a medium severity, the incident has brought to light an issue that even the most straightforward thing, like a missing return statement, can have major repercussions for security.
Cybercriminals are adept at finding vulnerabilities in services to carry out their malicious purposes, which is why organizations and individuals must implement the best cybersecurity measures and keep software updated.