CISA, the cybersecurity division of the US Department of Defense, issued an advisory highlighting how Zimbra, cloud-hosted collaboration software and email platform is vulnerable to multiple threats. CISA provided a detailed report about various ways hackers can spy and steal data from the system of Zimbra. The advisory released by CISA mentioned 5 Common Vulnerabilities and Exposures (CVEs) in Zimbra Collaboration Suite (ZCS) that could be exploited by cybercriminals.
Details on the Zimbra vulnerabilities
The vulnerability CVE-2022-27924 could be exploited to inject a command in Zimbra which would overwrite the original system file. This would enable stealing email account login credentials in cleartext. Furthermore, the user will have no knowledge of this hack as the overwriting activity will have no interaction with the end user. This puts the user at risk of spear phishing campaigns and other social engineering attacks. Furthermore, it exposes organizations to risk with business email compromise (BEC) attacks which can result in huge data loss and loss of privacy.
CVE-2022-27925 and CVE-2022-37042
The combination of CVEs including CVE-2022-27925 and CVE-2022-37042 leaves room for maligning zipped files in the system of Zimbra. This CVE allows maliciously accessing zipped files where cybercriminals can upload their own files to the system creating a vulnerability called directory traversal.
CVE-2022-30333 is also a high severity directory traversal vulnerability in Zimbra that allows cybercriminals to write to files while extracting zipped files. This vulnerability puts user data at risk if users open a malicious RAR file sent by hackers. The CISA Advisory also stated that a cross-site scripting exploit kit is sold by cybercriminals to make use of the CVE-2022-30333 vulnerability.
The last, CVE-2022-24682 is considered a medium severe vulnerability that accesses Zimbra webmail clients and steals cookies from the users’ devices. Researchers from Volexity threw light on this vulnerability that impacts webmail clients who are using versions made before 8.8.15 patch 30.
Finding based on research by SonarSource and Volexity
Researchers from SonarSource and Volexity found these Common Vulnerabilities and Exposures (CVEs) in Zimbra. The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released the advisory observing the five ZCS vulnerabilities. Fixes made by Zimbra for all these vulnerabilities are also mentioned in the advisory. However, CISA stressed targeting unpatched ZCS instances by hackers in the future. As this can impact both government and private sector users.
Incident response suggested by CISA and MS-ISAC experts
In case of observing any breach, CISA advised organizations to collect and review processes and verify recent network connections. They are also asked to quarantine and disconnect affected hosts. And then, go for reimaging the compromised hosts and offering new account credentials to the hosts. Reporting the incident to CISA on their operation center at 888-282-0870 or [email protected] is also suggested. They also provided separate contact details for SLTT government bodies which are 866-787-4722 and [email protected].
Suggested measures to detect vulnerabilities
CISA and MS-ISAC encouraged users to update their ZCS accounts for those who haven’t after the patch release. They urged organizations to be on the lookout for malicious third-party detection signatures to monitor any compromise in their security. They offered a few steps to take as ‘Incident Response’ after detecting threats to their systems. The Third-party YARA rules were also suggested to be deployed to keep an eye on malicious activities. Looking for IOCs like 207.148.76[.]235 – a Cobalt Strike command and control (C2) domain is also recommended.
Mitigation measures by CISA and MS-ISAC
Some of the mitigation measures suggested by the CISA are maintaining and testing incident response plans and putting a vulnerability management program in place that offers regular vulnerability scanning. Furthermore, it urged configuring and securing all the internet-facing network devices and removing unused network services. And finally, adopting a zero-trust principle that includes micro segmenting networks to limit lateral movements, enforcing phishing-resistant multifactor authentication, and restricting access to trusted devices. It also offered the Cyber Hygiene Services (CyHy) which is a resource that is available to all state, local, tribal and territorial organizations and the general public.