Over 900 servers have been hacked thanks to a Zimbra zero-day

Zimbra Collaboration Suite carried a zero-day vulnerability for more than a month, presenting hackers with a real field day that resulted in almost 900 servers being hacked.

Researchers at Kaspersky noted the vulnerability being reported on the Zimbra forum, after which several advanced persistent threat (APT) groups leveraged it to compromise servers.

Kaspersky labeled the flaw a remote code execution vulnerability that allows threat actors to send an email with a malicious file that deploys a webshell on the Zimbra server without triggering an antivirus alarm. It is now tracked as CVE-2022-41352. Some researchers claim that as many as 1,600 servers were actually compromised as a result.

Retiring cpio

The researchers later said at least 876 servers were compromised before a workaround was shared and a patch was issued. However, almost two months after the initial report, and just as Zimbra was set to release a fix, Volexity said it counted some 1,600 compromised servers.

Zimbra then released the patch, bringing its collaboration suite up to version 9.0.0 P27. In it, the company replaced the flawed component (cpio) with pax and removed the exploitable code.
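The article says only that an emailed archive could drop a webshell and that Zimbra swapped cpio for pax. As an added illustration (not Zimbra's, Kaspersky's or pax's code), the script below shows the kind of member-path check a hardened archive extractor enforces before writing anything: it builds a constructed tar with one benign attachment and two members that would escape the extraction directory (a `..` traversal path and a symlink pointing outside it) and flags them without extracting. The extraction directory and member names are made-up sample values, and the traversal/link checks illustrate the general archive-escape class rather than the exact Zimbra bug.

```python
import io
import os
import tarfile


def _inside(path: str, root: str) -> bool:
    """True when `path` (already realpath-normalised) lies under `root`."""
    return path == root or path.startswith(root + os.sep)


def unsafe_members(tar_bytes: bytes, dest: str) -> list[str]:
    """Return names of members that would write outside `dest` if extracted.

    Flags absolute names, '..' traversal, and link members whose target
    resolves outside the extraction directory. Nothing is extracted.
    """
    dest_real = os.path.realpath(dest)
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.isabs(m.name) or not _inside(target, dest_real):
                flagged.append(m.name)
                continue
            if m.issym() or m.islnk():
                # Symlinks resolve relative to their own directory; hard links
                # relative to the archive root. A link escaping `dest` lets a
                # later member write through it to an arbitrary location.
                base = dest_real if m.islnk() else os.path.dirname(target)
                link = os.path.realpath(os.path.join(base, m.linkname))
                if os.path.isabs(m.linkname) or not _inside(link, dest_real):
                    flagged.append(m.name)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample: a benign attachment plus two escaping members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"quarterly numbers"
        benign = tarfile.TarInfo("report.txt")
        benign.size = len(body)
        tar.addfile(benign, io.BytesIO(body))
        # Traversal member: would land two directories above the extraction root.
        traversal = tarfile.TarInfo("../../webroot/dropped.jsp")
        tar.addfile(traversal, io.BytesIO(b""))
        # Symlink member whose target resolves outside the extraction root.
        link = tarfile.TarInfo("attachments/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()
```

Running `unsafe_members(build_sample_archive(), "/srv/quarantine/extract")` reports the traversal member and the symlink while leaving `report.txt` unflagged; a mail gateway would quarantine the whole archive when the list is non-empty.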

The first attacks started in September 2022, targeting servers in India and Turkey. The first raids were against “low-interest” targets, prompting researchers to conclude that hackers were merely testing out the flaw’s capabilities before moving on to more lucrative targets. However, after the public disclosure of the vulnerability, threat actors picked up the pace in order to use it as much as possible before Zimbra issued a patch.

System admins who are unable to apply the patch immediately are urged to at least apply the workaround, as the number of threat actors actively exploiting the vulnerability in the wild is still high.

Via: BleepingComputer
