Thousands of Zimbra mail servers backdoored in large scale attack

Researchers at Volexity have discovered that a known vulnerability has been used in a large scale attack against Zimbra Collaboration Suite (ZCS) email servers. But the vulnerability was supposed to be hard to exploit since it required authentication. So they decided to dig deeper.

An incomplete fix

Zimbra is a brand owned by Synacor. Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS) is a collaborative software suite that includes an email server and a web client. It is widely used across different industries and government organizations. We reported about a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software.

The initial investigations showed evidence indicating the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This vulnerability was patched by Zimbra in March 2022.

The description of the CVE informs us that Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

Zimbra patched the vulnerability, but, in the company’s own words, it would turn out to be an "incomplete fix for CVE-2022-27925".

Mass exploitation

It is uncommon for a vulnerability that requires administrator rights to be used in a large-scale attack. Firstly, because it is usually a lot of work for a cybercriminal to obtain valid administrator credentials. But also because once they have administrator credentials there are a lot more options open to them. Although in this case, uploading zip files that will be auto-magically extracted sounds like a good way to establish a foothold.

So how did it come about that a serious, yet hard to exploit vulnerability got involved in a larger attack rather than a targeted one? The researchers did a lot of digging and found that the threat actors were chaining the known vulnerability with a zero-day path traversal vulnerability. The authentication bypass vulnerability was assigned CVE-2022-37042 after sharing their findings with Zimbra. A path traversal vulnerability allows an attacker to access files on your web server to which they should not have access.

The underlying problems was that the authentication check, after sending an error message to the unauthenticated attacker, continued executing the subsequent code. So, even though the attackers received an error message the web shell was planted on the server anyway. These web shells were a malicious script used by the attacker with the intent to escalate and maintain persistent access. In other words, a backdoor.

Knowing the paths to which the attacker had installed web shells, and the behavior of ZCS when contacting a URL that did not exist, the researchers performed a scan of ZCS instances in the wild to identify third-party compromises using the same web shell names. This scan yielded over 1,000 infected ZCS instances worldwide. The real number of infected instances is probably a lot higher since the scan only looked for shell paths known to the researchers.

Mitigation

Zimbra has patched the authentication issue in its 9.0.0P26 and 8.8.15P33 releases. If you were late to patch for the RCE vulnerability, you should assume that your server instance has been compromised.

In order to verify the presence of web shells on a ZCS instance, one technique that can be used is to compare the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. Lists of valid JSP files included in Zimbra installations can be found on GitHub for the latest version of 8.8.15 and of 9.0.0.

Stay safe, everyone!