Close to 900 servers were recently hacked through a critical vulnerability in Zimbra Collaboration Suite that remained an unpatched zero-day for around six weeks.

The vulnerability, tracked as CVE-2022-41352, is a remote code execution (RCE) flaw that lets an attacker send an email with a malicious attachment that deploys a web shell on the Zimbra Collaboration Suite server while bypassing the dedicated antivirus scans.

According to cybersecurity firm Kaspersky, several Advanced Persistent Threat (APT) groups exploited the flaw after it was first reported on the Zimbra forums.

The company said it had identified 876 servers compromised by advanced attackers exploiting the weakness before the vulnerability was widely publicised and assigned its CVE identifier.

Actively exploited

Weeks ago, a report from software company Rapid7 warned of active exploitation of CVE-2022-41352 and encouraged admins to apply the available workarounds, since no security update was available at the time.

Around the time that warning was issued, however, a proof-of-concept exploit was uploaded by threat operators, allowing even low-skilled attackers to use the vulnerability in effective attacks against unprotected servers.

Zimbra has since released a security fix in Zimbra Collaboration Suite version 9.0.0 P27, replacing the vulnerable component with pax and removing the weak element that made exploitation possible.

Unfortunately, by this time the malicious exploitation activity had picked up speed, and multiple threat operators had already begun unleashing opportunistic attacks on vulnerable servers.

Incident response firm Volexity recently reported that its analysts had identified around 1,600 Zimbra Collaboration Suite servers compromised by threat operators who leveraged the vulnerability to plant web shells.

Employed by sophisticated hacking groups

Speaking to BleepingComputer, Kaspersky said that an unknown Advanced Persistent Threat (APT) group exploiting the vulnerability had likely built a working exploit from the information first posted on the Zimbra forums.

The initial attacks began in September and targeted vulnerable Zimbra servers in India, along with some in Turkey. This first wave was most likely a test against low-interest victims to evaluate how effective the attack would be in a large-scale campaign. By Kaspersky’s assessment, the threat operators compromised a total of 44 servers in this first wave.

Once the flaw became public, the attackers shifted to wide-scale targeting, aiming to compromise as many servers around the world as possible before administrators patched their systems and shut out intruders.

The second wave had a far greater effect, infecting a total of 832 servers with web shells, although these attacks were much more indiscriminate than those of the first wave.

Zimbra Collaboration Suite admins are advised to apply the available security update immediately.
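For administrators acting on that advice, the following script is an added example (not code from Zimbra, Kaspersky, Volexity or Rapid7) that bundles the three checks a responder would want on a Zimbra host: whether the installed release is at or past the 9.0.0 P27 fix level named above, whether a pax binary is present on PATH (the replacement component the fix relies on), and whether any .jsp files under the web root have changed recently, which is the kind of trace a dropped web shell leaves behind. The format of the `zmcontrol -v` output it parses, the `/opt/zimbra/bin/zmcontrol` path and the web-root location are assumptions, and the sample version string and demo web root are constructed for the example.

```python
"""Post-patch checks for CVE-2022-41352 on a Zimbra Collaboration Suite host.

Added example, not Zimbra's or any vendor's code. Assumptions (not stated in
the article): `zmcontrol -v` prints a line shaped like SAMPLE_ZMCONTROL_OUTPUT
below; Amavis picks up pax when it is on PATH; web shells dropped through the
flaw land as .jsp files under the Zimbra web root.
"""
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# Fix level named in the article: release 9.0.0, Patch 27.
FIXED_PATCH_LEVEL = {"9.0.0": 27}

# Constructed sample of `zmcontrol -v` output (format is an assumption).
SAMPLE_ZMCONTROL_OUTPUT = (
    "Release 9.0.0_GA_4258.RHEL8_64_20220228093208 RHEL8_64 FOSS edition, "
    "Patch 9.0.0_P26."
)


def parse_zcs_version(text):
    """Return (release, patch_level) from zmcontrol output, e.g. ("9.0.0", 26).

    A release line without a "Patch x.y.z_Pn" suffix counts as patch level 0.
    Returns None when no release string is found at all.
    """
    rel = re.search(r"Release\s+(\d+\.\d+\.\d+)", text)
    if not rel:
        return None
    pat = re.search(r"Patch\s+\d+\.\d+\.\d+_P(\d+)", text)
    patch_level = int(pat.group(1)) if pat else 0
    return rel.group(1), patch_level


def is_patched(release, patch_level):
    """True/False against the fix level the article names; None for other releases."""
    required = FIXED_PATCH_LEVEL.get(release)
    if required is None:
        return None
    return patch_level >= required


def pax_available(search_path=None):
    """Whether a pax binary is on PATH (or on an explicit search path)."""
    return shutil.which("pax", path=search_path) is not None


def recently_modified_jsp(webroot, max_age_seconds, now=None):
    """List .jsp files under webroot modified within the last max_age_seconds.

    A web root should only change on upgrades, so a fresh .jsp is a lead worth
    reviewing by hand, not proof of compromise on its own.
    """
    now = time.time() if now is None else now
    hits = []
    for path in Path(webroot).rglob("*.jsp"):
        if now - path.stat().st_mtime <= max_age_seconds:
            hits.append(str(path))
    return sorted(hits)


def build_demo_webroot():
    """Constructed fixture: a temp dir with one fresh and one week-old .jsp."""
    root = Path(tempfile.mkdtemp(prefix="zcs-demo-"))
    (root / "public").mkdir()
    fresh = root / "public" / "new.jsp"
    fresh.write_text("<%-- constructed sample file, not a web shell --%>\n")
    old = root / "public" / "login.jsp"
    old.write_text("<%-- constructed sample of a shipped page --%>\n")
    week_ago = time.time() - 7 * 24 * 3600
    os.utime(old, (week_ago, week_ago))  # backdate so only new.jsp is "recent"
    return str(root)


def assess(version_text, webroot, max_age_seconds=24 * 3600):
    """Combine the three checks into one dict a triage script can act on."""
    parsed = parse_zcs_version(version_text)
    release, patch_level = parsed if parsed else (None, 0)
    return {
        "release": release,
        "patch_level": patch_level,
        "patched": is_patched(release, patch_level) if release else None,
        "pax_available": pax_available(),
        "recent_jsp": recently_modified_jsp(webroot, max_age_seconds),
    }


if __name__ == "__main__":
    # On a real host, feed the output of `/opt/zimbra/bin/zmcontrol -v` (assumed
    # path) and the Zimbra web root instead of the constructed demo inputs.
    for key, value in assess(SAMPLE_ZMCONTROL_OUTPUT, build_demo_webroot()).items():
        print(f"{key}: {value}")
```

Run as the zimbra user on the host; a result of `patched: False` or `pax_available: False` means the server is still exposed and the update (or the pax workaround) must be applied, and any path in `recent_jsp` should be compared against a known-good install before the server is trusted.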