Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-228a (submitted URL: https://www.cisa.gov/uscert/ncas/alerts/aa22-228a)
Cybersecurity Advisory
THREAT ACTORS EXPLOITING MULTIPLE CVES AGAINST ZIMBRA COLLABORATION SUITE
Last Revised: January 27, 2023
Alert Code: AA22-228A

SUMMARY

Actions for ZCS administrators to take today to mitigate malicious cyber activity:
• Patch all systems and prioritize patching known exploited vulnerabilities.
• Deploy detection signatures and hunt for indicators of compromise (IOCs).
• If ZCS was compromised, remediate malicious activity.

Updated November 10, 2022: This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) with contributions by the Federal Bureau of Investigation (FBI).

CISA and the MS-ISAC are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. CVEs currently being exploited against ZCS include:
* CVE-2022-24682
* CVE-2022-27924
* CVE-2022-27925 chained with CVE-2022-37042
* CVE-2022-30333

Cyber threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section of this CSA to help secure their organization's systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations that did not immediately update their ZCS instances upon patch release, or whose ZCS instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of this CSA. Organizations that detect potential compromise should apply the steps in the Incident Response section of this CSA.

Updated November 10, 2022: This CSA has been updated with additional IOCs. For a downloadable copy of the IOCs, see the following Malware Analysis Reports (MARs):
* MAR-10400779-1
* MAR-10400779-2
* MAR-10401765-1
* MAR-10398871-1
* New, November 10, 2022: MAR-10410305-1.v1 JSP Webshell
Update End

Download the PDF version of this report: pdf, 480 kb
Download the IOCs: .stix 12.2 kb

TECHNICAL DETAILS

CVE-2022-27924

CVE-2022-27924 is a high-severity vulnerability enabling an unauthenticated malicious actor to inject arbitrary memcache commands into a targeted ZCS instance and cause an overwrite of arbitrary cached entries. The actor can then steal ZCS email account credentials in cleartext form without any user interaction. With valid email account credentials in an organization not enforcing multifactor authentication (MFA), a malicious actor can use spear phishing, social engineering, and business email compromise (BEC) attacks against the compromised organization. Additionally, malicious actors could use the valid account credentials to open webshells and maintain persistent access.

On March 11, 2022, researchers from SonarSource announced the discovery of this ZCS vulnerability. Zimbra issued fixes for releases 8.8.15 and 9.0 on May 10, 2022. Based on evidence of active exploitation, CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on August 4, 2022. Due to ease of exploitation, CISA and the MS-ISAC expect to see widespread exploitation of unpatched ZCS instances in government and private networks.

CVE-2022-27925 AND CVE-2022-37042

CVE-2022-27925 is a high-severity vulnerability in ZCS releases 8.8.15 and 9.0 that have mboximport functionality to receive a ZIP archive and extract files from it. An authenticated user has the ability to upload arbitrary files to the system, thereby leading to directory traversal.[1] On August 10, 2022, researchers from Volexity reported widespread exploitation—against over 1,000 ZCS instances—of CVE-2022-27925 in conjunction with CVE-2022-37042.[2] CISA added both CVEs to the Known Exploited Vulnerabilities Catalog on August 11, 2022.

CVE-2022-37042 is an authentication bypass vulnerability that affects ZCS releases 8.8.15 and 9.0. CVE-2022-37042 could allow an unauthenticated malicious actor access to a vulnerable ZCS instance. According to Zimbra, CVE-2022-37042 is found in the MailboxImportServlet function.[3][4] Zimbra issued fixes in late July 2022.

CVE-2022-30333

CVE-2022-30333 is a high-severity directory traversal vulnerability in RARLAB UnRAR on Linux and UNIX allowing a malicious actor to write to files during an extract (unpack) operation. A malicious actor can exploit CVE-2022-30333 against a ZCS server by sending an email with a malicious RAR file. Upon email receipt, the ZCS server would automatically extract the RAR file to check for spam or malware.[5] Any ZCS instance with unrar installed is vulnerable to CVE-2022-30333.

Researchers from SonarSource shared details about this vulnerability in June 2022.[6] Zimbra made configuration changes to use the 7zip program instead of unrar.[7] CISA added CVE-2022-30333 to the Known Exploited Vulnerabilities Catalog on August 9, 2022. Based on industry reporting, a malicious cyber actor is selling a cross-site scripting (XSS) exploit kit for the ZCS vulnerability CVE-2022-30333. A Metasploit module is also available that creates a RAR file that can be emailed to a ZCS server to exploit CVE-2022-30333.[8]

CVE-2022-24682

CVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients running releases before 8.8.15 patch 30 (update 1), which contain a cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files. Researchers from Volexity shared this vulnerability on February 3, 2022,[9] and Zimbra issued a fix on February 4, 2022.[10] CISA added this vulnerability to the Known Exploited Vulnerabilities Catalog on February 25, 2022.

DETECTION METHODS

Note: CISA and the MS-ISAC will update this section with additional IOCs and signatures as further information becomes available.

CISA recommends administrators, especially at organizations that did not immediately update their ZCS instances upon patch release, hunt for malicious activity using the following third-party detection signatures:

* Updated September 27, 2022: Hunt for IOCs, including the following IP addresses:
  - 62.113.255[.]70 (New September 27, 2022: used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042)
  - 185.112.83[.]77 (New September 27, 2022: used by cyber actors during August 15-26, 2022 while attempting to exploit CVE-2022-27925 and CVE-2022-37042)
  - 207.148.76[.]235 (a Cobalt Strike command and control (C2) domain)
  - 209.141.56[.]190 (New September 27, 2022)

* Updated August 23, 2022: Deploy Snort signatures to detect malicious activity:

  alert tcp any any -> any any (msg:"ZIMBRA: HTTP POST content data '.jsp' file'"; sid:x; flow:established,to_server; content:"POST"; http_method; content:"|2f|service|2f|extension|2f|backup|2f|mboximport"; nocase; http_uri; content:"file|3a|"; nocase; http_client_body; content:"|2e|jsp"; http_client_body; fast_pattern; classtype:http-content; reference:cve,2022-30333;)

  alert tcp any any -> any any (msg:"ZIMBRA: Client HTTP Header 'QIHU 360SE'"; sid:x; flow:established,to_server; content:"POST"; http_method; content:"|2f|service|2f|extension|2f|backup|2f|mboximport"; nocase; http_uri; content:"QIHU|20|360SE"; nocase; http_header; fast_pattern; classtype:http-header; reference:cve,2022-30333;)

  alert tcp any any -> any any (msg:"ZIMBRA:HTTP GET URI for Zimbra Local Config"; sid:x; flow:established,to_server; content:"/public/jsp/runas.jsp?pwd=zim&i=/opt/zimbra/bin/zmlocalconfig|3a|-s"; http_uri; classtype:http-uri; reference:cve,2022-30333;)

* Deploy third-party YARA rules to detect malicious activity: see Volexity's Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925.

MITIGATIONS

CISA and the MS-ISAC recommend organizations upgrade to the latest ZCS releases as noted on Zimbra Security – News & Alerts and Zimbra Security Advisories. See Volexity's Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 for mitigation steps.

Additionally, CISA and the MS-ISAC recommend organizations apply the following best practices to reduce risk of compromise:
* Maintain and test an incident response plan.
* Ensure your organization has a vulnerability management program in place and that it prioritizes patch management and vulnerability scanning of known exploited vulnerabilities. Note: CISA's Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations: cisa.gov/cyber-hygiene-services.
* Properly configure and secure internet-facing network devices.
  - Do not expose management interfaces to the internet.
  - Disable unused or unnecessary network ports and protocols.
  - Disable/remove unused network services and devices.
* Adopt zero-trust principles and architecture, including:
  - Micro-segmenting networks and functions to limit or block lateral movement.
  - Enforcing phishing-resistant multifactor authentication (MFA) for all users and virtual private network (VPN) connections.
  - Restricting access to trusted devices and users on the networks.

INCIDENT RESPONSE

If an organization's system has been compromised by active or recently active threat actors in their environment, CISA and the MS-ISAC recommend the following initial steps:
1. Collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
2. Quarantine or take offline potentially affected hosts.
3. Reimage compromised hosts.
4. Provision new account credentials.
5. Report the compromise to CISA via CISA's 24/7 Operations Center (report@cisa.gov or 888-282-0870). SLTT government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and the MS-ISAC also encourage government network administrators to see CISA's Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide detailed operational procedures for planning and conducting cybersecurity incident and vulnerability response activities.

ACKNOWLEDGEMENTS

CISA and the MS-ISAC would like to thank Volexity and Secureworks for their contributions to this advisory.

DISCLAIMER

The information in this report is being provided "as is" for informational purposes only. CISA and the MS-ISAC do not provide any warranties of any kind regarding this information. CISA and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.

REFERENCES

[1] CVE-2022-27925 detail
[2] Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925
[3] CVE-2022-37042 detail
[4] Authentication bypass in MailboxImportServlet vulnerability
[5] CVE-2022-30333 detail
[6] UnRAR vulnerability exploited in the wild, likely against Zimbra servers
[7] Zimbra Collaboration Kepler 9.0.0 patch 25 GA release
[8] Zimbra UnRAR path traversal
[9] Operation EmailThief: Active exploitation of zero-day XSS vulnerability in Zimbra
[10] Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15

REVISIONS

* August 16, 2022: Initial version
* August 22, 2022: Added Snort signatures
* August 23, 2022: Updated Detection Methods Snort signatures
* October 19, 2022: Added new Malware Analysis Report
* November 10, 2022: Added new Malware Analysis Report
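As an added illustration of the Detection Methods section (this script is not part of the advisory), the following Python checks web server access-log lines for the published indicators: the mboximport POST and the 'QIHU 360SE' header from the Snort rules, the runas.jsp local-config request, and the four listed IP addresses. The combined log format, the function names and the sample log lines are assumptions constructed for the example; because access logs do not record request bodies, the Snort body checks (file:, .jsp) cannot be reproduced, so every mboximport POST is flagged for body review.

```python
import re
from collections import namedtuple

# Indicators from the advisory's Detection Methods section. The IP addresses are
# kept defanged exactly as published and refanged when the module loads.
IOC_IPS_DEFANGED = ["62.113.255[.]70", "185.112.83[.]77",
                    "207.148.76[.]235", "209.141.56[.]190"]
IOC_IPS = {ip.replace("[.]", ".") for ip in IOC_IPS_DEFANGED}
MBOXIMPORT_URI = "/service/extension/backup/mboximport"   # CVE-2022-27925 / CVE-2022-37042
RUNAS_URI = "/public/jsp/runas.jsp?pwd=zim&i=/opt/zimbra/bin/zmlocalconfig:-s"
SUSPECT_UA = "qihu 360se"                                 # compared case-insensitively

# Assumed Apache/nginx "combined" log format; adapt the regex for other formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
Hit = namedtuple("Hit", "line_no ip reasons")


def check_request(ip, method, uri, ua):
    """Return the advisory indicators matched by one request ([] if none)."""
    reasons = []
    if ip in IOC_IPS:
        reasons.append("source IP listed in advisory IOCs")
    if method == "POST" and MBOXIMPORT_URI in uri.lower():
        # The Snort rule also needs 'file:' and '.jsp' in the body, which access
        # logs do not record, so every such POST is flagged for body review.
        reasons.append("POST to mboximport; inspect request body for a .jsp upload")
    if SUSPECT_UA in ua.lower():
        reasons.append("client User-Agent 'QIHU 360SE'")
    if method == "GET" and RUNAS_URI in uri:
        reasons.append("GET of runas.jsp reading Zimbra local config")
    return reasons


def scan(lines):
    """Parse each log line and collect Hits; lines that do not parse are skipped."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            reasons = check_request(m["ip"], m["method"], m["uri"], m["ua"])
            if reasons:
                hits.append(Hit(n, m["ip"], reasons))
    return hits


# Constructed sample lines (not from the advisory): benign traffic, one request
# matching three indicators at once, and one matching the runas.jsp rule.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Aug/2022:10:01:02 +0000] "GET /mail HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '185.112.83.77 - - [15/Aug/2022:10:02:11 +0000] "POST /service/extension/backup/mboximport '
    'HTTP/1.1" 401 0 "-" "QIHU 360SE"',
    '198.51.100.7 - - [15/Aug/2022:10:03:30 +0000] "GET /public/jsp/runas.jsp?pwd=zim'
    '&i=/opt/zimbra/bin/zmlocalconfig:-s HTTP/1.1" 200 2048 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no} from {hit.ip}: {'; '.join(hit.reasons)}")
```

A hit on the mboximport or runas.jsp patterns is a trigger for the Incident Response steps above, not proof of compromise on its own; a 401 on the upload path still shows the host was being probed.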