Over 900 servers have been hacked thanks to a Zimbra zero-day
Zimbra took its time with the patch, and hackers took advantage
Zimbra Collaboration Suite carried a zero-day vulnerability for more than a month, presenting hackers with a real field day that resulted in almost 900 servers being hacked.
Researchers at Kaspersky noted the vulnerability being reported on the Zimbra forum, after which all kinds of advanced persistent threat (APT) groups leveraged it to compromise countless servers.
Kaspersky labeled the flaw as a remote code execution vulnerability that allows threat actors to send an email with a malicious file that deploys a webshell on the Zimbra server without triggering an antivirus alarm. It is now tracked as CVE-2022-41352. Some researchers claim that as many as 1,600 servers were actually compromised as a result.
Retiring cpio
The researchers later said at least 876 servers were compromised before a workaround was shared, and a patch was issued. However, almost two months after the initial report, and just as Zimbra was set to release a fix, Volexity said it counted some 1,600 compromised servers.
Zimbra then released the patch, bringing its collaboration suite up to version 9.0.0 P27. In it, the company replaced the flawed component (cpio) with Pax, and removed the exploitable code.
The first attacks started in September 2022, targeting servers in India and Turkey. The first raids were done against “low-interest” targets, prompting researchers to conclude that hackers were merely testing out the flaw’s capabilities before moving on to more lucrative targets. However, after the public disclosure of the vulnerability, threat actors picked up the pace in order to use it as much as possible before Zimbra issued a patch.
System admins who are unable to apply the patch immediately are urged to at least apply the workaround, as the number of threat actors actively exploiting the vulnerability in the wild is still high.
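As an added example (not from the article, and not Zimbra's own tooling), the following POSIX shell script gives an administrator a quick local check: is the host at or above the fixed patch level the article names (9.0.0 P27), and if not, is pax installed? The assumption that installing pax was the interim mitigation comes from Zimbra's own advisory for this issue rather than from this article; the patch-string format `MAJOR.MINOR.MICRO_Pnn` and the sample value are constructed for the example, and on a real host the value would be derived from the output of `zmcontrol -v` run as the zimbra user.

```shell
#!/bin/sh
# Added example, not from the article or from Zimbra: a defender-side check that a
# Zimbra host is at or above the fixed patch level (9.0.0 P27 per the article) and,
# failing that, whether pax is present so the mail pipeline no longer uses cpio.

# zimbra_patch_at_least <have> <need>
# Compares version strings of the constructed form MAJOR.MINOR.MICRO_Pnn.
# Returns 0 when <have> is at least <need>. A different base release (e.g. 8.8.15
# versus 9.0.0) is reported as "not confirmed patched" rather than guessed at.
zimbra_patch_at_least() {
    have_base=${1%%_P*}; have_p=${1##*_P}
    need_base=${2%%_P*}; need_p=${2##*_P}
    [ "$have_base" = "$need_base" ] || return 1
    # Refuse to compare anything that is not a plain patch number.
    case "$have_p$need_p" in *[!0-9]*) return 1 ;; esac
    [ "$have_p" -ge "$need_p" ]
}

# pax_available: 0 if a pax binary is on PATH. Zimbra's advisory (assumption stated
# in the lead-in) named installing pax as the interim mitigation, so its absence on an
# unpatched host means the cpio code path is still reachable.
pax_available() {
    command -v pax >/dev/null 2>&1
}

# check_host <current_patch_string>
# Prints a verdict; returns 0 if patched or mitigated, 2 if exposed.
check_host() {
    if zimbra_patch_at_least "$1" "9.0.0_P27"; then
        echo "patched: $1 is at or above 9.0.0_P27"
        return 0
    fi
    if pax_available; then
        echo "unpatched ($1) but pax is installed: interim mitigation in place, schedule the patch"
        return 0
    fi
    echo "unpatched ($1) and no pax on PATH: exposed, apply the workaround or patch now"
    return 2
}

# Constructed sample input for the example; replace with the real value from
# `zmcontrol -v` on the host being checked.
check_host "9.0.0_P26" && echo "host ok" || echo "action required"
```

The version comparison deliberately fails closed: anything it cannot parse, or a base release it was not asked about, is treated as unconfirmed so the script never reports a host as patched on the strength of a string it did not understand.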
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.