CYBLE
Nearly 2,700 Compromised Email Servers Auctioned in Cybercrime Forum
Introduction
In August 2022, Cyble Research & Intelligence Labs (CRIL) discovered and reported an alarming trend of exploitation of the Zimbra Collaborative Suite (ZCS) by cybercriminals.
During our routine monitoring of threat activities in various cybercrime forums to gauge the impact of cyberattacks, we discovered an instance wherein the web shell accesses to multiple email servers operating on Zimbra Collaboration Suite (ZCS) were auctioned in a Russian cybercrime forum. The impacted email servers were allegedly vulnerable to the authentication bypass remote code execution (RCE) vulnerability (CVE-2022-37042) which targets ZCS versions 8.8.15 and 9.0.
Figure 1: Auction thread on the Russian cybercrime forum
How was CVE-2022-37042 exploited for Persistent Access?
As per the TAβs claims in the auction, the 758 compromised Zimbra email servers were vulnerable to CVE-2022-37042, which subsequently allowed unauthorized access to over 100,000 compromised mailboxes from over 2,700 email domains.
CVE-2022-37042 allows TAs to obtain unauthorized access to any vulnerable ZCS instance. According to a notification released by Zimbra, the vulnerability was discovered in the MailboxImportServlet function, which when weaponized with the CVE-2022-27925, allows unauthenticated RCE. The CVE-2022-37042 and CVE-2022-27925 have also been added to the weaponized vulnerability catalog by the United States Cyber Information Security Agency (CISA).
CRIL has published a research blog detailing multiple ZCS vulnerabilities exploited by the TAs.
The TA that initiated the auction also released a weaponized Nuclei template where the titular screenshot of the template manual demonstrated the active exploitation of unidentified email serversβ IP addresses. The alleged web shells were uploaded in the path /public/formatter.jsp.
Figure 2: Titular Screenshot in Exploit Manual of Repository
The analysis of the YAML-based template for Nuclei suggested that it utilizes a Shodan query βhttp.favicon.hash:β1624375939β³β for identifying the exposed assets operating on the vulnerable versions of ZCS. Subsequently, it sends an HTTP POST request to the MailboxImportServlet of the targeted ZCS instance with a specially crafted and encoded .zip file. Next, it drops a payload (shellcode) that allows TAs to gain a shell over the vulnerable asset.
Figure 3: Screenshot of the YAML-based Nuclei Template
As claimed by the TA, the manual provided in the repository includes commands for issuing a hotfix or patch for the CVE-2022-37042 in the compromised servers to maintain exclusive persistence via the shell access. It also specifies instructions to input a command-line script leveraging the Zimbra Slapper to escalate local privileges from the system user to the root.
Figure 4: Tactics from the Exploit Manual Provided on GitHub
Impact Assessment
Based on our research on the auction list, we identified over 2,700 email domains from government and private organizations around the world. The highly impacted regions include Asia, Europe, the Americas, and Australia, along with a few parts of Africa. The list also included over 1,100 .com, .net, and .org email domains.
Figure 5: Geographical map β Impacted Organizations
The GitHub repository shared by TA in his post is publicly accessible and can be leveraged by other TAs to perform similar attacks on vulnerable ZCS that are publicly accessible. Our research indicated that the aforementioned Shodan query βhttp.favicon.hash:β1624375939β revealed over 70,000 exposed ZCS assets.
Figure 6: Map showcasing the Exposed ZCS Instances
A Similar Trend in the Underground from the Recent Past
In a similar case, a dispute among TAs in another cybercrime forum in July 2022 led to the release of web shell access to various remote access points for the domains hosting Software-as-a-Service (SaaS) applications, impacting nearly 40 organizations in various countries around the globe.
It was found that all of the compromised access points hosted virtual applications via the enterprise application management platform β VMware Workspace ONE. A few of the hosts were operating the components of VMware Workspace ONE β VMware Identity Manager version 0.0.1 and VMware Horizon 21.08.0.1. A screenshot from one of the compromised accesses demonstrated that the JSP-based web shell was downloaded by the TAs in the directory, as shown in Figure 7.
Figure 7: A Web Shell Access uploaded in the Vmware directory
An advisory released by CISA on May 18, 2022, shed light on TAs exploiting a series of unpatched vulnerabilities in various VMware-based applications for gaining unauthorized access. According to the advisory, the CVE-2022-22954 enabled TAs with network access to exploit a server-side template injection resulting in RCE, while CVE-2022-22960 enabled TAs with local access to escalate privileges due to improper permissions in the support scripts. Both vulnerabilities impacted several VMware products including Workspace ONE Access β versions 21.08.0.1, 21.08.0.0, 20.10.0.1, and 20.10.0.0.
A report by Palo Alto also unveiled TTPs opted by attackers to compromise infrastructure using VMware products prone to CVE-2022-22954 and CVE-2022-22960.
A close inspection of the timeline of the attacks and similarity in indicators of compromises (IoCs) mentioned in the aforementioned advisory by CISA when combined with our analysis indicated that the compromised application infrastructures were also using outdated versions of VMware products vulnerable to CVE-2022-22954 and CVE-2022-22960.