Sources

https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/

Risks

Threat actors are actively exploiting CVE-2022-27925 in the wild. The vulnerability affects the Zimbra Collaboration Suite (aka ZCS) versions 8.8.15 and 9.0.
 
Originally an attacker needed access to valid administrative credentials to exploit CVE-2022-27925. Volexity found a new vulnerability, to exploit CVE-2022-27925 without valid administrative credentials. The authentication bypass vulnerability is referenced as CVE-2022-37042.
 
Zimbra patched both issues in its 9.0.0P26 and 8.8.15P33 releases at the end of July.
 
If your organization runs Zimbra Collaboration Suite and did not apply patches 8.8.15P31 or 9.0.0P24 before the end of May 2022, you should consider your ZCS instance may be compromised.
 
The Centre for Cyber security Belgium recommends system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.
This report has instructions to help your organisation.
 
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Recommended Actions

Scope
 
Create an inventory that includes all the software from your organisation and check per entry if it is vulnerable.
 
Vulnerable software:  CVE-2022-27925 (CVSS score: 7.2), impacts the following versions of the Zimbra Collaboration Suite:

• Zimbra Collaboration Suite < 9.0.0 Patch 26 < 8.8.15 Patch 33.

Patch
 
Zimbra patched both issues in its 9.0.0P26 and 8.8.15P33 releases at the end of July.
 
Monitor/Detect
 
The CCB recommends organisations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
 
When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred in the time between a patch becoming available and being applied.
 
Identify a potential Compromise & Webshells
 
Volexity observed a variety of webshells deployed by different attackers exploiting this vulnerability. None of these webshells deployed used particularly novel techniques, the majority of the webshells were available on GitHub.
 
Recommended Actions

• Perform a memory acquisition to preserve any memory-resident traces of attacker activity.
• Investigate logs for any requests with 40x-based status codes related to the vulnerable servlet /service/extension/backup/mboximport.
• Inspect the Zimbra “users” directory (usually /opt/Zimbra/) to find possible webshells and any other evidence of exploitation.
• Run the Yara rules from Volexity to find suspicious behaviour: https://github.com/volexity/threat-intel/tree/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925
• Investigate inbound requests to your ZCS server to JSP files matching paths not listed in the corresponding 8.8.15 and 9.0.0 valid JSP files: https://github.com/volexity/threat-intel/tree/main/2022/2022-08-10%20Mass%20exploitation%20of%20(Un)authenticated%20Zimbra%20RCE%20CVE-2022-27925

Remark: Patching Zimbra Collaboration Suite instances to the newest version may remove webshells placed in some directories. However, if an attacker installed any second-stage or persistent malware (run via cron), then patching your Zimbra Collaboration Suit instance is insufficient to remediate the compromise.
 
Rebuild Server (Optional)
 
If your organization is not able to perform incident response, or if you are not able to engage a third party for incident response, then Volexity recommends the following:

• Rebuild your ZCS instance using the latest patch
• Import Mail from the old server to the new server.

Reference Zimbra guide: https://wiki.zimbra.com/wiki/Steps_To_Rebuild_ZCS_Server