CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration Suite.
This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Two Two Eight Alpha.
Original release date: August Sixteenth, twenty twenty two.
CISA and the Multi-State Information Sharing & Analysis Center, or MS-ISAC, are publishing this joint Cybersecurity Advisory in response to active exploitation of multiple Common Vulnerabilities and Exposures against Zimbra Collaboration Suite, an enterprise cloud-hosted collaboration software and email platform. Five CVEs are currently being exploited against Zimbra Collaboration Suite. These five vulnerabilities are listed in the alert documentation and include high-severity vulnerabilities that allow for arbitrary code execution, malicious code injection, directory traversal, cross-site scripting, and data exfiltration.
Cyber threat actors may be targeting unpatched Zimbra Collaboration Suite instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section of the alert documentation to help secure their organization’s systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations who did not immediately update their Zimbra instances upon patch release, or whose Zimbra instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of the alert documentation. Organizations that detect potential compromise should apply the steps in the Incident Response section of this alert.
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at firstname.lastname@example.org or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.