Zimbra exploited: advice from CISA.
N2K, Oct 20, 2022

CISA updates its guidance on mitigating Zimbra vulnerabilities.


The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its advisory concerning the exploitation of several vulnerabilities in Zimbra:

“CISA received a benign 32-bit Windows executable file, a malicious dynamic-link library (DLL) and an encrypted file for analysis from an organization where cyber actors exploited vulnerabilities against Zimbra Collaboration Suite (ZCS). Four CVEs are currently being leveraged against ZCS: CVE-2022-24682, CVE-2022-27924, CVE-2022-27925 chained with CVE-2022-37042, and CVE-2022-30333. The executable file is designed to side-load the malicious DLL file. The DLL is designed to load and Exclusive OR (XOR) decrypt the encrypted file. The decrypted file contains a Cobalt Strike Beacon binary. The Cobalt Strike Beacon is a malicious implant on a compromised system that calls back to the command and control (C2) server and checks for additional commands to execute on the compromised system.”
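The chain CISA describes ends with a DLL that XOR-decrypts a file on disk to recover a Beacon binary. An analyst who recovers only the encrypted file from a host can often get the payload back without the DLL, because a Windows executable has a known structure (the `MZ` DOS header and an `e_lfanew` pointer to the `PE\0\0` signature) that can be used to validate each key guess. The script below is an added illustration of that triage step, written for this article; it is not CISA's tooling and not the sample it analyzed. It assumes a single-byte XOR key, and the PE-shaped byte string, the key `0x5A` and the helper names are all constructed for the demonstration (the key used in the real sample is not given on this page).

```python
"""
Triage helper for an XOR-encrypted payload of the kind described in the
advisory: brute-force a single-byte XOR key and accept a candidate only if
the result is structurally a PE file. Every input below is constructed for
this example; it is not the file CISA analyzed.
"""
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one single-byte key (0..255)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    # e_lfanew is the little-endian 32-bit offset stored at 0x3C of the DOS header
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def recover_single_byte_xor(blob: bytes):
    """
    Try all 256 single-byte keys. Return (key, decrypted) for the first key that
    yields a valid PE layout, or None when no key does (e.g. a multi-byte key).
    """
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def build_fake_pe() -> bytes:
    """Construct a minimal PE-shaped byte string (not a runnable executable) for testing."""
    header = bytearray(0x40)
    header[:2] = DOS_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew -> PE signature at 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$"
    body = bytes(header) + stub
    body += b"\x00" * (0x80 - len(body))
    body += PE_SIGNATURE + b"\x4c\x01"  # constructed Machine field value (i386)
    body += b"\x00" * 16
    return body


if __name__ == "__main__":
    plaintext = build_fake_pe()
    encrypted = xor_bytes(plaintext, 0x5A)  # constructed key for the demonstration
    result = recover_single_byte_xor(encrypted)
    if result is None:
        print("no single-byte XOR key produced a valid PE")
    else:
        key, decrypted = result
        offset = struct.unpack_from("<I", decrypted, 0x3C)[0]
        print(f"recovered key 0x{key:02x}; PE signature at offset 0x{offset:x}")
```

Checking both the `MZ` magic and the `PE\0\0` signature, rather than `MZ` alone, keeps the brute force from accepting a key that happens to produce two bytes of plausible header. If the loader used a longer repeating key, the same idea still works as known-plaintext recovery: the first bytes of a DOS header are predictable enough to derive each key byte by XORing the ciphertext with the expected header.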

CISA provides a list of best practices to help defend against this threat:

  • “Maintain up-to-date antivirus signatures and engines.
  • “Keep operating system patches up-to-date.
  • “Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • “Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • “Enforce a strong password policy and implement regular password changes.
  • “Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • “Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • “Disable unnecessary services on agency workstations and servers.
  • “Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • “Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • “Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • “Scan all software downloaded from the Internet prior to executing.
  • “Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).”
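The "true file type" item above is the one practice on the list that reduces to a concrete check: read the first bytes of the attachment and compare them with what the declared extension should look like. The script below is an added example written for this article, not code from CISA; the signature table, the three-way classification and the sample attachments (including a PE header carried by a file named `report.pdf`) are all constructed for the demonstration and the table is deliberately small.

```python
"""
Attachment "true file type" check: compare the declared extension with the
file's leading magic bytes. Signature table and sample attachments are
constructed for this example and are not exhaustive.
"""
from pathlib import PurePosixPath

# Leading bytes for a few common attachment types (constructed, not exhaustive).
# ZIP-based Office formats share the ZIP signature, so several extensions map to it.
MAGIC_BY_EXTENSION = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".exe": [b"MZ"],
    ".dll": [b"MZ"],
}


def detect_types(header: bytes) -> set:
    """Return every extension whose magic bytes match the start of header."""
    return {ext for ext, magics in MAGIC_BY_EXTENSION.items()
            if any(header.startswith(m) for m in magics)}


def check_attachment(filename: str, header: bytes) -> str:
    """
    Classify one attachment:
      'match'    - the extension's expected magic bytes are present
      'mismatch' - the header belongs to a different known type, or the
                   extension is not in the table but the header is (e.g. a
                   PE header under a harmless-looking name)
      'unknown'  - neither the extension nor the header is in the table
    """
    ext = PurePosixPath(filename).suffix.lower()
    detected = detect_types(header)
    if ext in MAGIC_BY_EXTENSION:
        return "match" if ext in detected else "mismatch"
    if detected:
        return "mismatch"
    return "unknown"


def flag_suspicious(attachments) -> list:
    """Return the filenames whose declared type disagrees with their header."""
    return [name for name, header in attachments
            if check_attachment(name, header) == "mismatch"]


# Constructed sample attachments: (filename, first bytes of the file).
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("report.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),   # PE header under a .pdf name
    ("notes.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("readme.txt", b"plain text, no signature"),
]

if __name__ == "__main__":
    for name, header in SAMPLE_ATTACHMENTS:
        print(f"{name:12s} {check_attachment(name, header)}")
    print("flagged:", flag_suspicious(SAMPLE_ATTACHMENTS))
```

A header check of this kind is a floor, not a full parser: it will not tell a `.docx` from a `.zip`, and content inside a container (macros in an Office file, an executable inside an archive) still needs its own inspection. Its value is in catching the simple case the practice targets, a file whose extension was chosen to look harmless while its bytes say something else.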