Mass Exploitation of Internet Facing Services - This Time Zimbra
Zimbra is a widely used email and collaboration platform that requires organizations to expose incoming ports on the public internet. This includes both email (SMTP) services to accept incoming messages and web (HTTPS) services to allow employees to access a web application for collaboration.
In mid-September, Zimbra published a patch for a vulnerability identified as CVE-2024-45519, specifically affecting its SMTP service. CVE-2024-45519 makes it easy to gain control of the server without any authentication, just by interacting with the vulnerable SMTP service: attackers can scan the public internet for Zimbra servers and launch the attack remotely (no user interaction required!), typically installing a reverse shell during exploitation.
A proof-of-concept quickly emerged and the vulnerability began to be exploited en masse. Starting on September 28, email security vendor Proofpoint began observing exploitation attempts using emails spoofing Gmail, sent with bogus addresses in the CC field, in an attempt to get Zimbra servers to parse and execute those addresses as commands. The vulnerability is now listed in CISA's Known Exploited Vulnerabilities Catalog.
It's now clear that CVE-2024-45519 enables attackers to easily gain full access to a vulnerable Zimbra server (a Linux machine), allowing internal network reconnaissance, discovery and lateral movement. Ultimately this may lead to the deployment of ransomware or other malicious software.
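The exploitation attempts described above rely on recipient addresses that are not mailboxes at all but carry shell syntax. As an added example (not code from the original article or from Zimbra), the following defender-side triage helper parses the To/Cc/Bcc headers of a raw message and reports address values containing characters that never belong in a legitimate address. The two sample messages are constructed for illustration; the metacharacter set is an assumption chosen for triage, not a signature published by any vendor.

```python
"""Flag recipient headers whose addresses carry shell metacharacters.

Added example for mail-gateway or SIEM triage: legitimate mailbox
addresses do not contain command-substitution or pipe syntax, so any
such characters in the address part of To/Cc/Bcc are worth alerting on.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: characters typical of shell syntax smuggled through an
# address field. Display names are excluded from the check, so a name
# such as "Bob (Sales)" does not trigger a false positive.
SHELL_META = re.compile(r"[$`|;&<>(){}]")


def suspicious_recipients(raw_message: str) -> list[tuple[str, str]]:
    """Return (header, address) pairs whose address part looks like shell syntax.

    If the stdlib parser rejects a malformed header outright, the raw
    header value is inspected instead, so an unparsable address is never
    silently dropped.
    """
    msg = message_from_string(raw_message)
    flagged = []
    for hdr in ("To", "Cc", "Bcc"):
        for value in msg.get_all(hdr, []):
            parsed = [addr for _name, addr in getaddresses([value])]
            candidates = [a for a in parsed if a] or [value]
            for cand in candidates:
                if SHELL_META.search(cand):
                    flagged.append((hdr, cand))
    return flagged


# Constructed sample: an ordinary invoice mail with a parenthesised display name.
BENIGN = """From: alice@example.com
To: "Bob (Sales)" <bob@example.com>
Cc: carol@example.com
Subject: Invoice 4711

Please find the invoice attached.
"""

# Constructed sample: a spoofed-Gmail message whose CC local-part is not a
# mailbox name but command-substitution syntax.
SUSPECT = """From: "Gmail Team" <noreply@gmail.com>
To: postmaster@example.com
Cc: "aaa$(id)"@example.com, dave@example.com
Subject: test

hello
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, suspicious_recipients(sample))
```

The check is intentionally narrow: it inspects only the address part of recipient headers, so it can sit in front of a mail gateway or be run over quarantined messages without generating alerts for unusual display names. Hits should be correlated with the sending MTA and with unexpected child processes on the Zimbra host.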
Business Email Compromise Enabler
But perhaps the most realistic scenario is that attackers will use the exploited server to access user inboxes and send fully impersonated emails to other parties, such as the company's customers and partners.
This makes it easier to send malware or attempt phishing. More importantly, it enables many Business Email Compromise (BEC) scenarios, where the attackers monitor email correspondence and insert themselves into legitimate business transactions, typically directing customers to pay invoices to a different IBAN than the one intended by the sender. This type of BEC compromise, supplier invoicing fraud, is very popular in the Adriatic region, costing many businesses (SMBs especially) a substantial amount of money.
It is largely enabled by email solutions such as Roundcube, Horde or Zimbra, popular choices with low-cost shared hosting providers in the region, and used by many companies as a core tool for business correspondence and collaboration.
We've written earlier on how attackers use Roundcube specifically in the Adriatic region to subvert legitimate email communications and send phishing campaigns. This latest Zimbra vulnerability gives attackers another powerful tool to further amplify phishing and BEC attacks, as well as other malicious activity.
How prevalent is Zimbra in the Adriatics?
To give you an idea of the attack surface, it's enough to perform a quick Shodan search of the public internet in the wider region spanning Slovenia to Albania. Such a query reveals that Zimbra is a popular solution used by many organizations: at least 800 publicly exposed servers in the region can be targeted by attackers.
The hope is that all of them are now patched, as it's been a month since the fix was released. However, reality shows that many internet-facing assets do not get patched in time, as seen in this example from the region we've covered here. What's more, many internet-facing services such as VPN or other remote access devices reveal a worrying trend: many are exploited for weeks or months before the vendor is even aware of the vulnerability, let alone before a patch is released - see some examples from this year here.
Publicly exposed assets such as Zimbra will therefore remain an attractive target for attackers. That is especially true for self-hosted remote access (whether on-premises or in the cloud), where the organization is not fully aware of its attack surface and the current vulnerabilities and does not have multifactor authentication to protect identities.
That's why it's important to introduce a risk management approach to protect the attack surface of an organization.
Join us for the upcoming webinar "Attack Surface Risk Management Made Simple" on Oct 25th at 10 a.m. CEST and discover how modern attack surface risk management solutions can help you manage and reduce these types of risks.