| Category:
Vulnerability Intelligence |
Vulnerability Class:
Remote Code Execution |
CVE ID:
CVE-2022-30333 |
CVSS:3.0 Score:
7.5 |
Executive Summary
| THREAT |
IMPACT |
MITIGATION |
- An RCE vulnerability in Zimbra webmail servers being actively exploited to target multiple organizations worldwide.
- The exploit was used to launch a spear phishing campaign against Europe.
|
- Successful exploitation will enable access to every single email sent and received on the compromised server.
- Stolen credentials of an organization's users can be used to escalate access and install backdoors.
|
- Update Zimbra webmail servers to binary version 6.12.
- Conduct user-awareness training against phishing campaigns.
|
Analysis
- CloudSEK’s contextual AI digital risk platform XVigil has identified multiple threat actors exploiting CVE-2022-30333, to target vulnerable Zimbra webmail servers.
- CVE-2022-30333 is a path traversal vulnerability in RarLab’s UnRAR binary that can lead to remote code execution (RCE) on Zimbra webmail and potentially affect others.
- Zimbra is a well-known webmail service used by several businesses and government organizations, hence the vulnerability poses a high risk of exploitation.
- The UnRAR 6.17 and earlier versions of the following software are affected by this vulnerability:
- Zimbra 9.0.0 patch 24 and earlier
- Zimbra 8.8.15 patch 31 and earlier
Information from Cybercrime Forums
- A significant amount of chatter was observed on cybercrime forums and channels regarding CVE-2022-30333.
- Threat actors were seen selling the exploits for this vulnerability at USD 4,000.
- Multiple threat actors were seen posting about exploiting the Zimbra vulnerability to gain access to Government mail servers.
[caption id="attachment_20314" align="aligncenter" width="1027"]
Sale of exploit for the Zimbra vulnerability on cybercrime forum[/caption]
Information from OSINT
- Multiple threat actors are actively exploiting and sharing the PoCs of this vulnerability.
- CVE-2022-30333 has been exploited to successfully launch a spear phishing campaign against the European government and agencies.
- Attackers are using this vulnerability to send out email messages and lure victims to click on specially crafted malicious links.
- The emails sent out in the spear-phishing campaign were frequently formatted as follows:
- <firstname>_<lastname><numbers>@outlook.com
- <firstname><lastname><numbers>@outlook.com
- A significant surge has been observed in the number of tweets mentioning CVE-2022-30333 over the past month.
[caption id="attachment_20315" align="aligncenter" width="788"]
Rise in exploits using Zimbra vulnerability (Source: CVE STALKER)[/caption]
Technical Details
- An attacker uses maliciously crafted RAR archives, that can contain symbolic links pointing outside of the extraction directory, for de-referencing with a second file.
- Threat actors are using DosSlashToUnix() function to convert backslashes (\) to forward slashes (/) in order to ensure that a RAR archive created on Windows can be extracted on a Unix system.
- The exploit gives threat actors freedom to write and read a file anywhere on the victim’s system.
Proof of Concept (PoC)
- The following code snippet is publicly available PoC (on GitHub) for CVE-2022-30333.
- The attacker provides a target along with some file data as input.
- The code generates a .rar that will exploit the vulnerability and extract the file to that location.
[caption id="attachment_20316" align="aligncenter" width="1504"]
PoC for the Zimbra vulnerability[/caption]
Impact & Mitigation
| Impact |
Mitigation |
- Successful exploit gives an attacker access to every single email sent and received on a compromised email server.
- The above access can be exploited for
- Stealing user credentials
- Privilege escalation
- Installing backdoors
|
- Update Zimbra webmail servers to binary version 6.12.
- User-awareness training must be conducted to allow individuals to distinguish between an authentic domain and its phishing counterpart.
|
Indicators of Compromise (IoCs)
Based on the phishing campaign exploiting the Zimbra Vulnerability, the following are the IOCs.
| Email |
| <firstname>_<lastname><numbers>@outlook.com
<firstname><lastname><numbers>@outlook.com |
| URLs |
| hxxp://fireclaws.spiritfield[.]ga/[filename].jpeg?[integer]
hxxp://feralrage.spiritfield[.]ga/[filename].jpeg?[integer] |
hxxp://oaksage.spiritfield[.]ga/[filename].jpeg?[integer]
hxxp://claygolem.spiritfield[.]ga/[filename].jpeg?[integer] |
| IP Address |
| 108.160.133.32
172.86.75.158 |
206.166.251.141
206.166.251.166 |
| Infrastructure |
| Amazon-check[.]cf
Bruising-intellect[.]ml
Chargedboltsentry.spiritfield[.]tk |
Mail.bruising-intellect[.]ml
Tigerstrike.iceywindflow[.]ml |
| SubDomain |
| hxxps://update.secretstep[.]tk/[filename].jpeg?u=[integer]&t=[second_integer] |
References
Appendix
[caption id="attachment_20317" align="alignnone" width="1181"]
Zimbra Vulnerability exploited in order to get access to email accounts of government agencies[/caption]
[caption id="attachment_20318" align="aligncenter" width="669"]
A sample email used in the spear phishing campaign[/caption]
[caption id="attachment_20319" align="aligncenter" width="933"]
DosSlashToUnix() function is used to exploit the vulnerability and bypass validation steps[/caption]
