A Comprehensive Analysis of the Zimbra Vulnerability CVE-2022-30333

An RCE vulnerability in Zimbra webmail servers is being actively exploited to target multiple organizations worldwide. The exploit was used to launch a spear phishing campaign against organizations in Europe.
Updated on
April 19, 2023
Published on
August 11, 2022
Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-30333
CVSS:3.0 Score: 7.5

Executive Summary

Threat
  • An RCE vulnerability in Zimbra webmail servers is being actively exploited to target multiple organizations worldwide.
  • The exploit was used to launch a spear phishing campaign against organizations in Europe.
Impact
  • Successful exploitation gives access to every email sent and received on the compromised server.
  • Stolen credentials of an organization's users can be used to escalate access and install backdoors.
Mitigation
  • Update the UnRAR binary on Zimbra webmail servers to version 6.12.
  • Conduct user-awareness training against phishing campaigns.

Analysis

  • CloudSEK’s contextual AI digital risk platform XVigil has identified multiple threat actors exploiting CVE-2022-30333 to target vulnerable Zimbra webmail servers.
  • CVE-2022-30333 is a path traversal vulnerability in RarLab’s UnRAR binary that can lead to remote code execution (RCE) on Zimbra webmail and potentially affects other software that extracts RAR archives with UnRAR.
  • Zimbra is a well-known webmail service used by several businesses and government organizations, so the vulnerability poses a high risk of exploitation.
  • UnRAR 6.17 and earlier, and the following Zimbra versions, are affected by this vulnerability:
    • Zimbra 9.0.0 patch 24 and earlier
    • Zimbra 8.8.15 patch 31 and earlier

Information from Cybercrime Forums

  • A significant amount of chatter was observed on cybercrime forums and channels regarding CVE-2022-30333.
  • Threat actors were seen selling an exploit for this vulnerability for USD 4,000.
  • Multiple threat actors were seen posting about exploiting the Zimbra vulnerability to gain access to government mail servers.
[Figure: Sale of an exploit for the Zimbra vulnerability on a cybercrime forum]

Information from OSINT

  • Multiple threat actors are actively exploiting this vulnerability and sharing PoCs for it.
  • CVE-2022-30333 has been exploited to launch a spear phishing campaign against European governments and agencies.
  • Attackers are using this vulnerability to send out email messages that lure victims into clicking specially crafted malicious links.
  • The email addresses used in the spear-phishing campaign frequently followed these formats:
    • <firstname>_<lastname><numbers>@outlook.com
    • <firstname><lastname><numbers>@outlook.com
  • A significant surge has been observed in the number of tweets mentioning CVE-2022-30333 over the past month.
[Figure: Rise in exploits using the Zimbra vulnerability (Source: CVE STALKER)]

Technical Details

  • The attacker uses a maliciously crafted RAR archive containing a symbolic link that points outside of the extraction directory, followed by a second file that is written through (dereferenced via) that link.
  • The exploit relies on UnRAR's DosSlashToUnix() function, which converts backslashes (\) to forward slashes (/) so that a RAR archive created on Windows can be extracted on a Unix system; because the conversion is applied after the link target has been validated, a target written with backslashes bypasses the validation steps.
  • The exploit gives threat actors the ability to read and write files anywhere on the victim’s system.
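The validation-ordering problem described above, as a simplified Python model added here (this is not UnRAR's code or the PoC the report refers to): a lexical traversal check that runs before the backslash conversion never sees ".." components separated by backslashes, while running the conversion first catches them. is_within_root() shows the containment check an extractor should apply regardless of how link targets are validated. All function names, the sample link target and the EXTRACT_ROOT path are constructed for this illustration.

```python
import os

# Constructed extraction root used by the examples below (assumption, not from the report).
EXTRACT_ROOT = "/srv/extract-root"


def dos_slash_to_unix(path: str) -> str:
    """Simplified model of the backslash-to-slash conversion that lets archives
    built on Windows extract on Unix. Not UnRAR's actual implementation."""
    return path.replace("\\", "/")


def looks_like_traversal(path: str) -> bool:
    """Lexical check: reject absolute paths and any '..' component.
    Note that it only splits on '/', which is exactly why ordering matters."""
    if path.startswith("/"):
        return True
    return ".." in path.split("/")


def check_link_target_vulnerable(link_target: str):
    """Check-then-convert ordering (the flawed pattern): the traversal check runs on
    the raw target, so '..\\..' is one opaque component and passes. Returns the path
    that would be used for extraction, or None when rejected."""
    if looks_like_traversal(link_target):
        return None
    return dos_slash_to_unix(link_target)


def check_link_target_fixed(link_target: str):
    """Convert-then-check ordering: normalise separators first, then validate,
    so backslash-separated '..' components are rejected like any other."""
    converted = dos_slash_to_unix(link_target)
    if looks_like_traversal(converted):
        return None
    return converted


def is_within_root(root: str, target: str) -> bool:
    """Defence in depth for any extractor: resolve the final destination (following
    any symlinks that already exist on disk) and require it to stay inside root."""
    root_real = os.path.realpath(root)
    dest_real = os.path.realpath(os.path.join(root_real, target))
    return dest_real == root_real or dest_real.startswith(root_real + os.sep)


if __name__ == "__main__":
    # Constructed sample: a link target written with Windows separators.
    sample = "..\\..\\..\\tmp\\dropped.txt"
    print("check-then-convert accepts:", check_link_target_vulnerable(sample))
    print("convert-then-check accepts:", check_link_target_fixed(sample))
    print("destination stays inside root:",
          is_within_root(EXTRACT_ROOT, dos_slash_to_unix(sample)))
```

The lexical check alone is not enough even with the correct ordering: a link created earlier in the same archive can redirect a later, innocent-looking relative path, which is why is_within_root() resolves the real destination of every entry rather than trusting the entry's own path string.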

Proof of Concept (PoC)

  • The following code snippet is a publicly available PoC (on GitHub) for CVE-2022-30333.
  • The attacker provides a target path along with some file data as input.
  • The code generates a .rar archive that exploits the vulnerability and writes the file to that location on extraction.
[Figure: PoC for the Zimbra vulnerability]

Impact & Mitigation

Impact
  • A successful exploit gives an attacker access to every email sent and received on a compromised email server.
  • This access can be exploited for:
    • Stealing user credentials
    • Privilege escalation
    • Installing backdoors
Mitigation
  • Update the UnRAR binary on Zimbra webmail servers to version 6.12.
  • User-awareness training must be conducted so that individuals can distinguish an authentic domain from its phishing counterpart.

Indicators of Compromise (IoCs)

The following IoCs were observed in the phishing campaign exploiting the Zimbra vulnerability.
Email
  • <firstname>_<lastname><numbers>@outlook.com
  • <firstname><lastname><numbers>@outlook.com
URLs
  • hxxp://fireclaws.spiritfield[.]ga/[filename].jpeg?[integer]
  • hxxp://feralrage.spiritfield[.]ga/[filename].jpeg?[integer]
  • hxxp://oaksage.spiritfield[.]ga/[filename].jpeg?[integer]
  • hxxp://claygolem.spiritfield[.]ga/[filename].jpeg?[integer]
IP Address
  • 108.160.133.32
  • 172.86.75.158
  • 206.166.251.141
  • 206.166.251.166
Infrastructure
  • Amazon-check[.]cf
  • Bruising-intellect[.]ml
  • Chargedboltsentry.spiritfield[.]tk
  • Mail.bruising-intellect[.]ml
  • Tigerstrike.iceywindflow[.]ml
SubDomain
  • hxxps://update.secretstep[.]tk/[filename].jpeg?u=[integer]&t=[second_integer]
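A way to put the IoCs above to work, as an added example that is not part of the original report: a small Python scanner that refangs the listed domains and IP addresses, matches the URL shape ([filename].jpeg?[integer], with the u=/t= variant) and the sender-address formats, and runs over a few constructed mail and proxy log lines. The log lines, the sender address john_doe2817@outlook.com and the hostnames in them are constructed for this illustration; only the domains, IPs and patterns come from the report.

```python
from __future__ import annotations

import re

# IoC values from the report, refanged (hxxp -> http, [.] -> .) for matching.
IOC_DOMAINS = {
    "spiritfield.ga",
    "secretstep.tk",
    "amazon-check.cf",
    "bruising-intellect.ml",
    "iceywindflow.ml",
}
IOC_IPS = {"108.160.133.32", "172.86.75.158", "206.166.251.141", "206.166.251.166"}

# <firstname>_<lastname><numbers>@outlook.com and <firstname><lastname><numbers>@outlook.com
SENDER_RE = re.compile(r"^[a-z]+_?[a-z]+[0-9]+@outlook\.com$", re.IGNORECASE)
# http(s)://host/[filename].jpeg?[integer]  or  .../[filename].jpeg?u=[integer]&t=[second_integer]
URL_RE = re.compile(
    r"https?://([A-Za-z0-9.-]+)/[^\s?]+\.jpeg\?(?:u=)?[0-9]+(?:&t=[0-9]+)?", re.IGNORECASE
)
IPV4_RE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")
# Postfix-style envelope sender field, e.g. from=<user@example.com>
SENDER_FIELD_RE = re.compile(r"from=<([^>]+)>")


def host_in_iocs(host: str) -> bool:
    """True when host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line: str) -> list[str]:
    """Return tagged hits for one log line: ioc_url, ioc_ip, suspicious_sender."""
    hits: list[str] = []
    for m in URL_RE.finditer(line):
        if host_in_iocs(m.group(1)):
            hits.append("ioc_url:" + m.group(0))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append("ioc_ip:" + ip)
    m = SENDER_FIELD_RE.search(line)
    if m and SENDER_RE.match(m.group(1)):
        hits.append("suspicious_sender:" + m.group(1))
    return hits


def scan_log(lines) -> dict[int, list[str]]:
    """Map line index -> hits, keeping only lines that matched something."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line))}


# Constructed sample log lines (not real telemetry): MTA and proxy entries.
SAMPLE_LOG = [
    "Aug 11 09:12:01 mx1 postfix/smtpd[2201]: connect from unknown[206.166.251.141]",
    "Aug 11 09:12:03 mx1 postfix/qmgr[2202]: 4A1B2C: from=<john_doe2817@outlook.com>, size=2048, nrcpt=1",
    "Aug 11 09:14:22 proxy1 squid[310]: 10.0.0.5 TCP_MISS/200 GET http://fireclaws.spiritfield.ga/banner.jpeg?17",
    "Aug 11 09:15:00 mx1 postfix/qmgr[2202]: 4A1B2D: from=<alerts@example.com>, size=512, nrcpt=1",
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

The sender pattern is deliberately reported as suspicious_sender rather than as an IoC: it also matches plenty of legitimate Outlook mailboxes, so on its own it is only a triage signal, and it is the combination with a listed domain or IP on the same host or in the same time window that should raise an alert.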

Appendix

[Figure: Zimbra vulnerability exploited in order to get access to email accounts of government agencies]
[Figure: A sample email used in the spear phishing campaign]
[Figure: DosSlashToUnix() function is used to exploit the vulnerability and bypass validation steps]
