A Comprehensive Analysis of the Zimbra Vulnerability CVE-2022-30333

Summary

An RCE vulnerability in Zimbra webmail servers is being actively exploited to target multiple organizations worldwide. The exploit was used to launch a spear phishing campaign against Europe.

Category: Vulnerability Intelligence
Vulnerability Class: Remote Code Execution
CVE ID: CVE-2022-30333
CVSS 3.0 Score: 7.5

Executive Summary

Threat
  • An RCE vulnerability in Zimbra webmail servers is being actively exploited to target multiple organizations worldwide.
  • The exploit was used to launch a spear phishing campaign against Europe.

Impact
  • Successful exploitation gives access to every single email sent and received on the compromised server.
  • Stolen credentials of an organization's users can be used to escalate access and install backdoors.

Mitigation
  • Update the UnRAR binary on Zimbra webmail servers to version 6.12.
  • Conduct user-awareness training against phishing campaigns.

Analysis

  • CloudSEK’s contextual AI digital risk platform XVigil has identified multiple threat actors exploiting CVE-2022-30333 to target vulnerable Zimbra webmail servers.
  • CVE-2022-30333 is a path traversal vulnerability in RarLab’s UnRAR binary that can lead to remote code execution (RCE) on Zimbra webmail and potentially affects other software that extracts untrusted RAR archives with UnRAR.
  • Zimbra is a well-known webmail service used by several businesses and government organizations, hence the vulnerability poses a high risk of exploitation.
  • UnRAR 6.17 and earlier, and the following Zimbra versions, are affected by this vulnerability:
    • Zimbra 9.0.0 patch 24 and earlier
    • Zimbra 8.8.15 patch 31 and earlier

Information from Cybercrime Forums

  • A significant amount of chatter was observed on cybercrime forums and channels regarding CVE-2022-30333.
  • Threat actors were seen selling the exploits for this vulnerability at USD 4,000.
  • Multiple threat actors were seen posting about exploiting the Zimbra vulnerability to gain access to Government mail servers.
Figure: Sale of exploit for the Zimbra vulnerability on cybercrime forum

Information from OSINT

  • Multiple threat actors are actively exploiting this vulnerability and sharing PoCs for it.
  • CVE-2022-30333 has been exploited to successfully launch a spear phishing campaign against European governments and agencies.
  • Attackers are using this vulnerability to send out email messages and lure victims into clicking specially crafted malicious links.
  • The sender addresses used in the spear-phishing campaign frequently followed these patterns:
    • <firstname>_<lastname><numbers>@outlook.com
    • <firstname><lastname><numbers>@outlook.com
  • A significant surge has been observed in the number of tweets mentioning CVE-2022-30333 over the past month.
Figure: Rise in exploits using Zimbra vulnerability (Source: CVE STALKER)

Technical Details

  • An attacker uses a maliciously crafted RAR archive that contains a symbolic link pointing outside of the extraction directory; a second file in the archive is then written through that link, so its contents land at the link's target.
  • The exploit abuses UnRAR's DosSlashToUnix() function, which converts backslashes (\) to forward slashes (/) so that a RAR archive created on Windows can be extracted on a Unix system. Because this conversion runs after the symbolic-link target has been validated, a traversal sequence written with backslashes is not recognised by the check and becomes a valid ../ sequence only afterwards.
  • The exploit gives threat actors the freedom to write and read a file anywhere on the victim’s system that the extracting process can reach.
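The following Python model is an added illustration, not UnRAR's code and not the page's PoC: it shows why the order of the link-target check and the slash conversion matters, places the hardened ordering beside the vulnerable one, and adds a containment check an extractor can apply as defence in depth. Function names and the sample paths are constructed for this example.

```python
from typing import Optional
import os

# Added example: a simplified model of the link-target handling described
# above. Not UnRAR's code; names and sample paths are constructed.


def dos_slash_to_unix(path: str) -> str:
    """Convert Windows backslashes to forward slashes, as the page describes."""
    return path.replace("\\", "/")


def is_relative_link_safe(target: str) -> bool:
    """Reject absolute targets and any '..' component, splitting on '/' only."""
    if target.startswith("/"):
        return False
    return all(part != ".." for part in target.split("/"))


def vulnerable_link_target(target: str) -> Optional[str]:
    """Pre-fix ordering: validate the raw target, then convert slashes.
    A backslash-separated '..' sequence is invisible to the check."""
    if not is_relative_link_safe(target):
        return None
    return dos_slash_to_unix(target)


def hardened_link_target(target: str) -> Optional[str]:
    """Fixed ordering: convert first, then validate what will really be used."""
    converted = dos_slash_to_unix(target)
    if not is_relative_link_safe(converted):
        return None
    return converted


def resolves_inside(extract_dir: str, link_name: str, target: str) -> bool:
    """Defence in depth: confirm the link target, resolved relative to the
    link's own directory, stays under extract_dir."""
    base = os.path.realpath(extract_dir)
    link_dir = os.path.dirname(os.path.join(base, link_name))
    resolved = os.path.normpath(os.path.join(link_dir, target))
    return os.path.commonpath([base, resolved]) == base


if __name__ == "__main__":
    crafted = "..\\..\\..\\tmp\\payload"      # constructed Windows-style target
    print(vulnerable_link_target(crafted))   # ../../../tmp/payload (slips through)
    print(hardened_link_target(crafted))     # None (rejected)
    print(resolves_inside("/srv/extract", "docs/link", "../shared"))  # True
```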

Proof of Concept (PoC)

  • The following is a publicly available PoC (on GitHub) for CVE-2022-30333.
  • The attacker provides a target path along with some file data as input.
  • The code generates a .rar archive that exploits the vulnerability and writes the file to that location on extraction.
Figure: PoC for the Zimbra vulnerability

Impact & Mitigation

Impact
  • A successful exploit gives an attacker access to every single email sent and received on a compromised email server.
  • The above access can be exploited for:
    • Stealing user credentials
    • Privilege escalation
    • Installing backdoors

Mitigation
  • Update the UnRAR binary on Zimbra webmail servers to version 6.12.
  • User-awareness training must be conducted so that individuals can distinguish between an authentic domain and its phishing counterpart.

Indicators of Compromise (IoCs)

Based on the phishing campaign exploiting the Zimbra vulnerability, the following are the IoCs.

Email
  • <firstname>_<lastname><numbers>@outlook.com
  • <firstname><lastname><numbers>@outlook.com

URLs
  • hxxp://fireclaws.spiritfield[.]ga/.jpeg?[integer]
  • hxxp://feralrage.spiritfield[.]ga/.jpeg?[integer]
  • hxxp://oaksage.spiritfield[.]ga/.jpeg?[integer]
  • hxxp://claygolem.spiritfield[.]ga/.jpeg?[integer]

IP Address
  • 108.160.133.32
  • 172.86.75.158
  • 206.166.251.141
  • 206.166.251.166

Infrastructure
  • Amazon-check[.]cf
  • Bruising-intellect[.]ml
  • Chargedboltsentry.spiritfield[.]tk
  • Mail.bruising-intellect[.]ml
  • Tigerstrike.iceywindflow[.]ml

SubDomain
  • hxxps://update.secretstep[.]tk/.jpeg?u=[integer]&t=[second_integer]

Appendix

Figure: Zimbra vulnerability exploited in order to get access to email accounts of government agencies

Figure: A sample email used in the spear phishing campaign

Figure: DosSlashToUnix() function is used to exploit the vulnerability and bypass validation steps
