Web Shell Access to UAE Based Cloud & IT Service Provider, Bamboozle

Web shell access to Zimbra powered Webmail service of Bamboozle shared over cybercrime forum. Possible ZCS vulnerability exploited to gain access.
Updated on
April 19, 2023
Published on
November 2, 2022
Subscribe to the latest industry news, threats and resources.
Category: Adversary Intelligence Industry: IT & Technology Region: Middle East Source*: C3

Executive Summary

  • Web shell access to Zimbra powered Webmail service of Bamboozle shared over cybercrime forum.
  • Possible ZCS vulnerability exploited to gain access.
  • All the internal emails and web services can be affected.
  • Access could leak credentials, databases, and other critical information.
  • Update ZCS to the following patches:
    • 9.0.0P26
    • 8.8.15P33

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor, sharing access to the internal web server of Bamboozle, a leading Cloud and IT Services provider in the UAE.
  • The following information was sharded:
    • Free access to a Middle east company for cloud and VM management.
    • Web shell access is provided, to control the whole mailbox server.
    • Web shell URL link : https[:]//mail[.]bamboozlewebservices[.]com/zimbraAdmin/cmd[.]jsp?cmd=echo+breached.co
[caption id="attachment_21510" align="aligncenter" width="1405"]Threat Actor’s post on a cybercrime forum Threat Actor’s post on a cybercrime forum[/caption]

Tactics, Techniques, and Procedures (TTPs)

  • The URL mail service, Bamboozle realMail, is powered by Zimbra Collaboration Suite (ZCS). Given that Bamboozle provides realMail service, it is reasonable to assume that use the service for internal communication as well.
  • The threat actor possibly exploited one of the following CVEs to gain the alleged access:
    • CVE-2022-27925 was disclosed by Zimbra on 10 May 2022, as an authenticated directory traversal vulnerability. This vulnerability allowed attackers to exploit the ZCS email servers of multiple organisations without having authenticated access to the ZCS instances.
    • The authentication bypass directory traversal and RCE vulnerability, was assigned CVE-2022-37042 with a CVSS V3 score of 9.8, as it was possible to bypass authentication, which led to several in turn ZCS servers to be compromised and backdoored. (For more information, read CloudSEK’s Advisory)

Threat Actor Activity and Rating

Threat Actor Profiling
Active since Aug 2022
Reputation Medium (Few complaints and concerns on the forum)
Current Status Active
History Unknown
Rating C3 (C: Fairly Reliable; 3: Possibly true)

Impact & Mitigation

Impact Mitigation
  • Successful exploit gives an attacker access to every single email sent and received on a compromised email server.
  • The above access can be exploited for
    • Stealing user credentials
    • Privilege escalation
    • Installing backdoors
  • Update Zimbra Collaboration Suite to the following patched versions:
    • 9.0.0P26
    • 8.8.15P33


[caption id="attachment_21511" align="alignnone" width="1312"]Bamboozle mail service being powered by Zimbra Enterprise Collaboration Bamboozle mail service being powered by Zimbra Enterprise Collaboration[/caption]

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations