| Category | Industry | Region | Source* |
| --- | --- | --- | --- |
| Adversary Intelligence | IT & Technology | Middle East | C3 |
- CloudSEK's contextual AI digital risk platform XVigil discovered a threat actor sharing access to the internal web server of Bamboozle, a leading cloud and IT services provider in the UAE.
- The following information was shared:
  - Free access to a Middle East company for cloud and VM management.
  - Web shell access is provided to control the whole mailbox server.
  - Web shell URL: https//mail[.]bamboozlewebservices[.]com/zimbraAdmin/cmd[.]jsp?cmd=echo+breached.co
- The mail service behind the URL, Bamboozle realMail, is powered by Zimbra Collaboration Suite (ZCS). Given that Bamboozle offers realMail as a service, it is reasonable to assume that the company uses the service for its own internal communication as well.
- The threat actor possibly exploited one of the following CVEs to gain the alleged access:
  - CVE-2022-27925 was disclosed by Zimbra on 10 May 2022 as an authenticated directory traversal vulnerability. In practice, it allowed attackers to exploit the ZCS email servers of multiple organisations without holding authenticated access to the ZCS instances.
  - The authentication bypass, directory traversal and RCE vulnerability was assigned CVE-2022-37042 with a CVSS v3 score of 9.8: because authentication could be bypassed, several ZCS servers were in turn compromised and backdoored. (For more information, read CloudSEK's Advisory.)
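The shared URL points at a JSP reachable under the ZCS admin console that takes a `cmd` query parameter, which is the typical shape of a dropped web shell. The following detection script is an added example for this note and is not CloudSEK or Zimbra code: it scans web-server access-log lines for requests to `.jsp` resources that carry a command-style parameter, or that sit under `/zimbraAdmin/` without appearing in a baseline of expected admin JSPs. The log lines, the `ADMIN_JSP_BASELINE` set and the `SHELL_PARAMS` names are constructed assumptions; an operator would populate the baseline from a known-clean ZCS install.

```python
"""Flag web-shell-style JSP requests in a Zimbra access log.

Added example, not CloudSEK or Zimbra code. The sample log, the admin-JSP
baseline and the parameter-name list are all constructed assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; not real traffic.
# Line 3 mirrors the path shape from the advisory's defanged web shell URL.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2022:10:01:02 +0000] "GET /zimbraAdmin/ HTTP/1.1" 200 512
203.0.113.10 - - [12/Aug/2022:10:01:05 +0000] "GET /zimbraAdmin/index.jsp HTTP/1.1" 200 4096
198.51.100.7 - - [12/Aug/2022:10:02:11 +0000] "GET /zimbraAdmin/cmd.jsp?cmd=echo+breached.co HTTP/1.1" 200 64
this line is not in log format and is skipped
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical baseline of JSP names legitimately served under /zimbraAdmin/.
# Assumption for this example; build it from a known-clean install in practice.
ADMIN_JSP_BASELINE = {"index.jsp"}

# Query parameter names that command-execution web shells commonly accept
# (assumption; extend from your own incident data).
SHELL_PARAMS = {"cmd", "command", "exec", "c"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return indicator tags for a parsed request; an empty list means benign."""
    tags = []
    path = rec["path"].lower()
    if not path.endswith(".jsp"):
        return tags
    # Indicator 1: a JSP invoked with a command-style parameter.
    hit = SHELL_PARAMS & set(rec["query"])
    if hit:
        tags.append("jsp-with-command-param:" + ",".join(sorted(hit)))
    # Indicator 2: a JSP directly under the admin console that is not baselined.
    head, _, base = path.rpartition("/")
    if head == "/zimbraadmin" and base not in ADMIN_JSP_BASELINE:
        tags.append("unexpected-admin-jsp:" + base)
    return tags


def scan(log_text):
    """Run the classifier over every parseable line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "tags": tags,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against `/opt/zimbra/log/access_log*` (or the nginx proxy log) by reading the file into `scan()`; a hit on either indicator warrants checking the admin web root for JSP files that do not belong to the installed ZCS package and reviewing that client's other requests.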
| Threat Actor Profiling | |
| --- | --- |
| Active since | Aug 2022 |
| Reputation | Medium (few complaints and concerns on the forum) |
| Rating | C3 (C: Fairly reliable; 3: Possibly true) |
- *Intelligence source and information reliability (Wikipedia)
- Traffic Light Protocol (Wikipedia)
- Zimbra Collaboration Suite Actively Exploited Via an Authentication Bypass Vulnerability CVE-2022-37042 (CloudSEK)
- Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 (Volexity)