Web Shell Access to UAE Based Cloud & IT Service Provider, Bamboozle

Summary

Web shell access to Bamboozle's Zimbra-powered webmail service was shared on a cybercrime forum. A ZCS vulnerability was possibly exploited to gain the access.

Category: Adversary Intelligence
Industry: IT & Technology
Region: Middle East
Source*: C3

Executive Summary

Threat

  • Web shell access to Bamboozle's Zimbra-powered webmail service was shared on a cybercrime forum.
  • A ZCS vulnerability was possibly exploited to gain the access.

Impact

  • All internal emails and web services can be affected.
  • The access could leak credentials, databases, and other critical information.

Mitigation

  • Update ZCS to the following patches:
    • 9.0.0P26
    • 8.8.15P33

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor sharing access to the internal web server of Bamboozle, a leading Cloud and IT Services provider in the UAE.
  • The following information was shared:
    • Free access to a Middle East company for cloud and VM management.
    • Web shell access is provided, to control the whole mailbox server.
    • Web shell URL (defanged): https//mail[.]bamboozlewebservices[.]com/zimbraAdmin/cmd[.]jsp?cmd=echo+breached.co
Threat Actor’s post on a cybercrime forum

Tactics, Techniques, and Procedures (TTPs)

  • Bamboozle's mail service, realMail, is powered by Zimbra Collaboration Suite (ZCS). Given that Bamboozle provides the realMail service, it is reasonable to assume that it uses the service for internal communication as well.
  • The threat actor possibly exploited one of the following CVEs to gain the alleged access:
    • CVE-2022-27925 was disclosed by Zimbra on 10 May 2022 as an authenticated directory traversal vulnerability. In practice, attackers used it to compromise the ZCS email servers of multiple organisations without having authenticated access to the ZCS instances.
    • The authentication-bypass directory traversal and RCE vulnerability was assigned CVE-2022-37042, with a CVSS v3 score of 9.8, as authentication could be bypassed; this in turn led to several ZCS servers being compromised and backdoored. (For more information, read CloudSEK’s Advisory.)

Threat Actor Activity and Rating

Threat Actor Profiling

Active since: Aug 2022
Reputation: Medium (few complaints and concerns on the forum)
Current Status: Active
History: Unknown
Rating: C3 (C: Fairly Reliable; 3: Possibly true)

Impact & Mitigation

Impact

  • A successful exploit gives an attacker access to every single email sent and received on a compromised email server.
  • The above access can be exploited for:
    • Stealing user credentials
    • Privilege escalation
    • Installing backdoors

Mitigation

  • Update Zimbra Collaboration Suite to the following patched versions:
    • 9.0.0P26
    • 8.8.15P33
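
Two defender-side checks derived from the post, as an added example that is not CloudSEK's or Zimbra's code: flagging access-log requests that match the shared web shell pattern (an unexpected .jsp under /zimbraAdmin/, or any request carrying a cmd= parameter) and comparing an installed ZCS version string against the patched levels named above. The combined log format, the allow-list of admin JSPs and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Patched levels named in the advisory, keyed by ZCS release line.
PATCHED = {(9, 0, 0): 26, (8, 8, 15): 33}
# JSPs expected under /zimbraAdmin/ on a stock install: an assumption for this example, tune it to your deployment.
KNOWN_ADMIN_JSP = {"/zimbraAdmin/index.jsp"}
# Combined-log-format access line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_patched(version):
    """True if at/above the advisory's patch level, False if below it, None if the release line is not covered."""
    rel = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not rel:
        return None
    line = tuple(int(x) for x in rel.groups())
    if line not in PATCHED:
        return None
    patches = re.findall(r"P(\d+)", version)  # "8.8.15_P32" -> ["32"]
    level = int(patches[-1]) if patches else 0  # no P suffix: unpatched GA build
    return level >= PATCHED[line]

def suspicious_requests(lines):
    """Return (ip, path, reason) tuples for requests matching the web shell pattern in the post."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        url = urlsplit(m["target"])
        if not url.path.startswith("/zimbraAdmin/"):
            continue
        reasons = []
        if url.path.endswith(".jsp") and url.path not in KNOWN_ADMIN_JSP:
            reasons.append("unexpected JSP under /zimbraAdmin")
        if "cmd" in parse_qs(url.query):
            reasons.append("cmd= query parameter")
        if reasons:
            hits.append((m["ip"], url.path, "; ".join(reasons)))
    return hits

# Constructed sample log lines; the first mirrors the URL shared in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Sep/2022:10:12:01 +0400] "GET /zimbraAdmin/cmd.jsp?cmd=echo+breached.co HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Sep/2022:10:12:09 +0400] "GET /zimbraAdmin/index.jsp HTTP/1.1" 200 4120',
    '203.0.113.5 - - [20/Sep/2022:10:13:40 +0400] "GET /zimbraAdmin/tmp.jsp HTTP/1.1" 200 64',
]
```

Run `suspicious_requests(SAMPLE_LOG)` against real access logs by reading the file line by line; a hit on a JSP that was never part of your install should trigger a forensic review rather than only a patch.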

References

Bamboozle mail service being powered by Zimbra Enterprise Collaboration