
In recent months, several cyber security researchers have drawn attention to, and warned of, attacks on Zimbra Collaboration environments. These attacks exploit (old) vulnerabilities that allow attackers to steal sensitive information or take over systems completely. Persistent phishing campaigns are also under way in which attackers try to obtain login credentials for Zimbra Collaboration email servers.
The Digital Trust Center (DTC) warned about, among others, a critical vulnerability (CVE-2022-27924) that was widely exploited in 2022. Because of the ease with which the vulnerability could be abused, the National Cyber Security Centre (NCSC) raised the rating of its security advisory to High/High at the time. This means there is a high probability of the vulnerability being exploited and that the resulting damage could be extensive.
Recently, the DTC again received lists of IP addresses of Zimbra systems in the Netherlands that may still be vulnerable. The DTC is notifying the companies that can be identified from this list. Some Zimbra vulnerabilities are already being actively abused and have a CVSS score of 9.8, which means they are highly critical vulnerabilities.
What can I do?
Keeping software up to date is essential to prevent abuse of known vulnerabilities. When software is directly reachable from the internet, as is often the case with Zimbra installations, the likelihood of abuse increases. The advice is therefore to apply the latest available updates to Zimbra installations as soon as possible.
In addition, it is good practice to configure and secure systems in a way that minimises the risk of misuse, for example by not exposing a management interface to the internet. In the case of Zimbra, the so-called Memcache service is still sometimes made directly reachable from the internet. In most cases this is a configuration error, and the advice is to close it by blocking traffic to the Memcache service (port 11211). If the Memcache service has been directly reachable from the internet, we recommend checking the Zimbra environment (or having it checked) for possible misuse. Read more about Memcache misuse.
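The following is an added example and not part of the DTC advisory or of Zimbra itself: a small POSIX shell check that an administrator can run on a Zimbra host to see whether the Memcache service (port 11211) is bound to anything other than a loopback address, and that prints the firewall rules needed to block outside traffic to it. The listener text below is a constructed sample in the column layout of `ss -lntu`; on a real host you would feed it the live output of that command. The rules use iptables and assume the loopback interface is named `lo`; the rule shape and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the DTC advisory or Zimbra): detect a Memcache
# listener reachable on a non-loopback address and suggest firewall rules.

# Constructed sample in the column layout of `ss -lntu`. On a real host use:
#   memcache_exposed "$(ss -lntu)"
SAMPLE_LISTENERS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:11211     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:7171    0.0.0.0:*
tcp   LISTEN 0      1024   0.0.0.0:443       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:11211     0.0.0.0:*'

# memcache_exposed LISTENER_TEXT
# Prints every tcp/udp listener line whose port is 11211 and whose local
# address is not IPv4 or IPv6 loopback. Exit status 0 if at least one such
# exposed listener was found, 1 otherwise.
memcache_exposed() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)$/ {
            # Field 5 is "address:port"; the port is the text after the last ":".
            n = split($5, parts, ":")
            port = parts[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (port == "11211" && addr != "127.0.0.1" && addr != "[::1]") {
                print
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# memcache_block_rules
# Prints iptables rules that drop TCP and UDP traffic to port 11211 arriving
# on any interface other than loopback, so Zimbra's own local clients on the
# host keep working while the service is no longer reachable from outside.
memcache_block_rules() {
    for proto in tcp udp; do
        printf 'iptables -A INPUT -p %s --dport 11211 ! -i lo -j DROP\n' "$proto"
    done
}

if memcache_exposed "$SAMPLE_LISTENERS"; then
    echo "Memcache (port 11211) is bound to a non-loopback address; suggested rules:"
    memcache_block_rules
else
    echo "No exposed Memcache listener found."
fi
```

The check only tells you whether the port is bound publicly; a perimeter firewall may already block it, so confirm from outside the network as well. If the port has been reachable from the internet, the advisory's recommendation to have the environment checked for misuse still applies, since closing the port does not undo anything that may already have happened.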