Attackers are actively exploiting a critical vulnerability in mail servers sold by Zimbra in an attempt to remotely execute malicious commands that install a backdoor, researchers warn.
The vulnerability, tracked as CVE-2024-45519, resides in Zimbra's email and collaboration server used by mid-sized and large organizations. When an administrator manually changes the default settings to enable the postjournal service, attackers can execute commands by sending maliciously crafted emails to an address hosted on the server. Zimbra recently patched the vulnerability. All Zimbra users should install it or at least make sure postjournal is disabled.
Easy, yes, but reliable?
On Tuesday, security researcher Ivan Kwiatkowski first reported on the wildlife attacks, which he described as “mass exploitation.” He said the malicious emails were sent via the IP address 79.124.49[.]86 and, when successful, he attempted to run a file hosted there using the tool known as curl. Researchers from security firm Proofpoint took to social media later that day to confirm the report.
On Wednesday, security researchers provided additional details suggesting that damage from the continued exploitation would likely be limited. As already noted, they said, a default setting needs to be changed, which will likely reduce the number of vulnerable servers.
Security researcher Ron Bowes further reported that the “payload doesn't actually do anything: it downloads a file (to stdout) but does nothing with it.” He said that in the span of about an hour earlier Wednesday, a honeypot server he operated to monitor ongoing threats received about 500 requests. He also reported that the payload is not delivered directly via emails, but rather via a direct connection to the malicious server via SMTP, short for Simple Mail Transfer Protocol.
“That's all we've seen so far. It doesn't seem like a serious attack,” Bowes wrote. “I'll keep an eye on it and see if they try anything else!”
In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely agree that the attacks were unlikely to lead to mass infections that could install ransomware or spy malware. The researcher provided the following information:
- While the exploitation attempts we observed did not discriminate in targeting, we did not see a large number of exploitation attempts
- Based on what we have researched and observed, exploiting this vulnerability is very easy, but we have no information on how reliable the exploitation is
- The exploitation has remained about the same since we first saw it on September 28th
- A PoC is available and the exploit attempts appear opportunistic
- The exploitation is geographically diverse and appears random
- The fact that the attacker uses the same server to send the exploit emails and host the second-stage payloads indicates that the actor does not have a distributed infrastructure to send exploit emails and handle infections after successful exploitation. We would expect the email server and the payload servers to be different entities in a more mature operation.
- Guardians protecting Zimbra devices should keep an eye out for strange CC or To addresses that look wrong or contain suspicious strings, as well as Zimbra server logs that indicate outbound connections to external IP addresses.
Proofpoint explained that some of the malicious emails used multiple email addresses that, when pasted into the CC field, attempted to install a web shell-based backdoor on vulnerable Zimbra servers. The entire cc list was packed as a single string and encoded using the base64 algorithm. When they were combined and converted back to plain text, they created a web shell at the path: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp.