H-ISAC TLP White Threat Bulletin: Threat Actors Exploiting Multiple Vulnerabilities Against Zimbra Collaboration Suite

August 16, 2022

On August 16, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information and Analysis Center (MS-ISAC) released a Joint Cybersecurity Advisory (AA22-228A) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against the enterprise cloud-hosted collaboration software and email platform, Zimbra Collaboration Suite (ZCS).

The CVEs currently being exploited against Zimbra Collaboration Suite include: 

  • CVE-2022-24682 
  • CVE-2022-27924 
  • CVE-2022-27925 chained with CVE-2022-37042 
  • CVE-2022-30333 

Cyber threat actors are potentially targeting unpatched Zimbra Collaboration Suite instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance provided in the Recommendations section of the alert to help secure their organization’s systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section if their ZCS instances were not immediately updated upon patch release, or the instances were exposed to the internet. Additionally, organizations that detect potential compromise should apply the steps in the Incident Response section of the alert.

All members are encouraged to review AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite for the technical details provided, detection methods, and incident response recommendations.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272