H-ISAC TLP White Threat Update - Threat Actors Exploiting Multiple Vulnerabilities Against Zimbra Collaboration Suite

September 28, 2022

The following document is an updated version of the previously shared alert AA22-228A, distributed by Health-ISAC. The previously distributed alert remains available for review. The major updates are the Malware Analysis Reports referenced under the heading Update September 27, 2022.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise collaboration software and email platform deployed both self-hosted and cloud-hosted. CVEs currently being exploited against ZCS include:

  • CVE-2022-24682: cross-site scripting (XSS) in the ZCS webmail client (8.8.15 before Patch 30 Update 1) that lets an attacker steal session cookies
  • CVE-2022-27924: unauthenticated Memcached command injection that overwrites cached route entries and exposes cleartext mailbox credentials (fixed in 8.8.15 Patch 31.1 and 9.0.0 Patch 24.1)
  • CVE-2022-27925 chained with CVE-2022-37042: path traversal in the mboximport ZIP handling that lets an administrator write arbitrary files (remote code execution), chained with an authentication bypass that makes the endpoint reachable without credentials (both fixed in 8.8.15 Patch 33 and 9.0.0 Patch 26)
  • CVE-2022-30333: path traversal in RARLAB UnRAR, which ZCS uses to scan incoming RAR attachments, allowing file writes during extraction (fixed in 8.8.15 Patch 32 and 9.0.0 Patch 25)

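The mboximport chain (CVE-2022-27925 with CVE-2022-37042) is the one item above that leaves an obvious trace in the mail server's HTTP access log, because exploitation has to reach the /service/extension/backup/mboximport endpoint over the web port and then interact with whatever file was dropped. The script below is an added hunting example written for this page, not code from the advisory or from Zimbra: it parses nginx-style access-log lines, flags any hit on the mboximport path, and escalates when the same source that got a 2xx on mboximport subsequently requests a .jsp file. The log lines, IP addresses, timestamps and the filename x.jsp are constructed sample data; the rule that "mboximport followed by a .jsp from the same IP means webshell interaction" is the editor's assumption, not a signature from the CSA.

```python
import re

# Constructed sample nginx access-log lines (not real telemetry).
# 203.0.113.10 probes mboximport, gets a 2xx, then fetches a .jsp file.
# 198.51.100.7 is ordinary webmail traffic and should not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Aug/2022:03:12:44 +0000] "POST /service/extension/backup/mboximport?account-name=admin HTTP/1.1" 401 0 "-" "python-requests/2.28.1"
203.0.113.10 - - [09/Aug/2022:03:12:45 +0000] "POST /service/extension/backup/mboximport?account-name=admin HTTP/1.1" 200 25 "-" "python-requests/2.28.1"
203.0.113.10 - - [09/Aug/2022:03:12:46 +0000] "GET /zimbraAdmin/public/jsp/x.jsp?cmd=id HTTP/1.1" 200 143 "-" "python-requests/2.28.1"
198.51.100.7 - - [09/Aug/2022:03:15:01 +0000] "GET /zimbra/ HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2022:03:15:03 +0000] "GET /zimbra/h/search?st=message HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Endpoint abused by CVE-2022-27925 once CVE-2022-37042 bypasses authentication.
MBOXIMPORT = "/service/extension/backup/mboximport"


def parse(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # strip the query string
    return rec


def hunt(log_text):
    """Scan access-log text and return a list of findings (dicts).

    Severity model (editor's assumption, not a CSA signature):
      medium   - any request to the mboximport endpoint from the web port
      high     - a POST to mboximport that returned 2xx (upload accepted)
      critical - a .jsp request from an IP that earlier got a 2xx on mboximport
    """
    findings = []
    accepted_import = set()  # IPs whose mboximport POST returned 2xx
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["path"] == MBOXIMPORT:
            uploaded = rec["method"] == "POST" and 200 <= rec["status"] < 300
            severity = "high" if uploaded else "medium"
            if uploaded:
                accepted_import.add(rec["ip"])
            findings.append({"severity": severity, "ip": rec["ip"],
                             "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"], "ua": rec["ua"]})
        elif rec["path"].endswith(".jsp") and rec["ip"] in accepted_import:
            findings.append({"severity": "critical", "ip": rec["ip"],
                             "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"], "ua": rec["ua"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['ip']} {f['ts']} {f['path']} {f['status']} {f['ua']}")
```

In a real hunt, feed it /opt/zimbra/log/nginx.access.log (and rotated copies) rather than SAMPLE_LOG, and treat even the medium-severity probes as worth correlating with the third-party signatures the CSA points to: a 401 on mboximport from the internet is reconnaissance that usually precedes the accepted upload.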
Cyber threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section to help secure their organization’s systems against malicious cyber activity.

Organizations that did not update their ZCS instances immediately upon patch release, or whose ZCS instances were exposed to the internet, are encouraged to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of the CSA. Organizations that detect potential compromise should apply the steps provided in the Incident Response section.

Update September 27, 2022:

The CSA has been updated with additional IOCs provided by the following Malware Analysis Reports (MARs):

View the detailed report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272