IT & Technology
- Web shell access to the Zimbra-powered webmail service of Bamboozle was shared on a cybercrime forum.
- Possible ZCS vulnerability exploited to gain access.
- All the internal emails and web services can be affected.
- Access could leak credentials, databases, and other critical information.
- Update ZCS to the following patches:
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor sharing access to the internal web server of Bamboozle, a leading Cloud and IT Services provider in the UAE.
- The following information was shared:
  - Free access to a Middle East company for cloud and VM management.
  - Web shell access is provided, to control the whole mailbox server.
  - Web shell URL link: https[:]//mail[.]bamboozlewebservices[.]com/zimbraAdmin/cmd[.]jsp?cmd=echo+breached.co
[Image: Threat Actor’s post on a cybercrime forum]
Tactics, Techniques, and Procedures (TTPs)
- The mail service at this URL, Bamboozle realMail, is powered by Zimbra Collaboration Suite (ZCS). Given that Bamboozle provides the realMail service, it is reasonable to assume that they use the service for internal communication as well.
- The threat actor possibly exploited one of the following CVEs to gain the alleged access:
  - CVE-2022-27925 was disclosed by Zimbra on 10 May 2022 as an authenticated directory traversal vulnerability. This vulnerability allowed attackers to exploit the ZCS email servers of multiple organisations without having authenticated access to the ZCS instances.
  - The authentication bypass, directory traversal, and RCE vulnerability was assigned CVE-2022-37042 with a CVSS v3 score of 9.8, as it was possible to bypass authentication, which in turn led to several ZCS servers being compromised and backdoored. (For more information, read CloudSEK’s Advisory)
Threat Actor Activity and Rating
|Threat Actor Profiling
||Medium (Few complaints and concerns on the forum)
||C3 (C: Fairly Reliable; 3: Possibly true)
Impact & Mitigation
- A successful exploit gives an attacker access to every single email sent and received on a compromised email server.
- The above access can be exploited for:
  - Stealing user credentials
  - Privilege escalation
  - Installing backdoors
- Update Zimbra Collaboration Suite to the following patched versions:
[Image: Bamboozle mail service being powered by Zimbra Enterprise Collaboration]
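A detection sketch for the web shell pattern quoted in the post (a JSP under /zimbraAdmin/ that takes a `cmd` query parameter), added here as an example and not CloudSEK's or Zimbra's code. It assumes NCSA combined-format access logs; the log lines, IP addresses, and the extra parameter names `command` and `exec` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: NCSA combined-style access log; adapt the regex to your log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# "cmd" is the parameter seen in the post; the other names are assumed variants.
SUSPECT_PARAMS = {"cmd", "command", "exec"}

def find_webshell_hits(lines, prefix="/zimbraadmin/"):
    """Return requests to a JSP under the admin console path that carry a
    command-style query parameter, with the decoded command for triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        url = urlsplit(m["target"])
        # Normalise case and percent-encoding before matching the path.
        path = unquote(url.path).lower()
        if not (path.startswith(prefix) and path.endswith(".jsp")):
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name.lower() in SUSPECT_PARAMS:
                hits.append({"ip": m["ip"], "time": m["ts"], "path": path,
                             "status": int(m["status"]), "command": values[0]})
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Sep/2022:10:02:11 +0000] "GET /zimbraAdmin/ HTTP/1.1" 200 5120',
    '203.0.113.50 - - [01/Sep/2022:10:05:42 +0000] "GET /zimbraAdmin/cmd.jsp?cmd=echo+test HTTP/1.1" 200 18',
    '203.0.113.77 - - [01/Sep/2022:10:06:15 +0000] "GET /zimbraAdmin/cmd.jsp?cmd=id HTTP/1.1" 404 312',
    '198.51.100.9 - - [01/Sep/2022:10:07:03 +0000] "GET /zimbraAdmin/js/app.js?v=220901 HTTP/1.1" 200 90210',
]

if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        # A 200 means a file answered at that path; a 404 is a probe that missed.
        state = "RESPONDED" if hit["status"] == 200 else "probe only"
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} cmd={hit["command"]!r} [{state}]')
```

A hit with status 200 warrants checking the web application directory for the JSP file itself and reviewing every other request from the same source address.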