Executive Summary

Analysis and Attribution

Information from the Post

• CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor, sharing access to the internal web server of Bamboozle, a leading Cloud and IT Services provider in the UAE.
• The following information was sharded:
  • Free access to a Middle east company for cloud and VM management.
  • Web shell access is provided, to control the whole mailbox server.
  • Web shell URL link : https[:]//mail[.]bamboozlewebservices[.]com/zimbraAdmin/cmd[.]jsp?cmd=echo+breached.co

Tactics, Techniques, and Procedures (TTPs)

• The URL mail service, Bamboozle realMail, is powered by Zimbra Collaboration Suite (ZCS). Given that Bamboozle provides realMail service, it is reasonable to assume that use the service for internal communication as well.
• The threat actor possibly exploited one of the following CVEs to gain the alleged access:
  • CVE-2022-27925 was disclosed by Zimbra on 10 May 2022, as an authenticated directory traversal vulnerability. This vulnerability allowed attackers to exploit the ZCS email servers of multiple organisations without having authenticated access to the ZCS instances.
  • The authentication bypass directory traversal and RCE vulnerability, was assigned CVE-2022-37042 with a CVSS V3 score of 9.8, as it was possible to bypass authentication, which led to several in turn ZCS servers to be compromised and backdoored. (For more information, read CloudSEK’s Advisory)

Threat Actor Activity and Rating

Impact & Mitigation

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia
• https://bamboozle.at/enterprise-collaboration/business-email/
• Zimbra Collaboration Suite Actively Exploited Via an Authentication Bypass Vulnerability CVE-2022-37042
• Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 | Volexity