JOINT CYBERSECURITY ADVISORY: APT29 HACKERS TARGETING ZIMBRA SERVERS

John C
2 min read · Oct 14, 2024


In a recent joint advisory, cybersecurity agencies from the U.S. and U.K. have issued an urgent warning regarding a surge in malicious activity from APT29, a well-known threat actor linked to Russia’s Foreign Intelligence Service (SVR). APT29 is actively exploiting vulnerabilities in Zimbra servers on a massive scale, using the CVE-2022-27924 vulnerability to infiltrate and compromise systems worldwide.

Exploit Overview: CVE-2022-27924

CVE-2022-27924 is a critical command injection vulnerability [CWE-74] that enables unauthenticated attackers to inject arbitrary memcache commands into a targeted Zimbra instance. This results in the overwriting of cached entries, granting the attackers unauthorized access to user credentials and mailboxes — without any interaction from the victim.

APT29 has exploited this vulnerability to compromise hundreds of Zimbra mail servers across numerous domains, enabling unauthorized access and control of sensitive information. After gaining access, the SVR actors set up additional infrastructure to facilitate ongoing data collection and exploitation of the compromised systems.

The advisory, jointly issued by the NSA, FBI, U.S. Cyber Command’s Cyber National Mission Force (CNMF), and the U.K.’s National Cyber Security Centre (NCSC), stresses the importance of immediate patching of exposed Zimbra servers. Failure to update these systems leaves organizations vulnerable to further exploitation, as APT29 continues to aggressively target unpatched servers.

This campaign serves as a stark reminder of the evolving threat landscape, where cyber actors rapidly exploit known vulnerabilities to establish footholds and conduct further malicious activities. Organizations must remain vigilant, applying security updates promptly and maintaining strong cyber hygiene practices to defend against these persistent threats.

For detailed guidance, read the full advisory here: PDF Link.

Key Takeaways for Defenders:

  • Patch vulnerable Zimbra servers immediately.
  • Monitor for unusual activity or unauthorized access, especially related to Zimbra services.
  • Strengthen monitoring and response capabilities to detect potential footholds by advanced threat actors.
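One concrete way to act on the "monitor for unusual activity related to Zimbra services" takeaway, tied to the injection mechanism described above: scan proxy login events for usernames that carry memcached protocol text. This is an added example, not code from the advisory, from Zimbra, or from the author of this post. It assumes the injection vector described in public analyses of CVE-2022-27924 (CR/LF sequences smuggled into a username so that the proxy's memcached lookup carries attacker-supplied commands); the log format, the field names (`src=`, `user=`), the regex names and the `ALLOWED_BACKENDS` set are all assumptions made for illustration, and the sample log lines are constructed.

```python
"""Scan proxy login/lookup events for signs of memcache command injection
against Zimbra (the CVE-2022-27924 pattern: attacker-controlled text reaching
the memcached text protocol through a username).

Added example, not code from the advisory or from Zimbra. The log format,
field names and regexes below are assumptions for illustration.
"""
import re
from urllib.parse import unquote

# Assumed log format: space-separated key=value fields, username URL-encoded.
USER_FIELD_RE = re.compile(r"\buser=(\S+)")
SRC_FIELD_RE = re.compile(r"\bsrc=(\S+)")
# memcached text-protocol verbs at the start of a line inside a username;
# a real mailbox name never contains a line break followed by one of these.
MEMCACHE_VERB_RE = re.compile(
    r"(?:^|[\r\n])\s*(set|add|replace|append|prepend|delete|flush_all|get)(?=\s)",
    re.IGNORECASE,
)
# host:port pairs, i.e. a candidate route target planted in the cache.
ROUTE_TARGET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
# Mail backends the proxy is legitimately allowed to route sessions to
# (constructed for this example; use your own inventory in practice).
ALLOWED_BACKENDS = {"10.0.0.10", "10.0.0.11"}


def decode_username(raw):
    """URL-decode up to twice so %0d%0a (or double-encoded %250d%250a) becomes a real CR/LF."""
    for _ in range(2):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def classify_username(raw):
    """Return the list of anomaly tags for one username, empty if it looks benign."""
    user = decode_username(raw)
    tags = []
    if "\r" in user or "\n" in user:
        tags.append("crlf_in_username")
    if MEMCACHE_VERB_RE.search(user):
        tags.append("memcache_verb_in_username")
    if "route:proto=" in user:
        tags.append("route_key_in_username")
    for host, _port in ROUTE_TARGET_RE.findall(user):
        if host not in ALLOWED_BACKENDS:
            tags.append("route_target_not_allowed:" + host)
    return tags


def scan_log(lines):
    """Return (src, tags) for every event whose username carries an anomaly."""
    hits = []
    for line in lines:
        m = USER_FIELD_RE.search(line)
        if not m:
            continue
        tags = classify_username(m.group(1))
        if tags:
            src = SRC_FIELD_RE.search(line)
            hits.append((src.group(1) if src else "?", tags))
    return hits


# Constructed sample events: one benign login and one injection attempt
# (deliberately not a complete memcached command).
SAMPLE_LOG = [
    "2024-10-14T09:12:01Z proxy=imap src=203.0.113.7 user=alice@example.test result=ok",
    "2024-10-14T09:12:05Z proxy=imap src=203.0.113.9 "
    "user=bob@example.test%0d%0aset%20route:proto=imap;user=alice@example.test%0d%0a"
    "198.51.100.5:143 result=fail",
]

if __name__ == "__main__":
    for src, tags in scan_log(SAMPLE_LOG):
        print(f"{src}: {', '.join(tags)}")
```

The tags are deliberately separate: a CR/LF alone is already a strong signal on a mail-login field, while a route target outside the known backend set is what turns a suspicious login into a likely credential-interception attempt worth escalating. Run the same classifier over the route entries currently held in memcached if your deployment lets you enumerate them, since a planted route survives after the injecting request is gone.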

Stay ahead of the threat by proactively securing your systems and fortifying your defenses. The persistent and evolving tactics used by APT29 and other nation-state actors highlight the importance of a strong and adaptive cybersecurity posture.


John C

Technologist and technical leader skilled in Cyber Incident Response, Computer Forensics, and Security and Detection Engineering.