We are working with Zimbra to identify the best method to expediently mitigate the issues raised by the recent report (see references below). This includes applying a patch this coming weekend to our affected systems.
In the meantime, as Zimbra webmail client users, you're safe from this attack as long as you don't click on a link from an unconfirmed sender. This is a best practice to follow to avoid this attack today, and generally.
Cloudiance takes security threats, even ones that are only prospective, seriously, and classifies them based on a system that prioritizes vulnerabilities for consideration not only based on likelihood, but also consequences of a successful attack, so that we focus our resources on addressing relevant, high-priority threats for our specific environment. Some of the metrics we use to evaluate threats include, using our own vernacular:
- Scope: affects one person, an organization, or all organizations for whom we manage data?
- Spread: how likely is an attack to be contagious?
- Sway: what's the likely, and the worst-case, impact to those affected?
Phishing is part of a class of attacks that fall under the umbrella of "social engineering," requiring the active participation of at least one victim, most typically by clicking on a link, image, or button, received in an email, to activate malicious code.
We expect to make anti-phishing a part of our solution this year, in 2022. Cloudiance has been working on incorporating the latest anti-phishing technology as an option for the advanced anti-spam and anti-virus solution included for all customers. This solution will allow our customers to turn on protection that functionally prevents all phishing attacks by using URL-rewrites. Bringing it to market is consistent with our commitment to offering enterprise-level technology to everyone, no matter the size or influence of your business.
Cloudiance also confirms its agreement with Zimbra, a strategic partnership maintained since we helped found Zimbra's partner-network, as one of its first certified partners, more than fifteen years ago. We expect to assess and address this, and any future prospective security vulnerabilities, together with them for the foreseeable future, and while we know how seriously they also take security threats, we expect an adequate public response, in a reasonable time-frame, from Zimbra too. Zimbra has responded:
A new Zero-day exploit has been identified that affects Zimbra 8.8.15. Since learning of the reported vulnerability, Zimbra Engineering has verified the issue and produced a hotfix (for 8.8.15 p30). The hotfix will be available to Zimbra customers through Zimbra Support. A durable fix for the issue is undergoing testing and quality review and will be made available as an update to 8.8.15p30. The updated patch is scheduled for availability via our download site on 5 February 2022.
Managing billions of messages annually, we support tens of thousands of people representing the daily collaboration of thousands of organizations around the world. Cloudiance has improved service-reliability over the years, and is committed to maintaining 99.9% or greater up-time, and responsive performance for all of our clients. We have been testing Zimbra 9, the latest version, and have been supporting it in production for some customers for more than a year. We expect to gradually upgrade most of our customer-base to it as our experience, demand for it, and continued success with it increase.
References:
- https://therecord.media/european-governments-targeted-by-chinese-hackers-with-a-zimbra-webmail-zero-day/
- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
- Avoid Phishing Scams-- Do not click on that offer. Don't do it! (Cloudiance client-only knowledgebase article)
- https://www.sciencedirect.com/science/article/pii/S1071581918303628 (Exploring susceptibility to phishing in the workplace)
- https://www.isaca.org/resources/isaca-journal/issues/2021/volume-6/evidence-based-prioritization-of-cybersecurity-threats
Friday, February 4, 2022