
Author: Andy Smith
Date:  
To: users
Subject: [bitfolk] Security incident: Customer's Zimbra install compromised, VPS used for cryptocurrency mining

gpg: Signature made Wed May 8 13:42:46 2019 UTC
Hi,

Today a customer informed us that their install of Zimbra fell
victim to CVE-2019-9670, a remote code execution vulnerability
disclosed in March of this year:

    https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html
    https://lorenzo.mile.si/zimbra-cve-2019-9670-being-actively-exploited-how-to-clean-the-zmcat-infection/961/

Since some time in April the attacker had used their VPS as a
cryptocurrency miner, using two cores of the BitFolk host's Xeon
E5-1680v4 at 100% each.

If you run Zimbra and haven't patched this vulnerability you should
check that you haven't been compromised, as automated scanning and
compromise has been taking place for over a month now.

If you discover compromise you will probably need to reinstall.
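A small triage helper for the check Andy is asking for, added here as an illustration and not part of the original posting or of Zimbra itself. It scans `ps` output for the two things that gave this incident away (something running as the service user from an untrusted path, and a non-system binary pinning a core); the sample process list is constructed, and the service user "zimbra" and the /opt/zimbra install path are assumptions.

```python
import re

# Constructed sample (not real data from the incident) in the format produced by:
#   ps -eo pid,user,pcpu,etimes,args --no-headers
SAMPLE_PS = """\
  812 zimbra    1.3   612340 /opt/zimbra/common/lib/jvm/java/bin/java -Xmx2g mailboxd
 1190 zimbra    0.2   612001 /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf
 2200 root      0.0   700000 /usr/sbin/sshd -D
 4021 zimbra   99.8  1903221 /tmp/.cache/.x/zmcat -c /tmp/.cache/.x/config.json
 4022 zimbra   99.6  1903220 /dev/shm/.x/kworkerds
"""

# Assumptions, not taken from the posting: Zimbra runs as user "zimbra" with its
# binaries under /opt/zimbra, and system daemons live under the usual system paths.
TRUSTED_PREFIXES = ("/opt/zimbra/", "/usr/", "/bin/", "/sbin/", "/lib/")
# World-writable locations where a web-app exploit typically drops its payload.
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d.]+)\s+(\d+)\s+(\S+)(.*)$")

def suspicious_processes(ps_output, service_user="zimbra", cpu_threshold=80.0):
    """Flag processes matching what the compromised VPS above looked like: the service
    user running from an untrusted path, or a non-system binary pinning a core."""
    findings = []
    for line in ps_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or malformed line
        pid, user, pcpu, _etimes, exe, _rest = m.groups()
        trusted = exe.startswith(TRUSTED_PREFIXES)
        reasons = []
        if exe.startswith(SCRATCH_PREFIXES):
            reasons.append("executable lives in a scratch directory")
        if user == service_user and not trusted:
            reasons.append(f"runs as {service_user} from an untrusted path")
        if float(pcpu) >= cpu_threshold and not trusted:
            reasons.append(f"{pcpu}% CPU from an untrusted path")
        if reasons:
            findings.append({"pid": int(pid), "user": user, "pcpu": float(pcpu),
                             "exe": exe, "reasons": reasons})
    return findings

def flagged_cpu_total(findings):
    """CPU held by flagged processes; about 200 means two cores, as in the incident."""
    return sum(f["pcpu"] for f in findings)

if __name__ == "__main__":
    found = suspicious_processes(SAMPLE_PS)
    for f in found:
        print(f"pid {f['pid']} {f['exe']} ({f['pcpu']}% CPU): " + "; ".join(f["reasons"]))
```

On a live host, feed it `ps -eo pid,user,pcpu,etimes,args --no-headers` and treat any hit as a reason to take the VPS offline and rebuild rather than to clean in place.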

About this email:
https://tools.bitfolk.com/wiki/Security_incident_postings

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting