CrowdStrike Services observed that an unidentified threat actor compromised an outdated Zabbix instance to gain initial access to a portion of the network of a U.S.-based company in August 2022. The Zabbix monitoring system is used for gathering, analyzing and visualizing infrastructure metrics and statistics, among other functions.

The specific exploit leveraged during this incident could not be determined; however, the compromise was consistent with at least two distinct exploit techniques that have been publicly known for more than six years: CVE-2016-9140 and CVE-2016-10134. CrowdStrike Intelligence does not currently attribute this incident to any known adversary.

CrowdStrike Intelligence assesses that some threat actors will likely continue to target outdated Zabbix instances by exploiting previously disclosed vulnerabilities—particularly those with publicly available proof-of-concept (POC) exploits—regardless of CVE status.

Impact

Exploiting outdated Zabbix instances is an attractive option for threat actors looking for initial access into a victim’s network, as well as potentially enabling persistence and lateral movement.

This incident demonstrates how threat actors can exploit known vulnerabilities in outdated Zabbix instances, regardless of whether those vulnerabilities met the vendor-defined requirements to receive an official CVE identifier. Both targeted intrusion and opportunistic cybercrime actors routinely target remote IT management and monitoring software such as Zabbix. Such tooling serves as an initial access vector and potentially enables persistence and lateral movement.

DXC perspective

Continuously updating IT management and monitoring software is essential to securing and monitoring the infrastructure, including endpoints.