The Zimbra Collaboration Suite (ZCS) [1] [4] [6] [8], a widely used email server, calendaring, chat and video platform [8], was targeted by multiple cyberattack groups [6]. These groups exploited a then-zero-day vulnerability (CVE-2023-37580) in the Zimbra email server to steal email data, user credentials [2] [4] [5] [6] [7] [8], and authentication tokens from government organizations worldwide [4] [6] [8].

Description

The vulnerability, a reflected cross-site scripting (XSS) flaw [2] [4] [7] [8], allowed malicious actors to inject scripts through URL parameters [1], which then ran in the victim's browser session and enabled unauthorized commands [1]. It affected versions before 8.8.15 Patch 41 and was addressed by Zimbra on July 25, 2023 [2] [7]. The attacks began in June and targeted government organizations in Greece, Moldova [1] [2] [4] [5] [7], Tunisia [1] [2] [3] [4] [5] [7], Vietnam [1] [2] [3] [4] [5] [7], and Pakistan [1] [2] [3] [4] [5] [7].
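To make the mechanism concrete, the following is an added example written for this summary; it is not Zimbra's code and does not reproduce the real CVE-2023-37580 endpoint. It uses a constructed error page that echoes a URL parameter, shows the unescaped (vulnerable) rendering beside the HTML-escaped (hardened) one, and then runs a small detector over constructed web-server access-log lines to flag requests whose decoded query values carry script markers, including double-percent-encoded ones. The endpoint path `/m/error`, the parameter name `msg`, the IP addresses and the log lines are all invented for the example.

```python
"""Added example (not Zimbra's code): reflected XSS via a URL parameter,
the escaping that neutralises it, and an access-log scanner for attempts.
Endpoint, parameter names, addresses and log lines are constructed."""
import html
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed page template: the web app echoes a query parameter into HTML.
TEMPLATE = "<html><body><p>Error: {msg}</p></body></html>"


def render_vulnerable(query: str) -> str:
    """'Before' form: reflects the parameter verbatim, so markup placed in
    the URL is interpreted by the browser as part of the page."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    return TEMPLATE.format(msg=params.get("msg", ""))


def render_safe(query: str) -> str:
    """Hardened form: characters significant to HTML are escaped before the
    value is placed in the document, so the browser shows them literally."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    return TEMPLATE.format(msg=html.escape(params.get("msg", ""), quote=True))


# Markers that rarely appear in legitimate query values but are typical of
# script-injection attempts; matched against the fully URL-decoded value.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %253C (double-encoded '<') is caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


# Combined log format: client ip, identity, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def flag_suspicious_requests(log_lines):
    """Return (client ip, path, parameter name) for each request whose decoded
    query value matches an XSS marker; input is combined-log-format lines."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if XSS_MARKERS.search(decode_fully(value)):
                hits.append((m.group("ip"), parts.path, name))
    return hits


# Constructed sample log: one benign error page, one plain injection attempt,
# one double-encoded attempt, one ordinary mailbox request.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Nov/2023:10:01:02 +0000] "GET /m/error?msg=Session+expired HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Nov/2023:10:02:15 +0000] "GET /m/error?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540',
    '198.51.100.7 - - [16/Nov/2023:10:02:40 +0000] "GET /m/error?msg=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 548',
    '192.0.2.9 - - [16/Nov/2023:10:03:01 +0000] "GET /mail?view=conv&id=1234 HTTP/1.1" 200 2048',
]


def main():
    attempt = "msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print("unescaped :", render_vulnerable(attempt))
    print("escaped   :", render_safe(attempt))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)


if __name__ == "__main__":
    main()
```

The scanner is deliberately narrow: it looks only at decoded query values, so it is a triage aid for the "crafted URL" pattern the articles describe, not a substitute for patching. The fully-decoding step matters because a single decode pass misses `%253C`, which a web server logs as-is but a browser may end up interpreting after the application decodes it again.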

Google’s Threat Analysis Group (TAG) identified four distinct government-targeted campaigns exploiting the vulnerability [6]. The first campaign delivered email-stealing malware to a government organization in Greece. Winter Vivern [2] [5], a known threat actor with ties to Russia or Belarus [5], targeted government organizations in Moldova and Tunisia [1] [2] [3] [4] [7]. Another unidentified group launched a phishing campaign to steal credentials from a government organization in Vietnam. Lastly [2], a government organization in Pakistan had its Zimbra authentication token exfiltrated.

These campaigns involved various activities, including pilfering emails and attachments [6], establishing auto-forwarding rules [1] [6], and launching phishing expeditions [6]. The discovery of these campaigns highlights the importance of promptly applying fixes to mail servers and auditing applications for XSS vulnerabilities [2] [4] [6]. It is worth noting that Zimbra has previously experienced security incidents, such as a remote code execution bug and an infostealing campaign by North Korea [4]. These incidents further emphasize the criticality of organizations prioritizing patching and maintaining robust security practices, including staying updated with security patches and advisories [1].

Exploit activity increased after Zimbra posted a hotfix on its public GitHub site [5]: three of the four campaigns began after the hotfix was made public but before the official patch reached users [5]. This underscores the importance of promptly applying fixes to vulnerabilities. Winter Vivern [2] [5], one of the threat actors involved [5], has previously targeted Ukraine and has ties to Russia or Belarus. The exploit allowed hackers to inject malicious scripts through a crafted URL [5]. The first known exploitation targeted a government agency in Greece [5], while subsequent campaigns targeted government agencies in Moldova [5], Tunisia [1] [2] [3] [4] [5] [7], Vietnam [1] [2] [3] [4] [5] [7], and Pakistan [1] [2] [3] [4] [5] [7]. These campaigns also demonstrate how attackers monitor open-source repositories so they can exploit vulnerabilities before fixes are released to users [5].

Conclusion

The cyberattacks on the Zimbra Collaboration Suite highlight the significant impacts that can result from exploiting vulnerabilities in widely used email servers. Promptly applying fixes and regularly auditing applications for vulnerabilities are crucial in mitigating such attacks. The incidents involving Zimbra also serve as a reminder for organizations to prioritize patching and maintain robust security practices. Additionally, the increased exploit activity following the public release of a hotfix emphasizes the importance of promptly addressing vulnerabilities. As threat actors continue to monitor open-source repositories, it is essential for developers and users to stay vigilant and proactive in addressing security vulnerabilities.

References

[1] https://siliconangle.com/2023/11/16/google-reveals-details-zimbra-vulnerability-used-target-government-organizations/
[2] https://www.redpacketsecurity.com/zero-day-flaw-in-zimbra-email-software-exploited-by-four-hacker-groups/
[3] https://duo.com/decipher/four-threat-groups-targeted-zimbra-collaboration-flaw
[4] https://www.darkreading.com/attacks-breaches/apts-swarm-zimbra-zero-day-to-steal-government-info-worldwide
[5] https://www.bankinfosecurity.com/google-says-4-attack-campaigns-exploited-zimbra-zero-day-a-23607
[6] https://vulnera.com/newswire/global-government-data-breaches-multiple-apts-exploit-zimbra-zero-day/
[7] https://thehackernews.com/2023/11/zero-day-flaw-in-zimbra-email-software.html
[8] https://ciso2ciso.com/apts-swarm-zimbra-zero-day-to-steal-government-info-worldwide-source-www-darkreading-com/