Since April 2023 [1] [2] [3] [4] [5] [8], a social engineering campaign has been targeting users of the Zimbra Collaboration email server [1] [2] [3] [5] [8]. This campaign primarily focuses on small and medium-sized enterprises and governmental entities [2] [4], with a particular emphasis on Poland, Ecuador [1] [2] [4] [5] [8], Italy [1] [2] [4] [5] [8], Mexico [1] [5] [8], and Russia [1] [5] [8].

The attackers behind this campaign send phishing emails to victims, pretending to be the victim organization’s administrator [7]. They claim that the email server is about to be updated and instruct the recipients to open an attached HTML file for instructions [7]. However, the attachment is actually a fake Zimbra login page designed to steal login credentials [7]. When victims open the HTML file [4], they are presented with a tailored Zimbra login page [4], with their email address already filled in [3]. The attackers collect the victims’ login credentials and send them to their own servers.

What sets this campaign apart is its ability to propagate further by leveraging the compromised accounts of previously targeted companies [3]. The attackers may also use compromised admin accounts to create new accounts for distributing phishing emails [7]. Despite its lack of technical sophistication, the campaign has been successful in bypassing anti-spam policies due to the use of legitimate code in the HTML attachments [3]. The popularity of Zimbra Collaboration servers among organizations with limited IT budgets makes them an attractive target for threat actors.

This campaign has not been attributed to any known threat actor or group [1] [5]. However, previous campaigns have targeted Zimbra Collaboration vulnerabilities. The APT group Winter Vivern exploited vulnerabilities in Zimbra Collaboration to target webmail portals of military, government [1] [2] [4] [5] [6] [8], and diplomatic entities in European countries [6]. Another group called TEMP_Heretic also exploited vulnerabilities in Zimbra Collaboration to extract emails from European government and media organizations. Recently, researchers have discovered a similar campaign where the fraudulent Zimbra login page was directly embedded within the email itself [6].

This ongoing social engineering campaign against Zimbra Collaboration email server users has clear implications for defenders. It highlights the need for increased awareness and vigilance among organizations, especially small and medium-sized enterprises and governmental entities [2] [4] [5] [8]. Mitigations should include educating users about phishing techniques and implementing multi-factor authentication. Additionally, organizations should regularly update and patch their Zimbra Collaboration servers to protect against known vulnerabilities. The success of this campaign underscores the importance of proactive cybersecurity measures and the constant evolution of threat actors’ tactics.