A Russia-based threat group known as Winter Vivern, or TA473, has been exploiting a flaw in the Zimbra webmail client to exfiltrate emails from officials in European countries.
Security outfit Proofpoint said the attackers exploit a vulnerability tracked as CVE-2022-27926 on unpatched, internet-facing Zimbra Collaboration servers, which the group locates using a vulnerability scanner.
CVE-2022-27926 is described as a “Reflected cross-site scripting (XSS) vulnerability of Zimbra Collaboration 9.0” that “allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.” It was patched by Zimbra in April 2022.
The attackers exploit this vulnerability through tailored phishing: the victim is persuaded to click a link to an apparently benign URL that the threat actors have hijacked to deliver a JavaScript injection exploit.
In cases observed by Proofpoint, the compromised Zimbra servers are then made to run customised cross-site request forgery (CSRF) JavaScript code that emulates the Zimbra webmail portal but sends the user's login details and tokens to the attackers. The malicious code then uses these credentials to log in to the legitimate webmail portal.
The malicious code is designed to compromise government webmail portals and incorporates much of each portal's legitimate code, obtained through reverse engineering. That the attack is customised to such a granular level suggests a high degree of preparatory reconnaissance before it is launched.
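As an added defensive example (not from the article or from Proofpoint), the Python below triages web-server access logs for the request pattern this attack relies on: a victim following a phishing link whose request parameters carry injected script, which the vulnerable server then reflects. The log lines and the `/webmail/...` paths are constructed placeholders, since the article does not name the vulnerable Zimbra endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Markers typical of an HTML/JS injection attempt inside a reflected parameter.
INJECTION_MARKERS = (
    "<script", "javascript:", "onerror=", "onload=", "<img", "<svg", "document.cookie",
)

# Constructed sample lines in Common Log Format (placeholder paths, not real Zimbra traffic).
# Line 3 carries a double-URL-encoded payload, a common way to slip past naive filters.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2023:10:00:01 +0000] "GET /webmail/login?user=alice HTTP/1.1" 200 512
203.0.113.9 - - [01/Apr/2023:10:00:02 +0000] "GET /webmail/view?id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3071
203.0.113.9 - - [01/Apr/2023:10:00:03 +0000] "GET /webmail/view?id=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 3071
198.51.100.2 - - [01/Apr/2023:10:00:04 +0000] "GET /webmail/search?q=quarterly%20report HTTP/1.1" 200 8100
"""

# client IP, timestamp, method and request target of a CLF line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads do not evade the markers."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(request_target):
    """Return (name, decoded_value) for query parameters that carry injection markers."""
    query = urlsplit(request_target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        decoded = fully_decode(value).lower()
        if any(marker in decoded for marker in INJECTION_MARKERS):
            hits.append((name, decoded))
    return hits


def triage_log(text):
    """One finding per log line whose query string looks like a reflected-XSS attempt."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src_ip, ts, method, target = m.groups()
        hits = suspicious_params(target)
        if hits:
            findings.append({"src_ip": src_ip, "time": ts, "method": method,
                             "path": urlsplit(target).path, "params": hits})
    return findings
```

The marker list is a starting heuristic: HTML-entity or Unicode-encoded variants and payloads carried in POST bodies will not appear in these fields, so treat hits as leads for the unpatched-version check rather than as proof of compromise.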
Over the past two years, TA473 has been observed targeting US and European entities that have been supportive of Ukraine. It has been blamed for attacks against Ukrainian and Polish government targets.
Proofpoint said that organisations running Zimbra Collaboration 9.0 should ensure it is patched, and those in targeted sectors should also restrict access to resources on publicly facing webmail portals from the public internet.