CISA issues warning about Zimbra bug being used in attacks against NATO nations.


The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a Zimbra Collaboration (ZCS) vulnerability that Russian hackers have been exploiting to break into the webmail accounts of NATO-aligned governments. The flaw is a reflected cross-site scripting (XSS) bug; the attackers used it to steal webmail credentials and then read the victims' email.

The group, tracked as Winter Vivern and TA473, abused the vulnerability (CVE-2022-27926) against the webmail portals of several NATO-aligned governments to access the inboxes of diplomats, government officials and military personnel.

Winter Vivern's attacks begin with the hackers running the Acunetix vulnerability scanner, a legitimate commercial tool, against internet-exposed webmail portals to find unpatched ZCS servers. The attackers then send phishing emails that spoof senders the recipients are likely to trust.

Each email links to attacker-controlled infrastructure. Depending on the target, the link either exploits CVE-2022-27926 or leads to a fake login page that tricks the recipient into entering their credentials.

In the exploitation case, the link carries a JavaScript payload in the URL. Because the vulnerable ZCS page reflects that input into the response without encoding it, the script runs in the victim's browser in the webmail portal's own origin, where it loads a further malicious script that issues cross-site request forgery (CSRF) requests. The goal of this stage is to capture the victim's Zimbra username, password and CSRF token.

The attackers then used the stolen credentials to log in and read sensitive data in the compromised webmail accounts, or to keep quietly monitoring the mail exchanged in them over time. These follow-on steps appear to be carried out manually rather than by automated tooling.

The hijacked accounts could also be used to send further phishing emails and to expand the attackers' access within the targeted organizations.
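The attack chain above rests on one bug class, reflected XSS, and on the fact that a script running in the webmail origin can read the session's CSRF token, so the token offers no protection against it. The following is an added example written for this article, not code from Zimbra, Proofpoint or CISA. Part 1 shows the bug class beside its hardened form; Part 2 is a defender's hunt over webmail access logs for URLs carrying a script payload, including the double-encoded variant that defeats naive filters. The endpoint /webmail/open, the subject parameter and every log line are constructed for illustration and are not the real Zimbra endpoint or real traffic.

```javascript
// Added example (not code from the article, Proofpoint, Zimbra or CISA).
// The endpoint /webmail/open, the "subject" parameter and the log lines
// below are constructed for illustration; they are NOT the real Zimbra
// endpoint or real traffic.

// ---- Part 1: reflected XSS, vulnerable vs hardened -----------------------

// Vulnerable: untrusted input concatenated straight into markup. A <script>
// in the parameter runs in the webmail origin, so it can read the session's
// CSRF token from the page and send authenticated requests with
// fetch(url, { credentials: "include" }). A CSRF token cannot stop a script
// that already runs same-origin; that is why XSS defeats it.
function renderVulnerable(param) {
  return `<html><body><h1>Opening ${param}</h1></body></html>`;
}

// HTML-encode the five characters that can break out of text or attributes.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same page, input encoded before it reaches the markup.
function renderHardened(param) {
  return `<html><body><h1>Opening ${htmlEscape(param)}</h1></body></html>`;
}

// Self-check used below: does the rendered HTML contain a script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// ---- Part 2: hunting for exploitation attempts in access logs -----------

// Apache/nginx "combined" log format: ip ident user [ts] "METHOD URL PROTO" status
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Markers of an injected script or event handler in a decoded query string.
const XSS_MARKERS = [/<script[\s>]/i, /\bon\w+\s*=/i, /javascript:/i];

// Percent-decode tolerantly; malformed sequences are returned unchanged.
function decodeLoose(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch { return s; }
}

// Parse each line, decode the query string twice (attackers double-encode to
// slip past single-decode filters) and report lines carrying a payload marker.
function flagSuspiciousRequests(logText) {
  const hits = [];
  for (const line of logText.split("\n")) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, ts, method, url, status] = m;
    const qIdx = url.indexOf("?");
    const query = qIdx === -1 ? "" : url.slice(qIdx + 1);
    const decoded = decodeLoose(decodeLoose(query));
    if (XSS_MARKERS.some((re) => re.test(decoded))) {
      hits.push({ ip, ts, method, path: qIdx === -1 ? url : url.slice(0, qIdx), status: Number(status), decoded });
    }
  }
  return hits;
}

// Constructed sample log: one benign request, one single-encoded external
// script load, one double-encoded <img onerror> payload from the same IP.
const SAMPLE_LOG = [
  '203.0.113.7 - - [03/Apr/2023:10:21:05 +0000] "GET /webmail/open?subject=Budget%20review HTTP/1.1" 200 512',
  '198.51.100.9 - - [03/Apr/2023:10:22:41 +0000] "GET /webmail/open?subject=%3Cscript%20src%3D%22https%3A%2F%2Fexample.invalid%2Fp.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 640',
  '198.51.100.9 - - [03/Apr/2023:10:23:02 +0000] "GET /webmail/open?subject=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640',
].join("\n");

// Stand-alone run: show whether each renderer emits the script, then the hits.
const demoPayload = "<script>alert(1)</script>";
console.log("vulnerable renders script:", containsScriptTag(renderVulnerable(demoPayload)));
console.log("hardened renders script:  ", containsScriptTag(renderHardened(demoPayload)));
for (const h of flagSuspiciousRequests(SAMPLE_LOG)) console.log(h.ip, h.ts, h.decoded);
```

The two flagged lines come from the same source address, which is the pivot a responder would take next: pull every request from that IP, check whether the status codes show the reflected page being served (200, as in the sample) and whether a webmail login followed from an address the account had never used. Only two of the three constructed lines are reported; the benign "Budget review" request decodes cleanly and matches no marker.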

Federal Agencies Must Complete Patching by April 24th

CISA has now added CVE-2022-27926 to its Known Exploited Vulnerabilities (KEV) catalog, the agency's list of security flaws confirmed to be actively exploited in attacks. The bug itself is not new: Zimbra fixed it in 2022 with ZCS 9.0.0 Patch 24, but it is only now being flagged as exploited in the wild.

In November 2021, CISA issued Binding Operational Directive (BOD) 22-01, which requires all Federal Civilian Executive Branch (FCEB) agencies to remediate any vulnerability on the KEV list that is present on their networks, within the deadline CISA sets for each entry.

CISA has given FCEB agencies three weeks, until April 24th, to patch their ZCS servers and protect their networks against attacks exploiting CVE-2022-27926. Administrators can check the installed release and patch level by running zmcontrol -v as the zimbra user; ZCS 9.0.0 installations below Patch 24 are affected.

Although BOD 22-01 applies only to FCEB agencies, CISA strongly urges all organizations to prioritize patching this vulnerability to avoid being targeted in future exploitation attempts.

In its announcement, CISA warned that vulnerabilities of this kind are frequent attack vectors for malicious cyber actors and pose a significant risk to the federal enterprise.

Last Thursday, CISA also ordered government agencies to patch security flaws that were exploited as zero-days in recent attacks to plant commercial spyware on Android and iOS mobile devices, campaigns that Google's Threat Analysis Group (TAG) disclosed publicly.
