Exploit of Zimbra Email Platform Vulnerability Results in Theft of European Government Emails


Researchers at Proofpoint have documented a new phishing campaign by the threat group tracked as Winter Vivern (also known as TA473 and UAC-0114). By exploiting a known vulnerability in Zimbra Collaboration webmail, the group compromised email accounts belonging to government institutions in several European countries.

Attribution is not firmly established, but researchers assess that the group's activity is aligned with the interests of Belarus and Russia.

Zimbra Collaboration is an email and collaboration suite that also provides contact management, calendaring and task tracking. It can be deployed on-premises or consumed as a hosted service, and it is widely used by government bodies, schools, companies and service providers.

How does the group target its victims?

Winter Vivern's approach is to send phishing emails that impersonate staff of the targeted organization or of its parent organization, typically posing as a person holding a specific government role that the recipient would recognize.

The messages are sent from addresses on compromised domains, frequently hosted on vulnerable WordPress sites. The body usually contains what looks like a link to the targeted organization's own official website.

That link is malicious: it leads either to a payload hosted on attacker-controlled infrastructure or to a credential-harvesting page. The Zimbra flaw makes this lure considerably more effective, because the link can point at the victim organization's genuine webmail host while still delivering attacker code.

Zimbra Vulnerability Being Exploited by APT Group

According to its website, Zimbra is an open-source business email and collaboration platform, available on-premises and in the cloud, with millions of users in 140 countries. Its customers include governments, educational institutions, service providers and small and medium-sized businesses.

Proofpoint's researchers observed Winter Vivern exploiting a medium-severity Zimbra vulnerability, CVE-2022-27926. Zimbra fixed it in Zimbra Collaboration 9.0.0 Patch 24, released roughly a year before this campaign, so the attacks depend on instances that were never updated. The flaw is a reflected cross-site scripting (XSS) bug: an attacker can craft a link to the legitimate webmail host that carries attacker-supplied JavaScript in a URL parameter, and that script executes in the victim's browser, within the webmail site's origin, as soon as the link is opened.

Mode of Operation and Risks

The attackers are targeting government agencies that expose unpatched Zimbra web interfaces to the internet. Their phishing emails contain links to the victim's own webmail portal with a parameter carrying encoded JavaScript. Because the vulnerable endpoint reflects that parameter into the page without proper encoding, the browser runs the script in the context of the webmail application. The first stage then downloads a larger payload from the attackers' server, which issues requests to the webmail site as the logged-in user, a cross-site request forgery (CSRF) carried out from inside the victim's session.

That second-stage script harvests the user's username and password together with live CSRF tokens taken from cookies and sends them to attacker-controlled infrastructure. With valid credentials and tokens, the attackers can log in to the webmail portal and read the mailbox; the JavaScript is tailored per target and contains hard-coded URLs for the organization's mail server so it can issue requests directly against that host.
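The following is an added example, not Proofpoint's research code or Zimbra's own source, illustrating the two halves of the reflected-XSS problem described above: a page that reflects a query parameter verbatim beside the output-encoded fix, and a log check a defender can run over web-server access logs to spot links carrying (possibly double-)URL-encoded script in a parameter. The endpoint path, the parameter name and the log lines are constructed for illustration and are not CVE-2022-27926's actual endpoint or real traffic.

```javascript
// Added example (not Proofpoint's or Zimbra's code). The endpoint path,
// parameter name and log lines below are constructed for illustration and
// do not describe CVE-2022-27926's real vulnerable endpoint.

// Minimal HTML entity encoding for text nodes and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: a query parameter is reflected into the page verbatim,
// so a crafted link to the legitimate host runs attacker JavaScript in the
// webmail origin.
function renderVulnerable(query) {
  return `<div class="status">Search results for: ${query}</div>`;
}

// Hardened pattern: the same reflection, but the value is entity-encoded
// before it is placed into HTML text content.
function renderHardened(query) {
  return `<div class="status">Search results for: ${escapeHtml(query)}</div>`;
}

// Coarse check for script delivery in a string: a script tag, an inline
// event handler, or a javascript: URL.
function containsScript(s) {
  return /<script[\s>]|on\w+\s*=|javascript:/i.test(s);
}

// Extract the request URI from a combined-format access-log line and return
// the URL-decoded query values, so encoded payloads become visible.
function decodedQueryValues(logLine) {
  const m = logLine.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
  if (!m) return [];
  // The base hostname is a placeholder; only the path and query matter here.
  const url = new URL(m[1], "https://webmail.example.invalid");
  const values = [];
  for (const v of url.searchParams.values()) {
    // searchParams already decoded one layer; decode again up to a few times
    // because phishing links are often double-encoded to evade filters.
    let cur = v;
    let prev = null;
    for (let i = 0; i < 3 && cur !== prev; i++) {
      prev = cur;
      try {
        cur = decodeURIComponent(cur);
      } catch {
        break; // malformed percent-encoding: keep what we have
      }
    }
    values.push(cur);
  }
  return values;
}

function isSuspiciousRequest(logLine) {
  return decodedQueryValues(logLine).some(containsScript);
}

function flaggedLines(lines) {
  return lines.filter(isSuspiciousRequest);
}

// Constructed sample access-log lines (not real traffic): a benign search,
// a single-encoded script tag, and a double-encoded inline event handler.
const SAMPLE_LOG = [
  '203.0.113.5 - - [28/Mar/2023:10:14:02 +0000] "GET /webmail/search?q=quarterly%20report HTTP/1.1" 200 5120',
  '203.0.113.7 - - [28/Mar/2023:10:15:41 +0000] "GET /webmail/search?q=%3Cscript%3Evar%20s%3Ddocument.createElement(%22script%22)%3B%3C%2Fscript%3E HTTP/1.1" 200 5312',
  '203.0.113.9 - - [28/Mar/2023:10:16:03 +0000] "GET /webmail/search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5290',
];

console.log("Vulnerable render:", renderVulnerable("<script>alert(1)</script>"));
console.log("Hardened render:  ", renderHardened("<script>alert(1)</script>"));
console.log("Flagged log lines:", flaggedLines(SAMPLE_LOG).length);
```

The log check deliberately decodes repeatedly: a web application firewall or a naive grep that inspects only the raw request line misses payloads that were percent-encoded twice, which the browser and server will still happily unwrap. The hardened renderer is the general fix for this bug class: every untrusted value reflected into HTML must be encoded for the context it lands in, which is exactly what the unpatched endpoint failed to do.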

Proofpoint's report also notes that in some cases TA473 targeted Roundcube webmail request tokens instead. This indicates reconnaissance before delivery: the group identifies which webmail platform each European government target runs and tailors the phishing link and payload accordingly.

Proofpoint points out that these labor-intensive, per-target payloads let the attackers obtain usernames, passwords and active session and CSRF tokens from cookies, which in turn give them access to publicly exposed webmail portals belonging to NATO-aligned organizations.

Any organization that has not updated its Zimbra deployment in the past twelve months, and is therefore still running a build older than 9.0.0 Patch 24, remains exposed to TA473. Beyond patching, restricting who can reach public-facing webmail portals reduces the attack surface: if external attackers cannot load the portal's pages, they cannot build tailored scripts against them to steal credentials and take over mailboxes.

Previous Victims of Winter Vivern

Earlier victims of the group were located in India, Vietnam, Lithuania, Slovakia and the Vatican. In March, SentinelLabs reported that its recent focus had shifted to the Italian and Ukrainian foreign affairs ministries, Polish government agencies, Indian government personnel, and telecommunications companies supporting Ukraine during the war.

Prior Proofpoint research found that the group has also targeted elected officials of the US government and their staff.
