Four distinct groups exploited a zero-day vulnerability in the Zimbra Collaboration email software in real-world attacks, aiming to illicitly acquire email data, user credentials, and authentication tokens.
Zimbra Zero-Day Exploited
“After the initial fix became public on GitHub, the majority of this activity took place,” stated Google Threat Analysis Group (TAG) in a report provided to The Hacker News.
The identified vulnerability, assigned CVE-2023-37580 with a CVSS score of 6.1, is a reflected cross-site scripting (XSS) flaw that affects versions preceding 8.8.15 Patch 41. Zimbra promptly addressed this issue through patches released on July 25, 2023.
Successful exploitation could allow malicious scripts to run in victims’ web browsers once they are lured into clicking a specially crafted URL; the click sends the XSS request to Zimbra, which reflects the payload back into the user’s browser.
Google TAG, with researcher Clément Lecigne credited for discovering and reporting the bug, revealed that it identified multiple campaign waves commencing on June 29, 2023—at least two weeks prior to Zimbra issuing an advisory.
Three out of the four campaigns were observed before the patch release, while the fourth campaign was detected a month after the fixes were published.
The initial campaign is reported to have focused on a government organization in Greece. Emails containing exploit URLs were sent to the targets; when a target clicked, the URL delivered email-stealing malware that had previously been seen in a cyber espionage operation tracked as EmailThief in February 2022.
That intrusion set, codenamed TEMP_HERETIC by Volexity, also leveraged a zero-day flaw in Zimbra as part of those attacks.
Winter Vivern, identified as the second threat actor exploiting CVE-2023-37580, aimed its attacks at government organizations in Moldova and Tunisia shortly after the vulnerability patch was made available on GitHub on July 5.
Notably, this group has previously been linked to the exploitation of security vulnerabilities in Zimbra Collaboration and Roundcube, as reported by Proofpoint and ESET earlier this year.
TAG also reported the identification of a third, unnamed group that weaponized the bug before the patch was released on July 25. This group focused on phishing attempts to obtain credentials from a government organization in Vietnam.
“In this instance, the exploit URL led to a script showing a phishing page for users’ webmail credentials. The stolen credentials were then posted to a URL hosted on an official government domain, likely compromised by the attackers,” highlighted TAG.
Additionally, a government organization in Pakistan fell victim to the flaw on August 25, leading to the exfiltration of the Zimbra authentication token to a remote domain named “ntcpk[.]org.”
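Two of the observable artifacts described above, the crafted URL that carries a script into a reflected-XSS request (the mechanism behind CVE-2023-37580) and the exfiltration of a Zimbra authentication token to the domain “ntcpk[.]org”, can both be hunted for in existing logs. The following Python script is an added example for defenders, not code from Google TAG, Zimbra or the original report: it triages constructed, simplified web-server access-log lines for script-bearing request parameters (decoding repeatedly so double-encoded payloads are still caught) and checks referers and outbound proxy destinations against the defanged IoC from the article. The endpoint and parameter names in the sample lines are placeholders, not the vulnerable Zimbra endpoint, and the log formats are simplified assumptions.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Defanged domain IoC from the report, refanged for matching. Any other
# domains a team tracks would be appended here in the same defanged form.
IOC_DOMAINS_DEFANGED = ["ntcpk[.]org"]


def refang(domain):
    return domain.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Simplified "combined" access-log format (assumption, not Zimbra's exact format):
# client ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markup fragments that have no business inside a webmail request parameter.
XSS_MARKERS = re.compile(
    r'<\s*script|javascript\s*:|on(?:error|load|mouseover|focus)\s*=|<\s*(?:img|svg|iframe)\b',
    re.IGNORECASE,
)


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_reflected_xss_attempt(target):
    """True if the path or any query value contains a script marker after decoding."""
    parts = urlsplit(target)
    candidates = [fully_decode(parts.path)]
    candidates += [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return any(XSS_MARKERS.search(c) for c in candidates)


def references_ioc(url):
    """True if the URL's host is an IoC domain or a subdomain of one."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def triage(access_lines):
    """Flag access-log lines that look like reflected-XSS attempts or reference an IoC."""
    findings = []
    for line in access_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these
        reasons = []
        if is_reflected_xss_attempt(rec["target"]):
            reasons.append("script-bearing request parameter (possible reflected XSS)")
        if references_ioc(rec["referer"]):
            reasons.append("referer on known IoC domain")
        if reasons:
            findings.append({"client": rec["client"], "target": rec["target"], "reasons": reasons})
    return findings


def ioc_hits(proxy_lines):
    """Flag outbound proxy records (time client destination_url) whose destination is an IoC."""
    hits = []
    for line in proxy_lines:
        fields = line.split()
        if len(fields) != 3:
            continue
        when, client, dest = fields
        if references_ioc(dest):
            hits.append({"time": when, "client": client, "destination": dest})
    return hits


# Constructed sample data. /h/PLACEHOLDER_ENDPOINT and the parameter "p" are
# placeholders, not the real vulnerable endpoint; client addresses are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [25/Aug/2023:10:00:01 +0000] "GET /h/search?query=quarterly%20report HTTP/1.1" 200 4321 "https://mail.example.org/" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Aug/2023:10:00:07 +0000] "GET /h/PLACEHOLDER_ENDPOINT?p=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Aug/2023:10:00:12 +0000] "GET /h/PLACEHOLDER_ENDPOINT?p=%253Cscript%253Ex%253C%252Fscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Aug/2023:10:00:20 +0000] "GET /h/search?query=a HTTP/1.1" 200 2048 "https://ntcpk.org/PLACEHOLDER.html" "Mozilla/5.0"',
    "this line is not in the expected format",
]
SAMPLE_PROXY_LOG = [
    "2023-08-25T10:01:02Z 10.0.0.5 https://updates.example.org/check",
    "2023-08-25T10:01:05Z 10.0.0.5 https://ntcpk.org/PLACEHOLDER_PATH?t=REDACTED",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESS_LOG):
        print("ACCESS", f)
    for h in ioc_hits(SAMPLE_PROXY_LOG):
        print("PROXY ", h)
```

The referer check only catches pages that load Zimbra content from the IoC domain; the token exfiltration itself is an outbound request from the victim's browser, which is why the same `references_ioc` check is also run over proxy (or DNS) records. Hits from the first function indicate exploitation attempts against the server regardless of whether it is patched; hits from the second indicate a browser that has likely already executed the payload, and the affected user's Zimbra session and credentials should be invalidated.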
Google emphasized a recurring pattern wherein threat actors exploit XSS vulnerabilities in mail servers, underscoring the importance of comprehensive audits for such applications.
TAG emphasized the significance of organizations promptly applying fixes to their mail servers by pointing out the discovery of at least four campaigns exploiting CVE-2023-37580, with three of them surfacing after the bug was initially disclosed to the public.
Indicators of compromise (IoCs)