The US cyber security authority CISA has added a vulnerability in the Zimbra groupware to its Known Exploited Vulnerabilities Catalog (KEV). The IT security service provider Proofpoint reports that attackers are using it to attack the webmail portals of governments belonging to the NATO alliance. The group suspected to be behind the attacks, “Winter Vivern”, has ties to Russia and Belarus.
The exploited vulnerability affects Zimbra versions prior to 9.0.0 Patch 24, released in April of last year. It is a so-called reflected cross-site scripting (XSS) vulnerability, which allows unauthenticated attackers on the network to inject and execute arbitrary script code or HTML via crafted request parameters (CVE-2022-27926, CVSS 6.1, risk “medium”). Since it is apparently being actively exploited, CISA has added it to the KEV catalog; US federal agencies must close the gap by April 24th.
IT security researchers provide attack details
Proofpoint’s security researchers have observed attacks by a group they track as Advanced Persistent Threat (APT) TA473. It is also known as “Winter Vivern” or by the acronym UAC-0114. Its first activities in this area date back to 2021. The researchers explain the details in a blog post.
The group attacks publicly accessible Zimbra webmail portals. Its aim is to gain access to the e-mails of military, government and diplomatic organizations in Europe involved in the Russia-Ukraine war. Since the end of 2022, Proofpoint has also observed attacks on US officials. The group uses tools such as Acunetix to find unpatched webmail portals. After this initial reconnaissance, the criminals send targeted phishing e-mails to potential victims that claim to contain relevant government content. The body of the e-mail, however, contains malicious links that execute JavaScript obfuscated with multiple layers of Base64 in the victims’ webmail portals, thereby exploiting the Zimbra vulnerability.
The scripts are customized for each targeted organization and allow the criminals to steal usernames, passwords, active session tokens and CSRF tokens. With these they can log in to the webmail portal, read e-mails without authorization and, where possible, establish a foothold and spread further. Proofpoint also lists several URLs as Indicators of Compromise (IOCs), i.e. signs of an infection, which IT managers can use to check their mail for occurrences.
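As a defender-side illustration of the attack chain described above, here is an added example (not code from the heise article, Proofpoint or Zimbra) that scans web server access log lines for request parameters carrying script markup directly or under one or more Base64 layers. The log lines, the /webmail path and the test payload are constructed, and the marker patterns are a coarse heuristic to be tuned per site.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, urlsplit
# Coarse markers for injected script/HTML (tune per site) and a "looks like one Base64 token" check.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|<\s*(iframe|img|svg)\b|\bon[a-z]+\s*=", re.I)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_layers(value, max_depth=4):
    """Return value plus each Base64 layer peeled from it (the campaign nests several)."""
    layers, current = [value], value
    for _ in range(max_depth):
        if not B64_TOKEN.match(current):
            break
        try:
            padded = current + "=" * (-len(current) % 4)
            current = base64.b64decode(padded, altchars=b"-_").decode("utf-8", "replace")
        except ValueError:  # binascii.Error (bad padding) is a ValueError
            break
        layers.append(current)
    return layers

def suspicious_params(request_target):
    """Return [(name, layer)] for query parameters that expose script/HTML directly or once decoded."""
    hits = []
    for name, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        for layer in decode_layers(value):
            if SCRIPT_MARKERS.search(layer):
                hits.append((name, layer))
                break
    return hits

def scan_access_log(lines):
    """Return (line_number, client_ip, hits) for each combined-log-format request worth review."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and (hits := suspicious_params(match.group(1))):
            findings.append((number, line.split(" ", 1)[0], hits))
    return findings

ONCE = base64.b64encode(b"<script>alert(1)</script>").decode()  # constructed test payload
TWICE = base64.b64encode(ONCE.encode()).decode()  # same payload wrapped a second time
SAMPLE_LOG = [  # constructed sample; hypothetical /webmail path, RFC 5737 test addresses
    '198.51.100.10 - - [30/Mar/2023:09:01:11 +0000] "GET /webmail/?app=mail HTTP/1.1" 200 5123',
    '198.51.100.10 - - [30/Mar/2023:09:02:30 +0000] "GET /webmail/page?view=aGVsbG8gd29ybGQgMjAyMw%3D%3D HTTP/1.1" 200 812',
    f'203.0.113.7 - - [30/Mar/2023:09:05:02 +0000] "GET /webmail/page?view={quote(ONCE, safe="")} HTTP/1.1" 200 412',
    f'203.0.113.7 - - [30/Mar/2023:09:05:09 +0000] "GET /webmail/page?view={quote(TWICE, safe="")} HTTP/1.1" 200 412',
    '203.0.113.8 - - [30/Mar/2023:09:06:40 +0000] "GET /webmail/page?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 402',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags only the last three lines; the plain Base64 value on line 2 decodes to harmless text and is left alone.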
In any case, administrators should apply the available Zimbra patches as soon as possible to prevent potential damage and unwanted information leakage. Ideally the installation should be fully up to date, but at the very least the exploited security gap should be closed with the Zimbra 9.0.0 Patch 24 release.
Zimbra vulnerabilities are often attacked by cybercriminals shortly after they become known. In the middle of last year, attackers chained two vulnerabilities to compromise thousands of Zimbra instances.
(dmk)