The US cyber security authority CISA has added a vulnerability in the groupware Zimbra to its Known Exploited Vulnerabilities Catalog (KEV). The IT security service provider Proofpoint reports that attackers are using it to attack the webmail portals of governments belonging to the NATO alliance. The suspected cyber gang “Winter Vivern” has connections to Russia and Belarus.
The exploited vulnerability is found in Zimbra versions prior to 9.0.0 Patch 24, released in April last year. It is a so-called reflected cross-site scripting vulnerability: it allows unauthenticated attackers from the network to inject and execute arbitrary script code or HTML by means of crafted request parameters (CVE-2022-27926, CVSS 6.1, risk “medium”). Since it is apparently being actively abused by attackers, CISA has included it in the KEV catalog; US federal agencies must close the gap by April 24th.
IT security researchers provide attack details
Proofpoint’s IT security researchers have observed attacks by a group they call Advanced Persistent Threat (APT) TA473. It is also known by the name “Winter Vivern” or the acronym UAC-0114. Its first activities in this area go back to 2021. The researchers explain the details in a blog post.
The scripts are customized for each targeted organization and allow the cybercriminals to steal usernames, passwords, active session tokens and CSRF tokens. With these they can then log in to the webmail portal themselves, access e-mails without authorization and, where possible, entrench themselves and spread further. Proofpoint also lists some URLs as Indicators of Compromise (IOCs), i.e. signs of an infection. IT managers can use them to check e-mails for occurrences.
In any case, administrators should apply the available Zimbra patches as soon as possible to prevent potential damage and unwanted information leakage. Ideally, installations should be brought fully up to date, but at the very least the exploited security gap should be closed with the Zimbra 9.0.0 Patch 24 release.
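As an added illustration, not drawn from the article or from Proofpoint's report, the following Python script shows the two checks an administrator would run against the situation described above: scanning webmail access logs for request parameters that carry (possibly double-encoded) script or HTML markup, as a reflected XSS attempt would, and testing whether a Zimbra version string is at least 9.0.0 Patch 24. The log lines and the `alert(1)` payloads are constructed samples; the version-string format is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample webmail access-log lines (Combined Log Format style, not real traffic).
# Line 3 carries a URL-encoded <script> tag in a query parameter, line 4 a double-encoded
# event-handler attribute; lines 1 and 2 are ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2023:10:01:02 +0000] "GET /zimbra/ HTTP/1.1" 200 5120
203.0.113.9 - - [30/Mar/2023:10:03:40 +0000] "GET /zimbra/mail?app=mail&id=42 HTTP/1.1" 200 8192
203.0.113.7 - - [30/Mar/2023:10:02:15 +0000] "GET /zimbra/?p=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120
203.0.113.8 - - [30/Mar/2023:10:04:01 +0000] "GET /zimbra/?q=%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Markers of injected markup or script inside a decoded parameter value.
MARKUP_RE = re.compile(r"<\s*(script|iframe|svg|img|object)\b|javascript\s*:|\bon\w+\s*=", re.I)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; multiple layers are a common way to slip past filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_reflected_xss_attempts(log_text: str) -> list:
    """Return (line number, parameter name, decoded value) for query parameters carrying markup."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qsl already removes one encoding layer; fully_decode strips any further ones.
        for name, raw in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            decoded = fully_decode(raw)
            if MARKUP_RE.search(decoded):
                hits.append((lineno, name, decoded))
    return hits


def is_patched(version: str) -> bool:
    """True if an 'X.Y.Z Patch N' string (assumed format) is at least 9.0.0 Patch 24, as the article states."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[\s_]*[Pp](?:atch)?[\s_]*(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Zimbra version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups()) >= (9, 0, 0, 24)


if __name__ == "__main__":
    for lineno, name, value in find_reflected_xss_attempts(SAMPLE_LOG):
        print(f"line {lineno}: parameter {name!r} -> {value}")
    print("9.0.0 Patch 23 patched:", is_patched("9.0.0 Patch 23"))
```

Any hit the scan reports is a reason to pull the full request and the session it belonged to, not proof of compromise on its own; the IOC URLs from Proofpoint's report remain the authoritative indicators for this campaign.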
Zimbra vulnerabilities are frequently attacked by cybercriminals shortly after they become known. In the middle of last year, for instance, attackers chained two vulnerabilities to compromise thousands of Zimbra instances.