A new cyber-espionage group has been seen abusing a zero-day vulnerability in the Zimbra collaboration suite to gain access to the email inboxes. This is exploited from china
The attackers began exploiting this zero-day on December 14, when its researchers spotted the initial attacks on some of its customers. Its been noted the attacks were split into two stages. In first stage, the hackers sent a benign email meant to perform reconnaissance and determine if accounts were active and if users would be willing to open strange emails from unknown entities.
Zimbra webmail clients running versions 8.8.15 P29 & P30 and would allow the attackers to steal the Zimbra session cookie files . Allowing the attackers to connect to a Zimbra account, from where they would gain access to emails, send additional phishing messages to a user’s contacts, and even prompt users to download malware.
There are currently more than 33,000 Zimbra servers connected to the internet. Since most of the server version are latest, the attack surface was not large as expected.
A detailed report has been published by the research team volexity. IT team managing Zimbra servers can look at the report to validate the if they are affected ot not.