Researchers have spotted a phishing campaign from the Russian APT group known as Winter Vivern, TA473, and UAC-0114 exploiting a vulnerability in Zimbra Collaboration software to hack the emails of government agencies in different European countries.
Winter Vivern’s mode of operation is to send phishing emails that impersonate employees of the target organization, or of its parent organization, who have political affiliations with the government.
These emails are sent from addresses on compromised domains or hosted on vulnerable WordPress websites. The message includes a link to a resource on the target organization’s official website.
Winter Vivern is exploiting the medium-severity Zimbra vulnerability tracked as CVE-2022-27926, which Zimbra patched in version 9.0.0 Patch 24 a year ago. The XSS flaw lets threat actors craft links with appended code that executes inside the victim’s browser when the link is opened.
That code can then steal the victim’s username, password, and active CSRF token from a cookie and send them to an attacker-controlled server.
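As an added example (not from the article or from Proofpoint’s research), the following Python scans web-server access-log lines for requests to webmail paths whose query parameters carry the kind of appended script the article describes. The path prefixes, indicator patterns and log lines are constructed assumptions for illustration, not endpoints or payloads from any advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed webmail path prefixes a SIEM rule would scope to (constructed, not from an advisory).
WEBMAIL_PREFIXES = ("/zimbra/", "/public/", "/roundcube/", "/mail/")

# Indicators of injected script in a reflected parameter value.
SCRIPT_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),    # inline event handlers such as onerror=
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"document\.cookie", re.I),  # cookie/token theft marker from the article
]

# Common Log Format: client ip, timestamp, "METHOD URL PROTOCOL", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" (?P<status>\d{3})'
)

def suspicious_params(url: str) -> list[str]:
    """Return names of query parameters whose decoded value looks like injected script."""
    parts = urlsplit(url)
    if not parts.path.startswith(WEBMAIL_PREFIXES):
        return []          # outside the webmail portal: out of scope for this rule
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again to unmask double-encoded values.
        decoded = unquote(value)
        if any(p.search(decoded) for p in SCRIPT_PATTERNS):
            hits.append(name)
    return hits

def scan_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (ip, url, flagged params) for requests carrying reflected-XSS indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = suspicious_params(m.group("url"))
        if params:
            findings.append((m.group("ip"), m.group("url"), params))
    return findings

# Constructed sample log lines (RFC 5737 test addresses); the third is double-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Mar/2023:09:12:01 +0000] "GET /public/index.jsp?url=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '198.51.100.4 - - [30/Mar/2023:09:12:05 +0000] "GET /zimbra/?app=mail HTTP/1.1" 200 9021',
    '203.0.113.7 - - [30/Mar/2023:09:13:44 +0000] "GET /roundcube/?_task=mail&_q=%253Cimg%2520src%253Dx%2520onerror%253Ddocument.cookie%253E HTTP/1.1" 200 301',
    '192.0.2.9 - - [30/Mar/2023:09:14:00 +0000] "GET /docs/guide?q=%3Cscript%3E HTTP/1.1" 404 123',
]

if __name__ == "__main__":
    for ip, url, params in scan_log(SAMPLE_LOG):
        print(f"{ip} {url} flagged params={params}")
```

Requests outside the webmail prefixes are ignored so the rule stays focused on the portal the campaign targets; widen the prefixes to match your own deployment.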
Researchers also observed TA473 specifically targeting Roundcube webmail request tokens. This focus on which webmail portal each targeted European government entity runs indicates the level of reconnaissance TA473 performs before sending phishing emails to organizations.
To prevent such attacks, restrict what publicly reachable webmail portals expose, and update Zimbra to the latest version as the advisory recommends.
This research was documented by researchers from Proofpoint.