Researchers have spotted a phishing campaign from the Russian APT group known as Winter Vivern, TA473, and UAC-0114 exploiting a vulnerability in Zimbra Collaboration software to hack the emails of government agencies in different European countries.
Winter Vivern’s mode of operation includes sending out phishing emails impersonating the target organizations or their parent organizations’ employees with political affiliation to the government.
These emails are sent from email IDs having compromised domains or hosted on vulnerable WordPress websites. The email message includes a link to a resource of the target organization’s official website.
Winter Vivern is targeting the medium severity Zimbra vulnerability tracked as CVE-2022-27926, which Zimbra already patched in version 9.0.0 Patch 24, one year ago. The XSS flaws can allow threat actors to create links with appended code, which execute malware inside the browser when opened.
Campaign details
- The hackers target government agencies through vulnerable Zimbra installations/web interfaces and send phishing emails with links that exploit the XSS flaw and execute encoded JavaScript.
- Once executed by the browser, a larger JavaScript payload is fetched from the attackers’ server and executed on the website in what’s called a cross-site request forgery attack.
- Attackers can now steal the victims’ usernames, passwords, and active CSRF tokens obtained from a cookie and transfer the information to their server.
- After obtaining login credentials and tokens, the malicious JavaScript uses hardcoded URLs to hijack the email portal.
Researchers observed TA473 specifically targeting RoundCube webmail request tokens as well. This detailed focus on which webmail portal is being run by targeted European government entities indicates the level of reconnaissance that TA473 conducts before delivering phishing emails to organizations.
To prevent such attacks, it is important to restrict resources on publicly available webmail portals. It’s highly recommended to update to the latest Zimbra as per the advisory.
This research was documented by researchers from Proofpoint
