A computer screen showing personal and financial data being stolen through an unlocked screen.

Winter Vivern used Zimbra’s vulnerability to target European governments

Winter Vivern, a Russian hacking group known as TA473, has been exploiting unpatched Zimbra endpoints since February 2023. The group has been hacking into the emails of government agencies across Europe by exploiting a vulnerability in Zimbra Collaboration software.

Users of the Zimbra Collaboration platform can send and receive emails, manage contacts, calendars, and tasks for business collaboration and email services. It is commonly used by businesses, educational institutions, service providers, and governments, and can be used on-premises or in the cloud.

Sentinel Labs released a report on a recent campaign executed by ‘Winter Vivern’ around a fortnight ago. They designed fake websites spoofing European cybercrime organisations to spread malware disguised as a virus scanner.

This week, Proofpoint issued a new report revealing how a threat actor is attacking CVE-2022-27926 on Zimbra Collaboration servers to get access to NATO-aligned organisations and users’ emails.

How is Winter Vivern Targeting Zimbra?

Winter Vivern attacks start with the threat actor using the Acunetix tool vulnerability scanner to check for unpatched webmail platforms.

Winter Vivern’s operating strategy includes sending phishing emails that spoof employees of the target organisations or their parent organisations with political connections to the government.

Phishing attacks have been detected regularly in both American and European targets. Similar approaches have also been seen in malware distribution, cross-site request forgery (CSRF), and credential harvesting attacks.

Phishing Email Sent by Winter Vivern with Malicious Link
Phishing Email Sent by Winter Vivern with Malicious Link (Proofpoint)

A link present in the emails tricks recipients into clicking on it, which redirects them to a payload hosted on the attacker’s domain or a webpage that steals their login credentials. This method’s effectiveness is further enhanced by the cross-site scripting vulnerability discovered in Zimbra.

The emails also contain a link that exploits the CVE-2022-27926 vulnerability in the target’s compromised Zimbra infrastructure, allowing attackers to inject additional JavaScript payloads into the webpage. As a result, the hackers can steal sensitive information and gain unauthorised access to their targets’ systems.

After uploading the payloads, the attackers use the stolen data to get unauthorised access to email accounts. To achieve this, the attackers collect usernames, passwords, and tokens from the hacked Zimbra endpoint. With this information, the attackers have complete access to the victim’s email accounts.

Attack Chain of CSRF attack
Attack Chain of CSRF attack (Proofpoint)

In the report, Proofpoint clarifies:

These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance. Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets. In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well.

The focus on detail shows that the threat actors carry out in-depth pre-attack reconnaissance to find the gateway of their target and generate phishing emails in response. They also modify the landing page feature to maximise the attack’s effectiveness.

Proofpoint researchers advise patching all versions of Zimbra Collaboration used in public webmail portals, particularly in European government entities. They also suggest limiting access to resources on public webmail portals to prevent groups like TA473 from creating custom scripts to steal credentials and access users’ webmail accounts.

By following the recommendations, organisations can enhance their cybersecurity posture and reduce the risk of falling victim to phishing attacks. It is crucial to take proactive measures to protect sensitive information from malicious actors who are constantly looking for vulnerabilities to exploit.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.

Recent posts