Volexity Warns of ‘Active Exploitation’ of Zimbra Zero-Day

Malware hunters at Volexity are raising the alarm over a Chinese threat actor seen exploiting a zero-day flaw in the Zimbra email platform to compromise media and government targets in Europe.

The attacks, which begin with a series of targeted spear-phishing emails, include the use of an exploit for a still-unpatched cross-site scripting (XSS) flaw in the open-source Zimbra email platform, Volexity said in an advisory released late Thursday.

The attacks, described as ongoing and "active," are targeting media and government organizations in Europe.

"At the time of writing, this exploit has no available patch, nor has it been assigned a CVE," the company said. "This is a zero-day vulnerability."

In a technical analysis, Volexity said the Chinese hackers launched the campaigns in multiple waves across two attack phases:

The initial phase was aimed at reconnaissance and involved emails designed simply to track whether a target received and opened the messages. The second phase came in several waves of email messages luring targets to click a malicious, attacker-crafted link. For the attack to succeed, the target has to visit the attacker's link while logged into the Zimbra webmail client from a web browser, since the injected script executes with that browser session's cookies and privileges.

Successful exploitation results in the attacker being able to run arbitrary JavaScript in the context of the user's Zimbra session. Volexity's researchers also observed the attacker attempting to load JavaScript to steal user mail data and attachments.

"While Volexity only observed [the threat actor] attempting email and attachment theft, the vulnerability could easily allow an attacker to perform other actions in the context of the user's Zimbra webmail session, including the exfiltration of cookies to allow persistent access to a mailbox and the ability to present a prompt to download malware in the context of a trusted website."


Volexity researchers Steven Adair and Thomas Lancaster said the latest versions of Zimbra at the time, 8.8.15 P29 and P30, remain vulnerable to session cookie theft.

Based on BinaryEdge data, roughly 33,000 servers are running the Zimbra email server, although the true number is likely to be higher. Zimbra boasts that about 200,000 businesses, and over 1,000 government and financial institutions, use the software.

The company said it was unable to attribute this attack to a previously known threat actor but found artifacts suggesting it is the work of a nation-state backed operator.

"Based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor," Volexity said.

The company released indicators of compromise to help defenders manage blocking at the gateway and network level, and urged Zimbra users to investigate historical referrer data for suspicious access and referrers: a victim who clicked the lure arrives at the webmail client with the attacker's page as the HTTP Referer, which is visible in the web server's access logs.
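One way to carry out that referrer review, as an added example (this is not Volexity's tooling, nor code from the Zimbra project): parse web server access logs and flag requests to the webmail client whose Referer header points to an origin other than the mail server itself, then count repeats per source address so a single lure domain used against several users stands out. The log lines are constructed for this example, the combined log format, the webmail host name mail.example.org and the path prefixes treated as "webmail" are assumptions, and the lure domain is fictitious.

```python
"""Flag webmail requests that arrive from an off-site HTTP Referer.

Added example, not from the article or the Zimbra project. Assumptions:
access logs are in Apache/nginx "combined" format, the webmail host is
mail.example.org, and WEBMAIL_PREFIXES covers the client paths worth
watching on this (hypothetical) deployment.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines; none of these are real log entries.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Feb/2022:09:58:03 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "https://mail.example.org/" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2022:09:58:09 +0000] "POST /service/soap/SearchRequest HTTP/1.1" 200 2210 "https://mail.example.org/zimbra/" "Mozilla/5.0"
203.0.113.44 - - [03/Feb/2022:10:02:40 +0000] "GET /zimbra/?app=mail HTTP/1.1" 200 5120 "https://lure.example/news.html" "Mozilla/5.0"
203.0.113.44 - - [03/Feb/2022:10:02:41 +0000] "GET /service/home/~/?fmt=json HTTP/1.1" 200 9041 "https://lure.example/news.html" "Mozilla/5.0"
192.0.2.9 - - [03/Feb/2022:10:05:00 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Feb/2022:10:05:30 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "https://mail.example.org/zimbra/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed client path prefixes; adjust to the deployment being reviewed.
WEBMAIL_PREFIXES = ("/zimbra", "/service/", "/h/", "/m/", "/modern/")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname (lowercased) of a Referer value, or None when absent ("-" or empty)."""
    if not referer or referer == "-":
        return None
    return urlsplit(referer).hostname


def is_webmail_request(path, prefixes=WEBMAIL_PREFIXES):
    return path.startswith(prefixes)


def find_offsite_referrers(log_text, own_hosts, prefixes=WEBMAIL_PREFIXES):
    """Webmail requests whose Referer host is not one of the server's own names."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_webmail_request(rec["path"], prefixes):
            continue
        host = referer_host(rec["referer"])
        # No Referer is not proof of innocence (browsers strip it under
        # some referrer policies); it just cannot be judged from this field.
        if host is None or host in own:
            continue
        hits.append({"ip": rec["ip"], "ts": rec["ts"],
                     "path": rec["path"], "referer_host": host})
    return hits


def summarize(hits):
    """Count (source IP, referer host) pairs so a reused lure domain stands out."""
    return Counter((h["ip"], h["referer_host"]) for h in hits)


if __name__ == "__main__":
    found = find_offsite_referrers(SAMPLE_LOG, own_hosts={"mail.example.org"})
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["path"]} <- {h["referer_host"]}')
    for (ip, host), n in summarize(found).most_common():
        print(f"{ip} arrived at webmail from {host} {n}x")
```

Run it against the real proxy or mailbox access logs by replacing SAMPLE_LOG with their contents and listing every hostname the server is reached by in own_hosts; any off-site referrer that precedes requests to the mail data endpoints is worth correlating with the published indicators. Requests with no Referer at all are skipped rather than flagged, because a browser will omit it for many cross-origin navigations, so an empty set of hits does not rule out exploitation.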

"Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15," the company said.

Related: Vulnerabilities Allow Hacking of Zimbra Webmail Servers With Single Email

Related: Poisoned Installers Found in SolarWinds Hackers Toolkit

Related: Microsoft: Exchange Server Zero-Days Under Attack by Chinese APT Group

Related: Prolific Chinese APT Caught Using ‘MoonBounce’ UEFI Firmware Implant

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series.
Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.
