Google Says 4 Attack Campaigns Exploited Zimbra Zero-Day

See Also: OnDemand | Ransomware in the Cloud: Challenges and Security Best Practices

Researchers at Google’s Threat Analysis Group in June discovered a zero-day vulnerability, tracked as CVE-2023-37580, being actively exploited in the wild.

Most of the exploit activity occurred after Zimbra had posted a hotfix onto its public GitHub site on July 5. The company published remediation guidance on July 13 but didn’t release a patch until July 25.
“Three of these campaigns began after the hotfix was initially made public highlighting the importance of organizations applying fixes as quickly as possible,” Google said. Zimbra has been the object of a slew of hacker attacks this year.

One of the four threat actors exploiting the Zimbra flaw was Winter Vivern, a group first publicly detailed in April 2021 by DomainTools and suspected to have ties with Russia or Belarus. Researchers from SentinelOne earlier reported that after appearing to go quiet – or else unnoticed – for much of 2021 and 2022, the group reappeared later last year with campaigns targeting Ukraine. During the first months of this year, it exploited another Zimbra cross-site scripting vulnerability, tracked as CVE-2022-27926 (see: Phishing Campaign Tied to Russia-Aligned Cyberespionage).

Four Campaigns

The cross-site scripting exploit highlighted by Google allowed hackers to inject malicious scripts through a maliciously crafted URL.

Google’s data shows that the first known exploitation was in an email-stealing campaign targeting a government agency in Greece. If a user clicked on the link, the script loaded the same malware framework for Zimbra documented by Volexity in February.

Winter Vivern was quick to exploit the vulnerability once Zimbra had released a hotfix, mounting what Google said was the second campaign to use the zero-day flaw. It targeted government agencies in Moldova and Tunisia.

Days before Zimbra released its official patch, Google observed a third unidentified group exploiting the vulnerability as part of a campaign that phished for credentials belonging to a government organization in Vietnam.

“In this case, the exploit URL pointed to a script that displayed a phishing page for users’ webmail credentials and posted stolen credentials to a URL hosted on an official government domain that the attackers likely compromised,” the researchers said.

The fourth campaign observed stole authentication tokens from a government agency in Pakistan.

“These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users,” the researchers said.