Zimbra Patched the Cross-Site Scripting Vulnerability on July 25
A cross-site scripting zero-day flaw in the Zimbra Collaboration email server proved to be a bonanza for hackers as four distinct threat actors exploited the bug to steal email data and user credentials, said Google.
Most of the exploit activity occurred after Zimbra had posted a hotfix onto its public GitHub site on July 5. The company published remediation guidance on July 13 but didn’t release a patch until July 25.
“Three of these campaigns began after the hotfix was initially made public, highlighting the importance of organizations applying fixes as quickly as possible,” Google said. Zimbra has been the object of a slew of hacker attacks this year.
One of the four threat actors exploiting the Zimbra flaw was Winter Vivern, a group first publicly detailed in April 2021 by DomainTools and suspected to have ties with Russia or Belarus. Researchers from SentinelOne earlier reported that after appearing to go quiet – or else unnoticed – for much of 2021 and 2022, the group reappeared later last year with campaigns targeting Ukraine. During the first months of this year, it exploited another Zimbra cross-site scripting vulnerability, tracked as CVE-2022-27926 (see: Phishing Campaign Tied to Russia-Aligned Cyberespionage).
The cross-site scripting vulnerability highlighted by Google allowed attackers to inject malicious scripts into the webmail session of a user who opened a maliciously crafted URL.
Google’s data shows that the first known exploitation was in an email-stealing campaign targeting a government agency in Greece. If a user clicked on the link, the script loaded the same malware framework for Zimbra documented by Volexity in February.
Winter Vivern was quick to exploit the vulnerability once Zimbra had released a hotfix, mounting what Google said was the second campaign to use the zero-day flaw. It targeted government agencies in Moldova and Tunisia.
Days before Zimbra released its official patch, Google observed a third unidentified group exploiting the vulnerability as part of a campaign that phished for credentials belonging to a government organization in Vietnam.
“In this case, the exploit URL pointed to a script that displayed a phishing page for users’ webmail credentials and posted stolen credentials to a URL hosted on an official government domain that the attackers likely compromised,” the researchers said.
The fourth campaign observed stole authentication tokens from a government agency in Pakistan.
“These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users,” the researchers said.