Hackers Exploiting Zimbra 0-day to Attack

Zimbra Collaboration is an open-source solution software suite with an email server and web client for collaboration. 

Over 5,000 companies and public sector users, along with hundreds of millions of end-users in more than 140 countries, utilize this solution.

Google TAG (Threat Analysis Group) found an in-the-wild 0-day exploit in June 2023 targeting Zimbra Collaboration (CVE-2023-37580). 

In total, there are four distinct groups that exploited this bug, stealing the following data:-

• Email data
• User credentials
• Authentication tokens

Flaw Profile

• CVE ID: CVE-2023-37580
• Description: Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
• Base Score: 6.1 
• Severity: MEDIUM
• Vulnerability Name: Required Action Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability.

Hackers Exploiting Zimbra 0-day

Most of the activity took place after the initial fix went public on GitHub. TAG highlights staying protected by keeping software up-to-date and promptly applying security updates.

Free Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Register for Free

TAG found a critical XSS flaw in Zimbra’s email server (CVE-2023-37580), which was actively exploited in June. Zimbra released a hotfix on July 5, 2023, and an advisory on July 13, 2023.

Besides this, researchers also identified three threat groups exploiting it before the official patch, and a fourth campaign emerged after the fix.

Zimbra’s URL vulnerability led to a reflected XSS, allowing the injection of malicious scripts into web pages.

Campaigns

Here below we have mentioned all the campaigns:-

• Campaign 1: First known exploitation leads to email-stealing framework
• Campaign 2: Winter Vivern exploitation after hotfix pushed to Github
• Campaign 3: Exploit used for credential phishing
• Campaign 4: N-day exploit used for stealing authentication token

The discovery of four CVE-2023-37580 campaigns underscores the urgency for prompt mail server fixes. Attackers exploit vulnerabilities post-Github fix, pre-public advisory. 

This follows CVE-2022-24682 exploitation and precedes CVE-2023-5631. Regular XSS exploits highlight the need for rigorous mail server code audits.

IoCs

• https://obsorth.opwtjnpoc[.]ml/pQyMSCXWyBWJpIos.js
• https://applicationdevsoc[.]com/zimbraMalwareDefender/zimbraDefender.js
• https://applicationdevsoc[.]com/tndgt/auth.js
• ntcpk[.]org

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.