Four Hacker Groups Exploit Zero-Day Vulnerability in Zimbra Email Software

Four different threat groups exploited a zero-day vulnerability in Zimbra Collaboration, a popular email software, to conduct attacks aimed at stealing email data, user credentials, and authentication tokens.

Google's Threat Analysis Group (TAG) revealed in a report that most of these attacks occurred after the initial patch for the flaw was made public on GitHub. The vulnerability, identified as CVE-2023-37580 with a CVSS score of 6.1, is a reflected cross-site scripting (XSS) issue affecting versions before 8.8.15 Patch 41. Zimbra released patches to fix this issue on July 25, 2023.

The vulnerability could be exploited by tricking victims into clicking on a specially crafted URL. This action would execute malicious scripts in the victims' web browser, initiating an XSS request to Zimbra and reflecting the attack back to the user.

Google TAG, whose researcher Clément Lecigne reported the bug, noted multiple attack campaigns exploiting this flaw starting June 29, 2023, which is at least two weeks before Zimbra even issued an advisory regarding the vulnerability.

Of the four distinct campaigns exploiting this flaw, three occurred before the patch was released, with the fourth detected a month after the fix was published. The initial campaign targeted a Greek government organization, with attackers sending emails that included URLs exploiting the vulnerability. Clicking these links resulted in the deployment of an email-stealing malware, previously seen in the cyber espionage operation known as EmailThief in February 2022.

This same campaign, labeled TEMP_HERETIC by Volexity, had also exploited another zero-day flaw in Zimbra to conduct its attacks. This series of events underscores the need for organizations to remain vigilant about patching software vulnerabilities and monitoring for potential exploitation attempts.

The exploitation of the CVE-2023-37580 vulnerability in Zimbra Collaboration software has been linked to four distinct threat actors, each conducting targeted attacks against various government organizations.

One such group, known as Winter Vivern, utilized the flaw to attack government entities in Moldova and Tunisia. This activity occurred shortly after a patch for the vulnerability was uploaded to GitHub on July 5. Notably, Winter Vivern has previously been associated with exploiting vulnerabilities in Zimbra Collaboration and Roundcube, as identified by Proofpoint and ESET earlier this year.

A third, yet-to-be-identified threat group also exploited CVE-2023-37580 before the patch's release on July 25. This group aimed at phishing for credentials from a Vietnamese government organization. The attackers set up a deceptive script that lured users into entering their webmail credentials on a phishing page, later transmitting the stolen credentials to a compromised official government domain.

Furthermore, on August 25, another government organization in Pakistan fell victim to an attack exploiting the same vulnerability. This incident involved the theft of Zimbra authentication tokens, which were sent to a remote domain named "ntcpk[.]org."

Google's TAG emphasized the recurring exploitation of XSS vulnerabilities in mail servers by various threat actors, underscoring the critical need for thorough auditing of these applications. The widespread exploitation of CVE-2023-37580, particularly after the bug's details became public, highlights the urgency for organizations to promptly apply fixes to their mail servers.

These incidents also reveal a concerning trend of attackers actively monitoring open-source repositories. They exploit vulnerabilities opportunistically, particularly when fixes are available in repositories but have not yet been broadly released to users. This tactic underscores the importance of rapid and efficient patch management within organizations to mitigate the risk of such attacks.