APTs Swarm Zimbra Zero-Day to Steal Government Info Worldwide

At least four separate cyberattack groups have used a former zero-day security vulnerability in the Zimbra Collaboration Suite (ZCS) to steal email data, user credentials, and authentication tokens from government organizations globally.

ZCS is an email server, calendaring, and chat and video platform, used by "thousands" of companies and "hundreds of millions" of individuals, according to the Zimbra website. Its client organizations are as diverse as the Japan Advanced Institute of Science and Technology, Germany's Max Planck Institute, and Gunung Sewu, a top business incubator in Southeast Asia.

The bug (CVE-2023-37580) is a reflected cross-site scripting (XSS) vulnerability in the Zimbra email server that was patched on July 25, with a hotfix rolling out to its public GitHub repository on July 5. According to a report by Google's Threat Analysis Group (TAG) shared with Dark Reading, the zero-day exploitation started in June, before Zimbra offered remediation.

Four Separate Cyberattacks on World Governments

Google TAG has disclosed details on the government campaigns, which include:

"The initial in-the-wild discovery of the zero-day vulnerability was a campaign targeting a government organization in Greece," according to Google TAG researchers. "The attackers sent emails containing exploit URLs to their targets."

If a target clicked the link during a logged-in Zimbra session, the URL loaded a framework that steals users' emails and attachments; and, it set up an auto-forwarding rule to an attacker-controlled email address.

The Winter Vivern campaign meanwhile went on for two weeks after beginning on July 11.

"TAG identified multiple exploit URLs that targeted government organizations in Moldova and Tunisia; each URL contained a unique official email address for specific organizations in those governments," according to the TAG analysis.

The third zero-day campaign, by an unidentified group, was part of a phishing expedition against a government organization in Vietnam.

"In this case, the exploit URL pointed to a script that displayed a phishing page for users' webmail credentials, and posted stolen credentials to a URL hosted on an official government domain that the attackers likely compromised," Google researchers explained.

The fourth campaign employed an N-day exploit to steal Zimbra authentication tokens from a government organization in Pakistan.

"The discovery of at least four campaigns exploiting CVE-2023-37580 … demonstrates the importance of organizations applying fixes to their mail servers as soon as possible," the advisory concluded. “These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users."

Cyberattackers Target Juicy Mail Servers

There has been ongoing exploitation of vulnerabilities in mail servers, so organizations should prioritize patching them.

Zimbra alone has been plagued by security incidents, including a remote code execution bug exploited as a zero-day in October 2022 and an infostealing campaign by the nation of North Korea that preyed on unpatched servers. And in January, CISA warned that threat actors were exploiting multiple CVEs against ZCS.

Meanwhile, last month Winter Vivern was exploiting a zero-day flaw in Roundcube Webmail servers, with a malicious email campaign targeting governmental organizations and a think tank in Europe that requires only that a user view a message.

According to TAG: "The regular exploitation of XSS vulnerabilities in mail servers also shows a need for further code auditing of these applications, especially for XSS vulnerabilities."