Phishing Attack Targets Hundreds of Zimbra Customers in 4 Continents

Despite its simplicity, a phishing campaign targeting customers of the Zimbra Collaboration software suite has spread to hundreds of organizations in over a dozen countries.

Zimbra is a collaborative software suite, which includes an email server and Web client. It is a niche alternative to traditional enterprise email solutions with a small fraction of the market, according to user figures tracked by Enlyft and 6sense.

Zimbra has been beset by security incidents all year, including a remote code execution bug, a cross-site scripting zero-day, and an infostealing campaign by the nation of North Korea.

According to researchers at ESET, since April 2023, an unidentified threat actor has been using scattershot phishing emails to cull credentials for privileged Zimbra accounts. The primary targets have been small-to-midsized businesses (the open-core software's primary customer base), though some government organizations were swept up in the campaign, as well.

"Hundreds of different organizations were targeted by this campaign," claims Anton Cherepanov, senior malware researcher for ESET. However, "the extent of damage is hard to say," because most of the attacks were rooted out before they took hold.

Phishing Zimbra Users

Each attack starts the same — a general phishing email, purporting to come from Zimbra itself, relaying some kind of urgent message about, say, a server update, or account deactivation. For example, the following note titled "Important information from Zimbra Security Service":

Starting today 3/7/2023 Your Zimbra web client login page will change. We are preparing for an email update. However, to avoid deactivation and loss of access to your email account, preview the download of the attachment.

The email is signed "Zimbra Boss — Administration."

Attached is an HTML file, directing the user to a generic Zimbra login page with some identifying elements customized for the particular target organization. The page opens in the user's browser, despite being a local file path, and prefills the username field, in order to give the impression of a legitimate Zimbra login page.

The Impact to Customers

Of course, any user who types in their password into the fake login page will be sending the sensitive information straight to the attackers.

"The worst-case outcome is that attackers could gain Zimbra Administrator's privileges, and then potentially root privileges on the server itself. But it depends on many factors such as potential password re-use, configuration used, etc," Cherepanov says.

The country most affected by this campaign is Poland, followed by Ecuador and Italy, with attacks also reaching as far and wide as Mexico, Kazakhstan, and the Netherlands. Targets share nothing in common aside from their use of Zimbra.

To avoid compromise, Cherepanov recommends standard security hygiene: using strong passwords, multi-factor authentication, and updating to the most recent version of Zimbra.