Description

According to the Proofpoint report, the Russian hacking group TA473, also known as Winter Vivern, has been exploiting vulnerable Zimbra endpoints since February 2023 to steal the emails of NATO officials, governments, military personnel, and diplomats.

The attack begins with the threat actors scanning for unpatched webmail platforms using the Acunetix vulnerability scanner. A phishing email is then sent from a compromised address, so that it appears to come from someone the target knows or from a party related to the target's business. The email contains a link that exploits CVE-2022-27926 in the target's Zimbra infrastructure and injects JavaScript payloads into the webpage; these payloads are used to steal usernames, passwords, and tokens from the Zimbra cookies of the compromised session. With this information, the threat actors can easily access the targets' email accounts. The server hosting the vulnerable webmail instance executes these CSRF JavaScript code blocks. In some instances, TA473 has also been observed specifically targeting RoundCube webmail request tokens.

To reduce the likelihood of detection, Winter Vivern incorporated parts of the legitimate JavaScript running in the native webmail portal, blending the payload with normal operations, and applied three layers of base64 obfuscation to the malicious JavaScript.

Compromised webmail accounts can be used to monitor communications and access sensitive information, and can also be used to carry out lateral phishing attacks, which could permit the attackers to infiltrate target organizations further. Zimbra Collaboration 9.0.0 P24, released in April 2022, fixed the vulnerability that had previously been announced as CVE-2022-27926.
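The report's note that the malicious JavaScript was wrapped in three layers of base64 encoding suggests one cheap detection check a defender can run over suspicious strings pulled from web logs or page content: peel base64 layers until the result is no longer base64, then count the layers and look for script-like indicators in what comes out. The code below is an added example written for this page, not code from Proofpoint or from the Zimbra project; the sample string it decodes is a constructed placeholder wrapped three times, not the actual TA473 payload, and the indicator list is an assumption chosen for illustration.

```python
import base64
import binascii
import re

# Constructed sample input: a benign marker string encoded through three
# layers of base64, standing in for the triple-encoded payload the report
# describes. This is not the real TA473 payload.
INNER = "var t = document.cookie; /* constructed marker, not a real payload */"


def wrap_base64(text: str, layers: int = 3) -> str:
    """Encode text through the given number of base64 layers (used only to build the sample)."""
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


SAMPLE = wrap_base64(INNER, 3)

# Strict base64 alphabet check, applied after whitespace is stripped.
B64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def peel_base64(blob: str, max_layers: int = 8):
    """Repeatedly base64-decode a string while the result is valid base64 and decodes to text.

    Returns (layers_peeled, final_text). Decoding stops at the first layer that is not
    in the base64 alphabet, has bad padding, or does not decode to printable UTF-8 text,
    so ordinary prose comes back with zero layers peeled.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        candidate = re.sub(r"\s+", "", current)
        if not candidate or not B64_RE.match(candidate) or len(candidate) % 4:
            break
        try:
            text = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        # Binary-looking output means this was not really an encoded text layer.
        if not all(c.isprintable() or c in "\n\r\t" for c in text):
            break
        layers += 1
        current = text
    return layers, current


# Assumed indicator list: fragments a defender would not expect inside
# multiply-encoded content on a webmail page. Extend to taste.
SUSPICIOUS = ("document.cookie", "XMLHttpRequest", "fetch(", "eval(", "atob(")


def assess(blob: str, min_layers: int = 2) -> dict:
    """Flag a string when it hides script-like indicators under nested base64 layers."""
    layers, text = peel_base64(blob)
    hits = [s for s in SUSPICIOUS if s in text]
    return {
        "layers": layers,
        "indicators": hits,
        "flagged": layers >= min_layers and bool(hits),
    }


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("plain text", "hello world")):
        print(label, assess(blob))
```

Nested encoding on its own is not proof of malice, which is why `assess` requires both a layer count and an indicator hit before flagging; tune `min_layers` and `SUSPICIOUS` to the webmail deployment being monitored.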