Hackers Used a Zimbra Email Platform 0-Day Vulnerability to Spy on Users

Short News:- 


An unknown threat actor has been actively trying to exploit a zero-day vulnerability in Zimbra. Successful exploitation could lead to the execution of JavaScript code that could be used to hijack a user's session. The attacks, which began on December 14, 2021, targeted European government and media organizations.


Detailed News:- 

Since the beginning of the year 2021, an unknown threat actor using spear-phishing tactics has been actively trying to exploit a zero-day vulnerability in Zimbra, a popular open-source email platform.

According to a technical report published Thursday by cybersecurity company Volexity, successful exploitation of the cross-site scripting (XSS) vulnerability could lead to the execution of JavaScript code that could be used to hijack a user's Zimbra session if the user's credentials were compromised.

It was determined by Volexity that the attacks, which began on December 14, 2021, were carried out by a previously unidentified hacking group operating under the codename TEMP_HERETIC, and targeted European government and media organizations. Version 8.8.15 of the open-source Zimbra is affected by the zero-day vulnerability.


An email campaign was launched in the first phase of the attacks in order to gather information about the target's email habits and track whether or not they clicked on a link contained in the email. The next step was to send out multiple waves of email messages in an attempt to trick recipients into clicking on a malicious link.

In total, 74 Outlook.com email addresses were created by the attacker to send out the missives over a two-week period, among which the initial recon messages contained generic subject lines ranging from invitations to charitable auctions to refunds for airline tickets.

According to Steven Adair and Thomas Lancaster, the attack can only succeed if the victim visits the malicious link while logged in to the Zimbra webmail client in a web browser. The link itself, however, could be opened from a thick mail client such as Thunderbird or Outlook, as long as an active Zimbra webmail session exists in the browser that the link opens in.

Assuming this unpatched flaw is weaponized, the compromised email account could be used to exfiltrate cookies and download additional malware, or it could be used to send phishing emails and spread the infection further.

The researchers concluded that "none of the infrastructures identified [...] exactly matches infrastructure used by previously classified threat groups." They added: "Based on the targeted organization and the targeted individuals, as well as the fact that the stolen data would have no financial value, it is likely that the attacks were carried out by a Chinese APT actor."

"Zimbra users should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15," the company said.
