A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens.
“Most of this activity occurred after the initial fix became public on GitHub,” Google Threat Analysis Group (TAG) said in a report shared with The Hacker News.
The flaw, tracked as CVE-2023-37580 (CVSS score: 6.1), is a reflected cross-site scripting (XSS) vulnerability impacting versions before 8.8.15 Patch 41. It was addressed by Zimbra as part of patches released on July 25, 2023.
Successful exploitation of the shortcoming could allow execution of malicious scripts on the victims’ web browser simply by tricking them into clicking on a specially crafted URL, effectively initiating the XSS request to Zimbra and reflecting the attack back to the user.
Google TAG, whose researcher Clément Lecigne was credited with discovering and reporting the bug, said it discovered multiple campaign waves starting June 29, 2023, at least two weeks before Zimbra issued an advisory.
Three of the four campaigns were observed prior to the release of the patch, with the fourth campaign detected a month after the fixes were published.
The first campaign is said to have targeted a government organization in Greece, sending emails containing exploit URLs to their targets that, when clicked, delivered an email-stealing malware previously observed in a cyber espionage operation dubbed EmailThief in February 2022.
The intrusion set, which Volexity codenamed as TEMP_HERETIC, also exploited a then-zero-day flaw in Zimbra to carry out the attacks.
The second threat actor to exploit CVE-2023-37580 is Winter Vivern, which targeted government organizations in Moldova and Tunisia shortly after a patch for the vulnerability was pushed to GitHub on July 5.
It’s worth noting that the adversarial collective has been linked to the exploitation of security vulnerabilities in Zimbra Collaboration and Roundcube by Proofpoint and ESET this year.
TAG said it spotted a third, unidentified group weaponizing the bug before the patch was pushed on July 25 to phish for credentials belonging to a government organization in Vietnam.
“In this case, the exploit URL pointed to a script that displayed a phishing page for users’ webmail credentials and posted stolen credentials to a URL hosted on an official government domain that the attackers likely compromised,” TAG noted.
Lastly, a government organization in Pakistan was targeted using the flaw on August 25, resulting in the exfiltration of the Zimbra authentication token to a remote domain named “ntcpk[.]org.”
Google further pointed out a pattern in which threat actors are regularly exploiting XSS vulnerabilities in mail servers, necessitating that such applications are audited thoroughly.
“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” TAG said.
“These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users.”
