The US Cybersecurity and Infrastructure Security Agency (CISA) has added to its ‘Must Patch’ list a Zimbra vulnerability exploited by Russian hackers in attacks targeting NATO countries.
The flaw, tracked as CVE-2022-27926 (CVSS score of 6.1), is described as a reflected cross-site scripting (XSS) bug in Zimbra Collaboration version 9.0.
Because of this issue, an endpoint URL may accept parameters without sanitization, which could allow an unauthenticated attacker to provide crafted request parameters leading to the execution of arbitrary web scripts or HTML code.
While CISA does not provide details on the observed exploitation of CVE-2022-27926, the agency’s warning comes only days after a Proofpoint report on the vulnerability being exploited by Russia-linked advanced persistent threat (ATP) actor Winter Vivern in attacks targeting NATO countries.
Also tracked as TA473, Winter Vivern has been observed launching cyberattacks in support of Russian and/or Belarussian geopolitical goals in the context of the Russia-Ukraine war.
The attacks against NATO countries targeted public Zimbra hosted webmail portals to access email correspondence of military, government, and diplomatic organizations in Europe.
The APT uses scanning tools to identify vulnerable, unpatched webmail portals and then sends phishing emails containing a malicious a URL leading to the execution of JavaScript code that in turns downloads a next stage JavaScript payload to conduct cross-site request forgery (CSRF) attacks and capture victims’ credentials.
According to Proofpoint, Winter Vivern appears to have invested time and resources in analyzing the publicly exposed webmail portals of the targeted organizations in order to create different JavaScript payloads for each of them.
“These labor-intensive customized payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing webmail portals belonging to NATO-aligned organizations,” Proofpoint explains.
Organizations are advised to upgrade to a patched version of the Zimbra Collaboration Suite as soon as possible.
Per Binding Operational Directive (BOD) 22-01, once a vulnerability is added to CISA’s Known Exploited Vulnerabilities catalog, federal agencies have three weeks to apply the relevant patches within their environments.
Related: Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
Related: New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries
Related: Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks