Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Zimbra Zero-Day Exploited to Hack Government Emails

Google says a Zimbra zero-day from earlier this year, CVE-2023-37580, was exploited in several campaigns to hack government emails.

SubdoMailing

Google’s Threat Analysis Group (TAG) revealed on Thursday that a Zimbra Collaboration Suite zero-day was exploited earlier this year to steal email data from government organizations in several countries. 

The existence of the vulnerability, tracked as CVE-2023-37580, became public in mid-July, when Zimbra notified customers of its email server solution. 

The flaw, described as a reflected cross-site scripting (XSS) bug, allows an attacker to execute malicious code by sending emails containing specially crafted URLs to the targeted organization. 

In order for the exploit to be successfully executed, the targeted user needs to click on the malicious link while they are authenticated to a Zimbra session.

Shortly after Zimbra announced an official patch on July 25, Google’s TAG warned that in-the-wild exploitation had been observed, but did not share any information about the attacks. 

The internet giant has now revealed that it saw the first campaign exploiting CVE-2023-37580 on June 29. This campaign was aimed at a government organization in Greece and the attacker leveraged a previously documented framework to steal emails and attachments. The framework can also be used to automatically forward emails to addresses controlled by the attacker.

Roughly one week after Google spotted this campaign, on July 5, Zimbra published a hotfix for the vulnerability to its GitHub repository, but an official patch had yet to be released.

Then, on July 11, Google observed a second campaign exploiting the Zimbra zero-day, this time targeting government organizations in Moldova and Tunisia. The company linked the attacks to Winter Vivern, a Russian APT known for using Zimbra exploits, including in attacks aimed at NATO countries. 

Advertisement. Scroll to continue reading.

Zimbra published a security advisory on July 13 to warn customers about the vulnerability. However, before the official patch was released on July 25, Google came across a third campaign, which targeted a government organization in Vietnam. In this case, the attacker leveraged the exploit to take users to a phishing page that instructed them to enter their webmail credentials.

After the patch was released by Zimbra, Google spotted a fourth campaign, targeting a government organization in Pakistan.

“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” Google said. 

It added, “These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users. The actors behind Campaign #2 began exploiting the bug after the fix was pushed to Github, but before Zimbra publicly released the advisory with remediation advice.”

CISA’s Known Exploited Vulnerabilities Catalog includes seven other Zimbra Collaboration Suite flaws, a majority discovered in 2022. 

Related: Russia-Linked APT ‘Winter Vivern’ Targeting Governments in Europe, Asia 

Related: CISA Urges Organizations to Patch Actively Exploited Zimbra XSS Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

SaaS security company AppOmni has hired Joel Wallenstrom as its General Manager.

FTI Consulting has appointed Brett Callow as Managing Director in its Cybersecurity & Data Privacy Communications practice.

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

More People On The Move

Expert Insights