Google’s Threat Analysis Group (TAG) revealed on Thursday that a Zimbra Collaboration Suite zero-day was exploited earlier this year to steal email data from government organizations in several countries.
The existence of the vulnerability, tracked as CVE-2023-37580, became public in mid-July, when Zimbra notified customers of its email server solution.
The flaw, described as a reflected cross-site scripting (XSS) bug, allows an attacker to execute malicious code by sending emails containing specially crafted URLs to the targeted organization.
In order for the exploit to be successfully executed, the targeted user needs to click on the malicious link while they are authenticated to a Zimbra session.
Shortly after Zimbra announced an official patch on July 25, Google’s TAG warned that in-the-wild exploitation had been observed, but did not share any information about the attacks.
The internet giant has now revealed that it saw the first campaign exploiting CVE-2023-37580 on June 29. This campaign was aimed at a government organization in Greece and the attacker leveraged a previously documented framework to steal emails and attachments. The framework can also be used to automatically forward emails to addresses controlled by the attacker.
Roughly one week after Google spotted this campaign, on July 5, Zimbra published a hotfix for the vulnerability to its GitHub repository, but an official patch had yet to be released.
Then, on July 11, Google observed a second campaign exploiting the Zimbra zero-day, this time targeting government organizations in Moldova and Tunisia. The company linked the attacks to Winter Vivern, a Russian APT known for using Zimbra exploits, including in attacks aimed at NATO countries.
Zimbra published a security advisory on July 13 to warn customers about the vulnerability. However, before the official patch was released on July 25, Google came across a third campaign, which targeted a government organization in Vietnam. In this case, the attacker leveraged the exploit to take users to a phishing page that instructed them to enter their webmail credentials.
After the patch was released by Zimbra, Google spotted a fourth campaign, targeting a government organization in Pakistan.
“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” Google said.
It added, “These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users. The actors behind Campaign #2 began exploiting the bug after the fix was pushed to Github, but before Zimbra publicly released the advisory with remediation advice.”
CISA’s Known Exploited Vulnerabilities Catalog includes seven other Zimbra Collaboration Suite flaws, a majority discovered in 2022.