Hackers Exploit Zimbra and Roundcube Email Servers to Attack Government Organizations

An alarming spear-phishing campaign has been uncovered, specifically aimed at government organizations. This attack preys on the vulnerabilities of Zimbra and Roundcube email servers.

It is crucial that immediate action is taken to secure these servers and prevent any further breaches. Investigations by EclecticIQ revealed that the initial campaigns date back to January of 2023.

These emails evaded government organizations’ anti-spam filters, which state that the threat actors used several evasion techniques to bypass spam detections.

However, the originating IP in the email headers suggests that the threat actor used VPN services to hide his identity.

Zimbra Maintenance Mail for Phishing Campaign

Around 12 phishing emails were analyzed, and none had their sender address spoofed.

This means all these emails were from legitimate compromised government email servers that bypassed anti-spam filters.

Furthermore, all the organizations in the sender addresses were using Zimbra or Roundcube as their email servers.  

Though the emails were having the context as a fake Zimbra maintenance alert notification, the language changed for each recipient aligned with their spoken language.

Once the victims fall for this email, they are redirected to a fake Zimbra login page for credential stealing.

Threat actors have used legitimate web services like Google Firebase, Mailchimp, Chilipepper(.)io, and Webflow(.)io to steal this information.

It is assumed that threat actors have been exploiting known vulnerabilities CVE-2020-35730 and CVE-2020-12641 in RoundCube versions 1.4.10 and 1.4.11. Ukraine was one of the countries targeted during these phishing campaigns.

 EclecticIQ has published a complete investigation report that reveals all the techniques, methods, and tactics used by the threat actors for stealing credentials.

It is recommended that Zimbra users update to the latest version (8.8.15) to prevent it from getting exploited.