Hackers Exploit Zimbra Vulnerability

Proofpoint researchers have observed TA473, a newly identified APT actor, abusing publicly facing Zimbra-hosted webmail portals by exploiting a Zimbra vulnerability tracked as CVE-2022-27926.

The sole goal of this activity is to gain unauthorized access to the following types of organizations involved in the Russia-Ukraine war:-

  • Military
  • Government
  • Diplomatic

To select victims, the threat actors identify vulnerable webmail portals, and possible ways to attack them, using the Acunetix vulnerability scanner.

Following this initial scanning reconnaissance, the threat actors deliver phishing emails disguised as confidential government resources.

These phishing emails contain hyperlinks to malicious URLs that the threat actors use to exploit the known vulnerability and execute JavaScript payloads within the victim's webmail portal.

TA473 Hacker Group

TA473 is also publicly known as Winter Vivern and UAC-0114, names assigned by the following security vendors:-

  • DomainTools
  • Lab52
  • Sentinel One
  • Ukrainian CERT

This threat actor has historically delivered PowerShell and JavaScript payloads via phishing campaigns, and it also conducts repeated phishing campaigns to harvest credentials.

Several active phishing campaigns targeting European governments, military, and diplomatic entities have been observed by Proofpoint since 2021.

Apart from this, several phishing campaigns have been observed since late 2022, and these campaigns are mainly targeting the following entities in the United States:-

  • Elected officials
  • Staffers

Technical Analysis

Since 2021, the phishing campaigns of TA473 have evolved considerably; to target its victims, it now employs opportunistic exploits.

The threat actor relies on a recurring set of phishing techniques across its email campaigns. The TTPs used by the group are listed below:-

  • TA473 sends emails from compromised email addresses, which in most cases originate from unpatched, insecure WordPress-hosted domains.
  • TA473 spoofs the “from” field of the email to pose as a user at the targeted organization or at a relevant peer organization involved in global politics.
  • In the body of the email, the attacker includes a sensitive-looking URL that appears to belong to either the targeted organization or a peer organization.
  • These URLs are hyperlinked to actor-controlled or compromised infrastructure, which delivers a first-stage payload or harvests credentials.
  • In some cases, instead of structured URI paths that carry a hashed value for the targeted individual, the actor uses encrypted or plaintext versions of the benign URL hyperlinked in the initial email to targets.
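Two of the TTPs above are mechanically checkable on inbound mail: a spoofed “from” field whose domain does not match the envelope sender, and a hyperlink whose visible text is a benign-looking URL while its href points at actor-controlled or compromised infrastructure. The script below is an added example written for this article, not Proofpoint's tooling; the message it parses is constructed, and every domain in it is a placeholder.

```python
"""Flag two phishing indicators in a raw e-mail:
   1. From-header domain differs from the Return-Path (envelope) domain
   2. an <a> whose visible text is a URL on one domain but whose href is on another
Added example; sample message and all domains below are constructed placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name claims a ministry, envelope sender is a blog host,
# and the visible link text differs from the real href.
SAMPLE_EMAIL = """\
From: "Press Office" <press@ministry.example>
Return-Path: <wp-user@compromised-blog.example>
To: analyst@target.example
Subject: Updated briefing
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the <a href="https://compromised-blog.example/wp-content/x?id=abc123">https://ministry.example/briefing.pdf</a></p>
</body></html>
"""

# Link text that "looks like" a URL or bare hostname; plain words such as "click here" do not match.
URLISH_RE = re.compile(r'(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?', re.I)


def _domain(value):
    """Lower-cased host from a URL, a bare host/path, or an e-mail address."""
    value = value.strip()
    if "@" in value and "://" not in value:      # e-mail address
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:                        # bare host or host/path
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def link_mismatches(html):
    """Links whose visible text names a different domain than the href actually targets."""
    findings = []
    for href, text in extract_links(html):
        if not URLISH_RE.fullmatch(text):
            continue                              # non-URL anchor text cannot "lie" about a domain
        href_dom, text_dom = _domain(href), _domain(text)
        if text_dom and href_dom != text_dom:
            findings.append({"href": href, "href_domain": href_dom, "text_domain": text_dom})
    return findings


def sender_mismatch(msg):
    """(from_domain, return_path_domain) when the header From and envelope sender disagree, else None."""
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    return (from_dom, rp_dom) if from_dom and rp_dom and from_dom != rp_dom else None


def _html_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw_message):
    msg = message_from_string(raw_message)
    return {"sender_mismatch": sender_mismatch(msg),
            "link_mismatches": link_mismatches(_html_body(msg))}


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

Neither check alone is proof of phishing (mailing-list relays legitimately change the envelope sender, and marketing mail often links through trackers), but a From/Return-Path mismatch combined with a link whose text and href disagree is exactly the pattern this group's emails exhibit and is cheap to score in a mail gateway.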

A malicious URL embedded in the body of the phishing email exploits CVE-2022-27926. The resulting JavaScript payload then steals the following data and performs the following actions:-

  • Usernames
  • Passwords
  • CSRF Tokens from cookies
  • Caches the stolen values to the actor-controlled server
  • Attempts login to the legitimate mail portal with active tokens
  • Displays Pop3 and IMAP instructions hosted on an actor-controlled server
  • Attempts logins to legitimate webmail portal via the native URL

With this information, the threat actors can freely access their targets’ email accounts.

Identifying the target’s webmail portal before crafting the phishing email and landing page shows how active and dynamic the threat actors are in pre-attack reconnaissance.

The malicious JavaScript code of ‘Winter Vivern’ uses three layers of base64 obfuscation and includes legitimate code from the webmail portal to evade detection.
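Stacked base64 defeats simple string matching because none of the indicators listed earlier (cookie access, form fields, logins to the mail portal) appear in the outer text. An analyst or a content-inspection rule therefore has to peel the layers first and match on the innermost text. The script below is an added example, not Winter Vivern's code or any Proofpoint tooling: `wrap_layers` builds a constructed triple-encoded sample around a harmless snippet that merely references `document.cookie`, `peel` repeatedly decodes the longest base64 literal it can find, and `assess` flags samples that are both deeply wrapped and reference credential-bearing browser APIs. The indicator list is an assumption chosen for this example.

```python
"""Peel nested base64 layers from a JavaScript sample and flag credential-theft indicators.
Added example; the sample payload, the wrapping scheme and the indicator list are constructed."""
import base64
import re
import string

# Constructed innermost snippet: touches the APIs a cookie/credential stealer would need
# but does nothing with the values.
INNER_JS = ('var c = document.cookie; '
            'var u = document.querySelector("input[name=username]"); '
            '/* constructed marker: values are never sent anywhere */')


def wrap_layers(js, layers=3):
    """Constructed sample builder: wrap `js` in `layers` rounds of eval(atob("...")).
    Assumption: each layer is a single base64 literal, as the article's description implies."""
    out = js
    for _ in range(layers):
        out = 'eval(atob("%s"))' % base64.b64encode(out.encode()).decode()
    return out


# Long runs of base64 alphabet with optional padding; short identifiers never match.
B64_RE = re.compile(r'[A-Za-z0-9+/]{20,}={0,2}')
PRINTABLE = set(string.printable)
# Assumed indicator list: browser APIs that carry cookies, tokens or typed credentials.
INDICATORS = ("document.cookie", "localStorage", "XMLHttpRequest", "fetch(", "password")


def _decode_text(token):
    """Decode one base64 token to text, or None if it is not valid base64 or not printable."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and all(ch in PRINTABLE for ch in text) else None


def peel(js, max_depth=10):
    """Return (layers_removed, innermost_text). Each round decodes the longest
    base64-looking literal that yields printable text; stops when none does."""
    depth, current = 0, js
    while depth < max_depth:
        decoded = None
        for token in sorted(B64_RE.findall(current), key=len, reverse=True):
            decoded = _decode_text(token)
            if decoded:
                break
        if decoded is None:
            break
        current, depth = decoded, depth + 1
    return depth, current


def assess(js):
    """Score a sample: how many layers were peeled and which indicators the core references.
    Heuristic: two or more layers is suspicious on its own; one layer only with an indicator hit."""
    depth, inner = peel(js)
    hits = [i for i in INDICATORS if i in inner]
    return {"layers": depth, "indicators": hits,
            "suspicious": depth >= 2 or (depth >= 1 and bool(hits))}


if __name__ == "__main__":
    sample = wrap_layers(INNER_JS, 3)
    print(assess(sample))       # layers=3, indicators include document.cookie, suspicious=True
```

The same peeling loop works for samples captured from web-proxy logs or from a webmail server's request logs, where the payload arrives as a URL parameter; the thresholds (20-character minimum, two layers) are starting points to tune against your own traffic, since legitimate bundled JavaScript occasionally embeds one base64 blob such as an inline image.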

This gives the threat actor a hold on the compromised webmail accounts, allowing it to monitor communications and gain access to sensitive information.

Aside from that, the hackers can further infiltrate target organizations by using the breached accounts to conduct lateral phishing attacks.

CVE-2022-27926 was fixed in Zimbra Collaboration 9.0.0 P24, released in April 2022. Despite not being the most sophisticated APT threat, TA473 shows persistence, focus, and a consistent process for compromising high-profile European targets.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.