Proofpoint researchers have observed TA473, a newly minted APT actor, abusing publicly facing Zimbra-hosted webmail portals by exploiting a Zimbra vulnerability tracked as CVE-2022-27926.
The sole goal of this activity is to gain unauthorized access to the following organizations involved in the Russia-Ukraine war:-
To select victims, the threat actors identify vulnerable webmail portals and possible attack methods with the help of the Acunetix scanner.
Following this initial scanning reconnaissance, the threat actors deliver phishing emails disguised as confidential government resources.
TA473 Hacker Group
TA473 is also publicly tracked as Winter Vivern and UAC-0114, names assigned by the following security vendors:-
- SentinelOne
- Ukrainian CERT
Several active phishing campaigns targeting European governments, military, and diplomatic entities have been observed by Proofpoint since 2021.
Apart from this, several phishing campaigns have been observed since late 2022, mainly targeting the following entities in the United States:-
- Elected officials
Since 2021, the phishing campaigns of TA473 have evolved considerably; to reach its victims, the group employs opportunistic exploits.
A recurring set of phishing techniques appears in almost all of this threat actor's email campaigns. The TTPs used by the group are listed below:-
- TA473 sends emails from compromised email addresses; in most cases, these originate from unpatched, insecure WordPress-hosted domains.
- To impersonate a user at the targeted organization or at a relevant peer organization involved in global politics, TA473 spoofs the “from” field of the email.
- In the body of the email, the attacker incorporates a URL that appears to belong to either the targeted organization or a peer organization.
- That displayed URL is hyperlinked to actor-controlled or compromised infrastructure, which delivers a first-stage payload or harvests credentials.
- In some cases, the hyperlinked path carries an encoded or plaintext copy of the benign URL shown in the initial email rather than a structured URI path encoding a hashed value for the targeted individual.
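The three link-disguise techniques above (a spoofed “from” address sent through unrelated infrastructure, visible link text that names the target's domain while the href points elsewhere, and a long hashed path segment identifying the recipient) can all be checked mechanically on an inbound message. The Python below is an added example written for this article, not code from Proofpoint or from any TA473 sample; the e-mail it parses is constructed, the domains are placeholders, the `Return-Path` comparison assumes the receiving MTA stamps that header, and the 32-hex-character rule for a “hashed” path segment is an assumption rather than a published indicator.

```python
"""Flag the link-disguise TTPs described above in a single e-mail.

Added example for this article; not Proofpoint's or TA473's code.
The sample message and all domains below are constructed placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a hex run of 32+ characters in a path is a per-recipient hash.
HEX_SEGMENT = re.compile(r"^[0-9a-f]{32,}$", re.I)

# Constructed sample: From claims the target's own domain while the
# envelope sender (Return-Path) is an unrelated WordPress host; the visible
# link text names the target, but the href resolves to a different host and
# carries a long hex segment.
SAMPLE_EML = """Return-Path: <wp-admin@unpatched-wordpress.example>
From: "Press Office" <press@target-org.example>
To: analyst@target-org.example
Subject: Updated guidance
Content-Type: text/html; charset=utf-8

<html><body>
<p>See the updated guidance at
<a href="https://mail.compromised-site.example/0123456789abcdef0123456789abcdef">
https://mail.target-org.example/guidance.pdf</a></p>
<p>Reference: <a href="https://www.target-org.example/about">about us</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL or bare-domain string, lower-cased."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return (parsed.hostname or "").lower()


def _addr_domain(header_value):
    """Domain part of the first address in a header, or '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def analyze_message(raw_message):
    """Return a list of (finding, detail, detail) tuples for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # TTP 1/2: envelope sender domain disagrees with the displayed From domain.
    from_dom = _addr_domain(msg["From"])
    rp_dom = _addr_domain(msg["Return-Path"])
    if rp_dom and from_dom != rp_dom:
        findings.append(("from_return_path_mismatch", from_dom, rp_dom))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _AnchorCollector()
    collector.feed(body.get_content())

    for href, text in collector.anchors:
        # TTP 3/4: link text that reads as a URL but names a different host than the href.
        looks_like_url = bool(re.match(r"^(https?://|[\w.-]+\.\w+/)", text))
        if looks_like_url and _host(text) != _host(href):
            findings.append(("display_href_mismatch", text, href))
        # TTP 5: a structured path segment that looks like a per-recipient hash.
        for segment in urlparse(href).path.split("/"):
            if HEX_SEGMENT.match(segment):
                findings.append(("hashed_path_segment", segment, href))
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EML):
        print(finding)
```

Each finding on its own is weak evidence (newsletters routinely fail the `Return-Path` check), so a mail gateway would score them together rather than block on any single one; the display/href mismatch combined with a hashed path segment is the combination that matches the pattern described above.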
The malicious URL embedded in the body of the phishing email primarily exploits CVE-2022-27926. The payload it delivers then performs the following actions:-
- Steals CSRF tokens from cookies
- Caches the stolen values on the actor-controlled server
- Attempts login to the legitimate mail portal with the active tokens
- Displays POP3 and IMAP instructions hosted on an actor-controlled server
- Attempts logins to the legitimate webmail portal via its native URL
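CVE-2022-27926 is a reflected cross-site scripting flaw, so the exploit chain above starts with an HTTP request to the webmail portal whose query string carries the script that later reads the cookies. That request is visible in the reverse proxy or web server access log, which gives defenders a detection point independent of the mail side. The Python below is an added example for this article, not Proofpoint's, Zimbra's or the actor's code; the log lines are constructed (RFC 5737 test addresses, a placeholder `/webmail/search` path and a `q` parameter), and the indicator regexes are generic XSS signatures, not a signature for the specific payload TA473 used.

```python
"""Scan reverse-proxy access log lines for reflected-XSS-shaped requests.

Added example for this article; not code from Proofpoint, Zimbra or TA473.
Log lines, addresses and the /webmail/search path are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Combined log format ("ip - user [ts] \"METHOD target PROTO\" status bytes \"referer\" \"ua\"").
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generic reflected-XSS indicators (assumption: a reasonable starting set, not a
# signature for the actor's actual payload). Order determines output order.
XSS_INDICATORS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("js_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon(error|load|mouseover|focus)\s*=", re.I)),
    ("cookie_access", re.compile(r"document\s*\.\s*cookie", re.I)),
]

# Constructed sample: one benign login request, one single-encoded script tag
# reading document.cookie, one double-encoded image/onerror payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2023:09:12:01 +0000] "GET /webmail/?loginOp=login HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2023:09:12:05 +0000] "GET /webmail/search?q=%3Cscript%3E'
    'document.cookie%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2023:09:13:40 +0000] "GET /webmail/search?q=%253Cimg%2520'
    'src%3Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048 "-" "curl/7.88"',
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """Return one dict per suspicious request: ip, path, status, matched indicators."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        target = fully_decode(m["target"])
        parts = urlsplit(target)
        # Reflected input normally arrives in the query, but check the whole target
        # so path-based variants are not missed.
        indicators = [name for name, rx in XSS_INDICATORS if rx.search(target)]
        if indicators:
            hits.append({
                "ip": m["ip"],
                "path": parts.path,
                "status": int(m["status"]),
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A `200` status on a request like the second or third line is the interesting case: the portal accepted and rendered the input rather than rejecting it, which is exactly what an unpatched instance does. Correlating such a hit with a subsequent successful login from a different client address using the same session is the next step, but that needs the mailbox audit log rather than the access log alone.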
With this data in hand, the threat actors can freely access their targets’ email accounts.
Identifying the target’s portal and setting up the landing page before crafting the phishing emails shows how active and dynamic the threat actors are in pre-attack reconnaissance.
This foothold in the compromised webmail accounts lets the threat actor monitor communications and thereby gain access to sensitive information.
Aside from that, the hackers can further infiltrate target organizations by using the breached accounts to conduct lateral phishing attacks.
CVE-2022-27926 was fixed in Zimbra Collaboration 9.0.0 P24, released in April 2022. Despite not being the most sophisticated APT threat, TA473 shows persistence, focus, and a consistent process for compromising high-profile European targets.