Proofpoint researchers have observed TA473, a newly identified APT actor, abusing publicly facing Zimbra-hosted webmail portals by exploiting a Zimbra vulnerability tracked as CVE-2022-27926.
The sole goal of this activity is to gain unauthorized access to the following organizations involved in the Russia-Ukraine war:-
To select targets, the threat actors use the Acunetix scanner to identify vulnerable webmail portals and possible ways of exploiting them.
Following this initial scanning reconnaissance, the threat actors send phishing emails disguised as confidential government resources.
These phishing emails contain hyperlinks to attacker-controlled URLs that abuse the known vulnerability to execute JavaScript payloads within the victim's webmail portal.
TA473 is also publicly tracked as Winter Vivern and UAC-0114 by the following security vendors:-
This threat actor has historically delivered PowerShell and JavaScript payloads via phishing campaigns, and it also runs recurring credential-harvesting phishing campaigns.
Since 2021, Proofpoint has observed several active phishing campaigns targeting European government, military, and diplomatic entities.
Since late 2022, several further phishing campaigns have been observed, mainly targeting the following entities in the United States:-
Since 2021, TA473's phishing campaigns have evolved considerably; to reach its targets, the group now employs opportunistic exploits.
The threat actor reuses a recurring set of phishing techniques across all of its email campaigns. The TTPs used by the group are listed below:-
A malicious URL embedded in the body of the phishing email exploits CVE-2022-27926, and the JavaScript payload it delivers then steals the following information:-
With this data in hand, the threat actors can freely access their targets' email accounts.
Identifying the target's portal before crafting the phishing email and setting up the landing page shows how active and dynamic the threat actors are in pre-attack reconnaissance.
The malicious 'Winter Vivern' JavaScript uses three layers of base64 obfuscation and embeds legitimate code taken from the webmail portal to evade detection.
This gives the threat actor a persistent hold on the compromised webmail accounts, allowing it to monitor communications and gain access to sensitive information.
Beyond that, the attackers can infiltrate target organizations further by using the breached accounts for lateral phishing attacks.
CVE-2022-27926 was fixed in Zimbra Collaboration 9.0.0 P24, released in April 2022. Despite not being the most sophisticated APT threat, TA473 shows persistence, focus, and a consistent process for compromising high-profile European targets.
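As an added defender-side illustration (not code from Proofpoint or from this article), the Python below peels nested base64 layers out of URL query parameters and flags any parameter whose innermost content looks like script, the three-layer encoding pattern described above being the case it is built for. The hostname, parameter name and the harmless sample script are constructed for the demonstration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: a harmless script wrapped in three base64 layers,
# mimicking the layering the article attributes to the Winter Vivern payload.
_INNER = 'var u=document.location.href;console.log("demo");'


def _wrap(text: str, layers: int) -> str:
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


# urlencode percent-encodes '+', '/' and '=' so parse_qs returns them intact.
SAMPLE_URL = "https://webmail.example.test/zimbra/?" + urlencode({"p": _wrap(_INNER, 3)})

# Crude indicators that decoded text is browser-side script rather than data.
_SCRIPT_HINTS = re.compile(r"(document\.|window\.|eval\(|XMLHttpRequest|fetch\()")


def peel_base64(blob: str, max_layers: int = 8) -> tuple[int, str]:
    """Strip nested base64 layers until the result is no longer base64 text.
    Returns (number of layers removed, innermost text)."""
    current = blob
    for depth in range(max_layers):
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return depth, current
        # Stop on binary garbage that happened to decode as UTF-8.
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return depth, current
        current = text
    return max_layers, current


def scan_url(url: str) -> list[dict]:
    """Report query parameters whose multi-layer base64 content looks like script."""
    findings = []
    for name, values in parse_qs(urlparse(url).query).items():
        for value in values:
            layers, inner = peel_base64(value)
            if layers >= 2 and _SCRIPT_HINTS.search(inner):
                findings.append({"param": name, "layers": layers, "script": inner})
    return findings
```

Run `scan_url` over URLs pulled from mail gateway or web proxy logs; a hit with two or more layers and script-like content is worth a closer look, while single-layer base64 is common in benign links and is deliberately not flagged.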