A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to steal email data, user credentials, and authentication tokens.
“Most of this activity occurred after the initial patch became public on GitHub,” the Google Threat Analysis Group (TAG) said in a report shared with The Hacker News.
The bug, tracked as CVE-2023-37580 (CVSS score: 6.1), is a reflected cross-site scripting (XSS) vulnerability affecting versions prior to 8.8.15 Patch 41. It was fixed by Zimbra as part of patches released on July 25, 2023.
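A quick patch-level check for the range the article gives (anything before 8.8.15 Patch 41), added here as an example and not code from Zimbra or Google TAG. It assumes the `zmcontrol -v` output format shown in the comments and reports "unknown" for release lines the article does not cover rather than guessing.

```python
import re
from typing import NamedTuple, Optional, Tuple

# From the article: CVE-2023-37580 was fixed in 8.8.15 Patch 41.
FIXED_RELEASE = (8, 8, 15)
FIXED_PATCH = 41


class ZimbraVersion(NamedTuple):
    release: Tuple[int, int, int]  # e.g. (8, 8, 15)
    patch: int                     # 0 when no patch level is reported


# Assumed `zmcontrol -v` format (constructed example string), e.g.
#   Release 8.8.15_GA_4179.RHEL8_64_20211118033157 RHEL8_64 FOSS edition, Patch 8.8.15_P41.
_RELEASE_RE = re.compile(r"Release\s+(\d+)\.(\d+)\.(\d+)")
_PATCH_RE = re.compile(r"Patch\s+\d+\.\d+\.\d+_P(\d+)")


def parse_zmcontrol_version(text: str) -> Optional[ZimbraVersion]:
    """Extract release triple and patch level; None if no release line is found."""
    m = _RELEASE_RE.search(text)
    if not m:
        return None
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    p = _PATCH_RE.search(text)
    patch = int(p.group(1)) if p else 0  # unpatched GA build reports no "Patch" suffix
    return ZimbraVersion(release, patch)


def is_vulnerable(v: ZimbraVersion) -> Optional[bool]:
    """True if the build predates 8.8.15 Patch 41, False if at/after it,
    None for release lines the article's stated range does not describe."""
    if v.release < FIXED_RELEASE:
        return True
    if v.release > FIXED_RELEASE:
        return None  # 9.x / 10.x fix levels are not given in the article; do not guess
    return v.patch < FIXED_PATCH


def check_host(zmcontrol_output: str) -> str:
    """Map raw zmcontrol -v output to a one-word status for a fleet report."""
    v = parse_zmcontrol_version(zmcontrol_output)
    if v is None:
        return "unparsed"
    result = is_vulnerable(v)
    return "unknown" if result is None else ("vulnerable" if result else "patched")
```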
Successful exploitation of the flaw could allow the execution of malicious scripts on victims’ web browsers simply by tricking them into clicking on a specially crafted URL, effectively initiating the XSS request to Zimbra and reflecting the attack back to the user.
Google TAG, whose researcher Clément Lecigne was credited with discovering and reporting the bug, said it detected multiple campaign waves starting on June 29, 2023, at least two weeks before Zimbra issued an announcement.
Three of the four campaigns were observed before the release of the patch, and the fourth campaign was discovered a month after the fixes were published.
The first campaign is said to have targeted a government organization in Greece, with emails containing exploit URLs sent to the targets; when clicked, the URLs delivered an email-stealing malware previously observed in a cyberespionage operation called EmailThief in February 2022.
The intrusion set, which Volexity codenamed TEMP_HERETIC, also exploited a then-zero-day flaw in Zimbra to carry out those attacks.
The other threat actor to exploit CVE-2023-37580 is Winter Vivern, which targeted government organizations in Moldova and Tunisia shortly after a patch for the vulnerability was posted to GitHub on July 5.
It is worth noting that the adversarial collective has been linked to the exploitation of security vulnerabilities in Zimbra Collaboration and Roundcube by Proofpoint and ESET this year.
TAG said it discovered a third, unidentified group that weaponized the flaw before the patch was pushed on July 25 to phish for credentials belonging to a government organization in Vietnam.
“In this case, the exploit URL pointed to a script that displayed a phishing page for users’ webmail credentials and posted stolen credentials to a URL hosted on an official government domain that the attackers likely compromised,” TAG noted.
Finally, a government organization in Pakistan was targeted using the flaw on August 25, which resulted in the Zimbra authentication token being exfiltrated to a remote domain named “ntcpk[.]org.”
Google also pointed out a pattern in which threat actors regularly exploit XSS vulnerabilities in mail servers, necessitating that such applications be thoroughly audited.
“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the flaw first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” TAG said.
“These campaigns also highlight how attackers monitor open source repositories to opportunistically exploit vulnerabilities where the fix is in the repository but not yet released to users.”