Hackers target Greece, Tunisia, Moldova, Vietnam and Pakistan with Zimbra zero-day

Hackers exploited a vulnerability in Zimbra’s email product to attack government agencies in Greece, Tunisia, Moldova, Vietnam and Pakistan, Google researchers have discovered.

Google’s Threat Analysis Group (TAG) first discovered the bug, classified as CVE-2023-37580, in June. Beginning that month, four different groups exploited the zero-day to target Zimbra Collaboration, an email server many organizations use to host their email.

The bug is a cross-site scripting (XSS) vulnerability, which allows hackers to inject malicious scripts into a victim website.

Google said the attacks on government organizations in Greece occurred on June 29, while Moldova and Tunisia were targeted on July 11. Vietnam and Pakistan were attacked on July 20 and August 25, respectively.

The hackers stole email information, user credentials and authentication tokens. Zimbra released a hotfix for the issue on GitHub on July 5 and published an advisory with remediation guidance on July 13. An official patch was pushed out by July 25.

“TAG observed three threat groups exploiting the vulnerability prior to the release of the official patch, including groups that may have learned about the bug after the fix was initially made public on Github,” Google officials said.

“TAG discovered a fourth campaign using the XSS vulnerability after the official patch was released. Three of these campaigns began after the hotfix was initially made public highlighting the importance of organizations applying fixes as quickly as possible.”

The attack on Greece began with an email carrying a malicious link. When clicked during a logged-in Zimbra session, the hacker was given access to the user’s emails and attachments. Hackers could also use it to set up an auto-forwarding rule to an attacker-controlled email address.

The second campaign targeting governments in Moldova and Tunisia was attributed to Winter Vivern, a notorious hacking group with suspected ties to Russia. The group has previously been accused of targeting organizations in Ukraine, Poland and India.

Last month, the group was caught exploiting a zero-day vulnerability affecting another popular webmail service used by governments across Europe.

In the attacks on Moldova and Tunisia, the malicious URLs in the email “contained a unique official email address for specific organizations in those governments.”

A third campaign targeting a government organization in Vietnam involved attempts to phish for user credentials.

“In this case, the exploit url pointed to a script that displayed a phishing page for users’ webmail credentials and posted stolen credentials to a url hosted on an official government domain that the attackers likely compromised,” Google said.

The fourth attack, on a government organization in Pakistan, involved an attempt to steal Zimbra authentication tokens.

Google said the hacks were examples of how attackers monitor open-source repositories where fixes for vulnerabilities are posted but not yet released to users.

The researchers added that this is the second vulnerability affecting Zimbra mail servers that has been used in attacks on governments, following exploitation in 2022 of another XSS vulnerability, CVE-2022-24682.

“The regular exploitation of XSS vulnerabilities in mail servers also shows a need for further code auditing of these applications, especially for XSS vulnerabilities,” they said.

“We urge users and organizations to apply patches quickly and keep software fully up-to-date for their full protection.”