Hackers exploited Zimbra messaging platform’s 0-Day vulnerability to spy on users


A malicious actor, likely of Chinese origin, is actively trying to exploit a zero-day vulnerability in the open-source messaging platform Zimbra in spear-phishing campaigns that began in December 2021.

The spying operation – codenamed “EmailThief” – was detailed by cybersecurity firm Volexity in a technical report released on Thursday, noting that successful exploitation of the cross-site scripting (XSS) vulnerability could result in the execution of arbitrary JavaScript code in the context of the user’s Zimbra session.


Volexity attributed the intrusions, which began on December 14, 2021, to a previously undocumented hacking group it tracks as TEMP_HERETIC, with the assaults targeting European government and media entities. The zero-day bug affects the most recent open source edition of Zimbra running version 8.8.15.

Vulnerability in the Zimbra messaging platform

The attacks are believed to have occurred in two phases; the first stage was reconnaissance, distributing emails designed to keep tabs on whether a target received and opened the messages. In the next stage, multiple waves of emails were sent to trick recipients into clicking on a malicious link.

A total of 74 unique outlook.com email addresses were created by the attacker to send the missives over a two-week period, among which the initial reconnaissance messages carried generic subject lines ranging from invitations to charity auctions to refunds of airline tickets.

“For the attack to succeed, the target would have to visit the attacker’s link while logged into the Zimbra webmail client from a web browser,” noted Steven Adair and Thomas Lancaster. “The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook.”


The unpatched flaw, if weaponized, could be exploited to exfiltrate cookies to allow persistent access to a mailbox, send phishing messages from the compromised email account to spread the infection, and even facilitate the downloading of additional malware.
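Cookie theft of the kind described above depends on how the webmail session cookie is issued. As an added example that is not part of the article or of Zimbra’s code, the script below audits Set-Cookie headers for the attributes (HttpOnly, Secure, SameSite) that limit what injected script can do with a session. The cookie names and header lines are constructed sample data, not captured from any real server.

```python
"""Audit Set-Cookie headers for attributes that blunt XSS-driven session theft.

Added example, not from the article or from Zimbra. Cookie names and header
lines are constructed for illustration.
"""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into its name, value and attributes.

    Attribute names are lower-cased; valueless attributes (Secure, HttpOnly)
    map to True, valued ones (Path, SameSite) map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return findings for one Set-Cookie header; an empty list means hardened.

    Each finding names the missing or weak attribute and the exposure it leaves
    against script running in the victim's browser session.
    """
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: document.cookie can read it")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plain HTTP")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: sent on cross-site requests")
    elif str(samesite).lower() == "none":
        findings.append("SameSite=None: sent on cross-site requests")
    return findings


def audit_headers(headers: list) -> list:
    """Audit a list of Set-Cookie header values; returns (name, findings) pairs."""
    return [(parse_set_cookie(h)["name"], audit_cookie(h)) for h in headers]


# Constructed sample headers: one hardened session cookie, one weak one, and a
# preference cookie that carries no session value and needs less protection.
SAMPLE_HEADERS = [
    "WEBMAIL_AUTH=tok_ok_0001; Path=/; Secure; HttpOnly; SameSite=Lax",
    "WEBMAIL_AUTH=tok_weak_0002; Path=/",
    "WEBMAIL_PREFS=theme%3Ddark; Path=/; Secure",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

HttpOnly only blocks reading the cookie from JavaScript, which removes the persistent-access path of exfiltrating it; script that is already running inside the session can still issue requests that the browser sends with the cookie attached (for example to send mail), so the flag narrows the impact of an XSS rather than neutralising it.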


“None of the infrastructures identified […] exactly matches the infrastructure used by previously classified threat groups,” the researchers said. “However, based on the targeted organization and specific individuals within the targeted organization, and given that the data stolen would have no financial value, it is likely that the attacks were carried out by a Chinese APT actor.”

“Zimbra users should consider upgrading to 9.0.0, as there is currently no secure version of 8.8.15,” the company added.
