Email servers are a prime target for hackers, as compromising them provides access to sensitive corporate communications and customer data. A recently disclosed vulnerability in the popular Zimbra Collaboration email server software has allowed multiple cyber threat groups to do just that.
Zimbra Zero-Day Actively Exploited in the Wild
In June 2023, Google's Threat Analysis Group (TAG) discovered threat actors actively exploiting a zero-day vulnerability in Zimbra Collaboration, an open-source email and collaboration platform used by many organizations to host enterprise email services.
The flaw, a reflected cross-site scripting (XSS) vulnerability now tracked as CVE-2023-37580, allowed attackers to inject malicious scripts into the Zimbra web interface. If an authenticated user clicked a specially crafted link, the malicious script would execute in their browser, enabling the hackers to steal sensitive data like emails, attachments, and login credentials.
Multiple Campaigns Leverage Vulnerability Before and After Patch
Zimbra published a hotfix for the vulnerability to GitHub on July 5 and issued an initial advisory with remediation guidance on July 13, 2023. Even so, TAG observed three separate threat groups exploiting the flaw before the official patch became available on July 25.
Most concerningly, TAG discovered a fourth campaign that successfully exploited the vulnerability even after the official patch was released. This highlights the need for organizations to urgently apply security updates as soon as they become available.
The earliest attack was attributed to a known actor targeting a government organization in Greece to deploy a JavaScript-based malware framework designed to steal emails and forwarding rules.
The second campaign was traced to the APT group Winter Vivern, which targeted government entities in Moldova and Tunisia in mid-July.
The third campaign targeted a government agency in Vietnam to distribute a phishing page harvesting login credentials.
In August 2023, after the patch for CVE-2023-37580 was released, TAG discovered a fourth campaign using the vulnerability against a government organization in Pakistan. The exploit was used to steal the Zimbra authentication token.
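The mechanism behind every campaign above is the same reflected-XSS pattern: a value taken from the link's query string is echoed into the web interface's markup without encoding, and whatever the crafted link put there runs in the victim's browser with access to the session. The following example is added here and is not Zimbra's code or anything published by Google TAG; it models that pattern with a vulnerable render function beside its hardened form, and adds the response headers that limit what a reflected script could do with the authentication token even if an encoding bug slipped through. The parameter name `st`, the cookie name `session`, the host `mail.example.test` and the sample link are all constructed assumptions for illustration.

```javascript
// Added example, not code from Zimbra or from Google TAG. Models a reflected
// query-string value echoed into a hidden form field, and the defences that
// stop it: output encoding plus cookie/CSP hardening. The parameter name `st`
// and the cookie name `session` are assumptions, not Zimbra identifiers.

// Encode the five characters that change meaning inside HTML text/attributes.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Vulnerable pattern: the request parameter is copied verbatim into markup,
// so a crafted link controls the attribute and everything that follows it.
function renderUnsafe(link) {
  const st = new URL(link).searchParams.get('st') ?? '';
  return `<input name="st" type="hidden" value="${st}">`;
}

// Hardened pattern: the same page, but the reflected value is encoded for the
// HTML attribute context before it is inserted.
function renderSafe(link) {
  const st = new URL(link).searchParams.get('st') ?? '';
  return `<input name="st" type="hidden" value="${escapeHtml(st)}">`;
}

// Second layer: headers that cap the damage if an encoding bug slips through.
// HttpOnly keeps the session token out of document.cookie, Secure/SameSite
// limit where it is sent, and the CSP refuses inline script execution.
function hardenedHeaders(sessionToken) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    'X-Content-Type-Options': 'nosniff',
    'Set-Cookie': `session=${sessionToken}; Path=/; Secure; HttpOnly; SameSite=Lax`,
  };
}

// Regression check a reviewer or CI job can run on rendered output: the
// markup must still contain exactly one tag, i.e. the reflected value never
// closed the attribute and opened a new element.
function reflectionIsContained(html) {
  return (html.match(/</g) || []).length === 1;
}

// Constructed sample link whose `st` value tries to close the attribute
// (decodes to: "><i>injected</i>). Illustrative only, no script involved.
const sampleLink =
  'https://mail.example.test/m/page?st=%22%3E%3Ci%3Einjected%3C%2Fi%3E';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderUnsafe(sampleLink),
    'contained =', reflectionIsContained(renderUnsafe(sampleLink)));
  console.log('safe:  ', renderSafe(sampleLink),
    'contained =', reflectionIsContained(renderSafe(sampleLink)));
  console.log(hardenedHeaders('placeholder-token'));
}
```

Running it shows the unsafe render emitting a second element after the hidden input, while the safe render keeps the whole value inside the attribute as `&quot;&gt;&lt;i&gt;...`. The `reflectionIsContained` check is deliberately crude (one `<` per rendered fragment) so it can sit in a unit test for each template that reflects request data; the header set is the part that would have blunted the token theft in the fourth campaign, since a script cannot read an `HttpOnly` cookie and a strict `script-src` blocks inline execution in the first place.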
Mitigating Ongoing Risks
The repeated targeting of the Zimbra bug underscores the risks of delaying patch deployment. It also demonstrates how quickly threat actors identify and weaponize publicly reported flaws.
To mitigate risks, organizations using vulnerable versions of Zimbra should immediately apply the latest patch. Enforcing multi-factor authentication, prompt patch management, and limiting access to the Zimbra control panel can also reduce the attack surface.
The exploitation of Zimbra comes after similar XSS bugs were discovered in the past year in Zimbra and Roundcube webmail platforms. This points to the need for increased security auditing and code hardening efforts by email software vendors.
By reporting the vulnerability details and campaigns, Google's TAG aims to promote timely patching and help secure the wider email ecosystem against sophisticated cyber threats.