Quick: Manually patch this Zimbra bug that’s under attack

July 17, 2023 TH Author

A vulnerability in Zimbra’s software is being exploited right now by miscreants to compromise systems and attack selected government organizations, experts reckon.

An update to squash the security bug won’t be pushed out until later this month, according to the developer, which for now has “kindly” asked customers to manually apply a fix.

The flaw affects Zimbra Collaboration Suite version 8.8.15, and “could potentially impact the confidentiality and integrity of your data,” according to an advisory from the software maker. In other words, the bug can be exploited to steal or alter information among other things.

Zimbra said it will deliver the fix in an official July software update. However, “we understand that you may want to take action sooner rather than later to protect your data,” the email software provider added. “To maintain the highest level of security, we kindly request your cooperation to apply the fix manually on all of your mailbox nodes.”

That may not be a bad idea since it is believed the flaw is under active exploitation; though that’s limited in scope at the moment, it could widen as the days and weeks go on.

Clément Lecigne, a researcher in Google’s Threat Analysis Group, spotted the vulnerability “being used in-the-wild in a targeted attack,” according to TAG colleague Maddie Stone on Thursday.

Threat actors could steal sensitive user information or execute malicious code on vulnerable systems

And while the Googlers did not provide additional details about who was being targeted and how, EclecticIQ researchers on Monday said it’s possible the bug is being used in cross-site scripting (XSS) attacks targeting government organizations in Ukraine, Spain, Indonesia, and France.

“As part of XSS attacks, threat actors could steal sensitive user information or execute malicious code on vulnerable systems that affects Zimbra Collaboration Suite version 8.8.15,” EclecticIQ analyst Arda Büyükkaya explained today.

Essentially what appears to be happening is this, according to Büyükkaya: someone probably hijacked “government-owned Zimbra and Roundcube email servers and used these to send spearphishing emails to other government entities.” EclecticIQ has high confidence that is happening, and believes with lower confidence that the aforementioned XSS flaw was used to compromise the email servers.

We’re told that EclecticIQ analysts has seen 12 phishing emails sent out in this campaign, which began as early as January 2023.

After getting into the email servers, the intruders used these systems to send phishing emails containing fake Zimbra maintenance notification alerts to their victims, it appears. The emails contained a link that took marks to a fake Zimbra email login page, and allowed the miscreants to collect the users’ credentials.

Smells like Russia

Considering the report finds most of the phishing emails were sent to Zimbra email users in Ukraine — including the National Police in the Kyiv region — it’s not that shocking that EclecticIQ says Russian miscreants are probably responsible for the attacks.

One of the emails specified a Gmail reply-to address that the security team said is “very likely owned or controlled by the threat actor.” It’s similar to another email address tied to an account on Russian-speaking cyber-forum Exploit[dot]in.

“However, as these forums are internationally accessible, it is not definitive proof of the actor’s origin or nationality,” Büyükkaya said.

This reminds us of an alert in March this year that Russian miscreants were exploiting Zimbra bugs to break into government email systems.

At the time Proofpoint analysts said they spotted a pro-Russia spy ring abusing Zimbra flaws to target US elected officials and their staffers in addition to European Union lawmakers.

The snoopers – which Proofpoint tracks as TA473, the Ukrainian CERT has named UAC-0114, and other private security researchers call it Winter Vivern – were clocked by DomainTools in 2021 and have been active since December 2020.

In March 2023, Proofpoint said phishing campaigns targeting European government agencies exploited CVE-2022-27926, a critical XSS vulnerability in Zimbra Collaboration versions 9.0.0 that powers public-facing webmail portals. The vendor patched that hole in March 2022.

And last August, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warned that cybercriminals were actively exploiting five vulnerabilities in the Zimbra Collaboration Suite to break into government and private-sector networks.

Organizations that didn’t immediately patch their Zimbra email systems should assume miscreants found and exploited those bugs, and should start hunting for malicious activity across IT networks, Uncle Sam said at the time. ®