In a recent revelation by the Google Threat Analysis Group (TAG), a critical zero-day flaw in the Zimbra Collaboration email software has become the focal point of real-world cyber attacks. Exploited by four distinct threat actors, these attacks aimed at pilfering sensitive email data, user credentials, and authentication tokens have raised concerns among cybersecurity experts.
The CVE-2023-37580 Vulnerability
Tracked as CVE-2023-37580, the flaw is a reflected cross-site scripting (XSS) vulnerability affecting Zimbra versions before 8.8.15 Patch 41. Discovered and reported by TAG researcher Clément Lecigne, the vulnerability was addressed by Zimbra through patches released on July 25, 2023.
How the Flaw Works
The vulnerability allows for the execution of malicious scripts on victims’ web browsers by tricking them into clicking on a specially crafted URL. This triggers an XSS request to Zimbra, reflecting the attack back to the user and potentially enabling the attacker to execute malicious actions.
Timeline of Attacks
Google TAG uncovered multiple campaign waves based on CVE-2023-37580 starting from June 29, 2023, two weeks before Zimbra issued an advisory. Three of the four campaigns were initiated before the release of the patch, emphasizing the urgency of timely updates. The fourth campaign was detected a month after the fixes were made public.
- TEMP_HERETIC: The first campaign targeted a government organization in Greece, sending emails containing exploit URLs leading to the delivery of email-stealing malware.
- Winter Vivern: This threat actor focused on government organizations in Moldova and Tunisia shortly after the vulnerability patch was pushed to GitHub on July 5. Winter Vivern has been previously linked to exploiting security vulnerabilities in Zimbra Collaboration and Roundcube.
- Unidentified Group in Vietnam: Before the patch was released on July 25, a third, unidentified group exploited the flaw to phish for credentials from a government organization in Vietnam. The attackers used a phishing page to collect webmail credentials and posted stolen credentials to a URL on an official government domain.
- Targeting Pakistan: On August 25, a government organization in Pakistan fell victim to the flaw, resulting in the exfiltration of Zimbra authentication tokens to a remote domain named “ntcpk[.]org.”
Google TAG emphasized the pattern of threat actors exploiting XSS vulnerabilities in mail servers, highlighting the need for thorough audits of such applications. The discovery of four campaigns exploiting CVE-2023-37580, even after the flaw was publicly known, underscores the importance of organizations promptly applying fixes to their mail servers.
The Zimbra CVE-2023-37580 zero-day vulnerability has exposed organizations to targeted attacks, showcasing the significance of robust cybersecurity measures and the need for swift adoption of patches. As cyber threats evolve, proactive security measures, regular audits, and prompt application of updates are crucial to safeguarding sensitive information and maintaining the integrity of communication platforms.