As part of spear-phishing activity that began in December 2021, a threat actor, most likely of Chinese origin, is actively exploiting a zero-day flaw in the Zimbra open-source email platform.
The intrusions, which began on December 14, 2021, were attributed to a previously unknown threat group that Volexity is tracking under the name TEMP_HERETIC. The attacks targeted European government and media organizations. The zero-day vulnerability affects the most recent open-source release of Zimbra, version 8.8.15.
The attacks were carried out in two phases: the first was reconnaissance, sending emails designed to confirm whether a target had received and opened the messages. After that, several waves of email messages were sent to lure users into clicking a malicious link.
“For the attack to be successful, the target would have to visit the attacker’s link while logged into the Zimbra webmail client from a web browser,” Thomas Lancaster and Steven Adair noted. “The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook.”
If exploited, the unpatched vulnerability could be used to exfiltrate session cookies, maintain persistent access to a mailbox, send phishing messages from the compromised email account to spread the infection, and even facilitate the installation of further malware.
According to the researchers, none of the infrastructure discovered […] overlaps with that used by previously known threat groups. However, given the organizations targeted, the specific personnel singled out within them, and the fact that the stolen material would have little monetary value, the attacks were most likely carried out by a Chinese APT actor.
The company further advised that Zimbra users consider upgrading to version 9.0.0, since version 8.8.15 currently has no patch for the flaw.