Hackers Used Zimbra Email Platform Zero-Day Flaw to Spy on Users


A threat actor, most likely of Chinese origin, has been actively exploiting a zero-day flaw in the Zimbra open-source email platform as part of spear-phishing activity that began in December 2021.

The espionage operation, nicknamed “EmailThief,” was outlined in a technical report released on Thursday by cybersecurity firm Volexity. The report says that successful exploitation of the cross-site scripting (XSS) vulnerability allows arbitrary JavaScript to be executed in the context of the user’s Zimbra webmail session.

The intrusions, which began on December 14, 2021, were attributed to a previously unknown threat actor that Volexity tracks under the temporary name TEMP_HERETIC. The attacks targeted European government and media organizations. The zero-day vulnerability affects Zimbra’s most recent open-source release, version 8.8.15.

The attacks were carried out in two stages. The first was reconnaissance: emails were sent to confirm that a target’s address was valid and that the messages were being received and opened. After that, multiple waves of email messages were sent to lure users into clicking a malicious link.

“For the attack to be successful, the target would have to visit the attacker’s link while logged into the Zimbra webmail client from a web browser,” Thomas Lancaster and Steven Adair noted. “The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook.”

Because the injected script runs inside the victim’s authenticated session, the unpatched vulnerability could be used to exfiltrate session cookies, maintain persistent access to the mailbox, send phishing messages from the hijacked account to extend the campaign, and facilitate further malware installation.
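One concrete way to see why cookie exfiltration is possible, and where the HttpOnly flag limits it, is to audit the Set-Cookie headers a webmail front end issues. The following Node.js script is an added example written for this page; it is not code from the article, from Volexity, or from Zimbra. The cookie names and values are constructed for illustration and do not correspond to Zimbra’s actual cookies. It parses Set-Cookie headers, reports which cookies a same-origin script (such as an XSS payload) could read through document.cookie, and flags cookies missing the HttpOnly or Secure attributes.

```javascript
// Added example, not from the article nor from Zimbra or Volexity.
// Audits Set-Cookie headers for the attributes that decide whether a script
// injected by XSS can read the session cookie via document.cookie.
// Cookie names and values below are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attrs };
}

// What a same-origin script (for example an XSS payload running inside the
// victim's webmail session) gets back from document.cookie: every cookie
// that is not marked HttpOnly, as "name=value" pairs joined by "; ".
function scriptVisibleCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !('httponly' in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Flag cookies an XSS payload could exfiltrate (no HttpOnly) or that a
// network attacker could observe on a plaintext connection (no Secure).
function auditCookies(headers) {
  const findings = [];
  for (const c of headers.map(parseSetCookie)) {
    if (!('httponly' in c.attrs)) {
      findings.push(`${c.name}: missing HttpOnly (readable from document.cookie)`);
    }
    if (!('secure' in c.attrs)) {
      findings.push(`${c.name}: missing Secure (sent over plain HTTP)`);
    }
  }
  return findings;
}

// Constructed sample: one hardened session cookie next to two weaker ones.
const SAMPLE_HEADERS = [
  'session_token=s3cr3t; Path=/; HttpOnly; Secure; SameSite=Lax',
  'ui_prefs=compact; Path=/; Secure',
  'legacy_auth=0ldt0k3n; Path=/',
];

console.log('document.cookie would expose:', scriptVisibleCookies(SAMPLE_HEADERS));
for (const finding of auditCookies(SAMPLE_HEADERS)) {
  console.log('finding:', finding);
}
```

Run it with `node audit-cookies.js` (any filename works). The caveat a practitioner should keep in mind: HttpOnly only blocks reading the cookie from script. A payload executing in the logged-in session can still issue requests to the webmail application, and the browser attaches the session cookie to those requests automatically, which is how an attacker can keep using the mailbox or send mail from it without ever seeing the cookie value.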

According to the researchers, none of the infrastructure discovered […] matches that used by previously known threat groups. However, given the organizations targeted and the specific individuals within them, as well as the fact that the stolen material would have little monetary value, the researchers assess that the attacks were most likely carried out by a Chinese APT actor.

Volexity further said that Zimbra users should consider upgrading to version 9.0.0, since version 8.8.15 remains unpatched against this flaw.

About the author

CIM Team

