A technical report by Volexity revealing a continuing campaign uncovered an active campaign taking advantage of a zero-day susceptibility in the Zimbra webmail platform since December 2021.
Zimbra is an open-source email platform that serves hundreds of millions of mailboxes across 140 countries.
The Genesis
The attack came to the attention of Volexity through one of their clients. A closer look into the hacking process and infrastructure depicted the behavior of TEMP_ Heretic, a formerly active Chinese espionage cyber gang. `The cyberattack triggers are spear-phishing emails and theft of sensitive information via an embedded link.
How the Cybercriminal Launch the Attack
Volexity noted that the malicious attackers were very selective in launching attacks. They would first send emails with trackers to see if the users would open the email, confirming its validity.
Hackers sent initial confirmed emails to 74 distinct Microsoft Outlook email accounts containing nonspecific graphics and subject lines, such as invitations, notifications, and airline ticket refund information.
TEMP_Heretic will then send customized phishing emails that contain a malicious link. Subsequent emails which prompted a conversation with the user had more specific topics, such as requests for interviews from news organizations like the AFP and BBC or invites to charity dinners and events.
Some of the emails had seasonal greetings and were holiday-themed. Considering the attack began in December, this was a well-thought-out plan.
However, according to Volexity’s findings, the malicious file and link could be launched from other email clients, such as Outlook or Thunderbird, as long as the victim was connected to the Zimbra webmail client from a web browser.
If the user clicks on the URL, it directs them to a malicious JavaScript website that will attack their organization’s Zimbra webmail application with a cross-site scripting (XSS) attack.
Cybercriminals would target mail content such as sensitive information, attachments, and cookies for theft.
Other Cyberattack Mechanisms
Additionally, TEMP_Heretic might use a hacked email account to send phishing emails to other people’s contacts or colleagues or initiate commands that direct the victim to download additional malware.
Who Is Affected by the Cyberattack: Zimbra 0-day Vulnerability Abuse?
Zimbra has more than 33,000 active servers linked to the internet and more than 200,000 active users.
Several European government agencies and news agencies are affected, including other businesses and companies in the 140 countries.
Government agencies and businesses using Version 8.8.15 P29 and P30 of Zimbra’s webmail clients were vulnerable, according to Volexity.
Volexity claims that the zero-day does not apply to the most recent version of the platform (Zimbra 9. x), which means that the cyber-attack effect is not as significant as first assumed.
Mitigation and Protective Measures
Therefore, it would be safe to say that organizations on the Zimbra platform should upgrade their software to the latest version.
However, Zimbra users should analyze past referrer data for unusual access and spammy links as a precaution. They should also filter and block all phishing emails at the email gateway.
Beware: No Patch has been Released for the Zero-day Vulnerability.
Volexity has since released a technical advisory report saying the campaign, aka “Operation EmailThief,” which has been running since December 2021, looks like the work of Chinese hackers.
Volexity’s advisory goal is to promote public knowledge of this issue and allow organizations that utilize a Zimbra email server to examine if they are affected.
The security company had previously written to Zimbra attaching a proof-of-concept (PoC) code on the vulnerability exploit. Zimbra acknowledged the submission and stated the exploit was confirmed, as informed by their cybersecurity team.
After requesting details about a fix in January and receiving no feedback, Volexity made its findings public this month.
Notably, it is unlikely that this issue would impact users of the current webmail client.
Takeaway
The issue remains unresolved, and we are yet to hear from Zimbra.