Adam Bannister February 07, 2022 at 14:13 UTC
Updated: February 07, 2022 at 15:53 UTC
Attackers targeted mailboxes ‘in multiple waves over two attack phases’
Business email platform Zimbra has released a patch for a cross-site scripting (XSS) vulnerability whose abuse has underpinned a series of spear phishing campaigns.
However, Volexity researchers believe attackers could also exfiltrate cookies and gain persistent access to mailboxes, send other phishing messages to victims’ contacts, and trick targets into inadvertently downloading malware.
RELATED Chained Zimbra flaws gave attackers unrestricted access to mail servers
Using web analytics service BinaryEdge, researchers said they detected around 33,000 mail servers running on Zimbra, but noted that the company claims its open-source software is used by 200,000 businesses and more than 1,000 institutions. governmental and financial.
Volexity said the attackers, which it tracks as “TEMP_Heretic”, targeted European media outlets and government bodies and agencies.
The vulnerability was disclosed on February 3 when Volexity detailed how one of its customers was targeted “in multiple waves across two attack phases” over a two-week period.
The first phase of reconnaissance, which began on December 14, 2021, “involved emails designed to simply track whether a target received and opened the messages,” the researchers explained.
DEEP DIVES A guide to spear phishing – how to protect against targeted attacks
“The second phase took place in multiple waves containing emails tricking targets into clicking on a malicious link crafted by an attacker.”
The attack relied on the victim visiting a malicious link while logged into the Zimbra webmail client from a web browser. “The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook,” the researchers added.
Volexity said it notified Zimbra of the attacks on December 16, and Zimbra acknowledged receipt on December 28.
Then, on January 11, Volexity informed some other Zimbra customers that they were targeted by the same exploit.
The flaw appeared to only affect Zimbra 8.8.15 and earlier versions – not the latest later version, 9.0.0.
Zimbra announcement on Friday (February 4) that the fix would be “available to Zimbra customers via Zimbra Support”.
Learn about the latest email security news
The company said, “A lasting fix to the issue is under testing and quality review and will be available as an update to 8.8.15p30. The updated patch is expected to be available through our download site on February 5, 2022.
“We recommend all Zimbra customers to use the latest version available to avoid any issues.”
Volexity has provided a list of Infrastructure that Zimbra customers should block and advised them to “analyze historical referrer data to detect suspicious hits and referrers.”
XSS in the wild
Volexity said the exploit was less damaging than Microsoft Exchange vulnerabilities at the time, it unveiled in March 2021but that it “can still have catastrophic consequences for organizations”.
Michał Bentkowski, web security consultant at Polish cybersecurity firm Securitum, said The daily sip: “Although XSS is one of the most common vulnerabilities in web applications, we rarely get information about actual campaigns using XSS-es. Probably the most popular (or maybe the only popular?) is Samy XSS it happened in 2005 on MySpace and reached over a million users.
“I found the Zimbra XSS story really interesting because it’s a real-world campaign. It also highlights one of the typical effects of XSS, namely the ability to exfiltrate user data, in this case: the body of the emails and the attachments.
“This could be a good case study, to explain the effects of XSS and the importance of preventing this vulnerability.”
DON’T FORGET TO READ ThePhish: the “most comprehensive” non-commercial phishing email scanner