A Zero-Day Flaw In Zimbra Has Allowed Hackers To Exploit Servers, Volexity Warns

Posted on February 4, 2022 at 6:45 PM

Security researchers at Volexity have warned that Chinese threat actors are exploiting a zero-day vulnerability in the Zimbra email platform. According to the malware hunters, the threat actors are targeting government establishments in Europe.

The exploits begin with a series of targeted spear-phishing emails and are described as “ongoing” at the moment. The researchers also said that the vulnerability has not yet been assigned a CVE identifier and has not been patched.

The Attack Was Launched In Two Phases

Because the flaw is new, Volexity has described the threat actors' attack and exploitation method. According to Volexity, the Chinese threat actors launched the attacks in two distinct phases, each delivered in separate waves.

In the first stage, the threat actors designed the emails to verify whether the target had received and opened the message. The second stage was launched in several waves of email messages that lure targets into clicking a malicious link. The exploit only succeeds if the target clicks the link to visit the sender's page while also being logged into the Zimbra webmail client in the same web browser.

Once an exploit is successful, the threat actor can run arbitrary JavaScript within the user's Zimbra session. The security researchers also noted that the threat actors steal the user's mail attachments and data while that JavaScript is loading.

Once they deceive the user into clicking the malicious link, the user's Zimbra email account is at the mercy of the attackers. They can plant cookies and use the mailbox to introduce further malware into the system, the researchers warned.

The Vulnerability Is Still Unpatched

According to the report, Volexity discovered the attacks in December and notified Zimbra immediately. However, as no patch for the vulnerability has been provided, Volexity says it has decided to make its discovery public.

The security firm says it decided to publish details of the attack to warn those who run Zimbra email servers to add more protection to their systems. The information will also help them determine whether they have been compromised and how to respond.

The first email was only a preliminary stage; the actual attack began in the second stage. In the second stage, an email containing a link is sent to the user, who is redirected to the attacker's remote website when they click on it.

Once the user lands on that page, malicious JavaScript code executes a cross-site scripting (XSS) attack against their organisation's Zimbra webmail application.

The Zero-Day Is Ineffective Against Zimbra 9.X Installs

According to the security team, the code exploited a flaw in Zimbra webmail servers running versions 8.8.15 P29 and P30. It also gives the threat actors access to the user's Zimbra session cookies.

Once the attackers have these cookies, they can connect directly to the Zimbra account, which lets them read the user's email and deceive contacts into downloading malware. The attackers can also carry out further attacks once they control the user's account.
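The report's core point is that an XSS in the webmail client exposes the session cookie. One defensive check an administrator can run is to audit the Set-Cookie headers their Zimbra server returns for the HttpOnly and Secure attributes, and to compare the build against the affected 8.8.15 P29/P30 releases named above. The example below is added here and is not Volexity's or Zimbra's code; the cookie names ZM_AUTH_TOKEN and JSESSIONID and the sample headers are assumptions/constructed, not taken from the article.

```python
"""Audit Zimbra webmail Set-Cookie headers for session-cookie hardening.

HttpOnly keeps injected JavaScript from reading the cookie value via
document.cookie; Secure keeps it off plaintext connections. Cookie names
are an assumption (Zimbra's auth token cookie and Jetty's JSESSIONID).
"""
from http.cookies import SimpleCookie

# Cookies that identify an authenticated Zimbra webmail session (assumed).
SESSION_COOKIES = {"ZM_AUTH_TOKEN", "JSESSIONID"}

# Patch levels of 8.8.15 the article reports as exploited.
AFFECTED_PATCHES = {29, 30}

# Constructed sample: headers as a server might return them on login.
SAMPLE_HEADERS = [
    "ZM_AUTH_TOKEN=0_EXAMPLEtoken; Path=/; HttpOnly",   # missing Secure
    "JSESSIONID=node0example; Path=/",                  # missing both
    "ZM_TEST=true; Path=/",                             # not a session cookie
]


def audit_set_cookie(headers):
    """Return {cookie_name: [missing attributes]} for session cookies.

    `headers` is a list of raw Set-Cookie header values, one per cookie.
    Cookies that carry both HttpOnly and Secure produce no entry.
    """
    findings = {}
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name not in SESSION_COOKIES:
                continue
            # Flag attributes parse to True when present, "" when absent.
            missing = [a for a in ("httponly", "secure") if not morsel[a]]
            if missing:
                findings[name] = missing
    return findings


def is_affected_build(version, patch):
    """True for the 8.8.15 P29/P30 builds the article reports as exploited."""
    return version == "8.8.15" and patch in AFFECTED_PATCHES


if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
    print("8.8.15 P30 affected:", is_affected_build("8.8.15", 30))
```

HttpOnly only prevents the script from reading the token; script running in the victim's webmail origin can still issue authenticated requests, so the patch, not the cookie flags, is the actual fix.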

One positive thing about the vulnerability is the fact that not all Zimbra users are vulnerable to the attack.

Although there are over 33,000 Zimbra servers connected to the internet, users of Zimbra 9.x, the most recent version, are not exposed to exploitation via this zero-day. This means the reach of the attack is not as wide as previously thought.

Administrators Are Advised To Go Through Volexity’s Report

Volexity also noted that although they have named the threat actor TEMP_Heretic, they have not yet been able to link it to a known group. The researchers said little is known about the threat actors, although they appear to be based in China.

Volexity added that the attack techniques and infrastructure used suggest the attackers are most likely of Chinese origin, although they may be operating from a different region.

The researchers noted that they have previously seen TEMP_Heretic attacking European government and media agencies, although the group has also attacked other targets.

IT administrators of Zimbra email servers have been advised to check the Volexity report to find out whether they have been targeted. According to Volexity, these threat actors typically use email subject lines disguised as warnings, invitations, refunds, or other content likely to attract the user's attention.

Publisher: Koddos