APTs Swarm Zimbra Zero-Day to Steal Government Info Worldwide

At least four separate campaigns against CVE-2023-37580 in the popular Zimbra Collaboration Suite aimed to siphon up reams of sensitive mail data.

Hooded attacker in red tone
Source: Igor Stevanovic via Alamy Stock Photo

At least four separate cyberattack groups have used a former zero-day security vulnerability in the Zimbra Collaboration Suite (ZCS) to steal email data, user credentials, and authentication tokens from government organizations globally.

ZCS is an email server, calendaring, and chat and video platform, used by "thousands" of companies and "hundreds of millions" of individuals, according to the Zimbra website. Its client organizations are as diverse as the Japan Advanced Institute of Science and Technology, Germany's Max Planck Institute, and Gunung Sewu, a top business incubator in Southeast Asia.

The bug (CVE-2023-37580) is a reflected cross-site scripting (XSS) vulnerability in the Zimbra email server that was patched on July 25, with a hotfix rolling out to its public GitHub repository on July 5. According to a report by Google's Threat Analysis Group (TAG) shared with Dark Reading, the zero-day exploitation started in June, before Zimbra offered remediation.

Four Separate Cyberattacks on World Governments

Google TAG has disclosed details on the government campaigns, which include:

  • June 29: Unknown attackers target Greece.

  • July 11: Winter Vivern APT campaign targets Moldova and Tunisia.

  • July 20: Unknown attackers target Vietnam.

  • Aug. 25: Unknown attackers target Pakistan.

"The initial in-the-wild discovery of the zero-day vulnerability was a campaign targeting a government organization in Greece," according to Google TAG researchers. "The attackers sent emails containing exploit URLs to their targets."

If a target clicked the link during a logged-in Zimbra session, the URL loaded a framework that steals users' emails and attachments; and, it set up an auto-forwarding rule to an attacker-controlled email address.

The Winter Vivern campaign meanwhile went on for two weeks after beginning on July 11.

"TAG identified multiple exploit URLs that targeted government organizations in Moldova and Tunisia; each URL contained a unique official email address for specific organizations in those governments," according to the TAG analysis.

The third zero-day campaign, by an unidentified group, was part of a phishing expedition against a government organization in Vietnam.

"In this case, the exploit URL pointed to a script that displayed a phishing page for users' webmail credentials, and posted stolen credentials to a URL hosted on an official government domain that the attackers likely compromised," Google researchers explained.

The fourth campaign employed an N-day exploit to steal Zimbra authentication tokens from a government organization in Pakistan.

"The discovery of at least four campaigns exploiting CVE-2023-37580 … demonstrates the importance of organizations applying fixes to their mail servers as soon as possible," the advisory concluded. “These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users."

Cyberattackers Target Juicy Mail Servers

There has been ongoing exploitation of vulnerabilities in mail servers, so organizations should prioritize patching them.

Zimbra alone has been plagued by security incidents, including a remote code execution bug exploited as a zero-day in October 2022 and an infostealing campaign by the nation of North Korea that preyed on unpatched servers. And in January, CISA warned that threat actors were exploiting multiple CVEs against ZCS.

Meanwhile, last month Winter Vivern was exploiting a zero-day flaw in Roundcube Webmail servers, with a malicious email campaign targeting governmental organizations and a think tank in Europe that requires only that a user view a message.

According to TAG: "The regular exploitation of XSS vulnerabilities in mail servers also shows a need for further code auditing of these applications, especially for XSS vulnerabilities."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights