November 17, 2023 at 11:11AM
Threat actors exploited a zero-day vulnerability in Zimbra Collaboration email server to steal sensitive data from government systems in multiple countries. The vulnerability, known as CVE-2023-37580, allowed the hackers to perform email forwarding, steal credentials, and lead victims to phishing pages. The attacks took place before Zimbra released an official patch for the vulnerability. This highlights the importance of timely security updates, even for medium-severity vulnerabilities. Exploiting XSS flaws in mail servers has been a recurring issue, affecting Zimbra and Roundcube.
Key points from the meeting notes:
– Google’s Threat Analysis Group (TAG) discovered that threat actors exploited a zero-day vulnerability in the Zimbra Collaboration email server to steal sensitive data from government systems in multiple countries.
– The vulnerability, identified as CVE-2023-37580, had been exploited since June 29 and was only addressed by Zimbra on July 25.
– The flaw, an XSS issue, was present in the Zimbra Classic Web Client.
– The threat actors targeted government organizations in Greece, Moldova, Tunisia, Vietnam, and Pakistan, stealing email data, user credentials, and authentication tokens, and performing email forwarding. They also led victims to phishing pages.
– Zimbra responded to the observed compromises by pushing an emergency hotfix on GitHub.
– Multiple campaigns were conducted by different threat actors, exploiting the vulnerability with malicious URLs and JavaScript.
– Zimbra published a security advisory on July 13, recommending mitigations for the vulnerability, but did not mention active exploitation.
– The official patch for CVE-2023-37580 was released by Zimbra five days later, after the active exploitation had taken place.
– In a fourth campaign on August 25, a threat actor exploited the bug against a Pakistani government organization’s systems to steal Zimbra authentication tokens.
– Google’s report emphasizes the importance of timely security updates, even for medium-severity vulnerabilities, as adversaries can exploit them to further their attacks.
– This exploitation is one of several examples of XSS flaws being used to target mail servers, including CVE-2022-24682 and CVE-2023-5631, affecting Zimbra and Roundcube.