Zimbra Zero-Day Exploited to Hack Government Emails

November 16, 2023 at 11:45AM

Google’s Threat Analysis Group (TAG) has disclosed that a zero-day exploit in Zimbra Collaboration Suite was used to steal email data from government organizations worldwide. The vulnerability (CVE-2023-37580) was made public in July; it allows attackers to execute malicious code through specially crafted URLs sent via email. Google observed four campaigns targeting various governments, emphasizing the importance of promptly applying patches to mail servers. The attacks also demonstrated how attackers monitor open-source repositories for fixes and exploit the underlying vulnerabilities before they are publicly disclosed.

Google’s Threat Analysis Group (TAG) announced the exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite. This vulnerability, identified as CVE-2023-37580, was used to steal email data from government organizations in multiple countries. The flaw is a reflected cross-site scripting (XSS) bug, which allows attackers to execute malicious script in the victim's browser by sending specially crafted URLs in emails. For the exploit to succeed, the targeted user must click the malicious link while authenticated to a Zimbra session.

Zimbra notified its customers about the vulnerability in mid-July and released an official patch on July 25. However, before the patch was released, Google’s TAG observed in-the-wild exploitation of the vulnerability. The first campaign exploiting CVE-2023-37580 was observed on June 29, targeting a government organization in Greece. The attacker used a previously known framework to steal emails and attachments and could also automatically forward emails to attacker-controlled addresses.

Zimbra published a hotfix for the vulnerability on July 5, and on July 11, Google observed a second campaign targeting government organizations in Moldova and Tunisia. These attacks were linked to Winter Vivern, a Russian Advanced Persistent Threat (APT) group known for targeting NATO countries using Zimbra exploits.

While Zimbra released an official patch on July 25, Google identified a third campaign targeting a government organization in Vietnam before the patch was available. In this case, the attacker used the exploit to redirect users to a phishing page that prompted them to enter their webmail credentials. After the patch was released, a fourth campaign was discovered, targeting a government organization in Pakistan.

Google emphasized the importance of promptly applying fixes to mail servers, as demonstrated by the discovery of four campaigns exploiting CVE-2023-37580. They also noted that attackers monitor open-source repositories to exploit vulnerabilities opportunistically. In Campaign #2, the attackers began exploiting the bug after the fix was pushed to GitHub but before Zimbra publicly released the advisory with remediation advice.

CISA’s Known Exploited Vulnerabilities Catalog includes seven other Zimbra Collaboration Suite flaws, most of which were discovered in 2022. Additionally, Winter Vivern, the Russian APT group, has been observed targeting governments in Europe and Asia. CISA has urged organizations to patch the actively exploited Zimbra XSS vulnerability.