The Russian-speaking hack group Winter Vivern (aka TA473 in the Proofpoint classification) has been actively exploiting a vulnerability in Zimbra and has been stealing letters from NATO officials, governments, military personnel and diplomats since February 2023.

Let me remind you that we also wrote that the FBI and NSA release a statement about attacks by Russian hackers, and also that the State Department Offers $1 million for Info on Russian Hackers.

And also the media wrote that Due of the sanctions, Russian hackers are looking for new ways to launder money.

In mid-March 2023, SentinelOne experts submitted a report on the Russian-speaking Winter Vivern group, which was seen in attacks on government agencies in several countries in Europe and Asia, as well as on telecommunications service providers.

As analysts from Proofpoint have now reported, these same attackers are using the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to access messages from organizations and individuals associated with NATO.

According to the researchers, Winter Vivern attacks begin with the use of the Acunetix vulnerability scanner, with which hackers look for unpatched webmail platforms.

The attackers then send a phishing email from the compromised mailbox, which is spoofed to look like it was written by someone the victim knows or someone related to the target organization.

Phishing email

The emails contain a link that exploits the aforementioned CVE-2022-27926 vulnerability in the Zimbra framework and injects payloads (JavaScript) into a web page. These payloads are used to steal usernames, passwords, and tokens from cookies received from a compromised Zimbra endpoint. This allows attackers to gain full access to the victim’s mailbox.

In addition, hackers can use hacked accounts to carry out further phishing attacks and penetrate deeper into targeted organizations.

Attack scheme

Experts note that in some cases TA473 also targets RoundCube webmail request tokens. According to analysts, this only emphasizes that before attacks, compiling phishing emails and preparing a landing page, attackers conduct thorough reconnaissance and find out what exactly their target is using.

At the same time, malicious JavaScript is not only protected by three levels of base64 obfuscation to make analysis more difficult, but the grouping also uses parts of legitimate JavaScript code that runs on regular webmail portals to mix with normal operations and reduce the likelihood of detection.

Despite this, the researchers argue that in general Winter Vivern operations are not particularly sophisticated, instead hackers take a simple and effective approach that works even against high-value targets that are unable to install updates and patches in a timely manner. So, the problem CVE-2022-27926 was fixed back in April 2022, with the release of Zimbra Collaboration 9.0.0 P24.

The post Russian-Speaking Hack Group Winter Vivern Attacks Governments in Europe and Asia appeared first on Gridinsoft Blog.

According to official statistics, more than 200,000 enterprises in 140 countries around the world use Zimbra, including more than 1,000 government and financial institutions. The researchers write that using the 0-day vulnerability, attackers gain access to the mailboxes of European authorities and the media.

The attacks were discovered in mid-December, and although Volexity notified the Zimbra developers about the bug as early as December 16, the company has not yet released a patch.

The attacks were divided into two stages. Initially, the hackers sent a harmless email to victims to determine if the right accounts were active and whether users would open suspicious emails from unknown individuals.

The actual attack only happened with a second email, in which the hackers included a link. If the user accessed this URL, they were taken to a hacker site where malicious JavaScript code performed an XSS attack on Zimbra webmail at the victim’s organization.

The vulnerability works against Zimbra webmail clients versions 8.8.15 P29 and P30 and allows stealштп Zimbra session cookies. These files allow hackers to connect to someone else’s Zimbra account, from where they gain access to email (they can view emails in victims’ mailboxes and steal their contents), after which they send additional phishing messages to the user’s contacts, and also offer targets to download malware.

While there are currently over 33,000 Zimbra servers on the web, Volexity says 0-day is thankfully safe for Zimbra 9.x (the most recent version of the platform).

Based on the attacker infrastructure used in these attacks, experts were unable to link what was happening to any previously known hack group. As a result, the grouping was given the name TEMP_Heretic. At the same time, experts report that “the attacker is probably of Chinese origin.”

Let me remind you that we reported that Chinese hackers attacked US organizations and exploit bugs in F5, Citrix and Microsoft Exchange and also that Hackers attacked Microsoft Exchange servers of the European Banking Authority.

The post Chinese hackers use Zimbra 0-day vulnerability to hack European media and authorities appeared first on Gridinsoft Blog.