CISA Issues Warning on Zimbra Bug Exploited in NATO Country Attacks

April 3, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies to patch a Zimbra Collaboration (ZCS) cross-site scripting flaw, which has been exploited by Russian hackers to steal emails in attacks targeting NATO countries. The vulnerability (CVE-2022-27926) was abused by a Russian hacking group known as Winter Vivern and TA473 in attacks on multiple NATO-aligned governments' webmail portals to access the email mailboxes of officials, governments, military personnel, and diplomats.

Winter Vivern's attacks start with the hackers using the Acunetix tool vulnerability scanner to find vulnerable ZCS servers and sending users phishing emails that spoof senders the recipients are familiar with. Each email redirected the targets to attacker-controlled servers that exploit the CVE-2022-27926 bug or attempt to trick the recipients into handing over their credentials. When targeted with an exploit, the URLs also contain a JavaScript snippet that will download a second-stage payload to launch a Cross-Site Request Forgery (CSRF) attack to steal Zimbra users' credentials and CSRF tokens.

In the following steps, the threat actors used the stolen credentials to obtain sensitive information from the breached webmail accounts or maintain persistence to keep track of exchanged emails over time. The hackers may also leverage the compromised accounts to launch more phishing attacks and expand their infiltration of targeted organizations. The vulnerability was added today to CISA's Known Exploited Vulnerabilities (KEV) catalog, a list of security flaws known to be actively exploited in the wild.

According to a binding operational directive (BOD 22-01) issued by the U.S. cybersecurity agency in November 2021, Federal Civilian Executive Branch Agencies (FCEB) agencies must patch vulnerable systems on their networks against bugs added to the KEV list. CISA gave FCEB agencies three weeks, until April 24, to secure their networks against attacks that would target the CVE-2022-27926 flaw. While BOD 22-01 only applies to FCEB agencies, CISA also strongly urged all organizations to prioritize addressing these bugs to block further exploitation attempts. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned today.

On Thursday, CISA also ordered federal agencies to patch security vulnerabilities exploited as zero-days in recent attacks to deploy commercial spyware on Android and iOS mobile devices, as Google's Threat Analysis Group (TAG) recently revealed.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.