The Cybersecurity and Infrastructure Security Agency (CISA) has warned federal agencies to patch a Zimbra Collaboration (ZCS) cross-site scripting flaw that Russian hackers have exploited to steal emails in attacks targeting NATO countries. The vulnerability (CVE-2022-27926) was abused by a Russian hacking group known as Winter Vivern (also tracked as TA473) in attacks on the webmail portals of multiple NATO-aligned governments, giving the attackers access to the mailboxes of officials, government and military personnel, and diplomats.
Using the stolen credentials, the threat actors then obtained sensitive information from the breached webmail accounts or maintained persistence to keep track of exchanged emails over time. The hackers may also leverage the compromised accounts to launch further phishing attacks and expand their infiltration of targeted organizations. The vulnerability was added today to CISA's Known Exploited Vulnerabilities (KEV) catalog, a list of security flaws known to be actively exploited in the wild.
Under a binding operational directive (BOD 22-01) issued by the U.S. cybersecurity agency in November 2021, Federal Civilian Executive Branch (FCEB) agencies must patch vulnerable systems on their networks against flaws added to the KEV catalog. CISA gave FCEB agencies three weeks, until April 24, to secure their networks against attacks targeting the CVE-2022-27926 flaw. While BOD 22-01 applies only to FCEB agencies, CISA also strongly urged all organizations to prioritize addressing these bugs to block further exploitation attempts. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned today.
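The KEV workflow described above is straightforward to automate on the defender's side: match catalog entries against an asset inventory and compute the remediation deadline. The script below is an added example, not code from CISA or the article; the KEV entry, its dateAdded value, the year of the due date and the inventory hostnames are constructed for illustration.

```python
"""Triage a CISA KEV feed excerpt against a local asset inventory."""
import json
from datetime import date

# Constructed excerpt in the field layout of CISA's KEV JSON feed.
# dateAdded and the year are assumptions; the article only states the April 24 due date.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-27926",
            "vendorProject": "Zimbra",
            "product": "Collaboration (ZCS)",
            "vulnerabilityName": "Zimbra Collaboration (ZCS) Cross-Site Scripting Vulnerability",
            "dateAdded": "2023-04-03",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-04-24",
        },
    ],
})

# Constructed inventory: hostname -> (vendor, product) as recorded by asset management.
INVENTORY = {
    "mail01.example.gov": ("Zimbra", "Collaboration (ZCS)"),
    "web01.example.gov": ("Apache", "HTTP Server"),
}


def affected_hosts(entry: dict, inventory: dict) -> list:
    """Hosts whose vendor/product match the KEV entry (case-insensitive exact match;
    real inventories usually need product-name normalization on top of this)."""
    vendor = entry["vendorProject"].casefold()
    product = entry["product"].casefold()
    return sorted(h for h, (v, p) in inventory.items()
                  if v.casefold() == vendor and p.casefold() == product)


def triage(feed_json: str, inventory: dict, today_iso: str) -> list:
    """Return one finding per KEV entry that touches the inventory, with the
    BOD 22-01 due date, days remaining and whether the deadline has passed."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        hosts = affected_hosts(entry, inventory)
        if not hosts:
            continue
        due = date.fromisoformat(entry["dueDate"])
        findings.append({"cve": entry["cveID"], "hosts": hosts, "due": due.isoformat(),
                         "days_left": (due - today).days, "overdue": today > due,
                         "action": entry["requiredAction"]})
    return findings
```

Run against the live feed by replacing KEV_FEED with the downloaded catalog JSON and INVENTORY with your asset export.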
On Thursday, CISA also ordered federal agencies to patch security vulnerabilities exploited as zero-days in recent attacks to deploy commercial spyware on Android and iOS mobile devices, as Google's Threat Analysis Group (TAG) recently revealed.