The Zimbra Collaboration Suite (ZCS), a platform offering email server, calendaring, chat, and video services, has been targeted by at least four different cyber-attack groups, exploiting a previously unknown vulnerability to steal email data, user credentials, and authentication tokens from various government organizations worldwide. ZCS serves thousands of companies and hundreds of millions of individuals, including high-profile clients such as the Japan Advanced Institute of Science and Technology, Germany's Max Planck Institute, and Southeast Asia's leading business incubator, Gunung Sewu.
The exploited bug, identified as CVE-2023-37580, is a reflected cross-site scripting (XSS) vulnerability in the Zimbra email server. The vulnerability was patched on July 25, with an immediate fix made available on its public GitHub repository on July 5. Google's Threat Analysis Group (TAG) reports that exploitation of the zero-day vulnerability began in June, prior to Zimbra's remediation efforts.
Google TAG revealed details of the government-targeted campaigns. The first known exploitation of the zero-day vulnerability was a campaign aimed at a government institution in Greece. Attackers sent emails containing exploit URLs to their targets. If a target clicked the link during an active Zimbra session, the URL triggered a framework that pilfered users' emails and attachments, and established an auto-forwarding rule to an email address controlled by the attacker.
The Winter Vivern campaign continued for two weeks, starting on July 11. Google TAG identified numerous exploit URLs targeting government organizations in Moldova and Tunisia. Each URL contained a unique official email address for specific organizations within those governments.
An unidentified group launched the third zero-day campaign as part of a phishing expedition against a government organization in Vietnam. The exploit URL led to a script that displayed a phishing page for users' webmail credentials and posted stolen credentials to a URL hosted on an official government domain likely compromised by the attackers.
The fourth campaign used an N-day exploit to steal Zimbra authentication tokens from a government institution in Pakistan. The discovery of at least four campaigns exploiting CVE-2023-37580 underscores the importance of organizations promptly applying fixes to their mail servers. It also highlights how attackers monitor open-source repositories to exploit vulnerabilities opportunistically when the fix is in the repository but not yet released to users.
There has been continuous exploitation of vulnerabilities in mail servers, so organizations should prioritize their patching. Zimbra has been particularly affected by security incidents, including a remote code execution bug exploited as a zero-day in October 2022 and an infostealing campaign by North Korea that targeted unpatched servers. In January, CISA warned that threat actors were exploiting multiple CVEs against ZCS. More recently, Winter Vivern exploited a zero-day flaw in Roundcube Webmail servers, launching a malicious email campaign against governmental organizations and a European think tank. Google TAG emphasized that the regular exploitation of XSS vulnerabilities in mail servers underscores the need for more thorough code auditing of these applications, especially for XSS vulnerabilities.