A Russian hacking group tracked as TA473, or 'Winter Vivern,' has been exploiting a known vulnerability in unpatched Zimbra Collaboration servers to access the emails of NATO officials, governments, military personnel, and diplomats since February 2023. Sentinel Labs recently reported on a Winter Vivern operation that used websites mimicking European agencies fighting cybercrime to spread malware disguised as a virus scanner. Proofpoint has now published a new report detailing how the threat actor exploits CVE-2022-27926, a reflected cross-site scripting (XSS) flaw in Zimbra Collaboration, to gain access to the communications of NATO-aligned organizations and individuals.
Researchers describe Winter Vivern as not particularly sophisticated, but its operational approach is effective against high-profile targets that are slow to apply software patches. In this case, CVE-2022-27926 was fixed in Zimbra Collaboration 9.0.0 Patch 24 (P24), released in April 2022. The earliest attacks were observed in February 2023, meaning the targeted servers had gone at least ten months without the security update.
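Since the whole campaign hinges on servers still running a pre-P24 build of 9.0.0, the practical check is to compare the installed patch level against the fix. The script below is an added example written for this article; it is not code from Proofpoint, Zimbra, or the original page. It assumes the `Release X.Y.Z... edition, Patch X.Y.Z_PN.` layout that `zmcontrol -v` prints (run as the `zimbra` user), and the sample output lines are constructed for illustration. It only reasons about the 9.0.0 branch, where the fix is documented as P24; any other release is reported as "unknown" rather than guessed at.

```python
import re
import shutil
import subprocess

# Fix level for CVE-2022-27926 as stated in the article: Zimbra 9.0.0 Patch 24.
FIXED_RELEASE = (9, 0, 0)
FIXED_PATCH = 24

# Constructed sample lines mimicking `zmcontrol -v` output (assumed format,
# not captured from a real server).
SAMPLE_OUTPUTS = {
    "patched": "Release 9.0.0.GA.4258.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P30.",
    "exactly_fixed": "Release 9.0.0.GA.4258.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P24.",
    "vulnerable": "Release 9.0.0.GA.4258.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 9.0.0_P23.",
    "no_patch": "Release 9.0.0.GA.4258.UBUNTU20.64 UBUNTU20_64 FOSS edition.",
    "other_branch": "Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P31.",
}


def parse_zmcontrol_version(text):
    """Return (release tuple, patch number or None) from zmcontrol -v output.

    A missing 'Patch' field means the GA build with no patches applied.
    """
    m = re.search(r"Release\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no 'Release' field found in zmcontrol output")
    release = tuple(int(x) for x in m.groups())
    p = re.search(r"Patch\s+\d+\.\d+\.\d+_P(\d+)", text)
    patch = int(p.group(1)) if p else None
    return release, patch


def cve_2022_27926_status(text):
    """Classify a zmcontrol -v line as 'patched', 'vulnerable' or 'unknown'.

    Only the 9.0.0 branch is evaluated, because that is the branch for which
    the article gives a fix level (P24). Other branches need the vendor advisory.
    """
    release, patch = parse_zmcontrol_version(text)
    if release != FIXED_RELEASE:
        return "unknown"
    if patch is None or patch < FIXED_PATCH:
        return "vulnerable"
    return "patched"


def check_local_server():
    """Run zmcontrol -v on this host if present; returns None when unavailable."""
    if shutil.which("zmcontrol") is None:
        return None
    out = subprocess.run(["zmcontrol", "-v"], capture_output=True, text=True, check=False)
    return cve_2022_27926_status(out.stdout)


if __name__ == "__main__":
    for label, line in SAMPLE_OUTPUTS.items():
        print(f"{label:14s} -> {cve_2022_27926_status(line)}")
    live = check_local_server()
    if live is not None:
        print(f"this host      -> {live}")
```

Treat "patched" as necessary but not sufficient: the check only confirms the XSS fix is present, not that the mailbox was never accessed while the server sat unpatched, so hosts that were exposed should also have webmail access logs reviewed for the period before the update.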