Russian Hackers Exploit Zimbra Flaw to Access NATO Emails

March 30, 2023

A Russian hacking group known as TA473, or 'Winter Vivern,' has been exploiting vulnerabilities in unpatched Zimbra endpoints to access the emails of NATO officials, governments, military personnel, and diplomats since February 2023. Sentinel Labs reported on a recent operation by Winter Vivern that used sites mimicking European agencies fighting cybercrime to spread malware disguised as a virus scanner. Proofpoint has now published a new report detailing how the threat actor exploits CVE-2022-27926 in Zimbra Collaboration servers to gain access to the communications of NATO-aligned organizations and individuals.

The Winter Vivern attacks start with the threat actor scanning for unpatched webmail platforms using the Acunetix vulnerability scanner. The hackers then send a phishing email from a compromised address, spoofed to appear to come from someone the target knows or who is relevant to their organization. The email contains a link that exploits CVE-2022-27926 on the target's unpatched Zimbra infrastructure to inject additional JavaScript payloads into the webmail page. These payloads are then used to steal usernames, passwords, and tokens from cookies received from the compromised Zimbra endpoint, allowing the threat actors to freely access the targets' email accounts.

Proofpoint explains in their report, "These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance. Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets." Researchers also observed TA473 specifically targeting RoundCube webmail request tokens in some instances. This demonstrates the diligence of the threat actors in pre-attack reconnaissance, determining which portal their target uses before crafting the phishing emails and setting the landing page function.

Winter Vivern applies three layers of base64 obfuscation to the malicious JavaScript to complicate analysis. The threat actors also included parts of the legitimate JavaScript that runs in the native webmail portal, so the injected code blends in with normal operations and is less likely to be detected. Once they gain access to sensitive information in the compromised webmail accounts, the threat actors can maintain that access to monitor communications over time. They can also use the breached accounts to carry out lateral phishing attacks and further infiltrate target organizations.
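The following is an added analyst-side example, not code from the article or from Proofpoint's report: a small Python triage helper that peels nested base64 layers off a captured script blob until the content stops decoding as base64, then lists generic browser APIs the decoded text references. The sample payload is a harmless constructed snippet wrapped three times to mirror the layering described above; it is not the real Winter Vivern JavaScript, and the indicator list, the 8-character minimum layer length and the 95% printable threshold are assumptions chosen for this example.

```python
"""Peel nested base64 layers off a suspicious script blob for analyst triage.

Added example (not from the article or Proofpoint's report). The sample
payload below is a harmless constructed snippet wrapped in three base64
layers to mirror the layering the article describes; it is not the real
Winter Vivern JavaScript.
"""
import base64
import binascii
import re
import string

# Characters allowed in standard or URL-safe base64 (padding is handled separately).
_B64_BODY = re.compile(r"^[A-Za-z0-9+/_-]+$")
# Decoded text is accepted as a layer only when it is valid UTF-8 and nearly all printable.
_PRINTABLE = set(string.printable)

# Assumed triage indicators: generic browser APIs that credential- and token-
# harvesting scripts tend to touch. Their presence is a signal for an analyst
# to look closer, not proof of malice.
INDICATORS = ("document.cookie", "XMLHttpRequest", "fetch(", "localStorage", "csrfToken")


def wrap_base64(text: str, layers: int = 3) -> str:
    """Apply `layers` rounds of standard base64 (used only to build the sample)."""
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


def _decode_one(layer: str):
    """Return the decoded text of one base64 layer, or None if `layer` is not base64 text."""
    s = "".join(layer.split())  # tolerate line wrapping and stray whitespace
    s = s.rstrip("=")
    # Very short strings are not worth treating as a layer (assumed threshold).
    if len(s) < 8 or not _B64_BODY.match(s):
        return None
    # Normalise the URL-safe alphabet and restore padding before a strict decode.
    s = s.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text or sum(c in _PRINTABLE for c in text) / len(text) < 0.95:
        return None
    return text


def peel_layers(blob: str, max_depth: int = 10):
    """Strip nested base64 until the content stops being base64.

    Returns (innermost_text, layers_removed). A blob that is not base64 at all
    comes back unchanged with depth 0; max_depth guards against pathological input.
    """
    current, depth = blob, 0
    while depth < max_depth:
        nxt = _decode_one(current)
        if nxt is None:
            break
        current, depth = nxt, depth + 1
    return current, depth


def find_indicators(script: str):
    """List which INDICATORS appear in the decoded script, for the triage notes."""
    return [ind for ind in INDICATORS if ind in script]


# Constructed sample: harmless JavaScript that only reads the cookie length,
# wrapped three times as the article describes.
INNER_JS = "var hasSession = document.cookie.length > 0; console.log(hasSession);"
SAMPLE = wrap_base64(INNER_JS, 3)

if __name__ == "__main__":
    text, depth = peel_layers(SAMPLE)
    print(f"layers removed: {depth}")
    print(f"indicators: {find_indicators(text)}")
    print(text)
```

The stop condition is the important design choice: each layer is accepted only if it decodes strictly, yields valid UTF-8 and is almost entirely printable, so the loop halts at the first layer that looks like script rather than running on into binary garbage. Real samples often wrap each layer in an `atob()` or similar call; extracting the literal from such a wrapper before calling `peel_layers` is left to the analyst.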

Researchers describe Winter Vivern as not particularly sophisticated, but their operational approach is effective against high-profile targets who fail to apply software patches quickly enough. In this case, CVE-2022-27926 was fixed in Zimbra Collaboration 9.0.0 P24, released in April 2022. The earliest attacks were observed in February 2023, indicating a delay of at least ten months in applying the security update.
