The vulnerability stems from an email platform known as Zimbra used by numerous businesses and institutions including financial entities and the European government. Zimbra is an open-source mail server platform akin to Microsoft Exchange.
The Operation is a Spear-Phishing Campaign
The form of cybercrime in this case is targeted spear-phishing via email. The campaign “came in multiple waves across two attack phases,” which comprised a primary reconnaissance phase and a payload (sabotage) phase. The former sent out emails to sniff out valid (active) email targets, while the latter distributed targeted emails loaded with malware to users that were confirmed as active in stage one.
How the Attack Works
For the scheme to work, a victim has to click on a malicious link in an email while simultaneously being logged into Zimbra’s webmail services. Following the infiltration of the victim’s transmission, the attacker can then “run arbitrary JavaScript in the context of the user’s Zimbra session.” Therefore, once the link is clicked, it redirects the victim to an exploit URL that is loaded with the malicious Javascript. Now, a compromised account can be siphoned off its email data and all attachments therein. Additionally, an attacker can propagate supplementary phishing scams from an account that is permanently under their control. Veloxity also confirmed that the threat actor is leveraging an XSS (cross-site scripting) flaw in the Zimbra email platform. XSS flaws are considered significant threats by information security specialists.
Zero-Day Confirmed
This particular XSS security flaw has been confirmed to be a zero-day exploit, which means that cybercriminals have immediately exploited the flaw before developers have had a chance to input a fix. Zero-days are events that are dreaded by IT security specialists, as evident in the recent Log4Shell incident. “The overall effect of this attack is that by getting a user to click a link in an email and leave their browser window open for any length of time, the attacker can steal the contents of their mailbox,” wrote threat researchers at Veloxity.
Various email subjects used to entice victims
74 unique outlook email addresses used
74 unique outlook email addresses, as well as female personas, were used by the attacker. The addresses were frequently formatted as _@outlook.com or @outlook.com.
Threat actor is most likely a Chinese APT
The particular threat actor behind this case is TEMP_Heretic, a Chinese APT threat actor tracked by Veloxity since December 14th, 2021. Researchers found that email timestamps, timezone information, and the “Asia/Hong_Kong” snippet in the code all correlate with the suspected origin of the attacker.
Situation Unresolved
The Veloxity report emphasizes that there is no fix available so far and that Zimbra versions 8.8.15 P29 and P30 are still vulnerable. 200,000 organizations, including over a thousand government and financial institutions, are at risk. Particularly, the European government and media are being targeted. All of these entities are at risk of the theft of email data, malware attacks, and account takeover. This scenario is not the worst Veloxity has seen, but “it can still have catastrophic consequences for organizations that land in the crosshairs of an attacker with the exploit.”
Volexity Security Recommendations
For now, Veloxity recommends that users block the indicators found here at the mail gateway and network level. Secondly, Zimbra users should analyze suspicious historical referrer data, which can be found in the “/opt/zimbra/log/access*.log” location. Zimbra users should also upgrade to Zimbra 9.0.0 and avoid version 8.8.15. Finally, Veloxity can be contacted by organizations for assistance here.
