A flaw in the Zimbra software ecosystem is currently being used to target governments in Nato countries with cyber espionage, especially those actively supporting Ukraine in its war with Russia, US cybersecurity agency CISA has said.
The exploit, called CVE-2022-27926, is a cross-site scripting flaw in Zimbra’s software, which comprises an email client and collaboration tools used widely in the public and private sectors.
Flaw in Zimbra systems exploited for cyber espionage in Nato countries
The flaw was added by CISA to its library today, with the agency calling on US government departments to patch the vulnerability by 24 April as a matter of urgency. It is encouraging private sector companies to do the same.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risk to federal enterprise,” a CISA alert reads.
It is actively being exploited by a Russian cyber espionage gang called Winter Vivern or TA 473, according to a report by security company Proofpoint. The gang has been using the flaw since February to target organisations in Nato-aligned countries.
The cybercriminals use CVE-2022-27926 to abuse publicly facing Zimbra-hosted webmail portals to gain access to sensitive information, such as “the emails of military, government, and diplomatic organisations across Europe involved in the Russia-Ukraine war,” explains Proofpoint.
The vulnerability is described as a “reflected cross-site scripting (XSS) vulnerability in a component of Zimbra collaboration, which allows unauthenticated attackers to execute arbitrary web script, or HTML via request parameters,” says the report.
In practice, this means that Winter Vivern is hooking a victim with a phishing link sent to their email leveraging the Zimbra vulnerability. The attack then uses the webmail domain that has a “vulnerable Zimbra collaboration suite instance,” leading to the manipulation of the webmail request using Javascript, initiating the capture of credentials such as usernames and passwords.
Russian hackers Winter Vivern target foreign governments
Winter Vivern has been targeting government organisations since at least 2021, including those in Lithuania, India, the Vatican and Slovakia, according to research by security company Sentinal Labs.
It has launched action against Polish government agencies, the Ukraine Ministry of Foreign Affairs, Italy’s Ministry of Foreign Affairs, and individuals within the Indian government. Of particular interest is the gang’s targeting of private businesses, including telcos that support Ukraine in the ongoing war.
In early 2023, Winter Vivern targeted specific government websites by creating individual pages on a single malicious domain that closely resembled those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine
“The threat actor’s targeting of a range of government and private entities highlights the need for increased vigilance as their operations include a global set of targets directly and indirectly involved in the war,” the Sentinal Labs report said.