
Zimbra vulnerability exploited by Russian hackers targeting Nato countries – CISA

A flaw in the popular email client is being actively exploited, the US cybersecurity agency says.

By Claudia Glover

A flaw in the Zimbra software ecosystem is currently being used to target governments in Nato countries with cyber espionage, especially those actively supporting Ukraine in its war with Russia, US cybersecurity agency CISA has said.

CISA says the Zimbra vulnerability should be patched urgently. (Photo by Tada Images/Shutterstock)

The vulnerability, tracked as CVE-2022-27926, is a cross-site scripting flaw in Zimbra’s software, which comprises an email client and collaboration tools used widely in the public and private sectors.

Flaw in Zimbra systems exploited for cyber espionage in Nato countries

CISA added the flaw to its catalogue of known exploited vulnerabilities today, calling on US government departments to patch it by 24 April as a matter of urgency. It is encouraging private sector companies to do the same.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risk to federal enterprise,” a CISA alert reads.

It is actively being exploited by a Russian cyber espionage gang known as Winter Vivern or TA473, according to a report by security company Proofpoint. The gang has been using the flaw since February to target organisations in Nato-aligned countries.

The cybercriminals use CVE-2022-27926 to abuse publicly facing Zimbra-hosted webmail portals to gain access to sensitive information, such as “the emails of military, government, and diplomatic organisations across Europe involved in the Russia-Ukraine war,” explains Proofpoint.

The vulnerability is described as a “reflected cross-site scripting (XSS) vulnerability in a component of Zimbra collaboration, which allows unauthenticated attackers to execute arbitrary web script, or HTML via request parameters,” says the report.


In practice, this means Winter Vivern hooks a victim with a phishing email containing a link that leverages the Zimbra vulnerability. The link points at a webmail domain running a “vulnerable Zimbra collaboration suite instance”, where the injected JavaScript manipulates the webmail request and captures credentials such as usernames and passwords.
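A reflected XSS attack of the kind described above leaves a trace in the webmail server's access log: a request whose parameters carry URL-encoded script markup, often double-encoded to slip past naive filters. The following Python is an added defender-side example, not code from the article, Proofpoint or Zimbra; the log lines, paths and parameter names are constructed placeholders and do not represent Zimbra's actual endpoints.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote_plus

# Markers of reflected-XSS payloads after URL-decoding: HTML tags that can carry script,
# inline event handlers and javascript: URIs. Kept deliberately narrow to limit false positives.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body)\b"
    r"|\bon(error|load|click|mouseover|focus)\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

def decode_fully(value, rounds=3):
    """Undo nested URL-encoding (phishing links are often double-encoded) until stable."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_xss_params(target):
    """Return the names of query parameters whose decoded value carries an XSS marker."""
    query = urlparse(target).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True)
            if XSS_MARKERS.search(decode_fully(v))]

def scan_access_log(lines):
    """Scan access-log lines; each alert records client IP, path, suspect params and status.
    A 200 status on such a request suggests the payload was reflected rather than rejected."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        params = find_xss_params(m["target"])
        if params:
            alerts.append({"ip": m["ip"], "path": urlparse(m["target"]).path,
                           "params": params, "status": int(m["status"])})
    return alerts

# Constructed sample log: one benign search, a POST without a query string,
# a single-encoded <script> payload and a double-encoded <img onerror> payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2023:09:14:02 +0000] "GET /webmail/search?q=quarterly+report&online=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Mar/2023:09:14:20 +0000] "POST /webmail/login HTTP/1.1" 302 0',
    '198.51.100.23 - - [01/Mar/2023:09:15:10 +0000] "GET /webmail/preview?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812',
    '198.51.100.23 - - [01/Mar/2023:09:15:44 +0000] "GET /webmail/preview?msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 790',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```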

Russian hackers Winter Vivern target foreign governments

Winter Vivern has been targeting government organisations since at least 2021, including those in Lithuania, India, the Vatican and Slovakia, according to research by security company SentinelLabs.

It has launched action against Polish government agencies, the Ukraine Ministry of Foreign Affairs, Italy’s Ministry of Foreign Affairs, and individuals within the Indian government. Of particular interest is the gang’s targeting of private businesses, including telcos that support Ukraine in the ongoing war.

In early 2023, Winter Vivern targeted specific government websites by creating individual pages on a single malicious domain that closely resembled those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine.

“The threat actor’s targeting of a range of government and private entities highlights the need for increased vigilance as their operations include a global set of targets directly and indirectly involved in the war,” the SentinelLabs report said.

