European Government Emails Stolen Through Exploiting Vulnerability in Zimbra Email Platform
The Russian hacking group TA473, also known as ‘Winter Vivern,’ has been targeting unpatched Zimbra endpoints since February 2023 to steal the emails of NATO officials, governments, military personnel, and diplomats. Recent operations have involved using fake European agency websites to spread malware disguised as a virus scanner.
Proofpoint has now released a report detailing how the group exploits the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to access the communications of NATO-aligned individuals and organizations.
Security researchers suggest Belarus and Russia may be aligned with the APT group, although their support remains unproven. Zimbra Collaboration is a versatile platform used by businesses, service providers, governments, and educational institutions to manage emails, contacts, calendars, and tasks, and is available for on-premise or cloud-based use.
TA473 has also been observed targeting RoundCube webmail request tokens in some instances, which shows that the group carries out careful pre-attack reconnaissance to identify the specific webmail portal used by its targets before crafting phishing emails and creating landing pages.
After compromising the webmail accounts, the threat actors can access sensitive information or monitor communications over an extended period of time. The breached accounts can also be used for lateral phishing attacks to further infiltrate target organizations.