An APT group known in the security industry as Winter Vivern has been exploiting a vulnerability in the Zimbra Collaboration software to gain access to mailboxes from government agencies in several European countries. While no clear links have been established between Winter Vivern and a particular country's government, security researchers have noted that its activities closely align with the interests of Russia and Belarus.
The group, which is also tracked as TA473 or UAC-0114, has been operating since at least 2021, and past victims were identified in Lithuania, India, the Vatican, and Slovakia.
According to a report earlier this month by cybersecurity firm SentinelLabs, more recent targets include Polish government agencies, Ukraine's Ministry of Foreign Affairs, Italy's Ministry of Foreign Affairs, individuals within the Indian government, and telecommunications companies that support Ukraine in the ongoing war.
In a new report released today, cybersecurity firm Proofpoint said it saw Winter Vivern campaigns late last year that targeted elected officials in the United States and their staffers.
The group's general modus operandi involves sending phishing emails that impersonate people from the victim's own organisation or from peer organisations involved in global politics.
These spoofed emails are sometimes sent from mailboxes associated with domains that host vulnerable WordPress websites and were compromised.
The messages typically include a link to what appears to be a resource on the target organisation's own website but actually leads to a payload hosted on an attacker-controlled domain or to a credential phishing page.
This technique was recently enhanced with an exploit for a known cross-site scripting (XSS) vulnerability in Zimbra, an open-source business collaboration and email platform that can be deployed in the cloud or on premise.
According to Zimbra's own website, its email software powers hundreds of millions of mailboxes across 140 countries and is used by "governments, service providers, educational institutions, and small/midsize enterprises."
From cross-site scripting to cross-site request forgery and account hijacking
The exploit seen by Proofpoint in TA473 campaigns from early this year through as late as last month targeted CVE-2022-27926, a medium-severity reflected XSS vulnerability that Zimbra patched in version 9.0.0 Patch 24 a year ago. Interestingly, the vulnerability is not listed on Zimbra's security advisories page but does appear in the release notes for Zimbra 9.0.0 P24 alongside even more serious flaws, including critical and high-risk ones.
One could argue that organisations that have Zimbra deployments that haven't been upgraded in a year have questionable security practices, as well as many other vulnerabilities to worry about.
Since then, Zimbra has patched at least three more XSS flaws, including in its webmail component, an email authentication bypass, a server-side request forgery flaw, issues with two-factor authentication (2FA) validation, and remote code execution in file upload functionality.
However, the recent TA473 attacks show how even a medium-risk XSS can be weaponised to great effect by attackers.
Reflected XSS vulnerabilities allow attackers to craft URLs with code appended to them that, if opened by a user, executes inside the user's browser in the context of that website. In other words, the browser treats the code as if the website itself had served it.
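As an added illustration (not code from the article, from Proofpoint or from Zimbra), the reflected XSS pattern described above in its vulnerable form beside the output-encoded form that closes it; the URL, parameter name and handler functions are constructed for the example.

```python
# Added example: a minimal page handler that reflects a query parameter,
# first unsafely (reflected XSS) and then with HTML output encoding.
# Nothing here is Zimbra's code; the URL and parameter are constructed.
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request whose parameter carries markup instead of text.
SAMPLE_URL = "https://mail.example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def extract_param(url: str, name: str) -> str:
    """Return the first (percent-decoded) value of a query parameter, or ''."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflects user input straight into the HTML body: the XSS defect."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Escapes every HTML metacharacter before the input is reflected."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_live_markup(rendered: str) -> bool:
    """Crude response check: does an unescaped <script tag survive?"""
    return "<script" in rendered.lower()


def security_headers() -> dict:
    """Headers that limit damage if an encoding slip remains elsewhere."""
    return {
        # Inline script is refused, so a reflected <script> block will not run.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    term = extract_param(SAMPLE_URL, "q")
    print(render_vulnerable(term))  # tag reaches the browser intact
    print(render_hardened(term))    # tag arrives as inert &lt;script&gt; text
```

The hardened renderer is the fix that removes the flaw; the CSP header is defence in depth, not a substitute for encoding.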
In this case, attackers first identified government agencies using vulnerable Zimbra installations and webmail interfaces.
Cross-site request forgery (CSRF) is an attack where the authenticated session that the user's browser has with a certain website is hijacked when the user visits a different, malicious website that forces the browser to execute requests on the target website without the user's knowledge, piggybacking on their active session.
The malicious functions added to the payload are meant to steal the user's username, password, and active CSRF token from a cookie, and send them to an attacker-controlled server.
Websites use CSRF tokens that need to accompany browser requests to prevent CSRF attacks, but since the attackers in this case have the ability to execute code in the context of the website through the XSS flaw, they can simply read that token.
Once the login credentials and token are stolen, the script tries to log in to the email portal using hardcoded URIs that are custom to the targeted domain, and if authentication fails, it can prompt the user with an error message and ask them to authenticate again.
"In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well," Proofpoint said. "This detailed focus on which webmail portal is being run by targeted European government entities indicates the level of reconnaissance that TA473 conducts prior to delivering phishing emails to organisations."
"Restricting resources on publicly facing webmail portals from the public internet is highly recommended to prevent groups like TA473 from reconning and engineering custom scripts capable of stealing credentials and logging in to users' webmail accounts," the Proofpoint researchers said.
"While TA473 does not lead the pack in sophistication among APT threats targeting the European cyber landscape, they demonstrate focus, persistence, and a repeatable process for compromising geopolitically exposed targets."