The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that threat actors have been exploiting a vulnerability in webmail portals hosted by Zimbra Collaboration Suite.
The confirmation came days after cybersecurity firm Proofpoint reported about a pro-Russian advanced persistent threat (APT) actor, TA473, used unpatched Zimbra vulnerabilities in publicly facing webmail portals, which enabled it to gain access to the email mailboxes of these organizations.
The Zimbra Collaboration Suite (ZCS) cross-site scripting (XSS) vulnerability, codenamed CVE-2022-27926, impacts Zimbra Collaboration version 9.0.0, which is used to host publicly facing webmail portals, found by researchers at Proofpoint.
According to the researchers, TA473 utilized scanning tools to identify unpatched webmail portals belonging to these organizations before delivering phishing emails purporting to be benign government resources, which are hyperlinked in the body of the email with malicious URLs.
The group appears to invest significant time studying each webmail portal instance belonging to its targets and writing bespoke JavaScript payloads to conduct Cross-Site Request Forgery (CSRF).
Researchers at Proofpoint and Sentinel One observed that TA473’s targeting superficially aligns with the support of Russian or Belarussian geopolitical goals as they pertain to the Russia-Ukraine War.
CVE-2022-27926, TA473, and Zimbra Collaboration Suite
“Beginning in early 2023, Proofpoint observed a trend of TA473 phishing campaigns targeting European government entities that take advantage of CVE-2022-27926,” said the Proofpoint report.
The research report described the vulnerability as a “reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 (which) allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.”
The phishing campaigns by TA473 hyperlink a benign URL in the body of a phishing email with a URL that leverages CVE-2022-27926.
The malicious URL uses the webmail domain that has a vulnerable Zimbra Collaboration Suite instance and appends an arbitrary hexadecimal encoded or plaintext JavaScript snippet, which is executed as an error parameter when it is received in the initial web request.
The JavaScript, once decoded, results in the download of a next-stage bespoke JavaScript payload that conducts cross-site request forgery (CSRF) to capture usernames, passwords, and CSRF tokens from the user.
“The exploitation of this vulnerability is very similar in practice to the exploitation of CVE-2021-35207, which impacts a wider cross section of Zimbra Collaboration versions, and specifically involves adding executable JavaScript to the loginErrorCode parameter of a webmail login URL,” said the report.
“However, it is believed that this exploitation is distinct and limited to CVE-2022-27926,” it added.
The phishing campaigns are highly targeted, with TA473 specifically targeting RoundCube webmail request tokens in some instances.
This level of reconnaissance conducted by TA473 prior to delivering phishing emails to organizations indicates a detailed focus on which webmail portal is being run by the targeted European government entities, the report observed.
TA473 aka Winter Vivern and its Russian ties
Security vendors such as DomainTools, Lab52, Sentinel One, and the Ukrainian CERT refer TA473 as Winter Vivern and UAC-0114.
TA473 historically leverage phishing campaigns to deliver both PowerShell and JavaScript payloads, as well as conducts recurring credential harvesting campaigns using phishing emails.
TA473 popped up in the cybersecurity news early in March, when a Sentinel One analysis noted that it mode of operation superficially aligns with Russian or Belarussian geopolitical goals.
“It’s highly likely that Russian speaking actors are among the group’s members because one of the previous samples contains PDB with purely Russian wording ‘Aperitivchick’,” noted the Ukrainian CERT warning on the group.
While TA473 has historically targeted European government entities, Proofpoint research confirmed that the group has recently been observed targeting elected officials and staffers in the United States.
“The phishing tactics have consistently been observed across both US and European targets as well as among credential harvesting, malware delivery, and cross-site request forgery (CSRF) campaigns,” said the Proofpoint report.
Winter Vivern has been observed utilizing various tactics to carry out their cyberattacks, such as the use of malicious documents that are either created from authentic government documents publicly available or tailored to specific themes, found SentinelOne.
To distribute malicious downloads, the group has recently adopted a new lure technique of mimicking government domains.
Malicious Page Mimicking cbzc.policja.gov.pl
In early 2023, Winter Vivern targeted specific government websites by creating individual pages on a single malicious domain that closely resembled those of legitimate organizations, including Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine.
email.gov.in Login Page
In addition to mimicking government domains, Winter Vivern has also employed government email credential phishing webpages, which was observed in mid-2022. For instance, ocspdep[.]com was used to target users of the Indian government’s legitimate email service, email.gov.in.
