Google's Threat Intelligence Team reported a vulnerability in the Zimbra email server that was used to steal data from the governments of Greece, Moldova, Tunisia, Vietnam and Pakistan. The vulnerability, tracked as CVE-2023-37580, was exploited against Zimbra Collaboration's email server to steal email data, user credentials, and authentication tokens from organizations.
The exploit was first used in Greece at the end of June. The attackers who discovered the vulnerability sent emails containing the exploit to one of the government organizations. Users who clicked on the link while logging into their Zimbra account fell victim to the attack: their email data was compromised, and the cybercriminals took control of their accounts.
Zimbra released a fix for the vulnerability on GitHub on July 5, but the exploit only spread widely later, because many users did not update the software in a timely manner. "This situation shows how attackers monitor open source repositories to quickly exploit vulnerabilities when fixes are present in the repository but not yet released to users," members of the Google Threat Analysis Group note.
In mid-July, the cybercriminal group Winter Vivern used this exploit to attack government organizations in Moldova and Tunisia. An unknown attacker later used the vulnerability to obtain the ID cards of members of the Vietnamese government. The latest exploit described by Google's threat intelligence team involves the theft of authentication tokens from a Pakistani government email server; such tokens are used to access locked or protected information.
Zimbra users were the target of a massive phishing campaign earlier this year. In 2022, attackers used another Zimbra exploit to steal emails from European governments and media companies. Note that in 2022, the Zimbra mail server was used by approximately 200,000 customers, including more than 1,000 government organizations.
"Zimbra Collaboration's popularity among organizations with limited IT budgets ensures that it remains an attractive target for attackers," say researchers at ESET, a developer of antivirus software and computer security solutions.