A cross-site scripting (XSS) vulnerability in the Zimbra email platform is currently actively exploited in attacks targeting European media and government organizations.
Zimbra is an email and collaboration platform that also includes instant messaging, contacts, video conferencing, file sharing, and cloud storage capabilities.
According to Zimbra, more than 200,000 businesses from over 140 countries are using its software, including over 1,000 government and financial organizations.
Attacks linked to Chinese threat actor
“At the time of writing, this exploit has no available patch, nor has it been assigned a CVE (i.e., this is a zero-day vulnerability),” the researchers said.
“Volexity can confirm and has tested that the most recent versions of Zimbra—8.8.15 P29 & P30—remain vulnerable; testing of version 9.0.0 indicates it is likely unaffected.”
Volexity says that so far, it only observed a single, previously unknown threat actor it tracks as TEMP_Heretic (believed to be Chinese) exploiting the zero-day in spear-phishing campaigns to steal emails.
However, the vulnerability can also enable attackers to perform other malicious actions “in the context of the user’s Zimbra webmail session,” including:
- exfiltrating cookies to allow persistent access to a mailbox
- sending phishing messages to the user’s contacts
- displaying prompt to download malware from trusted websites
Zero-day exploited for email theft
Since exploitation started in December, Volexity has seen TEMP_Heretic checking for live email addresses using reconnaissance emails with embedded remote images.
In the next attack stage, the threat actors sent spear-phishing emails with malicious links and various themes (e.g., interview requests, invitations to charity auctions, and holiday greetings) in multiple waves between December 16 and December 2021.
The malicious code allowed the attackers to go through emails in the victims’ mailboxes and exfiltrate email contents and attachments to attacker-controlled servers.
“At the time of this writing, there is no official patch or workaround for this vulnerability. Volexity has notified Zimbra of the exploit and hopes a patch will be available soon,” the company said.
“Based on BinaryEdge data, approximately 33,000 servers are running the Zimbra email server, although the true number is likely to be higher.”
Volexity recommends taking the following measures to block attacks exploiting this zero-day:
- All of the indicators here should be blocked at the mail gateway and network level
- Users of Zimbra should analyze historical referrer data for suspicious access and referrers. The default location for these logs can be found at /opt/zimbra/log/access*.log
- Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15.
A disclosure timeline and indicators of compromise (IoCs), including domains and IP addresses linked to the campaign (dubbed EmailThief), are available at the end of the report Volexity published today.