A threat actor, likely Chinese in origin, is actively attempting to exploit a zero-day vulnerability in the Zimbra open-source email platform as part of spear-phishing campaigns that commenced in December 2021.
The espionage operation — codenamed “EmailThief” — was detailed by cybersecurity company Volexity in a technical report published Thursday, noting that successful exploitation of the cross-site scripting (XSS) vulnerability could result in the execution of arbitrary JavaScript code in the context of the user’s Zimbra session.
Volexity attributed the intrusions, which started on December 14, 2021, to a previously undocumented hacking group it’s tracking under the moniker TEMP_HERETIC, with the assaults aimed at European government and media entities. The zero-day bug impacts the most recent open-source edition of Zimbra running version 8.8.15.
The attacks are believed to have occurred in two phases; the first stage aimed at reconnaissance and distributing emails designed to keep tabs if a target received and opened the messages. In the subsequent stage, multiple waves of email messages were broadcasted to trick the recipients into clicking a malicious link.
” For the attack to succeed, the target must visit the attacker’s URL while being logged in to Zimbra from a browser. The link could however be launched directly from an application that includes a thick client such as Thunderbird, Outlook, or any other similar program. “
The unpatched flaw, should it be weaponized, could be abused to exfiltrate cookies to allow persistent access to a mailbox, send phishing messages from the compromised email account to widen the infection, and even facilitate the download of additional malware.
“None of the infrastructure identified […] exactly matches infrastructure used by previously classified threat groups,” the researchers said. However, the researchers believe that the Chinese APT actor carried out the attack based on information about the target organization and the individuals within it. The stolen data has no economic value and the targets are not identifiable. “
“Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8. 15,” the company added.
