CISA warns of Zimbra bug exploited in attacks against NATO countries

CISA

The Cybersecurity and Infrastructure Security Agency (CISA) warned federal agencies to patch a Zimbra Collaboration (ZCS) cross-site scripting flaw exploited by Russian hackers to steal emails in attacks targeting NATO countries.

The vulnerability (CVE-2022-27926) was abused by a Russian hacking group tracked as Winter Vivern and TA473 in attacks on multiple NATO-aligned governments‘ webmail portals to access the email mailboxes of officials, governments, military personnel, and diplomats.

Winter Vivern’s attacks start with the hackers using the Acunetix tool vulnerability scanner to find vulnerable ZCS servers and sending users phishing emails that spoof senders the recipients are familiar with.

Each email redirected the targets to attacker-controlled servers that exploit the CVE-2022-27926 bug or attempt to trick the recipients into handing over their credentials.

When targeted with an exploit, the URLs also contain a JavaScript snippet that will download a second-stage payload to launch a Cross-Site Request Forgery (CSRF) attack to steal Zimbra users’ credentials and CSRF tokens.

In the following steps, the threat actors used the stolen credentials to obtain sensitive information from the breached webmail accounts or maintain persistence to keep track of exchanged emails over time. 

The hackers may also leverage the compromised accounts to launch more phishing attacks and expand their infiltration of targeted organizations.

Winter Vivern CVE-2022-27926 attack chain
Winter Vivern CVE-2022-27926 attack chain (Proofpoint)

Federal agencies ordered to patch until April 24

The vulnerability was added today to CISA’s Known Exploited Vulnerabilities (KEV) catalog, a list of security flaws known to be actively exploited in the wild.

According to a binding operational directive (BOD 22-01) issued by the U.S. cybersecurity agency in November 2021, Federal Civilian Executive Branch Agencies (FCEB) agencies must patch vulnerable systems on their networks against bugs added to the KEV list.

CISA gave FCEB agencies three weeks, until April 24, to secure their networks against attacks that would target the CVE-2022-27926 flaw.

While BOD 22-01 only applies to FCEB agencies, CISA also strongly urged all organizations to prioritize addressing these bugs to block further exploitation attempts.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned today.

On Thursday, CISA also ordered federal agencies to patch security vulnerabilities exploited as zero-days in recent attacks to deploy commercial spyware on Android and iOS mobile devices, as Google’s Threat Analysis Group (TAG) recently revealed.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn