Sunday, December 3, 2023
News

Hackers Exploiting Zimbra 0-day to Attack Government Organizations

Zimbra Collaboration is an open-source solution software suite with an email server and web client for collaboration. 

Over 5,000 companies and public sector users, along with hundreds of millions of end-users in more than 140 countries, utilize this solution.

Google TAG (Threat Analysis Group) found an in-the-wild 0-day exploit in June 2023 targeting Zimbra Collaboration (CVE-2023-37580). 

In total, four distinct groups exploited this bug, stealing the following data:

Email data

User credentials

Authentication tokens

Flaw Profile

CVE ID: CVE-2023-37580

Description: Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.

Base Score: 6.1 

Severity: MEDIUM

Vulnerability Name: Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability.

Hackers Exploiting Zimbra 0-day

Most of the activity took place after the initial fix went public on GitHub. TAG highlights staying protected by keeping software up-to-date and promptly applying security updates.


TAG found a critical XSS flaw in Zimbra’s email server (CVE-2023-37580), which was actively exploited in June. Zimbra released a hotfix on July 5, 2023, and an advisory on July 13, 2023.

Timeline (Source – Google TAG)

Besides this, researchers also identified three threat groups exploiting it before the official patch, and a fourth campaign emerged after the fix.

The flaw is a reflected XSS triggered through a crafted URL: attacker-controlled input carried in the URL is echoed into the page, allowing the injection of malicious scripts into the web pages served to the victim.
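To make the reflected-XSS pattern concrete, the following added example (not Zimbra's code, and not from the article) shows a hypothetical page template that echoes a URL query parameter back into its HTML response, first verbatim and then HTML-encoded. The `search` parameter, the template and the sample URL are all assumptions constructed for illustration; the "payload" is an inert marker tag used only to show whether markup survives into the output.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Hypothetical page template (constructed for this example): the "search"
# query parameter from the request URL is reflected into the response body.
PAGE = "<html><body><p>Results for: {term}</p></body></html>"


def term_from_url(url: str) -> str:
    """Extract the 'search' query parameter that the page will reflect."""
    query = parse_qs(urlsplit(url).query)
    # parse_qs drops blank values, so a missing/empty parameter yields "".
    return query.get("search", [""])[0]


def render_unsafe(url: str) -> str:
    """Reflected-XSS pattern: the URL parameter is inserted into HTML verbatim."""
    return PAGE.format(term=term_from_url(url))


def render_safe(url: str) -> str:
    """Hardened form: HTML-encode the parameter before inserting it as text."""
    return PAGE.format(term=html.escape(term_from_url(url), quote=True))


def contains_script_tag(rendered: str) -> bool:
    """Crude check used here only to show whether a <script> tag reached the output."""
    return "<script" in rendered.lower()


# Constructed sample URL; the marker tag is harmless and exists only to be observed.
SAMPLE_URL = "https://mail.example.test/?search=%3Cscript%3Emarker%3C/script%3E"

if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_URL))
    print("safe:  ", render_safe(SAMPLE_URL))
```

The hardened version treats the parameter as text rather than markup; the equivalent fix in a templating engine is to leave auto-escaping on and never mark user-derived strings as safe HTML.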

Campaigns

The four campaigns were:

Campaign 1: First known exploitation leads to email-stealing framework

Campaign 2: Winter Vivern exploitation after hotfix pushed to GitHub

Campaign 3: Exploit used for credential phishing

Campaign 4: N-day exploit used for stealing authentication token

The discovery of four CVE-2023-37580 campaigns underscores the urgency of promptly patching mail servers. Attackers exploited the vulnerability in the window between the fix being pushed to GitHub and the public advisory.

This follows the exploitation of CVE-2022-24682 and precedes CVE-2023-5631. The recurring exploitation of XSS flaws highlights the need for rigorous mail server code audits.

IoCs

https://obsorth.opwtjnpoc[.]ml/pQyMSCXWyBWJpIos.js

https://applicationdevsoc[.]com/zimbraMalwareDefender/zimbraDefender.js

https://applicationdevsoc[.]com/tndgt/auth.js

ntcpk[.]org
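As an added example of how a defender might act on the indicators above (this is not code from the article or from Google TAG), the script below refangs the published IoCs, reduces them to hostnames, and scans constructed proxy log lines for requests to those hosts. The log format, the client addresses and the timestamps are assumptions made up for the example; the decision to also match subdomains of an IoC domain is a design choice noted in the comments.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the article, defanged with "[.]".
IOCS = [
    "https://obsorth.opwtjnpoc[.]ml/pQyMSCXWyBWJpIos.js",
    "https://applicationdevsoc[.]com/zimbraMalwareDefender/zimbraDefender.js",
    "https://applicationdevsoc[.]com/tndgt/auth.js",
    "ntcpk[.]org",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a usable value."""
    return indicator.replace("[.]", ".")


def ioc_hosts(indicators):
    """Return the set of lower-cased hostnames covered by URL or bare-domain IoCs."""
    hosts = set()
    for ioc in indicators:
        value = refang(ioc)
        host = urlsplit(value).hostname if "://" in value else value
        hosts.add(host.lower())
    return hosts


# Constructed sample proxy log: timestamp, client, method, URL, status.
SAMPLE_LOG = """\
2023-07-06T10:14:02Z 10.0.0.21 GET https://www.example.test/index.html 200
2023-07-06T10:14:05Z 10.0.0.21 GET https://applicationdevsoc.com/tndgt/auth.js 200
2023-07-06T10:15:40Z 10.0.0.33 GET https://cdn.ntcpk.org/lib.js 200
2023-07-06T10:16:11Z 10.0.0.45 GET https://obsorth.opwtjnpoc.ml/pQyMSCXWyBWJpIos.js 404
2023-07-06T10:17:00Z 10.0.0.45 GET https://notapplicationdevsoc.com/x.js 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def host_matches(host, known_hosts):
    """Return the IoC host that covers `host`, matching the exact host or a subdomain.

    Suffix matching on a leading dot avoids substring false positives such as
    'notapplicationdevsoc.com' matching 'applicationdevsoc.com'.
    """
    host = host.lower()
    for ioc in known_hosts:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(text, indicators=IOCS):
    """Return (timestamp, client, requested host, matched IoC) for each hit."""
    known = ioc_hosts(indicators)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        host = urlsplit(m["url"]).hostname
        if not host:
            continue
        matched = host_matches(host, known)
        if matched:
            hits.append((m["ts"], m["client"], host, matched))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on hostnames rather than full URLs catches the same infrastructure serving a renamed script, and the subdomain rule flags hosts such as `cdn.ntcpk.org`; a 404 is still reported, because the request itself shows a client reached out to the indicator.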


The post Hackers Exploiting Zimbra 0-day to Attack Government Organizations appeared first on Cyber Security News.
