Zero-Day Vulnerability in Zimbra Email Software Exploited by Multiple Threat Actors
A recently identified zero-day vulnerability in the Zimbra Collaboration email software has been exploited by four distinct groups to compromise sensitive email data, user credentials, and authentication tokens. This flaw, designated as CVE-2023-37580, has garnered attention due to its exploitation trajectory and real-world impact, raising significant concerns for organizations relying on this software.
The Google Threat Analysis Group (TAG) reported that much of the exploitation activity was observed shortly after the initial fix was disclosed publicly on GitHub. According to TAG, the vulnerability has a CVSS score of 6.1 and is classified as a reflected cross-site scripting (XSS) issue affecting 8.8.15 releases prior to Patch 41. Zimbra addressed this vulnerability through patches released on July 25, 2023, but not before several attack campaigns had already taken place.
Successful exploitation of this vulnerability allows attackers to execute malicious scripts in victims’ web browsers by tricking them into clicking crafted URLs. When a victim opens such a link, the script embedded in the URL is reflected by Zimbra and runs in the victim’s browser in the context of the Zimbra web client, where it can act on the user’s behalf and effectively compromise the email account. TAG’s research, led by Clément Lecigne, uncovered several attack waves beginning June 29, 2023, prior to Zimbra’s official advisory.
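Because a reflected XSS payload travels inside the crafted URL itself, the web server's access log is a natural place to look for exploitation attempts after the fact. The following script is an added example for this article, not code from Google TAG or Zimbra: it decodes the query string of each logged request (including double-encoded values) and flags parameters carrying generic script-injection markers. The log lines are constructed, the `/zimbra/webmail` path and `q` parameter are placeholders rather than the actual vulnerable endpoint, and the markers are generic XSS indicators, not the CVE-2023-37580 payload.

```python
"""First-pass triage of webmail access logs for reflected-XSS attempts.

Added example: the log lines below are constructed, the request path and
parameter names are placeholders, and the markers are generic XSS
indicators rather than the specific CVE-2023-37580 payload.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed combined-log-format lines; 10.0.0.x addresses are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jun/2023:09:12:01 +0000] "GET /zimbra/mail?app=mail HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Jun/2023:09:12:44 +0000] "GET /zimbra/webmail?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Jun/2023:09:13:10 +0000] "GET /zimbra/webmail?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Jun/2023:09:14:02 +0000] "GET /zimbra/webmail?q=quarterly%20report HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Extracts the method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Generic markers of script injection in a reflected parameter value.
XSS_MARKERS = [
    re.compile(r"<\s*script\b", re.I),                        # inline script tag
    re.compile(r"\bon[a-z]+\s*=", re.I),                       # event handler attribute
    re.compile(r"javascript\s*:", re.I),                       # javascript: URL scheme
    re.compile(r"<\s*(?:img|svg|iframe|object|embed)\b", re.I),  # tags commonly abused for handlers
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> dict:
    """Return {param: decoded_value} for query parameters that trip a marker."""
    query = urlsplit(target).query
    hits = {}
    # parse_qsl already decodes one layer; fully_decode handles any extra layers.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(raw)
        if any(pattern.search(decoded) for pattern in XSS_MARKERS):
            hits[name] = decoded
    return hits


def scan_log(text: str) -> list:
    """Return (client_ip, request_target, hits) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group("target"))
        if hits:
            client_ip = line.split(" ", 1)[0]
            findings.append((client_ip, match.group("target"), hits))
    return findings


if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}")
        for name, value in hits.items():
            print(f"    {name} = {value!r}")
```

Feed the real access log in place of `SAMPLE_LOG`; hits on a webmail search or preview parameter around the dates in the report, especially from a small set of source addresses, are worth correlating with mailbox activity and session tokens for the affected users. The marker list is deliberately broad and will produce some false positives (for example, legitimate parameter names beginning with `on`), so treat output as triage input rather than a verdict.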
Among the targeted entities was a government organization in Greece, where attackers delivered emails embedding exploit URLs that deployed email-stealing malware previously linked to a cyber espionage campaign known as EmailThief. This particular intrusion set, codenamed TEMP_HERETIC, had previously exploited a zero-day vulnerability in Zimbra itself to execute its operations.
Following this initial exploitation, the group Winter Vivern engaged in similar activities shortly after the vulnerability’s fix was uploaded to GitHub. They targeted governmental institutions in Moldova and Tunisia, showcasing a methodical approach in exploiting both Zimbra and Roundcube vulnerabilities, as reported by cybersecurity firms such as Proofpoint and ESET.
In addition, an unidentified third group was detected leveraging this flaw to phish credentials from a government organization in Vietnam before the release of the patch. Their strategy involved directing users to a phishing page designed to harvest webmail login details, hosting the compromised credentials on a legitimate government domain that had likely been infiltrated.
Another incident was recorded on August 25, targeting a governmental body in Pakistan, which resulted in the exfiltration of Zimbra authentication tokens to a domain associated with the attackers.
Analysis by Google highlights a troubling trend wherein hackers exploit XSS vulnerabilities found in mail servers. This emphasizes the necessity for organizations to conduct regular audits of their email systems. TAG’s findings reflect how quickly adversaries can act upon disclosed vulnerabilities, particularly in open-source software repositories where patches may exist but are not yet deployed by users.
The series of campaigns targeting CVE-2023-37580 demonstrates the critical importance of rapid patch application for vulnerabilities in email servers. As threat actors actively monitor repositories for emerging weaknesses, organizations must remain vigilant, acting swiftly to protect their systems from potential breaches. In this environment, understanding the tactics and techniques of malicious actors delineated by the MITRE ATT&CK framework—such as initial access through phishing and persistence via credential theft—becomes vital for safeguarding sensitive information.