Pierluigi Paganini February 04, 2022

An alleged Chinese threat actor is actively attempting to exploit a zero-day vulnerability in the Zimbra open-source email platform.

An alleged Chinese threat actor, tracked as TEMP_Heretic, is actively attempting to exploit a zero-day XSS vulnerability in the Zimbra open-source email platform. The zero-day vulnerability impacts almost any Zimbra install running version 8.8.15.

Researchers from cybersecurity company Volexity uncovered a cyber espionage spear-phishing campaign, tracked as EmailThief, that has been active at least since December 2021.

The successful exploitation of the cross-site scripting (XSS) vulnerability could allow threat actors to execute arbitrary JavaScript code in the context of the user’s Zimbra session.

In order to exploit the vulnerability, the attackers have to trick the target into clicking the attacker’s specially crafted link while logged into the Zimbra webmail client from a web browser.

Experts noticed that the campaigns are carried out across two attack phases, one aimed at reconnaissance and one aimed at spreading the malicious links.

“The campaigns came in multiple waves across two attack phases. The initial phase was aimed at reconnaissance and involved emails designed to simply track if a target received and opened the messages. The second phase came in several waves that contained email messages luring targets to click a malicious attacker-crafted link. For the attack to be successful, the target would have to visit the attacker’s link while logged into the Zimbra webmail client from a web browser.” reads the analysis published by Volexity. “The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook. Successful exploitation results in the attacker being able to run arbitrary JavaScript in the context of the user’s Zimbra session.”

TEMP_Heretic attempted to steal emails and attachments from target organizations, the exploitation of the zero-day XSS issue could allow attackers to exfiltrate cookies to allow persistent access to a mailbox, send further phishing messages to a user’s contacts, and deliver malware.

The attribution to a threat actor with a Chinese origin is based on the following clues:

• Most of the emails were sent between 04:00 and 08:30 UTC, fitting hours of a working day of UTC + 8 hours.
• Emails were sent with headers indicating they were sent from a +0800 UTC time zone.
• The hard-coded headers used in the Zimbra requests generated by the attacker’s JavaScript code contain a timezone set to “Asia/Hong_Kong”.

“In terms of attribution, none of the infrastructure identified by Volexity exactly matches infrastructure used by previously classified threat groups. However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor.” concludes the report.

Volexity also released indicators of compromise (IoCs) for these attacks.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Zimbra)

[adrotate banner=”5″]

[adrotate banner=”13″]