Pierluigi Paganini
March 31, 2023
A Russian hacking group, tracked as Winter Vivern (aka TA473), has been actively exploiting vulnerabilities (CVE-2022-27926) in unpatched Zimbra instances to gain access to the emails of NATO officials, governments, military personnel, and diplomats.
The CVE-2022-27926 flaw affects Zimbra Collaboration versions 9.0.0, which is used to host publicly facing webmail portals.
The attacker can also use the compromised accounts to carry out lateral phishing attacks and further infiltrate the target organizations
TA473 targeted US elected officials and staffers since at least February 2023. The threat actors created bespoke JavaScript payloads designed for each government targets’ webmail portal.
TA473’s cyber operations align with the support of Russian and/or Belarussian geopolitical goals.
The JavaScript payloads were designed to conduct Cross Site Request Forgery attacks and steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing target webmail portals.
These payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies allowing the login to publicly facing vulnerable webmail portals belonging to target organizations.
The APT group uses scanning tools like Acunetix to identify unpatched webmail platforms used by target organizations.
The threat actors send phishing email from a compromised address, which is spoofed to appear as someone relevant to their organization.
Once the attackers identified the vulnerable platform, they deliver phishing emails containing malicious URLs that abuse known vulnerability to execute JavaScript payloads within the victim’s webmail portals.
Proofpoint identified multiple samples of customized CSRF JavaScript payloads with delivery achieved through both the exploitation of the CVE-2022-27926 flaw and earlier delivery mechanisms adopted by the APT group.
“These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance,” explains Proofpoint in the report. “Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets. In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well.”
The attackers employed several layers of Base64 encoding to for the JavaScript obfuscation, however, the experts pointed out that decoding the script is trivial.
“TA473’s persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities impacting publicly facing webmail portals is a key factor in this actor’s success.” concludes the post published by the experts that also provides Indicators of Compromise (IOCs). “Rather than developing a one size fits all tools and payloads approach, TA473 invests time and resources to compromise specific entities with each JavaScript payload being custom for the targeted webmail portal.”
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
You can nominate yourself or your favourite blogger. We ask that you provide a brief paragraph of 250 words explaining why they should win.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, NATO)
