CISA adds Zimbra bug exploited in attacks against NATO countries to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini April 04, 2023

US CISA has added a Zimbra flaw, which was exploited in attacks targeting NATO countries, to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Zimbra flaw, tracked as CVE-2022-27926, to its Known Exploited Vulnerabilities Catalog.

The CVE-2022-27926 flaw affects Zimbra Collaboration version 9.0.0, which is used to host publicly-facing webmail portals.

Proofpoint researchers recently reported that a Russian hacking group, tracked as Winter Vivern (aka TA473), has been actively exploiting vulnerabilities (CVE-2022-27926) in unpatched Zimbra instances to gain access to the emails of NATO officials, governments, military personnel, and diplomats.

The attacker can also use the compromised accounts to carry out lateral phishing attacks and further infiltrate the target organizations

TA473 targeted US elected officials and staffers since at least February 2023. The threat actors created bespoke JavaScript payloads designed for each government targets’ webmail portal.

TA473’s cyber operations align with the support of Russian and/or Belarussian geopolitical goals.

“Researchers have observed TA473, a newly minted advanced persistent threat (APT) actor tracked by Proofpoint, exploiting Zimbra vulnerability CVE-2022-27926 to abuse publicly facing Zimbra hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia Ukrainian War.” reads the post published by Proofpoint.

The JavaScript payloads were designed to conduct Cross Site Request Forgery attacks and steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing target webmail portals.

These payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies allowing the login to publicly facing vulnerable webmail portals belonging to target organizations.

The APT group uses scanning tools like Acunetix to identify unpatched webmail platforms used by target organizations.

The threat actors send phishing email from a compromised address, which is spoofed to appear as someone relevant to their organization.

Once the attackers identified the vulnerable platform, they deliver phishing emails containing malicious URLs that abuse known vulnerability to execute JavaScript payloads within the victim’s webmail portals. 

Winter Vivern phishing messages
Winter Vivern

Proofpoint identified multiple samples of customized CSRF JavaScript payloads with delivery achieved through both the exploitation of the CVE-2022-27926 flaw and earlier delivery mechanisms adopted by the APT group.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by April 24, 2023.

Recently CISA has added nine flaws to its Known Exploited Vulnerabilities catalog, including bugs exploited by commercial spyware on mobile devices.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)



you might also like

leave a comment