Russian threat group targets government emails through Zimbra fault

Winter Vivern seen targeting entities in European governments that support Ukraine in the war

A Russia-based threat group known as Winter Vivern or TA473 has been targeting a flaw in the Zimbra webmail client to exfiltrate emails from officials in European countries.

That's according to a report from security vendor Proofpoint, which has been tracking this activity since February. It does not identify the countries concerned.

The attackers exploit a vulnerability tracked as CVE-2022-27926 on unpatched internet-facing Zimbra Collaboration servers, which it discovers using a vulnerability scanner.

CVE-2022-27926 is described as a "A reflected cross-site scripting (XSS) vulnerability of Zimbra Collaboration 9.0" that "allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters." It was patched by Zimbra in April 2022.

The attackers exploit this vulnerability via tailored phishing techniques, persuading the victim to click on a benign URL link which is hijacked by the threat actors to download a JavaScript injection exploit

In cases observed by Proofpoint, the compromised Zimbra servers are then made to run customised cross-site request forgery (CCRF) JavaScript code which emulates the Zimbra webmail portal but sends the user's login details and tokens to the attackers. The malicious code then uses these credentials to login to the legitimate webmail portal.

The malicious code is designed to compromise specific government webmail portals and incorporates a great deal of the legitimate code in the portal through reverse engineering. The fact that the attack is customised to such a granular level suggests a high level of preparatory surveillance work before it is launched.

"This detailed focus on which webmail portal is being run by targeted European government entities indicates the level of reconnaissance that TA473 conducts prior to delivering phishing emails to organisations," Proofpoint said.

"Rather than developing a one size fits all tools and payloads approach, TA473 invests time and resources to compromise specific entities with each JavaScript payload being custom for the targeted webmail portal."

Over the past two years, TA473 has been observed targeting US and European entities that have been supportive of Ukraine. It has been blamed for attacks against Ukrainian and Polish government targets.

Organisations running Zimbra Collaboration 9.0 should ensure it is patched and those in targeted entities should also restrict resources on publicly facing webmail portals from the public internet.