The Zimbra zero-day vulnerability
The Zimbra open-source email platform has a zero-day vulnerability that a threat actor, most likely based in China, has been actively exploiting since December 2021, and the platform is expected to remain a target this year.
Volexity attributes the intrusions, first spotted on December 14, 2021, to a threat group it tracks as TEMP_HERETIC. The attacks targeted European government and media organizations. Version 8.8.15, the current release of the open-source edition of Zimbra, is affected by the zero-day vulnerability.
The attack is believed to have had at least two phases: a reconnaissance phase, in which emails were sent to check whether a target had received and opened the messages, followed by the execution of the attack itself. Subsequent waves of emails were then sent to trick recipients into clicking a malicious link, which was removed afterwards.
For the attack to succeed, the target had to open the attacker's link while logged into the Zimbra webmail client in a web browser. The link itself, however, could be opened from a desktop mail application such as Thunderbird or Outlook.
Weaponized, the unpatched vulnerability could be used to steal cookies from the victim's mailbox session, giving the attacker persistent access to the mailbox and allowing phishing emails to be sent from the compromised account.
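A stolen session cookie is typically replayed from the attacker's own machine, so one defender-side check that follows from the scenario above is to look for a single webmail session token being used from more than one client within a short window. The following is an added example, not code from the article or from Zimbra; the log line layout, token values, addresses and user agents are all constructed for the demonstration and do not reflect Zimbra's real log format.

```python
"""
Flag webmail session tokens that are used from more than one client
(IP address + User-Agent pair) within a short time window.

Added illustrative example. The log format and every value in SAMPLE_LOG
are constructed for this demo; they are not Zimbra's real log layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, session token, source IP, user agent, path.
# The third line shows a token first used from a browser being replayed
# from a different address with a scripted client.
SAMPLE_LOG = """\
2021-12-14T09:01:12Z sess=tok-a1b2 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/95.0" path=/mail
2021-12-14T09:03:40Z sess=tok-a1b2 ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Firefox/95.0" path=/mail?view=msg
2021-12-14T09:07:05Z sess=tok-a1b2 ip=198.51.100.77 ua="python-requests/2.26.0" path=/mail?view=msg
2021-12-14T09:09:30Z sess=tok-c3d4 ip=192.0.2.55 ua="Mozilla/5.0 (Macintosh) Safari/605.1" path=/mail
2021-12-14T09:12:00Z sess=tok-c3d4 ip=192.0.2.55 ua="Mozilla/5.0 (Macintosh) Safari/605.1" path=/mail?view=msg
"""

# Regex for the constructed line layout above (hypothetical format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sess=(?P<sess>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_shared_sessions(log_text, window=timedelta(minutes=30)):
    """
    Return {session_token: [(ip, ua), ...]} for every token seen from more
    than one distinct (ip, ua) client, where the first and last use of the
    token fall within `window`. Tokens used by a single client are omitted.
    """
    events = defaultdict(list)  # token -> list of (timestamp, ip, ua)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unrelated lines
        events[rec["sess"]].append((rec["ts"], rec["ip"], rec["ua"]))

    flagged = {}
    for token, uses in events.items():
        uses.sort()  # order by timestamp
        clients = sorted({(ip, ua) for _, ip, ua in uses})
        span = uses[-1][0] - uses[0][0]
        if len(clients) > 1 and span <= window:
            flagged[token] = clients
    return flagged


if __name__ == "__main__":
    for token, clients in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {token} used from {len(clients)} distinct clients:")
        for ip, ua in clients:
            print(f"  {ip}  {ua}")
```

On the constructed input only `tok-a1b2` is reported, with its browser client and the scripted client listed side by side. Keying on the IP and User-Agent pair rather than the address alone keeps ordinary address changes (a laptop moving between networks) from tripping the check, and the window bounds how far apart two uses may be before they are treated as unrelated. A hit of this kind is a trigger to invalidate the session and re-authenticate the user; it does not substitute for applying the fix the article recommends.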
The researchers note that the infrastructure they found shares no similarities with infrastructure previously identified as used by known threat groups.
In light of the disclosure, Zimbra users are encouraged to upgrade to version 9.0.0, as no fixed build of 8.8.15 is available at this time.