Google LLC’s Threat Analysis Group today revealed details of how it identified and responded to a new exploit in the Zimbra Collaboration Suite that was used to target international government organizations.

Tracked as CVE-2023-37580, the so-called zero-day vulnerability was first detected in June 2023 when Google TAG noticed it being actively exploited in targeted attacks against Zimbra’s email server. The cross-site scripting, or XSS, vulnerability allowed malicious actors to inject scripts through URL parameters, executing unauthorized commands.

The Google TAG researchers contacted Zimbra at the time, and the company rapidly released a hotfix on its public GitHub repository on July 5, followed by an advisory on July 13 and an official patch on July 25. Despite the reasonable response from Zimbra, the researchers observed four distinct exploitation campaigns, with activities peaking after the public release of the initial fix.

The first campaign targeted a government organization in Greece, utilizing the exploit to access emails and set auto-forwarding rules to attacker-controlled addresses. The second campaign, dubbed “Winter Vivern,” focused on government organizations in Moldova and Tunisia and began after the hotfix publication and before the official patch, highlighting the risks associated with early public disclosures of fixes. The third and fourth campaigns involved credential phishing in Vietnam and stealing Zimbra authentication tokens in Pakistan.

XSS flaws are not uncommon in software and this vulnerability was no different. XSS vulnerabilities allow attackers to execute scripts in the context of another user’s browser, leading to potential data theft or account compromise. However, the gap between the first initial fix and the patch is noted as an example of the importance of organizations applying fixes to their mail servers as soon as possible.

“These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users,” Clement Lecigne and Maddie Stone from Google TAG wrote. “The actors behind Campaign #2 began exploiting the bug after the fix was pushed to Github, but before Zimbra publicly released the advisory with remediation advice.”

Incidents such as the Zimbra vulnerability serve as a reminder of the importance of vigilant software maintenance and the implementation of robust security practices. Organizations must stay updated with the latest security patches and advisories to safeguard their digital assets against emerging threats.

Image: Zimbra