Highlights:

  • Identified as CVE-2023-37580, the zero-day vulnerability came to light in June 2023, as Google TAG observed its active exploitation in targeted attacks against Zimbra’s email server.
  • Events like the Zimbra vulnerability serve as a reminder of the crucial importance of diligent software maintenance and the adoption of robust security practices.

Google LLC’s Threat Analysis Group recently disclosed specifics on the detection and response to a recent exploit within the Zimbra Collaboration Suite, designed to target governmental organizations worldwide.

Identified as CVE-2023-37580, the zero-day vulnerability came to light in June 2023, as Google TAG observed its active exploitation in targeted attacks against Zimbra’s email server. The cross-site scripting (XSS) vulnerability enabled malicious actors to inject scripts via URL parameters, facilitating the execution of unauthorized commands.

Upon detecting the vulnerability, Google TAG researchers promptly notified Zimbra. In response, Zimbra swiftly deployed a hotfix on its public GitHub repository on July 5, accompanied by an advisory on July 13, and finalized with an official patch on July 25. Despite Zimbra’s prompt response, the researchers noted four distinct exploitation campaigns, with activities reaching their zenith following the public release of the initial fix.

In the initial campaign, a government organization in Greece was the focus, where the exploit was leveraged to gain access to emails. The attackers established auto-forwarding rules, directing emails to addresses under their control. The second campaign, “Winter Vivern,” concentrated on government organizations in Moldova and Tunisia. It commenced after the hotfix was made public but before the official patch release, underscoring the risks associated with early disclosures of fixes. The third and fourth campaigns revolved around credential phishing activities in Vietnam and looting Zimbra authentication tokens in Pakistan.
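The first campaign persisted access by adding auto-forwarding rules, so a post-incident check is to list every account's forwarding targets and flag any outside the organization's own domains. The script below is an added example, not code from Google TAG's report or from Zimbra; it assumes the input is text in the shape printed by `zmprov ga <account> zimbraPrefMailForwardingAddress` (the `# name` header and attribute line format are assumptions to adapt to your server's output), and the sample dump is constructed.

```python
"""Audit Zimbra accounts for mail forwarding to external domains."""

# Constructed sample, not captured from a real server. The layout assumes
# zmprov's "# name <account>" header followed by attribute lines.
SAMPLE_DUMP = """\
# name alice@gov.example
zimbraPrefMailForwardingAddress: alice.backup@gov.example

# name bob@gov.example
zimbraPrefMailForwardingAddress: collector@external-mailbox.example

# name carol@gov.example
"""

def parse_forwarding(dump: str) -> dict[str, list[str]]:
    """Map each account in the dump to the forwarding addresses set on it."""
    rules: dict[str, list[str]] = {}
    current = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("# name "):
            current = line[len("# name "):]
            rules.setdefault(current, [])
        elif line.startswith("zimbraPrefMailForwardingAddress:") and current:
            value = line.split(":", 1)[1]
            # The attribute may hold a comma-separated list of targets.
            rules[current].extend(a.strip() for a in value.split(",") if a.strip())
    return rules

def external_forwards(dump: str, trusted_domains: set[str]) -> dict[str, list[str]]:
    """Return accounts whose mail is forwarded outside the trusted domains."""
    trusted = {d.lower() for d in trusted_domains}
    findings: dict[str, list[str]] = {}
    for account, targets in parse_forwarding(dump).items():
        bad = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in trusted]
        if bad:
            findings[account] = bad
    return findings

if __name__ == "__main__":
    for acct, addrs in external_forwards(SAMPLE_DUMP, {"gov.example"}).items():
        print(f"REVIEW {acct}: forwards to {', '.join(addrs)}")
```

Feed it the real `zmprov` output for all accounts and treat every hit as a rule to verify with the mailbox owner, since a forwarding target a user never created is a strong indicator of the mailbox compromise described above.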

XSS flaws are common in software, and this vulnerability was no exception. XSS vulnerabilities enable attackers to execute scripts within the context of another user’s browser, posing risks such as potential data theft or compromise of user accounts. The gap between the initial fix and the official patch underscores the importance of organizations promptly applying fixes to their mail servers.

Maddie Stone and Clement Lecigne of Google TAG penned, “These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository but not yet released to users. The actors behind Campaign #2 began exploiting the bug after the fix was pushed to Github, but before Zimbra publicly released the advisory with remediation advice.”

Events like the Zimbra vulnerability serve as a reminder of the crucial importance of diligent software maintenance and the adoption of robust security practices. To safeguard their digital assets against evolving threats, organizations must remain vigilant and updated with the latest security patches and advisories.