By lconstantin, CSO Senior Writer

APT group Winter Vivern exploits Zimbra webmail flaw to target government entities

News Analysis | Mar 30, 2023 | 6 mins
Topics: Advanced Persistent Threats, Email Security, Vulnerabilities

Winter Vivern's campaign shows that threat actors can effectively take advantage of medium-severity vulnerabilities.

An APT group known in the security industry as Winter Vivern has been exploiting a vulnerability in the Zimbra Collaboration software to gain access to mailboxes from government agencies in several European countries. While no clear links have been established between Winter Vivern and a particular country’s government, security researchers have noted that its activities closely align with the interests of Russia and Belarus.

The group, which is also tracked as TA473 or UAC-0114, has been operating since at least 2021, and past victims were identified in Lithuania, India, the Vatican, and Slovakia. According to a report earlier this month by cybersecurity firm SentinelLabs, more recent targets include Polish government agencies, Ukraine’s Ministry of Foreign Affairs, Italy’s Ministry of Foreign Affairs, individuals within the Indian government, and telecommunications companies that support Ukraine in the ongoing war. In a new report released today, cybersecurity firm Proofpoint said it saw Winter Vivern campaigns late last year that targeted elected officials in the United States and their staffers.

The group’s general modus operandi involves sending phishing emails that impersonate people from the victim’s own organization or from peer organizations involved in global politics. These spoofed emails are sometimes sent from mailboxes on domains whose vulnerable WordPress websites had been compromised. The messages typically include a link to what appears to be a resource on the target organization’s own website but actually leads to a payload hosted on an attacker-controlled domain or to a credential phishing page.

This technique was recently enhanced with an exploit for a known cross-site scripting (XSS) vulnerability in Zimbra, an open-source business collaboration and email platform that can be deployed in the cloud or on premises. According to Zimbra’s own website, its email software powers hundreds of millions of mailboxes across 140 countries and is used by “governments, service providers, educational institutions, and small/midsize enterprises.”

From cross-site scripting to cross-site request forgery and account hijacking

The exploit seen by Proofpoint in TA473 campaigns from early this year through as late as last month targeted CVE-2022-27926, a medium-severity reflected XSS vulnerability that Zimbra patched a year ago in version 9.0.0 Patch 24. Interestingly, the vulnerability is not listed on Zimbra’s security advisories page but does appear in the release notes for Zimbra 9.0.0 P24 alongside even more serious flaws, including critical and high-risk ones.

One could argue that organizations whose Zimbra deployments haven’t been upgraded in a year have questionable security practices, as well as many other vulnerabilities to worry about. Since then, Zimbra has patched at least three more XSS flaws, including in its webmail component, an email authentication bypass, a server-side request forgery flaw, issues with two-factor authentication (2FA) validation, and remote code execution in file upload functionality. However, the recent TA473 attacks serve to show how even a medium-risk XSS can be weaponized to great effect by attackers.

Reflected XSS vulnerabilities allow attackers to craft URLs that carry code in a parameter which the website echoes back into its page without sanitizing it. If a user opens such a URL, the code executes in their browser in the context of that website; in other words, the browser treats it as if the website itself had served it.
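The following Python is an added illustration, not code from the article or from Zimbra, of the defect the paragraph describes and of two ways to fix it. It models a login page that reflects an error-code parameter from the URL; the parameter name, the error codes and the messages are assumptions chosen for the example. The vulnerable renderer splices the value into the HTML verbatim, the first fix HTML-escapes it, and the second fix never reflects user input at all but maps a recognised code to a fixed message.

```python
import html

# Constructed allowlist of error codes a login page might recognise.
# These codes and messages are assumptions for this example, not Zimbra's.
LOGIN_ERROR_MESSAGES = {
    "account.AUTH_FAILED": "The username or password is incorrect.",
    "account.ACCOUNT_INACTIVE": "This account is inactive.",
    "service.AUTH_EXPIRED": "Your session has expired; please log in again.",
}
UNKNOWN_ERROR_MESSAGE = "Login failed."


def render_login_error_vulnerable(login_error_code: str) -> str:
    """Reflected XSS: the query-string value is spliced into the HTML verbatim,
    so whatever was placed in the URL comes back to the browser as markup."""
    return f'<div class="error">Login error: {login_error_code}</div>'


def render_login_error_escaped(login_error_code: str) -> str:
    """Minimum fix: HTML-escape the reflected value (including quotes) so the
    browser renders it as text rather than parsing it as markup."""
    return f'<div class="error">Login error: {html.escape(login_error_code, quote=True)}</div>'


def render_login_error_allowlisted(login_error_code: str) -> str:
    """Stronger fix: do not reflect user input at all. Look the code up in a
    fixed table and fall back to a generic message for anything unknown."""
    message = LOGIN_ERROR_MESSAGES.get(login_error_code, UNKNOWN_ERROR_MESSAGE)
    return f'<div class="error">{html.escape(message)}</div>'


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to compare the renderers: does the output contain
    a script tag, an inline event handler, or a javascript: URL?"""
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered or "javascript:" in lowered


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test input, not a real payload
    for renderer in (render_login_error_vulnerable,
                     render_login_error_escaped,
                     render_login_error_allowlisted):
        out = renderer(probe)
        print(f"{renderer.__name__}: active markup={contains_active_markup(out)}  {out}")
```

The allowlisted variant is the one to prefer for a value like an error code: the page has no legitimate reason to echo arbitrary text, so removing the reflection removes the bug class rather than just one encoding of it.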

In this case, attackers first identified government agencies using vulnerable Zimbra installations and webmail interfaces. They then crafted phishing emails with URLs that would exploit the XSS flaw and execute some encoded JavaScript included in the URL. Once executed by the browser, this JavaScript snippet would fetch a larger JavaScript payload from an attacker-controlled server and execute it in the context of the website.

The larger JavaScript payload uses multiple layers of encoding and is meant to execute what’s known as a cross-site request forgery (CSRF) attack. In a CSRF attack, a malicious website the user visits causes their browser to send requests to a different website where the user is already authenticated; because the browser attaches the session credentials automatically, those requests execute with the user’s privileges and without their knowledge, piggybacking on the active session.

The payload is a variant of the legitimate JavaScript code that exists on the portal, with all the target’s customizations and specific URLs, into which Winter Vivern injected specific routines and logic. This highlights a sustained effort to study every target’s webmail portal and reverse-engineer its JavaScript code.

The malicious functions added to the payload are meant to steal the user’s username, password, and active CSRF token from a cookie, and send them to an attacker-controlled server. Websites require CSRF tokens to accompany browser requests in order to prevent CSRF attacks, but since the attackers in this case can execute code in the context of the website through the XSS flaw, they can simply read that token.
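To make the paragraph's point concrete, here is an added Python model of the synchronizer-token pattern (example code, not Proofpoint's analysis or Zimbra's implementation). The `Session` class, the `/settings` endpoint and the form field names are assumptions. It shows the check doing its job against a request forged from another origin, which cannot learn the token, and shows its limit: script that already runs in the portal's origin sees the same token the legitimate page does, so the remedy is to prevent the injection, not to add more tokens.

```python
import hmac
import secrets


class Session:
    """Constructed, minimal server-side session: the logged-in user and one
    random CSRF token generated when the session is created. This class and
    the endpoint below are assumptions for the example, not Zimbra's code."""

    def __init__(self, user: str) -> None:
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def render_settings_form(session: Session) -> str:
    """The legitimate page embeds the session's token in a hidden field. A page
    on another origin cannot read this markup, so it cannot reproduce the token."""
    return (
        '<form method="post" action="/settings">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="forward_to"><button>Save</button></form>'
    )


def handle_settings_post(session: Session, form: dict) -> tuple[int, str]:
    """Server-side check on a state-changing request: reject unless the token
    in the form matches the session's. compare_digest keeps the comparison
    constant-time regardless of where the two strings first differ."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"forwarding for {session.user} set to {form.get('forward_to', '')}"


def legitimate_submission(session: Session) -> tuple[int, str]:
    """The user's own browser submits the form served above; the token is present."""
    return handle_settings_post(
        session, {"csrf_token": session.csrf_token, "forward_to": "user@example.com"}
    )


def cross_site_forgery(session: Session) -> tuple[int, str]:
    """A request forced from another origin rides the session cookie but has
    no way to learn the token, so the check stops it."""
    return handle_settings_post(session, {"forward_to": "other@example.net"})


def same_origin_script(session: Session) -> tuple[int, str]:
    """Script already executing in the portal's origin, the situation an XSS
    creates, can read whatever the legitimate page can, including the token,
    so the CSRF check is satisfied. This models the limit of the defence."""
    token_visible_to_in_origin_script = session.csrf_token
    return handle_settings_post(
        session,
        {"csrf_token": token_visible_to_in_origin_script, "forward_to": "other@example.net"},
    )


if __name__ == "__main__":
    s = Session("alice")
    print(render_settings_form(s))
    print("legitimate:", legitimate_submission(s))
    print("cross-site forgery:", cross_site_forgery(s))
    print("same-origin script:", same_origin_script(s))
```

The takeaway for defenders is the one the article draws: a CSRF token protects against requests originating from other origins, and an XSS flaw collapses that origin boundary, so patching the XSS (and output encoding, as in the earlier renderer example) is what actually closes the hole.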

Once the login credentials and token are stolen, the script tries to log in to the email portal using hardcoded URIs that are custom to the targeted domain, and if authentication fails, it can prompt users with an error message and ask them to authenticate again.

“In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well,” Proofpoint said. “This detailed focus on which webmail portal is being run by targeted European government entities indicates the level of reconnaissance that TA473 conducts prior to delivering phishing emails to organizations.”

The researchers noted some similarities between these exploits for CVE-2022-27926 and past exploits for an older Zimbra XSS vulnerability, CVE-2021-35207, in that both involve adding executable JavaScript to the loginErrorCode parameter of a webmail login URL. This goes to show that it’s very important to keep Zimbra deployments up to date, as webmail portals are an attractive target for APT groups.
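Because the reporting names the parameter being abused, a defender can look for it in web server logs. The following Python is an added example (not from the article or from Proofpoint) that scans access-log lines for script-like content in query parameters, URL-decoding repeatedly so that double-encoded values are not missed, and rates a hit on `loginErrorCode` higher than a hit on any other parameter. The log lines are constructed for the example in Apache/nginx combined format; the client addresses are documentation ranges, the `/zimbra/` path is an assumption, and the payload values are placeholders, not captured attacker code.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in "combined" format. Only the parameter name
# loginErrorCode comes from the reporting; paths, addresses and values are
# placeholders made up for this example.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [14/Feb/2023:09:12:01 +0000] "GET /zimbra/?loginErrorCode=account.AUTH_FAILED HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Feb/2023:09:13:44 +0000] "GET /zimbra/?loginErrorCode=%3Cscript%3Eeval(atob(%27Zm9v%27))%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [14/Feb/2023:09:15:02 +0000] "GET /zimbra/?loginErrorCode=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Feb/2023:09:16:30 +0000] "GET /zimbra/mail?app=mail HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

# One regex for the combined format: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Substrings that have no business in a login error code. Matching is done on
# the lower-cased, fully decoded value.
SCRIPT_INDICATORS = (
    "<script", "javascript:", "onerror=", "onload=",
    "eval(", "atob(", "fromcharcode", "document.cookie",
)


def fully_url_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, bounded so a pathological
    input cannot keep us looping. parse_qsl has already decoded once, so this
    catches values that were encoded two or three times over."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_script_indicators(value: str) -> list[str]:
    """Return the indicators present in the decoded parameter value."""
    lowered = fully_url_decode(value).lower()
    return [indicator for indicator in SCRIPT_INDICATORS if indicator in lowered]


def scan_access_log(lines) -> list[dict]:
    """Parse each line, split its query string, and record one finding per
    parameter whose value carries script indicators."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            hits = find_script_indicators(value)
            if hits:
                findings.append({
                    "client": match.group("client"),
                    "time": match.group("time"),
                    "status": int(match.group("status")),
                    "parameter": name,
                    "indicators": hits,
                    # The reporting ties the abuse to this parameter specifically.
                    "severity": "high" if name == "loginErrorCode" else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG_LINES):
        print(finding)
```

A 200 status on such a request is itself informative: a patched portal should not be reflecting the value, so hits with a success status against the login page are the ones to prioritise, alongside the referer and user-agent fields a real log would carry.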

“Restricting resources on publicly facing webmail portals from the public internet is highly recommended to prevent groups like TA473 from reconning and engineering custom scripts capable of stealing credentials and logging in to users’ webmail accounts,” the Proofpoint researchers said. “While TA473 does not lead the pack in sophistication among APT threats targeting the European cyber landscape, they demonstrate focus, persistence, and a repeatable process for compromising geopolitically exposed targets.”