Google’s Threat Analysis Group (TAG) revealed on Thursday that a zero-day vulnerability in Zimbra Collaboration, a widely used email server suite, had been exploited to steal data from government organizations in Greece, Moldova, Tunisia, Vietnam, and Pakistan. The flaw, tracked as CVE-2023-37580, is a reflected cross-site scripting (XSS) bug in the Zimbra web client; exploits built on it were used to pull email data, user credentials, and authentication tokens out of the victims’ mailboxes.
The first observed campaign hit Greece at the end of June. The attackers sent government organizations emails carrying a link that triggered the exploit. If a recipient clicked the link while logged into their Zimbra account, the injected script ran inside the victim’s browser session with the victim’s privileges: it siphoned email data and set up an auto-forwarding rule so that the attackers kept receiving the mailbox’s messages even after the session ended.
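Two traces of the chain just described are visible to a defender: the exploit link itself, whose script payload lands in the web tier’s access log as an encoded query parameter, and the forwarding rule it leaves behind on the mailbox. The following Python script, added here as an illustration and not code from the article, Google TAG, or Zimbra, runs both checks over constructed sample data. The access-log shape (combined log format), the request paths and parameter names, and the `# name <account>` / `attr: value` dump layout are all assumptions made for the example; real deployments should point the parsers at their actual log and `zmprov` output formats.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markers of script injected into a reflected parameter. They are tested on the
# URL-decoded value, because the payload travels inside the link percent-encoded.
XSS_MARKERS = re.compile(
    r"<\s*(script|img|svg|iframe|body)\b"   # tags that can execute script
    r"|javascript\s*:"                      # javascript: pseudo-URLs
    r"|\bon[a-z]+\s*=",                     # inline event handlers (onerror=, onload=)
    re.IGNORECASE,
)

# Assumed combined-log-format line: ip, timestamp, "METHOD target HTTP/x", status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real log data). Paths/parameters are illustrative.
ACCESS_LOG = """\
198.51.100.7 - - [28/Jun/2023:08:12:44 +0000] "GET /h/search?si=0&st=%3Cscript%20src%3D%22https%3A%2F%2Fcdn.example.net%2Fa.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5120
203.0.113.21 - - [28/Jun/2023:08:13:01 +0000] "GET /h/search?si=0&st=message HTTP/1.1" 200 4880
203.0.113.22 - - [28/Jun/2023:08:15:30 +0000] "GET /h/search?st=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4901
"""


def find_xss_attempts(log_text):
    """Return one record per query parameter whose decoded value carries script."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # parse_qsl decodes once; the second unquote catches double-encoded payloads.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote_plus(value)
            if XSS_MARKERS.search(decoded):
                hits.append({"ip": m["ip"], "ts": m["ts"], "path": parts.path,
                             "param": name, "payload": decoded})
    return hits


# Constructed dump in the assumed shape of
# `zmprov ga <account> zimbraPrefMailForwardingAddress` for several accounts.
FORWARD_DUMP = """\
# name alice@example.gov
zimbraPrefMailForwardingAddress: collect@example.net

# name bob@example.gov

# name carol@example.gov
zimbraPrefMailForwardingAddress: carol.archive@example.gov
"""


def find_external_forwards(dump_text, internal_domains):
    """Return (account, forward_target) pairs whose target is outside internal_domains."""
    flagged = []
    account = None
    for line in dump_text.splitlines():
        if line.startswith("# name "):
            account = line[len("# name "):].strip()
        elif line.startswith("zimbraPrefMailForwardingAddress:") and account:
            for target in line.split(":", 1)[1].split(","):
                target = target.strip()
                domain = target.rsplit("@", 1)[-1].lower()
                if domain not in internal_domains:
                    flagged.append((account, target))
    return flagged


if __name__ == "__main__":
    for hit in find_xss_attempts(ACCESS_LOG):
        print(f"[xss-attempt] {hit['ts']} {hit['ip']} {hit['path']} {hit['param']}={hit['payload']!r}")
    for account, target in find_external_forwards(FORWARD_DUMP, {"example.gov"}):
        print(f"[external-forward] {account} -> {target}")
```

The access-log check deliberately decodes twice: the third sample line is double-encoded, which is a common way to slip past naive single-decode filters, and after two decodes it resolves to an `<img ... onerror=...>` handler. The forwarding check treats any forward to a domain outside the organization as suspect; a forward to the organization’s own archive address is left alone.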
Zimbra pushed a hotfix for the vulnerability to its public GitHub repository on July 5, with the official patch following later in July, but most of the exploitation activity took place after the hotfix was public. A fix sitting in a code repository protects nobody until it is deployed, and many targets had not yet applied it, leaving their servers exposed. The gap between a public fix and its installation is exactly the window attackers aim for, so administrators should treat a vendor hotfix as an urgent change rather than waiting for the next scheduled update.
From mid-July the threat group Winter Vivern had obtained the exploit and used it against government organizations in Moldova and Tunisia. A third, unidentified group then used it in a phishing campaign against members of the Vietnamese government, harvesting their webmail credentials and posting the stolen data to an official government domain, likely under the attackers’ control. The final campaign targeted a government organization in Pakistan and exfiltrated a Zimbra authentication token, a session credential that grants access to the mailbox without the user’s password.
Zimbra Collaboration has been hit before. Earlier this year a mass-phishing campaign specifically targeted Zimbra users: according to ESET researchers, an unknown threat actor sent emails with an HTML attachment containing a phishing link. In 2022, threat actors exploited a different Zimbra vulnerability to steal emails from European government and media organizations.
Zimbra, with more than 200,000 customers, including over 1,000 government organizations, remains a popular email collaboration suite. ESET researchers note that its widespread adoption among organizations with limited IT budgets, which often lack the staff to patch quickly, makes it an attractive target for adversaries.
The run of Zimbra incidents underlines two practical points. Patches and hotfixes need to be applied as soon as they are published, because exploitation in this case continued for weeks after the fix was available. Patching alone is not enough, though: because the exploit created forwarding rules and stole credentials and authentication tokens, organizations that ran an unpatched server during this window should also audit mailboxes for forwarding rules they did not create, reset affected credentials, and invalidate existing sessions.