CERT-UA has recently alerted the global community to novel malicious activity aimed at Ukrainian state institutions. This time, unnamed adversaries leverage a cross-site scripting security issue in Zimbra Collaboration Suite (ZCS), tracked as CVE-2018-6882, to spy on the email conversations of Ukrainian officials. Given the nature of the threat, CERT-UA considers it a targeted attack and tracks it under the UAC-0097 identifier.
Zimbra is an enterprise solution for cross-team email, calendar, and collaboration synchronization that can be deployed either in the cloud or on-premises. Over 200,000 businesses worldwide use Zimbra in the cloud, including organizations in the financial and government sectors. This wide footprint puts a great number of customers at risk of becoming victims of spear-phishing campaigns and related cyber-attacks that exploit Zimbra’s security vulnerabilities.
In March 2018, security researchers spotted a medium-severity cross-site scripting (XSS) issue within ZCS. If exploited, the flaw enables adversaries to perform arbitrary malicious actions on the victim’s behalf or to present fake login screens that steal user credentials. The exploitation flow is relatively simple: attackers only need to convince the victim to open a specially crafted email in ZCS.
Between December 2021 and February 2022, another Zimbra XSS bug was increasingly leveraged in the wild, exposing multiple European organizations, including government entities, to several waves of cyber-attacks attributed to Chinese hackers. The initial exploitation attempts used reconnaissance emails containing embedded graphics, while the second attack stage took the form of a spear-phishing campaign spreading emails with suspicious URLs. By exploiting this zero-day flaw, attackers gained access to the targeted mailboxes and exfiltrated mail data to the adversary’s C&C server.
Security researchers have successfully tested the Zimbra exploit on ZCS 8.7.11_GA-1854 (build 20170531151956) and suggest that the security issue affects all ZCS versions starting from 8.5.0. The bug was addressed in ZCS version 8.8.7.
To protect their infrastructure against potential cyber-attacks exploiting the Zimbra CVE-2018-6882 vulnerability, organizations are strongly advised to check their deployed version and upgrade to a secure release of the Zimbra software. Additionally, CERT-UA recommends keeping a close eye on specific email settings to reduce the risk of data exfiltration and related spear-phishing attacks.
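The version check recommended above can be automated across a fleet of Zimbra servers. The following Python snippet is an added example, not code from CERT-UA, Zimbra, or SOC Prime: it parses ZCS version strings of the form shown in this article (e.g. `8.7.11_GA-1854`) and flags hosts whose release falls in the affected range, from 8.5.0 up to but not including the fixed release 8.8.7. The inventory of hostnames and version strings is constructed sample data; in practice it would be collected from each server (for example from the output of Zimbra’s version command), and the exact output format of that command is not assumed here beyond containing a `major.minor.patch` number.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the advisory: every ZCS release from 8.5.0
# up to (but not including) 8.8.7, where CVE-2018-6882 was fixed.
FIRST_AFFECTED = (8, 5, 0)
FIXED_IN = (8, 8, 7)

# Extracts the numeric "major.minor.patch" part of a ZCS version string such as
# "8.7.11_GA-1854"; the GA/build/patch suffix does not affect the check.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_zcs_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a ZCS version string, or None if absent."""
    match = _VERSION_RE.search(version)
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def is_vulnerable_to_cve_2018_6882(version: str) -> Optional[bool]:
    """True if the release lies in [8.5.0, 8.8.7), False if outside that range,
    None if the string carries no recognisable version number."""
    parsed = parse_zcs_version(version)
    if parsed is None:
        return None
    # Tuple comparison is lexicographic, which matches semantic version ordering here.
    return FIRST_AFFECTED <= parsed < FIXED_IN


def triage_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify each host as 'UPGRADE', 'OK' or 'UNKNOWN' and return a sorted report."""
    report = []
    for host, version in inventory.items():
        verdict = is_vulnerable_to_cve_2018_6882(version)
        if verdict is None:
            status = "UNKNOWN"   # could not parse; needs a manual look
        elif verdict:
            status = "UPGRADE"   # in the affected range, patch to 8.8.7 or later
        else:
            status = "OK"
        report.append((host, version, status))
    return sorted(report)


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "mail-01.example.test": "8.7.11_GA-1854",   # the build tested by researchers
    "mail-02.example.test": "8.8.7_GA_1964",    # first fixed release
    "mail-03.example.test": "8.4.9_GA",         # predates the affected range
    "mail-04.example.test": "8.5.0_GA_3042",    # first affected release
    "mail-05.example.test": "version string missing",
}

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{status:8} {host:24} {version}")
```

Hosts reported as UPGRADE are running a release in the affected range and should be brought to 8.8.7 or later; UNKNOWN entries indicate a version string that could not be parsed and should be verified by hand rather than assumed safe.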
Apart from security best practices to safeguard the organizational environment against possible Zimbra exploits, CERT-UA provides indicators of compromise for the related cyber-attack against Ukrainian state bodies. To streamline threat hunting activities, security performers can use SOC Prime’s Uncoder CTI tool to automatically convert the IoCs provided by CERT-UA into custom hunting queries ready to run in a chosen SIEM or XDR environment. Uncoder CTI is currently available at no charge for all users registered to our Detection as Code platform through May 25, 2022.
Leveraging SOC Prime’s Detection as Code platform, security performers can seamlessly boost threat detection and hunting capabilities while keeping abreast of continuously emerging threats.