CERT-UA has recently alerted the global community to novel malicious activity aimed at Ukrainian state institutions. This time, unnamed adversaries leverage a cross-site scripting security issue in Zimbra Collaboration Suite (ZCS), tracked as CVE-2018-6882, to spy on the email conversations of Ukrainian officials. Given the nature of the threat, CERT-UA considers it a targeted attack and tracks it under the UAC-0097 identifier.

Exploiting Zimbra CVE-2018-6882 Vulnerability: Attack Overview

Zimbra is an enterprise solution for cross-team email, calendar, and collaboration synchronization that can be deployed either in the cloud or on-premises. Over 200,000 businesses worldwide use Zimbra in the cloud, including organizations in the financial and government sectors. This poses a serious threat to a great number of customers, who become potential victims of spear-phishing campaigns and related cyber-attacks exploiting Zimbra’s security vulnerabilities.

In March 2018, security researchers spotted a medium-severity cross-site scripting (XSS) issue within ZCS. If exploited, the flaw enables adversaries to perform arbitrary malicious actions on the victim's behalf or produce login screen lures to steal user credentials. The exploitation flow is relatively simple: hackers only need to convince the victim to open a specially crafted email in ZCS.

From December 2021 to February 2022, another XSS Zimbra bug was increasingly leveraged in the wild, exposing multiple European orgs, including government entities, to several waves of cyber-attacks attributed to Chinese hackers. The initial exploitation attempts leveraged reconnaissance emails containing embedded graphics, while the second attack stage took the form of a spear-phishing campaign spreading emails with suspicious URLs. By exploiting this zero-day flaw, attackers managed to gain access to the targeted emails and exfiltrate the mail data to the adversary C&C server.

In the most recent malicious campaign leveraging the XSS flaw in question, the emails distributed among Ukrainian state bodies contained a Content-Location header with JavaScript code that, through an infection chain, led to exploitation of the detected vulnerability in ZCS (CVE-2018-6882). This XSS vulnerability allows adversaries to remotely inject malicious script or HTML code into an attachment sent via email using a Content-Location header. Exploiting CVE-2018-6882 enables auto-forwarding of the compromised email to an external address, so the activity can be considered a targeted cyber-espionage campaign.

Detection and Mitigation

Security researchers have successfully tested the Zimbra exploit on ZCS 8.7.11_GA-1854 (build 20170531151956) and suggest that the security issue affects all ZCS versions starting from 8.5.0. The bug was addressed in ZCS version 8.8.7.

To protect their infrastructure against potential cyber-attacks exploiting the Zimbra CVE-2018-6882 vulnerability, organizations are strongly advised to check which Zimbra version they run and upgrade to a secure one. Additionally, CERT-UA recommends keeping a close eye on specific email settings to prevent data exfiltration risks and related spear-phishing attacks.
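One way to hunt in stored mail for the delivery technique described above is to flag MIME parts whose Content-Location header does not look like a plain URI. This Python sketch is an added example, not CERT-UA's or SOC Prime's detection logic; the heuristic, the function names, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Heuristic for this example (not a CERT-UA signature): Content-Location
# should hold a URI, so raw markup characters or a script scheme are anomalies.
SUSPICIOUS = re.compile(r'''[<>"'`]|^(?:javascript|vbscript):''', re.I)

def scan_message(raw):
    """Return (content_type, header_value) for each suspicious MIME part."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # top-level message plus every nested part
        for value in part.get_all("Content-Location", []):
            value = str(value).strip()
            if SUSPICIOUS.search(value):
                hits.append((part.get_content_type(), value))
    return hits

def make_sample(location):
    """Constructed test message carrying one HTML attachment."""
    return (
        "From: sender@example.org\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Body text.\n"
        "--b1\n"
        'Content-Type: text/html; name="report.html"\n'
        f"Content-Location: {location}\n"
        "\n"
        "<p>attachment</p>\n"
        "--b1--\n"
    )

if __name__ == "__main__":
    # Constructed header values: a harmless placeholder and a normal URI.
    for loc in ("x<constructed-placeholder>", "https://example.org/files/report.html"):
        print(loc, "->", scan_message(make_sample(loc)))
```

A hit is a lead for triage rather than proof of exploitation; pair it with a review of mailbox forwarding settings, since auto-forwarding is the outcome reported for this campaign.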

Apart from security best practices to safeguard the organizational environment against possible Zimbra exploits, CERT-UA provides indicators of compromise for the related cyber-attack against Ukrainian state bodies. To streamline threat hunting activities, security performers can use SOC Prime’s Uncoder CTI tool to automatically convert the IoCs provided by CERT-UA into custom hunting queries ready to run in a chosen SIEM or XDR environment. Uncoder CTI is currently available at no charge for all users registered to our Detection as Code platform through May 25, 2022.


Leveraging SOC Prime’s Detection as Code platform, security performers can seamlessly boost threat detection and hunting capabilities while keeping abreast of continuously emerging threats.
