{"id":18199,"date":"2022-02-04T09:10:06","date_gmt":"2022-02-04T17:10:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/04\/news-11932\/"},"modified":"2022-02-04T09:10:06","modified_gmt":"2022-02-04T17:10:06","slug":"news-11932","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/04\/news-11932\/","title":{"rendered":"Threat actor steals email with Zimbra zero-day"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Fri, 04 Feb 2022 16:07:15 +0000<\/strong><\/p>\n

Researchers<\/a> have discovered a threat actor attempting to exploit a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform.<\/p>\n

Zimbra is open source webmail application used for messaging and collaboration. Cross-site scripting is a type of\u00a0injection<\/a> attack<\/a>\u00a0wherein a vulnerability in a web application allows a\u00a0threat<\/a> actor<\/a>\u00a0to inject malicious code into the site\u2019s content.\u00a0In this case the target was a Zimbra email opened in a web browser<\/span>.<\/p>\n

Targets and threat actor<\/h3>\n

The entire campaign was targeted\u2014predominantly at organizations in the European government and media realm. According to Zimbra, there are 200,000 businesses, and over a thousand government and financial institutions, using their software. How many of them fall into the target audience is unknown.<\/p>\n

The researchers have dubbed the threat actor \u201cTEMP_Heretic\u201d and based on a number of observed factors they have reason to believe the threat actor is of Chinese origin.<\/p>\n

The campaign<\/h3>\n

This campaign was named EmailThief by the researchers and consisted of two clear components. The first one was a reconnaissance mission to find people that were likely to open the second email. Using this method the attackers could weed out invalid and unresponsive receivers. The reconnaissance emails were sent on 14 December, 2021 and contained no malicious links. This first wave only contained embedded remote images in the body of email messages. These emails contained no content other than the remote image and had generic subjects often associated with non-targeted spam. These emails are unlikely to have attracted any negative attention because remote images are widely used in marketing emails to measure email open rates.<\/p>\n

The image URLs were unique to each individual, enabling the threat actor to ascertain the validity of the email addresses, and to determine which accounts were more likely to open phishing email messages.<\/p>\n

The second part of the campaign was only sent to the receivers that qualified as likely to open such an email in the first wave. This part of the campaign was done in four waves which were sent out at 16, 23, 24, and 27 of December, 2021. These spear-phishing waves were largely generic and mostly themed around the holiday season, notably purporting to be from various airlines or Amazon.<\/p>\n

In these campaigns, the attacker embedded links to attacker-controlled infrastructure. Upon clicking the malicious link, the attacker infrastructure would attempt a redirect to a page on the targeted organization\u2019s Zimbra webmail host. A specifically crafted URL format exploited a zero-day vulnerability, allowing an attacker to load arbitrary JavaScript into the page, in the context of a logged-in Zimbra session.<\/p>\n

The overall effect of this attack is that by getting a user to click a link in an email and leave their browser window open for any length of time, the attacker can steal the contents of their mailbox.<\/p>\n

Mitigation<\/h3>\n

Besides the theft of mailbox contents the vulnerability could also have been used to:<\/p>\n