The Russian-speaking hack group Winter Vivern (aka TA473 in the Proofpoint classification) has been actively exploiting a vulnerability in Zimbra and has been stealing letters from NATO officials, governments, military personnel and diplomats since February 2023.
In mid-March 2023, SentinelOne experts submitted a report on the Russian-speaking Winter Vivern group, which was seen in attacks on government agencies in several countries in Europe and Asia, as well as on telecommunications service providers.
As analysts from Proofpoint have now reported, these same attackers are using the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to access messages from organizations and individuals associated with NATO.
According to the researchers, Winter Vivern attacks begin with the use of the Acunetix vulnerability scanner, with which hackers look for unpatched webmail platforms. The attackers then send a phishing email from the compromised mailbox, which is spoofed to look like it was written by someone the victim knows or someone related to the target organization.
The emails contain a link that exploits the aforementioned CVE-2022-27926 vulnerability in the Zimbra framework and injects payloads (JavaScript) into a web page. These payloads are used to steal usernames, passwords, and tokens from cookies received from a compromised Zimbra endpoint. This allows attackers to gain full access to the victim’s mailbox. In addition, hackers can use hacked accounts to carry out further phishing attacks and penetrate deeper into targeted organizations.
Experts note that in some cases TA473 also targets RoundCube webmail request tokens. According to analysts, this only emphasizes that before attacks, compiling phishing emails and preparing a landing page, attackers conduct thorough reconnaissance and find out what exactly their target is using.
However, malicious JavaScript is not only protected by three levels of base64 obfuscation to make parsing more difficult, but the grouping also uses parts of legitimate JavaScript code that runs on regular webmail portals to mix with regular operations and reduce the chance of detection.
Despite this, the researchers argue that in general Winter Vivern operations are not particularly sophisticated, instead hackers take a simple and effective approach that works even against high-value targets that are unable to install updates and patches in a timely manner. So, the problem CVE-2022-27926 was fixed back in April 2022, with the release of Zimbra Collaboration 9.0.0 P24.