Volexity reported that it detected attackers attempting to exploit a zero-day cross-site scripting (XSS) vulnerability in Zimbra, an open-source email platform widely used by organizations. Through its Network Security Monitoring service, Volexity observed a series of targeted spear-phishing campaigns against one of its customers, attributed to a threat actor it tracks as TEMP_Heretic.
Two attack phases
The campaigns were delivered in multiple waves across two attack phases. The first phase was reconnaissance: the emails were designed simply to track whether a target opened the message. The second phase consisted of several waves of emails that tried to trick the user into clicking an attacker-crafted link. The attack succeeds only if the target visits the link while logged into the Zimbra webmail client, because the injected script needs an authenticated session to act on.
When successfully exploited, the vulnerability allows an attacker to run arbitrary JavaScript in the context of the user's Zimbra session. Volexity stated that the attackers were attempting to load JavaScript that steals the user's mail data and attachments. The same access lets an attacker perform other actions in the context of the user's Zimbra webmail session, such as:
- Exfiltrate cookies to allow persistent access to a mailbox.
- Send further phishing messages to a user’s contacts.
- Present a prompt to download malware in the context of a trusted website.
At the time of the report there was neither a patch nor an assigned CVE for the vulnerability. Volexity recommends:
- Block the indicators published in Volexity's report at the mail gateway and at the network level.
- Review historical Zimbra access logs for suspicious requests and referrers, in particular requests to the webmail interface whose Referer is an external site the organization does not recognize. By default these logs are located at /opt/zimbra/log/access*.log.
- Consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15.
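The referrer review above is straightforward to script. The following is an added example (not code from Volexity or the Zimbra project) that parses access-log lines and flags any request to the webmail interface whose Referer header points at a host outside an allow-list of the organization's own webmail hostnames, which is exactly the shape a successful phase-two lure leaves behind. It assumes the log is in NCSA combined format (IP, identity, user, timestamp, request, status, size, referer, user agent), which is what Zimbra's Jetty-based access log resembles; adjust the regular expression if your deployment logs a different layout. The sample lines and the hostnames `mail.example.com`, `lure.invalid` and `tracking.invalid` are constructed for the example.

```python
import glob
import re
import sys
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log lines (assumption: NCSA combined format, as written
# by Zimbra's Jetty access log). Two of the four carry an external Referer.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2022:09:12:01 +0000] "GET /zimbra/mail HTTP/1.1" 200 5120 "https://mail.example.com/zimbra/" "Mozilla/5.0" 12
203.0.113.10 - - [01/Feb/2022:09:13:44 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "https://lure.invalid/news.html" "Mozilla/5.0" 9
198.51.100.7 - - [01/Feb/2022:09:15:02 +0000] "GET /zimbra/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" 3
198.51.100.7 - - [01/Feb/2022:09:15:10 +0000] "GET /service/home/~/ HTTP/1.1" 200 2048 "https://tracking.invalid/open" "Mozilla/5.0" 7
"""

# NCSA combined format; the trailing latency field Jetty appends is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious_referer(referer, trusted_hosts):
    """True when the Referer names a host outside the allow-list.

    An empty or "-" Referer is a direct navigation (or a browser that strips
    the header) and is not flagged; a Referer that cannot be parsed is flagged
    so that it is reviewed rather than silently dropped.
    """
    if referer in ("", "-"):
        return False
    host = urlparse(referer).hostname
    if host is None:
        return True
    return host.lower() not in trusted_hosts


def find_suspicious(log_text, trusted_hosts):
    """Return the parsed records whose Referer is external to trusted_hosts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log line (or a layout this regex does not cover)
        if is_suspicious_referer(rec["referer"], trusted_hosts):
            hits.append(rec)
    return hits


def referer_hosts(hits):
    """Count flagged requests per referring host to surface the lure domains."""
    return Counter((urlparse(h["referer"]).hostname or "<unparseable>") for h in hits)


def main(argv):
    # Usage: python check_referers.py mail.example.com [/opt/zimbra/log/access*.log ...]
    # With no log paths, the constructed sample above is scanned instead.
    trusted = {argv[1].lower()} if len(argv) > 1 else {"mail.example.com"}
    paths = [p for pattern in argv[2:] for p in glob.glob(pattern)]
    text = SAMPLE_LOG if not paths else "".join(open(p, errors="replace").read() for p in paths)
    hits = find_suspicious(text, trusted)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["request"]} {h["status"]} referer={h["referer"]}')
    for host, n in referer_hosts(hits).most_common():
        print(f"{n:5d}  {host}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the real logs with the webmail hostname(s) as the allow-list; every flagged host is a candidate lure site to compare against Volexity's published indicators and to block at the gateway. Treat a 200 response on a webmail path with an external Referer as the strongest signal, since that is the request in which the injected script would have run in the victim's session.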