Volexity announced that it has detected attackers attempting to exploit a zero-day cross-site scripting (XSS) vulnerability in Zimbra, an open-source email platform popular among organizations. Through its Network Security Monitoring service, Volexity observed a series of targeted spear-phishing campaigns against one of its customers from a threat actor it tracks as TEMP_Heretic.
Two attack phases
The campaigns were delivered in multiple waves across two attack phases. The first phase is reconnaissance: its emails are designed simply to track whether a target opens the message. The second phase consists of several waves of emails that try to trick the user into clicking an attacker-crafted link. If the target visits the link while logged into the Zimbra webmail client, the attack succeeds and the attacker-controlled script runs in the context of the victim's webmail session, which allows the attacker to:
- Exfiltrate cookies to allow persistent access to a mailbox.
- Send further phishing messages to a user’s contacts.
- Present a prompt to download malware in the context of a trusted website.
Currently there is neither an available patch nor an assigned CVE for the vulnerability. Volexity recommends:
- All of the indicators here should be blocked at the mail gateway and network level.
- Zimbra administrators should review historical access logs for suspicious requests and referrers. By default these logs are located at /opt/zimbra/log/access*.log.
- Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15.
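The referrer review recommended above can be scripted. The following is an added example, not code from Volexity or the Zimbra project. It assumes the access log uses NCSA combined-style lines (client, user, timestamp, request, status, size, referrer, user agent), which the page does not state; the log lines, hostnames and usernames below are constructed for the example and are not real indicators. Any request whose Referer header points at a host other than the organization's own webmail hostnames is reported, since a logged-in user arriving at Zimbra from a foreign page is exactly the pattern the phishing link produces.

```python
import glob
import re
from urllib.parse import urlparse

# Assumed NCSA combined-format layout; adjust the regex if your Zimbra
# access log is configured differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (hypothetical hosts and users), not real log data.
SAMPLE_LOG = """\
203.0.113.5 - alice@corp.example [01/Feb/2022:09:12:03 +0000] "GET /zimbra/ HTTP/1.1" 200 4123 "https://mail.corp.example/zimbra/" "Mozilla/5.0" 12
203.0.113.5 - alice@corp.example [01/Feb/2022:09:12:10 +0000] "POST /service/soap/SearchRequest HTTP/1.1" 200 8812 "https://mail.corp.example/zimbra/" "Mozilla/5.0" 44
203.0.113.5 - alice@corp.example [01/Feb/2022:09:15:41 +0000] "GET /zimbra/ HTTP/1.1" 200 3031 "http://hosting.invalid/docs/" "Mozilla/5.0" 31
198.51.100.7 - bob@corp.example [01/Feb/2022:09:20:05 +0000] "GET /zimbra/ HTTP/1.1" 200 4123 "-" "Mozilla/5.0" 10
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_referrers(lines, own_hosts):
    """Return records whose Referer host is not one of our own webmail hostnames.

    A missing referrer ("-") is not flagged: direct navigation and bookmarks
    produce no Referer header, so it is not evidence of a foreign origin.
    """
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["referer"] in ("", "-"):
            continue
        host = (urlparse(rec["referer"]).hostname or "").lower()
        if host and host not in own:
            hits.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "user": rec["user"],
                "path": rec["path"],
                "referer": rec["referer"],
                "referer_host": host,
            })
    return hits


def scan_files(pattern, own_hosts):
    """Run the referrer check over every log file matching a glob pattern."""
    hits = []
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend(suspicious_referrers(fh, own_hosts))
    return hits


if __name__ == "__main__":
    # Replace with your real webmail hostnames and run against the default log path.
    OWN_HOSTS = {"mail.corp.example"}
    found = scan_files("/opt/zimbra/log/access*.log", OWN_HOSTS)
    if not found:  # no logs on this machine: fall back to the constructed sample
        found = suspicious_referrers(SAMPLE_LOG.splitlines(), OWN_HOSTS)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['user']} {h['path']} <- {h['referer']}")
```

Treat a hit as a lead, not a verdict: legitimate external referrers (a partner portal, a corporate intranet link) will also appear, so group the results by referer_host and investigate unknown hosts, especially those followed by requests from the same session that look like cookie theft or mass outbound mail.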