Phishing Scheme Hits Email Platform Zimbra: Report

Zimbra, an open-source email platform, has been the victim of a phishing attack that exploits a zero-day cross-site scripting (XSS) vulnerability in the platform, according to the security firm Volexity.

The attack, which was identified in December 2021, came in two waves. The first sought to determine whether the intended victims opened the emails sent to them. The second was designed to lure them into clicking on malicious links, Volexity reports.

The targeted sectors include European governments and media.  

The attack is believed to be Chinese in origin, Volexity states. The threat actor is TEMP_Heretic, it adds. 

Zimbra, a Synacor company, offers email hosting, management and migration services. 

Volexity says the dangerous link could be launched from “an application to include a thick client, such as Thunderbird or Outlook.”

If successful, the attacker is able to run “arbitrary JavaScript in the context of the user's Zimbra session.”

The phishing emails were “largely generic and mostly themed around the holiday season, notably purporting to be from various airlines or Amazon,” Volexity writes. 

Zimbra acknowledged the exploit on December 28 and confirmed that “it works against newest build of Zimbra Collaboration,” Volexity says. 

According to the report, the exploit gives TEMP_Heretic the ability to:

  • “Exfiltrate cookies to allow persistent access to a mailbox”
  • “Send further phishing messages to a user's contacts”
  • “Present a prompt to download malware in the context of a trusted website”
