
Users of Zimbra, an open-source email platform, have been targeted by a phishing campaign that exploits a zero-day cross-site scripting (XSS) vulnerability in the platform, according to the security firm Volexity.
The attack, which was identified in December 2021, came in two waves. The first sought to determine whether intended victims opened emails that were sent to them. The second was designed to lure them into clicking on malicious links, Volexity reports.
The targeted sectors include European governments and media.
The attack is believed to be Chinese in origin, Volexity states. The threat actor is TEMP_Heretic, it adds.
Zimbra, a Synacor company, offers email hosting, management and migration services.
Volexity says the dangerous link could be launched from “an application to include a thick client, such as Thunderbird or Outlook.”
If successful, the attacker is able to run “arbitrary JavaScript in the context of the user's Zimbra session.”
The phishing emails were “largely generic and mostly themed around the holiday season, notably purporting to be from various airlines or Amazon,” Volexity writes.
Zimbra acknowledged the exploit on December 28 and confirmed that “it works against newest build of Zimbra Collaboration,” Volexity says.
According to the report, the exploit used by TEMP_Heretic allows the attackers to:
- “Exfiltrate cookies to allow persistent access to a mailbox”
- “Send further phishing messages to a user's contacts”
- “Present a prompt to download malware in the context of a trusted website”
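The first capability in that list, stealing session cookies through injected JavaScript, is the one a defender can partly blunt with response-header hygiene: a cookie flagged HttpOnly is not readable from script, Secure keeps it off plaintext connections, and a Content-Security-Policy limits where injected script can send data. The following audit routine is an added example written for this article; it is not code from Zimbra or from Volexity's report, and it says nothing about where the actual vulnerability lives. It assumes the caller has already collected the response headers of a webmail login as a list of (name, value) pairs (for instance from `requests` or a proxy log); the sample headers below are constructed.

```python
"""Audit webmail response headers for mitigations against XSS-driven cookie theft.

Added example, not from the article, Zimbra or Volexity. Input is assumed to be
a list of (header_name, header_value) tuples from one HTTP response; the sample
values at the bottom are constructed for illustration.
"""
from typing import Dict, List, Tuple


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie_name, {attribute_lowercased: value}).

    Flag attributes such as HttpOnly and Secure map to an empty string.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = ""
    return name, attrs


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Report cookies missing HttpOnly/Secure/SameSite and absent protective headers."""
    findings: Dict[str, List[str]] = {
        "cookies_without_httponly": [],
        "cookies_without_secure": [],
        "cookies_without_samesite": [],
        "missing_headers": [],
    }
    present = {name.lower() for name, _ in headers}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        # Without HttpOnly, document.cookie exposes the value to injected script.
        if "httponly" not in attrs:
            findings["cookies_without_httponly"].append(cookie)
        if "secure" not in attrs:
            findings["cookies_without_secure"].append(cookie)
        if "samesite" not in attrs:
            findings["cookies_without_samesite"].append(cookie)
    # A CSP with restrictive connect-src/img-src narrows where stolen data can go.
    if "content-security-policy" not in present:
        findings["missing_headers"].append("Content-Security-Policy")
    return findings


# Constructed sample: one session cookie lacks HttpOnly and SameSite, no CSP is set.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=example-token-value; Path=/; Secure"),
    ("Set-Cookie", "ui_prefs=compact; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for key, items in audit_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {items}")
```

Read the output as a partial check only. HttpOnly defeats cookie exfiltration via `document.cookie`, but script running inside the user's session can still drive the web client with the browser attaching the cookie itself, which is how the report's second and third capabilities (sending further phishing mail, presenting a download prompt on a trusted site) would still work; the real fix is the vendor patch for the XSS itself. The check also says nothing about the thick-client path Volexity mentions, since Thunderbird or Outlook are not governed by these browser headers.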