Researchers have found active phishing campaigns exploiting a zero-day vulnerability in the Zimbra email platform. Since the vendors have released a hotfix, users must update quickly to prevent such attacks.
Zimbra Zero-Day Vulnerability
Elaborating the details in a blog post, researchers from Volexity shared their findings of the active exploitation of Zimbra zero-day.
As explained, the researchers observed that the threat actors exploit the flaw in spear-phishing campaigns. Upon analyzing one such phishing email, they noticed the attempt to exploit an XSS zero-day bug in the Zimbra email platform.
Zimbra is an open-source web email platform frequently used as a substitute for Microsoft Exchange. Hence, its use in the corporate environment makes it a lucrative target for adversaries.
In the malicious campaign that Veloxity spotted, the attackers executed the attack in two phases. In the first phase, the attackers aim at assessing the success rate of the phishing attack. At this point, the attackers merely wish to observe if the target user actually opens the phishing email or not. Then, in the second phase, the attackers change the phishing email’s design to make it more appealing for the target user to open.
This subsequent email carries the phishing link that an app like Outlook or Thunderbird could also execute. However, it would only work if the target user visits the Zimbra webmail client via the browser.
If the attack goes as intended, the attackers can execute JavaScript codes and perform various actions. As stated in the post,
Successful exploitation results in the attacker being able to run arbitrary JavaScript in the context of the user’s Zimbra session. Volexity observed the attacker attempting to load JavaScript to steal user mail data and attachments.
Hotfix Released
The researchers observed the bug affecting Zimbra versions 8.8.15 and earlier. However, the latest version 9.0 remains unaffected.
Following this discovery, Volexity reported the matter to Zimbra. However, the vendors couldn’t release a fix in time. Hence, Volexity moved forward with the public disclosure, urging users to upgrade their mail clients.
Nonetheless, after this disclosure, Zimbra released a hotfix for the users of version 8.8.15 p30 as an update. So now, users must ensure receiving this patch, alongside considering upgrading their mail clients to the latest version to prevent any risks.