Since February 2023, a Russian hacking group known as TA473, also identified as "Winter Vivern," has been actively stealing the emails of NATO leaders, governments, soldiers, and diplomats by taking advantage of flaws in unpatched Zimbra endpoints.
Sentinel Labs published a report on 'Winter Vivern's' recent operation two weeks ago, detailing how the group propagated malware that poses as a virus scanner by imitating websites run by European organisations that fight online crime.
The threat actor used Zimbra Collaboration servers to exploit CVE-2022-27926, according to a new report released by Proofpoint today. This vulnerability allowed the threat actor to access the communications of individuals and organisations that are NATO allies.
Taking aim at Zimbra
Before launching a Winter Vivern attack, the threat actor first uses the Acunetix tool vulnerability scanner to look for unpatched webmail platforms.
After there, the hackers send a phishing email from a compromised account that is faked to look like it is from a person the target knows or is somehow connected to their business.
A link in the emails uses the CVE-2022-27926 vulnerability in the target's compromised Zimbra infrastructure to inject additional JavaScript payloads into the webpage.
When cookies are received from the hacked Zimbra endpoint, these payloads are then exploited to steal usernames, passwords, and tokens. These details give the threat actors unrestricted access to the targeted' email accounts.
"These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance," the Proofpoint report reads. Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets.In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well."
This particular aspect illustrates the diligence of the threat actors in pre-attack reconnaissance, ascertaining which portal their target utilises before constructing the phishing emails and establishing the landing page function.
In addition to the three layers of base64 obfuscation used to obfuscate the malicious JavaScript to complicate analysis, "Winter Vivern" also incorporated pieces of the legal JavaScript that runs on a native webmail interface, blending in with regular activities and lowering the risk of detection.
Ultimately, the threat actors have access to confidential data on the compromised webmails or can keep their hold in place to watch communications over time. In addition, the hackers can utilise the compromised accounts to conduct lateral phishing attacks and further their penetration of the target companies.
Researchers claim that "Winter Vivern" is not very sophisticated, but they nonetheless employ a successful operating strategy that is effective even against well-known targets who are slow to deploy software updates.
In this instance, Zimbra Collaboration 9.0.0 P24, which was released in April 2022, corrected CVE-2022-27926.
The delay in implementing the security update is estimated to have been at least ten months long given that the earliest assaults were discovered earlier this year in February.
