A Russian hacking group tracked as TA473, aka ‘Winter Vivern,’ has been actively exploiting vulnerabilities in unpatched Zimbra endpoints since February 2023 to steal the emails of NATO officials, governments, military personnel, and diplomats.
Two weeks ago, Sentinel Labs reported on a recent operation by ‘Winter Vivern’ using sites mimicking European agencies fighting cybercrime to spread malware that pretends to be a virus scanner.
Today, Proofpoint has published a new report on how the threat actor exploits CVE-2022-27926 on Zimbra Collaboration servers to access the communications of NATO-aligned organizations and persons.
Winter Vivern attacks begin with the threat actor scanning for unpatched webmail platforms using the Acunetix vulnerability scanner.
Next, the hackers send a phishing email from a compromised address, which is spoofed to appear as someone the target is familiar with or is somehow relevant to their organization.
These payloads are then used to steal usernames, passwords, and tokens from cookies received from the compromised Zimbra endpoint. This information allows the threat actors to access the targets’ email accounts freely.
“In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well.”
This detail demonstrates the diligence of the threat actors in pre-attack reconnaissance: they figure out which webmail portal their target uses before crafting the phishing emails and tailoring the landing page’s behavior accordingly.
Finally, the threat actors can access sensitive information on the compromised webmails or maintain their hold to monitor communications over a period of time. Additionally, the hackers can use the breached accounts to carry out lateral phishing attacks and further their infiltration of the target organizations.
Although researchers state that ‘Winter Vivern’ is not particularly sophisticated, the group follows an effective operational approach that works even against high-profile targets who fail to apply software patches quickly enough.
In this case, CVE-2022-27926 was fixed in Zimbra Collaboration 9.0.0 P24, released in April 2022.
Considering that the earliest attacks were observed in February 2023, the delay in applying the security update amounts to at least ten months.