An alleged Chinese threat actor, tracked as TEMP_Heretic, is actively attempting to exploit a zero-day XSS vulnerability in the Zimbra open-source email platform. The zero-day vulnerability impacts almost any Zimbra install running version 8.8.15.
Researchers from cybersecurity company Volexity uncovered a cyber espionage spear-phishing campaign, tracked as EmailThief, that has been active at least since December 2021.
In order to exploit the vulnerability, the attackers have to trick the target into clicking the attacker’s specially crafted link while logged into the Zimbra webmail client from a web browser.
Experts noticed that the campaigns are carried out across two attack phases, one aimed at reconnaissance and one aimed at spreading the malicious links.
TEMP_Heretic attempted to steal emails and attachments from target organizations, the exploitation of the zero-day XSS issue could allow attackers to exfiltrate cookies to allow persistent access to a mailbox, send further phishing messages to a user’s contacts, and deliver malware.
The attribution to a threat actor with a Chinese origin is based on the following clues:
“In terms of attribution, none of the infrastructure identified by Volexity exactly matches infrastructure used by previously classified threat groups. However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor.” concludes the report.
Volexity also released indicators of compromise (IoCs) for these attacks.
(SecurityAffairs – hacking, Zimbra)