A threat actor, likely to be Chinese, targeted a zero-day vulnerability in the Zimbra open-source email platform. The zero-day exploitation is part of a spear-phishing program that began in December 2021.

Volexity, a cybersecurity company, documented the espionage operation in a technical report. The report stated that the cross-site scripting (XSS) vulnerability, if successfully exploited, could result in arbitrary JavaScript code executing in the context of the victim's Zimbra session.

Volexity attributed the intrusions to a previously undocumented hacking group it tracks under the name TEMP_HERETIC. The attacks targeted European government and media entities. The zero-day vulnerability affects the most recent open-source Zimbra release, version 8.8.15.

The attacks occurred in two stages. The first stage focused on reconnaissance and on distributing emails designed to track whether the target received and opened the messages. In the later stage, a series of email messages was sent to dupe recipients into clicking a malicious link.

“For the attack to be successful, the target would have to visit the attacker’s link while logged into the Zimbra webmail client from a web browser,” Steven Adair and Thomas Lancaster noted. “The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook.”

The unpatched flaw, should it be weaponized, could be abused to exfiltrate cookies to allow persistent access to a mailbox, send phishing messages from the compromised email account to widen the infection, and even facilitate the download of additional malware.

“None of the infrastructure identified […] exactly matches infrastructure used by previously classified threat groups,” the researchers said. “However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor.”

“Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15,” the company added.