Attackers have targeted mailboxes in multiple waves across two attack phases. Business email platform Zimbra has released a hotfix for a cross-site scripting (XSS) vulnerability whose abuse has underpinned a series of spear-phishing campaigns. A suspected, previously unknown Chinese APT group has been attempting to leverage the flaw to load malicious JavaScript that exfiltrates mail data and attachments, according to an analysis by incident response outfit Volexity. Volexity's researchers also warned that the attackers could potentially exfiltrate cookies, gain persistent access to mailboxes, send further phishing messages to victims’ contacts, and trick targets into inadvertently downloading malware.

Using the BinaryEdge web scanning service, the researchers said they detected around 33,000 mail servers running on Zimbra but noted that the company says its open-source software is used by 200,000 businesses and more than 1,000 government and financial institutions.

Volexity said the attackers, which it tracks as TEMP_Heretic, have targeted media organizations and European government bodies and agencies.

Multiple waves

The vulnerability came to light on February 3rd when Volexity detailed how one of its customers had been targeted in multiple waves across two attack phases over a two-week period.

The first was a reconnaissance phase, which began on 14th December 2021 and involved sending emails designed simply to track whether the target received and opened the messages.

The second phase came in several waves that contained email messages luring targets to click a malicious attacker-crafted link.

The attack hinged on the victim visiting a malicious link while logging into the Zimbra webmail client from a web browser. The link could also be launched from another application, including a thick email client such as Thunderbird or Outlook.

Hotfix deployed

Volexity said it notified Zimbra of the attacks on December 16 and Zimbra acknowledged receipt on December 28.

Then, on January 11, Volexity notified other Zimbra customers that they were targeted with the same exploit.

The flaw appeared to affect only Zimbra 8.8.15 and prior versions – not the subsequent, latest version, 9.0.0.

Zimbra announced on Friday (4th February) that the hotfix would be available to Zimbra customers through Zimbra Support.

The company said: “A durable fix for the issue is undergoing testing and quality review and will be made available as an update to 8.8.15p30. The updated patch is scheduled for availability via our download site on 5th Feb’2022.

It is recommended that all Zimbra customers use the most recent release available to avoid any issues.”

Volexity has provided a list of attacker infrastructure that Zimbra customers should block, and advised them to “analyze historical referrer data for suspicious access and referrers”.
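One way to act on that referrer advice, as an added example that is not Volexity's or Zimbra's own tooling: scan the webmail front end's access log for hits on Zimbra client paths whose HTTP Referer comes from a host outside the organisation's own domains. It assumes a log in the common "combined" format (as written by an nginx proxy in front of Zimbra), the trusted hostnames and the sample log lines below are constructed for this example, and the Zimbra path prefixes should be checked against your own deployment.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# "combined" access log format (assumption: nginx/Apache-style front end).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hosts that legitimately link into the webmail (hypothetical values).
TRUSTED_REFERER_HOSTS = {"mail.example.com", "intranet.example.com"}

# Common Zimbra web client path prefixes; verify against your deployment.
WEBMAIL_PREFIXES = ("/zimbra", "/h/", "/m/", "/service/")

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Dec/2021:09:12:01 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/Dec/2021:09:12:03 +0000] "POST /service/soap HTTP/1.1" 200 812 "https://mail.example.com/zimbra/" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Dec/2021:10:40:17 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "https://lure.example.net/news.html" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Dec/2021:10:40:18 +0000] "GET /h/search HTTP/1.1" 200 2210 "https://lure.example.net/news.html" "Mozilla/5.0"',
    'not a log line',
]


def suspicious_referrers(lines, trusted=TRUSTED_REFERER_HOSTS):
    """Return (client_ip, referer_host, request) for webmail requests whose
    Referer points at a host outside the trusted set. Empty Referers are
    normal (bookmarks, typed URLs) and are deliberately not flagged."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the scan
        referer = m.group("referer")
        if referer in ("", "-"):
            continue
        parts = m.group("req").split()
        path = parts[1] if len(parts) > 1 else ""
        if not path.startswith(WEBMAIL_PREFIXES):
            continue
        host = urlparse(referer).hostname or ""
        if host and host not in trusted:
            findings.append((m.group("ip"), host, m.group("req")))
    return findings


def external_referer_counts(lines, trusted=TRUSTED_REFERER_HOSTS):
    """Count flagged hits per external referer host: a review list for
    deciding which hosts to investigate or block."""
    return dict(Counter(h for _, h, _ in suspicious_referrers(lines, trusted)))
```

Feed it the full history (`suspicious_referrers(open(path))`) rather than a tail, since the reconnaissance and lure waves here were spread over two weeks.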

XSS in the wild

Volexity said the exploit was less damaging than the zero-day Microsoft Exchange vulnerabilities it disclosed in March 2021, but it can still have catastrophic consequences for organizations.

Michał Bentkowski, a web security consultant at Polish cybersecurity firm Securitum, said that while XSS is one of the most common web application vulnerabilities, we rarely get any information about real-world campaigns utilizing XSS-es. The most popular one (or maybe the only popular one?) is Samy XSS, which happened on MySpace in 2005 and affected over a million users.

This was a good case study when explaining the effects of XSS and the importance of preventing this vulnerability.