Google’s Threat Analysis Group discovered and helped patch an email server flaw used to steal data from several governments, including Greece, Moldova, Tunisia, Vietnam, and Pakistan. The vulnerability, tracked as CVE-2023-37580, affected the Zimbra Collaboration email server and was exploited to steal email data, user credentials, and authentication tokens from organizations.
The attack began in Greece at the end of June, with attackers sending emails containing the exploit to a government organization. If clicked while logged into a Zimbra account, the link automatically stole email data and set up auto-forwarding to take control of the address.
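The persistence step described above, attacker-controlled auto-forwarding on a compromised mailbox, is something a mail administrator can hunt for in audit logs regardless of the initial exploit. The script below is an added example, not code from the article or from Zimbra: it assumes a hypothetical JSON-lines audit format with `account`, `action`, `target` and `src_ip` fields (constructed here for illustration; adapt `parse_events` to the real server's log syntax) and flags forwarding targets outside the organisation's own domains, raising severity when the same external address appears on several accounts, which is the signature of a campaign rather than one user forwarding to a personal mailbox.

```python
"""Flag mailbox auto-forwarding changes that point outside the organisation.

Added example: the audit-event format used here is constructed for
illustration and is not Zimbra's own log format.
"""
import json
from collections import defaultdict

# Constructed sample events (JSON lines), not real server output.
SAMPLE_LOG = """
{"ts": "2023-07-10T09:12:01Z", "account": "alice@gov.example", "action": "login", "src_ip": "10.0.0.5"}
{"ts": "2023-07-10T09:14:30Z", "account": "alice@gov.example", "action": "set_forwarding", "target": "archive@gov.example", "src_ip": "10.0.0.5"}
{"ts": "2023-07-10T09:20:07Z", "account": "bob@gov.example", "action": "set_forwarding", "target": "collector@mail-relay.example", "src_ip": "10.0.0.9"}
{"ts": "2023-07-10T09:21:44Z", "account": "carol@gov.example", "action": "set_forwarding", "target": "collector@mail-relay.example", "src_ip": "10.0.0.12"}
{"ts": "2023-07-10T11:02:13Z", "account": "dave@gov.example", "action": "set_forwarding", "target": "dave.home@personal.example", "src_ip": "10.0.0.20"}
"""

# Domains that count as internal; forwarding to anything else is reviewed.
ORG_DOMAINS = {"gov.example"}


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def is_external(address, org_domains):
    """True when the address's domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in org_domains


def find_suspicious_forwarding(events, org_domains=ORG_DOMAINS):
    """Return findings for forwarding targets outside org_domains.

    Severity is 'high' when the same external target is configured on more
    than one account (campaign pattern), otherwise 'medium'.
    """
    by_target = defaultdict(list)
    for ev in events:
        if ev.get("action") != "set_forwarding":
            continue
        target = ev.get("target", "")
        if is_external(target, org_domains):
            by_target[target.lower()].append(ev)

    findings = []
    for target, evs in by_target.items():
        accounts = {e["account"] for e in evs}
        severity = "high" if len(accounts) > 1 else "medium"
        for ev in evs:
            findings.append({
                "ts": ev["ts"],
                "account": ev["account"],
                "target": target,
                "src_ip": ev.get("src_ip"),
                "severity": severity,
            })
    findings.sort(key=lambda f: f["ts"])
    return findings


if __name__ == "__main__":
    for f in find_suspicious_forwarding(parse_events(SAMPLE_LOG)):
        print(f"{f['severity']:6} {f['ts']} {f['account']} -> {f['target']} (from {f['src_ip']})")
```

On the constructed sample this reports the two accounts forwarding to the shared external collector as high severity and the single personal-address forward as medium; the internal `archive@gov.example` forward is ignored. Pairing each finding with the source IP and the time of the account's last web-client session is the natural next step when correlating with a known exploitation window.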
Although Zimbra published a hotfix on GitHub on July 5, most of the exploit activity occurred afterward. This highlights the importance of promptly applying available fixes to exposed systems. According to the Google Threat Analysis Group, attackers monitor open-source repositories to opportunistically exploit vulnerabilities for which a fix is already in the repository but not yet released to users.
In mid-July, the threat group Winter Vivern used the exploit to target government organizations in Moldova and Tunisia, while a third unknown actor used it to phish for credentials from members of the Vietnam government. The data was published to an official government domain likely run by the attackers. Additionally, a campaign targeted a government organization in Pakistan to steal Zimbra authentication tokens.
Earlier in the year, Zimbra users were targeted in a mass-phishing campaign. In 2022, threat actors used a different Zimbra exploit to steal emails from European government and media organizations.
Zimbra, with over 200,000 customers, including over 1,000 government organizations, remains an attractive target for adversaries due to its popularity among organizations with lower IT budgets, according to ESET researchers.