Hackers Exploiting Zimbra 0-day to Attack Government Organizations
- Source: Zero-Day (cybersecuritynews.com)
Author: Tushar Subhra Dutta
Zimbra Collaboration is an open-source software suite with an email server and a web client for collaboration.
Over 5,000 companies and public sector users, along with hundreds of millions of end-users in more than 140 countries, utilize this solution.
Google TAG (Threat Analysis Group) found an in-the-wild 0-day exploit in June 2023 targeting Zimbra Collaboration (CVE-2023-37580).
In total, four distinct groups exploited this bug, stealing the following data:
- Email data
- User credentials
- Authentication tokens
Flaw Profile
- CVE ID: CVE-2023-37580
- Description: Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.
- Base Score: 6.1
- Severity: MEDIUM
- Vulnerability Name: Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability.
Hackers Exploiting Zimbra 0-day
Most of the activity took place after the initial fix went public on GitHub. TAG stresses that staying protected means keeping software up to date and applying security updates promptly.
TAG found a critical XSS flaw in Zimbra’s email server (CVE-2023-37580), which was actively exploited in June. Zimbra released a hotfix on July 5, 2023, and an advisory on July 13, 2023.
Besides this, researchers also identified three threat groups exploiting it before the official patch, and a fourth campaign emerged after the fix.
Zimbra’s URL vulnerability led to a reflected XSS, allowing the injection of malicious scripts into web pages.
Campaigns
The four campaigns identified so far are:
- Campaign 1: First known exploitation leads to email-stealing framework
- Campaign 2: Winter Vivern exploitation after hotfix pushed to GitHub
- Campaign 3: Exploit used for credential phishing
- Campaign 4: N-day exploit used for stealing authentication token
The discovery of four CVE-2023-37580 campaigns underscores the urgency of patching mail servers promptly: attackers exploited the flaw in the window between the fix landing on GitHub and the public advisory.
This exploitation follows that of CVE-2022-24682 and precedes CVE-2023-5631. The recurring XSS exploits highlight the need for rigorous mail server code audits.
IoCs
- https://obsorth.opwtjnpoc[.]ml/pQyMSCXWyBWJpIos.js
- https://applicationdevsoc[.]com/zimbraMalwareDefender/zimbraDefender.js
- https://applicationdevsoc[.]com/tndgt/auth.js
- ntcpk[.]org
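As an added defender-side example (not from the article, TAG or Zimbra), the script below scans web-server access logs for requests to a Zimbra web client whose decoded query string carries script-injection markers or references the IoC domains listed above. The log lines, the `/zimbra/h/example` path and the `q` parameter are constructed placeholders, not the vulnerable endpoint, which the article does not name.

```python
import re
from urllib.parse import unquote, urlsplit

# IoC domains from the article; defanging brackets removed so they match real logs.
IOC_DOMAINS = ("obsorth.opwtjnpoc.ml", "applicationdevsoc.com", "ntcpk.org")
# Script-injection markers typical of reflected-XSS probes in a query string.
XSS_MARKERS = re.compile(r"<script|javascript:|\bon(?:error|load)\s*=|document\.cookie", re.I)
# Common/combined log format: client, identd, user, time, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(s, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def inspect_request(target):
    """Return the reasons a request target looks suspicious (empty list if clean)."""
    decoded = fully_decode(target)
    reasons = []
    if XSS_MARKERS.search(urlsplit(decoded).query):
        reasons.append("xss-marker-in-query")
    lowered = decoded.lower()
    for dom in IOC_DOMAINS:
        if dom in lowered:
            reasons.append("ioc-domain:" + dom)
    return reasons

def scan_log(lines):
    """Return (ip, timestamp, reasons) for every parsable line that is flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        reasons = inspect_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), reasons))
    return hits

# Constructed sample log lines (not from the article or any real incident).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2023:09:12:01 +0000] "GET /zimbra/mail HTTP/1.1" 200 4312',
    '198.51.100.7 - - [10/Jul/2023:09:13:44 +0000] "GET /zimbra/h/example?q=%3Cscript%20src%3D%22https%3A%2F%2Fapplicationdevsoc.com%2Ftndgt%2Fauth.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Jul/2023:09:15:02 +0000] "GET /zimbra/h/example?q=%253Cimg%2520onerror%253Dx%253E HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, ts, reasons in scan_log(SAMPLE_LOG):
        print(ip, ts, ", ".join(reasons))
```

Access logs only record the path and query, so a payload delivered in the URL fragment will not appear here; pair this with proxy or endpoint telemetry where available.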