The Zimbra vulnerability utilized by Russian hackers in attacks against NATO countries has been included in the ‘Must Patch’ list by the US Cybersecurity and Infrastructure Security Agency (CISA).
The flaw, tracked as CVE-2022-27926 (CVSS score of 6.1), is described as a reflected cross-site scripting (XSS) bug in Zimbra Collaboration version 9.0. It could allow an unauthenticated attacker to provide crafted request parameters leading to the execution of arbitrary web scripts or HTML code.
CISA’s warning follows a Proofpoint report on the vulnerability being exploited by Russia-linked advanced persistent threat (ATP) actor Winter Vivern in attacks targeting NATO countries. The APT has been observed launching cyberattacks in support of Russian and/or Belarussian geopolitical goals in the context of the Russia-Ukraine war.
The attacks against NATO countries targeted public Zimbra hosted webmail portals to access email correspondence of military, government, and diplomatic organizations in Europe. The APT uses scanning tools to identify vulnerable, unpatched webmail portals and then sends phishing emails containing a malicious a URL leading to the execution of JavaScript code.
Proofpoint reveals that Winter Vivern appears to have invested time and resources in analyzing the publicly exposed webmail portals of the targeted organizations in order to create different JavaScript payloads for each of them. This allows actors to steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing webmail portals belonging to NATO-aligned organizations.
Organizations are advised to upgrade to a patched version of the Zimbra Collaboration Suite as soon as possible. Per Binding Operational Directive (BOD) 22-01, once a vulnerability is added to CISA’s Known Exploited Vulnerabilities catalog, federal agencies have three weeks to apply the relevant patches within their environments.
In conclusion, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned of a ‘Must Patch’ vulnerability in Zimbra Collaboration Suite version 9.0 that is being exploited by Russian hackers in attacks targeting NATO countries. The flaw is a reflected cross-site scripting (XSS) bug that could allow an unauthenticated attacker to provide crafted request parameters leading to the execution of arbitrary web scripts or HTML code. Organizations are advised to upgrade to a patched version of the Zimbra Collaboration Suite as soon as possible, and federal agencies have three weeks to apply the relevant patches within their environments.
Key Points:
- A vulnerability in Zimbra Collaboration Suite version 9.0 is being exploited by Russian hackers in attacks targeting NATO countries.
- The flaw is a reflected cross-site scripting (XSS) bug that could allow an unauthenticated attacker to provide crafted request parameters leading to the execution of arbitrary web scripts or HTML code.
- Organizations are advised to upgrade to a patched version of the Zimbra Collaboration Suite as soon as possible.
- Per Binding Operational Directive (BOD) 22-01, once a vulnerability is added to CISA’s Known Exploited Vulnerabilities catalog, federal agencies have three weeks to apply the relevant patches within their environments.