Attackers have targeted mailboxes ‘in multiple waves across two attack phases’

Business email platform Zimbra has released a hotfix for a cross-site scripting (XSS) vulnerability whose abuse has underpinned a series of spear-phishing campaigns.

A suspected, previously unknown Chinese APT group has been attempting to leverage the flaw in order to load malicious JavaScript that exfiltrates mail data and attachments, according to an analysis by incident response outfit Volexity.

Volexity researchers believe the attackers could also exfiltrate session cookies and gain persistent access to mailboxes, send further phishing messages to victims’ contacts, and dupe targets into inadvertently downloading malware.

Using the BinaryEdge internet scanning service, the researchers said they detected around 33,000 internet-facing mail servers running Zimbra, but noted that the company says its open source software is used by 200,000 businesses and more than 1,000 government and financial institutions.

Volexity said the attackers, which it tracks as ‘TEMP_Heretic’, have targeted media organizations and European government bodies and agencies.

‘Multiple waves’

The vulnerability came to light on February 3 when Volexity detailed how one of its customers had been targeted “in multiple waves across two attack phases” over a two-week period.

The first, reconnaissance phase, which began on December 14, 2021, “involved emails designed to simply track if a target received and opened the messages”, the researchers explained.

“The second phase came in several waves that contained email messages luring targets to click a malicious attacker-crafted link.”

The attack hinged on the victim visiting a malicious link while logged into the Zimbra webmail client from a web browser. “The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook,” the researchers added.

Hotfix deployed

Volexity said it notified Zimbra of the attacks on December 16 and Zimbra acknowledged receipt on December 28.

Then, on January 11, Volexity notified certain other Zimbra customers that they were being targeted with the same exploit.

The flaw appeared to affect only Zimbra 8.8.15 and earlier versions, not the current 9.0.0 release.

Zimbra announced on Friday (February 4) that the hotfix would “be available to Zimbra customers through Zimbra Support”.

The company said: “A durable fix for the issue is undergoing testing and quality review and will be made available as an update to 8.8.15p30. The updated patch is scheduled for availability via our download site on 5 February 2022.

“We recommend that all Zimbra customers use the most recent release available to avoid any issues”.

Volexity has provided a list of attacker infrastructure (indicators of compromise) that Zimbra customers should block, and advised them to “analyze historical referrer data for suspicious access and referrers”, since a victim who clicked the lure would typically arrive at the webmail server with the attacker’s page recorded as the HTTP Referer.
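One way to carry out that referrer review over web server access logs, as an added example that is not Volexity’s or Zimbra’s own tooling: the script below parses lines in the common “combined” access log format, extracts the Referer hostname, and flags requests whose referrer is on a blocklist (where you would put the indicators Volexity published) or is simply not one of your own webmail hosts. The log lines, the hostnames `mail.example.org` and `attacker.invalid`, and the request paths are all constructed for the example; adapt the regex if your Zimbra front end (nginx or Jetty) writes a different log format.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the common "combined" access log format. They are
# made up for this example; the hostnames are placeholders, not published IOCs.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Dec/2021:09:12:01 +0000] "GET /zimbra/ HTTP/1.1" 200 5123 "https://mail.example.org/zimbra/" "Mozilla/5.0"
203.0.113.5 - - [14/Dec/2021:09:12:09 +0000] "GET /zimbra/h/search?st=message HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Dec/2021:10:03:44 +0000] "GET /zimbra/h/calendar?view=day HTTP/1.1" 200 8801 "https://lure.attacker.invalid/invite" "Mozilla/5.0"
198.51.100.7 - - [15/Dec/2021:10:03:51 +0000] "GET /service/home/~/?fmt=json HTTP/1.1" 200 30211 "https://mail.example.org/zimbra/" "Mozilla/5.0"
192.0.2.44 - - [16/Dec/2021:11:20:05 +0000] "GET /zimbra/ HTTP/1.1" 302 0 "https://www.bing.com/" "Mozilla/5.0"
"""

# ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referrer_host(ref):
    """Return the lowercase hostname of a Referer value, or None for '-', empty or unparseable."""
    if not ref or ref == "-":
        return None
    host = urlsplit(ref).hostname
    return host.lower() if host else None


def host_matches(host, domains):
    """True if host equals one of the given domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_referrers(log_text, own_hosts, blocklist):
    """Return one finding per request whose Referer is blocklisted or not one of our own hosts.

    own_hosts: hostnames users legitimately navigate from (your webmail front end).
    blocklist: attacker domains, e.g. the infrastructure list from the vendor advisory.
    """
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        host = referrer_host(entry["ref"])
        if host is None:
            continue  # direct navigation or stripped referrer: nothing to pivot on
        if host_matches(host, blocklist):
            reason = "blocklisted"   # high confidence: known attacker infrastructure
        elif not host_matches(host, own_hosts):
            reason = "external"      # unknown third party sent the user here: review
        else:
            continue                 # internal navigation within webmail
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "request": entry["req"],
            "referrer": entry["ref"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_referrers(SAMPLE_LOG, {"mail.example.org"}, {"attacker.invalid"}):
        print(f"{f['reason']:11} {f['ip']:15} {f['ts']}  {f['request']}  <- {f['referrer']}")
```

Run it against a real log with `suspicious_referrers(open(path).read(), own_hosts, blocklist)`; the “external” bucket will contain benign entries such as search engines, so it is a triage queue rather than an alert, while a “blocklisted” hit identifies a user who followed the lure and should have their session revoked and mailbox reviewed.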

XSS in the wild

Volexity said the exploit was less damaging than the Microsoft Exchange zero-day vulnerabilities it disclosed in March 2021, but that it “can still have catastrophic consequences for organizations”.

Michał Bentkowski, web security consultant at Polish cybersecurity firm Securitum, told The Daily Swig: “While XSS is one of the most common web application vulnerabilities, we rarely get any information about real world campaigns utilizing XSS-es. Probably the most popular one (or maybe the only popular one?) is Samy XSS that happened in 2005 in MySpace, and affected over a million users.

“I found the Zimbra XSS story really interesting because it’s a real world campaign. It also highlights one of the typical effects of XSS, that is the ability to exfiltrate user data, in this case: email bodies and attachments.

“This might be a good case study, when explaining the effects of XSS and the importance of preventing this vulnerability.”
