March 31, 2023

Since February 2023, a Russian hacking gang known as TA473 or ‘Winter Vivern’ has targeted unpatched Zimbra endpoints in order to collect the emails of NATO officials, governments, military people, and diplomats. The gang has been aggressively exploiting the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to get access to NATO-aligned organizations’ and individuals’ communications.

Sentinel Labs previously reported on the group’s latest operation two weeks ago, in which they utilized websites that mimicked European cybercrime agency to disseminate malware disguised as a virus scanner. Proofpoint has recently published a study outlining how the gang exploits the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to gain access to high-profile targets’ emails.

According to the Proofpoint report, the hackers begin their attack by scanning for unpatched webmail platforms with the Acunetix tool vulnerability scanner. They send a phishing email from a compromised account that looks to be from someone the victim knows or is significant to their company after they find a vulnerable Zimbra endpoint. The email contains a link that exploits the CVE-2022-27926 vulnerability by injecting JavaScript payloads into the compromised Zimbra infrastructure of the target.

These payloads are then used to collect usernames, passwords, and tokens from cookies sent by the hacked Zimbra endpoint, granting the hackers full access to the targets’ email accounts.

The sources for this piece include an article in BleepingComputer.