Google's Threat Analysis Group has identified and resolved a security flaw in an email server that was being used to steal data from the governments of Pakistan, Greece, Moldova, Tunisia, and Vietnam.
This security issue, known as CVE-2023-37580, specifically targeted the Zimbra Collaboration email server to extract email data, user credentials, and authentication tokens from various organisations. The attack began in Greece at the end of June. The perpetrators of the attack discovered a vulnerability and sent emails containing the exploit to a government organisation. If the recipient clicked on the link while logged into their Zimbra account, the exploit would automatically steal their email data and set up auto-forwarding to take control of the address.
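The forwarding rule described above is the part of the attack a defender can look for after the fact: a mailbox that quietly forwards everything to an address the organisation does not control. The script below is an added example, not code from the article, Google TAG or Zimbra. It assumes an administrator has exported per-account forwarding settings into the CSV layout shown (the column names and the sample accounts are constructed for illustration) and flags any forward whose destination is outside a set of trusted domains, or is not a well-formed address at all.

```python
"""Flag mailbox auto-forwarding rules that point outside the organisation.

Added example. Input format (hypothetical): a CSV export with one row per
account, where `forwarding_address` holds zero or more destination
addresses separated by semicolons.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export: three accounts on a fictional domain. Only the
# third forwards to an address the organisation does not control.
SAMPLE_EXPORT = """account,forwarding_address,modified
alice@example.gov,,2023-06-01T09:00:00Z
bob@example.gov,bob.backup@example.gov;bob.archive@example.gov,2023-06-02T10:15:00Z
carol@example.gov,collector@external.invalid,2023-06-28T14:03:22Z
"""


@dataclass
class Finding:
    account: str       # mailbox whose forwarding rule looks suspicious
    forward_to: str    # the destination that triggered the finding
    modified: str      # when the setting last changed, for triage ordering
    reason: str        # "external-domain" or "malformed-address"


def parse_export(text: str) -> list[dict]:
    """Read the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def split_targets(field: str) -> list[str]:
    """Split a semicolon-separated forwarding field, dropping blanks."""
    return [t.strip() for t in (field or "").split(";") if t.strip()]


def suspicious_forwards(rows: list[dict], trusted_domains: set[str]) -> list[Finding]:
    """Return one Finding per forwarding target that is external or malformed."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for row in rows:
        for target in split_targets(row.get("forwarding_address", "")):
            # A destination with no "@" cannot be a valid mailbox; treat it as
            # suspicious rather than silently skipping it.
            if target.count("@") != 1:
                findings.append(Finding(row["account"], target, row["modified"],
                                        "malformed-address"))
                continue
            domain = target.rsplit("@", 1)[1].lower()
            if domain not in trusted:
                findings.append(Finding(row["account"], target, row["modified"],
                                        "external-domain"))
    # Most recently modified first: a rule created during the campaign window
    # is the one to look at first.
    findings.sort(key=lambda f: f.modified, reverse=True)
    return findings


if __name__ == "__main__":
    for f in suspicious_forwards(parse_export(SAMPLE_EXPORT), {"example.gov"}):
        print(f"{f.account} -> {f.forward_to} [{f.reason}] (changed {f.modified})")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and the trusted-domain set with the domains the organisation actually owns; any hit dated around the time of a suspected phishing email is worth correlating with that user's login and mail-access history.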
The Winter Vivern threat group had gained access to the exploit. The group targeted government organisations in Moldova and Tunisia. Later, a third unknown actor used the exploit to phish for credentials from members of the Vietnam government. That data was published to an official government domain, likely run by the attackers.
The final campaign described by Google’s Threat Analysis Group targeted a government organisation in Pakistan to steal Zimbra authentication tokens, a secure piece of information used to access locked or protected information. Zimbra users were also the target of a mass-phishing campaign earlier this year.
Researchers from ESET found that an unknown threat actor sent an email with a phishing link in an HTML file starting in April. Before that, in 2022, threat actors used a different Zimbra exploit to steal emails from European government and media organisations.
According to a blog post by the Google Threat Analysis Group, these campaigns highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository but not yet released to users.