Since the invasion of Ukraine began, we’ve witnessed a lot of military activity on the battlefield, as well as in the areas surrounding Russia and Ukraine both in a geographical and geopolitical sense. We’ve seen cargo planes flying over and military convoys transporting weapons, munitions, and whatnot.

The war wasn’t only happening on the battlefield though. We’ve seen an increased number of cyberattacks happening on both sides, targeting both civilian and military infrastructure, predominantly coming from rogue actors, with Russia seemingly dominating the digital battlefield.

At around the same time, in March of 2022, a new vulnerability measuring a CVSS base score of 6.1 was registered at MITRE, which was found in Zimbra Collaboration.

Zimbra Collaboration is a software suite that includes email, calendar, contacts, task management, and document sharing. It’s used as a unified platform for efficient team collaboration. It allows users to access their email and other tools from a variety of devices and platforms, including web-based interfaces, desktop clients, and mobile apps.

Zimbra Collaboration can be deployed either on-premise or in the cloud, making it a flexible solution for businesses of all sizes. The software is highly scalable and can support thousands of users on a single server, making it suitable for large organizations. Among those are some of the biggest world organizations, governments, and government institutions, including the US and NATO, as well as some other allied countries.

The attacks

This vulnerability and its exploitation in the wild have been closely monitored by ProofPoint. They have probably uncovered CVE-2022-27926 exploitation by observing a group of hackers that goes by the name “Winter Vivern”, which they have declared as a publicly tracked threat actor TA473.

Winter Vivern” has been on their radar since at least 2021 and they have detected various attacks and attempts of intrusion, of which a great percentage involved very advanced phishing scams. TA473 have done their reconnaissance homework very well, scanning the internet using automated tools such as Acunetix. Having that said, it’s important to point out that when they were performing the phishing scams they didn’t leave anything to the case. All the attempts were orchestrated with precision and with a specific approach for each individual case. The emails they sent were made look very legitimate, mostly using already compromised government emails, containing a hyperlink that led to the attacker’s servers or some other already compromised infrastructures.

The vulnerability - Bad input validation strikes again

Once again, we’ve got a vulnerability on our plate with a very similar weakness as in many previous ones we’ve researched. This time we’re talking about improper neutralization of input during web page generation (CWE-79), which results in reflected cross-site scripting (XSS), caused by the /public/launchNewWindow.jsp component of Zimba.

The manner in which launchNewWindow.jsp performs page parsing allows the attacker to squeeze a hexadecimally encoded JavaScript code through the cracks, leading to the payload download on the victim’s PC. Once the payload is executed, it conducts CSRF (Cross-Site Request Forgery) that exploits the trust that a website has in the user's browser. Using this method, the attacker is able to steal the victim's username and password, as well as an active CSRF token from a cookie in the request-response.

ProofPoint explained this using this diagram.

Affected software, mitigation, and patches

CVE-2022-27926 affects Zimbra Collaboration 9.0.0 and has been fixed with the P24 patch. As for mitigating the risk of this attack, the easiest solution would of course be updating the software to the latest version.

The fact of the matter is you will never be able to train your employees to not open suspicious emails or click on links that promise a better tomorrow, claim to bring prosperity, etc. In case you’re managing a big organization’s infrastructure, your colleagues have no other option than to share links via email from time to time, so avoiding links is probably not a good long-term solution.

Having that said, installing the patch is probably the only viable solution.

Subscribe to be updated on the new content!

Subscription Form (#4)