A new Chinese cyber-espionage group has been seen abusing a zero-day vulnerability in the Zimbra collaborative suite to access the inboxes of European governments and media agencies.
The attacks were spotted last month by security firm Volexity, and although the security firm notified Zimbra on Dec. 16, the company has yet to release a patch for its product.
Earlier today, Volexity released a technical report about the attacks in hopes of raising awareness of this issue and enabling organizations that use a Zimbra mail server to verify whether they have been targeted.
Hackers stole cookies to access targeted accounts
According to Volexity, attackers began exploiting this zero-day on December 14, when its researchers spotted the first attacks against some of its customers.
Volexity said the attacks were split into two stages. In the first, hackers sent a benign email intended to perform reconnaissance and determine if accounts were active and if users would be willing to open strange emails from unknown entities.
The Volexity team said the code delivered in the second stage exploited an issue in Zimbra webmail clients running versions 8.8.15 P29 and P30 and would allow attackers to steal Zimbra session cookies.
These files would then allow attackers to log into a Zimbra account, from which they would access emails, send additional phishing messages to a user’s contacts, and even prompt users to download malware.
Although there are currently over 33,000 Zimbra servers connected to the internet, Volexity said the zero-day does not work against installations of Zimbra 9.x, the most recent version of the platform, which means the attack surface is not as large as originally thought.
Volexity links hackers to China
The security company said that based on the attacker’s infrastructure used in these attacks, it was unable to link this threat actor, which it named TEMP_hereticto a previously known group or group of activities.
Nonetheless, based on the techniques used in the attacks, Volexity said they believe “the attacker is likely of Chinese descent.”
The security firm said that, based on its visibility, it has seen TEMP_Heretic attack European governments and media agencies; however, the group is believed to have attacked numerous other targets.
IT administrators who operate Zimbra mail servers and want to know if they have been targeted should consult the Volexity report. The security firm said TEMP_Heretic typically uses emails masquerading as invitations, refunds, warnings, and other seemingly pointless messages as decoys for its attacks.