European governments targeted by Chinese hackers using Zimbra webmail zero-day

A new Chinese cyber-espionage group has been seen abusing a zero-day vulnerability in the Zimbra collaboration suite to access the inboxes of European governments and media agencies.

The attacks were spotted last month by security firm Volexity, and although Volexity notified Zimbra on Dec. 16, the vendor has yet to release a patch for its product.

Earlier today, Volexity released a technical report about the attacks in hopes of raising awareness of this issue and enabling organizations that use a Zimbra mail server to verify whether they have been targeted.

Hackers stole cookies to access targeted accounts

According to Volexity, attackers began exploiting this zero-day on December 14, when its researchers spotted the first attacks against some of its customers.

Volexity said the attacks were split into two stages. In the first, hackers sent a benign email intended to perform reconnaissance and determine if accounts were active and if users would be willing to open strange emails from unknown entities.

The actual attack came in a second email, which included a link in the message body. If users opened the URL, they landed on a remote website where malicious JavaScript executed a cross-site scripting (XSS) attack against their organization’s Zimbra webmail application.

The Volexity team said this code exploited an issue in Zimbra webmail clients running versions 8.8.15 P29 and P30 and allowed attackers to steal Zimbra session cookies.

These cookies would then let attackers log into the victim’s Zimbra account without knowing the password, from which they could read emails, send additional phishing messages to the user’s contacts, and even prompt users to download malware.
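A stolen session cookie that is replayed by an attacker leaves one footprint on the server side: the same session is suddenly used from a second client (new source IP, new browser) after the legitimate user established it. The script below, added here as an illustration and not code from Volexity, Zimbra or The Record, runs that check over a constructed access log. The log format, the `session=` fingerprint field and the request paths are assumptions for the example; real Zimbra logs differ, so the regular expression would need adapting.

```python
"""
Flag webmail sessions used from more than one client, the telltale
of a session cookie stolen via XSS and replayed elsewhere.

Added example, not Volexity's or Zimbra's code. The log lines and their
format are constructed for illustration: each line carries the client IP,
timestamp, request, status, user-agent and a short fingerprint of the
session cookie (the cookie value itself should never be written to logs).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log layout; adapt the pattern to the real server's access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" session=(?P<session>\S+)$'
)

# Constructed sample: one legitimate session (a1f3c9) later reused from a
# different IP with a scripted client, which then sends mail; a second
# session (77be02) that is only ever used by its owner.
SAMPLE_LOG = """\
198.51.100.7 [14/Dec/2021:09:02:11 +0000] "GET /zimbra/ HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/95.0" session=a1f3c9
198.51.100.7 [14/Dec/2021:09:02:15 +0000] "POST /service/soap/SearchRequest HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/95.0" session=a1f3c9
203.0.113.42 [14/Dec/2021:09:41:03 +0000] "POST /service/soap/SearchRequest HTTP/1.1" 200 "python-requests/2.26.0" session=a1f3c9
198.51.100.23 [14/Dec/2021:10:10:00 +0000] "GET /zimbra/ HTTP/1.1" 200 "Mozilla/5.0 (Macintosh) Safari/605.1" session=77be02
203.0.113.42 [14/Dec/2021:10:12:44 +0000] "POST /service/soap/SendMsgRequest HTTP/1.1" 200 "python-requests/2.26.0" session=a1f3c9
"""


@dataclass
class SessionUse:
    clients: dict = field(default_factory=dict)   # (ip, user-agent) -> first seen
    requests: list = field(default_factory=list)  # (timestamp, ip, request)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def collect_sessions(log_text):
    """Group requests by session fingerprint, remembering every distinct client."""
    sessions = defaultdict(SessionUse)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        use = sessions[rec["session"]]
        use.clients.setdefault((rec["ip"], rec["ua"]), rec["ts"])
        use.requests.append((rec["ts"], rec["ip"], rec["req"]))
    return sessions


def find_hijacked_sessions(log_text):
    """Return {session: [(ip, ua, first_seen), ...]} for sessions seen from >1 client."""
    flagged = {}
    for sid, use in collect_sessions(log_text).items():
        if len(use.clients) > 1:
            flagged[sid] = [(ip, ua, ts) for (ip, ua), ts in use.clients.items()]
    return flagged


def actions_after_takeover(log_text, session):
    """Requests on a session made from any IP other than the one that started it."""
    use = collect_sessions(log_text)[session]
    first_ip = use.requests[0][1]
    return [(ts, ip, req) for ts, ip, req in use.requests if ip != first_ip]


if __name__ == "__main__":
    for sid, clients in find_hijacked_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used from {len(clients)} clients:")
        for ip, ua, ts in clients:
            print(f"  {ts}  {ip}  {ua}")
        for ts, ip, req in actions_after_takeover(SAMPLE_LOG, sid):
            print(f"  after takeover: {ts} {ip} {req}")
```

On the constructed input only session `a1f3c9` is flagged, with two later requests from the second client, the last of which is a send-mail call, matching the follow-on phishing described above. In production, users behind carrier NAT or switching between Wi-Fi and mobile will also trigger this rule, so treat a hit as a lead to be confirmed against the user’s normal pattern, not as proof of compromise.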

Image: Volexity

Although there are currently more than 33,000 Zimbra servers connected to the internet, Volexity said the zero-day does not work against installations of Zimbra 9.x, the most recent version of the platform, which means the attack surface is not as large as it first appears.

The security company said that, based on the infrastructure used in these attacks, it was unable to link this threat actor, which it named TEMP_Heretic, to any previously known group or activity cluster.

Nonetheless, based on the techniques used in the attacks, Volexity said it believes “the attacker is likely of Chinese descent.”

The security firm said that, based on its visibility, it has seen TEMP_Heretic attack European governments and media agencies; however, the group is believed to have attacked numerous other targets.

IT administrators who operate Zimbra mail servers and want to know if they have been targeted should consult the Volexity report, which lists indicators from the campaign. The security firm said TEMP_Heretic typically uses emails masquerading as invitations, refunds, warnings, and innocuous-looking messages as decoys for its attacks.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant inside scoop on new vulnerabilities, cyberattacks and law enforcement actions against hackers.