Google’s top threat research team has discovered four separate campaigns exploiting a vulnerability in the Zimbra Collaboration server that the team first observed being exploited in June, three of which emerged in the weeks after the hotfix for the bug was pushed to the project’s public GitHub repository but before the official patch was released.
The vulnerability, a reflected cross-site scripting (XSS) bug in the Zimbra web client, first emerged in June, when researchers from Google’s Threat Analysis Group (TAG) observed a threat actor exploiting it in attacks against government organizations in Greece. TAG specifically tracks the activity of state-backed actors and has a lengthy track record of uncovering not just their campaigns, but also the zero days that those actors have discovered. The group’s stated goal is to make zero day hard, and its researchers are likely responsible for burning more zero days than any other team working today.
The Zimbra bug (CVE-2023-37580) is a prime example of the type of work TAG does. TAG observed a threat actor exploiting the vulnerability in June and immediately disclosed its findings to Zimbra. The company pushed a hotfix for the affected versions to its public GitHub repository on July 5 and published a security advisory on July 13, but did not release a full patch until July 25. In the interim, two other campaigns began targeting the flaw. One of those was the work of Winter Vivern, an APT group that has demonstrated the ability to exploit multiple vulnerabilities and appears to operate in the interests of the government of Belarus. Because the bug is a reflected XSS, these groups delivered the exploit through phishing campaigns that pushed malicious URLs to victims; the attack fires when a victim who is logged in to the Zimbra web client follows the link.
All four of the campaigns that TAG discovered have targeted government organizations in various countries, including Vietnam, Greece, Tunisia, and Pakistan. Zimbra Collaboration is widely deployed, and a zero day in a product like this will naturally attract the attention of many threat actors, including high-level groups.
“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” TAG researchers Maddie Stone and Clement Lecigne said.
“These campaigns also highlight how attackers monitor open-source repositories to opportunistically exploit vulnerabilities where the fix is in the repository, but not yet released to users. The actors behind Campaign #2 began exploiting the bug after the fix was pushed to Github, but before Zimbra publicly released the advisory with remediation advice.”
For enterprises and government agencies that have not yet applied the July 25 patch, TAG’s findings should serve as a call to action. With multiple threat groups targeting the vulnerability, and with the fix visible to attackers in a public repository well before it shipped to users, updating should be a top priority.
“TAG observed three threat groups exploiting the vulnerability prior to the release of the official patch, including groups that may have learned about the bug after the fix was initially made public on Github. TAG discovered a fourth campaign using the XSS vulnerability after the official patch was released. Three of these campaigns began after the hotfix was initially made public, highlighting the importance of organizations applying fixes as quickly as possible,” Stone and Lecigne said.