Technology

Users of collaboration tool Zimbra have their accounts stolen

August 18, 2023

A new phishing campaign targeting users of the Zimbra Collaboration email servers has been spotted, and researchers are saying it’s quite successful.

Zimbra Collaboration is a online collaborative suite that comes with an email server and a web client.

According to researchers from ESET, cybercriminals started sending phishing emails to victims at random in April 2023, in an attempt to obtain login credentials for the service.

In these emails, the attackers assume the identity of the victim organization’s administrator, and tell the recipient that their email server is about to be updated. This update will make the email inbox inaccessible, and possibly result in termination.

To make sure that doesn’t happen, the victim is advised to open the HTML file that is attached to the email and review the instructions found there.

The attachment, however, holds no instructions. Instead, it shows a fake Zimbra login page with the username prefilled, where users can type in their passwords. These are then sent to the attacker’s server via an HTTPS POST request.

In some cases, ESET further stated, the attackers would use previously compromised admin accounts to create new accounts on Zimbra servers for phishing email distribution, further adding to the perceived legitimacy of the emails. They’re saying that the campaign is hardly sophisticated, but its results are “impressive”.

According to BleepingComputer, Zimbra Collaboration email servers are “commonly” targeted by cybercriminals. They use them for cyber espionage, collecting internal company communications. They can also sometimes use them as an initial point of breach, to further move laterally throughout the target network.

One such scenario happened earlier this year, when a Russian threat actor abused a vulnerability in the tool (CVE-2022-27926) to snoop on emails belonging to organizations aligned with the North Atlantic Treaty Organization (NATO). Governments, diplomats, and military personnel were also targeted, the publication said.

Another attack occurred in October 2022, when more than 900 servers were hacked thanks to a Zimbra zero-day. Kaspersky labeled the flaw as a remote code execution vulnerability that allows threat actors to send an email with a malicious file that deploys a webshell in the Zimbra server without triggering an antivirus alarm. It is now tracked as CVE-2022-41352 and some researchers claim as many as 1,600 servers were compromised as a result.

Via: BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar