Russian hacking group Winter Vivern has been actively exploiting Zimbra flaws to steal the emails of NATO and diplomats.
A Russian hacking group, tracked as Winter Vivern (aka TA473), has been actively exploiting a vulnerability (CVE-2022-27926) in unpatched Zimbra instances to gain access to the emails of NATO officials, governments, military personnel, and diplomats.
The CVE-2022-27926 flaw affects Zimbra Collaboration version 9.0.0, which is used to host publicly facing webmail portals.
The attacker can also use the compromised accounts to carry out lateral phishing attacks and further infiltrate the target organizations.
TA473’s cyber operations align with the support of Russian and/or Belarusian geopolitical goals.
“Researchers have observed TA473, a newly minted advanced persistent threat (APT) actor tracked by Proofpoint, exploiting Zimbra vulnerability CVE-2022-27926 to abuse publicly facing Zimbra hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia Ukrainian War.” reads the post published by Proofpoint.
These payloads allow the actors to steal usernames and passwords and to harvest active session and CSRF tokens from cookies, allowing them to log in to publicly facing vulnerable webmail portals belonging to target organizations.
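Because the stolen material is a session token taken from a browser cookie, the thing a defender can look for after the fact is that token being presented by a second client (different source address or user agent) than the one that authenticated, and the thing a defender can fix beforehand is the cookie attributes that let page script read the token at all. The following is an added example, not code from Proofpoint or Security Affairs: the access-log format and the sample lines are constructed, and the cookie name ZM_AUTH_TOKEN (Zimbra's webmail auth cookie) is assumed to be what the reverse proxy logs.

```python
"""Flag webmail session tokens reused from more than one client, and check
Set-Cookie hardening attributes. Added example; log format is constructed."""
import re
from collections import defaultdict

# Constructed access-log lines: ip - [time] "request" status "user-agent" cookie
SAMPLE_LOG = """\
203.0.113.10 - [01/Apr/2023:09:00:01 +0000] "GET /mail HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)" ZM_AUTH_TOKEN=tok_a1
203.0.113.10 - [01/Apr/2023:09:05:12 +0000] "GET /mail?loc=en HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)" ZM_AUTH_TOKEN=tok_a1
198.51.100.7 - [01/Apr/2023:09:07:30 +0000] "GET /mail HTTP/1.1" 200 "curl/7.88.1" ZM_AUTH_TOKEN=tok_a1
192.0.2.44 - [01/Apr/2023:09:10:00 +0000] "GET /mail HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux)" ZM_AUTH_TOKEN=tok_b2
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" (?P<cookie>\S+)$'
)
TOKEN_COOKIE = "ZM_AUTH_TOKEN"  # assumed: the webmail auth cookie as it appears in the log
REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def token_of(cookie_field):
    """Return the auth token value from a 'NAME=value' cookie field, or None."""
    name, _, value = cookie_field.partition("=")
    return value if name == TOKEN_COOKIE and value else None


def find_shared_tokens(text):
    """Map each token seen from more than one distinct (ip, user_agent) pair
    to the sorted list of those clients. A single token presented by two
    different clients is the footprint of a cookie stolen and replayed."""
    clients = defaultdict(set)
    for rec in parse_log(text):
        tok = token_of(rec["cookie"])
        if tok:
            clients[tok].add((rec["ip"], rec["ua"]))
    return {tok: sorted(c) for tok, c in clients.items() if len(c) > 1}


def cookie_flags_missing(set_cookie_value):
    """Return the hardening attributes absent from a Set-Cookie header value.
    HttpOnly keeps injected page script from reading the token; Secure keeps it
    off cleartext connections; SameSite limits cross-site replay."""
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


if __name__ == "__main__":
    for tok, seen in find_shared_tokens(SAMPLE_LOG).items():
        print(f"token {tok} presented by {len(seen)} distinct clients: {seen}")
    print("missing:", cookie_flags_missing("ZM_AUTH_TOKEN=tok_a1; Path=/; Secure"))
```

On the constructed log, tok_a1 is flagged because it arrives first from a Windows browser and then from a curl client at another address, while tok_b2 is not; the cookie check reports HttpOnly and SameSite as missing from a header that only sets Secure. In production the parser would be replaced by one for the proxy's actual log format and the results fed to whatever alerting the SOC already uses.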
The APT group uses scanning tools like Acunetix to identify unpatched webmail platforms used by target organizations.
The threat actors send phishing emails from a compromised address, spoofed to appear as someone relevant to the target organization.
The post Russian APT group Winter Vivern targets email portals of NATO and diplomats appeared first on Security Affairs.