A lesser-known Russian hacking group, tracked as Winter Vivern, has been associated with a new wave of attacks against government entities in Europe. The campaign has been active since February and leverages unpatched Zimbra endpoints to steal emails and other sensitive information from NATO officials, governments, military personnel, and diplomats involved in the Russia-Ukraine war.
What has been discovered?
Proofpoint has found that Winter Vivern APT group (aka TA473) is exploiting a cross-site scripting vulnerability (CVE-2022-27926) in Zimbra Collaboration Suite to target webmails of NATO-aligned governments in Europe.
The gang uses scanning tools such as Acunetix to find unpatched Zimbra-hosted webmail portals and identify targets.
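Because the targeting described above starts with vulnerability scanning of public-facing webmail portals, the scanning phase is visible in the portal's own access logs before any phishing email is sent. The following is an added example, not code from the original article or from Proofpoint: it parses combined-format web server log lines and flags sources by two rules, a user-agent signature list (the marker strings are assumptions and are tunable) and a behavioural rule for many distinct paths requested from one address in a short window, which also catches scanners configured to send a browser-like user agent. The log lines are constructed, using documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by Apache and nginx front-ends.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed user-agent markers for common web scanners. Treat this as a tunable
# list: a scanner can be configured to present a browser-like user agent.
SCANNER_UA_MARKERS = ("acunetix", "nikto", "sqlmap", "nessus", "nuclei")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_scanning(lines, window_seconds=60, distinct_path_threshold=5):
    """Return {ip: sorted rule names} for sources whose traffic looks like scanning."""
    hits = defaultdict(set)
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip[rec["ip"]].append(rec)
        ua = rec["ua"].lower()
        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            hits[rec["ip"]].add("scanner-user-agent")

    # Behavioural rule: many distinct paths from one source inside a short
    # window. Normal webmail users touch a handful of paths; scanners enumerate.
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            paths = set()
            for rec in recs[i:]:
                if (rec["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                paths.add(rec["path"])
            if len(paths) >= distinct_path_threshold:
                hits[ip].add("burst-of-distinct-paths")
                break
    return {ip: sorted(rules) for ip, rules in hits.items()}


# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
# 203.0.113.7 is an ordinary user, 198.51.100.9 a scanner with a tell-tale
# user agent, 192.0.2.5 a scanner hiding behind a browser user agent.
FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"
SCAN_UA = "Mozilla/5.0 (compatible; Acunetix)"  # constructed, not a real signature
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Mar/2023:10:00:01 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "{FF}"',
    f'203.0.113.7 - - [01/Mar/2023:10:00:09 +0000] "POST /zimbra/ HTTP/1.1" 302 0 "-" "{FF}"',
    f'198.51.100.9 - - [01/Mar/2023:10:02:11 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "{SCAN_UA}"',
    f'198.51.100.9 - - [01/Mar/2023:10:02:12 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "{SCAN_UA}"',
    f'198.51.100.9 - - [01/Mar/2023:10:02:12 +0000] "GET /.env HTTP/1.1" 404 210 "-" "{SCAN_UA}"',
    f'198.51.100.9 - - [01/Mar/2023:10:02:13 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "{SCAN_UA}"',
    f'198.51.100.9 - - [01/Mar/2023:10:02:14 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "{SCAN_UA}"',
    f'192.0.2.5 - - [01/Mar/2023:10:05:00 +0000] "GET / HTTP/1.1" 200 1200 "-" "{FF}"',
    f'192.0.2.5 - - [01/Mar/2023:10:05:01 +0000] "GET /login HTTP/1.1" 404 210 "-" "{FF}"',
    f'192.0.2.5 - - [01/Mar/2023:10:05:01 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "{FF}"',
    f'192.0.2.5 - - [01/Mar/2023:10:05:02 +0000] "GET /mail/ HTTP/1.1" 404 210 "-" "{FF}"',
    f'192.0.2.5 - - [01/Mar/2023:10:05:03 +0000] "GET /webmail/ HTTP/1.1" 404 210 "-" "{FF}"',
]

if __name__ == "__main__":
    for ip, rules in detect_scanning(SAMPLE_LOG).items():
        print(ip, ", ".join(rules))
```

Feed it `tail -f` output from the reverse proxy in front of the webmail host, or run it over a day's log in batch; the threshold and window are deliberately conservative so that a single user opening several mailboxes does not trip the behavioural rule.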
Researchers note that the exploitation of this vulnerability is very similar to the exploitation of CVE-2021-35207, another flaw that impacts a broader range of the Zimbra Collaboration Suite.
In some instances, the threat actors are also found targeting RoundCube Webmail request tokens to deliver payloads.
Infection process
The initial stage of the infection chain is carried out through phishing emails purporting to be relevant government resources.
The email body contains a hyperlink to a malicious URL that abuses the Zimbra vulnerability to execute malicious payloads within the victim's webmail portal.
The malicious payloads, written in JavaScript, are used to steal usernames, passwords, and tokens from cookies received from the compromised Zimbra endpoint.
A similar campaign last week
Proofpoint's latest research is similar to the recent analysis by SentinelOne.
At that time, Winter Vivern APT targeted government agencies and officials in Ukraine, Poland, Italy, and India. A private telecommunications company supporting Ukraine was also a victim of the attack.
The campaign leveraged webpages mimicking European agencies to spread the APERETIF trojan, which was disguised as a virus scanner.
Additionally, the Winter Vivern APT used malicious documents and scanning tools to accomplish the attack.
The bottom line
The threat actor group's most defining characteristics are its approach to vulnerability scanning and its phishing lures that mimic legitimate government resources. As the latest campaign involves the exploitation of a previously known Zimbra flaw, it is strongly recommended to patch all versions of Zimbra Collaboration used in public-facing webmail portals, especially those run by European government entities. Additionally, organizations must cross-check the sender's address on emails that look suspicious before acting on them.