NATO and Diplomats’ Email Portals Targeted by Russian APT Winter Vivern
TA473 Has Been Targeting US Political Officials since February 2023.
Winter Vivern (aka TA473), a Russian hacking group, has been exploiting a vulnerability (CVE-2022-27926) in unpatched Zimbra instances to access the emails of NATO officials, governments, military personnel, and diplomats.
The CVE-2022-27926 flaw affects version 9.0.0 of Zimbra Collaboration, which is used to host publicly accessible webmail portals. The attackers can also use compromised accounts to conduct lateral phishing attacks and infiltrate the target organizations further.
Researchers have observed TA473, a newly minted advanced persistent threat (APT) actor tracked by Proofpoint, exploiting Zimbra vulnerability CVE-2022-27926 to abuse publicly facing Zimbra-hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia-Ukraine war.
The cyber actions of TA473 align with the support of Russian and/or Belarusian geopolitical aims.
The payloads delivered through the exploit enable the actors to steal usernames, passwords, and active session and CSRF tokens from cookies, allowing login to the susceptible, publicly accessible webmail portals of target organizations, explains Security Affairs.
To detect unpatched webmail platforms used by target organizations, the APT group employs scanning tools such as Acunetix. The threat actors then send phishing emails from a compromised address that has been spoofed to look like someone from the target's own organization.