Contents:
Zimbra Collaboration email servers worldwide are being targeted by threat actors. Recently, cybersecurity researchers have uncovered an ongoing phishing campaign, that has been underway since at least April 2023.
Threat actors are sending phishing emails to organizations worldwide, with no specific focus on certain organizations or sectors, in an attempt to steal credentials. So far, no threat actor group has been linked with the campaign.
Details on the Attacks: Zimbra Admins Impersonators
According to BleepingComputer, the attacks begin with a phishing email that appears to be from an organization’s administrator and alerts users of an impending email server update that may temporarily deactivate accounts.
In order to understand more about the server upgrade and to study instructions on preventing the deactivation of accounts, the recipient is urged to read an HTML file that has been attached. While opening the HTMP attachment, a fake Zimbra login page will be shown that features the targeted company’s logo and brand to appear authentic to the targets. The username field in the login will be prefilled, making the phishing page appear more legitimate.
Account passwords put into the phishing form are delivered via an HTTPS POST request to the threat actor’s server. It is reported that in some instances, the attackers use compromised admin accounts to create new mailboxes to be used for disseminating phishing emails to other members of the organization.
Zimbra Collection Users, Beware
Despite the campaign’s lack of sophistication, it has spread widely and been successful, so users of Zimbra Collaboration should be aware of the danger.
Zimbra Collaboration email servers are commonly targeted by threat actors for cyberespionage to gather internal communications or to use them as a starting point for attacks on the network of the intended target company.
Earlier this year, Proofpoint disclosed that the Russian “Winter Vivern” hacker gang had gained access to the webmail accounts of NATO-aligned organizations, governments, embassies, and military personnel by using a Zimbra Collaboration vulnerability (CVE-2022-27926).
Zimbra Collaboration is a popular email and collaboration software, being used by thousands of businesses worldwide. This is why this phishing campaign is so largely spread, and we advise Zimbra users to be careful and always check for signs of phishing emails.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube for more cybersecurity news and topics.