Zimbra is an open-source email platform that many European organizations run in place of Microsoft Exchange. In December 2021, Volexity discovered active exploitation of a zero-day vulnerability in Zimbra as part of a spear-phishing campaign.
Volexity's detailed technical report, Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra, was published on Thursday. Successful exploitation of the cross-site scripting (XSS) vulnerability results in the execution of arbitrary JavaScript in the victim's browser.
Volexity identified a series of targeted spear-phishing attacks against one of its customers, attributed them to a threat actor it tracks under the moniker TEMP_Heretic, and believes the attackers are of Chinese origin. European government and media organizations were among the targets. According to Volexity's analysis, the spear-phishing campaign occurred in multiple waves across two phases:
The first phase was reconnaissance: a series of emails designed to track whether a target had received and opened them.
The second phase occurred in waves, with email messages enticing victims to click an attacker-crafted link. For the attack to succeed, the target had to visit the attacker's URL while logged into the Zimbra webmail client in a web browser. The link itself could be opened from a desktop mail application such as Thunderbird or Outlook, as long as the browser it launched held an active Zimbra session.
The vulnerability gave the attacker the ability to run arbitrary JavaScript in the context of the user's Zimbra session. According to Volexity, the attacker attempted to load JavaScript that would steal the user's mail data and attachments.
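Because the attack only works when a logged-in user follows a link back to the webmail host, the Zimbra proxy's access log is the first place to hunt for it. The following script is an added example, not code from the article or from Volexity's report: it parses nginx "combined" log lines (assumed to be the format the Zimbra proxy writes), percent-decodes every query-string parameter repeatedly to defeat double encoding, and flags values that carry markup or script fragments. The log lines, the `/zimbra/h/search` endpoint and the payloads are constructed for illustration; the article does not identify the vulnerable parameter or the attacker's actual URL.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (not real traffic) in the nginx "combined" format.
# Endpoint and payloads are illustrative; they are not the real attack URL.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2021:09:12:01 +0000] "GET /zimbra/?client=preferred HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Dec/2021:09:12:05 +0000] "POST /service/soap/SearchRequest HTTP/1.1" 200 2048 "https://mail.example.test/zimbra/" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2021:09:14:22 +0000] "GET /zimbra/h/search?query=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2021:09:15:40 +0000] "GET /zimbra/h/search?query=%253Cscript%253Esrc%253D HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Tag openers, javascript: URLs and on*= event handlers have no business in a
# webmail query string; these markers are an assumption, not Volexity's IOCs.
XSS_RE = re.compile(r'<\s*[a-z/!]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def decode_fully(value, max_rounds=4):
    """Percent-decode until the string stops changing, so %253C (double-encoded '<') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict for a log line with a suspicious query parameter, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m.group('target')
    parts = urlsplit(target)
    hits = []
    # parse_qsl decodes once; decode_fully strips any further encoding layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        if XSS_RE.search(value):
            hits.append((name, value))
    if not hits:
        return None
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'path': parts.path,
        'status': int(m.group('status')),
        'referer': m.group('referer'),
        'params': hits,
    }


def scan_log(text):
    """Scan a whole log body and return the list of findings in order of appearance."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} referer={f['referer']!r} params={f['params']}")
```

Two caveats matter in practice. A payload placed after `#` in the URL never leaves the browser, so fragment-based reflections are invisible to server logs and need client-side or proxy instrumentation instead. And because the link may be launched from a desktop client, the Referer is usually empty, so an absent Referer is not itself a signal; the decoded parameter content is.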
Although Volexity observed TEMP_Heretic going after emails and attachments, the vulnerability would also let an attacker take the following actions in the context of the user's Zimbra webmail session:
At the time of writing there is no patch for this vulnerability, and it has not been assigned a CVE identifier (hence a zero-day). Volexity tested and confirmed that the current Zimbra 8.8.15 P29 and P30 releases remain vulnerable; version 9.0.0 appears to be unaffected.
"If you are currently on Zimbra V8.8.15 Patch 8, update all NG modules before upgrading to Zimbra V9.0.0," the company stated. That Collaboration version introduces the Zimbra Web Client in Modern and Classic editions.
According to BinaryEdge data, about 33,000 internet-facing machines run a Zimbra email server, though the true number is likely higher. Zimbra says its software is used by 200,000 businesses and over a thousand government and financial institutions.