A low-profile attack group that appears to work in support of Russian state interests has begun targeting government, military and diplomatic officials in the United States and Europe in a new campaign that exploits a known, already-patched vulnerability in a widely used secure email platform.
The campaign is the work of a group known as Winter Vivern that recently has been seen targeting organizations in Ukraine, Poland and elsewhere that are supporting Ukraine’s defense against the Russian invasion. The group mostly relies on spear phishing, but researchers at Proofpoint have observed it targeting high-value individuals in American and European government agencies with an exploit for a bug in the Zimbra email platform. Zimbra is developed by Synacor, and the vulnerability Winter Vivern is exploiting in Zimbra Collaboration was disclosed and patched nearly a year ago.
The bug (CVE-2022-27926) is a reflected cross-site scripting (XSS) vulnerability in version 9.0.0 of the Zimbra Collaboration webmail platform. Researchers at Proofpoint have seen Winter Vivern, also known as TA473, running a phishing campaign against government employees and diplomatic personnel that uses lure emails whose link points at the target organization’s own Zimbra webmail domain, with the exploit for the Zimbra bug carried in the URL itself. The attacks have been ongoing since early this year.
“The malicious URL uses the webmail domain that has a vulnerable Zimbra Collaboration Suite instance and appends an arbitrary hexadecimal encoded or plaintext JavaScript snippet, which is executed as an error parameter when it is received in the initial web request. The JavaScript, once decoded, results in the download of a next stage bespoke JavaScript payload that conducts CSRF to capture usernames, passwords, and CSRF tokens from the user,” the Proofpoint analysis says.
“Proofpoint researchers have identified several instances of what appear to be customized CSRF JavaScript payloads with delivery achieved through both the above-mentioned CVE-2022-27926 exploitation and earlier delivery mechanisms, such as TA473-controlled infrastructure delivery stemming from the hyperlink of benign URLs in the body of the phishing email.”
As part of this campaign, the Winter Vivern attackers first reconnoiter the Zimbra webmail portals of potential victims and then develop a custom payload for each victim organization.
“These labor-intensive customized payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing webmail portals belonging to NATO-aligned organizations,” the Proofpoint analysis says.
Winter Vivern is one of the newer APT groups on the Russian threat landscape and doesn’t have the panache or reputation of Cozy Bear or Fancy Bear or any of the bears, really. But you don’t always have to be fancy to be effective, and Winter Vivern has proven to be just that. The payloads the group delivers in this campaign have several capabilities, including stealing usernames and passwords, stealing the active CSRF token from a cookie, and attempting to log in to the webmail portal.
“While TA473 does not lead the pack in sophistication among APT threats targeting the European cyber landscape, they demonstrate focus, persistence, and a repeatable process for compromising geopolitically exposed targets,” the researchers said.