Attackers are exploiting a zero-day vulnerability in Zimbra to plant a malicious payload on vulnerable webmail servers, using a PGP decryption exploit they ported during the recent Black Hat 2022 conference. To take control of a victim’s email account, the attacker first has to steal the password or bypass authentication by some other means. In this campaign that was done through the PGP attack, delivered in an email that appeared to come from the victim’s boss and asked them to look at information in a new attachment. Attackers also exploited corporate relationships, sending messages about upcoming meetings, schedule changes and the like with an attached file that downloaded malware once the recipient opened it.
Once the PGP attack succeeded, the attackers could take over the victim’s email account and infect the server with file-infecting malware that relayed every message from the compromised server to a series of other servers under the attackers’ control, which resulted in a distributed denial-of-service (DDoS) attack against Zimbra Networks. The company has already released patches for all active versions, including Zimbra Collaboration 8.8.8, that resolve the vulnerability. However, according to the Check Point researchers who uncovered how these attacks work, roughly 1,000 unpatched systems are still being targeted. This is not the first time researchers have caught hacking groups going after Zimbra email servers. “In previous research, we’ve seen attackers compromise Zimbra servers as a stepping stone to accessing internal servers at large organizations,” explained Daniel Cohen, a security researcher at Check Point.
This kind of attack is a form of data exfiltration, used to steal information from targeted organizations. The researchers who uncovered the latest zero-day believe the attackers are logging into victims’ email accounts to reach other confidential information that can later be used against them in a variety of ways, including spear-phishing campaigns, data leaks, or outright identity theft. “The attackers use this to get data for various reasons and to gain access to other systems inside the victim’s network. We can’t say if the attackers are trying to exfiltrate more sensitive data, such as customer records, user credentials, or financial information. Still, we believe that is the case,” said Cohen. “Attacks on Zimbra email servers using these PGP attacks have been known since at least June 2016, and it’s become one of the most common ways attackers gain access to Zimbra servers,” continued Cohen.
Check Point researchers believe the campaign began in late 2016 and has ramped up significantly in recent months. The first stage starts with phishing emails sent to the organization’s employees, often disguised as a message from a known or trusted source.
To make their emails look even more legitimate, cybercriminals often use addresses that mimic those of company employees, said Cohen. Most of the attacks observed targeted businesses in Southeast Asia, especially Thailand. Check Point researchers say a phishing campaign often precedes these attacks: hackers use legitimate-looking emails to trick employees into clicking a malicious link or opening an attachment. Once an employee does so, their system is compromised and used to launch subsequent zero-day exploits.
“This attack may be the work of organized cybercrime groups who use different tools and techniques to launch different attacks,” said Cohen. “We believe this is because Zimbra has become such an attractive target for criminal groups over the past few years. The reason is that Zimbra has become a popular target and is seen as valuable by hackers and cybercriminals, no matter their motives. While many cybercriminals tend to target critical infrastructure systems, they also tend to go after companies like Zimbra because they can use the email platform to hunt for sensitive information, steal credentials, and compromise various other types of targets.”
What can be done to prevent future attacks of this type? While there are no guarantees, Cohen recommended the following steps to make your systems a less attractive target:
• Always use caution when opening attachments or clicking links in emails. According to Cohen, this is one of the most basic cybersecurity rules, yet employees and companies often ignore it.
• Deploy an email filtering solution that inspects mail traffic for malicious content, so potentially harmful messages are stopped before they reach employees and have a chance to infect your systems.
• Audit your systems regularly and patch security vulnerabilities as soon as fixes are available, including the Zimbra patches the vendor has already released for this flaw.
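The following is an added example, not code from the article, Check Point or Zimbra. It turns the sender-impersonation tactic described earlier (a known employee’s name on an external or lookalike address, a malware-carrying attachment) and the filtering recommendation above into a small triage check that can run over raw messages. The company domain, employee directory, risky-extension list, edit-distance threshold and the three sample messages are all constructed for the demo; the only real libraries used are Python’s standard `email` parsers.

```python
"""Triage inbound mail for the employee-impersonation pattern described in the article.
Added example, not code from the article, Check Point or Zimbra. The domain, directory
and sample messages are constructed for the demo."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"                 # assumed company domain
KNOWN_EMPLOYEES = {"alice lee", "bob chan"}          # assumed directory of display names
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".lnk", ".iso", ".docm", ".xlsm"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike sender domains (c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str):
    """Return (score, reasons) for one raw RFC 822 message; score 0 means nothing fired."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    # 1. An employee's display name on an address outside the company domain.
    if display.strip().lower() in KNOWN_EMPLOYEES and domain != INTERNAL_DOMAIN:
        reasons.append(f"employee name '{display}' used from external domain {domain}")
    # 2. A sender domain within two edits of ours (typosquat-style lookalike).
    if domain and domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {domain}")
    # 3. Reply-To steering replies to a mailbox other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # 4. Attachments of types that run code or carry macros when opened.
    for part in msg.walk():
        name = part.get_filename()
        if name and "." in name and "." + name.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment {name}")
    return len(reasons), reasons


# Constructed sample messages (not real captures).
SAMPLES = {
    "impersonation": """\
From: "Alice Lee" <alice.lee@example-c0rp.com>
Reply-To: alice.lee.work@mail-example.org
Subject: Schedule change for tomorrow's meeting
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the updated agenda before we meet.
--b1
Content-Type: application/octet-stream; name="agenda.docm"
Content-Disposition: attachment; filename="agenda.docm"

ZmFrZQ==
--b1--
""",
    "internal": """\
From: "Bob Chan" <bob.chan@example-corp.com>
Subject: Lunch?

Noon works for me.
""",
    "vendor": """\
From: "Vendor Support" <support@vendor-example.net>
Subject: Your invoice
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Invoice attached.
--b2
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

ZmFrZQ==
--b2--
""",
}


def triage(samples: dict) -> dict:
    """Score every sample; returns {label: score} so a filter can act on score >= 1."""
    return {label: score_message(raw)[0] for label, raw in samples.items()}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        score, reasons = score_message(raw)
        print(f"{label}: score={score} " + ("; ".join(reasons) if reasons else "clean"))
```

The impersonation sample trips all four indicators (employee name on a foreign domain, a domain one edit away from the company’s, a diverted Reply-To, and a macro-enabled attachment) while the genuine internal mail and the unrelated vendor invoice score zero. In a real gateway the employee directory would come from the identity provider and the threshold would be tuned per indicator; the point is that each signal the article describes is cheap to check before the message reaches a mailbox.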