
Chinese Hackers are spying on Zimbra opensource email users

If you use Zimbra, then watch out! Chinese hackers appear to have exploited a zero-day vulnerability in the Zimbra email platform to spy on users like you.
The chances are you might use Zimbra. Why? Because Zimbra is the world's leading open-source email platform, powering hundreds of millions of mailboxes in 140 countries.
A threat actor, likely Chinese in origin, is actively attempting to exploit a zero-day vulnerability in the Zimbra open-source email platform as part of spear-phishing campaigns that commenced in December 2021. The espionage operation, codenamed "EmailThief", was detailed by cybersecurity company Volexity in a technical report published Thursday, which noted that successful exploitation of the cross-site scripting (XSS) vulnerability could result in the execution of arbitrary JavaScript code in the context of the user's Zimbra session.

The attacks are believed to have occurred in two phases:

Phase 1

Aimed at reconnaissance: emails designed to track whether a target received and opened the messages.

Phase 2

Multiple waves of email messages were sent to trick the recipients into clicking a malicious link. In total, the attacker created 74 unique email addresses to send out the missives over a period of two weeks; the initial reconnaissance messages carried generic subject lines ranging from invitations to charity auctions to refunds for airline tickets.
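The two phases above leave a recognisable footprint in the mail itself: a reconnaissance message carries a remote "open beacon" image, a lure message carries an external link, and the batch as a whole comes from a burst of fresh sender addresses with generic subjects. The following is an added triage example written for this page (it is not Volexity's or Zimbra's code). The three messages are constructed samples using reserved example domains, and the beacon heuristic (a remote image declared 1x1 or 0x0 pixels) is an assumption, not something the report states.

```python
"""Triage helper for the two-phase phishing pattern described above:
remote open-beacon images (Phase 1) and external links (Phase 2), plus a
count of distinct sender addresses across a batch.

Added example, not the page's or Volexity's code. Sample messages are
constructed; the 1x1 / 0x0 beacon threshold is an assumption.
"""
import email
import textwrap
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefExtractor(HTMLParser):
    """Collect <img src> and <a href> references from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []   # (src, width, height)
        self.links = []    # href values

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _is_remote(url):
    # Only http(s) references make the client contact an external host;
    # cid: and data: references do not leak an "opened" signal.
    return urlparse(url).scheme in ("http", "https")


def analyze_message(raw):
    """Return sender, subject and suspicious references of one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    ex = _RefExtractor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            ex.feed(part.get_content())
    remote_images = [src for src, _, _ in ex.images if _is_remote(src)]
    # A remote image with no visible size is the classic open-tracking beacon.
    beacons = [src for src, w, h in ex.images
               if _is_remote(src) and (w in ("0", "1") or h in ("0", "1"))]
    external_links = [href for href in ex.links if _is_remote(href)]
    return {
        "sender": sender,
        "subject": str(msg["Subject"] or ""),
        "remote_images": remote_images,
        "tracking_beacons": beacons,
        "external_links": external_links,
    }


def triage_batch(raws):
    """Summarise a batch: messages carrying beacons or external links, and
    how many distinct sender addresses were used."""
    results = [analyze_message(r) for r in raws]
    flagged = [r for r in results if r["tracking_beacons"] or r["external_links"]]
    return {
        "messages": results,
        "flagged": len(flagged),
        "distinct_senders": len({r["sender"] for r in results if r["sender"]}),
    }


# Constructed sample messages (reserved example domains, not real indicators).
RECON_MAIL = textwrap.dedent("""\
    From: "Charity Auction" <invite-01@example.net>
    To: user@example.com
    Subject: Invitation: charity auction this weekend
    Content-Type: text/html; charset="utf-8"

    <html><body><p>You are invited to our charity auction.</p>
    <img src="http://tracker.example.net/open?id=a1b2" width="1" height="1">
    </body></html>
    """)

LURE_MAIL = textwrap.dedent("""\
    From: "Refund Desk" <refunds-17@example.net>
    To: user@example.com
    Subject: Refund for your airline ticket
    Content-Type: text/html; charset="utf-8"

    <html><body><img src="cid:logo" width="120">
    <p><a href="https://refunds.example.net/claim">Claim your refund</a></p>
    </body></html>
    """)

BENIGN_MAIL = textwrap.dedent("""\
    From: colleague@example.com
    To: user@example.com
    Subject: Lunch?
    Content-Type: text/plain; charset="utf-8"

    Lunch at noon?
    """)

if __name__ == "__main__":
    summary = triage_batch([RECON_MAIL, LURE_MAIL, BENIGN_MAIL])
    print(summary["flagged"], "flagged;", summary["distinct_senders"], "distinct senders")
```

The heuristics are deliberately simple: in a mail gateway you would feed `triage_batch` the messages of one delivery window and alert when the share of flagged messages or the number of never-before-seen senders jumps, rather than acting on a single beacon.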


More about Zero-day vulnerability

A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit. … Vulnerable systems are exposed until a patch is issued by the vendor. In other words, the developers did not know their software contained a vulnerability, and the threat actor spotted that vulnerability before the developer realized there was a defect or had time to fix it. The attacker writes and deploys exploit code while the vulnerability is still open and available.

A Zero-day vulnerability is invincible

Why? A zero-day vulnerability is very hard, if not impossible, to detect. It can take not just days but months, and sometimes years, before a developer learns of the vulnerability that led to an attack.

One-day vulnerability

A zero-day attack happens when that flaw, or software/hardware vulnerability, is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability.
A zero-day is a flaw in software, hardware or firmware that is unknown to the party or parties responsible for patching or otherwise fixing the flaw. … Once a zero-day vulnerability has been made public, it is known as an n-day or one-day vulnerability.

Disclaimer: Any opinions expressed in the blog do not necessarily reflect the opinions of Certrec. The content of this blog is meant for informational purposes only.