Webmail portals of NATO-aligned governments in Europe hacked by TA473 hackers using known Zimbra vulnerability


Proofpoint researchers disclosed that they have observed recent espionage-related activity by the TA473 group, including yet-to-be-reported instances of TA473 targeting U.S. elected officials and staffers. TA473 is a newly minted Proofpoint threat actor designation that aligns with public reporting on Winter Vivern. Since at least February this year, the group has continuously exploited the Zimbra vulnerability CVE-2022-27926 against publicly facing Zimbra-hosted webmail portals to gain access to the mailboxes of government entities in Europe.

“The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia-Ukrainian War. The group utilizes scanning tools like Acunetix to identify unpatched webmail portals belonging to these organizations to identify viable methods for targeting victims,” Michael Raggi and the Proofpoint Threat Insight Team wrote in a blog post last week. “Following initial scanning reconnaissance, the threat actors deliver phishing emails purporting to be relevant benign government resources, which are hyperlinked in the body of the email with malicious URLs that abuse a known vulnerability to execute JavaScript payloads within victims’ webmail portals.”

Further, “the threat actors appear to invest significant time studying each webmail portal instance belonging to their targets as well as writing bespoke JavaScript payloads to conduct Cross Site Request Forgery,” the post noted. “These labor-intensive customized payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing webmail portals belonging to NATO-aligned organizations.”

Proofpoint researchers recently promoted TA473 to a publicly tracked threat actor. Known in open-source research as Winter Vivern, the activity cluster has been tracked by Proofpoint since at least 2021.

The Proofpoint observations follow SentinelLabs’ March report on Winter Vivern APT (advanced persistent threat) activity, which built on observations made by the Polish CBZC and Ukraine CERT. The hacker group employs various tactics, such as phishing websites, credential phishing, and deployment of malicious documents, each tailored to the targeted organization. This results in the deployment of custom loaders and malicious documents, which enable unauthorized access to sensitive systems and information.

Proofpoint has observed TA473 phishing campaigns evolve since 2021, with the group opportunistically exploiting popular 1-day vulnerabilities such as CVE-2022-30190 (Follina), disclosed in May 2022, to target its victims. “However, most commonly this threat actor leverages a recurring set of phishing techniques in every email campaign. The phishing tactics below have consistently been observed across both US and European targets as well as among credential harvesting, malware delivery, and cross-site request forgery (CSRF) campaigns,” the researchers added.

“TA473 sends emails from compromised email addresses. Often these emails originate from WordPress-hosted domains that may be unpatched or unsecure at the time of compromise,” Proofpoint observed. “TA473 spoofs the ‘from’ field of the email to appear as a user at the targeted organization OR TA473 spoofs the ‘from’ field of the email to appear as a relevant peer organization involved in global politics. TA473 includes a benign URL from either the targeted organization or a relevant peer organization in the body of the email.”

Furthermore, the researchers found that TA473 then hyperlinks this benign recognized URL with actor-controlled or compromised infrastructure to deliver a first-stage payload or to redirect to a credential harvesting landing page. “TA473 often uses structured URI paths that indicate a hashed value for the targeted individual, an unencoded indication of the targeted organization, and in some cases encoded or plaintext versions of the benign URL that was hyperlinked in the initial email to targets,” they added.

Beginning in early 2023, Proofpoint observed a trend of TA473 phishing campaigns targeting European government entities that take advantage of CVE-2022-27926, according to the post. The vulnerability affects Zimbra Collaboration (previously ‘the Zimbra Collaboration Suite’) version 9.0.0, which is used to host publicly facing webmail portals. The vulnerability is described as a “reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0 (which) allows unauthenticated attackers to execute arbitrary web script or HTML via request parameters.”

In practice, the researchers said, TA473 hyperlinks a benign URL in the body of a phishing email with a URL that leverages CVE-2022-27926. “The malicious URL uses the webmail domain that has a vulnerable Zimbra Collaboration Suite instance and appends an arbitrary hexadecimal encoded or plaintext JavaScript snippet, which is executed as an error parameter when it is received in the initial web request. The JavaScript, once decoded, results in the download of a next stage bespoke JavaScript payload that conducts CSRF to capture usernames, passwords, and CSRF tokens from the user.”
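Defenders running Zimbra can look for the exploitation pattern described above in their web server access logs. The following Python script is an added example, not code from the Proofpoint report: it flags requests to the /public/launchNewWindow.jsp endpoint whose query string carries script-like or long hex-encoded content. The log lines, the RFC 5737 addresses and the parameter name `param` are constructed for the example; the real parameter name is not given on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the CVE-2022-27926 description (reflected XSS in ZCS 9.0).
VULN_PATH = "/public/launchNewWindow.jsp"
# Script-like content, checked after percent-decoding each parameter value.
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|eval\s*\(|fromCharCode", re.I)
# Long \xNN or %NN runs: the page notes the injected snippet may be hex encoded.
HEX_RUN_RE = re.compile(r"(?:\\x[0-9a-f]{2}){8,}|(?:%[0-9a-f]{2}){12,}", re.I)
# Apache/nginx combined log format (host, timestamp, request line, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

def inspect_request_line(url):
    """Return the reasons a request URL looks like a CVE-2022-27926 attempt ([] if clean)."""
    parts = urlsplit(url)
    if parts.path.lower() != VULN_PATH.lower():
        return []
    reasons = []
    if HEX_RUN_RE.search(parts.query):
        reasons.append("long percent-encoded run in raw query string")
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)  # parse_qs decoded once; also catch double encoding
            if SCRIPT_RE.search(decoded):
                reasons.append(f"script-like content in parameter '{name}'")
            if HEX_RUN_RE.search(decoded):
                reasons.append(f"hex-escaped run in parameter '{name}'")
    return list(dict.fromkeys(reasons))  # dedupe, keep order

def scan_access_log(lines):
    """Return (ip, timestamp, url, reasons) for every suspicious hit in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := inspect_request_line(m["url"])):
            hits.append((m["ip"], m["ts"], m["url"], reasons))
    return hits

# Constructed sample log: two probes of the vulnerable endpoint, two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2023:08:14:02 +0000] "GET /public/launchNewWindow.jsp?param=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2023:08:15:11 +0000] "GET /public/launchNewWindow.jsp?param=%5Cx64%5Cx6F%5Cx63%5Cx75%5Cx6D%5Cx65%5Cx6E%5Cx74%5Cx2E%5Cx63%5Cx6F%5Cx6F%5Cx6B%5Cx69%5Cx65 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Feb/2023:08:16:30 +0000] "GET /public/launchNewWindow.jsp?param=default HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2023:08:17:01 +0000] "GET /zimbra/mail HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""
```

Running `scan_access_log(SAMPLE_LOG.splitlines())` returns the two probe lines with their reasons; hits with a 200 status deserve follow-up against the patch level of the instance.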

Proofpoint researchers have identified several instances of what appear to be customized CSRF JavaScript payloads, delivered both through the CVE-2022-27926 exploitation described above and through earlier mechanisms, such as TA473-controlled infrastructure reached via the hyperlinked benign URLs in the body of the phishing email. “These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance. Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets.”

In some instances, the researchers observed TA473 specifically targeting RoundCube webmail request tokens as well. “This detailed focus on which webmail portal is being run by targeted European government entities indicates the level of reconnaissance that TA473 conducts before delivering phishing emails to organizations. These next-stage TA473 CSRF JavaScript payloads also utilize several layers of Base64 encoding to obfuscate the functionality of the JavaScript. The actor inserts three nested instances of Base64 encoded JavaScript to complicate the analysis of these delivered payloads. However, decoding the script is trivial to reveal the intended malicious functionality,” the post added.
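The nested Base64 layering described above is easy to unwind with a small analysis helper. The Python below is an added example, not code from the Proofpoint report or a recovered TA473 payload: it peels Base64 layers until the result stops looking like Base64, accepting either a bare Base64 string or one passed to an `atob(...)` call (the `eval(atob(...))` wrapper shape is an assumption for the sample, not something the page specifies). The sample script it unwraps is constructed and benign.

```python
import base64
import binascii
import re

B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Base64 literal passed to atob(...) inside a JavaScript wrapper (assumed layer shape).
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def _decode_layer(text):
    """Return the decoded text of one Base64 layer, or None if `text` is not one."""
    m = ATOB_RE.search(text)
    candidate = m.group(1) if m else "".join(text.split())
    if not candidate or not B64_CHARS.match(candidate) or len(candidate) % 4:
        return None
    try:
        decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Script layers are printable text; binary output means we decoded too far.
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
        return None
    return decoded

def peel_base64(blob, max_layers=10):
    """Strip nested Base64 layers; returns (innermost_text, layers_removed)."""
    current, layers = blob, 0
    while layers < max_layers:
        decoded = _decode_layer(current)
        if decoded is None:
            break
        current, layers = decoded, layers + 1
    return current, layers

def wrap_in_layers(script, layers):
    """Constructed helper: nest `script` in `layers` eval(atob(...)) wrappers,
    mimicking the three-deep nesting the page describes. Builds the sample only."""
    data = script
    for _ in range(layers):
        b64 = base64.b64encode(data.encode()).decode()
        data = f'eval(atob("{b64}"));'
    return data

# Constructed, benign stand-in for a recovered next-stage payload.
SAMPLE_SCRIPT = 'var host = document.location.hostname; console.log("sample", host);'
SAMPLE_PAYLOAD = wrap_in_layers(SAMPLE_SCRIPT, 3)
```

`peel_base64(SAMPLE_PAYLOAD)` returns the original script and a layer count of 3; on a real sample the innermost text is what an analyst reviews for the credential-harvesting and CSRF logic.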

Each identified malicious JavaScript payload heavily incorporates the legitimate JavaScript that executes in a native webmail portal. To avoid identifying the specific European governmental organizations impacted by these campaigns, Proofpoint researchers have focused on the high-level functionality of the scripts, specifically the portions inserted by TA473 to achieve cross-site request forgery.

Researchers observed a malicious JavaScript payload delivered in February 2023 that could steal usernames and passwords, steal an active CSRF token from a cookie in the web request response, cache the stolen values to an actor-controlled server, and attempt to log in to the legitimate mail portal with the active tokens. The script also used additional URLs to display POP3 and IMAP instructions hosted on an actor-controlled server and to attempt logins to the legitimate webmail portal via its native URL.

“TA473’s persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities impacting publicly facing webmail portals is a key factor in this actor’s success,” the Proofpoint researchers said. “The group’s focus on sustained reconnaissance and painstaking study of publicly exposed webmail portals to reverse engineer JavaScript capable of stealing usernames, passwords, and CSRF tokens demonstrates its investment in compromising specific targets, in this case, the European government sector.”

Proofpoint researchers recommend patching all versions of Zimbra Collaboration used in publicly facing webmail portals, especially among European government entities. Additionally, restricting resources on publicly facing webmail portals from the public internet is highly recommended to prevent groups like TA473 from conducting reconnaissance against them and engineering custom scripts capable of stealing credentials and logging in to users’ webmail accounts.

“While TA473 does not lead the pack in sophistication among APT threats targeting the European cyber landscape, they demonstrate focus, persistence, and a repeatable process for compromising geopolitically exposed targets,” the post added.

Analysis from NCC Group’s Global Threat Intelligence team revealed last week that there were 240 ransomware attacks in February, a 45 percent increase from January. “The volume of activity is the highest recorded by NCC Group for this period, up 30% over February 2022 (185), and 2021 (185). The considerable rise highlights the growing threat of ransomware attacks, as the threat landscape continues to evolve,” it added.
