EmailThief: Zero-day vulnerability discovered in Zimbra email platform

The backers may be from China. The cross-site scripting vulnerability allows email data to be stolen.

Researchers have uncovered an active hacking campaign exploiting a zero-day vulnerability in the Zimbra email platform. According to Volexity cybersecurity researchers Steven Adair and Thomas Lancaster, a group dubbed TEMP_Heretic is exploiting the vulnerability in spear-phishing email attacks.

In a security advisory, Volexity explained that the campaign, dubbed Operation EmailThief, was first discovered in December 2021 and is likely the work of Chinese hackers. According to the team, TEMP_Heretic takes great care in selecting its potential victims. The threat actor first conducts reconnaissance, using tracker-embedded emails to determine if an address is valid and whether a target would open email at all — and if so, the second stage of the attack chain is triggered.

A total of 74 unique Microsoft Outlook email addresses were used to send the initial emails, which contained generic images and subjects such as invitations, warnings, and airline ticket refunds. TEMP_Heretic then sends customized phishing emails containing a malicious link. The more targeted subjects of the subsequent emails related to interview requests from news organizations including AFP and BBC, and invitations to charity dinners. Other phishing email samples collected were more general and contained holiday greetings.

The zero-day vulnerability is a cross-site scripting (XSS) vulnerability. It allows attackers to run arbitrary JavaScript in the context of the Zimbra session, leading to theft of email data, attachments, and cookies. In addition, cyber criminals could use a compromised email account to send more phishing emails or ask the victim to download additional malware.
