"Winter Vivern Hackers Exploit Zimbra Flaw to Steal NATO Emails"

Since February 2023, a Russian hacker group tracked as TA473, also known as Winter Vivern, has exploited vulnerabilities in unpatched Zimbra endpoints to steal the emails of NATO officials, governments, military personnel, and diplomats. Sentinel Labs reported on a new Winter Vivern campaign aimed at spreading malware masquerading as a virus scanner by mimicking European agencies battling cybercrime. Proofpoint has released new research detailing how the threat actors exploit CVE-2022-27926 on Zimbra Collaboration servers to gain access to the communications of NATO-aligned organizations and individuals. Winter Vivern attacks begin with the threat actor using the Acunetix tool vulnerability scanner to check for unpatched webmail platforms. Then, the hackers send a phishing email from an address spoofed to appear as though it is from a person or organization with which the target is familiar. The emails contain a link that exploits CVE-2022-27926 in the victim's compromised Zimbra infrastructure to inject additional JavaScript payloads into the webpage. These payloads are then used to collect usernames, passwords, and tokens from cookies sent by a compromised Zimbra endpoint. This article continues to discuss Winter Vivern hackers' exploitation of vulnerabilities in unpatched Zimbra endpoints.

Bleeping Computer reports "Winter Vivern Hackers Exploit Zimbra Flaw to Steal NATO Emails"