TAG’s discovery of a 0-day exploit used to steal email data from international government organizations.

A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.

• Proofpoint has observed recent espionage-related activity by TA473, including yet to be reported instances of TA473 targeting US elected officials and staffers. TA473 is a newly minted Proofpoint threat actor that aligns with public reporting on Winter Vivern.
• TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe.
• TA473 recons and reverse engineers bespoke JavaScript payloads designed for each government targets’ webmail portal.
• Proofpoint concurs with Sentinel One analysis that TA473 targeting superficially aligns with the support of Russian and/or Belarussian geopolitical goals as they pertain to the Russia-Ukraine War.

On September 25, 2022, CVE-2022-41352 was filed for Zimbra Collaboration Suite. The vulnerability is a remote code execution flaw that arises from unsafe usage…

CISA received seven files for analysis. Six Java Server Pages (JSP) webshells and a Bourne Again SHell (bash) file. Five JSP webshell files are designed to parse inbound requests for commands for execution, download files, and upload files. One JSP webshell file contains a form with input fields that prompts the attacker to enter the command in the input box and click "run" to execute. The command output will be displayed in a JSP page. The bash file is designed to perform ldapsearch queries and store the output into a newly created directory.

Hundreds of millions use Zimbra, an all-in-one business productivity suite for micro, small, medium & enterprise in-office and remote work teams. The Zimbra Inc company was acquired by Synacor Inc

On May 10, 2022, Zimbra released versions 9.0.0 patch 24 and 8.8.15 patch 31 to address multiple vulnerabilities in Zimbra Collaboration Suite, including CVE-2…

CISA has urged organizations to patch a recent Zimbra credential theft vulnerability after reports of exploitation in the wild.

On May 6, 2022, Rarlab released version 6.17, which addresses CVE-2022-30333, a path traversal vulnerability reported to them by Sonar, who posted a write-up about it. Sonar specifically calls out Zimbra Collaboration Suite’s usage of unrar as vulnerable (specifically, the amavisd component, which is used to inspect incoming emails for spam and malware). Zimbra addressed this issue in 9.0.0 patch 25 and 8.5.15 patch 32 by replacing unrar with 7z.

We discovered a vulnerability in Zimbra Enterprise Email that allows an unauthenticated, remote attacker fully take over Zimbra instances via a flaw in unrar.

We discovered flaws in Zimbra, an enterprise email solution, that allow attackers to steal credentials of users and gain access to their email accounts.