New Zimbra Webmail Attack Steals Credentials, Data – Here’s What You Need to Know
A sophisticated attack targeting Zimbra Webmail is currently underway, designed to steal sensitive data including your credentials, emails, contacts, and shared folders. Recent research reveals a malicious code injection leveraging .INC calendar files, enabling attackers to gain deep access to compromised accounts. This isn’t a simple phishing attempt; it’s a complex operation utilizing zero-day vulnerabilities and advanced techniques.
How Does This Attack Work?
The malicious code operates discreetly, employing asynchronous execution and Immediately Invoked Function Expressions (IIFEs) to evade detection. Here’s a breakdown of what it can do:
* It creates hidden username and password fields within the Zimbra interface.
* It actively steals your login credentials directly from login forms.
* It monitors your mouse and keyboard activity, logging out inactive users to facilitate data theft.
* It utilizes the Zimbra SOAP API to search your folders and retrieve your emails.
* It sends the content of your emails to the attacker every four hours.
* It adds a forwarding filter named “Correo” to redirect your mail to a Proton address.
* It collects authentication data and other artifacts for exfiltration.
* It exfiltrates your contacts, distribution lists, and shared folders.
* It incorporates delays and execution gates to avoid immediate detection and maintain persistence.
* It hides user interface elements to minimize visual cues that might alert you to the compromise.
What Makes This Attack Unique?
This isn’t a run-of-the-mill attack. Several factors point to a highly skilled adversary:
* Zero-Day Exploitation: The attack leverages a previously unknown vulnerability in Zimbra, making it particularly perilous.
* Advanced Techniques: The use of asynchronous execution, IIFEs, and API manipulation demonstrates a deep understanding of Zimbra’s architecture.
* Persistence & Evasion: The 60-second delay, 3-day execution gate, and UI hiding are all designed to evade detection and maintain access over time.
Who is Behind This?
Attribution remains challenging, but researchers believe a small group with the capability to discover zero-day vulnerabilities is responsible. While a definitive link hasn’t been established, a “Russian-linked group” is considered especially prolific in this type of activity.
Interestingly, similar tactics, techniques, and procedures (TTPs) have been observed in attacks attributed to UNC1151, a threat group linked to the Belarusian government by Mandiant. This suggests a potential connection, though further examination is needed.
How Can You Protect Yourself?
While a patch isn’t immediately available, you can take steps to mitigate your risk:
* Be Vigilant About Calendar Invites: Exercise extreme caution when opening .INC calendar files from unknown or untrusted sources.
* Monitor Account Activity: Regularly review your Zimbra account activity for any unusual logins or forwarding rules.
* Enable Multi-Factor Authentication (MFA): If available, enable MFA for an extra layer of security.
* Stay Informed: Keep abreast of security updates and advisories from Zimbra and the security community.
* Review Filters: Regularly check your email filters for any unexpected or suspicious rules.
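The “Monitor Account Activity” and “Review Filters” steps above can be automated on the server side. The following Python script is an added example, not code from the original article or from Zimbra: it walks a Zimbra GetFilterRulesResponse (JSON flavour; the nesting shown is an assumption to verify against your own deployment), reports every filter that redirects mail outside the organisation, and raises the severity when the rule is named “Correo” or targets a Proton address, the two indicators the article describes. The sample response, addresses and the `corp.example` domain are constructed.

```python
import json

# Constructed sample shaped like the JSON flavour of Zimbra's SOAP
# GetFilterRulesResponse (the nesting is an assumption; check it against a
# response from your own deployment before relying on this script).
SAMPLE_RESPONSE = json.dumps({"Body": {"GetFilterRulesResponse": {"filterRules": [{"filterRule": [
    {"name": "Correo", "active": 1,
     "filterActions": {"actionRedirect": [{"a": "collector@proton.me"}], "actionStop": [{}]}},
    {"name": "Archive old", "active": 1,
     "filterActions": {"actionFileInto": [{"folderPath": "Archive"}]}},
    {"name": "Home copy", "active": 0,
     "filterActions": {"actionRedirect": [{"a": "me@example.org"}]}},
]}]}}})

PROTON_DOMAINS = {"proton.me", "protonmail.com"}
CAMPAIGN_RULE_NAMES = {"Correo"}  # filter name reported for this campaign

def iter_rules(response: dict):
    """Yield every filterRule object in a parsed GetFilterRulesResponse."""
    for block in response["Body"]["GetFilterRulesResponse"].get("filterRules", []):
        yield from block.get("filterRule", [])

def redirect_targets(rule: dict):
    """Addresses the rule redirects to; empty when it has no redirect action."""
    return [r["a"] for r in rule.get("filterActions", {}).get("actionRedirect", []) if "a" in r]

def audit_forwarders(response_json: str, org_domain: str):
    """One finding per redirect that leaves org_domain; 'high' on campaign indicators."""
    findings = []
    for rule in iter_rules(json.loads(response_json)):
        for target in redirect_targets(rule):
            domain = target.rsplit("@", 1)[-1].lower()
            if domain == org_domain.lower():
                continue  # internal redirects are not what this check is for
            reasons = []
            if rule.get("name") in CAMPAIGN_RULE_NAMES:
                reasons.append("rule name matches the campaign's forwarding filter")
            if domain in PROTON_DOMAINS:
                reasons.append("redirects to a Proton address")
            findings.append({"rule": rule.get("name"), "active": bool(rule.get("active", 0)),
                             "target": target, "severity": "high" if reasons else "medium",
                             "reasons": reasons or ["redirects mail outside the organisation"]})
    return findings

if __name__ == "__main__":
    for f in audit_forwarders(SAMPLE_RESPONSE, "corp.example"):
        print(f"[{f['severity']}] {f['rule']!r} -> {f['target']}: {'; '.join(f['reasons'])}")
```

Run it over each mailbox's filter rules on a schedule and alert on any finding; an inactive rule is still worth reviewing, since the campaign can re-enable what it planted.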
Indicators of Compromise (IOCs)
Researchers have released indicators of compromise to help you identify potential infections. These include a deobfuscated version of the JavaScript code used in the attack. You can find these IOCs here.
What’s Next?
This is a developing situation. Security professionals are actively analyzing the attack and working to develop effective defenses. We will continue to monitor the situation and provide updates as they become available. Your proactive awareness and vigilance are crucial in protecting your Zimbra Webmail account and sensitive data.