The Cybersecurity and Infrastructure Security Agency (CISA) warned federal agencies to patch a Zimbra Collaboration (ZCS) cross-site scripting flaw exploited by Russian hackers to steal emails in attacks targeting NATO countries.
The vulnerability (CVE-2022-27926) was abused by a Russian hacking group tracked as Winter Vivern and TA473 in attacks on multiple NATO-aligned governments’ webmail portals to access the email mailboxes of officials, governments, military personnel, and diplomats.
Winter Vivern’s attacks start with the hackers using the Acunetix tool vulnerability scanner to find vulnerable ZCS servers and sending users phishing emails that spoof senders the recipients are familiar with.
Each email redirected the targets to attacker-controlled servers that exploit the CVE-2022-27926 bug or attempt to trick the recipients into handing over their credentials.
When targeted with an exploit, the URLs also contain a JavaScript snippet that will download a second-stage payload to launch a Cross-Site Request Forgery (CSRF) attack to steal Zimbra users’ credentials and CSRF tokens.
In the following steps, the threat actors used the stolen credentials to obtain sensitive information from the breached webmail accounts or maintain persistence to keep track of exchanged emails over time.
The hackers may also leverage the compromised accounts to launch more phishing attacks and expand their infiltration of targeted organizations.
Federal agencies ordered to patch until April 24
The vulnerability was added today to CISA’s Known Exploited Vulnerabilities (KEV) catalog, a list of security flaws known to be actively exploited in the wild.
According to a binding operational directive (BOD 22-01) issued by the U.S. cybersecurity agency in November 2021, Federal Civilian Executive Branch Agencies (FCEB) agencies must patch vulnerable systems on their networks against bugs added to the KEV list.
CISA gave FCEB agencies three weeks, until April 24, to secure their networks against attacks that would target the CVE-2022-27926 flaw.
While BOD 22-01 only applies to FCEB agencies, CISA also strongly urged all organizations to prioritize addressing these bugs to block further exploitation attempts.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned today.
On Thursday, CISA also ordered federal agencies to patch security vulnerabilities exploited as zero-days in recent attacks to deploy commercial spyware on Android and iOS mobile devices, as Google’s Threat Analysis Group (TAG) recently revealed.