Google blocks a zero-day flaw used to target government emails

The Google TAG team discovered a zero-day in Zimbra

Cybersecurity researchers from Google's Threat Analysis Group (TAG) recently discovered a zero-day vulnerability in a popular email server platform that hackers were using to steal sensitive data from government organizations around the world.

In a blog post published by TAG researchers Clement Lecigne and Maddie Stone, it was said that a cross-site scripting (XSS) flaw was found in June this year in Zimbra Collaboration, a popular email server platform. An XSS flaw lets a threat actor inject a malicious script into a vulnerable web application so that it runs in the browser of a user who is logged in to it. Such a script can read and exfiltrate whatever that session can access, including email data, user credentials and authentication tokens, without the victim noticing.

The flaw is now tracked as CVE-2023-37580.

Hackers flocking

In the timeframe between the flaw being discovered and being patched, Google observed four threat actors abusing it to target various government organizations.

One threat actor was sending emails containing an exploit URL to people working for a government organization in Greece. If a victim who was logged in to a Zimbra session clicked the link, the URL loaded a framework that used the XSS flaw to steal emails and attachments and to set up an auto-forwarding rule sending the victim's mail to an attacker-controlled address.
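The persistence step in that chain, a forwarding rule that quietly copies a mailbox to an outside address, survives patching and is worth hunting for on any server that was exposed before the fix. The script below is an added example written for this article, not code from Google TAG or from the Zimbra project: it takes a dump of per-mailbox forwarding settings and flags every target outside the organisation's domains. The `account;forward_to` layout, the `ministry.example` domain and the sample records are all constructed for the example and do not represent the output of any real mail server tool.

```python
"""Hunt for mailbox auto-forwarding rules that point outside the organisation.

The records and the 'account;forward_to' layout below are constructed for
this example; they are not the output of any particular mail server tool.
"""
from dataclasses import dataclass

# Constructed sample export of per-mailbox forwarding settings: one account per
# line, several forwarding targets separated by commas, empty value = no forwarding.
SAMPLE_EXPORT = """\
# account;forward_to
alice@ministry.example;alice.home@mail.example
bob@ministry.example;
carol@ministry.example;archive@ministry.example,c0llect0r@maildrop.example
dave@ministry.example;dave@ministry.example
erin@ministry.example;erin@MINISTRY.EXAMPLE
"""

# Domains that mail is allowed to leave for (assumed organisation domain).
TRUSTED_DOMAINS = {"ministry.example"}


@dataclass(frozen=True)
class Finding:
    account: str
    target: str
    reason: str


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if malformed)."""
    _, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep else ""


def parse_export(text: str) -> dict[str, list[str]]:
    """Parse the assumed 'account;forward_to' layout into {account: [targets]}."""
    rules: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header comment
        account, _, targets = line.partition(";")
        rules[account.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return rules


def find_external_forwards(text: str, trusted_domains: set[str]) -> list[Finding]:
    """Flag every forwarding target whose domain is not in trusted_domains.

    A self-forward (an account forwarding to itself) is ignored. Everything else
    that leaves the trusted domains is reported, so an analyst can confirm with
    the user whether they created the rule or an attacker did.
    """
    trusted = {d.lower() for d in trusted_domains}
    findings: list[Finding] = []
    for account, targets in parse_export(text).items():
        for target in targets:
            if target.lower() == account:
                continue  # forwarding to oneself is harmless noise
            dom = _domain(target)
            if not dom:
                findings.append(Finding(account, target, "malformed forwarding address"))
            elif dom not in trusted:
                findings.append(Finding(account, target, f"forwards outside trusted domains ({dom})"))
    return findings


if __name__ == "__main__":
    for f in find_external_forwards(SAMPLE_EXPORT, TRUSTED_DOMAINS):
        print(f"{f.account} -> {f.target}: {f.reason}")
```

On the constructed sample the check reports alice's home address and the `c0llect0r@maildrop.example` target hidden behind carol's legitimate archive rule; the point of the second case is that an attacker-added target can sit beside a benign one, so every target is inspected rather than only the first. In a real hunt the same logic should also be run against server-side filter rules, since a forward can be expressed as a filter action rather than a mailbox preference.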

The second campaign targeted government organizations in Moldova and Tunisia, while the third one went after a Vietnamese organization. Finally, someone tried to steal Zimbra authentication tokens from people working for a Pakistani government organization.

The first campaign leveraging the zero-day was discovered in late June 2023, while Zimbra pushed the official patch a month later, in late July. The Pakistani campaign was conducted after the release of the patch, Google said, highlighting the importance of timely patching:

“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” Google concluded.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
