Category: Threat Actor Activity | Industries: Government, Military | Level: Strategic | Source: Proofpoint

Since February 2023, the Russian-aligned hacking group TA473, also known as 'Winter Vivern', has been exploiting the Zimbra vulnerability CVE-2022-27926 against publicly facing Zimbra-hosted webmail portals. Their main objective is to steal sensitive emails belonging to government officials, military personnel, diplomats, and NATO members involved in the Russia-Ukraine war. Proofpoint researchers report that Winter Vivern's campaign against military and government officials began with scanning tools such as Acunetix to identify vulnerable targets. Following this reconnaissance, the actors sent phishing emails from compromised addresses, spoofed to appear as accounts the target knows or as someone relevant to their organization. "Often targeted individuals are experts in facets of European politics or economy as it pertains to regions impacted by the ongoing conflict. Social engineering lures and impersonated organizations often pertain to Ukraine in the context of armed conflict," Proofpoint said.

Within the email is a link that exploits the Zimbra vulnerability, CVE-2022-27926. Through this exploit, further JavaScript payloads are injected into the webmail page, enabling the theft of credentials including usernames, passwords, and tokens. The stolen credentials give the threat actors unrestricted access to the targets' email accounts. Once inside a compromised webmail account, the actors can monitor the organization's communications over an extended period, use the breached accounts for lateral phishing, and infiltrate the target organizations further. Winter Vivern is growing in sophistication, refining its operational approach, and succeeding even against high-profile targets that are slow to apply crucial software patches. The actors have also demonstrated the capability to research their targets in order to craft convincing phishing emails, and to exploit zero-days such as Follina, CVE-2022-30190, and the Zimbra vulnerability reported here.
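As an added defender-side illustration (not code from Proofpoint's report): a small scan over webmail access logs that flags requests whose query parameters carry HTML or script fragments, the characteristic shape of a reflected-XSS link like the one this campaign delivered. The log lines, hosts, paths and parameter names are constructed placeholders, not indicators from the report.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format) from a hypothetical
# webmail host; IPs, paths and parameter names are placeholders, not report IoCs.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2023:09:12:01 +0000] "GET /zimbra/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Mar/2023:09:12:05 +0000] "GET /zimbra/?q=%3Cscript%20src%3D%22https%3A%2F%2Fexample.invalid%2Fc.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Mar/2023:09:13:40 +0000] "GET /zimbra/?msg=hello%20world HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Mar/2023:09:14:02 +0000] "GET /zimbra/?x=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Injection indicators, checked on the fully decoded parameter value so that
# single- and double-URL-encoded payloads are both caught.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("event_handler", re.compile(r"<[^>]+\son\w+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("html_tag", re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I)),
]

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly until the value stops changing (bounded)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_xss_attempts(log_text: str) -> list[dict]:
    """Return one finding per request whose query string carries an injection indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        parts = urlsplit(m["target"])
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            for label, pattern in INDICATORS:
                if pattern.search(value):
                    findings.append({"ip": m["ip"], "path": parts.path, "param": name, "indicator": label})
                    break  # one finding per parameter is enough for triage
    return findings

if __name__ == "__main__":
    for finding in find_xss_attempts(SAMPLE_LOG):
        print(finding)
```

Hits against a webmail host that is not yet patched for CVE-2022-27926 are worth correlating with subsequent logins from the same session, since the goal of the injected script is credential and token theft.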

