A threat actor, likely Chinese in origin, is actively attempting to exploit a zero-day vulnerability in the Zimbra open-source email platform as part of spear-phishing campaigns that commenced in December 2021.
The espionage operation — codenamed "EmailThief" — was detailed by cybersecurity company Volexity in a technical report published Thursday, noting that successful exploitation of the cross-site scripting (XSS) vulnerability could result in the execution of arbitrary JavaScript code in the context of the user's Zimbra session.
Volexity attributed the intrusions, which started on December 14, 2021, to a previously undocumented hacking group it's tracking under the moniker TEMP_HERETIC, with the assaults aimed at European government and media entities. The zero-day bug impacts the most recent open-source edition of Zimbra running version 8.8.15.
The attacks are believed to have occurred in two phases. The first stage aimed at reconnaissance and distributing emails designed to track whether a target received and opened the messages. In the subsequent stage, multiple waves of email messages were sent to trick the recipients into clicking a malicious link.
In total, 74 unique outlook.com email addresses were created by the attacker to send out the missives over a period of two weeks, among which the initial recon messages contained generic subject lines ranging from invitations to charity auctions to refunds for airline tickets.
"For the attack to be successful, the target would have to visit the attacker's link while logged into the Zimbra webmail client from a web browser," Steven Adair and Thomas Lancaster noted. "The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook."
The unpatched flaw, should it be weaponized, could be abused to exfiltrate cookies to allow persistent access to a mailbox, send phishing messages from the compromised email account to widen the infection, and even facilitate the download of additional malware.
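The two consequences described above (script running in the user's webmail session, and that script reading the session cookie) map onto two generic webmail-side defenses. The example below is added here to illustrate them; it is not code from Volexity's report or from the Zimbra project, and the function names, the constructed message, and the cookie name `ZM_AUTH_TOKEN_EXAMPLE` are assumptions made for the illustration. It shows HTML escaping applied at the point where untrusted message fields are rendered, and a session cookie built with the `HttpOnly`, `Secure` and `SameSite` attributes so that script injected into the page cannot read the token via `document.cookie`.

```javascript
// Added example (not from Volexity's report or Zimbra's code): generic
// defenses against the class of bug described above, a cross-site scripting
// flaw in a webmail client.
//
// 1. escapeHtml(): HTML escaping for untrusted strings that a webmail UI
//    renders into the page (sender names, subject lines, and so on).
// 2. buildSessionCookie(): emits a Set-Cookie header value with the
//    HttpOnly, Secure and SameSite attributes, so script running in the page
//    cannot read the session token through document.cookie.
// Function names, inputs and the cookie name are constructed for this example.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that can change HTML structure or break out of an
// attribute value. Apply this at the point of insertion into HTML, not on
// storage, so the same data can still go safely to other output contexts.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one row of a mail list. Everything originating from the message
// (sender, subject) passes through escapeHtml(); the markup itself is fixed.
function renderMessageRow(message) {
  return (
    `<tr><td>${escapeHtml(message.from)}</td>` +
    `<td>${escapeHtml(message.subject)}</td></tr>`
  );
}

// Build a hardened session cookie. HttpOnly keeps the token out of
// document.cookie (so script injected into the page cannot simply read it),
// Secure restricts it to HTTPS, and SameSite=Strict keeps it off cross-site
// navigations such as a link opened from a desktop mail client.
function buildSessionCookie(name, value, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
  if (/[\s;,]/.test(value)) throw new Error("invalid cookie value");
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds <= 0) {
    throw new Error("invalid Max-Age");
  }
  return [
    `${name}=${value}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "Secure",
    "HttpOnly",
    "SameSite=Strict",
  ].join("; ");
}

// Run both helpers on a constructed message whose subject carries markup.
function demo() {
  const constructedMessage = {
    from: "Charity Auction <auction@example.invalid>",
    subject: "Your refund <script>alert(1)</script> is ready",
  };
  return {
    row: renderMessageRow(constructedMessage),
    cookie: buildSessionCookie("ZM_AUTH_TOKEN_EXAMPLE", "abc123", 3600),
  };
}

console.log(demo());
```

Escaping at render time neutralizes markup carried in message fields, and the cookie attributes limit what injected script could do with the session even if some other rendering path were missed; neither replaces patching the flaw itself.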
"None of the infrastructure identified […] exactly matches infrastructure used by previously classified threat groups," the researchers said. "However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor."
"Users of Zimbra should consider upgrading to version 9.0.0, as there is currently no secure version of 8.8.15," the company added.