Volexity uncovered a zero-day cross-site scripting (XSS) vulnerability in Zimbra (CVE-2022-24682) that TEMP_Heretic exploited through spear-phishing campaigns to access and exfiltrate mail data. A successful exploit let the attackers run JavaScript inside the victim's Zimbra webmail session, steal session cookies, and potentially exfiltrate broader mailbox data to attacker-controlled infrastructure hosted at BitLaunch; attribution leans toward a Chinese origin. #TEMP_Heretic #Zimbra #CVE-2022-24682 #BitLaunch
Keypoints
- TEMP_Heretic conducted targeted spear-phishing against a Zimbra customer to exploit an unpatched zero-day XSS vulnerability.
- The exploitation allowed arbitrary JavaScript to run in the context of the victim’s Zimbra session, enabling data theft and further actions.
- The campaign unfolded in two phases: reconnaissance via remote images and subsequent waves with attacker-crafted links to lure clicks.
- Exfiltration capabilities included cookie theft to enable persistent mailbox access, as well as potential theft of mail and attachments and phishing of the target's contacts from the compromised mailbox.
- Infrastructure used Freenom domains hosted on AS399269 (BitLaunch), some serving over TLS and some over plain HTTP; attribution leans toward a Chinese origin based on operational timing and request headers.
- Zimbra issued an update (8.8.15P30 Update 2) to patch the vulnerability; organizations are advised to upgrade and to block the listed IOCs at mail gateways and on the network.
MITRE Techniques
- [T1203] Exploitation for Client Execution – ‘Successful exploitation results in the attacker being able to run arbitrary JavaScript in the context of the user’s Zimbra session.’
- [T1566.002] Spearphishing Link – ‘The attacker embedded links to attacker-controlled infrastructure… and lured targets to click a malicious attacker-crafted link.’
- [T1539] Steal Web Session Cookie – ‘Exfiltrate cookies to allow persistent access to a mailbox.’
- [T1189] Drive-by Compromise – ‘Present a prompt to download malware in the context of a trusted website.’
- [T1583.001] Acquire Infrastructure (Domains/Hosting) – ‘All identified infrastructure used Freenom domains hosted on AS399269, which belongs to BitLaunch (BLNWX).’
Indicators of Compromise
- [Domain] context – amazon-check.ga, amazon-check.tk, and 2 more items
- [IP Address] context – 108.160.133.32, 172.86.75.158
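The recommendation above is to block the listed IOCs at mail gateways and on the network. The following is an added example of how a responder could sweep existing DNS, proxy and SMTP logs for the same indicators; it is not code from Volexity or from the Zimbra project. Only the two domains and two IP addresses printed on this page are included (the page mentions two further domains without naming them), and the log line formats and the sample lines themselves are constructed for the example. The matching is label-based so that subdomains of an IOC domain are caught while look-alike names that merely share a suffix are not.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# IOCs exactly as listed in the summary above. The page says there are two
# further domains but does not name them, so they are deliberately absent.
IOC_DOMAINS = {"amazon-check.ga", "amazon-check.tk"}
IOC_IPS = {"108.160.133.32", "172.86.75.158"}

# Loose extractors: hostnames (from URLs, DNS qnames or bare domains) and
# IPv4 literals. Lines are lowercased first so AMAZON-CHECK.ga still matches.
_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Hit:
    line_no: int      # 1-based index into the scanned input
    kind: str         # "domain" or "ip"
    observed: str     # the token as it appeared in the log (lowercased)
    ioc: str          # the listed IOC it matched


def matching_domain(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of.

    Label-based, not a plain suffix check: img.amazon-check.ga matches,
    notamazon-check.ga does not.
    """
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def matching_ip(token: str) -> Optional[str]:
    """Return the token if it is a well-formed IPv4 address on the IOC list."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return None  # e.g. 999.1.1.1, or a version string that looked like an IP
    return token if str(ip) in IOC_IPS else None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Scan free-form log lines and return every IOC match, in line order."""
    hits: List[Hit] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.lower()
        for host in _HOST_RE.findall(line):
            ioc = matching_domain(host)
            if ioc:
                hits.append(Hit(line_no, "domain", host, ioc))
        for token in _IPV4_RE.findall(line):
            ioc = matching_ip(token)
            if ioc:
                hits.append(Hit(line_no, "ip", token, ioc))
    return hits


# Constructed sample log lines (hypothetical formats; not from the report).
# Lines 1-3 should fire; 4-6 are benign look-alikes that must not.
SAMPLE_LOG = [
    "2022-02-03T09:58:01Z smtpd connect from unknown[108.160.133.32]",
    "2022-02-03T10:15:22Z dns client=10.0.0.45 qname=img.AMAZON-CHECK.ga qtype=A",
    "2022-02-03T10:15:23Z proxy client=10.0.0.45 url=https://amazon-check.tk/images/logo.png status=200",
    "2022-02-03T10:16:00Z proxy client=10.0.0.46 url=https://www.amazon.com/ status=200",
    "2022-02-03T10:17:05Z dns client=10.0.0.47 qname=notamazon-check.ga qtype=A",
    "2022-02-03T10:18:40Z smtpd connect from unknown[108.160.133.3]",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.observed} -> IOC {hit.ioc}")
```

Run it against exported gateway or resolver logs one line at a time; the line number in each `Hit` is what you pivot on to recover the client address and timestamp for the incident timeline. Note that the first-phase reconnaissance e-mails described above loaded remote images, so proxy and DNS logs from before the link-bearing waves are worth including in the sweep.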