Winter Vivern Uses Zimbra Vulnerability to Target NATO Email | Proofpoint US

Proofpoint attributes to TA473, also known as Winter Vivern, a campaign that exploits CVE-2022-27926, a reflected cross-site scripting (XSS) flaw in Zimbra Collaboration, on publicly facing webmail portals to reach European government-related email accounts, with bespoke JavaScript payloads crafted for each target portal. The researchers urge patching Zimbra and restricting public exposure of webmail portals to disrupt this persistent, reconnaissance-driven campaign. #WinterVivern #TA473 #CVE-2022-27926 #Zimbra #CSRF #CrossSiteRequestForgery #NATO

Key points

  • TA473 (Winter Vivern) targets military, government, and diplomatic entities across Europe, with indications from late 2022 into 2023 that US officials and staffers have also been targeted.
  • The group exploits Zimbra Collaboration CVE-2022-27926 on publicly facing webmail portals to gain access to victim mailboxes.
  • TA473 conducts extensive reconnaissance of each target's webmail portal and writes a bespoke JavaScript payload tailored to that portal before attempting exploitation.
  • Phishing emails are sent from compromised domains with spoofed From addresses and contain benign-looking URLs that lead to attacker-controlled malicious content.
  • The JavaScript payloads are CSRF-oriented: they steal usernames, passwords, and CSRF tokens, and attempt to log in with any token that is still active. Because the script runs in the webmail portal's own origin, it can read the portal's CSRF token and submit authenticated requests that an ordinary cross-site page could not.
  • TA473 uses the Acunetix vulnerability scanner to find unpatched portals, reflecting persistent, targeted research on victims adjacent to current geopolitical events.
  • Mitigation: patch all Zimbra Collaboration installations and restrict public access to webmail portals, which also denies TA473 the reconnaissance it needs to develop its bespoke scripts.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – ‘TA473 sends emails from compromised email addresses. Often these emails originate from WordPress hosted domains that may be unpatched or unsecure at the time of compromise.’
  • [T1190] Exploit Public-Facing Application – ‘Beginning in early 2023, Proofpoint observed a trend of TA473 phishing campaigns targeting European government entities that take advantage of CVE-2022-27926.’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – ‘The actor writes bespoke JavaScript payloads designed for each government target’s webmail portal … to conduct Cross Site Request Forgery.’
  • [T1041] Exfiltration Over C2 Channel – ‘Caches the stolen values to the actor-controlled server’; stolen credentials and tokens are posted to attacker infrastructure.

Indicators of Compromise

  • [URL] hxxps://oscp-avanguard[.]com/asn15180YHASIFHOP__ASNfas21/auth.js, hxxps://oscp-avanguard[.]com/settingPopImap/SettingupPOPandIMAPaccounts.html
  • [URL] hxxps://troadsecow[.]com/cbzc.policja.gov.pl
  • [URL] hxxps://bugiplaysec[.]com/mgu/auth.js
  • [URL] hxxps://nepalihemp[.]com/assets/img/images/623930va
  • [URL] hxxps://ocs-romastassec[.]com/redirect/?id=[target specific ID]&url=[Base64 Encoded Hyperlink URL hochuzhit-com.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&x_tr_pto=wapp]
  • [URL] hxxps://ocspdep[.]com/inotes.sejm.gov.pl?id=[Target Specific SHA256 Hash]
  • [Domain] C2 Domains – ocspdep[.]com, bugiplaysec[.]com, oscp-avanguard[.]com, troadsecow[.]com, nepalihemp[.]com
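The indicators above are the practical hook for detection. The following is an added example, not code from the Proofpoint post: it refangs the published domains and URLs, then matches them against web-proxy log lines. The log format (space-separated timestamp, client, method, URL), the sample lines and the synthetic 64-hex `id` value are all constructed here; the rule that treats a C2 host plus a 64-hex `id` parameter as a hit is derived from the page's note that the ocspdep[.]com `id` is a target-specific SHA256 hash.

```python
"""
Added example, not code from the Proofpoint post: match web-proxy log lines
against the TA473 / Winter Vivern indicators listed above.

Assumptions (mine, not the page's):
- Proxy logs are space-separated "timestamp client method url" records;
  the sample lines below are constructed, not real traffic.
- Indicators are copied defanged (hxxps, [.]) as published and refanged
  here before matching; the published URL whose id is a placeholder is
  matched structurally instead (C2 domain plus a 64-hex "id" parameter).
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Indicators from the summary, kept defanged exactly as published.
DEFANGED_DOMAINS = [
    "ocspdep[.]com",
    "bugiplaysec[.]com",
    "oscp-avanguard[.]com",
    "troadsecow[.]com",
    "nepalihemp[.]com",
]
DEFANGED_URLS = [
    "hxxps://oscp-avanguard[.]com/asn15180YHASIFHOP__ASNfas21/auth.js",
    "hxxps://oscp-avanguard[.]com/settingPopImap/SettingupPOPandIMAPaccounts.html",
    "hxxps://troadsecow[.]com/cbzc.policja.gov.pl",
    "hxxps://bugiplaysec[.]com/mgu/auth.js",
    "hxxps://nepalihemp[.]com/assets/img/images/623930va",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
# The page says the ocspdep[.]com "id" value is a target-specific SHA256 hash.
SHA256_HEX_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a matchable string."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


C2_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
C2_URLS = {refang(u) for u in DEFANGED_URLS}


def classify(url: str) -> list:
    """Return the reasons a URL matches the published indicators ([] if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname is already lowercased by urlsplit
    reasons = []
    if host in C2_DOMAINS:
        reasons.append(f"C2 domain {host}")
    # Exact match against the published URLs: host case-insensitive, path case-sensitive.
    if f"{parts.scheme.lower()}://{host}{parts.path}" in C2_URLS:
        reasons.append("published URL")
    # Target-specific tracking ID: a C2 host plus id=<64 hex chars>.
    if host in C2_DOMAINS:
        for key, value in parse_qsl(parts.query):
            if key == "id" and SHA256_HEX_RE.match(value):
                reasons.append("target-specific SHA256 id")
    return reasons


def scan(log_text: str) -> list:
    """Scan proxy log text and return one hit record per matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        reasons = classify(m["url"])
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": m["url"], "reasons": reasons})
    return hits


# Constructed sample log; the 64-hex id is synthetic, not a real TA473 value.
SYNTHETIC_ID = "0123456789abcdef" * 4
SAMPLE_LOG = f"""\
2023-03-01T09:12:41Z 10.0.4.21 GET https://mail.example.gov/zimbra/
2023-03-01T09:12:43Z 10.0.4.21 GET https://bugiplaysec.com/mgu/auth.js
2023-03-01T09:12:44Z 10.0.4.21 GET https://ocspdep.com/inotes.sejm.gov.pl?id={SYNTHETIC_ID}
2023-03-01T09:13:02Z 10.0.4.22 GET https://www.proofpoint.com/us/blog/
2023-03-01T09:15:10Z 10.0.4.23 GET https://OSCP-AVANGUARD.com/settingPopImap/SettingupPOPandIMAPaccounts.html
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], "->", "; ".join(hit["reasons"]))
```

Domain matching is done on the parsed hostname rather than by substring search so that a lookalike such as `notocspdep.com` or an IOC string appearing in a query parameter does not produce a false hit; the published URLs are compared with the path case preserved, since the actor's paths contain mixed case.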

Read more: https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability