NATO countries targeted by Winter Vivern via Zimbra vulnerability

BleepingComputerreports that NATO-aligned countries, organizations, and individuals had their emails compromised by Russian hacking operation Winter Vivern, also known as TA473, through the exploitation of a Zimbra Collaboration server vulnerability, tracked as CVE-2022-27926. Vulnerable Zimbra Collaboration webmail platforms are being scanned by Wintern Vivern using the Acunetix scanner, with attackers then sending phishing emails that contain links exploiting the flaw to facilitate the delivery of other JavaScript payloads, according to a Proofpoint report. Winter Vivern will then be leveraging usernames, passwords, and cookie tokens stolen by the payloads from impacted Zimbra instances to facilitate email account access. "These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance. Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets," said Proofpoint, which also noted attackers' diligent pre-attack reconnaissance efforts due to the targeting of RoundCube webmail request tokens.