Government agencies in Moldova, Pakistan, Tunisia, and Vietnam have been targeted by threat actors in campaigns exploiting a zero-day vulnerability in the Zimbra Collaboration email server that was discovered in June, reports The Record, a news site by cybersecurity firm Recorded Future.
The flaw, classified as CVE-2023-37580, is a cross-site scripting bug that lets attackers inject malicious scripts into pages served by the vulnerable Zimbra server, so that the scripts execute in victims' browsers. A hotfix was released on GitHub on July 5, followed by an official patch issued on July 25. According to Google, Greek government organizations were attacked on June 29 using an email with a malicious link, followed by Moldova and Tunisia on July 11, Vietnam on July 20, and Pakistan on August 25. The breaches led to the unauthorized extraction of user credentials, authentication tokens, and email information. The attacks on Moldova and Tunisia were attributed to the Russia-linked hacking group Winter Vivern. The Vietnam breach involved an exploit URL that led to a script that displayed a phishing page. The fourth campaign occurred after the hotfix's release and involved the attempted theft of Zimbra authentication tokens.
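To make the bug class concrete, here is an added illustration of a reflected cross-site scripting flaw and its fix. It is generic example code, not Zimbra's code and not the actual vulnerable endpoint: the handler name, the `msg` query parameter and the request URLs are constructed for the example, and the page does not give the real Zimbra parameter. The vulnerable handler copies a query value into HTML unescaped; the hardened handler escapes it, and a cookie helper shows the `HttpOnly` and `SameSite` attributes that keep a session token out of reach of any script that does get injected, which is the token-theft scenario the article describes.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed request URLs for the example (hypothetical host and parameter).
BENIGN_URL = "https://mail.example/app/page?msg=hello"
PROBE_URL = "https://mail.example/app/page?msg=<script>probe()</script>"


def _param(request_url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    query = parse_qs(urlparse(request_url).query)
    return query.get(name, [""])[0]


def render_vulnerable(request_url: str) -> str:
    """Reflected XSS: the attacker-controlled value lands in the page verbatim,
    so any markup in it is interpreted by the victim's browser."""
    msg = _param(request_url, "msg")
    return f"<p>{msg}</p>"


def render_fixed(request_url: str) -> str:
    """Hardened form: HTML-escape the value before placing it in element content,
    so '<', '>', '&' and quotes are rendered as text, never as markup."""
    msg = _param(request_url, "msg")
    return f"<p>{html.escape(msg, quote=True)}</p>"


# Crude review check: does rendered output contain executable constructs that
# did not come from the template itself?  Only <p>...</p> is ours.
_ACTIVE = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def contains_active_content(rendered: str) -> bool:
    """True if the rendered HTML carries script tags, inline handlers or
    javascript: URLs, which a template rendering plain text should never emit."""
    return _ACTIVE.search(rendered) is not None


def session_cookie_header(token: str, secure: bool = True) -> str:
    """Build a Set-Cookie header for a session token.  HttpOnly keeps the value
    out of document.cookie, so an injected script cannot read it directly;
    SameSite=Strict and Secure limit where the browser will send it."""
    attrs = ["Path=/", "HttpOnly", "SameSite=Strict"]
    if secure:
        attrs.append("Secure")
    # 'session' is a hypothetical cookie name for the example.
    return "Set-Cookie: session=" + token + "; " + "; ".join(attrs)


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PROBE_URL))
    print("fixed:     ", render_fixed(PROBE_URL))
    print(session_cookie_header("constructed-token-value"))
```

The escaping is the correct fix only for text placed in element content; a value inserted into an attribute, a URL or a script block needs the encoding appropriate to that context, which is why the fixed handler keeps the value inside a plain `<p>` element.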