Targets Include Small and Medium Businesses and Government Agencies
Threat actors are on a phishing spree targeting users of the Zimbra Collaboration email suite, in particular small and medium businesses and government agencies worldwide.
Security researchers from Eset on Thursday revealed the ongoing campaign, writing that the hackers behind it have been active since at least April.
Countries hit by the campaign are located across the globe, but the greatest number are in Poland, followed by Ecuador and Italy. Zimbra is popular among companies that typically have moderate IT budgets. The open-core email solution was the target earlier this year of likely nation-state hackers, but Eset said it’s not drawing any attribution conclusions (see: Phishing Campaign Tied to Russia-Aligned Cyberespionage).
Eset also observed compromised accounts on Zimbra email servers being used to send further waves of phishing emails. One explanation, which Eset said it can’t confirm with the available data, is that the attackers reused compromised passwords to gain access to the system administrator account and create new accounts.
Victims initially receive an email about server updates containing an HTML file attachment. Anyone who opens it sees a spoofed Zimbra login page customized to the targeted organization. Attackers prefill the username field.
Once victims supply their valid credentials to the malicious form, their information is sent to a server controlled by threat actors.
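To make the described attachment concrete from the defender's side, here is an added example (not code from Eset's report or from Zimbra) of a mail-gateway heuristic that flags an HTML attachment carrying a login form which posts to a host outside the organisation or arrives with the username already filled in. The hostnames and the sample attachment are constructed for the demonstration.

```python
"""Flag HTML attachments that carry a credential-harvesting login form.

Heuristic mirrors the campaign above: a standalone HTML file with a
password field whose form posts to a host the organisation does not own,
often with the username prefilled.  (Added example; hostnames constructed.)
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collect, per <form>, its action URL, whether it has a password
    field, and any prefilled username-like text input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False,
                         "prefilled_user": None}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            kind = (a.get("type") or "text").lower()
            name = (a.get("name") or a.get("id") or "").lower()
            if kind == "password":
                self._cur["password"] = True
            elif kind in ("text", "email") and a.get("value") and \
                    any(k in name for k in ("user", "login", "email")):
                self._cur["prefilled_user"] = a["value"]

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def scan_html_attachment(html, trusted_hosts):
    """Return the reasons an attachment looks like a phishing login page
    (empty list if nothing suspicious).  trusted_hosts: the organisation's
    own webmail hostnames, lower-case."""
    p = _FormScanner()
    p.feed(html)
    reasons = []
    for f in p.forms:
        if not f["password"]:          # only forms that ask for a password
            continue
        host = urlparse(f["action"]).hostname
        if host not in trusted_hosts:
            reasons.append(f"login form posts credentials to "
                           f"{host or 'a relative URL'}, not a trusted host")
        if f["prefilled_user"]:
            reasons.append(f"username prefilled with {f['prefilled_user']!r}")
    return reasons
```

The heuristic only inspects HTML forms; a page that submits credentials from script instead of a form action needs a separate check.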
“The popularity of Zimbra Collaboration among organizations expected to have lower IT budgets ensures that it stays an attractive target for adversaries,” Eset wrote.