
European Government Emails Stolen Through Exploiting Vulnerability in Zimbra Email Platform
- Written by Ari Denial, Cybersecurity & Tech Writer
The Russian hacking group TA473, also known as ‘Winter Vivern,’ has been targeting unpatched Zimbra endpoints since February 2023 to steal the emails of NATO officials, governments, military personnel, and diplomats. Recent operations have involved using fake European agency websites to spread malware disguised as a virus scanner.
Proofpoint has now released a report detailing how the group exploits the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to access the communications of NATO-aligned individuals and organizations.
Security researchers suggest the APT group may be aligned with Belarus and Russia, although such state support remains unproven. Zimbra Collaboration is a versatile platform used by businesses, service providers, governments, and educational institutions to manage email, contacts, calendars, and tasks, and is available for on-premise or cloud-based deployment.
A link embedded in phishing emails is used to exploit the CVE-2022-27926 vulnerability in compromised Zimbra infrastructure. The vulnerability allows JavaScript payloads to be injected into the webmail page, and those payloads steal login credentials and tokens from the cookies sent by the endpoint. The threat actors then use this information to access the targets’ email accounts with ease.
Proofpoint’s report explains that the cross-site request forgery (CSRF) JavaScript code blocks are executed by the server hosting the vulnerable webmail instance.
TA473 has been observed targeting RoundCube webmail request tokens in some instances, revealing their careful pre-attack reconnaissance to identify the specific webmail portal used by their targets before crafting phishing emails and creating landing pages.
‘Winter Vivern’ employed various tactics to evade detection, including applying three layers of base64 obfuscation to the malicious JavaScript and incorporating fragments of legitimate JavaScript taken from the native webmail portals. This blending of malicious and legitimate code reduces the likelihood of detection during analysis.
After compromising the webmail accounts, the threat actors can access sensitive information or monitor communications over an extended period of time. The breached accounts can also be used for lateral phishing attacks to infiltrate the target organizations further.

Misconfigured Microsoft App Causes Hijacking of Bing Search Results
- Written by Ari Denial, Cybersecurity & Tech Writer
Cybersecurity firm Wiz has reported an Azure Active Directory (AAD) misconfiguration, which left applications vulnerable to unauthorized access and could have resulted in the hijacking of Bing.com.
AAD, Microsoft’s cloud-based Identity and Access Management (IAM) service, is commonly used as the authentication method for Azure App Services and Azure Functions applications.
Wiz Research identified the security flaw and dubbed the exploit “BingBang.” Developers use the ‘Supported account types’ configuration setting to determine which account types are permitted to access the application: accounts from multiple tenants, personal accounts, or a combination of both.
The availability of this configuration option is intended for legitimate scenarios where developers need to enable their applications to be accessed across different organizations.
If a developer accidentally grants access too broadly, unauthorized users can reach the application and its functionality.
Wiz analysts discovered a misconfigured “Bing Trivia” app that allowed unrestricted access to its CMS, which was linked directly to Bing.com. They successfully modified search results and conducted a cross-site scripting attack, which led to the compromise of Office 365 tokens for Bing users.
Wiz reported the issue to Microsoft and worked together to assess the impact of the attack, which gave access to sensitive data such as SharePoint documents, Outlook emails, messages on Teams, Calendar Data, and OneDrive files.
Most significantly, Microsoft has stopped issuing access tokens to clients that are not registered in the resource tenant, so that only appropriately registered clients can obtain access.
According to Microsoft’s advisory, “over 99% of customer applications” have had this feature disabled. Microsoft has supplied guidance to Global Admins (via the Azure Portal and email) and the Microsoft 365 Message Center on how to proceed with the remaining multi-tenant resource applications that depend on client access without a service principal.
Further security checks have been implemented for multi-tenant applications, including validation of the tenant ID against a specified allow-list and verification of the client registration (Service Principal).
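As an added illustration of the tenant allow-list check described above (example code written for this page, not Microsoft’s or Wiz’s), this Python function accepts the claims of a token whose signature has already been verified by a JWT library and rejects tokens whose tenant is not on the application’s allow-list, whose issuer does not match the tenant claim, or whose audience is a different app. The tenant and client IDs are constructed placeholders, and the two issuer URL formats assumed are the Microsoft identity platform v1.0 (`sts.windows.net`) and v2.0 (`login.microsoftonline.com`) forms.

```python
import re
from typing import Mapping, Optional, Set

# Assumed issuer formats: v2.0 tokens embed the tenant id in the
# login.microsoftonline.com URL, v1.0 tokens in the sts.windows.net URL.
ISSUER_RE = re.compile(
    r"^https://(?:login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0"
    r"|sts\.windows\.net/([0-9a-f-]{36})/)$"
)


def check_tenant_claims(claims: Mapping[str, str],
                        allowed_tenants: Set[str],
                        expected_audience: str) -> Optional[str]:
    """Return None if the (already signature-verified) claims are acceptable
    for this multi-tenant app, otherwise a short rejection reason.

    This is the allow-list step: a valid token from *any* tenant is not
    enough, the tenant must be one the application has explicitly admitted.
    """
    aud = claims.get("aud")
    if aud != expected_audience:
        return f"audience {aud!r} is not this app"
    tid = claims.get("tid")
    if not tid:
        return "no tenant id (tid) claim"
    match = ISSUER_RE.match(claims.get("iss", ""))
    if not match:
        return "issuer is not a recognised Microsoft identity platform issuer"
    issuer_tid = match.group(1) or match.group(2)
    if issuer_tid != tid:
        return "issuer tenant does not match tid claim"
    if tid not in allowed_tenants:
        return f"tenant {tid} is not on the allow-list"
    return None


# Constructed placeholder identifiers for the demonstration below.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"


def sample_claims(tid: str, issuer_tid: Optional[str] = None,
                  aud: str = APP_ID) -> dict:
    """Build a constructed v2.0-style claim set for testing the check."""
    return {"aud": aud, "tid": tid,
            "iss": f"https://login.microsoftonline.com/{issuer_tid or tid}/v2.0"}
```

A token minted for a user in an attacker-controlled foreign tenant passes signature validation but is refused at the allow-list step, which is the check the article describes Microsoft adding for multi-tenant applications.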