
Hackers Exploit Zimbra Flaw Via iCalendar Files To Steal Data

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

Hackers have exploited a previously unknown flaw in Zimbra Collaboration Suite (ZCS) using iCalendar (.ICS) files to steal sensitive data, researchers at StrikeReady revealed.

In a rush? Here are the quick facts:

  • The vulnerability affected ZCS versions 9.0, 10.0, and 10.1.
  • Attackers stole credentials, emails, contacts, and shared folders from Zimbra Webmail.
  • The malware executed asynchronously, hiding UI elements and evading detection.

ICS files are a format for exchanging calendar data, such as meetings and events, between applications. Attackers, however, found a cross-site scripting (XSS) vulnerability, tracked as CVE-2025-27915, in ZCS versions 9.0, 10.0, and 10.1.

The security problem occurred because HTML sanitization of calendar files was insufficient, allowing attackers to insert dangerous JavaScript code to steal user session credentials.

StrikeReady detected the attack through its monitoring of unusually large ICS files that contained JavaScript code. The researchers found that the campaign began in early January, before Zimbra released security updates on January 27.

“The threat actor spoofed the Libyan Navy’s Office of Protocol in an email that delivered a zero-day exploit that targeted a Brazilian military organization,” researchers said.

The attackers embedded Base64-encoded ICS files into their malicious emails to conceal their obfuscated JavaScript code. The executed code would enable attackers to steal Zimbra Webmail user credentials, together with their email content, contact information, and shared folder access.

It also used the Zimbra SOAP API to search for emails, forwarded messages to a ProtonMail address, and repeatedly sent stolen data every four hours.

The malware has three main functions: hiding user interface elements, stealing credentials when it detects the user logging out, and enforcing a three-day reactivation delay to evade detection.
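A defender-side triage check in the spirit of StrikeReady's detection (large ICS attachments carrying script), added here as an example and not code from StrikeReady or Zimbra. It decodes a Base64 .ics attachment, unfolds RFC 5545 line continuations (so a `<script` tag split across a fold is not missed), and flags properties containing HTML script constructs or an oversized payload. The ICS samples and the size threshold are constructed assumptions.

```python
import base64
import re

# RFC 5545 folds long lines: a continuation line starts with one space or tab.
def unfold_ics(text: str) -> str:
    text = text.replace("\r\n", "\n")
    return re.sub(r"\n[ \t]", "", text)

# HTML/JavaScript constructs that have no business inside calendar text properties.
_INDICATORS = [
    ("script_tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),  # heuristic: onload=, onerror=, ...
    ("iframe_or_svg", re.compile(r"<\s*(iframe|svg)\b", re.I)),
]

def find_script_indicators(ics_text: str) -> list:
    """Return (property name, indicator label) pairs for every suspicious property line."""
    hits = []
    for line in unfold_ics(ics_text).split("\n"):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        prop = name.split(";")[0].upper()  # drop parameters such as ;FMTTYPE=text/html
        for label, pattern in _INDICATORS:
            if pattern.search(value):
                hits.append((prop, label))
    return hits

def triage_attachment(b64_data: str, size_threshold: int = 20_000) -> dict:
    """Decode a Base64 .ics attachment and flag it if it is scripted or unusually large."""
    raw = base64.b64decode(b64_data)
    hits = find_script_indicators(raw.decode("utf-8", errors="replace"))
    oversized = len(raw) > size_threshold  # threshold is an assumption, tune per environment
    return {"size": len(raw), "oversized": oversized, "indicators": hits,
            "suspicious": bool(hits) or oversized}

def encode_attachment(ics_text: str) -> str:
    """Mimic how the attachment arrives in the message body (Base64 transfer encoding)."""
    return base64.b64encode(ics_text.encode()).decode()

# Constructed fixtures: a benign invite and one whose DESCRIPTION hides a script tag
# across a folded line. Neither is a real captured sample.
BENIGN_ICS = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
              "UID:constructed-benign@example.invalid\r\nSUMMARY:Staff meeting\r\n"
              "DESCRIPTION:Bring the signed protocol\r\n  document.\r\n"
              "END:VEVENT\r\nEND:VCALENDAR\r\n")
SCRIPTED_ICS = BENIGN_ICS.replace(
    "DESCRIPTION:Bring the signed protocol\r\n  document.",
    "DESCRIPTION:Agenda attached<scr\r\n ipt>/* constructed marker */</script>")

if __name__ == "__main__":
    print(triage_attachment(encode_attachment(SCRIPTED_ICS)))
```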

While StrikeReady couldn’t confirm the attackers’ identity, they noted that “a Russian-linked group is especially prolific” at exploiting such vulnerabilities. They also observed tactics similar to those used by UNC1151, a group linked to the Belarusian government.

BleepingComputer received a statement from Zimbra indicating that the company does not believe the exploit is being used at scale.

Nevertheless, the company says users should update their systems right away, monitor their network activity for suspicious behavior, and check their filters for unauthorized modifications.


Deloitte To Refund Australian Government Over AI-Generated Errors In Report

  • Written by Andrea Miliani Former Tech News Expert
  • Fact-Checked by Sarah Frazier Former Content Manager

One of the world’s largest accounting and consulting firms, Deloitte, has been required to provide the Australian government with a partial refund after the company issued a report, valued at about $440,000, that contained several AI-generated errors.

In a rush? Here are the quick facts:

  • Deloitte Australia issued a report, valued at $440,000, that contained several AI-generated errors.
  • The firm confirmed it used AI and has been required to provide a partial refund.
  • The company has been criticized as it advises large companies worldwide on the responsible use of AI.

According to The Australian Financial Review (AFR), the Department of Employment and Workplace Relations (DEWR) released on Friday an updated version of the report delivered by Deloitte Australia, including multiple corrections. The document, a review of an automated system used by the government, contained multiple mistakes, including fake academic references and non-existent quotes from a Federal Court judgment.

The first version of the report was published in July. Just a few weeks later, Dr Christopher Rudge, an academic from the University of Sydney, identified several errors in the document, suggesting they were hallucinations generated by an AI model. Deloitte launched an internal investigation after the errors were made public.

In the latest update, beyond deleting the mistakes and revising the document, Deloitte confirmed the use of generative AI: “a generative AI large language model (Azure OpenAI GPT-4o)–based tool chain licensed by DEWR and hosted on DEWR’s Azure tenancy.”

“This is no longer a ‘strong hypothesis,’” said Rudge to AFR. “Deloitte has now issued a confession, albeit buried in the methodology section. Deloitte has admitted to using generative AI for a core analytical task, but it failed to disclose this in the first place.”

A spokesperson from DEWR told AFR that Deloitte had “agreed to repay the final instalment under its contract.” The amount was not disclosed.

The Deloitte case raises concerns, especially considering that the firm advises large companies worldwide on the responsible use of AI.

“The incident is embarrassing for Deloitte as it earns a growing part of its $US70.5 billion ($107 billion) in annual global revenue by providing advice and training clients and executives about AI,” states AFR’s report. “The firm also boasts about its widespread use of the technology within its global operations, while emphasising the need to always have humans review any output of AI.”

This year, AI errors have also taken a toll on other companies. Replit’s AI agent deleted the company’s database in July, and the U.S. courts have issued multiple warnings to lawyers and law firms about AI use after AI-generated errors were found in court filings.