
Winter Vivern APT Targets European Government Entities with Zimbra Vulnerability

Mar 31, 2023 | Ravie Lakshmanan | Cyber Espionage / APT


The advanced persistent threat (APT) actor known as Winter Vivern
is now targeting officials in Europe and the U.S. as part of an
ongoing cyber espionage campaign.

“TA473 since at least February 2023 has continuously leveraged
an unpatched Zimbra vulnerability in publicly facing webmail
portals that allows them to gain access to the email mailboxes of
government entities in Europe,” Proofpoint said[1]
in a new report.

The enterprise security firm is tracking the activity under its
own moniker TA473 (aka UAC-0114), describing it as an adversarial
crew whose operations align with Russian and Belarusian
geopolitical objectives.

What it lacks in sophistication, it makes up for in persistence.
In recent months, the group has been linked to attacks targeting
state authorities of Ukraine and Poland [2] as well as government
officials in India, Lithuania, Slovakia, and the Vatican [3].

The NATO-related intrusion wave entails the exploitation of
CVE-2022-27926 (CVSS score: 6.1), a now-patched medium-severity
security flaw in Zimbra Collaboration that could enable
unauthenticated attackers to execute arbitrary JavaScript or HTML
code.

This also involves employing scanning tools like Acunetix to
identify unpatched webmail portals belonging to targeted
organizations with the goal of sending phishing email under the
guise of benign government agencies.

The messages come with booby-trapped URLs that exploit the
cross-site scripting (XSS) flaw in Zimbra to execute custom
Base64-encoded JavaScript payloads within the victims’ webmail
portals to exfiltrate usernames, passwords, and access tokens.

It’s worth noting that each JavaScript payload is tailored to
the targeted webmail portal, indicating that the threat actor is
willing to invest time and resources to reduce the likelihood of
detection.
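The chain described above (a crafted URL that carries a Base64-encoded JavaScript payload into the webmail portal) leaves a trace in the web server's access log. As an added, defender-side example that is not from the article or from Proofpoint, the script below scans Apache-style request lines, Base64-decodes any long encoded runs found in query parameters, and flags values that decode to credential- or token-stealing JavaScript. The log lines, the /webmail/ path and the parameter names are constructed placeholders, not real Zimbra URLs or real traffic.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

# Strings rarely seen in a legitimate webmail URL parameter but typical of token-stealing JS.
JS_INDICATORS = ("document.cookie", "XMLHttpRequest", "fetch(", "<script",
                 "localStorage", "csrf", "password")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decoded_base64_runs(value):
    """Yield UTF-8 text for each base64-looking run inside one parameter value."""
    for m in B64_RUN.finditer(value):
        token = m.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            yield raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue

def inspect_request_url(url):
    """Return the JS indicators found in base64-decoded query values of one URL."""
    hits = set()
    for part in urlsplit(url).query.split("&"):
        # Split manually: parse_qsl would turn the base64 '+' character into a space.
        value = unquote(part.partition("=")[2])
        for text in decoded_base64_runs(value):
            low = text.lower()
            hits.update(ind for ind in JS_INDICATORS if ind.lower() in low)
    return sorted(hits)

def scan_access_log(lines):
    """Return (line_no, url, indicators) for requests whose parameters decode to JS."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if m and (hits := inspect_request_url(m.group(1))):
            findings.append((n, m.group(1), hits))
    return findings

# Constructed sample traffic (placeholder path and parameter names, not real Zimbra URLs).
BENIGN_B64 = base64.b64encode(b"folder=Inbox;view=conversation;sort=dateDesc").decode()
SUSPECT_B64 = base64.b64encode(b"new XMLHttpRequest(); document.cookie").decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2023:10:01:02 +0000] "GET /webmail/ HTTP/1.1" 200 512',
    f'203.0.113.5 - - [31/Mar/2023:10:01:09 +0000] "GET /webmail/?state={quote(BENIGN_B64, safe="")} HTTP/1.1" 200 4096',
    f'198.51.100.7 - - [31/Mar/2023:10:02:44 +0000] "GET /webmail/?q={quote(SUSPECT_B64, safe="")} HTTP/1.1" 200 4096',
]
```

Because the report notes each payload is tailored per portal, the indicator list is a starting point to tune against your own portal's normal parameter traffic rather than a fixed signature.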

“TA473’s persistent approach to vulnerability scanning and
exploitation of unpatched vulnerabilities impacting publicly facing
webmail portals is a key factor in this actor’s success,”
Proofpoint said.

“The group’s focus on sustained reconnaissance and painstaking
study of publicly exposed webmail portals to reverse engineer
JavaScript capable of stealing usernames, passwords, and CSRF
tokens demonstrates its investment in compromising specific
targets.”

The findings come amid revelations[4]
that at least three Russian intelligence agencies, including FSB,
GRU (linked to Sandworm[5]), and SVR (linked to
APT29[6]), likely use software
and hacking tools developed by a Moscow-based IT contractor named
NTC Vulkan.


This includes frameworks like Scan (to facilitate large-scale
data collection), Amesit (to conduct information operations and
manipulate public opinion), and Krystal-2B (to simulate coordinated
IO/OT attacks against rail and pipeline control systems).

“Krystal-2B is a training platform that simulates OT attacks
against different types of OT environments in coordination with
some IO components by leveraging Amesit ‘for the purpose of
disruption’,” Google-owned Mandiant said[8].

“The contracted projects from NTC Vulkan provide insight into
the investment of Russian intelligence services into developing
capabilities to deploy more efficient operations within the
beginning of the attack lifecycle, a piece of operations often
hidden from our view,” the threat intelligence firm said.


References

  1. said (www.proofpoint.com)
  2. state authorities of Ukraine and Poland (thehackernews.com)
  3. government officials in India, Lithuania, Slovakia, and the Vatican (thehackernews.com)
  4. revelations (www.spiegel.de)
  5. Sandworm (thehackernews.com)
  6. APT29 (thehackernews.com)
  7. Don’t Miss Out – Save Your Seat! (thn.news)
  8. said (www.mandiant.com)
  9. Twitter (twitter.com)
  10. LinkedIn (www.linkedin.com)
