Winter Vivern APT Targets European Government Entities with Zimbra Vulnerability


Winter Vivern, an advanced persistent threat (APT) actor, is currently targeting government officials in Europe and the United States as part of its ongoing cyber-espionage campaign.

According to a recent report from Proofpoint, TA473 has been exploiting a Zimbra vulnerability on publicly accessible webmail portals that had not been patched. The exploitation has been ongoing since February 2023 and has given the group access to the email mailboxes of several government entities in Europe.

Proofpoint tracks the group as TA473 (also known as UAC-0114) and assesses it to be an adversarial group operating in line with the geopolitical interests of Russia and Belarus.

Although not particularly sophisticated, the group makes up for it with persistence. Over the past few months it has been linked to attacks on authorities in Ukraine and Poland, as well as on government officials in India, Lithuania, Slovakia, and even the Vatican.

The latest wave of NATO-related intrusions leverages CVE-2022-27926 (CVSS score: 6.1), a now-patched, medium-severity flaw in Zimbra Collaboration that allowed unauthenticated attackers to execute arbitrary JavaScript or HTML.

The attacks also involve using scanning tools such as Acunetix to identify unpatched webmail portals belonging to the targeted organizations, followed by phishing emails that impersonate benign government agencies.

The emails contain booby-trapped links that exploit the cross-site scripting flaw in Zimbra to execute Base64-encoded JavaScript inside the victim's webmail session, giving the attackers access to usernames, passwords, and access tokens.

Notably, each JavaScript payload is tailored to the targeted webmail portal, indicating that the threat actor is willing to invest time and resources to reduce the likelihood of detection.
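Because the payloads described above arrive Base64-encoded inside crafted links and are tailored per portal, matching a single known payload string is brittle; a more robust triage is to decode what each request carries and look for script markup. The following is an added example, not code from this article or from Proofpoint, showing how a defender might scan web-server access logs for reflected-XSS attempts by percent-decoding each query parameter, attempting a Base64 decode of long parameter values, and flagging anything that decodes to script markup. The log lines, the `/webmail/` path, the parameter names and the `find_script_injection` helper are constructed for illustration and are not the CVE-2022-27926 endpoint or any Zimbra internals.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Markup that, once decoded, indicates an attempt to inject script into a page.
SCRIPT_MARKERS = re.compile(
    r"<\s*script|javascript:|<\s*iframe|<\s*svg|on(?:error|load|click|focus|mouseover)\s*=",
    re.IGNORECASE,
)
# Long runs of the Base64 alphabet (standard or URL-safe) are worth trying to decode.
B64_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_-]{16,}")

# One Apache/nginx combined-log entry: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic). The /webmail/ path and parameter names are
# invented for illustration and are not the CVE-2022-27926 endpoint. Line 2 carries the
# Base64 of '<script src="https://example.invalid/x.js"></script>'; line 4 carries the
# Base64 of the benign string 'harmless opaque token'.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2023:09:12:01 +0000] "GET /webmail/?view=inbox HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Mar/2023:09:13:44 +0000] "GET /webmail/?next=PHNjcmlwdCBzcmM9Imh0dHBzOi8vZXhhbXBsZS5pbnZhbGlkL3guanMiPjwvc2NyaXB0Pg== HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Mar/2023:09:14:10 +0000] "GET /webmail/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.3 - - [15/Mar/2023:09:15:30 +0000] "GET /webmail/?token=aGFybWxlc3Mgb3BhcXVlIHRva2Vu HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def query_params(target):
    """Split the request target's query string without turning '+' into a space
    (parse_qsl would do that and corrupt standard Base64)."""
    for pair in urlsplit(target).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote(name), unquote(value)


def decoded_views(value):
    """Yield (encoding, text) for the value as-is and, if it looks like Base64, decoded."""
    yield "raw", value
    if B64_CANDIDATE.fullmatch(value):
        decoder = base64.urlsafe_b64decode if ("-" in value or "_" in value) else base64.b64decode
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        try:
            yield "base64", decoder(padded).decode("utf-8", errors="replace")
        except (binascii.Error, ValueError):
            return


def find_script_injection(log_text):
    """Return one finding per request whose query carries script markup, plain or Base64."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value in query_params(m.group("target")):
            hit = next(
                ((enc, text) for enc, text in decoded_views(value) if SCRIPT_MARKERS.search(text)),
                None,
            )
            if hit:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "param": name,
                    "encoding": hit[0],
                    "snippet": hit[1][:60],
                })
                break  # one finding per request is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_script_injection(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']} ({f['encoding']}): {f['snippet']}")
```

Only query strings that reach the access log are covered; payloads delivered in a POST body or a URL fragment never appear there, so this complements rather than replaces patching the portal and reviewing the application's own logs.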

According to Proofpoint, TA473's success stems from its persistent scanning for, and exploitation of, unpatched vulnerabilities in publicly accessible webmail portals.

The group's commitment to compromising specific targets is evident in its painstaking reconnaissance and analysis of publicly exposed webmail portals, which it uses to reverse-engineer the JavaScript needed to steal usernames, passwords, and CSRF tokens.

The findings come as it emerged that at least three Russian intelligence agencies, the FSB, the GRU (linked to Sandworm), and the SVR (linked to APT29), likely use software and hacking tools developed by NTC Vulkan, a Moscow-based IT contractor.

These include frameworks such as Scan (to facilitate large-scale data collection), Amesit (to conduct information operations and manipulate public opinion), and Krystal-2B (to simulate coordinated attacks on pipeline and railway control systems).

Google-owned Mandiant has described Krystal-2B as a training platform that simulates various OT (operational technology) attacks across different environments alongside IO (information operations) components, and that uses Amesit to enhance its disruptive capability.

NTC Vulkan's contracted projects offer a glimpse into the Russian intelligence services' investment in capabilities to execute operations more efficiently in the early stages of the attack lifecycle, which are typically hidden from the view of threat intelligence firms.
