Since February 2023, a Russian hacking gang known as TA473 or ‘Winter Vivern’ has targeted unpatched Zimbra endpoints in order to collect the emails of NATO officials, governments, military people, and diplomats. The gang has been aggressively exploiting the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to get access to NATO-aligned organizations’ and individuals’ communications.
Sentinel Labs previously reported on the group’s latest operation two weeks ago, in which they utilized websites that mimicked European cybercrime agency to disseminate malware disguised as a virus scanner. Proofpoint has recently published a study outlining how the gang exploits the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to gain access to high-profile targets’ emails.
These payloads are then used to collect usernames, passwords, and tokens from cookies sent by the hacked Zimbra endpoint, granting the hackers full access to the targets’ email accounts.
The sources for this piece include an article in BleepingComputer.