NATO email breach caused by Winter Vivern hackers exploiting Zimbra vulnerability

Since February 2023, a Russia-aligned hacking group tracked as TA473, or ‘Winter Vivern’, has been exploiting unpatched Zimbra webmail endpoints to steal the emails of NATO officials, governments, military personnel, and diplomats, according to a report by cybersecurity firm Proofpoint. The group scans for unpatched webmail portals with the Acunetix vulnerability scanner, sends phishing emails from compromised addresses to lure the target, and delivers the attack through a link in the email: the crafted URL causes the group’s JavaScript payload to be injected into the webmail page when the victim clicks it.

The payload steals usernames, passwords, and tokens from the cookies set by the compromised Zimbra endpoint, giving the group access to the targets’ email accounts. The vulnerability in play is CVE-2022-27926, a reflected cross-site scripting flaw in Zimbra Collaboration servers for which a fix has been available since 2022; because the flaw is reflected, exploitation depends on the victim clicking the link, which is why phishing is part of the chain. To hide the malicious JavaScript, the group wraps it in three layers of base64 encoding and splices in portions of legitimate JavaScript that run in the native webmail portal, so that the payload blends with normal operations and evades detection. Although not particularly sophisticated, ‘Winter Vivern’ has been effective against high-profile targets that fail to apply software patches quickly enough.