[MART] - Daily Diary #447 - Zimbra zero-day XSS exploited in the wild

CTAS-MAT ctas-mat at appgate.com
Mon Feb 7 20:26:53 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

02/07/2022 - Diary entry #447

In the past weeks, a new zero-day vulnerability in Zimbra was disclosed. Zimbra is an open-source e-mail platform used by several companies and even European governments. The vulnerability allows an attacker to exfiltrate data from the webclient, only requiring that the user access a malicious link while logged into Zimbra through a web browser.

The Chinese threat actor, tracked as TEMP_Heretic, is actively exploiting this vulnerability in the wild. TEMP_Heretic attacks consisted of two phases. In the first, a generic spam e-mail was sent as reconnaissance, just to track which users received and opened the messages. The second phase contained a spear-phishing message, luring the users to open a malicious link to a phishing page with the exploit.

This incident is an example of why security awareness training is necessary. Even just accessing links from unknown senders poses a risk and should be avoided at all costs. When in doubt, for instance, if an employee receives an e-mail claiming to be from the directory or a manager that they normally do not have contact with, they should use a secondary secure channel to validate with the supposed e-mail author before opening any links or attachments.

Kind Regards,





Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
