Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

APT

Zimbra zero-day vulnerability actively exploited by an alleged Chinese threat actor

An alleged Chinese threat actor is actively attempting to exploit a zero-day vulnerability in the Zimbra open-source email platform. An alleged Chinese threat actor, tracked as TEMP_Heretic, is actively attempting to exploit a zero-day XSS vulnerability in the Zimbra open-source email platform. The zero-day vulnerability impacts almost any Zimbra install running version 8.8.15. Researchers from […]

volexity zimbra zero-day blog-flowchart

An alleged Chinese threat actor is actively attempting to exploit a zero-day vulnerability in the Zimbra open-source email platform.

An alleged Chinese threat actor, tracked as TEMP_Heretic, is actively attempting to exploit a zero-day XSS vulnerability in the Zimbra open-source email platform. The zero-day vulnerability impacts almost any Zimbra install running version 8.8.15.

Researchers from cybersecurity company Volexity uncovered a cyber espionage spear-phishing campaign, tracked as EmailThief, that has been active at least since December 2021.

The successful exploitation of the cross-site scripting (XSS) vulnerability could allow threat actors to execute arbitrary JavaScript code in the context of the user’s Zimbra session.

In order to exploit the vulnerability, the attackers have to trick the target into clicking the attacker’s specially crafted link while logged into the Zimbra webmail client from a web browser.

Experts noticed that the campaigns are carried out across two attack phases, one aimed at reconnaissance and one aimed at spreading the malicious links.

“The campaigns came in multiple waves across two attack phases. The initial phase was aimed at reconnaissance and involved emails designed to simply track if a target received and opened the messages. The second phase came in several waves that contained email messages luring targets to click a malicious attacker-crafted link. For the attack to be successful, the target would have to visit the attacker’s link while logged into the Zimbra webmail client from a web browser.” reads the analysis published by Volexity. “The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook. Successful exploitation results in the attacker being able to run arbitrary JavaScript in the context of the user’s Zimbra session.”

volexity zimbra zero-day blog-flowchart

TEMP_Heretic attempted to steal emails and attachments from target organizations, the exploitation of the zero-day XSS issue could allow attackers to exfiltrate cookies to allow persistent access to a mailbox, send further phishing messages to a user’s contacts, and deliver malware.

The attribution to a threat actor with a Chinese origin is based on the following clues:

  • Most of the emails were sent between 04:00 and 08:30 UTC, fitting hours of a working day of UTC + 8 hours.
  • Emails were sent with headers indicating they were sent from a +0800 UTC time zone.
  • The hard-coded headers used in the Zimbra requests generated by the attacker’s JavaScript code contain a timezone set to “Asia/Hong_Kong”.

“In terms of attribution, none of the infrastructure identified by Volexity exactly matches infrastructure used by previously classified threat groups. However, based on the targeted organization and specific individuals of the targeted organization, and given the stolen data would have no financial value, it is likely the attacks were undertaken by a Chinese APT actor.” concludes the report.

Volexity also released indicators of compromise (IoCs) for these attacks.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Zimbra)

[adrotate banner=”5″]

[adrotate banner=”13″]