A new Proofpoint report indicates that in late 2022, threat actor TA473 targeted elected officials and staffers in the U.S., as well as experts in European politics and economics. Proofpoint also states that “social engineering lures and impersonated organizations often pertain to Ukraine in the context of armed conflict” and notes that the email mailboxes of NATO-aligned government entities were targeted in Europe.
In older phishing campaigns from TA473, targets included Polish government agencies, Ukraine’s and Italy’s Ministries of Foreign Affairs, and individuals within the Indian government.
Who is TA473?
TA473 is a threat actor, known since 2021, that has targeted several countries aligned against the interests of Belarus and Russia; the group is also known as Winter Vivern by some security companies and governmental entities.
Although there is no confirmed evidence, a few elements support the theory that the threat actor originates from Russia. For instance, a Russian word has leaked into malware samples and documents. Beyond this leak, TA473’s frequent alignment with Russian interests makes it plausible that the group originates from that country.
The threat actor mostly creates phishing campaigns to deliver payloads and harvest credentials. Payloads often target vulnerabilities in internet-facing webmail services and allow attackers to get access to email mailboxes.
Rather than developing tools to automate parts of its attacks, the group invests time and resources to compromise specific entities with custom payloads for the targeted webmail portal.
How TA473’s phishing campaigns work
TA473 often sends emails from compromised email addresses, originating from unpatched or insecure WordPress-hosted domains. The emails contain benign URLs from the targeted organization or a relevant peer organization, while the sender email is spoofed to look as if it comes from the organization. Then, they hyperlink this benign URL to either deliver a first-stage payload or redirect victims to a credential-harvesting landing page with actor-controlled or compromised infrastructure (Figure A).
Figure A
In some cases, TA473 uses structured URI paths that indicate a hashed value for the targeted individual, an unencoded indication of the targeted organization, and encoded or plaintext versions of the benign URL that was hyperlinked in the initial email to targets.
How TA473 exploits a Zimbra vulnerability
In early 2023, the threat actor started exploiting a known vulnerability in Zimbra Collaboration version 9.0.0, a release often used to host internet-accessible webmail portals. To achieve that exploitation, the malicious link in the phishing email sends a hexadecimal-encoded JavaScript snippet to the Zimbra software, where it is executed as an error parameter (Figure B).
Figure B
Once the JavaScript snippet is decoded, it downloads the next stage payload that triggers cross-site request forgery to steal usernames, passwords and CSRF tokens from the user who clicked the malicious link (Figure C).
Figure C
The JavaScript used by TA473 attackers also attempts to log in to the legitimate email portal with active tokens.
Proofpoint has observed that the threat actor sometimes targets specific Roundcube webmail request tokens as well, which reveals that the threat actor has already done reconnaissance on the target prior to attacking it.
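The hex-encoded JavaScript delivered through an error parameter, as described above, leaves a recognisable trace in the webmail server's access logs. The following detection logic is an added example, not code from Proofpoint or the article; the `/webmail/` path, the `error` parameter name and the log lines are constructed samples, since the article does not name the exact endpoint.

```python
import re
import binascii
from urllib.parse import urlsplit, parse_qs

# Substrings that, once a hex blob is decoded, indicate script rather than a benign message.
SCRIPT_MARKERS = ("<script", "javascript:", "eval(", "document.", "onerror=")
# A run of at least 16 hex-encoded bytes; short hex values such as IDs are ignored.
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){16,}$")
# Request field of a combined-format access log line: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_hex_param(value: str):
    """Return the decoded text if value is a long pure-hex string, else None."""
    if not HEX_RE.match(value):
        return None
    try:
        return binascii.unhexlify(value).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None

def find_encoded_script_params(log_line: str):
    """Return [(param_name, decoded_text)] for query parameters carrying hex-encoded script."""
    m = REQ_RE.search(log_line)
    if not m:
        return []
    hits = []
    query = urlsplit(m.group(1)).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:  # parse_qs already percent-decodes the value
            decoded = decode_hex_param(value)
            if decoded and any(k in decoded.lower() for k in SCRIPT_MARKERS):
                hits.append((name, decoded))
    return hits

def scan_logs(lines):
    """Return [(line_index, param_name, decoded_text)] over a batch of access log lines."""
    return [(i, name, text) for i, line in enumerate(lines)
            for name, text in find_encoded_script_params(line)]

# Constructed sample log lines (not real traffic): a benign error message, a hex-encoded
# script in the error parameter, and a long hex value that is not script (an ID-like token).
SAMPLE_PAYLOAD_HEX = "<script>alert(1)</script>".encode().hex()
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Feb/2023:10:01:02 +0000] "GET /webmail/?error=Invalid%20request HTTP/1.1" 200 512',
    f'203.0.113.9 - - [10/Feb/2023:10:05:44 +0000] "GET /webmail/?error={SAMPLE_PAYLOAD_HEX} HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Feb/2023:10:06:10 +0000] "GET /mail?id=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for idx, name, text in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: parameter '{name}' decodes to script: {text!r}")
```

Run against real access logs, only the second kind of line is flagged; percent-encoded text and opaque hex identifiers pass through silently.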
How to protect from this security threat
- Patch Zimbra Collaboration, which will prevent attackers from exploiting the CVE-2022-27926 vulnerability.
- Ensure multifactor authentication is enabled on internet-facing services such as web portals; even if an attacker owns valid credentials, they might not be able to use them. Strong password policies also need to be enforced.
- Put network policies in place so that, even though the webmail portal faces the internet, it is only accessible from a corporate VPN connection.
- Educate users about phishing threats and social engineering tricks that attackers might employ.
- Keep operating systems and software updated and patched.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.