Russian hackers exploit Zimbra flaw in Ukrainian govt attacks
Hackers part of APT28, a state-backed threat group linked to Russia's military intelligence service (GRU), are exploiting a Zimbra Collaboration Suite (ZCS) vulnerability in attacks targeting Ukrainian government entities.

This high-severity security flaw, tracked as CVE-2025-66376 and patched in early November, stems from a stored cross-site scripting (XSS) that unauthenticated attackers can exploit to gain remote code execution (RCE) and compromise the Zimbra server and the target's email account.

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its catalog of vulnerabilities exploited in the wild. CISA also ordered Federal Civilian Executive Branch (FCEB) agencies to secure their servers within two weeks, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

While the US cybersecurity agency didn't provide further details on the ongoing exploitation of CVE-2025-66376, security researchers at Seqrite Labs reported a day earlier that the Zimbra XSS vulnerability had been exploited by APT28 military hackers in attacks against Ukraine.

The Ukrainian State Hydrology Agency, a critical infrastructure entity under the Ministry of Infrastructure that provides navigational, maritime, and hydrographic support, was one of the targets of this phishing campaign, named Operation GhostMail.

"The phishing email has no malicious attachments, no suspicious links, no macros. The entire attack chain lives inside the HTML body of a single email; there are no malicious attachments," Seqrite Labs said.

The APT28 (aka Fancy Bear, Strontium) hackers' malicious messages delivered an obfuscated JavaScript payload that exploits the CVE-2025-66376 vulnerability when the recipient opens the email in a vulnerable Zimbra webmail session.

The script executes silently in the browser and begins harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and the contents of the victim's mailbox going back 90 days, with all the data exfiltrated over both DNS and HTTPS, the researchers added.

Zimbra security flaws are frequently targeted in attacks, including by Russian state-sponsored threat groups, and have been used to breach thousands of vulnerable email servers in recent years.

For instance, starting in February 2023, the Russian Winter Vivern cyberespionage group used another reflected XSS exploit to breach Zimbra webmail portals and spy on the communications of NATO-aligned organizations and persons, including government officials, military personnel, and diplomats.

In October 2024, US and UK cyber agencies also warned that APT29 (aka Cozy Bear, Midnight Blizzard) hackers linked to Russia's Foreign Intelligence Service (SVR) were attacking vulnerable Zimbra servers at a mass scale, exploiting a vulnerability previously used to steal email account credentials.

Zimbra is a widely popular email and collaboration software suite used by hundreds of millions of people, including hundreds of government agencies and thousands of businesses worldwide.
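Seqrite's point that the whole attack chain lives in the HTML body of one message is what makes a mail-gateway check useful as a compensating control while servers are being patched: inbound HTML can be inspected for the markers any stored-XSS payload needs before a webmail client renders it. The scanner below is an added example written for this article; it is not Seqrite Labs' or Zimbra's code, the two message bodies are constructed samples, and the tag, attribute and obfuscation heuristics are illustrative assumptions rather than a complete sanitizer. It is a detection aid, not a substitute for applying the CVE-2025-66376 fix.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# Elements that carry or load active content when rendered by a webmail client.
# Assumed set for this example; tune it to the renderer you protect.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "svg", "math",
               "base", "meta", "form", "template"}
# Attributes whose value is a URL the browser may navigate to or load.
URI_ATTRS = {"src", "href", "action", "formaction", "data", "xlink:href",
             "background", "poster"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.I)
DATA_HTML = re.compile(r"^\s*data\s*:\s*text/html", re.I)
# Crude hints that inline script text is packed or decoded at runtime.
OBFUSCATION = re.compile(r"\b(atob|eval|unescape|Function|fromCharCode)\b"
                         r"|[A-Za-z0-9+/=]{120,}")


@dataclass(frozen=True)
class Finding:
    kind: str    # event_handler | script_uri | active_tag | obfuscation_hint | css_script
    tag: str
    detail: str


class ActiveContentScanner(HTMLParser):
    """Walks an HTML body and records every construct that could run script.

    html.parser lowercases tag/attribute names and decodes character
    references in attribute values, so an encoded scheme such as
    &#106;avascript: is seen as javascript: here.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(Finding("active_tag", tag, ""))
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                # Any on* attribute is an inline event handler.
                self.findings.append(Finding("event_handler", tag, name))
            elif name in URI_ATTRS and (SCRIPT_SCHEME.match(value) or DATA_HTML.match(value)):
                self.findings.append(Finding("script_uri", tag, f"{name}={value[:40]}"))
            elif name == "style" and re.search(r"expression\s*\(|javascript\s*:", value, re.I):
                self.findings.append(Finding("css_script", tag, value[:40]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text (CDATA mode).
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(Finding("obfuscation_hint", "script", data.strip()[:40]))


def scan_html_email(body: str) -> list:
    """Return every active-content finding in an HTML message body."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


HARD_TAGS = {"script", "iframe", "frame", "object", "embed"}


def is_suspicious(body: str) -> bool:
    """True when the body contains a construct that can execute script on open.
    Plain <meta>/<form>/<svg> tags alone are common in newsletters and only
    count when combined with a stronger finding."""
    return any(f.kind != "active_tag" or f.tag in HARD_TAGS
               for f in scan_html_email(body))


# Constructed sample bodies (not real campaign content).
BENIGN = """<html><body><p>Quarterly report attached.
<a href="https://intranet.example/report">View</a></p>
<img src="https://intranet.example/logo.png" alt="logo"></body></html>"""

SUSPICIOUS = """<html><body><p>Please review.</p>
<img src="https://intranet.example/logo.png" onload="/* constructed placeholder */">
<a href="&#106;avascript:void(0)">link</a>
<script>var p=atob("Y29uc3RydWN0ZWQ=");</script></body></html>"""

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, is_suspicious(body), scan_html_email(body))
```

Run it as a script to see the findings for both samples; in a gateway you would feed it the decoded `text/html` MIME part and quarantine or neutralise messages where `is_suspicious` returns true. Expect false positives from marketing mail that uses `<form>` or `<svg>`, which is why only the stronger findings decide the verdict.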
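Seqrite reports that the harvested mailbox data left over both DNS and HTTPS. The HTTPS leg is only visible with TLS inspection or proxy logs, but DNS exfiltration has to pass through the organisation's resolvers, and a script running inside a browser can only encode stolen data into query names. The scorer below is an added example for this article, not Seqrite's or any vendor's detection logic: it assumes a constructed resolver log format of `<timestamp> <client> <qtype> <qname>`, takes the last two labels as the registrable domain (naive, wrong for suffixes such as co.uk), and uses assumed thresholds for unique-subdomain count, subdomain length and character entropy. The log lines are constructed and the flagged domain is a placeholder.

```python
import math
import re
from collections import defaultdict

# Assumed log line shape for this example: "<timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded/random data scores near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Naive (base domain, subdomain) split using the last two labels as the base.
    A production version should consult a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ""          # no subdomain part to carry data
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(lines):
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def score_domains(lines, min_unique_subs=5, min_sub_len=24, min_entropy=3.5):
    """Per base domain: query volume, distinct subdomains, clients, and whether the
    subdomain labels look like encoded payload rather than hostnames."""
    stats = defaultdict(lambda: {"subs": set(), "clients": set(), "queries": 0})
    for rec in parse_log(lines):
        base, sub = split_qname(rec["qname"])
        if base is None:
            continue
        d = stats[base]
        d["subs"].add(sub)
        d["clients"].add(rec["client"])
        d["queries"] += 1

    report = {}
    for base, d in stats.items():
        subs = sorted(d["subs"])
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        report[base] = {
            "queries": d["queries"],
            "unique_subs": len(subs),
            "clients": len(d["clients"]),
            "mean_sub_len": round(mean_len, 2),
            "mean_entropy": round(mean_ent, 3),
            # All three conditions together: many never-repeated, long, high-entropy labels.
            "flag": (len(subs) >= min_unique_subs
                     and mean_len >= min_sub_len
                     and mean_ent >= min_entropy),
        }
    return report


def flagged_domains(lines, **thresholds):
    return sorted(b for b, m in score_domains(lines, **thresholds).items() if m["flag"])


# Constructed resolver log: ordinary lookups plus one client streaming hex-encoded
# chunks as subdomains of a placeholder domain.
SAMPLE_LOG = [
    "2025-11-20T10:00:01Z 10.0.0.7 A www.example.org",
    "2025-11-20T10:00:02Z 10.0.0.7 AAAA www.example.org",
    "2025-11-20T10:00:03Z 10.0.0.8 A mail.example.org",
    "2025-11-20T10:00:04Z 10.0.0.9 A cdn.example.org",
    "2025-11-20T10:00:05Z 10.0.0.9 A example.org",
    "2025-11-20T10:01:02Z 10.0.0.5 A 0123456789abcdef.fedcba9876543210.exfil-placeholder.example",
    "2025-11-20T10:01:03Z 10.0.0.5 A 13579bdf02468ace.eca86420fdb97531.exfil-placeholder.example",
    "2025-11-20T10:01:04Z 10.0.0.5 A 02468ace13579bdf.fdb97531eca86420.exfil-placeholder.example",
    "2025-11-20T10:01:05Z 10.0.0.5 A 048c159d26ae37bf.fb73ea62d951c840.exfil-placeholder.example",
    "2025-11-20T10:01:06Z 10.0.0.5 A 8c4026ae159d37bf.fb73d951ea620c48.exfil-placeholder.example",
    "2025-11-20T10:01:07Z 10.0.0.5 A a5b4c3d2e1f09876.67890f1e2d3c4b5a.exfil-placeholder.example",
]

if __name__ == "__main__":
    for base, m in score_domains(SAMPLE_LOG).items():
        print(base, m)
    print("flagged:", flagged_domains(SAMPLE_LOG))
```

Point it at a window of resolver or DNS-firewall logs per client; a single webmail host issuing dozens of unique, long, high-entropy subdomains to one domain in a short span is the pattern to alert on. CDN and cloud-service domains can also show many unique subdomains, so keep the length and entropy conditions rather than counting alone, and allow-list known infrastructure.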