Vulnerabilities affecting popular software products, like Zimbra Collaboration Suite (ZCS), continuously expose organizations in multiple industry vectors, including the public sector, to increasing risks. Defenders exposed a minimum of four offensive operations employing a Zimbra zero-day vulnerability tracked as CVE-2023-37580, specifically designed to extract sensitive data from government entities across multiple countries.

Detect CVE-2023-37580 Exploitation Attempts

With a constantly increasing number of exploits weaponized for in-the-wild exploitation, security professionals require tailored detection content to detect possible attacks at the earliest stages. SOC Prime Platform for collective cyber defense aggregates two Sigma rules specifically addressing CVE-2023-37580 exploitation attempts: 

Possible CVE-2023-37580 (Zimbra Classic Web Client XSS) Exploitation Attempt (via webserver) 

This Sigma rule by the SOC Prime Team helps to identify exploitation attempts of  Zimbra Classic Web Client XSS vulnerability. The detection is compatible with 18 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK framework, addressing Initial Acces, with Drive-by Compromise (T1189) as a corresponding technique. 

Suspicious Zimbra Collaboration XSS Vulnerability [CVE-2023-37580] Exploitation Attempt With Associated Web Request (via webserver)

Another Sigma rule, by our seasoned Threat Bounty developer Mustafa Gurkam KARAKAYA, detects possible CVE-2023-37580 exploitation attempts by sending a malicious XSS payload. The algorithm is compatible with 18 security analytics solutions and mapped to MITRE ATT&CK, addressing Initial Access & Discovery tactics, with Exploit Public-Facing Applications (T1190) and File and Directory Discovery (T1083) as main techniques.

To explore the entire detection stack aimed at trending CVE detection, cyber defenders might hit the Explore Detections button below. Instantly reach rules, take advantage of actionable metadata, and leave no chance for attackers to strike first.  

Explore Detections

Eager to develop your detection engineering skills and contribute to collective cyber defense while earning money for your contribution? Join the ranks of SOC Prime’s Threat Bounty Program to train your detection coding skills, advance your engineering career, and code your CV, while enriching industry expertise and earning financial perks for your input. 

CVE-2023-37580 Analysis

In the early summer of 2023, Google’s Threat Analysis Group (TAG) unveiled a new zero-day exploit in ZCS tracked as CVE-2023-37580 with a severity score of 6.1 (CVSS). Since over 20K businesses rely on Zimbra Collaboration email software, the discovery of this security gap poses a severe menace to global businesses in multiple industry sectors, including the public sector systems. Since the bug disclosure, TAG has observed four multiple hacking collectives behind exploitation attempts aimed to steal email data, user credentials, and authentication tokens. Notably, most of the intrusions took place after took place following the public disclosure of the CVE-2023-37580 initial fix on GitHub.

CVE-2023-37580 is a medium-severity XSS vulnerability in Zimbra Classic Web Client affecting ZCS versions prior to 8.8.15 Patch 41. Effective exploitation of this vulnerability enables the execution of malicious scripts on the victims’ web browsers by luring them into clicking on a carefully crafted URL. This action triggers the XSS request to Zimbra and reflects the attack back to the user. The remediation guidance has been addressed by Zimbra in the corresponding advisory

The initial real-world exploitation of the CVE-2023-37580 zero-day flaw in late June 2023 involved a campaign directed at a government entity in Greece leveraging emails with exploit URLs sent to the targeted users. Another hacking group took advantage of the security bug for a complete two-week period starting until the official patch was released at the end of July 2023. Defenders uncovered numerous exploit URLs directed at government entities in Moldova and Tunisia. The hacking collective behind the second campaign can be linked to Winter Vivern aka UAC-0114, which launched a set of phishing attacks against the Ukrainian and Polish government entities in February 2023. 

A third campaign just a couple of days before the official patch release was linked to an unknown group striving to steal credentials from a public sector organization in Vietnam. 

In August 2023, following the patch release, defenders unveiled another campaign weaponizing  CVE-2023-37580 to target the public sector institutions in Pakistan. Hackers abused the exploit to steal the Zimbra authentication token, which was then exfiltrated to the ntcpk[.]org domain.

The identification of a series of offensive operations exploiting CVE-2023-37580 in different countries underscores the critical need for global businesses to promptly apply patches to their mail servers. As CVE-2023-37580 urgent mitigation measures, organizations are prompted to immediately install the fixes and constantly keep software regularly updated for their comprehensive protection. 

To help your team streamline detection engineering operations while proactively defending against in-the-wild zero-day exploits and other emerging threats, get started with Uncoder IO, which enables sub-second cross-platform content translation to multiple language formats and supports automated IOC packaging.