Google blocks a zero-day flaw used to target government emails


Cybersecurity researchers from Google’s Threat Analysis Group (TAG) recently discovered a zero-day vulnerability in a popular email server platform that hackers were using to steal sensitive data from government organizations around the world.

In a blog post by TAG researchers Clement Lecigne and Maddie Stone, Google said the cross-site scripting (XSS) flaw was found in June this year in Zimbra Collaboration, a popular email server platform. An XSS flaw lets threat actors inject malicious scripts into a vulnerable website so that they run in a visitor's browser. Such scripts can pull sensitive information, including email data, user credentials, and authentication tokens, from unsuspecting visitors.
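As an added illustration, not code from Google's post or from Zimbra, the Python sketch below shows the pattern behind a reflected XSS flaw and the two defensive controls that matter here: HTML-encoding anything reflected from the request, and marking session cookies HttpOnly so injected script cannot read authentication tokens. The page template, the sample URL and the cookie header are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical page template for a search endpoint (constructed, not Zimbra's).
PAGE_TEMPLATE = "<html><body><h1>Results for: {query}</h1></body></html>"

# Constructed sample URL carrying the classic XSS probe string in the 'q' parameter.
SAMPLE_URL = "https://mail.example.test/search?q=<script>alert(1)</script>"


def _query_param(url, name):
    """Return the first value of a query-string parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unescaped(url):
    """Vulnerable pattern: the request parameter is copied into HTML verbatim,
    so any markup in it becomes part of the page and executes in the browser."""
    return PAGE_TEMPLATE.format(query=_query_param(url, "q"))


def render_escaped(url):
    """Hardened pattern: HTML-encode the parameter before reflecting it.
    '<' becomes '&lt;', so the browser renders text instead of a script element."""
    safe = html.escape(_query_param(url, "q"), quote=True)
    return PAGE_TEMPLATE.format(query=safe)


def contains_script_element(rendered_html):
    """Simple check used to compare the two renderings: does a real <script>
    element appear in the output?"""
    return "<script" in rendered_html.lower()


def session_cookie_is_hardened(set_cookie_header):
    """Check a Set-Cookie header for the flags that keep a session token out of
    reach of injected script (HttpOnly) and off plaintext links (Secure)."""
    attrs = {part.strip().lower() for part in set_cookie_header.split(";")[1:]}
    return "httponly" in attrs and "secure" in attrs


if __name__ == "__main__":
    print("unescaped:", render_unescaped(SAMPLE_URL))
    print("escaped:  ", render_escaped(SAMPLE_URL))
    # Constructed cookie headers: the first is readable by page script, the second is not.
    print(session_cookie_is_hardened("SESSION=abc123; Path=/"))
    print(session_cookie_is_hardened("SESSION=abc123; Path=/; Secure; HttpOnly"))
```

The escaped rendering still displays the user's text; it simply stops the browser from interpreting it as markup. The cookie check is the complementary control: even if a script does run, an HttpOnly session cookie is not exposed through `document.cookie`, which is exactly the kind of token theft described above.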

The flaw is now tracked as CVE-2023-37580. 

Hackers flocking

In the timeframe between the flaw being discovered and being patched, Google observed four threat actors abusing it to target various government organizations. 

One threat actor was sending emails with an exploit URL to people working for a government organization in Greece. If the victim, who was logged into a Zimbra session, clicked the link, the URL loaded a framework that used XSS to steal emails and attachments and set up an auto-forwarding rule to an attacker-controlled address. 

The second campaign targeted government organizations in Moldova and Tunisia, while the third one went after a Vietnamese organization. Finally, someone tried to steal Zimbra authentication tokens from people working for a Pakistani government organization.

The first campaign leveraging the zero-day was discovered in late June 2023, while Zimbra pushed the official patch a month later, in late July. The Pakistani campaign was conducted after the release of the patch, Google said, highlighting the importance of timely patching:

“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” Google concluded.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
