CISA has issued an urgent directive for government agencies to patch actively exploited vulnerabilities in Synacor Zimbra Collaboration Suite and Microsoft Office SharePoint. These security flaws are being weaponized by sophisticated threat actors to execute remote code and steal sensitive data from federal networks.
The Cybersecurity and Infrastructure Security Agency recently expanded its Known Exploited Vulnerabilities catalog to include a cross-site scripting flaw in Zimbra and a remote code execution vulnerability in SharePoint. The Zimbra vulnerability lets attackers bypass security controls through malicious style sheets, while the SharePoint issue stems from unsafe processing of untrusted data. Federal agencies have been given a strict deadline to apply the necessary security updates and mitigate these risks.
Reports from cybersecurity researchers indicate that the Zimbra flaw is being used in a campaign dubbed Operation GhostMail, which is linked to Russian state-sponsored actors. The attack uses a deceptive internship inquiry email that contains no traditional attachments or links. Instead, an obfuscated JavaScript payload is embedded directly in the email body and triggers automatically when the message is viewed in a vulnerable webmail session.
Once the exploit is successful, the malware functions as a browser-resident stealer designed to harvest a wide array of sensitive information. This includes user credentials, session tokens, two-factor authentication recovery codes, and archived emails from the past three months. The stolen data is then funneled out of the victim’s network through DNS and HTTPS protocols, allowing the attackers to maintain a low profile.
While specific details regarding the exploitation of the SharePoint vulnerability remain limited, the broader threat landscape shows a dangerous trend of targeting edge network devices. Recent disclosures also highlight a maximum-severity flaw in Cisco firewall software that was used as a zero-day by ransomware groups. This suggests that high-level threat actors are increasingly investing in discovering unknown vulnerabilities to gain initial access to high-value targets.
These ongoing campaigns emphasize the shift away from traditional malware binaries toward fileless, browser-based intrusions that can evade standard endpoint detections. By exploiting webmail and management software, attackers can achieve full session interception without the need for macros or malicious downloads. Organizations are encouraged to prioritize patching and remain vigilant against social engineering tactics that deliver these sophisticated payloads.
Source: https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/