Last summer, governments in five countries across Europe, Africa and Asia made a mistake familiar to just about anyone with a computer: They didn’t update their software, ignoring the warnings from the program’s developer that they absolutely needed to do so. The result? They left a backdoor open for a band of opportunistic hackers, according to new research compiled by Google.
Four separate hacking campaigns targeted government agencies in Greece, Moldova, Tunisia, Vietnam and Pakistan using a vulnerability in a widely used email platform from Buffalo, N.Y.-based Zimbra, Google said in a blog post. Three of the attacks came after Zimbra published a fix for the problem, offering fresh evidence that many victims routinely fail to install vital security updates that could protect them from cyberattacks.
Zimbra is an open-source alternative to the expensive enterprise email platforms sold by Microsoft and Google. Its lower cost could make it popular with low- and middle-income governments that can’t afford or don’t want to pay for U.S. tech giants’ better-known products.
The Greek attack occurred on June 29, six days before Zimbra published an emergency fix. But the attacks on Moldova, Tunisia, Vietnam and Pakistan occurred over the following two months, with the Pakistani intrusion even taking place after Zimbra published a more formal patch on July 25.
The timeline of the attacks “demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” Google researchers wrote. It also highlighted how hackers monitor code-hosting websites like GitHub, where Zimbra published its emergency fix, “to opportunistically exploit vulnerabilities” in the window between emergency fix and official patch.
Google did not identify the hackers in the Greek, Vietnamese or Pakistani incidents, but it attributed the attacks on Moldova and Tunisia to a hacking team closely aligned with the Russian and Belarusian governments. That group has exploited Zimbra flaws before.
In the attack on the Greek government agency, the hackers were able to not only steal data from their targets’ mailboxes but also set up an auto-forward to capture messages that those targets received in the future.
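One defender-side check for the auto-forward persistence described above, added here as an illustration and not code from Google's report or from Zimbra: it parses text in the shape of Zimbra's `zmprov ga` output for the two forwarding attributes and flags any forward whose destination lies outside the organization's own domains. The attribute names are real Zimbra account attributes; the exact output layout, the accounts and the addresses are assumed and constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `zmprov ga <account> <attr...>` output
# (a "# name <account>" header followed by "attr: value" lines). The
# accounts and addresses are made up; only the attribute names are real.
SAMPLE_ZMPROV_OUTPUT = """\
# name minister@agency.example.gov
zimbraPrefMailForwardingAddress: archive@agency.example.gov
# name deputy@agency.example.gov
zimbraPrefMailForwardingAddress: collector@mail-relay.example.net
zimbraPrefMailLocalDeliveryDisabled: FALSE
# name clerk@agency.example.gov
"""

# Domains the organization legitimately owns (assumed for the example).
ORG_DOMAINS = {"agency.example.gov"}

# User-visible forward and the admin-level forward hidden from the user.
FORWARD_ATTRS = ("zimbraPrefMailForwardingAddress", "zimbraMailForwardingAddress")


def parse_zmprov(output: str) -> Dict[str, Dict[str, List[str]]]:
    """Group 'attr: value' lines under the preceding '# name <account>' header."""
    accounts: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"^# name (\S+)$", line)
        if m:
            current = m.group(1)
            accounts[current] = {}
            continue
        if current is None or ":" not in line:
            continue
        attr, value = line.split(":", 1)
        # Multi-valued attributes are printed as repeated lines, so keep a list.
        accounts[current].setdefault(attr.strip(), []).append(value.strip())
    return accounts


def external_forwards(accounts: Dict[str, Dict[str, List[str]]],
                      org_domains: set) -> List[Tuple[str, str]]:
    """Return (account, target) pairs whose forward target is not an org domain."""
    findings = []
    for account, attrs in accounts.items():
        for attr in FORWARD_ATTRS:
            for target in attrs.get(attr, []):
                domain = target.rsplit("@", 1)[-1].lower()
                if domain not in org_domains:
                    findings.append((account, target))
    return findings
```

Forwards to internal addresses are left alone; anything pointing off-domain is worth confirming with the mailbox owner.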
The Moldovan and Tunisian attacks began on July 11, two weeks before Zimbra released an official patch for the vulnerability, and were carefully planned to trick their intended targets. Each link that the hackers used to trigger the Zimbra flaw “contained a unique official email address for specific organizations in those governments,” Google said.
In the third campaign, which targeted Vietnam, the hackers directed their targets to email login pages that were designed to look legitimate but actually transmitted victims’ passwords to the hackers. Interestingly, the passwords were delivered to a website “hosted on an official government domain,” suggesting that the hackers had previously taken control of that system.