Zimbra Zero-Day Hits Users with Malicious ICS Files

A zero-day vulnerability in Zimbra Collaboration Suite was actively exploited by threat actors using malicious iCalendar (.ICS) attachments. The flaw, a stored cross-site scripting issue, allowed attackers to execute arbitrary JavaScript when a victim viewed an email with the malicious calendar entry. This enabled the attackers to hijack user sessions, steal credentials, exfiltrate emails and contacts, and set up email forwarding rules. The sophisticated malware used evasion techniques, such as delaying its execution and hiding UI elements to remain undetected. Although the attack has not been attributed to a specific group, it targeted a military organization and used TTPs similar to known state-sponsored actors.

Latest mentioned: 10-06

Earliest mentioned: 10-05

Sources

securityaffairs.com bleepingcomputer.com thehackernews.com cybersum.net

Also Read

PolarEdge ORB Network Unveiled: 25,000 IoT Devices Compromised

XLab has discovered RPX_Client, a new module in the PolarEdge ORB network, which hijacks IoT devices for global proxy operations. The malware, distributed via IP address 111.119.223.196, onboards infected devices into the PolarEdge proxy pool, providing relay services and executing remote commands. Over 25,000 devices have been compromised, primarily network video recorders and routers. The command-and-control infrastructure includes 140 active RPX_Server nodes, using a PolarSSL test certificate and listening on port 55555. The RPX_Client module functions as a relay agent, disguising its process name and maintaining configuration data encrypted via XOR. The malware maintains two persistent C2 channels for registration, proxy services, and remote command execution.

10-31Read more →