A new Proofpoint report indicates that in late 2022, threat actor TA473 targeted elected officials and staffers in the U.S., as well as experts in European politics and economics. Proofpoint also states that “social engineering lures and impersonated organizations often pertain to Ukraine in the context of armed conflict” and notes that the email mailboxes of NATO-aligned government entities were targeted in Europe.
In older phishing campaigns from TA473, targets included Polish government agencies, Ukraine’s and Italy’s Ministries of Foreign Affairs, and individuals within the Indian government.
- Who is TA473?
- How TA473’s phishing campaigns work
- How TA473 exploits a Zimbra vulnerability
- How to protect from this security threat
Who is TA473?
TA473 is a threat actor, known since 2021, that has targeted several countries aligned against the interests of Belarus and Russia; the group is also known as Winter Vivern by some security companies and governmental entities.
Although there is no confirmed evidence, a few elements support the theory that the threat actor originates from Russia. For instance, a Russian word has leaked into malware samples and documents. Beyond this leak, TA473’s frequent alignment with Russian interests makes it plausible that the threat actor originates from that country.
The threat actor mostly creates phishing campaigns to deliver payloads and harvest credentials. Payloads often target vulnerabilities in internet-facing webmail services and allow attackers to get access to email mailboxes.
Rather than developing tools to automate parts of its attacks, the group invests time and resources to compromise specific entities with custom payloads for the targeted webmail portal.
How TA473’s phishing campaigns work
TA473 often sends emails from compromised email addresses, originating from unpatched or insecure WordPress-hosted domains. The emails contain benign URLs from the targeted organization or a relevant peer organization, while the sender email is spoofed to look as if it comes from the organization. Then, they hyperlink this benign URL to either deliver a first-stage payload or redirect victims to a credential-harvesting landing page with actor-controlled or compromised infrastructure (Figure A).
In some cases, TA473 uses structured URI paths that indicate a hashed value for the targeted individual, an unencoded indication of the targeted organization, and encoded or plaintext versions of the benign URL that was hyperlinked in the initial email to targets.
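The structured URI paths described above (a hashed-looking segment, an organization marker, and the benign URL carried in encoded or plaintext form) can be hunted for in web proxy logs. The following is an added example written for this article, not code from Proofpoint or the original report; the domains, hash values and log URLs are constructed, and the exact path layout is an assumption based on the description above.

```python
import base64
import re
from typing import Optional
from urllib.parse import unquote, urlparse

HEX_HASH = re.compile(r"^[0-9a-f]{32,64}$", re.IGNORECASE)  # md5/sha1/sha256-length segment
URL_LIKE = re.compile(r"^https?://", re.IGNORECASE)

OWN_DOMAINS = {"mfa.example.gov"}  # constructed: the organisation's own website/webmail domain
BENIGN_URL = "https://mfa.example.gov/press/2022"  # constructed benign page hyperlinked in the lure
SAMPLE_URLS = [  # constructed proxy-log URLs, not real indicators
    BENIGN_URL,  # the legitimate page itself
    "https://cdn.example.net/static/app.js",  # unrelated traffic
    "https://wp-site.example.org/3f2a9c7d1e4b8a6f5c0d2e1b4a7c9d8e/mfa-example-gov/"
    + base64.urlsafe_b64encode(BENIGN_URL.encode()).decode().rstrip("="),  # hash/org/encoded URL
    "https://lure.example.com/a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4/mfa/"
    + "https%3A%2F%2Fmfa.example.gov%2Fpress%2F2022",  # hash/org/percent-encoded plaintext URL
]


def _decode_b64(segment: str) -> Optional[str]:
    """Return the UTF-8 text behind a base64/base64url segment, or None if it is not one."""
    if len(segment) < 8:
        return None
    padded = segment + "=" * (-len(segment) % 4)
    try:
        raw = base64.b64decode(padded.translate(str.maketrans("-_", "+/")), validate=True)
        return raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_url(url: str, own_domains: set) -> dict:
    """Look for the three path components the report describes: hash, org marker, embedded URL."""
    segments = [unquote(p) for p in urlparse(url).path.split("/") if p]
    result = {"hash_segment": False, "org_marker": False, "embedded_url": None}
    for seg in segments:
        if HEX_HASH.match(seg):
            result["hash_segment"] = True
            continue
        candidate = seg if URL_LIKE.match(seg) else _decode_b64(seg)
        if candidate and URL_LIKE.match(candidate):
            result["embedded_url"] = candidate
            continue
        normalised = seg.lower().replace("-", ".").replace("_", ".")
        if any(d in normalised or d.split(".")[0] == normalised for d in own_domains):
            result["org_marker"] = True
    host = urlparse(result["embedded_url"] or "").hostname or ""
    result["embedded_url_is_ours"] = any(host == d or host.endswith("." + d) for d in own_domains)
    # A hash-like segment plus our own URL smuggled into a third-party path is the lure pattern.
    result["suspicious"] = result["hash_segment"] and result["embedded_url_is_ours"]
    return result


def find_suspicious(urls, own_domains=OWN_DOMAINS):
    """Return the URLs from a log that match the lure pattern."""
    return [u for u in urls if analyze_url(u, own_domains)["suspicious"]]
```

Run over exported proxy or mail-gateway URL fields, the hits are candidates for the credential-harvesting redirect, and the decoded embedded URL tells you which legitimate page was used as bait.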
How TA473 exploits a Zimbra vulnerability
Proofpoint has observed that the threat actor sometimes targets specific RoundCube webmail request tokens as well, which reveals that the threat actor has already done reconnaissance on the target prior to attacking it.
How to protect from this security threat
- Patch Zimbra Collaboration, which will prevent attackers from exploiting the CVE-2022-27926 vulnerability.
- Ensure multifactor authentication is enabled on internet-facing services such as web portals; even if an attacker owns valid credentials, they might not be able to use them. Strong password policies also need to be enforced.
- Put network policies in place so that, even though the webmail portal faces the internet, it is only accessible from a corporate VPN connection.
- Educate users about phishing threats and social engineering tricks that attackers might employ.
- Keep operating systems and software updated and patched.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.