Get all your news in one place.

100’s of premium titles.
One app.

Get all your news in one place.

100’s of premium titles. One news app.

TechRadar

Sead Fadilpašić

Google blocks a zero-day flaw used to target government emails

Google TAG

X.

Cybersecurity researchers from Google’s Threat Analysis Group (TAG) recently discovered a zero-day vulnerability in a popular email server platform that hackers were using to steal sensitive data from government organizations around the world.

In a blog post published by researchers Clement Lecigne and Maddie Stone of TAG, it was said that a cross-site scripting (XSS) flaw was found in June this year, in a popular email server platform Zimbra Collaboration. An XSS flaw allows threat actors to inject malicious scripts into vulnerable websites. These scripts can pull sensitive information such as email data, user credentials, and authentication tokens, from unsuspecting visitors.

The flaw is now tracked as CVE-2023-37580.

Hackers flocking

In the timeframe between the flaw being discovered and being patched, Google observed four threat actors abusing it to target various government organizations.

One threat actor was sending emails with an exploit URL to people working for a government organization in Greece. If the victim, who was logged into a Zimbra session, clicked the link, the URL loaded a framework that used XSS to steal emails and attachments and set up an auto-forwarding rule to an attacker-controlled address.

The second campaign targeted government organizations in Moldova and Tunisia, while the third one went after a Vietnamese organization. Finally, someone tried to steal Zimbra authentication tokens from people working for a Pakistani government organization.

The first campaign leveraging the zero-day was discovered in late June 2023, while Zimbra pushed the official patch a month later, in late July. The Pakistani campaign was conducted after the release of the patch, Google said, highlighting the importance of timely patching:

“The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible,” Google concluded.

More from TechRadar Pro

Google Chrome releases security fix for this major flaw, so update now
Here's a list of the best firewalls today
These are the best endpoint security tools right now

Sign up to read this article

Read news from 100’s of titles, curated specifically for you.

Already a member? Sign in here

Top stories on inkl right now

Michael Cohen to continue testimony at Trump hush-money trial

Michael Cohen to continue testimony at Trump hush-money trial

Former fixer told Manhattan court on Monday that Trump had asked him to keep stories about his personal life out of the media

The Guardian - US

Australian war crimes whistleblower David McBride jailed for six years

Australian war crimes whistleblower David McBride jailed for six years

Eight years after Australia began investigating war crimes in Afghanistan, a whistleblower is the first to be punished.

New Caledonia imposes curfew after day of violent protests against constitutional change

New Caledonia imposes curfew after day of violent protests against constitutional change

Car dealerships have been set on fire and supermarkets looted in Pacific French territory as protests against changes to voter eligibility spread

The Guardian - AU

Miami appeals ruling that found city had racially gerrymandered voting districts

Miami appeals ruling that found city had racially gerrymandered voting districts

A judge invalidated the boundaries of the city's five districts and ordered they be redrawn earlier this month

One subscription that gives you access to news from hundreds of sites

Already a member? Sign in here

‘Take care of it’: Michael Cohen says Trump was directly involved in Stormy Daniels payoff

‘Take care of it’: Michael Cohen says Trump was directly involved in Stormy Daniels payoff

The witness that could make or break Trump’s hush-money trial took the witness stand on Monday – and did not disappoint

The Guardian - US

University of North Carolina to divert $2.3m DEI budget to safety and policing

University of North Carolina to divert $2.3m DEI budget to safety and policing

Some members of board of trustees, which voted for divestment, cited students’ Gaza protests as reason for redesignation of funds

The Guardian - US

Related Stories

Top stories on inkl right now

Michael Cohen to continue testimony at Trump hush-money trial

Michael Cohen to continue testimony at Trump hush-money trial

Former fixer told Manhattan court on Monday that Trump had asked him to keep stories about his personal life out of the media

The Guardian - US

Australian war crimes whistleblower David McBride jailed for six years

Australian war crimes whistleblower David McBride jailed for six years

Eight years after Australia began investigating war crimes in Afghanistan, a whistleblower is the first to be punished.

New Caledonia imposes curfew after day of violent protests against constitutional change

New Caledonia imposes curfew after day of violent protests against constitutional change

Car dealerships have been set on fire and supermarkets looted in Pacific French territory as protests against changes to voter eligibility spread

The Guardian - AU

Miami appeals ruling that found city had racially gerrymandered voting districts

Miami appeals ruling that found city had racially gerrymandered voting districts

A judge invalidated the boundaries of the city's five districts and ordered they be redrawn earlier this month

One subscription that gives you access to news from hundreds of sites

Already a member? Sign in here

‘Take care of it’: Michael Cohen says Trump was directly involved in Stormy Daniels payoff

‘Take care of it’: Michael Cohen says Trump was directly involved in Stormy Daniels payoff

The witness that could make or break Trump’s hush-money trial took the witness stand on Monday – and did not disappoint

The Guardian - US

University of North Carolina to divert $2.3m DEI budget to safety and policing

University of North Carolina to divert $2.3m DEI budget to safety and policing

Some members of board of trustees, which voted for divestment, cited students’ Gaza protests as reason for redesignation of funds

The Guardian - US

Our Picks

Baby Reindeer’s Richard Gadd: ‘If I wanted the real people to be found, I would’ve made a documentary’

Speaking to the Hollywood Reporter, the comedian says he’ll stop pleading with internet sleuths trying to find the real people who inspired the show as ‘I’m almost adding to it’

The Guardian - AU

Bumble responds to outrage over controversial ads on celibacy

The dating app has made a harsh decision amid backlash over its new billboard ads.

One of Marvel's most famous mutants wasn't allowed to be in X-Men '97

"Yeah, he was off-limits"

Why you should keep a bowl of vinegar next to your stove

Tired of strange smells lingering in your kitchen after cooking? A simple bowl of vinegar could be the perfect solution for you

Homes & Gardens

Legendary Alien star Sigourney Weaver set to join the Star Wars universe

Signourney Weaver is in talks for The Mandalorian & Grogu

Parents 'don’t always need to validate their kids’ feelings' - expert argues 'obsession' with validation results in ‘less emotional regulation’, not more

A parenting expert has revealed that we don't always need to validate our kids' feelings, and the 'obsession' to do so can actually fuel dysregulation.

Fourteen days free

Download the app

One app. One membership.
100+ trusted global sources.

Download on the AppStore

Get it on Google Play