Russian hacking group seen exploiting Roundcube webmail zero-day

Winter Vivern group targets European governments and think tanks


ESET researchers have revealed that the Winter Vivern Russian hacking group has exploited a zero-day vulnerability in Roundcube Webmail, targeting various European government entities and think tanks.

This exploitation, which is thought to have begun on 11th October, continued until the security flaw, tracked as CVE-2023-5631, was patched by the Roundcube development team on 16th October, following a report from ESET researchers.

The attack relied on HTML email messages carrying specially crafted SVG documents.

This enabled the threat actors, also known as TA473, to execute arbitrary JavaScript code remotely in the context of the victim's Roundcube session, thereby compromising the Roundcube email servers.

The malevolent actors disguised their phishing attempts as emails from the Outlook Team, tricking recipients into triggering the malicious payload upon opening the message.

According to ESET, the exploited vulnerability facilitated the unauthorised extraction of emails from compromised webmail servers.

The team stated: "By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user's browser window. No manual intervention other than viewing the message in a web browser is required."
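As an added illustration that is not part of ESET's report or the Roundcube project, the following mail-gateway check targets the delivery vector described above: it parses a raw message and flags any inline SVG in an HTML part, plus script elements or event-handler attributes inside it. The sample message, its sender address and the `SvgScanner`/`scan_message` names are constructed for this example; the heuristic is a coarse defensive filter and does not reproduce the specific CVE-2023-5631 sanitiser bypass.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: an HTML message whose body embeds an inline SVG carrying
# an event-handler attribute. Not a copy of the campaign's actual lure.
SAMPLE_EML = b"""\
From: "Outlook Team" <noreply@example.invalid>
Subject: Account notice
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the notice below.</p>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <circle r="1" onload="alert(1)"/>
</svg></body></html>
"""


class SvgScanner(HTMLParser):
    """Records inline <svg> content that could carry executable script."""

    def __init__(self):
        super().__init__()
        self.depth = 0        # >0 while inside an <svg> element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
            self.findings.append("inline <svg> element")
        if not self.depth:
            return            # only inspect markup nested inside <svg>
        if tag == "script":
            self.findings.append("<script> inside <svg>")
        for name, _value in attrs:
            if name.startswith("on"):   # onload=, onclick=, ... run script
                self.findings.append(f"event handler {name}= on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.depth:
            self.depth -= 1


def scan_message(raw: bytes) -> list[str]:
    """Return findings for every text/html part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = SvgScanner()
            scanner.feed(part.get_content())
            findings.extend(scanner.findings)
    return findings
```

A gateway would quarantine or strip the HTML part when `scan_message` returns anything, since inline SVG has almost no legitimate use in mail and the webmail client's own sanitiser is exactly what this bug bypassed.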

Who is Winter Vivern?

Winter Vivern, a group with a history dating back to April 2021, has consistently targeted various global government entities, including those in India, Italy, Lithuania, Ukraine and the Vatican. Its recent attacks on governmental organisations have been primarily focused on exploiting vulnerabilities within Zimbra and Roundcube email servers, with previous exploits of the CVE-2020-35730 vulnerability in Roundcube occurring between August and September 2023.

In previous incidents, Winter Vivern exploited the same Roundcube vulnerability, along with the Zimbra CVE-2022-27926 XSS vulnerability, leading to successful compromises of email servers belonging to the Ukrainian government and NATO countries.

ESET said: "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online."

The group's persistent and sophisticated phishing campaigns, coupled with the lax approach to updating internet-facing applications despite known vulnerabilities, have highlighted the significant threat posed by Winter Vivern to European governments.

Another vulnerability in Roundcube software was exploited in June by the APT28 group, also known as Fancy Bear, in a cyberattack against Ukrainian government entities.