Winter Vivern APT Blasts Webmail Zero-Day Bug With One-Click Exploit
A campaign targeting European governmental organizations and a think tank shows consistency from the low-profile threat group, which has ties to Belarus and Russia.
Low-profile threat group Winter Vivern has been exploiting a zero-day flaw in Roundcube Webmail servers through a malicious email campaign targeting governmental organizations and a think tank in Europe; the attack requires only that a user view a message.
Earlier this month, researchers at ESET Research observed the group sending a specially crafted email message that loads arbitrary JavaScript code in the context of the Roundcube user’s browser window to exploit a newly discovered cross-site scripting (XSS) flaw tracked as CVE-2023-5631. The one-click exploit requires no manual interaction on the part of the user other than viewing the message in a Web browser, the researchers reported in a blog post published Oct. 25.
Roundcube is a freely available, open source webmail solution that’s especially popular with small-to-midsize organizations. The flaw affects versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4, and allows for stored XSS via an HTML email message with a crafted SVG document due to the behavior of “program/lib/Roundcube/rcube_washtml.php,” according to its CVE listing. This, in turn, allows a remote attacker to load arbitrary JavaScript code.
ESET Research reported the vulnerability to the Roundcube team on Oct. 12 and received a response and patch from the company two days later on Oct. 14. On Oct. 16, Roundcube released security updates with new versions 1.6.4, 1.5.5, and 1.4.15 to address the flaw.
Long-Term Targeting
Winter Vivern’s activity is often underreported by security researchers, but the group has been active since at least December 2020 and shows sympathies with Russia and Belarus, conducting cyber espionage that serves the interests of those nations. The group typically uses malicious documents, phishing websites, and a custom PowerShell backdoor to compromise its targets and may be linked to MoustachedBouncer, a sophisticated Belarus-aligned group.
The latest activity observed by ESET, which has been tracking Winter Vivern closely for about a year, is consistent with the group’s typical methods, though previously it exploited flaws that were already public, notes ESET researcher Matthieu Faou.
“Since at least 2022, they have been exploiting XSS vulnerabilities in Zimbra and Roundcube to load arbitrary JavaScript code and steal emails,” he tells Dark Reading. “However, most of those vulnerabilities were known and as such they could only work on unpatched mail servers.”
The fact that the group is now “burning zero-day vulnerabilities” and attacking even updated versions of widely-used webmail servers could be a harbinger of future activity, as it demonstrates a long-term interest in European governmental organizations as primary targets, Faou says.
How the Campaign Works
The latest campaign begins with a phishing email to targets sent from the address [email protected] with the subject line “Get started in your Outlook.” The message purports to be from The Microsoft Accounts Team and offers to help users with their Outlook accounts, seeming innocent enough.
However, just viewing the email sets into motion a process spurred by an SVG tag at the end of the email’s HTML source code that includes a base64-encoded payload. Decoding the payload produces JavaScript code that is executed in the victim’s browser in the context of their Roundcube session, according to ESET.
The researchers realized that the exploit was for a zero-day flaw when the JavaScript injection worked on a fully patched Roundcube instance. They found that the XSS vulnerability being exploited affected the server-side script “rcube_washtml.php,” which doesn’t properly sanitize the malicious SVG document before it is added to the HTML page rendered for a Roundcube user.
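The delivery mechanism described above (an inline SVG in an HTML message carrying a base64 blob that decodes to JavaScript) is something a mail gateway or a SOC analyst can look for independently of any one sanitizer bug. The following Python is an added detection example, not code from ESET or from the Roundcube project: it walks the HTML body of a message, and for every `<svg>` subtree flags script elements, `on*` event-handler attributes, `javascript:`/`data:` hrefs, and base64 attribute values that decode to script-like text. The two message bodies and the marker strings used to classify decoded text are constructed for this example.

```python
"""Flag inbound HTML mail whose inline SVG can carry script (added, constructed example)."""
import base64
import re
from html.parser import HTMLParser

# Substrings that suggest a decoded base64 blob is JavaScript rather than image data (assumption).
JS_MARKERS = ("document.", "window.", "fetch(", "XMLHttpRequest", "eval(", "location.")
# A run of base64 alphabet long enough to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _looks_like_js(text):
    return any(marker in text for marker in JS_MARKERS)


def _decoded_js_blobs(value):
    """Return base64 substrings of `value` that decode to script-like UTF-8 text."""
    hits = []
    for match in B64_RE.finditer(value):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # bad padding / not text: ignore
            continue
        if _looks_like_js(decoded):
            hits.append(decoded)
    return hits


class SvgAuditor(HTMLParser):
    """Collect findings for every <svg> subtree in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.depth = 0        # > 0 while inside an <svg> element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
        if self.depth == 0:
            return            # only SVG content is audited here
        if tag == "script":
            self.findings.append("<script> inside svg")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            if name in ("href", "xlink:href") and value.lower().lstrip().startswith(("javascript:", "data:")):
                self.findings.append(f"{name} uses {value.split(':', 1)[0]}: URI on <{tag}>")
            for decoded in _decoded_js_blobs(value):
                self.findings.append(f"base64 in {name} on <{tag}> decodes to script: {decoded[:40]}")

    def handle_endtag(self, tag):
        if tag == "svg" and self.depth:
            self.depth -= 1


def audit_html_mail(body):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    parser = SvgAuditor()
    parser.feed(body)
    parser.close()
    return parser.findings


# Constructed samples: a harmless inline logo, and a message whose SVG carries a
# base64 blob that decodes to inert marker text (not a real payload).
BENIGN_MAIL = (
    '<html><body><p>Hello</p><svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle cx="5" cy="5" r="4" fill="blue"/></svg></body></html>'
)
SAMPLE_BLOB = base64.b64encode(b'document.title="constructed test marker"').decode()
SUSPICIOUS_MAIL = (
    '<html><body><p>Get started in your Outlook</p>'
    f'<svg xmlns="http://www.w3.org/2000/svg" onload="eval(atob(this.dataset.p))" data-p="{SAMPLE_BLOB}">'
    '<rect width="1" height="1"/></svg></body></html>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_MAIL), ("suspicious", SUSPICIOUS_MAIL)):
        print(label, audit_html_mail(body) or "no findings")
```

The auditor deliberately reports on structure (where script can live in an SVG) rather than on a signature of one campaign, so it keeps working when the encoding or the hosting element changes; the base64 decoding step is what distinguishes a hidden payload from an ordinary embedded image.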
The final JavaScript payload in the attack can list folders and emails in the current Roundcube account and exfiltrate email messages to Winter Vivern’s command and control server by making HTTP requests to “https://recsecas[.]com/controlserver/saveMessage.”
Patch Now
Users of vulnerable Roundcube instances are urged to update to the patched versions to avoid compromise. However, in the case of any future zero-day flaws discovered and subsequently exploited by Winter Vivern, this defense would not be sufficient, Faou notes.
To protect vulnerable systems against similar zero-day exploits, he advises putting technology in place that automatically blocks the loading of JavaScript payloads and the exfiltration of emails. “As such, it is also recommended to deploy an endpoint security solution on all machines.”
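The exfiltration step in this campaign is a browser-side HTTP request from the victim’s webmail session to the attacker’s server, which an egress proxy sees even when the mail server itself looks healthy. As an added example (not ESET’s or Roundcube’s code), the Python below refangs the command-and-control URL quoted in the article and scans constructed proxy log lines for two things: a hit on that exact indicator, and the generic shape of the attack, a POST leaving a webmail origin for a host the session has no business talking to. The log format, the client addresses, the `ALLOWED_HOSTS` set and every domain other than the article’s indicator are assumptions made for the example.

```python
"""Egress-log check for webmail exfiltration (added, constructed example)."""
import re
from urllib.parse import urlsplit

# Indicator as quoted in the article, in defanged form.
DEFANGED_C2 = "https://recsecas[.]com/controlserver/saveMessage"

# Hosts a webmail session is expected to contact (assumption for this example).
ALLOWED_HOSTS = {"mail.example.org"}

# Constructed proxy log format: timestamp client method url "referer"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<referer>[^"]*)"$'
)

SAMPLE_LOG = """\
2023-10-11T09:14:02Z 10.1.2.3 GET https://mail.example.org/?_task=mail "https://mail.example.org/"
2023-10-11T09:14:05Z 10.1.2.3 POST https://recsecas.com/controlserver/saveMessage "https://mail.example.org/?_task=mail"
2023-10-11T09:15:10Z 10.1.2.7 GET https://www.example-cdn.net/logo.png "https://news.example.net/"
2023-10-11T09:16:00Z 10.1.2.3 POST https://collector.example-bad.test/upload "https://mail.example.org/?_task=mail&_action=show"
"""


def refang(ioc):
    """Turn a defanged indicator ([.] and hxxp) back into a matchable URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def scan_egress_log(text, c2=DEFANGED_C2, allowed=ALLOWED_HOSTS):
    """Return (rule, client, url) alerts for log lines worth an analyst's attention."""
    c2_host = urlsplit(refang(c2)).hostname
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than crash the scan
        url = match["url"]
        host = urlsplit(url).hostname or ""
        referer_host = urlsplit(match["referer"]).hostname or ""
        if host == c2_host:
            # Exact match on the published indicator.
            alerts.append(("known_c2", match["client"], url))
        elif match["method"] == "POST" and referer_host in allowed and host not in allowed:
            # Generic shape of the exfiltration: data posted from the webmail
            # origin to a host outside the allow list, whatever its name.
            alerts.append(("webmail_egress_post", match["client"], url))
    return alerts


if __name__ == "__main__":
    for alert in scan_egress_log(SAMPLE_LOG):
        print(*alert)
```

The second rule is the one that survives a change of attacker infrastructure; it is also the one to tune, since legitimate webmail integrations (calendar, address-book sync) need to be in the allow list before the rule is used for blocking rather than alerting.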
Related news
Ubuntu Security Notice 6848-1 - Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. Rene Rehme discovered that Roundcube incorrectly handled certain headers. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.
The threat actor known as Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts. "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu Faou said in a new report published today. Previously, it was using known
Debian Linux Security Advisory 5531-1 - It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code.
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.