Headline
APT Winter Vivern Exploits New Roundcube 0-Day to Target European Entities
By Waqas ESET Research Uncovers New Targeted Campaign Impacting European Governments and Think Tanks. This is a post from HackRead.com Read the original post: APT Winter Vivern Exploits New Roundcube 0-Day to Target European Entities
The new 0-Day vulnerability was actively exploited by the Winter Vivern cyberespionage group before its discovery and subsequent patch by Roundcube, a web-based IMAP email client, with ESET’s report.
The Russian cyberespionage group Winter Vivern (aka TA473, and UAC-0114), known for its persistent attacks on European and Central Asian governments, has once again made headlines. ESET, a Slovak cybersecurity firm, has recently revealed the group’s utilization of a 0-day (zero-day) cross-site scripting (XSS) vulnerability in the Roundcube Webmail server, signaling an alarming escalation in their tactics.
ESET researchers, who have been closely monitoring Winter Vivern’s activities for over a year, discovered the exploitation of this new vulnerability on October 11th, 2023. This XSS vulnerability, identified as CVE-2023-5631, allowed attackers to remotely compromise Roundcube Webmail servers, a popular email platform.
Notably, this vulnerability is distinct from CVE-2020-35730, a previously exploited flaw by the same group, as outlined in ESET’s research.
****Targeted Entities****
The campaign orchestrated by Winter Vivern focused on Roundcube Webmail servers belonging to governmental entities and a think tank, all situated within Europe. This is in line with the group’s primary objective of targeting government institutions and organizations in Europe and Central Asia.
****Modus Operandi****
Winter Vivern is infamous for employing a variety of tactics to infiltrate their targets, including the use of malicious documents, phishing websites, and a custom PowerShell backdoor. While there is a low level of confidence, ESET researchers suggest a potential connection between Winter Vivern and MoustachedBouncer, a Belarus-aligned group.
Since at least 2022, as reported by Hackread.com, Winter Vivern has been known to target Zimbra and Roundcube email servers owned by governmental entities. Additionally, the group exploited CVE-2020-35730, another XSS vulnerability in Roundcube, in August and September 2023.
It is worth mentioning that Winter Vivern is not the only threat actor exploiting Roundcube vulnerabilities. Sednit (also known as APT28) has been seen using the same XSS vulnerability in Roundcube, occasionally targeting the same victims.
****The Exploited Vulnerability (CVE-2023-5631)****
This XSS vulnerability, according to ESET’s blog post, could be exploited remotely by sending a specially crafted email message. In this particular campaign, the emails were sent from the address team.managment@outlookcom with the subject line “Get started in your Outlook.”
The malicious email appeared ordinary at first glance, but upon examining the HTML source code, a concealed SVG tag containing a base64-encoded payload was revealed. The payload was concealed within the onerror attribute of an image tag in the SVG. When decoded, this payload led to the execution of JavaScript code in the victim’s browser.
Surprisingly, the JavaScript injection worked even on fully patched Roundcube instances. The vulnerability was traced back to the server-side script rcube_washtml.php, which did not adequately sanitize the malicious SVG document before incorporating it into the HTML page interpreted by the user.
ESET researchers reported the issue to Roundcube, and the vulnerability was patched promptly on October 14th, 2023. The affected Roundcube versions include 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
The malicious email (ESET)
****Implications and Conclusion****
Winter Vivern’s transition to a 0-day vulnerability is a clear indication of their determination to infiltrate high-value targets. Despite the group’s relatively unsophisticated toolset, they remain a significant threat to European governments. Their success can be attributed to their persistent phishing campaigns and the prevalence of outdated, vulnerable applications used by targeted organizations.
In response to ESET’s discovery, the Roundcube team acted swiftly to address the vulnerability. A disclosure timeline reveals that the vulnerability was reported on October 12, and the necessary patches were released just two days later, ensuring the security of Roundcube Webmail servers.
ESET Research commended the Roundcube developers for their rapid response and collaboration in resolving the issue. It is vital that organizations and government entities keep their software up to date to mitigate the risk of such attacks in the future.
- ProtonMail Code Vulnerabilities Leaked Emails
- APTs Exploiting WinRAR 0day Flaw Despite Patch Availability
- Email Hacking Reigns as Top Cybersecurity Threat, Indusface Study
- Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks
- Mozilla Rushes to Fix Critical Vulnerability in Firefox and Thunderbird
- EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability
Related news
Ubuntu Security Notice 6848-1 - Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. Rene Rehme discovered that Roundcube incorrectly handled certain headers. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.
Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]
A campaign targeting European governmental organizations and a think tank shows consistency from the low-profile threat group, which has ties to Belarus and Russia.
The threat actor known as Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts. "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu Faou said in a new report published today. Previously, it was using known
Debian Linux Security Advisory 5531-1 - It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code.
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard. The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat