ESET reveals Winter Vivern group targeting Roundcube Webmail servers

ESET reveals Winter Vivern group targeting Roundcube Webmail servers

ESET researchers, during their regular monitoring of the cyberespionage operations of Winter Vivern, discovered that the group recently began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server. In an XSS attack, malicious scripts are injected into otherwise trusted websites.

According to ESET telemetry data, the campaign targeted Roundcube Webmail servers belonging to governmental entities and a think tank, all in Europe. ESET Research recommends updating Roundcube Webmail to the latest version as soon as possible.

ESET discovered the vulnerability on October 12 and immediately reported it to the Roundcube team, who patched the vulnerability and released security updates soon after, on October 14. “We would like to thank the Roundcube developers for their quick reply and for patching the vulnerability in such a short time frame,” says ESET researcher Matthieu Faou, who discovered the vulnerability and Winter Vivern attacks.

“Winter Vivern is a threat to governments in Europe because of its persistence, its very consistent running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated despite being known to contain vulnerabilities,” explains Faou.

Exploitation of the XSS vulnerability CVE-2023-5631 can be done remotely by sending a specially crafted email message. “At first sight, the email doesn’t seem malicious – but if we examine the HTML source code, we can see a tag for SVG graphics at the end that contains an encoded malicious payload,” says Faou. By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual interaction other than viewing the message in a web browser is required. The final JavaScript payload can exfiltrate email messages to the command and control server of the group.

Winter Vivern is a cyberespionage group that is thought to have been active since at least 2020 and targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor. ESET believes with low confidence that Winter Vivern is linked to MoustachedBouncer, a sophisticated Belarus-aligned group that we first published about in August 2023. Winter Vivern has been targeting Zimbra and Roundcube email servers belonging to governmental entities since at least 2022.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Vertiv Outlines Best Practices of High-Density Cooling for Data Centers

Vertiv Outlines Best Practices of High-Density Cooling for Data Centers

Mahmoud Abdelmoneim, Sales Director for Middle East, Turkey & Central…
How Generative AI Accelerates Digital Transformation

How Generative AI Accelerates Digital Transformation

Lori MacVittie, F5 Distinguished Engineer discusses the impact of…
Maintaining Balance Between Performance and User Experience

Maintaining Balance Between Performance and User Experience

Gaurav Mohan, VP, SAARC & Middle East, NETSCOUT, discusses that…
Microsoft reveals Top Three teams for Imagine Cup!

Microsoft reveals Top Three teams for Imagine Cup!

Today marks a pivotal moment in the 2024 Imagine Cup as Microsoft reveal…
OPPO collaborates with startups for tech advancements

OPPO collaborates with startups for tech advancements

Today, with 150 million startups worldwide and another 50…
TikTok awards women entrepreneurs in Riyadh

TikTok awards women entrepreneurs in Riyadh

TikTok MENA celebrated the conclusion of the second edition of…