The Russia-linked advanced persistent threat (APT) actor Winter Vivern has been observed exploiting a zero-day vulnerability in the Roundcube webmail server in attacks aimed at government entities and a think tank in Europe, ESET reports.
Also tracked as TA473 and mainly focused on espionage, Winter Vivern is known to launch cyberattacks in support of Russian and Belarusian objectives, especially in the context of the Russia-Ukraine war, and was previously seen targeting NATO countries.
Since at least 2022, Winter Vivern has been targeting the Zimbra and Roundcube email servers of government organizations in Europe and Central Asia, using known vulnerabilities for which proof-of-concept (PoC) exploits are available online.
As part of the recently observed attacks, however, the APT stepped up its game, exploiting CVE-2023-5631, a zero-day cross-site scripting (XSS) vulnerability in Roundcube’s open source webmail server.
Because the Roundcube server did not properly sanitize SVG files in HTML messages, the threat actor could send crafted email messages carrying a malicious SVG document leading to JavaScript injection.
“By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual interaction other than viewing the message in a web browser is required,” ESET explains.
The final payload in the execution chain was designed to list folders and emails in the current Roundcube account and to exfiltrate emails to the attacker’s command-and-control (C&C) server.
According to ESET, Winter Vivern exploited CVE-2023-5631 on October 11. The zero-day was reported to the vendor the next day and a patch was released on October 16.
Roundcube versions 1.4.15, 1.5.5, and 1.6.4 contain patches for the vulnerability. Organizations are advised to update their instances as soon as possible.
“Winter Vivern is a threat to governments in Europe because of its persistence, its very consistent running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated despite being known to contain vulnerabilities,” ESET researcher Matthieu Faou says.
Related: Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up
Related: Russian Hackers Using USB-Spreading Malware in Attacks on Ukrainian Government, Military
Related: US Disrupts Russia’s Sophisticated ‘Snake’ Cyberespionage Malware