Pro-Russia group exploits Roundcube zero-day in attacks on European government emails


The Winter Vivern cyber-espionage group is exploiting an XSS zero-day vulnerability in attacks on European governments.

Researchers at ESET, who discovered the activity, didn't name the specific government entities it targeted, but given Winter Vivern's links to Russia and Belarus, they are likely to be adversaries of those countries.

Tracked as CVE-2023-5631, the zero-day was found in the free and open-source webmail client Roundcube. ESET reported the vulnerability to the Roundcube team on October 12 and a patch was developed two days later.

The exploitation started with a convincing-looking phishing email that aimed to spoof the Microsoft Outlook team. The display name was set to "Team Outlook", but one giveaway was a typo in the spoofed sender address.

All a victim was required to do was open the email, whose subject line was "Get started in your Outlook," in a web browser, and a malicious payload would be launched. It was hidden in an SVG tag at the end of the email's HTML source code; because the flaw is a stored XSS in the webmail client, the script runs in the victim's authenticated Roundcube session rather than in a sandboxed attachment.

JavaScript code would then be loaded to enumerate folders and emails within the victim's Roundcube account and send the messages back to the attackers via their C2 server.
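The attack chain described above, a script smuggled inside an SVG element at the tail of an HTML message and executed by the webmail client, is something a mail gateway or an incident responder can triage for. What follows is an added example, not code from the article, from ESET's analysis or from the Roundcube project: a small Python scanner that flags HTML bodies whose `<svg>` markup carries script-capable content. The indicators it checks (an inline `<script>` nested in `<svg>`, `on*` event-handler attributes, and `href`/`xlink:href`/`src` values using a `javascript:`, `data:` or `vbscript:` scheme) are generic SVG-based XSS heuristics assumed here for triage purposes; they are not the specifics of the CVE-2023-5631 payload, and the sample message bodies are constructed.

```python
"""Triage scanner: flag HTML e-mail bodies whose <svg> markup can run script.

Added example, not code from Roundcube or from ESET's analysis. The indicators
are generic SVG-based XSS heuristics (assumption: reasonable for mail triage):
  * an inline <script> element nested inside <svg>
  * any on* event-handler attribute (onload, onerror, ...) inside <svg>
  * href / xlink:href / src inside <svg> using a javascript:, data: or
    vbscript: scheme, after stripping the whitespace browsers ignore
The sample bodies at the bottom are constructed for this example.
"""
from html.parser import HTMLParser

SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")
URI_ATTRS = ("href", "xlink:href", "src")


class SvgScriptFinder(HTMLParser):
    """Collects indicators while walking the HTML; only looks inside <svg>."""

    def __init__(self) -> None:
        super().__init__()        # convert_charrefs=True: &#106;avascript: is decoded
        self.svg_depth = 0        # > 0 while inside one or more <svg> elements
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return                # outside <svg>: out of scope for this scanner
        if tag == "script":
            self.findings.append("inline <script> inside <svg>")
        for name, value in attrs:
            name = name.lower()
            # Browsers tolerate tabs/newlines inside a URL scheme, so drop
            # all whitespace before comparing ("java\tscript:" -> "javascript:").
            value = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name}= on <{tag}>")
            elif name in URI_ATTRS and value.startswith(SCRIPT_SCHEMES):
                scheme = value.split(":", 1)[0]
                self.findings.append(f"{name} with {scheme}: scheme on <{tag}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing <svg .../> or <image .../>: treat as open followed by close.
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag.lower() == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def scan_html_email(html: str) -> list[str]:
    """Return the list of human-readable indicators found in one HTML body."""
    finder = SvgScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample bodies (placeholders, not the real phishing message).
BENIGN_BODY = (
    "<html><body><p>Quarterly newsletter</p>"
    "<svg width='12' height='12'><circle cx='6' cy='6' r='5'/></svg>"
    "</body></html>"
)

SUSPECT_BODY = (
    "<html><body><p>Get started in your Outlook</p>"
    # Script-capable SVG appended after the visible content, mirroring the
    # placement the article describes; the contents are placeholders.
    "<svg xmlns='http://www.w3.org/2000/svg'>"
    "<a href='JAVA\tSCRIPT:void(0)'><text>open</text></a>"
    "<image href='data:text/html,placeholder'/>"
    "<script>/* placeholder */</script>"
    "</svg></body></html>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        hits = scan_html_email(body)
        print(f"{label}: {'clean' if not hits else ', '.join(hits)}")
```

This is a triage heuristic, not a sanitizer: it will miss payloads that rely on a parser differential between the gateway and the webmail client, and it deliberately ignores script outside `<svg>` that a normal HTML sanitizer already handles. The actual fix for CVE-2023-5631 is the Roundcube patch; the scanner is for finding messages that arrived before it was applied.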

"Despite the low sophistication of the group's toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities," ESET said.

Winter Vivern has exploited known vulnerabilities in Roundcube and Zimbra for its espionage campaigns since 2022, but this zero-day report shows an advancement in its operations, according to the researchers.

For example, researchers observed Winter Vivern exploiting CVE-2020-35730 as recently as August and September, despite the vulnerability being three years old.

Fancy Bear, the advanced persistent threat (APT) group believed to have ties with Russia's GRU, was also spotted exploiting the same old XSS vulnerability in Roundcube, and sometimes targeting the same victims as Winter Vivern.

The group is known for primarily targeting entities in Europe and Central Asia, but earlier this year had attacks against US government officials, as well as European lawmakers, pinned to it.

In that case, officials from an array of different European governments were targeted by the "scrappy" group, as one researcher put it, and its wide exploitation of a one-year-old Zimbra XSS vulnerability.

Tom Hegel, senior threat researcher at SentinelOne, said at the time that Winter Vivern found success in campaigns with limited resources, and showed high degrees of productivity when it came to solving problems.

The group is believed to have begun operations in 2020; DomainTools first documented it in 2021. ®