Russian hackers exploit Roundcube zero-day to steal govt emails



The Winter Vivern Russian hacking group has been exploiting a Roundcube Webmail zero-day in attacks targeting European government entities and think tanks since at least October 11.

The Roundcube development team released security updates (versions 1.6.4, 1.5.5 and 1.4.15) fixing the stored cross-site scripting (XSS) vulnerability (CVE-2023-5631) reported by ESET researchers on October 16.

These security patches were pushed five days after the Slovak cybersecurity company detected Russian threat actors using the zero-day in real-world attacks.

According to ESET's findings, the cyberespionage group (also known as TA473) used HTML email messages containing carefully crafted SVG documents to remotely inject arbitrary JavaScript code.

Their phishing messages impersonated the Outlook Team and tried to trick potential victims into opening the malicious emails, which automatically triggered a first-stage payload that exploited the Roundcube email server vulnerability. Because the XSS is stored, the injected code runs with the victim's authenticated Roundcube session as soon as the message is rendered.

The final JavaScript payload dropped in the attacks helped the malicious actors harvest and steal emails from compromised webmail servers.

"By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user's browser window. No manual interaction other than viewing the message in a web browser is required," ESET said.

"The final JavaScript payload [..] is able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server."
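The attack chain above hinges on SVG markup inside an HTML mail part carrying JavaScript that the webmail sanitizer lets through. The following scanner is an added example, not ESET's analysis tooling and not Roundcube's own rcube_washtml sanitizer (which is what the CVE-2023-5631 fix changed): it walks every text/html part of an RFC 5322 message and reports any SVG subtree that carries an inline `<script>`, an `on*` event-handler attribute, or a `javascript:`/`data:` URL, which is a useful mail-gateway or incident-triage check for this class of input. Both sample messages are constructed for the demonstration, and the "Outlook Team" sender mirrors the lure described in the article rather than any real header.

```python
"""Flag script-bearing SVG in the HTML parts of an email message.

Added example, not ESET's or Roundcube's code. Sample messages below are
constructed for the demo; no real mail data is embedded.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)          # onerror, onload, ...
URL_ATTRS = {"href", "xlink:href", "src"}
BAD_SCHEME = re.compile(r"^\s*(javascript|data)\s*:", re.I)


class SvgScriptFinder(HTMLParser):
    """Records findings for elements nested inside an <svg> subtree."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return                                    # only SVG content is in scope
        if tag == "script":
            self.findings.append("<script> element inside <svg>")
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                self.findings.append(f"<{tag}> carries {name} handler inside <svg>")
            elif name in URL_ATTRS and value and BAD_SCHEME.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                self.findings.append(f"<{tag}> {name} uses {scheme}: URL inside <svg>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def scan_html(html):
    """Return the list of findings for one HTML document."""
    parser = SvgScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_message(raw):
    """Return findings across every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


# Constructed sample: a plain inline logo, no script content.
BENIGN = """\
From: alice@example.org
To: bob@example.org
Subject: Logo
Content-Type: text/html; charset=utf-8

<html><body><p>Hi</p>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle r="4"/></svg>
</body></html>
"""

# Constructed sample: lure-style multipart mail whose HTML part hides JS in SVG.
SUSPECT = """\
From: "Outlook Team" <team@example.net>
To: bob@example.org
Subject: Mailbox notice
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please review your mailbox settings.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Please review your mailbox settings.</p>
<svg xmlns="http://www.w3.org/2000/svg">
  <image href="x" onerror="alert(document.cookie)"/>
  <a xlink:href="javascript:alert(1)"><text>open</text></a>
  <script>alert(2)</script>
</svg>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_message(raw) or "clean")
```

The scanner deliberately limits itself to SVG subtrees because that is the vector the article describes; handlers on ordinary HTML elements are normally stripped by the webmail sanitizer anyway, and flagging them would add noise to a triage queue. Any hit is a reason to quarantine the message and to confirm the Roundcube instance is on a patched release.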

Roundcube phishing email sample (ESET)

First spotted in April 2021, Winter Vivern has garnered attention for its deliberate targeting of government entities across the globe, including nations such as India, Italy, Lithuania, Ukraine, and the Vatican.

According to SentinelLabs researchers, the group's objectives closely align with the interests of the governments of Belarus and Russia.

Winter Vivern has been actively targeting Zimbra and Roundcube email servers owned by governmental organizations since at least 2022.

These attacks included exploiting the older Roundcube XSS vulnerability CVE-2020-35730 between August and September 2023, per ESET telemetry data.

Notably, this same vulnerability was exploited by Russian APT28 military intelligence hackers affiliated with Russia's General Staff Main Intelligence Directorate (GRU) to compromise Roundcube email servers belonging to the Ukrainian government.

The Russian cyberspies also exploited the Zimbra CVE-2022-27926 XSS vulnerability in attacks against NATO countries to steal emails belonging to NATO officials, governments, and military personnel.

"Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online," ESET said.

"The group is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated though they are known to contain vulnerabilities."