Winter Vivern [1] [2] [3] [4] [5] [6] [7], a pro-Russia hacking group [3] [4], has been targeting government organizations in Europe and Asia, as well as a think tank. They have exploited a zero-day vulnerability in Roundcube webmail servers [2] [3] [4] [5] [6], known as CVE-2023-5631 [4] [6] [7]. This vulnerability allows attackers to remotely exploit Roundcube through a malicious email [6].

Description

Winter Vivern has been sending seemingly harmless emails that carry a JavaScript injection payload. Through it, the group has gained control of the Roundcube server and read victims’ email messages, which it then exfiltrated to a server under its own control. Notably, the injection worked even on fully patched instances of Roundcube, exposing a previously unknown XSS vulnerability in the server-side script rcube_washtml.php [6]. Winter Vivern has a history of targeting Roundcube servers and is suspected of having connections to the MoustachedBouncer group.

The cybersecurity company ESET detected these attacks and reported the vulnerability to the Roundcube developers on October 16, after observing the Russian threat actors actively exploiting it in real-world attacks [3]. Security patches followed five days later [3]. Administrators are strongly advised to upgrade their installations to the fixed versions and to watch for any signs of compromise if they suspect they may have been targeted. The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5 [2] [4] [6], and 1.4.x before 1.4.15 [2] [4] [6].
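As an added example that is not part of the original report or of Roundcube's own code, the check below classifies Roundcube version strings from a host inventory against the fixed releases named above (1.4.15, 1.5.5, 1.6.4); the hostnames and versions it uses are constructed.

```python
# Added example: triage a Roundcube inventory against the fixed releases
# for CVE-2023-5631 (1.4.15, 1.5.5, 1.6.4). The version parsing is written
# here for illustration and is not Roundcube's own code.
from __future__ import annotations
import re

# Branch (major, minor) -> first release that contains the fix.
FIXED_IN = {(1, 4): (1, 4, 15), (1, 5): (1, 5, 5), (1, 6): (1, 6, 4)}


def parse_version(text: str) -> tuple[tuple[int, ...], bool]:
    """Turn '1.6.3', 'v1.6.3-rc1' or '1.6' into (int tuple, is_prerelease).

    Short strings are padded with zeros, so '1.6' becomes (1, 6, 0).
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(-\S+)?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts)), bool(m.group(2))


def is_vulnerable(version: str) -> bool | None:
    """True if the version predates the fix in an affected branch,
    False if it is the fixed release or later, None if the branch is
    not one the advisory covers."""
    v, prerelease = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    # A pre-release of the fix version (e.g. 1.6.4-rc1) is still counted as
    # vulnerable: only the final release is known to carry the fix.
    return v < fixed or (v == fixed and prerelease)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host to 'vulnerable', 'patched' or 'unknown-branch'."""
    labels = {True: "vulnerable", False: "patched", None: "unknown-branch"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"mail1.example.org": "1.6.3", "mail2.example.org": "1.6.4",
              "mail3.example.org": "1.5.4-rc2", "legacy.example.org": "1.3.17"}
    for host, state in triage(sample).items():
        print(f"{host:22} {state}")
```

Hosts reported as unknown-branch run a release line the advisory does not name and need a separate decision rather than being treated as safe.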

Conclusion

The Winter Vivern hacking group’s targeting of government organizations and a think tank, exploiting a zero-day vulnerability in Roundcube webmail servers [1] [2] [3] [4] [5] [6], has significant implications. The successful exploitation of this vulnerability, even on fully patched instances of Roundcube, highlights the need for constant vigilance and prompt patching of software vulnerabilities. Administrators should upgrade their installations to the fixed versions and remain alert for any signs of compromise. This incident also underscores the importance of cybersecurity companies like ESET in detecting and reporting such threats, enabling developers to release security patches promptly.

References

[1] https://thehackernews.com/2023/10/nation-state-hackers-exploiting-zero.html
[2] https://cyber.vumetric.com/security-news/2023/10/25/roundcube-webmail-zero-day-exploited-to-spy-on-government-entities-cve-2023-5631/
[3] https://vulnera.com/newswire/russian-hackers-exploit-roundcube-zero-day-to-target-european-governments/
[4] https://arstechnica.com/security/2023/10/pro-russia-hackers-target-inboxes-with-0-day-in-webmail-app-used-by-millions/
[5] https://www.helpnetsecurity.com/2023/10/25/roundcube-webmail-zero-day-exploited-to-spy-on-government-entities-cve-2023-5631/
[6] https://duo.com/decipher/winter-vivern-apt-targets-zero-day-in-roundcube
[7] https://www.infosecurity-magazine.com/news/winter-vivern-zero-day-targets/