Government agencies and a think tank in Europe were attacked by the APT group Winter Vivern. The attackers used a cross-site scripting (XSS) attack to exploit a zero-day vulnerability in the Roundcube webmail servers the victims were running, and then read confidential emails.
Roundcube is open-source webmail software used by many government departments and organizations such as universities and research institutes. ESET recommends that users update to the latest available version of the software as soon as possible. ESET discovered the vulnerability on October 12, 2023 and immediately reported it to the Roundcube team, which patched it with a security update two days later. “We would like to thank the Roundcube developers for their quick response and for patching the vulnerability in such a short time,” says Matthieu Faou, who discovered the vulnerability and the Winter Vivern attacks. “Winter Vivern is an immense threat to governments in Europe. This group acts extremely stubbornly to achieve their goal. In their activities, they rely on phishing campaigns and exploiting security vulnerabilities, as many applications are not updated regularly,” explains Faou.
Attack from a distance
The XSS vulnerability, CVE-2023-5631, is exploited on the target server by sending it a specially crafted email. “At first glance, the email does not appear to be malicious – but when examining the HTML source code, it becomes apparent that there is an SVG graphics tag at the end that contains malicious content,” says Faou. By sending such a message, attackers can load arbitrary JavaScript code in the Roundcube user's open browser window. No user interaction is necessary for the malicious code to execute. The malware that is then downloaded can harvest emails and send them to the group's command-and-control server.
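As an added, defender-side illustration of the technique described above (not code from ESET or the Roundcube project): a small triage script that scans HTML email bodies for an `<svg>` element carrying active content, such as an inline script, an event-handler attribute or a `javascript:` URL. It assumes the message bodies have already been extracted as HTML strings, for example from a mail archive export; the two sample bodies are constructed for this demonstration.

```python
import re
from html.parser import HTMLParser

# Attributes that execute script or load active content once a browser renders the message.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
URL_ATTRS = {"href", "xlink:href", "src", "data"}


class SvgActiveContentFinder(HTMLParser):
    """Records script, event-handler and javascript: URL usage found inside <svg> elements."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0   # > 0 while the parser is inside an <svg> element
        self.findings = []   # one human-readable reason per hit

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return  # only content inside <svg> is in scope for this check
        if tag == "script":
            self.findings.append("<script> inside <svg>")
        for name, value in attrs:
            value = (value or "").strip().lower().replace(" ", "")
            if EVENT_ATTR.match(name):
                self.findings.append(f"<{tag}> carries event handler {name}")
            elif name in URL_ATTRS and value.startswith("javascript:"):
                self.findings.append(f"<{tag}> {name} points to a javascript: URL")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def scan_email_html(html_body: str) -> list:
    """Return the findings for one HTML email body; an empty list means nothing was flagged."""
    finder = SvgActiveContentFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings


# Constructed sample bodies: a plain meeting notice with a decorative SVG, and a message
# that ends in an <svg> element wrapping an inline script (placeholder, no real payload).
BENIGN = "<html><body><p>Agenda for Monday</p><svg width='8' height='8'><circle r='4'/></svg></body></html>"
SUSPECT = "<html><body><p>Please see attached.</p><svg xmlns='http://www.w3.org/2000/svg'><script>/* placeholder */</script></svg></body></html>"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_email_html(body) or "clean")
```

This is a hunting aid for reviewing stored mail, not a replacement for the patched Roundcube sanitizer: a crafted message that evades the server-side filter may also evade a simple check like this one, so treat a clean result as absence of an obvious marker rather than proof of safety.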
Winter Vivern is a cyber espionage group that is believed to have been attacking governments in Europe and Central Asia since at least 2020. It primarily uses malicious documents, phishing websites and a custom PowerShell backdoor. Presumably since 2022, Winter Vivern has targeted government agencies' Roundcube email servers. ESET believes that Winter Vivern is connected to the Belarusian hacker gang MoustachedBouncer. The latter drew attention to itself in August 2023 by spying on embassies in Belarus.
More at Eset.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.