After reading the technical details about this zero-day that targeted governmental entities and a think tank in Europe and learning about the Winter Vivern threat actor, get tips on mitigating this cybersecurity attack.
ESET researcher Matthieu Faou has exposed a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus. The attack focused on exploiting a zero-day vulnerability in Roundcube webmail, with the result being the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server. The cybersecurity company ESET noted the campaign has targeted governmental entities and a think tank in Europe. This cyberattack is no longer active.
Technical details about this cyberattack exploiting a 0day in Roundcube
The threat actor starts the attack by sending a specially crafted email message with the subject line “Get started in your Outlook” and coming from “team.management@outlook(.)com” (Figure A).
At the end of the email, a SVG tag contains a base64-encoded malicious payload; this is hidden for the user but present in the HTML source code. Once decoded, the malicious content is:
<svg id="https://www.techrepublic.com/article/winter-vivern-exploits-zero-day-roundcube-webmail/x" xmlns="http://www.w3.org/2000/svg"> <image href="https://www.techrepublic.com/article/winter-vivern-exploits-zero-day-roundcube-webmail/x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>
The goal of the malicious code is to trigger the onerror attribute by using an invalid URL in the x parameter.
The vulnerability doesn’t need any interaction with the user other than viewing the message in a web browser, which maybe explains why the threat actor didn’t need to use a very complicated social engineering technique; any content viewed triggers the exploit.
The final payload provides the capability for the attacker to list all folders and emails in the current Roundcube email account in addition to exfiltrate email messages to a command and control server via HTTP requests.
Who is Winter Vivern?
Winter Vivern, aka TA473, is a cyberespionage threat actor whose interests are closely aligned with the governments of Russia and Belarus. The first public exposure of the Winter Vivern threat actor occurred in 2021 when it targeted several governmental entities in different countries including Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine and the Vatican.
This threat actor has a history of exploiting webmail software, as it already abused older Roundcube vulnerabilities and known Zimbra webmail vulnerabilities to target elected officials and staffers in the U.S. as well as experts in European politics and economics. The threat actor also targeted mailboxes from NATO-aligned government entities in Europe.
The threat actor often uses malicious documents and sometimes a PowerShell backdoor to successfully compromise its targets. Winter Vivern uses vulnerability scanners such as Acunetix probably to scan targeted networks.
ESET noted that Winter Vivern has been observed exploiting CVE-2020-35730, which is a known Roundcube vulnerability against entities that are also targeted by threat actor APT28, which has been described as the military unit 26165 of Russia’s Military Intelligence Agency, previously known as GRU.
In addition, ESET pointed out a possible link to threat actor MoustachedBouncer, who runs attacks against foreign diplomats in Belarus. Asked about it, Faou told TechRepublic that “there are quite unique similarities in the network infrastructure of both groups, suggesting that a common entity might provide it to both of them.”
As stated by ESET, regarding the current threat, “Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”
How to protect users from this cybersecurity threat
ESET reported the CVE-2023-5631 vulnerability to Roundcube on Oct. 12, 2023; Roundcube patched it on Oct. 14, 2023 and released security updates to address the vulnerability on Oct. 16, 2023 for versions 1.6.4, 1.4.15 and 1.5.5. It’s strongly advised to patch Roundcube for this vulnerability.
It’s recommended to keep all operating systems and software up to date and patched to avoid further compromise that could happen via common vulnerabilities.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.