Since at least October 11, the Russian hacker organization Winter Vivern has been using a Roundcube Webmail zero-day vulnerability in attacks against think tanks and government agencies in Europe.
According to security researchers, the cyberespionage group (also identified as TA473) was able to access the email servers of European governments through HTML email messages containing specially crafted SVG documents. These documents allowed the attackers to inject arbitrary JavaScript code remotely.
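As an added defender-side example (not from the article, Roundcube, or the researchers it cites), the Python below triages a raw email and flags inline SVG inside HTML parts, the content type this campaign relied on; the two sample messages are constructed, and the heuristic deliberately does not reproduce the CVE-2023-5631 payload, so treat hits as a triage signal rather than a verdict.

```python
import email
import re
from email import policy

# Constructed sample: an HTML body with an inline SVG carrying an event handler.
SUSPICIOUS_EML = b"""From: "Outlook Team" <noreply@example.invalid>
To: analyst@example.invalid
Subject: Account notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your account.</p>
<svg xmlns="http://www.w3.org/2000/svg"><circle r="1" onload="run()"/></svg>
</body></html>
"""

# Constructed sample: ordinary HTML mail with no SVG content.
BENIGN_EML = b"""From: colleague@example.invalid
To: analyst@example.invalid
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Lunch at noon?</p></body></html>
"""

SVG_RE = re.compile(r"<svg\b.*?</svg>", re.I | re.S)      # inline SVG document
SCRIPT_RE = re.compile(r"<script\b", re.I)                 # script element inside SVG
HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.I)           # onload=, onclick=, ...
DATA_URI_RE = re.compile(r"href\s*=\s*[\"']?\s*data:", re.I)  # href pointing at a data: URI

def html_parts(raw: bytes):
    """Yield the decoded text of every text/html MIME part in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()

def scan_html(html: str):
    """Return one reason list per inline SVG found in an HTML body."""
    findings = []
    for match in SVG_RE.finditer(html):
        svg = match.group(0)
        reasons = ["inline-svg"]  # any inline SVG in mail is worth a look
        if SCRIPT_RE.search(svg):
            reasons.append("script-element")
        if HANDLER_RE.search(svg):
            reasons.append("event-handler")
        if DATA_URI_RE.search(svg):
            reasons.append("data-uri-href")
        findings.append(reasons)
    return findings

def scan_message(raw: bytes):
    """Flatten findings across all HTML parts of one message."""
    return [f for html in html_parts(raw) for f in scan_html(html)]
```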
The Strategy Behind the Attack
As reported by BleepingComputer, the attackers’ phishing emails pretended to come from the Outlook Team and tried to fool unsuspecting recipients into clicking on malicious links; doing so launched a first-stage payload that exploited the Roundcube email server vulnerability.
The final JavaScript payload dropped in attacks helped the threat group harvest and steal emails from the compromised servers.
Security researchers reported the vulnerability (documented as CVE-2023-5631) on October 11, and the development team behind Roundcube released a set of security updates meant to fix the Stored Cross-Site Scripting (XSS) vulnerability five days later, on October 16.
The Winter Vivern Explained
The Winter Vivern threat group (also known as TA473) was first spotted in April 2021, gaining attention for its deliberate targeting of governmental organizations across the globe. Security researchers report that the group’s objectives are closely aligned with the governmental interests of Russia and Belarus.
The threat actors have been actively targeting Zimbra and Roundcube email servers belonging to governmental entities for more than a year.