Winter Vivern identifies and exploits zero-day vulnerability in Roundcube Webmail servers

ESET Research has been monitoring the cyberespionage operations of Winter Vivern for over a year and has found that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023. This is a different vulnerability than CVE-2020-35730, which was also exploited by the group. According to ESET telemetry data, the campaign targeted Roundcube Webmail servers belonging to governmental entities and a think tank, all based in Europe.

Following the discovery of the vulnerability, ESET Research reported it to the Roundcube team on October 12th, 2023. The team responded quickly, acknowledged the vulnerability, and released security updates addressing it on October 16th, 2023. The Roundcube team also issued a CVE for the vulnerability (CVE-2023-5631), and ESET Research published a blog post about the exploit on October 25th, 2023.

Winter Vivern is a cyberespionage group that has been active since at least 2020 and targets governments in Europe and Central Asia. Its methods include malicious documents, phishing websites, and a custom PowerShell backdoor. The group has been known to target Zimbra and Roundcube email servers belonging to governmental entities since at least 2022. ESET Research observed the group exploiting the CVE-2020-35730 vulnerability in Roundcube in August and September 2023, and then the zero-day XSS vulnerability in October 2023.

The XSS vulnerability, assigned CVE-2023-5631, can be exploited remotely by sending a specially crafted email message. The emails were sent from a seemingly innocuous email address and contained a base64-encoded payload within an SVG tag in the HTML source code. Once decoded, the payload loads arbitrary JavaScript code in the context of the Roundcube user’s browser window. This enables the attacker to list folders and emails in the current Roundcube account, as well as exfiltrate email messages to a command and control server.
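As an added triage example (not ESET's or Roundcube's code, and not a reproduction of the CVE-2023-5631 filter bypass, which this article does not describe), the scanner below flags the pattern described above in an HTML email body: base64 data inside an `<svg>` element that decodes to script. The two sample bodies are constructed for the example.

```python
# Added example: defensive triage for base64-encoded script inside <svg> in HTML mail.
# Not ESET's or Roundcube's code; the sample message bodies below are constructed.
import base64
import binascii
import re
from html.parser import HTMLParser

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")          # runs long enough to carry code
SCRIPT_MARKERS = re.compile(r"<script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


class SvgCollector(HTMLParser):
    """Collects attribute values and text nodes found inside <svg> ... </svg>."""

    def __init__(self):
        super().__init__()
        self.depth = 0      # >0 while inside an <svg> element
        self.blobs = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
        if self.depth:      # attribute values (e.g. data: URIs) can carry base64 too
            self.blobs.extend(v for _, v in attrs if v)

    def handle_endtag(self, tag):
        if tag == "svg" and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth and data.strip():
            self.blobs.append(data)


def find_encoded_script_in_svg(html_body: str) -> list:
    """Return decoded base64 fragments inside <svg> that contain script markers."""
    collector = SvgCollector()
    collector.feed(html_body)
    hits = []
    for blob in collector.blobs:
        for run in B64_RUN.findall(blob):
            try:
                decoded = base64.b64decode(run, validate=True).decode("utf-8", "replace")
            except binascii.Error:          # not valid base64 (bad padding/characters)
                continue
            if SCRIPT_MARKERS.search(decoded):
                hits.append(decoded)
    return hits


# Constructed sample bodies: a benign inline SVG and one carrying an encoded script.
BENIGN = '<p>Agenda</p><svg width="10" height="10"><circle r="4"/></svg>'
ENCODED = base64.b64encode(b"<script>/* constructed marker */</script>").decode()
SUSPICIOUS = f"<p>Hello</p><svg><desc>{ENCODED}</desc></svg>"
```

Run it over bodies pulled from a mail gateway or a Roundcube mailbox dump to find messages that merit a closer look; a hit is a triage signal, not proof of exploitation.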

Despite the low sophistication of Winter Vivern’s toolset, the group poses a threat to governments in Europe because of its persistence and its regular phishing campaigns. The group’s exploitation of known vulnerabilities in Roundcube and Zimbra, as well as its discovery of a zero-day vulnerability, underscores the importance of keeping internet-facing applications regularly updated to mitigate potential threats.

In response to this latest exploit, ESET Research recommends that Roundcube Webmail users update to the latest available version as soon as possible. This will help protect against potential vulnerabilities and mitigate the risk of exploitation by threat actors like Winter Vivern.

For any inquiries about the research published on WeLiveSecurity, readers are encouraged to contact threatintel@eset.com. ESET Research also offers private APT intelligence reports and data feeds for those interested in further information. Additionally, ESET users are advised to remain vigilant and prioritize the security of their email systems to protect against potential cyber threats such as those posed by Winter Vivern.
