Getty Images
A team of relentless hackers aligned with Russia has recently exploited a zero-day vulnerability found in widely used webmail software, targeting various European governmental entities and a prominent think tank. ESET, a renowned security firm, released a statement on Wednesday providing details about these cyberattacks.
According to ESET, these hackers, known as Winter Vivern, have successfully attacked organizations using Roundcube, a server application prominently used by over 1,000 webmail services and millions of their users. Through a critical cross-site scripting (XSS) error, Winter Vivern injected JavaScript into the Roundcube server application, enabling them to execute commands by simply tricking recipients into opening a malicious email. As a result, the compromised server sent emails from specific targets to a server controlled by the hackers.
No Human Interaction Required
ESET researcher Matthieu Faou explained, “By sending a carefully designed email message, attackers can load malicious JavaScript code within the context of the Roundcube user’s web browser window. No manual action is needed other than viewing the message in a web browser.”
ESET detected the attacks on October 11 and immediately reported the zero-day vulnerability to Roundcube developers, who promptly issued a patch on October 14. The vulnerability, known as CVE-2023-5631, affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
Winter Vivern, an active hacking group since at least 2020, has primarily targeted European and Central Asian governments, as well as influential think tanks. In March, they targeted US government officials who voiced their support for Ukraine in countering Russia’s invasion. These attacks, similar to their current activity, stole victim’s emails, but utilized a different XSS vulnerability in Zimbra Collaboration, a software used for hosting webmail portals, which had already been patched.
Security firm Proofpoint, which disclosed the Zimbra exploits, commented, “This actor has demonstrated a persistent interest in targeting American and European officials, military personnel, and diplomats in Europe. Since late 2022, Winter Vivern has invested considerable time studying the webmail portals of European government entities and scanning publicly exposed infrastructure for vulnerabilities. All their actions speak to their ultimate goal of accessing the emails of key figures involved in government affairs and the Russia-Ukraine war.”
The recent Winter Vivern campaign utilized an email sent from [email protected] with the subject line “Get started in your Outlook.”
The email sent in the campaign.
The attackers concealed their malicious code within the HTML source code, using a malformed code element called an SVG tag. This tag contained base-64 encoded text, which when decoded, revealed JavaScript instructions. These instructions caused Roundcube to execute the injected JavaScript commands due to an intentional error in the tag. The resulting JavaScript payload instructed vulnerable servers to list folders and emails from the victim’s email account, exfiltrating them to an attacker-controlled server through HTTP requests to https://recsecas[.]com/controlserver/saveMessage.
ESET
Considering Winter Vivern’s previous success with the patched Zimbra vulnerability, caution is advised for anyone using Roundcube as a server administrator or end user. It is crucial to ensure that the software is running the latest patched version.
