October 25, 2023 at 11:41AM
Winter Vivern, a low-profile threat group, has been exploiting a zero-day flaw in Roundcube Webmail servers to target governmental organizations and a think tank in Europe. The group sends a specially crafted email that loads an arbitrary JavaScript code, exploiting a newly discovered cross-site scripting flaw. Roundcube has released security updates to address the vulnerability. Winter Vivern’s long-term interest in European governmental organizations suggests future activity. Users are advised to update their Roundcube instances and deploy endpoint security solutions.
Key Takeaways from Meeting Notes:
– A low-profile threat group called Winter Vivern has been exploiting a zero-day flaw in Roundcube Webmail servers.
– They have targeted governmental organizations and a think tank in Europe through a malicious email campaign.
– The malicious email requires users to view a message, and it loads an arbitrary JavaScript code in the Roundcube user’s browser window.
– The group has been active since at least December 2020 and shows sympathies with Russia and Belarus.
– They typically use malicious documents, phishing websites, and a custom PowerShell backdoor to compromise their targets.
– Winter Vivern has previously exploited known vulnerabilities in Zimbra and Roundcube, but now they are using zero-day vulnerabilities.
– The latest campaign begins with a phishing email from a fake Microsoft Accounts Team address and contains an SVG tag with a payload.
– Decoding the payload produces JavaScript code executed in the victim’s Roundcube session, leading to the exfiltration of email messages.
– Users of vulnerable Roundcube instances are urged to update to the patched versions to avoid compromise.
– In the event of future zero-day exploits, additional endpoint-defense practices should be implemented, such as blocking JavaScript payloads and deploying an endpoint security solution on all machines.