October 25, 2023 at 09:41AM
The Winter Vivern Russian hacking group has been targeting European government entities and think tanks since at least October 11 by exploiting a zero-day vulnerability in Roundcube Webmail. The Roundcube development team has released security updates to fix the vulnerability. The group, also known as TA473, uses phishing emails containing malicious code to steal emails from compromised servers. Winter Vivern has a history of targeting government organizations and has recently started using zero-day vulnerabilities in their attacks. It is a persistent threat to European governments due to their regular phishing campaigns and the lack of regular updates for vulnerable applications.
Key takeaways from the meeting notes:
1. Winter Vivern Russian hacking group has been exploiting a zero-day vulnerability in Roundcube Webmail since October 11, targeting European government entities and think tanks.
2. The Roundcube development team released security updates to fix the vulnerability (CVE-2023-5631) on October 16, five days after it was reported by ESET researchers.
3. ESET’s findings reveal that Winter Vivern used HTML email messages containing carefully crafted SVG documents to inject arbitrary JavaScript code and exploit the Roundcube email server vulnerability.
4. The phishing messages impersonated the Outlook Team and aimed to trick victims into opening malicious emails, which triggered a first-stage payload to exploit the vulnerability.
5. The final JavaScript payload allowed the hackers to harvest and steal emails from compromised webmail servers.
6. Winter Vivern has been targeting government entities globally since April 2021, particularly in countries like India, Italy, Lithuania, Ukraine, and the Vatican.
7. The group’s objectives align with the interests of the governments of Belarus and Russia.
8. Winter Vivern has been actively targeting Zimbra and Roundcube email servers owned by governmental organizations since at least 2022.
9. Previous attacks by Winter Vivern involved exploiting another Roundcube vulnerability (CVE-2020-35730) and a Zimbra vulnerability (CVE-2022-27926) to compromise email servers belonging to governments and NATO.
10. Winter Vivern is considered a significant threat due to its persistence, regular phishing campaigns, and the failure to regularly update vulnerable internet-facing applications.