October 25, 2023 at 09:45AM
The Winter Vivern threat actor has been using a zero-day vulnerability in Roundcube webmail software to access victim’s email accounts. Winter Vivern has previously targeted Ukraine, Poland, and government entities in Europe and India. The newly discovered vulnerability, CVE-2023-5631, allows for the injection of arbitrary JavaScript code. Attackers employ a phishing message to load this code and exfiltrate email messages to a command-and-control server. Governments in Europe are at risk due to the group’s persistence and regular phishing campaigns, combined with the lack of regular updates on vulnerable applications.
From the meeting notes, it is clear that Winter Vivern, also known as TA473 and UAC-0114, is a threat actor that has been exploiting vulnerabilities in Roundcube webmail software. Previously, they were using known vulnerabilities, but they have now stepped up their operations by exploiting a zero-day vulnerability (CVE-2023-5631). This vulnerability is a stored cross-site scripting flaw that could allow a remote attacker to load arbitrary JavaScript code. A fix for this vulnerability was released on October 14, 2023.
Winter Vivern’s attack chain starts with a phishing message that contains a Base64-encoded payload in the HTML source code. This payload decodes to a JavaScript injection that takes advantage of the XSS flaw. Once the JavaScript is executed, it facilitates the exfiltration of email messages to a command-and-control server.
It is important to note that Winter Vivern’s toolset may have low sophistication, but they pose a threat to governments in Europe due to their persistence, regular phishing campaigns, and the presence of unpatched vulnerabilities in internet-facing applications.
Please let me know if there is anything specific you would like to focus on or if you need any further information.