Pro-Russia group exploits Roundcube zero-day in attacks on European government emails

October 25, 2023 at 12:50PM

The Winter Vivern cyber spy group has targeted European governments by exploiting an XSS zero-day vulnerability in the Roundcube webmail client. The group, linked to Russia and Belarus, used a convincing phishing email to launch a malicious payload, allowing them to access victims’ Roundcube accounts. Researchers warn that the group’s persistence and regular running of phishing campaigns make it a threat to European governments. Winter Vivern has been previously observed exploiting vulnerabilities in Roundcube and Zimbra, and this instance highlights an advancement in its operations.

Key takeaways from the article:

1. Winter Vivern, a cyber spy group, has been exploiting an XSS zero-day vulnerability in attacks on European governments.
2. The specific government entities targeted have not been named, but they are likely adversaries of Russia and Belarus, given Winter Vivern’s connection to these countries.
3. The zero-day vulnerability, tracked as CVE-2023-5631, was found in the Roundcube webmail client. ESET reported it to the Roundcube team, and a patch was developed.
4. The attack started with a convincing phishing email spoofing the Microsoft Outlook team.
5. Opening the email in a web browser launched a malicious payload hidden in an SVG tag.
6. The payload loaded JavaScript code to access and send the victim’s Roundcube account emails back to the attackers.
7. Winter Vivern has previously exploited vulnerabilities in Roundcube and Zimbra for espionage campaigns since 2022.
8. Fancy Bear, an APT group believed to have ties with Russia’s GRU, has also been observed exploiting the same XSS vulnerability in Roundcube.
9. Winter Vivern mainly targets entities in Europe and Central Asia but has also carried out attacks against US government officials and European lawmakers.
10. The group has shown persistence, regularly running phishing campaigns and targeting applications with known vulnerabilities.
11. Winter Vivern operates with limited resources but has proven to be creative in problem-solving.
12. The group was discovered by DomainTools in 2021, but it is believed to have begun operations in 2020.
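Items 4 to 6 describe the delivery path: an HTML email whose body carries an inline SVG element that, when rendered in the victim's browser session, runs attacker JavaScript against the webmail account. The following is an added triage example, not ESET's or the Roundcube project's code, and it does not reproduce the CVE-2023-5631 payload: it parses a raw message and flags HTML parts containing inline SVG with script-like content so a mail gateway or incident responder can pull such messages for review. The pattern set is a constructed heuristic and can be bypassed; the actual fix is applying the Roundcube patch.

```python
import email
import re
from email import policy

# Heuristic patterns (constructed for this example): an inline <svg> block whose
# contents include a <script> element, an on*= event-handler attribute, or a
# javascript: URL. Real bypasses exist, so treat matches as triage signals only.
SVG_RE = re.compile(r"<svg\b.*?</svg\s*>", re.IGNORECASE | re.DOTALL)
SCRIPT_RE = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_svg(html: str) -> list:
    """Return each inline <svg>...</svg> block that carries script-like content.
    Unclosed <svg> tags are not matched; that is a known limitation of the heuristic."""
    return [m.group(0) for m in SVG_RE.finditer(html) if SCRIPT_RE.search(m.group(0))]


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report every text/html part with scripted SVG.
    The From and Subject headers are returned so an analyst can spot sender spoofing
    (the article's lure impersonated the Microsoft Outlook team)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(find_suspicious_svg(part.get_content()))
    return {"from": msg["From"], "subject": msg["Subject"], "svg_hits": hits}


# Constructed sample message: the sender and payload are placeholders, not real IoCs.
SAMPLE_EML = b"""From: "Outlook Team" <notice@example.invalid>
To: user@example.invalid
Subject: Action required
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<p>Please review the attached notice.</p>
<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
"""

if __name__ == "__main__":
    report = scan_message(SAMPLE_EML)
    print(f"From: {report['from']} | Subject: {report['subject']}")
    print(f"Scripted SVG blocks found: {len(report['svg_hits'])}")
```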
