Russian hackers exploit Roundcube zero-day to steal govt emails


October 25, 2023 at 09:19AM

The Winter Vivern Russian hacking group has been targeting European government entities and think tanks since at least October 11, exploiting a Roundcube Webmail zero-day vulnerability through phishing emails that inject arbitrary JavaScript code. The group has also targeted Zimbra, and previously exploited known vulnerabilities in both Roundcube and Zimbra. It poses a significant threat because of its persistence and because vulnerable applications are not regularly updated.

Key Takeaways from the Meeting Notes:

1. The Winter Vivern Russian hacking group has been targeting European government entities and think tanks since at least October 11, using a Roundcube Webmail zero-day exploit.
2. The Roundcube development team released security updates to fix the Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-5631) on October 16, after the Russian threat actors were detected.
3. The cyberespionage group, also known as TA473, used HTML email messages with carefully crafted SVG documents to inject JavaScript code and exploit the Roundcube email server vulnerability.
4. Winter Vivern has been active since April 2021 and has targeted government entities worldwide, including India, Italy, Lithuania, Ukraine, and the Vatican.
5. Winter Vivern’s objectives align with the interests of the governments of Belarus and Russia.
6. The group has been targeting Zimbra and Roundcube email servers owned by governmental organizations since 2022 and has exploited vulnerabilities such as the Roundcube XSS vulnerability (CVE-2020-35730).
7. Russian APT28 military intelligence hackers have also exploited the same Roundcube vulnerability to compromise email servers of the Ukrainian government.
8. Winter Vivern has recently started using a zero-day vulnerability in Roundcube, previously relying on known vulnerabilities in Roundcube and Zimbra.
9. The group poses a significant threat to European governments due to its persistence, regular phishing campaigns, and the presence of unpatched vulnerabilities in internet-facing applications.
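Takeaway 3 describes the delivery vector: an HTML email carrying an SVG document that smuggles JavaScript into the webmail client. The script below is an added example (not from the article, ESET, or the Roundcube project) of the kind of check a mail gateway or a sanitizer test suite can run over an HTML body to flag script-capable SVG before it is rendered. The two sample bodies are constructed for the demo and use only generic, well-known script-bearing SVG features; they do not reproduce the CVE-2023-5631 exploit, whose details the article does not give.

```python
"""Flag HTML email bodies whose inline SVG carries script-capable content.

Added example, not code from the article or from Roundcube. The sample
messages below are constructed for the demo and are NOT the CVE-2023-5631
payload; they exercise generic SVG features a sanitizer should refuse.
"""
from html.parser import HTMLParser

# SVG child elements that can execute, embed foreign markup, or pull in
# another document. Plain shapes (rect, path, circle, ...) are not listed.
RISKY_SVG_TAGS = {"foreignobject", "use", "animate", "set"}
RISKY_URL_SCHEMES = ("javascript:", "data:")


class SvgAuditor(HTMLParser):
    """Walks an HTML body and records script-capable constructs inside <svg>."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0   # > 0 while inside an <svg> element
        self.findings = []   # human-readable reasons the body was flagged

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "svg":
            self.svg_depth += 1
        if tag == "script":
            # <script> is unacceptable in a mail body, inside SVG or not.
            where = " inside svg" if self.svg_depth else ""
            self.findings.append("script element" + where)
        if self.svg_depth == 0:
            return
        if tag in RISKY_SVG_TAGS:
            self.findings.append(f"<{tag}> inside svg")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            if name in ("href", "xlink:href") and value:
                if value.strip().lower().startswith(RISKY_URL_SCHEMES):
                    scheme = value.strip().split(":", 1)[0].lower()
                    self.findings.append(f"{name} with {scheme}: scheme on <{tag}>")

    # Self-closing tags (<use .../>) reach handle_starttag then handle_endtag
    # via HTMLParser's default handle_startendtag, so nothing extra is needed.

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def audit_html_body(body: str) -> list[str]:
    """Return the list of reasons the body should be rejected (empty = clean)."""
    auditor = SvgAuditor()
    auditor.feed(body)
    auditor.close()
    return auditor.findings


# Constructed sample bodies for the demo (not real captured mail).
BENIGN_BODY = """<html><body>
<p>Quarterly report attached.</p>
<svg xmlns="http://www.w3.org/2000/svg" width="40" height="40">
  <rect x="5" y="5" width="30" height="30" fill="#336"/>
</svg>
</body></html>"""

SUSPICIOUS_BODY = """<html><body>
<p>Please review.</p>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <use href="data:image/svg+xml;base64,PHN2Zz48L3N2Zz4="/>
</svg>
</body></html>"""


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        findings = audit_html_body(body)
        verdict = "ACCEPT" if not findings else "REJECT"
        print(f"{label}: {verdict}")
        for reason in findings:
            print("  -", reason)
```

The auditor is deliberately an allow-nothing check for script-capable constructs rather than a full sanitizer: in a gateway it would quarantine the message, and in a test suite it would be run over the output of the webmail's HTML washer to confirm that none of these constructs survive. It does not replace patching; the article's point is that the fixed Roundcube release of October 16 is the actual remedy.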
