New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail

After learning the technical details about this zero-day, which targeted governmental entities and a think tank in Europe, and reading about the Winter Vivern threat actor, get tips on mitigating this cybersecurity attack.

ESET researcher Matthieu Faou has uncovered a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus. The attack focused on exploiting a zero-day vulnerability in Roundcube webmail, the result being the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server. The cybersecurity company ESET noted the campaign has targeted governmental entities and a think tank in Europe. This cyberattack is no longer active.

Technical details about this cyberattack exploiting a 0-day in Roundcube

The threat actor begins the attack by sending a specially crafted email message with the subject line “Get started in your Outlook” and coming from “team.management@outlook(.)com” (Figure A).

Figure A: Malicious email message sent by Winter Vivern to its targets. Image: ESET

At the end of the email, an SVG tag contains a base64-encoded malicious payload; it is hidden from the user but present in the HTML source code. Once decoded, the malicious content is:

<svg id="x" xmlns="http://www.w3.org/2000/svg"> <image href="x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

The purpose of the malicious code is to trigger the onerror handler: the image href "x" is not a loadable URL, so the browser fails to fetch it and runs the onerror attribute, which decodes and evaluates the base64 payload.

Decoding the payload in the onerror attribute yields a line of JavaScript code that is executed in the victim’s browser in the context of the user’s Roundcube session:

var fe=document.createElement('script');

The JavaScript injection worked on fully patched Roundcube instances at the time of Faou’s discovery. The researcher was able to establish that this zero-day vulnerability was located in the server-side script rcube_washtml.php, which did not “… properly sanitize the malicious SVG document before being added to the HTML page interpreted by a Roundcube user,” as stated by Faou.

The vulnerability does not require any interaction from the user other than viewing the message in a web browser, which perhaps explains why the threat actor did not need a very sophisticated social engineering technique: simply viewing the message triggers the exploit.
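As an added example (not ESET’s code, not Roundcube’s sanitizer, and not part of the original article), the following Python script hunts for the lure described above in raw email: it checks the subject and sender quoted in the article, walks the HTML body for event-handler attributes inside svg subtrees, and decodes any eval(atob('…')) handler it finds. The message it parses is constructed to mirror the structure described, with the article’s first JavaScript statement as a stand-in payload; the real stage-one script and the attacker’s server are not reproduced here. The recipient address, message text and function names are assumptions for the example.

```python
"""Hunt for an SVG onerror lure in raw RFC 822 e-mail (added example)."""
import base64
import binascii
import email
import email.policy
import re
from email.message import EmailMessage
from html.parser import HTMLParser

# Indicators quoted in the article.
LURE_SUBJECT = "Get started in your Outlook"
LURE_SENDER = "team.management@outlook.com"

# Matches eval(atob('<base64>')) or eval(atob("<base64>")).
EVAL_ATOB_RE = re.compile(
    r"eval\s*\(\s*atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")


class SvgHandlerFinder(HTMLParser):
    """Collect on* event-handler attributes found inside <svg> subtrees."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []  # (tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        # Self-closing tags such as <image ... /> also arrive here.
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth:
            for name, value in attrs:
                if name.startswith("on") and value:
                    self.findings.append((tag, name, value))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def decode_eval_atob(handler_js):
    """Return the decoded script if the handler is eval(atob('...')), else None."""
    m = EVAL_ATOB_RE.search(handler_js)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyze_message(raw):
    """Parse one raw message and report lure indicators and SVG handlers."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = {
        "subject_match": str(msg["subject"] or "").strip() == LURE_SUBJECT,
        "sender_match": LURE_SENDER in str(msg["from"] or "").lower(),
        "svg_handlers": [],
        "decoded_payloads": [],
        "suspicious": False,
    }
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return report
    finder = SvgHandlerFinder()
    finder.feed(html_part.get_content())
    report["svg_handlers"] = finder.findings
    for _tag, _attr, value in finder.findings:
        decoded = decode_eval_atob(value)
        if decoded is not None:
            report["decoded_payloads"].append(decoded)
    # Any event handler surviving inside an <svg> in mail is worth a look.
    report["suspicious"] = bool(finder.findings)
    return report


def build_sample():
    """Constructed sample message (not a real capture) mirroring the lure layout."""
    stage1 = "var fe=document.createElement('script');"  # stand-in payload
    b64 = base64.b64encode(stage1.encode()).decode()
    html = ('<html><body><p>Welcome to your new mailbox.</p>'
            '<svg id="x" xmlns="http://www.w3.org/2000/svg">'
            '<image href="x" onerror="eval(atob(\'' + b64 + '\'))" /></svg>'
            '</body></html>')
    msg = EmailMessage()
    msg["Subject"] = LURE_SUBJECT
    msg["From"] = LURE_SENDER
    msg["To"] = "target@example.org"  # assumed recipient
    msg.set_content("Welcome to your new mailbox.")
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in analyze_message(build_sample()).items():
        print(f"{key}: {value}")
```

Run it over an mbox or a mail-gateway quarantine by feeding each raw message to analyze_message; the "svg_handlers" list is the part worth alerting on regardless of subject or sender, since a sanitizer that works will never let an on* attribute through to the reader.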

After this initial execution of JavaScript code, a second-stage loader, also written in JavaScript and named checkupdate.js, is executed and triggers the final stage, again written in JavaScript (Figure B).

Figure B: Part of the final JavaScript payload that exfiltrates emails from the victim. Image: ESET

The final payload gives the attacker the ability to list all folders and emails in the current Roundcube email account and to exfiltrate email messages to a command and control server via HTTP requests.

When TechRepublic asked Faou about further compromise of the system, he replied via a written message: “We haven’t observed any lateral movement. The JavaScript code is only executed in the context of (the) victim’s browser, in the Roundcube window. So it doesn’t have access to the backend of Roundcube and escaping the browser would require a much more sophisticated exploit. However, they could re-use their access to launch further phishing campaigns originating from the sender who was compromised (we haven’t observed this).”

Who is Winter Vivern?

Winter Vivern, aka TA473, is a cyberespionage threat actor whose interests are closely aligned with the governments of Russia and Belarus. The first public exposure of the Winter Vivern threat actor occurred in 2021 when it targeted several governmental entities in various countries including Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine and the Vatican.

This threat actor has a history of exploiting webmail software: it has already abused older Roundcube vulnerabilities and known Zimbra webmail vulnerabilities to target elected officials and staffers in the U.S. as well as experts in European politics and economics. The threat actor also targeted mailboxes of NATO-aligned government entities in Europe.

The threat actor often uses malicious documents and sometimes a PowerShell backdoor to compromise its targets. Winter Vivern uses vulnerability scanners such as Acunetix, probably to scan targeted networks.

ESET noted that Winter Vivern has been observed exploiting CVE-2020-35730, a known Roundcube vulnerability, against entities that are also targeted by the threat actor APT28, which has been described as military unit 26165 of Russia’s military intelligence agency, formerly known as the GRU.

In addition, ESET pointed out a possible link to the threat actor MoustachedBouncer, which runs attacks against foreign diplomats in Belarus. Asked about it, Faou told TechRepublic that “there are quite unique similarities in the network infrastructure of both groups, suggesting that a common entity might provide it to both of them.”

As stated by ESET regarding the current threat, “Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

How to protect users from this cybersecurity threat

ESET reported the CVE-2023-5631 vulnerability to Roundcube on Oct. 12, 2023; Roundcube patched it on Oct. 14, 2023 and released security updates addressing the vulnerability on Oct. 16, 2023 as versions 1.6.4, 1.5.5 and 1.4.15. Patching Roundcube for this vulnerability is strongly advised; any instance on an older release of those branches should be treated as exploitable, since the attack only requires the victim to open the message.

It is recommended to keep all operating systems and software up to date and patched to avoid further compromise via known vulnerabilities.

Disabling JavaScript execution in the browser would mitigate this threat, but it would greatly degrade the user’s experience because many websites, Roundcube’s own interface included, rely heavily on JavaScript to function.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
