The Winter Vivern cyberespionage group, assessed to act in the interests of Belarus and Russia, exploited a zero-day cross-site scripting (XSS) vulnerability in Roundcube Webmail to break into European government email accounts hosted on Roundcube servers.
According to the reports, the attacks began in early October 2023 and focused on European government entities and think tanks. The Roundcube development team addressed the flaw quickly: it is tracked as CVE-2023-5631 and was fixed in Roundcube 1.6.4, 1.5.5 and 1.4.15, released on 16 October 2023.
Separate research confirmed that the flaw was being exploited in real-world campaigns before any patch existed. The group's messages carry an HTML body containing a specially crafted SVG document. A vulnerable Roundcube instance fails to sanitise that SVG properly on the server side, so when the message is rendered the embedded JavaScript executes in the victim's browser with the privileges of the logged-in webmail session. The code runs in the browser rather than on the mail server itself, but that is enough to read everything the user can read.
The phishing messages were made to look as if they came from the "Outlook Team" to entice targets to open them. No further interaction is required: merely viewing the message in Roundcube triggers the first-stage JavaScript, which then loads a second-stage payload. That payload enumerates the mailbox and exfiltrates email messages from the compromised account to attacker-controlled infrastructure.
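The delivery mechanism described above, an SVG inside an HTML email that smuggles script past a server-side sanitizer, is something a mail gateway or an incident responder can check for. The Python script below is an added example written for this article; it is not Roundcube code and not tooling from the researchers who analysed the campaign. It walks an HTML body and, inside any SVG subtree, flags <script> elements, on* event-handler attributes, javascript: URIs and data: URIs, decoding each data: URI and rescanning its contents. The specific shape it targets, a <use> element whose href is a base64 data: URI wrapping a second SVG document, is taken from public analysis of CVE-2023-5631 and is an assumption of the example rather than something this article states; the function names and the two sample email bodies are constructed for illustration.

```python
from __future__ import annotations

import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that carry URIs in SVG/HTML and so can smuggle javascript: or data: content.
URI_ATTRS = {"href", "xlink:href", "src"}
# Raster image media types: a data: URI of one of these embeds pixels, not markup.
RASTER_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
MAX_NESTING = 3  # bound on data: URIs wrapped inside data: URIs


def decode_data_uri(value: str) -> tuple[str, str] | None:
    """Decode a data: URI into (media type, payload text); None if it is not a data: URI."""
    compact = re.sub(r"\s+", "", value)          # base64 in email HTML is often line-wrapped
    if not compact.lower().startswith("data:") or "," not in compact:
        return None
    header, _, payload = compact[5:].partition(",")
    payload = payload.partition("#")[0]           # drop a fragment such as '#x' (id selector)
    params = header.split(";")
    mediatype = params[0].lower() or "text/plain"
    if params[-1].lower() == "base64":
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:                        # binascii.Error is a ValueError subclass
            return None
        return mediatype, raw.decode("utf-8", "replace")
    return mediatype, unquote(payload)


def is_javascript_uri(value: str) -> bool:
    """True if the scheme is javascript: once whitespace/control bytes are stripped."""
    return re.sub(r"[\s\x00-\x1f]+", "", value).lower().startswith("javascript:")


class SvgScanner(HTMLParser):
    """Walk HTML and record script-execution indicators found inside SVG subtrees."""

    def __init__(self, findings: list[str], nesting: int = 0, inside_svg: bool = False):
        super().__init__()
        self.findings = findings
        self.nesting = nesting
        self.svg_depth = 1 if inside_svg else 0

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return                                # outside SVG: out of scope for this scanner
        where = f"nesting={self.nesting} <{tag}>"
        if tag == "script":
            self.findings.append(f"{where}: <script> element inside SVG")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"{where}: event handler attribute {name}")
            if name not in URI_ATTRS:
                continue
            if is_javascript_uri(value):
                self.findings.append(f"{where}: javascript: URI in {name}")
            decoded = decode_data_uri(value)
            if decoded is None:
                continue
            mediatype, inner = decoded
            if mediatype not in RASTER_TYPES:
                self.findings.append(f"{where}: {mediatype} data: URI in {name}")
            if self.nesting >= MAX_NESTING:
                self.findings.append(f"{where}: data: URI nesting limit reached, not decoded")
                continue
            nested = SvgScanner(self.findings, self.nesting + 1, inside_svg=True)
            nested.feed(inner)                    # rescan what the outer markup hid
            nested.close()

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def scan_html_email(html: str) -> list[str]:
    """Return all findings for one HTML message body; an empty list means nothing suspicious."""
    findings: list[str] = []
    scanner = SvgScanner(findings)
    scanner.feed(html)
    scanner.close()
    return findings


# Constructed samples (not real campaign artifacts). The inner SVG is wrapped in a base64
# data: URI on a <use> element, the shape public analysis attributes to CVE-2023-5631.
INNER_SVG = ("<svg id='x' xmlns='http://www.w3.org/2000/svg'>"
             "<script>console.log('constructed sample')</script></svg>")
CRAFTED_EMAIL = (
    "<html><body><p>Outlook Team: please review the notice below.</p>"
    "<svg xmlns='http://www.w3.org/2000/svg'><use href='data:image/svg+xml;base64,"
    + base64.b64encode(INNER_SVG.encode()).decode() + "#x'/></svg></body></html>"
)
BENIGN_EMAIL = (
    "<html><body><p>Hello</p><svg xmlns='http://www.w3.org/2000/svg' width='10' height='10'>"
    "<circle cx='5' cy='5' r='4'/>"
    "<image href='data:image/png;base64,iVBORw0KGgo='/></svg></body></html>"
)

if __name__ == "__main__":
    for finding in scan_html_email(CRAFTED_EMAIL):
        print(finding)
    print("benign findings:", scan_html_email(BENIGN_EMAIL))
```

Run as-is, the script reports two findings for the crafted body (the non-raster data: URI on the <use> element, then the <script> element found inside it) and none for the benign one. The point a sanitizer has to get right is the rescan: a filter that inspects only the outer markup sees a harmless <use> element, which is exactly why such a payload survives. In practice, run this over the decoded text/html MIME part of each message rather than the raw .eml.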
Winter Vivern has built a reputation as a persistent nuisance to government entities worldwide.
Winter Vivern first surfaced in the threat landscape in April 2021. It became known for its focus on government organisations in countries including India, Italy, Lithuania, Ukraine and the Vatican.
Researchers assess that the group's objectives closely align with the interests of the Belarusian and Russian governments.
Since 2022 Winter Vivern has actively targeted Zimbra and Roundcube email servers run by governmental organisations. In August and September 2023 those attacks exploited an older Roundcube XSS vulnerability, CVE-2020-35730, which had been patched in late 2020.
Researchers also noted that the Russian state-sponsored APT28 group used the same vulnerability to compromise Roundcube email servers belonging to the Ukrainian government.
Winter Vivern, however, has now escalated its operations by moving from a long-patched bug to a previously unknown one.
Until now the group relied on known vulnerabilities in Roundcube and Zimbra for which proof-of-concept exploits were already public, which made its tooling relatively easy for defenders to recognise. Yet the persistence of its campaigns, the effectiveness of its phishing lures and the widespread failure to keep internet-facing applications patched, even against long-known vulnerabilities, make Winter Vivern a significant threat to European governments.