Russian Hackers Exploit Roundcube Zero-Day to Target European Governments
October 25, 2023
Winter Vivern, a Russian hacking group, has been leveraging a zero-day vulnerability in Roundcube Webmail to attack European government entities and think tanks since at least October 11. This was revealed by the cybersecurity company ESET, which reported the Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-5631) to the Roundcube development team on October 16. The security patches were released five days after ESET discovered the Russian threat actors exploiting the zero-day in real-world attacks.
The cyberespionage group, also known as TA473, used HTML email messages containing specially designed SVG documents to remotely inject arbitrary JavaScript code. The phishing emails, impersonating the Outlook Team, were designed to trick recipients into opening them, thereby automatically triggering a first-stage payload that exploited the Roundcube email server vulnerability. The final JavaScript payload delivered in the attacks enabled the hackers to harvest and steal emails from the compromised webmail servers.
ESET explained the process: 'By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user's browser window. No manual intervention other than viewing the message in a web browser is required,' and added, 'The final JavaScript payload [..] is able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server.'
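As an added example (not code from the article or from ESET), the following Python mail scanner shows how a defender can flag the kind of message described above: an HTML part carrying an inline SVG with active content (script elements, event-handler attributes, javascript: URIs). The sample message and the indicator patterns are constructed for illustration and are not the actual Winter Vivern payload.

```python
import email
import re
from email import policy

# Constructed sample message (not from the ESET report): an HTML body with an
# inline SVG containing a script element, the shape of content that a stored
# XSS bug like CVE-2023-5631 lets a webmail client render unsanitised.
SAMPLE_EML = b"""From: "Outlook Team" <noreply@example.invalid>
To: user@example.invalid
Subject: Account notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review your account.</p>
<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>
</body></html>
"""

# Heuristic indicators of active content inside an SVG fragment (assumed, not
# an official signature): script elements, on* event handlers, javascript: hrefs.
SVG_BLOCK = re.compile(r"<svg\b.*?</svg\s*>", re.IGNORECASE | re.DOTALL)
ACTIVE = re.compile(
    r"<script\b|\son\w+\s*=|(?:xlink:)?href\s*=\s*[\"']?\s*javascript:",
    re.IGNORECASE,
)


def svg_findings(html):
    """Return one sorted indicator list per SVG fragment that looks active."""
    findings = []
    for m in SVG_BLOCK.finditer(html):
        hits = sorted({h.strip().lower() for h in ACTIVE.findall(m.group(0))})
        if hits:
            findings.append(hits)
    return findings


def scan_message(raw):
    """Parse a raw RFC 822 message and flag text/html parts with active SVG."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for hits in svg_findings(part.get_content()):
            flagged.append({"subject": str(msg["subject"]), "indicators": hits})
    return flagged


if __name__ == "__main__":
    print(scan_message(SAMPLE_EML))
```

The scanner is a triage aid for mail gateways or archives; the actual fix is applying the Roundcube patch so the client no longer renders such SVG content.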
Winter Vivern first appeared on the radar in April 2021 and has since drawn attention for its targeted attacks on government entities worldwide, including India, Italy, Lithuania, Ukraine, and the Vatican. SentinelLabs researchers suggest that the group's objectives are closely aligned with the interests of the Belarusian and Russian governments. The group has been actively targeting Zimbra and Roundcube email servers owned by governmental organizations since at least 2022.
These attacks included exploiting the Roundcube XSS vulnerability (CVE-2020-35730) between August and September 2023, according to ESET telemetry data. Notably, this same vulnerability was exploited by Russian APT28 military intelligence hackers affiliated with Russia's General Staff Main Intelligence Directorate (GRU) to compromise Roundcube email servers of the Ukrainian government. The Russian cyber spies also exploited the Zimbra CVE-2022-27926 XSS vulnerability in attacks against NATO countries to steal emails belonging to NATO officials, governments, and military personnel.
ESET noted the group's increasing threat: 'Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,' and warned, 'The group is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.'