Winter Vivern, a Russian hacking group, has been leveraging a zero-day vulnerability in Roundcube Webmail to attack European government entities and think tanks since at least October 11. This was revealed by the cybersecurity company ESET, which reported the Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-5631) to the Roundcube development team on October 16. The security patches were released five days after ESET discovered the Russian threat actors exploiting the zero-day in real-world attacks.
Winter Vivern first appeared on the radar in April 2021 and has since drawn attention for its targeted attacks on government entities worldwide, including India, Italy, Lithuania, Ukraine, and the Vatican. SentinelLabs researchers suggest that the group's objectives are closely aligned with the interests of the Belarusian and Russian governments. The group has been actively targeting Zimbra and Roundcube email servers owned by governmental organizations since at least 2022.
These attacks included exploiting the Roundcube XSS vulnerability (CVE-2020-35730) between August and September 2023, according to ESET telemetry data. Notably, the same vulnerability was exploited by APT28, the Russian military intelligence hacking group affiliated with Russia's General Staff Main Intelligence Directorate (GRU), to compromise Roundcube email servers of the Ukrainian government. The same Russian cyber spies also exploited the Zimbra XSS vulnerability CVE-2022-27926 in attacks against NATO countries to steal emails belonging to NATO officials, governments, and military personnel.
ESET noted the group's increasing threat: 'Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,' and warned, 'The group is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.'