ESET Research has uncovered a significant cybersecurity threat: the Winter Vivern group exploited a zero-day cross-site scripting (XSS) vulnerability in the Roundcube Webmail server.
The new campaign, described in an advisory published today, targeted Roundcube Webmail servers of governmental entities and a think tank in Europe. ESET Research promptly reported the vulnerability to the Roundcube team on October 12, and the team acknowledged and patched it within a short timeframe, releasing security updates on October 16.
Winter Vivern, a cyber-espionage group known for targeting governments in Europe and Central Asia, has been active since at least 2020. To infiltrate its targets, the group employs various methods, including malicious documents, phishing websites and a custom PowerShell backdoor. It is suspected of being linked to MoustachedBouncer, a Belarus-aligned group.
Read more about this threat: ESET Unmasks Cyber-Espionage Group Targeting Embassies in Belarus
This is not the first time Winter Vivern has targeted Roundcube servers; in 2022, the group exploited CVE-2020-35730. Sednit, also known as APT28, has been targeting the same vulnerability as well.
The newly exploited XSS vulnerability, CVE-2023-5631, allows remote exploitation by sending a specially crafted email message. Even fully patched Roundcube instances were vulnerable because of a server-side script flaw in rcube_washtml.php, the component that sanitizes HTML email before it is rendered, which the attackers exploited.
By sending this email, attackers could inject arbitrary JavaScript code into the victim's Roundcube session, ultimately enabling them to access and exfiltrate email messages. ESET warned that Winter Vivern's ability to exploit a zero-day vulnerability in Roundcube represents a concerning development in the realm of cyber-espionage.
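The flaw sits in the server-side "washing" of untrusted HTML: a webmail client must strip scripts, event-handler attributes and dangerous URL schemes from every incoming message before the browser renders it, and any gap in that allowlist becomes a stored XSS that runs in the reader's session. The following is an added, illustrative example and not Roundcube's rcube_washtml.php code. It implements the general allowlist approach such a component takes with Python's standard-library parser, and returns a list of everything it removed so a mail gateway or SIEM can log messages that carried script-like content. The tag and attribute allowlists and the sample message are constructed for the example.

```python
"""Allowlist-based HTML washer for untrusted email bodies.

Illustrative example (not Roundcube's own sanitizer): keep only known-safe
tags and attributes, drop <script>/<style> with their contents, refuse
on* event handlers and non-http(s)/mailto link targets, and report what
was stripped so suspicious messages can be logged.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for the example; a real deployment tunes these.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
CONTENT_DROP_TAGS = {"script", "style"}   # drop the element and its body


class Washer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized HTML fragments
        self.dropped = []      # audit trail of removed tags/attributes
        self._skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROP_TAGS:
            self._skip_depth += 1
            self.dropped.append(f"tag:{tag}")
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            # Event handlers (onclick, onerror, ...) and unknown attributes go.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            # Links must use an explicitly safe scheme (blocks javascript:, data:).
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Void elements such as <br/>: emit the start tag only.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in CONTENT_DROP_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped so decoded entities cannot re-form markup.
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def wash_html(html):
    """Return (sanitized_html, list_of_dropped_items)."""
    w = Washer()
    w.feed(html)
    w.close()
    return "".join(w.out), w.dropped


# Constructed sample message body with the classic sanitizer test cases.
SAMPLE = ('<p>Quarterly report attached.</p>'
          '<a href="javascript:alert(1)" onclick="alert(1)">link</a>'
          '<script>alert(1)</script>'
          '<img src=x onerror="alert(1)">')

if __name__ == "__main__":
    clean, dropped = wash_html(SAMPLE)
    print(clean)
    if dropped:
        # In a gateway this would be the log line that flags the message.
        print("stripped:", ", ".join(dropped))
```

Run as a script, the sample yields `<p>Quarterly report attached.</p><a>link</a>` plus a stripped-items list naming the `javascript:` link, the `onclick` handler, the `<script>` element and the `<img>` tag. The design point is that the washer decides by allowlist rather than by blocklist: anything it does not positively recognize is removed, which is the property a bypass of a component like rcube_washtml.php has to defeat.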
“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,” reads the advisory.
“Despite the low sophistication of the group's toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”