Russian APT group Winter Vivern (aka TA473) has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023.
ESET researchers pointed out that is a different vulnerability than CVE-2020-35730, that the group exploited in other attacks.
The Winter Vivern group was first analyzed in 2021, it has been active since at least 2020 and it targets governments in Europe and Central Asia.
In March 2023, security firm Proofpoint observed the group actively exploiting vulnerabilities (CVE-2022-27926) in unpatched Zimbra instances to gain access to the emails of NATO officials, governments, military personnel, and diplomats.
In recent attacks, the group was observed exploiting a XSS vulnerability, tracked as CVE-2023-5631, by sending a specially crafted email message. The messages were sent from team.managment@outlook[.]com and had the subject Get started in your Outlook.
The analysis of the email HTML source code revealed the presence of a SVG tag at the end, which contains a base64-encoded payload.
“Once we decode the base64-encoded value in the href attribute of the use tag, we have:
<svg id=”x” xmlns=”http://www.w3.org/2000/svg”> <image href=”x” onerror=”eval(atob(‘<base64-encoded payload>’))” /></svg>
ESET reported the zero-day to Roundcube, the company patched the issue on October 14th, 2023. The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,” ESET concludes. “Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”
(SecurityAffairs – hacking, Winter Vivern)