SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Winter Vivern exploits webmail server vulnerability to target European governments
Wed, 1st Nov 2023

Cybersecurity firm ESET has revealed that the Winter Vivern group has exploited a zero-day XSS vulnerability in the Roundcube Webmail server to target European governments and think tanks. The exploitation was discovered by ESET researchers and disclosed on 26th October 2023, reaffirming the persistent threat that cyber attacks pose to governmental institutions.

ESET researchers noticed the activity while monitoring Winter Vivern's cyber espionage operations. They found that the group had recently begun exploiting a zero-day XSS vulnerability in Roundcube Webmail, a free webmail server used by a large number of organisations.

Explaining the nature of XSS attacks, ESET stated: "Malicious scripts are injected into otherwise trusted websites". The result is a compromise of the webmail servers. The victims of this campaign were governmental entities and a think tank, all based in Europe. "ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible", the firm advised.

ESET first identified the XSS vulnerability in Roundcube Webmail on 12th October. It reported the flaw to the Roundcube team immediately, and a fix followed promptly, with security updates released on 14th October. ESET researcher Matthieu Faou, who discovered the vulnerability, commended the Roundcube developers for their quick response and their commitment to patching it in such a short time.

Winter Vivern is known for its targeted phishing campaigns and continuous attempts to infiltrate governmental systems in Europe. Faou explains why the group poses a significant threat: "A significant number of internet-facing applications are not regularly updated despite being known to contain vulnerabilities". The XSS vulnerability, tracked as CVE-2023-5631, can be exploited by sending a specially crafted email message containing a malicious payload hidden within an SVG tag.

Examining the HTML source of such a message reveals the encoded malicious payload, which can result in arbitrary JavaScript being loaded in the context of the Roundcube user's browser window. Winter Vivern, a cyber espionage group presumed to have been active since at least 2020, has focused predominantly on targets in Europe and Central Asia. ESET assesses with low confidence that Winter Vivern is in some way connected to MoustachedBouncer, a sophisticated Belarus-aligned group that came to light in August 2023.
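As an added illustration of the defensive side (not ESET's or Roundcube's code), the following mail-gateway style check parses the HTML part of a message and flags inline SVG that carries script-like content, such as encoded `data:` URLs, event-handler attributes or embedded `<script>`; the tag list, URL schemes and the sample message are assumptions constructed for the example.

```python
# Added example (not ESET's or Roundcube's code): flag inline SVG in the HTML
# part of a mail that carries script-like content. Tag list, URL schemes and
# the sample message below are assumptions constructed for this illustration.
import email
from email import policy
from html.parser import HTMLParser

SUSPICIOUS_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}
URL_ATTRS = {"href", "xlink:href", "src", "data"}

class SvgAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.svg_depth = 0   # > 0 while parsing inside an <svg> subtree
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return           # ordinary HTML outside SVG is not this check's job
        if tag in SUSPICIOUS_TAGS:
            self.findings.append(f"<{tag}> inside <svg>")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value.startswith(("data:", "javascript:")):
                self.findings.append(f"{name} uses {value.split(':')[0]}: URL on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

def audit_message(raw: bytes) -> list[str]:
    # Parse a raw RFC 822 message and audit every text/html part it contains.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            auditor = SvgAuditor()
            auditor.feed(part.get_content())
            findings.extend(auditor.findings)
    return findings

# Constructed sample: the data: URL decodes to the text "PLACEHOLDER"; the
# <img> outside the SVG is deliberately not reported, only the <use> inside is.
SAMPLE = b"""From: sender@example.invalid
Content-Type: text/html; charset=us-ascii

<html><body><p>Agenda attached.</p>
<svg><use href="data:image/svg+xml;base64,UExBQ0VIT0xERVI="/></svg>
<img src="data:image/png;base64,iVBORw0KGgo="></body></html>
"""
```

Run `audit_message(SAMPLE)` to see the single finding for the `<use>` element; a clean message returns an empty list.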

Since 2022, Winter Vivern has concentrated on governmental entities, specifically targeting Zimbra and Roundcube email servers. The intensity of the group's efforts and the rapid response of the developers highlight the importance of continuous monitoring and prompt action in keeping systems secure.