Winter Vivern: Zero-Day XSS Exploit Targets Roundcube Servers

Written by

ESET Research has discovered a significant cybersecurity threat as the Winter Vivern group exploited a zero-day cross-site scripting (XSS) vulnerability in the Roundcube Webmail server. 

The new campaign, described in an advisory published today, targeted Roundcube Webmail servers of governmental entities and a think tank in Europe. ESET Research promptly reported the vulnerability to the Roundcube team on October 12, and the team acknowledged and patched it within a short timeframe, releasing security updates on October 16.

Winter Vivern, a cyber-espionage group known for targeting governments in Europe and Central Asia, has been active since at least 2020. To infiltrate its targets, the group employs various methods, including malicious documents, phishing websites and a custom PowerShell backdoor. It is suspected of being linked to MoustachedBouncer, a Belarus-aligned group.

Read more about this threat: ESET Unmasks Cyber-Espionage Group Targeting Embassies in Belarus

This is not the first time Winter Vivern has targeted Roundcube servers; in 2022, the group exploited CVE-2020-35730. Sednit, also known as APT28, has been targeting the same vulnerability as well.

The newly exploited XSS vulnerability, CVE-2023-5631, allows remote exploitation by sending a specially crafted email message. Even fully patched Roundcube instances were vulnerable due to a server-side script flaw in rcube_washtml.php, which the attackers exploited.

By sending this email, attackers could inject arbitrary JavaScript code into the victim’s Roundcube session, ultimately enabling them to access and exfiltrate email messages. ESET warned that Winter Vivern’s ability to exploit a zero-day vulnerability in Roundcube represents a concerning development in the realm of cyber-espionage.

Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,” reads the advisory.

“Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

What’s hot on Infosecurity Magazine?