The espionage group Winter Vivern resurfaces, exploiting a critical zero-day vulnerability in the widely used Roundcube Webmail service.
Researchers at ESET, a prominent cybersecurity firm, have been closely monitoring Winter Vivern, an advanced persistent threat (APT) group. This group is known for its ties to Russia and Belarus.
In the past, this group has targeted governments in Poland, Ukraine, India, and more, and its latest campaign poses a significant threat to governmental entities and think tanks across Europe.
Zero-Day Vulnerability Strikes Roundcube Webmail
Winter Vivern’s most recent campaign hinges on a previously undisclosed vulnerability within Roundcube Webmail, a popular, free, and open-source email platform. ESET’s researchers discovered the vulnerability, labeled CVE-2023-5631, on October 12 and promptly reported it to Roundcube.
Roundcube acted swiftly, releasing a patch on October 14 to address the issue. What made this vulnerability particularly concerning is that it required no user interaction beyond opening a seemingly innocent email in a web browser. It allowed the hackers to exfiltrate sensitive email messages with ease, leaving targets unaware of the compromise.
Winter Vivern’s Persistent Threat
Matthieu Faou, a researcher at ESET, emphasized the ongoing threat that Winter Vivern’s zero-day exploitation of Roundcube poses. This group’s persistence, coupled with its consistent execution of phishing campaigns, makes it a significant concern for governments as well as individuals.
Faou also noted that a substantial number of internet-facing applications are not regularly updated, despite having known vulnerabilities. Groups like Winter Vivern take advantage of this security negligence.
An intriguing aspect of this attack is that the initial emails sent by the hackers did not appear malicious. However, upon closer inspection, these seemingly harmless messages contained payloads that granted the attackers access to the recipients’ email accounts, thereby compromising sensitive information. A sample of this seemingly harmless email (via BleepingComputer) is provided below.
ESET and Faou have been actively monitoring Winter Vivern since its appearance in 2020. The group’s primary focus is on government organizations within Europe and Central Asia. To achieve its goals, Winter Vivern employs various malicious documents, phishing websites, and an array of tools designed to infiltrate its targets.