Russia-aligned Winter Vivern (aka TA473 and UAC-0114) is once again making headlines for targeting government organizations and think tanks in Europe. The group was found exploiting a zero-day vulnerability in Roundcube webmail servers to compromise the targeted systems remotely.
Vulnerability in question
It is a cross-site scripting (XSS) issue (CVE-2023-5631) in Roundcube that can be exploited remotely by sending a specially crafted email message.
The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
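An added example, not part of the original article: a small Python check that maps an installed Roundcube version string onto the affected ranges stated above. The fixed versions (1.6.4, 1.5.5, 1.4.15) come from the text; the accepted version-string shapes, the handling of pre-release suffixes, and the "unlisted branch" result for branches the article does not mention are this example's own assumptions.

```python
import re

# Fixed release for each branch the article lists as affected
# (1.6.x before 1.6.4, 1.5.x before 1.5.5, 1.4.x before 1.4.15).
FIXED_BY_BRANCH = {
    (1, 6): (1, 6, 4),
    (1, 5): (1, 5, 5),
    (1, 4): (1, 4, 15),
}

# Accepts "1.6.3", "v1.6.3", "1.6" and pre-release forms such as "1.6.4-rc1".
# The accepted shapes are this example's assumption about version strings.
_VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(rc|beta|alpha)\d*)?", re.I
)

def parse_version(version: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, stage); stage is -1 for a pre-release so
    that 1.6.4-rc1 sorts before the final 1.6.4 under tuple comparison."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    stage = -1 if m[4] else 0
    return (major, minor, patch, stage)

def classify(version: str) -> str:
    """Map a version onto the article's ranges: 'affected', 'fixed', or
    'unlisted branch' for branches the article does not mention."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unlisted branch"
    return "affected" if v < fixed + (0,) else "fixed"

def triage(versions: list[str]) -> dict[str, list[str]]:
    """Group a fleet's version strings by classification, e.g. from an
    inventory export supplied by the caller."""
    out: dict[str, list[str]] = {"affected": [], "fixed": [], "unlisted branch": []}
    for ver in versions:
        out[classify(ver)].append(ver)
    return out

if __name__ == "__main__":
    # Constructed inventory for the demonstration.
    print(triage(["1.6.3", "1.6.4", "1.5.5", "1.4.14", "1.6.4-rc1", "1.7.0"]))
```

Branches outside the three listed ranges are reported separately rather than guessed at, so an operator running an unlisted branch knows to consult the vendor advisory instead of trusting this check.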
Diving into the campaign
In this particular campaign, the emails were sent from the address team.managment@outlook[.]com with the subject line ‘Get started in your Outlook’.
These emails carried a malicious SVG attachment containing a base64-encoded payload; once decoded, it results in JavaScript code executing in the victim's browser.
Notably, the JavaScript injection worked even on fully patched Roundcube instances, because the flaw was still a zero-day at the time.
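As an added example (not from the article and not any vendor's tooling), the following Python scans a raw email for SVG parts, or HTML bodies with an inline SVG element, whose content carries script markers either directly or inside a long base64 run, the delivery shape described above. The message it scans is constructed here for the demonstration and is not the campaign's file; the regexes and the 40-character base64 threshold are this example's own heuristics.

```python
import base64
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Markers of active content inside an SVG document (this example's heuristics).
ACTIVE_SVG = re.compile(r"""<script\b|\bon[a-z]+\s*=\s*["']|javascript:""", re.I)
# Runs of base64 text long enough to carry something worth decoding; the
# 40-character threshold is a constructed choice, not a standard.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decoded_base64_runs(text: str):
    """Yield the UTF-8 text of every base64 run that decodes cleanly."""
    for m in B64_RUN.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue

def svg_findings(svg_text: str) -> list[str]:
    """Return why an SVG body looks active: script markers in the raw text,
    plus any base64 run that decodes to such markers."""
    reasons = []
    if ACTIVE_SVG.search(svg_text):
        reasons.append("inline script or event handler")
    if any(ACTIVE_SVG.search(d) for d in decoded_base64_runs(svg_text)):
        reasons.append("base64 run decodes to script content")
    return reasons

def scan_message(raw: bytes) -> list[dict]:
    """Walk a raw RFC 5322 message and report SVG parts (by MIME type or
    .svg filename) and HTML bodies with inline <svg> that carry active content."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        is_svg = ctype == "image/svg+xml" or fname.lower().endswith(".svg")
        if not is_svg and ctype != "text/html":
            continue
        body = part.get_content()  # bytes for non-text parts, str for text/*
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        if not is_svg and "<svg" not in body.lower():
            continue
        reasons = svg_findings(body)
        if reasons:
            hits.append({"part": fname or ctype, "reasons": reasons})
    return hits

def constructed_sample() -> bytes:
    """Build a test message: a plain body plus an SVG attachment whose only
    script is a harmless base64-encoded console.log marker. Constructed for
    the demonstration; it is not the campaign's file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    marker = base64.b64encode(b'<script>console.log("constructed")</script>').decode()
    svg = f'<svg xmlns="http://www.w3.org/2000/svg"><desc>{marker}</desc></svg>'
    msg.add_attachment(svg.encode(), maintype="image", subtype="svg+xml",
                       filename="sample.svg")
    return msg.as_bytes()

if __name__ == "__main__":
    for hit in scan_message(constructed_sample()):
        print(hit["part"], "->", ", ".join(hit["reasons"]))
```

The raw-text check alone would miss the constructed sample, since its SVG shows no script element until the base64 run is decoded; that is why the scanner decodes every sufficiently long base64 run before deciding. On a mail gateway this would sit in front of the webmail server, so an SVG flagged this way is quarantined before any browser renders it.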
Implications
Winter Vivern has been exploiting previously known vulnerabilities in Roundcube and Zimbra email servers as part of its infection process to launch attacks against European entities.
It abused CVE-2020-35730 in Roundcube in a campaign between August and September.
Winter Vivern's shift to abusing a zero-day vulnerability indicates that the group has stepped up its operations to infiltrate high-value targets.
Conclusion
Despite the low sophistication of the group's toolset, Winter Vivern remains a significant threat to organizations in Europe. Organizations are therefore advised to apply the latest security patches to mitigate the risk of such attacks, and to use the published IoCs (file hashes and malicious domains) to block the threat at the initial stage.