ESET researchers have been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during their routine monitoring, they found that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023. This is a different vulnerability than CVE-2020-35730, which was also exploited by the group according to their research.
According to ESET telemetry data, the campaign targeted Roundcube Webmail servers belonging to governmental entities and a think tank, all in Europe.
Who is Winter Vivern?
Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor (see the articles from the State Cyber Protection Centre of Ukraine and SentinelLabs). They believe with low confidence that Winter Vivern is linked to MoustachedBouncer, a sophisticated Belarus-aligned group that they first published about in August 2023.
Winter Vivern has been targeting Zimbra and Roundcube email servers belonging to governmental entities since at least 2022 – see this article from Proofpoint. In particular, they observed that the group exploited CVE-2020-35730, another XSS vulnerability in Roundcube, in August and September 2023. Note that Sednit (also known as APT28) is exploiting this old XSS vulnerability in Roundcube as well, sometimes against the same targets.
The Zero-Day’s Technical Details
Exploitation of the XSS vulnerability, assigned CVE-2023-5631, can be done remotely by sending a specially crafted email message. In this Winter Vivern campaign, the emails were sent from team.managment@outlook[.]com and had the subject Get started in your Outlook.
At first sight, the email doesn’t seem malicious – but if the HTML source code is examined, they can see an SVG tag at the end, which contains a base64-encoded payload.
Surprisingly, ESET noticed that the JavaScript injection worked on a fully patched Roundcube instance. It turned out that this was a zero-day XSS vulnerability affecting the server-side script rcube_washtml.php, which doesn’t properly sanitize the malicious SVG document before being added to the HTML page interpreted by a Roundcube user. ESET reported it to Roundcube and it was patched on October 14th, 2023 (see this commit). The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
Winter Vivern has escalated its activities by capitalizing on a zero-day vulnerability within the Roundcube system. In the past, the group relied on known vulnerabilities in Roundcube and Zimbra, even resorting to readily available online proofs of concept.
While the group’s toolset may lack sophistication, it remains a substantial concern for European governments. This is primarily due to its unwavering persistence, frequent execution of phishing campaigns, and the prevalent neglect of regular updates for numerous internet-facing applications, despite the well-documented vulnerabilities they harbor.