A relatively new attack group that has targeted European and Asian government organizations for several months has, in recent weeks, been exploiting a zero-day XSS vulnerability in the open source Roundcube webmail server software.
The group is known as Winter Vivern, and researchers from several organizations have been tracking its activities since at least 2020. Many of the group’s targets have been government agencies, think tanks, and other government-connected organizations, and Winter Vivern has shown a propensity for exploiting flaws in email and collaboration software. The most recent campaign exploited CVE-2023-5631, a cross-site scripting (XSS) vulnerability that attackers can trigger remotely through a malicious email.
“Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”
Roundcube is a free and open source webmail server that was first released in 2008 and runs on many different platforms.
The bug affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15. ESET reported the vulnerability to the Roundcube maintainers on Oct. 14 and the team released updated versions to address it on Oct. 16.
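The affected and fixed versions above are the fact a defender most needs to act on: an inventory of Roundcube installations checked against them tells you which hosts still need the Oct. 16 releases. The following script is an added example, not code from the article or from the Roundcube project; it encodes only the three fixed versions stated above (1.6.4, 1.5.5, 1.4.15) and deliberately reports branches the article does not mention as "not covered" rather than guessing. The version strings in the sample inventory are constructed, and the `triage` helper is hypothetical.

```python
"""Check Roundcube version strings against the CVE-2023-5631 fixed releases
named in the article: 1.6.4, 1.5.5 and 1.4.15.

Branches the article does not mention (e.g. 1.3.x, 1.7.x) are reported as
"not covered" instead of being assumed safe or vulnerable.
"""
import re

# Fixed release per affected branch, taken from the article (assumption:
# the article's ranges are complete for these three branches).
FIXED_RELEASES = {
    (1, 6): (1, 6, 4),
    (1, 5): (1, 5, 5),
    (1, 4): (1, 4, 15),
}

# Accepts "MAJOR.MINOR.PATCH" and ignores any trailing suffix such as "-rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse a Roundcube version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def cve_2023_5631_status(version: str) -> str:
    """Return 'affected', 'fixed' or 'not covered' for the given version."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return "not covered"
    # Tuple comparison is lexicographic, so 1.4.9 < 1.4.15 compares correctly.
    return "affected" if parsed < fixed else "fixed"


def triage(versions):
    """Hypothetical inventory helper: map each version string to its status."""
    return {v: cve_2023_5631_status(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts or observed data.
    sample = ["1.6.3", "1.6.4", "1.5.4", "1.5.5", "1.4.14", "1.4.15", "1.3.17", "1.6.10"]
    for version, status in triage(sample).items():
        print(f"{version:>8}  {status}")
```

A version string read from a login banner or package database is a starting point, not proof: confirm the upgrade with your package manager or the installed release notes before marking a host as fixed, since distributions sometimes backport fixes without changing the upstream version number.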
Researchers believe that Winter Vivern may be working in alignment with the interests of the Belarusian government. The group has exploited known vulnerabilities in other software in the past, including a separate bug in Roundcube and one in Zimbra. Winter Vivern has historically targeted government organizations in Europe and Asia in its campaigns.