Pro-Russia group exploits Roundcube zero-day in attacks on European government emails

With this zero-day, researchers say the 'scrappy' group is stepping up its operations

The Winter Vivern cyber spy group is exploiting an XSS zero-day vulnerability in attacks on European governments.

Researchers at ESET, who discovered the activity, didn't name the specific government entities it targeted, but given Winter Vivern's nexus to Russia and Belarus, they are likely to be adversaries of those countries.

Tracked as CVE-2023-5631, the zero-day was found in the free and open-source webmail client Roundcube. ESET reported the vulnerability to the Roundcube team on October 12 and a patch was developed two days later.

The exploit started with a convincing-looking phishing email that aimed to spoof the Microsoft Outlook team. The display name was set as "Team Outlook," but one giveaway was a typo in the spoofed email address "team.managment@outlook.com."

All a victim had to do was open the email, whose subject line was "Get started in your Outlook," in a web browser, and a malicious payload would be launched. It was hidden in an SVG tag at the end of the email's HTML source code.

JavaScript code would then be loaded to enumerate folders and emails within the victim's Roundcube account and send the messages back to the attackers' command-and-control (C2) server.
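The attack chain above turns on an SVG element in an HTML email body carrying script-capable content. As an added illustration of the defender's side (this is not ESET's or Roundcube's code, and the sample emails are constructed, not the real campaign payload), the following triage helper flags inline `<svg>` content in a message body that contains `<script>` children, `on*` event handlers or `javascript:` URLs, so a mail-security team can pull such messages for review; it is a heuristic alongside patching, not a substitute for it.

```python
"""Triage helper: flag <svg> content in an HTML email body that can run script.
Heuristic example written for this article; not part of Roundcube or ESET's research."""
from html.parser import HTMLParser

URL_ATTRS = {"href", "xlink:href", "src"}


class SvgScriptFinder(HTMLParser):
    """Collect findings for script-capable constructs inside <svg> subtrees."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0   # > 0 while we are inside an <svg> element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag == "svg":
            self.svg_depth += 1        # count before checks so <svg onload> is caught
        if self.svg_depth == 0:
            return                     # only SVG content is in scope for this check
        if tag == "script":
            self.findings.append("<script> inside <svg>")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def scan_email_html(html: str) -> list[str]:
    """Return human-readable findings for one HTML body; an empty list means nothing flagged."""
    parser = SvgScriptFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample bodies (not the real phishing email).
BENIGN = '<p>Hello</p><svg width="10" height="10"><circle r="5"/></svg>'
SUSPICIOUS = '<p>Get started</p><svg onload="f()"><a href="javascript:g()">x</a></svg>'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_email_html(body))
```

Run over a mailbox export, the findings list gives a reviewer the exact element and attribute that triggered the flag; plain decorative SVG (shapes, sizes) produces no findings.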

"Despite the low sophistication of the group's toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities," ESET said.

Winter Vivern has exploited known vulnerabilities in Roundcube and Zimbra for its espionage campaigns since 2022, but this zero-day observation shows an advancement in its operations, according to the researchers.

For example, researchers observed Winter Vivern exploiting CVE-2020-35730 as recently as August and September, despite the vulnerability being three years old.

Fancy Bear, the advanced persistent threat (APT) group believed to have ties with Russia's GRU, was also spotted exploiting the same old XSS vulnerability in Roundcube, sometimes against the same victims as Winter Vivern.

The group is known for mainly targeting entities in Europe and Central Asia, but earlier this year attacks against US government officials, as well as European lawmakers, were pinned on it.

In that campaign, officials from an array of European governments were targeted by the group, described by one researcher as "scrappy," through its widespread exploitation of a one-year-old Zimbra XSS vulnerability.

Tom Hegel, senior threat researcher at SentinelOne, said at the time that Winter Vivern found success in campaigns with limited resources, and showed high degrees of creativity when it came to solving problems.

The group is believed to have begun operations in 2020 and was first discovered by DomainTools in 2021.
