Email security, Patch/Configuration Management, Security Staff Acquisition & Development, Threat Intelligence

Roundcube 0-day used to steal European government emails


Cyberespionage gang Winter Vivern exploited a now-patched zero-day bug in Roundcube’s open source webmail service to steal emails from European government entities and think tanks.

The Russia- and Belarus-aligned Winter Vivern (also known as TA473) is believed to have been active since 2020 and has a history of spying on governments in Europe and Central Asia. The group is known for exploiting vulnerabilities in Zimbra and Roundcube email servers.

ESET researchers observed the group carrying out its latest attacks — exploiting a cross-site scripting (XSS) vulnerability — on Oct. 11. The bug was patched by Roundcube three days later.

In an Oct. 25 post, ESET malware researcher Matthieu Faou said Winter Vivern had stepped-up its operations with the latest zero-day attacks.

“Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,” he said.

“Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

Attackers sent victims malicious emails

To exploit the new Roundcube XSS vulnerability, ESET discovered — now tracked as CVE-2023-5631 — required sending the victim a specially crafted email that allows the attackers to load arbitrary JavaScript code in the context of the Roundcube user’s browser window.

“No manual interaction other than viewing the message in a web browser is required,” Faou said.

As threat groups often do, Winter Vivern decided to feign authenticity by crafting the attack email so that it appeared to be a communication from Microsoft.

The emails used the address team.managment@outlook[.]com, had the subject line “Get started in your Outlook,” and were signed off by “The Microsoft Accounts Team.”

The final JavaScript payload delivered in the attack chain was able to generate a list of folders and emails in the victim’s Roundcube account, and exfiltrate email messages to the threat group’s command-and-control server.

Roundcube released security updates to address the vulnerability on Oct. 16. The bug affects Roundcube versions 1.4.x before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4.

Why Winter Vivern likes Roundcube

Faou said Winter Vivern was targeting Zimbra and Roundcube email servers belonging to governmental entities since at least last year.

ESET observed the group exploiting another XSS vulnerability in Roundcube (CVE-2020-35730), which was first discovered three years ago, as recently as last month.

Threat groups find the opportunity to exploit vulnerabilities in services like Zimbra and Roundcube appealing because they expect organizations using such services will have lower IT budgets than those with top-end solutions. As a result, the targets are likely to have less sophisticated security measures in place, making it easier to compromise their systems.

Faou said well-known Russian state actor APT28 (also known as Fancy Bear, Sednit and BlueDelta) was also exploiting the three-year-old CVE-2020-35730 bug, often against the same targets as Winter Vivern.

In June, after a joint investigation with Ukraine’s Computer Emergency Response Team (CERT-UA), Recorded Future's Insikt Group said APT28 had incorporated the vulnerability into a campaign targeting Roundcube email servers used by a Ukrainian military aviation organization and several of the country’s government entities.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.