Winter Vivern APT Blasts Webmail Zero-Day Bug With One-Click Exploit

Published: 23/11/2024   Category: security




A campaign targeting European governmental organizations and a think tank shows consistency from the low-profile threat group, which has ties to Belarus and Russia.



Low-profile threat group Winter Vivern has been exploiting a zero-day flaw in Roundcube Webmail servers with a malicious email campaign targeting governmental organizations and a think tank in Europe that requires only that a user view a message.

Earlier this month, researchers at ESET Research observed the group sending a specially crafted email message that loads arbitrary JavaScript code in the context of the Roundcube user's browser window to exploit a newly discovered cross-site scripting (XSS) flaw tracked as CVE-2023-5631. The one-click exploit requires no manual interaction on the part of the user other than viewing the message in a Web browser, the researchers reported in a blog post published Oct. 25.
Roundcube is a freely available, open-source webmail solution that's especially popular with small-to-midsize organizations. The flaw affects versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4, and allows for stored XSS via an HTML email message with a crafted SVG document due to the behavior of program/lib/Roundcube/rcube_washtml.php, according to its CVE listing. This, in turn, allows a remote attacker to load arbitrary JavaScript code.
ESET Research reported the vulnerability to the Roundcube team on Oct. 12 and received a response and patch from the company two days later on Oct. 14. On Oct. 16, Roundcube released security updates with new versions 1.6.4, 1.5.5, and 1.4.15 to address the flaw.
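The affected and fixed version ranges above are easy to misread across three maintenance branches, so here is a small check, added as an example and not code from the article, ESET or the Roundcube project, that classifies an installed Roundcube version string against the ranges the CVE listing gives (before 1.4.15, 1.5.x before 1.5.5, 1.6.x before 1.6.4). The threshold table comes from the article; ignoring pre-release suffixes such as "-rc1" is an assumption of this example.

```python
# Added example (not from the article, ESET or Roundcube): classify a Roundcube
# version string against the CVE-2023-5631 affected ranges quoted in the article.
import re
from typing import Tuple

# First fixed release on each maintained branch, from the article.
# Releases older than the 1.4 branch have no fixed version of their own and
# fall under "before 1.4.15", so they are treated as affected.
FIXED_BY_BRANCH = {
    (1, 4): (1, 4, 15),
    (1, 5): (1, 5, 5),
    (1, 6): (1, 6, 4),
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '1.6.3' into (1, 6, 3); a suffix such as '-rc1' is ignored (assumption)."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so '1.6' compares like '1.6.0'.
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Anything older than 1.4.x is 'before 1.4.15'; anything newer than 1.6.x is not.
    return v < (1, 4, 15)


if __name__ == "__main__":
    for sample in ("1.3.9", "1.4.14", "1.4.15", "1.5.4", "1.6.3", "1.6.4", "1.7.0"):
        status = "AFFECTED" if is_vulnerable(sample) else "fixed/unaffected"
        print(f"Roundcube {sample}: {status}")
```

Feed it the version reported by the installation (for example from the admin "About" dialog); the branch lookup is what keeps 1.5.5 from being judged by the 1.6.4 threshold.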
Winter Vivern's activity is often underreported by security researchers, but the group has been active since at least December 2020 and shows sympathies with Russia and Belarus, conducting cyber espionage that serves the interests of those nations. The group typically uses malicious documents, phishing websites, and a custom PowerShell backdoor to compromise its targets, and may be linked to a sophisticated Belarus-aligned group, MoustachedBouncer.
The latest activity observed by ESET — which has been tracking Winter Vivern closely for about a year — is consistent with the group's typical methods, though previously they exploited flaws that already were public, notes ESET researcher Mathieu Faou.

"Since at least 2022, they have been exploiting XSS vulnerabilities in Zimbra and Roundcube to load arbitrary JavaScript code and steal emails," he tells Dark Reading. "However, most of those vulnerabilities were known and as such they could only work on unpatched mail servers."
"The fact that the group is now burning zero-day vulnerabilities and attacking even updated versions of widely used webmail servers could be a harbinger of future activity, as it demonstrates a long-term interest in European governmental organizations as primary targets," Faou says.
The latest campaign begins with a phishing email to targets sent from the address [email protected] with the subject line "Get started in your Outlook." The message purports to be from "The Microsoft Accounts Team" and aims to guide users with their Outlook accounts, seeming innocent enough.
However, just viewing the email sets into motion a process spurred by an SVG tag at the end of the email's HTML source code that includes a base64-encoded payload. Decoding the payload produces JavaScript code that is executed in the victim's browser in the context of their Roundcube session, according to ESET.

The researchers realized that the exploit was for a zero-day flaw when the JavaScript injection worked on a fully patched Roundcube instance. They found that the XSS vulnerability being exploited affected the server-side script rcube_washtml.php, which doesn't properly sanitize the malicious SVG document before it is added to the HTML page interpreted by a Roundcube user.

The final JavaScript payload in the attack can list folders and emails in the current Roundcube account and exfiltrate email messages to Winter Vivern's command-and-control server by making HTTP requests to https://recsecas[.]com/controlserver/saveMessage.
Users of vulnerable Roundcube instances are urged to update to the patched versions to avoid compromise. However, in the case of any future zero-day flaws discovered and subsequently exploited by Winter Vivern, this defense would not be sufficient, Faou notes.
"Other endpoint-defense practices that can protect vulnerable systems in the event of similar zero-day exploits would be to put technology in place that automatically blocks the loading of JavaScript payloads and exfiltration of emails," he advises. "As such, it is also recommended to deploy an endpoint security solution on all machines."
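The delivery shape described earlier (an inline SVG appended at the end of an HTML email, carrying a base64 blob that decodes to JavaScript) and Faou's advice above to block JavaScript payloads and email exfiltration both lend themselves to a simple triage check on the defender's side. The script below is an added example and not code from ESET, Dark Reading or the Roundcube project: it flags script-capable content inside `<svg>` elements of an HTML mail body, decodes any long base64 run found there for an analyst to inspect, and picks out proxy log lines whose destination host is the exfiltration host named in the article. The sample email body, the sample log lines and the 40-character base64 threshold are constructed for this example; the actual flaw is a sanitizer bypass in rcube_washtml.php, which this heuristic does not reproduce or specifically detect.

```python
# Added example (not from the article, ESET or Roundcube): defensive triage for
# (1) inline <svg> elements with active content in an HTML email body and
# (2) proxy log lines that reach the exfiltration host named in the article.
import base64
import re
from html.parser import HTMLParser
from typing import Dict, List

# Exfiltration host from the article (defanged there as recsecas[.]com).
EXFIL_HOST = "recsecas.com"

# Long runs of base64 alphabet inside an <svg> are unusual for images and worth
# a look; 40 characters is a threshold chosen for this example.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)


class SvgActiveContentScanner(HTMLParser):
    """Collect findings about script-capable content found inside <svg> elements."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0
        self.findings: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return  # only content inside <svg> is of interest here
        if tag == "script":
            self.findings.append({"kind": "script-in-svg", "detail": tag})
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append({"kind": "event-handler-in-svg", "detail": f"{tag}@{name}"})
            if name in ("href", "xlink:href") and re.match(r"\s*(javascript|data):", value, re.I):
                self.findings.append({"kind": "active-uri-in-svg", "detail": f"{tag}@{name}"})

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

    def handle_data(self, data):
        if self.svg_depth == 0:
            return
        for m in BASE64_RUN.finditer(data):
            blob = m.group(0)
            try:
                decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8", "replace")
            except ValueError:
                continue
            # Keep a short prefix of the decoded text so an analyst sees what it is.
            self.findings.append({"kind": "base64-in-svg", "detail": decoded[:40]})


def scan_html_email(html: str) -> List[Dict[str, str]]:
    """Return a list of findings for one HTML mail body (empty list = nothing flagged)."""
    parser = SvgActiveContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def flag_exfil_lines(log_lines: List[str]) -> List[str]:
    """Return log lines whose request host is the known C2 host (or a subdomain of it)."""
    hits = []
    for line in log_lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if host == EXFIL_HOST or host.endswith("." + EXFIL_HOST):
            hits.append(line)
    return hits


# Constructed sample: a notification-style body with an <svg> appended at the end.
# The base64 blob decodes to a harmless console.log string, not a real payload.
SAMPLE_BLOB = base64.b64encode(b"console.log('constructed sample, not a payload');").decode()
SAMPLE_EMAIL_HTML = f"""
<html><body>
<p>Get started in your Outlook</p>
<p>Welcome! Follow the steps below to set up your account.</p>
<svg xmlns="http://www.w3.org/2000/svg"><script>{SAMPLE_BLOB}</script></svg>
</body></html>
"""

# Constructed proxy log lines; the third one only mentions the host in a path.
SAMPLE_PROXY_LOG = [
    "2023-10-25T09:58:11Z 10.0.0.5 GET https://webmail.example.org/?_task=mail 200",
    "2023-10-25T09:58:14Z 10.0.0.5 POST https://recsecas.com/controlserver/saveMessage 200",
    "2023-10-25T09:58:20Z 10.0.0.5 GET https://www.example.net/recsecas.com/page 200",
]

if __name__ == "__main__":
    for finding in scan_html_email(SAMPLE_EMAIL_HTML):
        print("email finding:", finding)
    for line in flag_exfil_lines(SAMPLE_PROXY_LOG):
        print("exfil hit:", line)
```

Run it on the raw HTML part of a MIME message and on egress proxy logs; the host comparison is done on the parsed URL host rather than by substring so that a domain merely mentioned in a path or query string is not flagged.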
