Security News > 2023 > October > Pro-Russia group exploits Roundcube zero-day in attacks on European government emails
The Winter Vivern cyber spy group is exploiting an XSS zero-day vulnerability in attacks on European governments.
Researchers at ESET, who discovered the activity, didn't name the specific government entities it targeted but given Winter Vivern's nexus to Russia and Belarus, they are likely to be adversaries of those countries.
Winter Vivern has exploited known vulnerabilities in Roundcube and Zimbra for its espionage campaigns since 2022, but this zero-day observation shows an advancement in its operations, according to the researchers.
Researchers observed Winter Vivern exploiting CVE-2020-35730 as recently as August and September, despite the vulnerability being three years old.
Fancy Bear, the advanced persistent threat group believed to have ties with Russia's GRU, was also spotted exploiting the same old XSS vulnerability in Roundcube, and sometimes targeting the same victims as Winter Vivern.
The group is known for mainly targeting entities in Europe and Central Asia, but earlier this year had attacks against US government officials, as well as European lawmakers, pinned to it.
News URL
Related news
- Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks (source)
- Craft CMS RCE exploit chain used in zero-day attacks to steal data (source)
- APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373) (source)
- Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility (source)
- EncryptHub linked to MMC zero-day attacks on Windows systems (source)
- EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware (source)
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware (source)
- PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks (source)
- Google fixes Android zero-days exploited in attacks, 60 other flaws (source)
- PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-28 | CVE-2020-35730 | Cross-site Scripting vulnerability in multiple products An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. | 6.1 |