New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail
Security News, October 2023
ESET researcher Matthieu Faou has disclosed a new cyberattack by Winter Vivern, a cyberespionage threat actor whose interests align with those of Russia and Belarus.
The attack exploits a zero-day stored cross-site scripting (XSS) vulnerability in Roundcube webmail, now tracked as CVE-2023-5631. The trigger is an HTML e-mail carrying a crafted SVG document that Roundcube's HTML sanitiser (program/lib/Roundcube/rcube_washtml.php) fails to neutralise, so the injected JavaScript runs in the victim's browser as soon as the message is viewed in Roundcube, with no link to click. In this campaign the script listed folders and e-mails in the victim's Roundcube account and exfiltrated full messages to an attacker-controlled server.
This threat actor has a history of attacking webmail software: it has previously abused older Roundcube vulnerabilities and known Zimbra webmail vulnerabilities to target elected officials and staffers in the U.S. as well as experts in European politics and economics.
Winter Vivern probably uses commercial vulnerability scanners such as Acunetix to scan targeted networks.
ESET noted that Winter Vivern has been observed exploiting CVE-2020-35730, an older, already patched Roundcube XSS vulnerability, against entities that are also targeted by APT28, a threat actor attributed to military unit 26165 of Russia's military intelligence agency, the GRU. ESET also pointed out a possible link to MoustachedBouncer, a threat actor that runs attacks against foreign diplomats in Belarus.
ESET reported CVE-2023-5631 to Roundcube on Oct. 12, 2023; Roundcube committed a fix on Oct. 14, 2023 and shipped it on Oct. 16, 2023 in versions 1.6.4, 1.5.5 and 1.4.15. Upgrading closes the injection point, but it does not undo any mailbox data already exfiltrated, so administrators of instances that were exposed in the meantime should also review webmail access logs for unexpected outbound requests made from users' sessions.
News URL
https://www.techrepublic.com/article/winter-vivern-exploits-zero-day-roundcube-webmail/
Related Vulnerability
DATE (published) | CVE | VULNERABILITY | RISK (CVSS base score) |
---|---|---|---|
2023-10-18 | CVE-2023-5631 | Cross-site scripting in Roundcube: Roundcube before 1.4.15, 1.5.x before 1.5.5 and 1.6.x before 1.6.4 allow stored XSS via an HTML e-mail message containing a crafted SVG document, because of the behaviour of program/lib/Roundcube/rcube_washtml.php. | 5.4 |
2020-12-28 | CVE-2020-35730 | Cross-site scripting in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10. | 6.1 |
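As an added example (not code from ESET, Roundcube or the article), the Python script below does the two checks a practitioner would want after reading the version ranges above and the description of the attack: it tells you whether a given Roundcube version string falls inside the affected ranges for either CVE in the table, and it flags text/html parts of an e-mail that embed an SVG document carrying script-capable content (a `<script>` element, an `on*` event-handler attribute or a `javascript:` URL). The version ranges are copied from the table; the SVG rule is a generic triage heuristic assumed for this example, not the specific payload used by Winter Vivern, which this page does not describe. The sample message, the `AFFECTED` table and the function names are constructed for the example.

```python
import re
from email import message_from_string

# Affected version ranges, copied from the advisory table on this page.
# Each entry is (branch, first_fixed): a branch of None means "every
# version below first_fixed", otherwise only that major.minor branch.
AFFECTED = {
    "CVE-2023-5631": [
        ((1, 6), (1, 6, 4)),    # 1.6.x before 1.6.4
        ((1, 5), (1, 5, 5)),    # 1.5.x before 1.5.5
        (None, (1, 4, 15)),     # anything before 1.4.15
    ],
    "CVE-2020-35730": [
        ((1, 4), (1, 4, 10)),   # 1.4.x before 1.4.10
        ((1, 3), (1, 3, 16)),   # 1.3.x before 1.3.16
        (None, (1, 2, 13)),     # anything before 1.2.13
    ],
}


def parse_version(text):
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Return the CVEs from AFFECTED whose ranges include this version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for branch, first_fixed in ranges:
            in_branch = branch is None or v[:2] == branch
            if in_branch and v < first_fixed:
                hits.append(cve)
                break  # one matching range per CVE is enough
    return hits


# Triage heuristic (an assumption for this example, not the CVE trigger
# itself): an inline <svg> in an HTML mail part that carries a <script>
# element, an on* event-handler attribute or a javascript: URL is worth
# a manual look, whatever webmail client will render it.
SVG_RE = re.compile(r"<svg\b.*?</svg\s*>", re.IGNORECASE | re.DOTALL)
ACTIVE_RE = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def suspicious_svg_parts(raw_eml):
    """Return walk() indices of text/html parts containing script-capable SVG."""
    msg = message_from_string(raw_eml)
    flagged = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        html = body.decode(part.get_content_charset() or "utf-8", "replace")
        if any(ACTIVE_RE.search(svg) for svg in SVG_RE.findall(html)):
            flagged.append(idx)
    return flagged


# Constructed sample message (not a real Winter Vivern e-mail): a
# multipart/alternative mail whose HTML part embeds an SVG that carries
# an event-handler attribute.
SAMPLE_EML = """\
From: sender@example.test
To: victim@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

plain text body
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>hello</p>
<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1" onload="x()"/></svg>
</body></html>
--b1--
"""

# Same message with the handler removed: a plain decorative SVG.
CLEAN_EML = SAMPLE_EML.replace(' onload="x()"', "")


if __name__ == "__main__":
    for ver in ("1.4.9", "1.4.14", "1.5.4", "1.6.3", "1.6.4"):
        print(ver, affected_cves(ver) or "not affected")
    print("flagged parts:", suspicious_svg_parts(SAMPLE_EML))  # [2]
    print("flagged parts:", suspicious_svg_parts(CLEAN_EML))   # []
```

The version check is deliberately pessimistic: a 1.3.x or 1.2.x install is reported as affected by CVE-2023-5631 because the advisory says "before 1.4.15" with no lower bound, and such an install is also past end of life. The SVG heuristic will produce false positives on legitimate interactive SVG, which is acceptable for triage; the point is to surface HTML mail that depends on the webmail client's sanitiser doing its job.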