Security News > 2023 > October > New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail

New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail
2023-10-27 17:26

ESET researcher Matthieu Faou has exposed a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus.

The attack focuses on exploiting a zero-day vulnerability in Roundcube webmail, with the result being the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server.

This threat actor has a history of exploiting webmail software, as it already abused older Roundcube vulnerabilities and known Zimbra webmail vulnerabilities to target elected officials and staffers in the U.S. as well as experts in European politics and economics.

Winter Vivern uses vulnerability scanners such as Acunetix probably to scan targeted networks.

ESET noted that Winter Vivern has been observed exploiting CVE-2020-35730, which is a known Roundcube vulnerability against entities that are also targeted by threat actor APT28, which has been described as the military unit 26165 of Russia's Military Intelligence Agency, previously known as GRU. In addition, ESET pointed out a possible link to threat actor MoustachedBouncer, who runs attacks against foreign diplomats in Belarus.

ESET reported the CVE-2023-5631 vulnerability to Roundcube on Oct. 12, 2023; Roundcube patched it on Oct. 14, 2023 and released security updates to address the vulnerability on Oct. 16, 2023 for versions 1.6.4, 1.4.15 and 1.5.5.


News URL

https://www.techrepublic.com/article/winter-vivern-exploits-zero-day-roundcube-webmail/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-10-18 CVE-2023-5631 Cross-site Scripting vulnerability in multiple products
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior.
network
low complexity
roundcube debian fedoraproject CWE-79
5.4
2020-12-28 CVE-2020-35730 Cross-site Scripting vulnerability in multiple products
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10.
network
low complexity
roundcube fedoraproject debian CWE-79
6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Roundcube 3 0 27 12 5 44