Security News > 2023 > October > New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail
ESET researcher Matthieu Faou has exposed a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus.
The attack focuses on exploiting a zero-day vulnerability in Roundcube webmail, with the result being the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server.
This threat actor has a history of exploiting webmail software, as it already abused older Roundcube vulnerabilities and known Zimbra webmail vulnerabilities to target elected officials and staffers in the U.S. as well as experts in European politics and economics.
Winter Vivern uses vulnerability scanners such as Acunetix probably to scan targeted networks.
ESET noted that Winter Vivern has been observed exploiting CVE-2020-35730, which is a known Roundcube vulnerability against entities that are also targeted by threat actor APT28, which has been described as the military unit 26165 of Russia's Military Intelligence Agency, previously known as GRU. In addition, ESET pointed out a possible link to threat actor MoustachedBouncer, who runs attacks against foreign diplomats in Belarus.
ESET reported the CVE-2023-5631 vulnerability to Roundcube on Oct. 12, 2023; Roundcube patched it on Oct. 14, 2023 and released security updates to address the vulnerability on Oct. 16, 2023 for versions 1.6.4, 1.4.15 and 1.5.5.
News URL
https://www.techrepublic.com/article/winter-vivern-exploits-zero-day-roundcube-webmail/
Related news
- CISA Warns of Active Exploits Targeting Trimble Cityworks Vulnerability (source)
- XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells (source)
- North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack (source)
- Researchers Find New Exploit Bypassing Patched NVIDIA Container Toolkit Vulnerability (source)
- PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks (source)
- ⚡ THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Targets Over 6,000 Devices (source)
- Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks (source)
- APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-18 | CVE-2023-5631 | Cross-site Scripting vulnerability in multiple products Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. | 5.4 |
| 2020-12-28 | CVE-2020-35730 | Cross-site Scripting vulnerability in multiple products An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. | 6.1 |