Espionage group uses webmail server zero-day to target European governments

Jason Macuray
A well-known espionage group typically seen supporting Russia and Belarus was caught exploiting a zero-day vulnerability affecting a popular webmail service used by governments across Europe.

Researchers at security firm ESET said they have been tracking a new campaign by Winter Vivern — an advanced persistent threat (APT) group previously implicated in cyberattacks on the governments of Poland, Ukraine and India.

The latest campaign involved the exploitation of a previously unknown bug affecting Roundcube Webmail software, which is free and open-source.

ESET said it informed Roundcube of the vulnerability, tracked as CVE-2023-5631, after discovering it on October 12. A patch was released on October 14.

ESET researcher Matthieu Faou explained that the campaign targeted Roundcube servers belonging to governmental entities and a think tank, all based in Europe.

The vulnerability was notable because it required no manual interaction other than simply viewing a malicious email message in a web browser. Hackers could use the issue to exfiltrate email messages.

“Winter Vivern is a threat to governments in Europe because of its persistence, its very consistent running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated despite being known to contain vulnerabilities,” Faou said.

Faou noted that the attack was novel because the related emails did not seem malicious. But when examined, the messages revealed payloads that gave the hackers access to the email account information.

Faou and ESET have been tracking Winter Vivern since the group emerged in 2020. The group specifically targets government organizations in Europe and Central Asia, using an array of malicious documents, phishing websites and other tools in their attacks.

ESET tied the group to another Belarus-linked espionage group, known as MoustachedBouncer, in August.

The company noted that Winter Vivern has long targeted Zimbra and Roundcube email servers, specifically going after government entities using the services since 2022. ESET noted that the group previously targeted CVE-2020-35730, which affects Roundcube as well. SentinelOne reported attacks by Winter Vivern in March that involved phishing sites, malware and more.

Other Russia-based hacking groups have targeted Roundcube in the past.

Hackers with the infamous Russian military cyber group APT28 — also known as Fancy Bear and BlueDelta — were accused in June of targeting the Ukrainian government and a company involved in military aviation through three different vulnerabilities in Roundcube’s Webmail service.

ESET said it saw APT28 using CVE-2020-35730 in attacks, at times attacking the same organizations as Winter Vivern with the vulnerability.

“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube,” ESET said. “Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
