Espionage group uses webmail server zero-day to target European governments

Jason Macuray
A well-known espionage group typically seen supporting Russia and Belarus was caught exploiting a zero-day vulnerability affecting a popular webmail service used by governments across Europe.

Researchers at security firm ESET said they have been tracking a new campaign by Winter Vivern, an advanced persistent threat (APT) group previously implicated in cyberattacks on the governments of Poland, Ukraine and India.

The latest campaign involved the exploitation of a previously unknown bug affecting Roundcube Webmail software, which is free and open-source.

ESET said it informed Roundcube of the vulnerability, tracked as CVE-2023-5631, after discovering it on October 12. A patch was released on October 14.

ESET researcher Matthieu Faou explained that the campaign targeted Roundcube servers belonging to governmental entities and a think tank, all based in Europe.

The vulnerability was notable because exploitation required no user interaction beyond viewing a malicious email message in a web browser. Hackers could use the issue to exfiltrate email messages.

“Winter Vivern is a threat to governments in Europe because of its persistence, its very consistent running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated despite being known to contain vulnerabilities,” Faou said.

Faou noted that the attack was novel because the related emails did not seem malicious. But when examined, the messages revealed payloads that gave the hackers access to the email account information.

Faou and ESET have been tracking Winter Vivern since the group emerged in 2020. The group specifically targets government organizations in Europe and Central Asia, using an array of malicious documents, phishing websites and other tools in their attacks.

ESET tied the group to another Belarus-linked espionage group, known as MoustachedBouncer, in August.

The company noted that Winter Vivern has long targeted Zimbra and Roundcube email servers, specifically going after government entities using the services since 2022. ESET noted that the group previously targeted CVE-2020-35730, which affects Roundcube as well. SentinelOne reported attacks by Winter Vivern in March that involved phishing sites, malware and more.

Other Russia-based hacking groups have targeted Roundcube in the past.

Hackers with the infamous Russian military cyber group APT28 — also known as Fancy Bear and BlueDelta — were accused in June of targeting the Ukrainian government and a company involved in military aviation through three different vulnerabilities in Roundcube’s Webmail service.

ESET said it saw APT28 using CVE-2020-35730 in attacks, at times attacking the same organizations as Winter Vivern with the vulnerability.

“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube,” ESET said. “Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.