The Russia-linked advanced persistent threat (APT) actor Winter Vivern has been observed exploiting a zero-day vulnerability in the Roundcube webmail server in attacks aimed at government entities and a think tank in Europe, ESET reports.
Also tracked as TA473 and mainly focused on espionage, Winter Vivern is known to launch cyberattacks in support of Russian and Belarusian objectives, especially in the context of the Russia-Ukraine war, and was previously seen targeting NATO countries.
Since at least 2022, Winter Vivern has been targeting the Zimbra and Roundcube email servers of government organizations in Europe and Central Asia, using known vulnerabilities for which proof-of-concept (PoC) exploits are available online.
As part of the recently observed attacks, however, the APT stepped up its game, exploiting CVE-2023-5631, a zero-day cross-site scripting (XSS) vulnerability in Roundcube’s open source webmail server.
The final payload in the execution chain was designed to list folders and emails in the current Roundcube account and to exfiltrate emails to the attacker’s command-and-control (C&C) server.
According to ESET, Winter Vivern exploited CVE-2023-5631 on October 11. The zero-day was reported to the vendor the next day and a patch was released on October 16.
“Winter Vivern is a threat to governments in Europe because of its persistence, its very consistent running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated despite being known to contain vulnerabilities,” ESET researcher Matthieu Faou says.