A team of Russia-linked hackers is exploiting a zero-day vulnerability to target government agencies and think tanks in Europe, according to Ars Technica.
The vulnerability is a critical bug in the Roundcube webmail server application, which is used by more than 1,000 webmail services and millions of their users.
Winter Vivern used an XSS bug to inject JavaScript into a Roundcube server application. The injection was triggered simply by viewing a malicious email, causing the server to send emails from selected targets to a server controlled by the attackers.
In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual interaction other than viewing the message in a web browser is required.
ESET detected the hackers’ activity on October 12, a day after the injection, and informed Roundcube’s developers about the zero-day vulnerability. As a result, a patch fixing the vulnerability in some versions of Roundcube was released on October 14.
Winter Vivern has been operating since at least 2020 and targets governments and think tanks, primarily in Europe and Central Asia. The hacker group stole emails of US government officials who expressed support for Ukraine in its war with Russia.
“This actor has been tenacious in its targeting of American and European officials as well as military and diplomatic personnel in Europe. Since late 2022, [Winter Vivern] has invested an ample amount of time studying the webmail portals of European government entities and scanning publicly facing infrastructure for vulnerabilities all in an effort to ultimately gain access to emails of those closely involved in government affairs and the Russia-Ukraine war.”
The malicious Winter Vivern email came from [email protected] and had the subject line “Get Started in your Outlook.”
The attackers hid an invalid SVG element in the email’s HTML source code that, when decoded, triggered a command whenever an error occurred. Since the element deliberately contained an error, execution of the resulting JavaScript in Roundcube was guaranteed.
The JavaScript instructed the vulnerable servers to list folders and emails in the target’s email account and forward the emails to a server controlled by the hacker.
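As an added, defender-side example that is not from the article, ESET or the Roundcube project: a small Python scanner that flags SVG elements in an HTML mail body carrying inline event-handler attributes (the error-triggered handler the article describes) and decodes any base64 argument passed to atob() in the handler so an analyst can read the payload. The sample message is constructed and its wrapped payload is a harmless console.log, not the real exploit.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)  # onerror, onload, ...
ATOB_CALL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")  # base64-wrapped handler body

def decode_b64(text):
    """Decode an atob() argument; invalid base64 is reported rather than raised."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return "<undecodable>"

class SvgHandlerScanner(HTMLParser):
    """Records inline event-handler attributes found inside any <svg> subtree."""
    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []

    def handle_starttag(self, tag, attrs):  # HTMLParser also routes self-closing tags here
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                decoded = [decode_b64(b) for b in ATOB_CALL.findall(value or "")]
                self.findings.append({"tag": tag, "attr": name, "decoded": decoded})

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1

def scan_html(body):
    """Return the findings for one HTML mail body (empty list = nothing suspicious)."""
    scanner = SvgHandlerScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings

# Constructed sample message: an SVG whose <image> cannot load, so its onerror
# handler fires; the wrapped payload here is a harmless console.log, not an exploit.
SAMPLE_PAYLOAD = base64.b64encode(b'console.log("benign")').decode()
SAMPLE_BODY = ("<html><body><p>Get Started in your Outlook</p><svg xmlns='http://www.w3.org/2000/svg'>"
               f"<image href='x' onerror=\"eval(atob('{SAMPLE_PAYLOAD}'))\"/></svg></body></html>")
CLEAN_BODY = "<html><body><img src='cid:logo'><svg><circle r='4'/></svg></body></html>"  # inline SVG, no handlers
```

Run scan_html() over the decoded HTML part of each inbound message; a non-empty result is worth quarantining for review, while an ordinary inline SVG without handlers (CLEAN_BODY) yields nothing.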
Winter Vivern’s previous success in exploiting the already patched Zimbra vulnerability should serve as a warning.