
ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible.
ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023. This is a different vulnerability than CVE-2020-35730, which was also exploited by the group according to our research.
According to ESET telemetry data, the campaign targeted Roundcube Webmail servers belonging to governmental entities and a think tank, all in Europe.
Vulnerability disclosure timeline:
- 2023-10-12: ESET Research reported the vulnerability to the Roundcube team.
- 2023-10-14: The Roundcube team responded and acknowledged the vulnerability.
- 2023-10-14: The Roundcube team patched the vulnerability.
- 2023-10-16: The Roundcube team released security updates to address the vulnerability (1.6.4, 1.5.5, and 1.4.15).
- 2023-10-18: ESET CNA issued a CVE for the vulnerability (CVE-2023-5631).
- 2023-10-25: ESET Research blogpost published.
We would like to thank the Roundcube developers for their quick reply and for patching the vulnerability in such a short time frame.
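The fixed releases above differ per branch (1.6.x, 1.5.x, 1.4.x), so a simple "is my version newer than X" check is not enough. The following is an added example, not code from ESET or the Roundcube project, that classifies an installed version against the three fixed releases listed in the timeline; it assumes the version is read from the PHP constant RCMAIL_VERSION in Roundcube's program/include/iniset.php, and the sample file contents are constructed.

```python
import re

# Fixed releases per Roundcube branch for CVE-2023-5631, taken from the timeline above.
FIXED_VERSIONS = {
    (1, 6): (1, 6, 4),
    (1, 5): (1, 5, 5),
    (1, 4): (1, 4, 15),
}
OLDEST_FIXED_BRANCH = min(FIXED_VERSIONS)
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)

# Assumption: Roundcube exposes its version as define('RCMAIL_VERSION', '1.6.3');
# in program/include/iniset.php. Neither the path nor the constant come from the advisory.
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text):
    """Return the version as a tuple of ints from iniset.php content, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    # Keep only numeric components, so suffixes such as '-rc' or '-dev' do not break comparison.
    parts = re.findall(r"\d+", m.group(1))
    return tuple(int(p) for p in parts[:3])


def assess(version):
    """Classify a version tuple: fixed, vulnerable, unsupported (EOL branch) or unknown."""
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch < OLDEST_FIXED_BRANCH:
        return "unsupported"        # no fixed release exists for this branch
    if branch > NEWEST_FIXED_BRANCH:
        return "fixed"              # branch released after the patched ones
    padded = version + (0,) * (3 - len(version))   # '1.6' counts as 1.6.0
    return "fixed" if padded >= FIXED_VERSIONS[branch] else "vulnerable"


# Constructed iniset.php fragments standing in for files read from real servers.
SAMPLES = {
    "patched 1.6": "<?php\ndefine('RCMAIL_VERSION', '1.6.4');\n",
    "vulnerable 1.5": "<?php\ndefine('RCMAIL_VERSION', '1.5.4');\n",
    "eol branch": "<?php\ndefine('RCMAIL_VERSION', '1.3.17');\n",
    "no version": "<?php\n// version constant missing\n",
}


def check_all(samples=SAMPLES):
    """Map each sample name to its classification."""
    return {name: assess(parse_version(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, status in check_all().items():
        print(f"{name}: {status}")
```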
Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.
Winter Vivern has been targeting Zimbra and Roundcube email servers belonging to governmental entities since at least 2022 – see this article from Proofpoint. In particular, we observed that the group exploited CVE-2020-35730, another XSS vulnerability in Roundcube, in August and September 2023. Note that Sednit (also known as APT28) is exploiting this old XSS vulnerability in Roundcube as well, sometimes against the same targets.
For technical details of the campaign, see ESET’s We Live Security blogpost.
Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online.
Despite the low sophistication of the group’s toolset, it is a serious threat because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.
by Matthieu Faou, ESET
