ESET: Winter Vivern Exploits Zero-Day Vulnerability in Roundcube Webmail Servers

Cyber Security Threat Summary:
As per a report by ESET security, a well-known cybersecurity endpoint protection vendor, the threat actor identified as Winter Vivern, also known as TA473 and UAC-0114, has been detected exploiting a zero-day vulnerability in Roundcube webmail software on October 11, 2023, for the purpose of gathering email messages from victims' accounts. Telemetry data indicates that the campaign specifically aimed at Roundcube Webmail servers owned by governmental entities and a think tank, all located in Europe.

This group, whose objectives align with those of Belarus and Russia, has been implicated in attacks against Ukraine, Poland, and various government entities in Europe and India. Winter Vivern previously targeted Roundcube with a different flaw (CVE-2020-35730). The recent security vulnerability, CVE-2023-5631, is a stored cross-site scripting flaw that could allow a remote attacker via the use phishing messages to exfiltrate email messages to command-and-control servers.

Security Officer Comments:
Despite relying on a relatively unsophisticated toolset, Winter Vivern represents a significant threat due to its persistence and consistent phishing campaigns. The recent revelation of their exploitation of Roundcube and servers, along with data exfiltration, suggests that we may witness an increase in phishing attacks targeting various individuals and industries worldwide.

Winter Vivern, as a long-standing threat actor, is likely to persist in its exploitation of vulnerabilities in public-facing appliances. Nevertheless, their approach has intensified with the employment of this zero-day vulnerability in Roundcube. In the past, the group focused on exploiting known vulnerabilities in Roundcube and Zimbra, for which proofs of concept can be found online.

Suggested Correction(s):
Administrators of Roundcube infrastructure are strongly advised to promptly upgrade their installations to one of the fixed versions. Additionally, if organizations suspect that they might have been targeted in these attacks, it is crucial for them to search for indicators of compromise.