Pro-Russian hackers put millions of emails at risk with zero-day exploits

Research by ESET has identified a group of pro-Russian hackers who targeted webmail software, putting a huge number of emails at risk.

The previously unknown vulnerability is a critical cross-site scripting flaw in Roundcube, a server application used by over 1,000 webmail services and millions of end users. Members of a hacker group identified as Winter Vivern have already exploited the XSS bug to inject JavaScript into the Roundcube server application.

In fact, victims just need to open a malicious email to be infected: no click or active action is required on the part of the user.

ESET expert Matthieu Faou stated: “In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window.” He then added that “No manual interaction is required beyond viewing the message in a web browser.”

Pro-Russian Winter Vivern hackers are targeting government entities in Europe, Central Asia and beyond

ESET’s analysis showed that the attacks began on October 11th, with the company reporting the zero-day vulnerability to Roundcube developers the following day, followed by the release of a patch on October 14th. The vulnerability was listed as CVE-2023-5631 and affects Roundcube versions 1.6.x before before 1.5.5 and 1.4.x before 1.4.15.

Winter Vivern has been operational since at least 2020 and has been shown to primarily target government entities in Europe and Central Asia. In March, the threat group was spotted targeting US government officials who had expressed support for Ukraine during the ongoing conflict with Russia.

The security company Proofpoint also confirmed this, stating that “This actor has been persistent in targeting American and European officials, as well as military and diplomatic personnel in Europe.”

