Rewterz Threat Alert – Russian APT Group ‘Winter Vivern’ Exploits Zero-Day in Roundcube Webmail – Active IOCs

Severity

High

Analysis Summary

Cybersecurity researchers have observed the Russia-linked advanced persistent threat (APT) group called Winter Vivern (aka TA473) abusing a zero-day vulnerability in Roundcube webmail software on 11^th October, 2023. The threat group was first discovered in 2021, but it has been active since at least 2020. Its main targets are European and Central Asian governments.

In March of this year, security experts noticed the group was actively exploiting unpatched vulnerabilities in Zimbra instances in order to gain unauthorized access to emails of high-profile individuals like NATO officials, military personnel, governments, and diplomats.

The group has been observed exploiting a XSS flaw tracked as CVE-2023-5631 in the recent attacks, which they achieve by sending a specially crafted email to the unsuspecting victims. The threat actors pretended to be an official Outlook mail with the subject “Get started in your Outlook”.

“Once we decode the base64-encoded value in the href attribute of the use tag, we have:

<svg id=”x” xmlns=”http://www.w3.org/2000/svg”> <image href=”x” onerror=”eval(atob(‘<base64-encoded payload>’))” /></svg>

As the x value argument of the href attribute is not a valid URL, this object’s onerror attribute will be activated,” analyzed the researchers. “Decoding the payload in the onerror attribute gives us the following JavaScript code (with the malicious URL manually defanged), which will be executed in the browser of the victim in the context of their Roundcube session.”

The JavaScript code also operated successfully on fully patched Roundcube instances, revealing the zero-day XSS vulnerability impacting the server-side script rcube_washtml.php. This flaw is caused due to the poor sanitization of malicious SVG documents before being incorporated into the HTML page.

The company patched this vulnerability on 14^th October after it was reported to them by the researchers. Previous Roundcube versions are still affected by this zero-day flaw. Winter Vivern has evolved in its operations by leveraging a zero-day vulnerability in Roundcube, as it used to utilize already-known vulnerabilities in the past. The group remains a threat to government sectors due to its persistence and regular phishing campaigns.

Impact

• Cyber Espionage
• Sensitive Data Theft

Indicators of Compromise

MD5

• 4115431725abf3ccba92535cbdeb7e5d

SHA-256

• 05ae4c495c10835af57430ca2dfed387aad221ff0651bbe17fc75bbd1f96369a

SHA-1

• 97ed594ef2b5755f0549c6c5758377c0b87cfae0

Domain Name

• recsecas.com

IP

• 38.180.76.31

Remediation

• Upgrade to the latest version of Roundcube, available from their website.
• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Raise awareness among users about the risks associated with downloading apps from unknown or untrusted sources is crucial. Users should be educated about the importance of verifying app permissions and conducting background research on developers before installing apps.
• Implement reputable mobile security solutions on devices which can help detect and block malicious apps. Mobile antivirus and anti-malware software can provide an additional layer of protection against potential threats.
• Maintain regular and secure backups of critical data, ensuring that data can be restored in case of a cyberattack.
• Employ network monitoring and intrusion detection systems to detect and respond to suspicious activities in real-time.
• Enforce the principle of least privilege, granting users only the minimum access required to perform their tasks.