Espionage group uses webmail server zero-day to target European governments

A well-known espionage group typically seen supporting Russia and Belarus was caught exploiting a zero-day vulnerability affecting a popular webmail service used by governments across Europe.

Researchers at security firm ESET said they have been tracking a new campaign by Winter Vivern —- an advanced persistent threat (APT) group previously implicated in cyberattacks on the governments of Poland, Ukraine and India.

The latest campaign involved the exploitation of a previously unknown bug affecting Roundcube Webmail software, which is free and open-source.

ESET said it informed Roundcube of the vulnerability, tracked as CVE-2023-5631, after discovering it on October 12. A patch was released on October 14.

ESET researcher Matthieu Faou explained that the campaign targeted Roundcube servers belonging to governmental entities and a think tank, all based in Europe.

The vulnerability was notable because it required no manual interaction other than simply viewing a malicious email message in a web browser. Hackers could use the issue to exfiltrate email messages.

“Winter Vivern is a threat to governments in Europe because of its persistence, its very consistent running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated despite being known to contain vulnerabilities,” Faou said.

Faou noted that the attack was novel because the related emails did not seem malicious. But when examined, the messages revealed payloads that gave the hackers access to the email account information.

Faou and ESET have been tracking Winter Vivern since the group emerged in 2020. The group specifically targets government organizations in Europe and Central Asia, using an array of malicious documents, phishing websites and other tools in their attacks.

ESET tied the group to another Belarus-linked espionage group, known as MoustachedBouncer, in August.

The company noted that Winter Vivern has long targeted Zimbra and Roundcube email servers, specifically going after government entities using the services since 2022. ESET noted that the group previously targeted CVE-2020-35730, which affects Roundcube as well. SentinelOne reported attacks by Winter Vivern in March that involved phishing sites, malware and more.

Other Russia-based hacking groups have targeted Roundcube in the past.

Hackers with the infamous Russian military cyber group APT28 — also known as Fancy Bear and BlueDelta — were accused in June of targeting the Ukrainian government and a company involved in military aviation through three different vulnerabilities in Roundcube’s Webmail service.

ESET said it saw APT28 using CVE-2020-35730 in attacks, at times attacking the same organizations as Winter Vivern with the vulnerability.

“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube,” ESET said. “Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online.”