Security researchers at ESET have discovered a previously unpatched weakness in the open-source Roundcube Webmail software. Unfortunately, the vulnerability had already been used to target government entities, with a fake Microsoft Outlook page serving as the lure.
ESET posted a summary of its findings on Twitter, in which it reported that a zero-day exploit (one that takes advantage of a vulnerability before security researchers become aware of it) had been detected in Roundcube Webmail servers used by governments.
It believes a gang known as Winter Vivern, which may be linked to the Belarus-based threat actor MoustachedBouncer, was behind the attack. However, it did not specify which countries had been targeted.
“ESET discovered a zero-day XSS vulnerability (#CVE-2023-5631) in Roundcube Webmail servers,” it tweeted on October 25th. “It is actively used in the wild by Winter Vivern to target governments and a think tank in Europe. The exploit was contained in a legitimate-looking email about Outlook.”
It added: “The vulnerability can be used to load arbitrary JavaScript code in the Roundcube webpage, allowing an attacker to access and exfiltrate user data such as email messages.”
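The defence against this class of bug is the webmail server "washing" every HTML message body against an allowlist before the browser renders it, so that script elements, event-handler attributes, unsafe URL schemes and embedded foreign documents such as SVG never reach the page. The following Python is an added illustration of that approach and is not Roundcube's code (Roundcube's own washer, rcube_washtml, is written in PHP); the allowlists, the MailWasher class, wash_html and the SAMPLE message are all constructed for this example. The public NVD entry for CVE-2023-5631 attributes the bug to handling of a crafted SVG document, which is why svg is in the drop-subtree list below.

```python
"""Allowlist-based HTML washing for webmail bodies (added example, not Roundcube's code)."""
import re
from html import escape
from html.parser import HTMLParser

# Tags a mail client may render; any other tag is stripped but its text is kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th", "img"}
# Per-tag attribute allowlist: no on* handlers, no style, nothing unlisted.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
VOID_TAGS = {"br", "img"}
# Tags whose whole subtree is discarded: active content and foreign documents.
DROP_SUBTREE_TAGS = {"script", "style", "svg", "math", "iframe", "object", "embed"}
# URL schemes permitted in href/src; javascript:, data:, vbscript: etc. fail this.
SAFE_URL = re.compile(r"^\s*(https?:|mailto:|cid:)", re.IGNORECASE)
URL_ATTRS = {"href", "src"}


class MailWasher(HTMLParser):
    """Rebuilds the message from allowed tags/attributes only; records what it removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0   # > 0 while inside a discarded subtree
        self.dropped = []     # audit trail of removed tags and attributes

    def handle_starttag(self, tag, attrs):
        if tag in DROP_SUBTREE_TAGS:
            self.dropped.append(tag)
        if self.drop_depth or tag in DROP_SUBTREE_TAGS:
            if tag not in VOID_TAGS:          # void tags get no end tag to balance
                self.drop_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)          # unknown tag removed, text content kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")   # e.g. img@onerror, p@style
                continue
            if name in URL_ATTRS and not SAFE_URL.match(value):
                self.dropped.append(f"{tag}@{name}")   # e.g. javascript: or data: URL
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped on output

    def handle_comment(self, data):
        self.dropped.append("comment")    # comments (incl. conditional ones) never render


def wash_html(body):
    """Return (safe_html, dropped) for an untrusted HTML mail body."""
    washer = MailWasher()
    washer.feed(body)
    washer.close()
    return "".join(washer.out), washer.dropped


# Constructed sample message: a benign-looking "Outlook" notice carrying an event
# handler, a javascript: link and an SVG subtree with a script element.
SAMPLE = (
    "<p>Please review the attached <b>Outlook</b> notice.</p>"
    '<img src="cid:logo" onerror="alert(1)">'
    '<a href="javascript:alert(1)">open</a>'
    "<svg><script>alert(1)</script></svg>"
    '<a href="https://example.org/">safe link</a>'
)

if __name__ == "__main__":
    safe, dropped = wash_html(SAMPLE)
    print(safe)
    print("removed:", dropped)
```

Note that the washer is deliberately allowlist-driven: a tag or attribute it has never heard of is removed, which is what stops a newly discovered element or handler from slipping through. Badly unbalanced HTML inside a dropped subtree (an unclosed element before the closing tag) will cause the rest of the body to be discarded rather than rendered, which is the safe failure direction for mail.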
ESET said it notified Roundcube on October 14th, and the project's developers promptly fixed the vulnerability.
Winter Vivern is a cyber espionage group thought to have been active since at least 2020. It targets governments in Europe and Central Asia using malicious documents, phishing websites, and a custom PowerShell backdoor.
Citing fellow cybersecurity firm Proofpoint, ESET said that Winter Vivern has been targeting government-run Zimbra and Roundcube email servers since at least last year.