Roundcube webmail zero-day exploited to spy on government entities (CVE-2023-5631)

The Winter Vivern APT group has been exploiting a zero-day vulnerability (CVE-2023-5631) in Roundcube webmail servers to spy on email communications of European governmental entities and a think tank, according to ESET researchers.


“Exploitation of the XSS vulnerability can be done remotely by sending a specially crafted email message,” the researchers noted. “No manual interaction other than viewing the message in a web browser is required.”

Exploiting CVE-2023-5631

Roundcube is an open-source, browser-based email client with an application-like user interface.

CVE-2023-5631 is a cross-site scripting (XSS) vulnerability in rcube_washtml.php, the server-side HTML sanitizer Roundcube runs over messages before rendering them. It can be triggered to load arbitrary JavaScript code via an HTML email message containing a specially crafted SVG document that gets past the sanitizer.

On October 11, 2023, Winter Vivern sent its targets an email impersonating the “Microsoft Accounts Team”, carrying an SVG tag containing a base64-encoded payload: the exploit script.


The malicious email (Source: ESET)

In the final stage of the attack, the attackers loaded another JavaScript payload that lists the folders and emails in the current Roundcube account and exfiltrates email messages to the attackers’ C2 server.
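The attack chain above (an HTML message with an inline SVG carrying a base64-wrapped script, sent under a lure display name) suggests a simple hunting check for stored mail. The following is an added example written for this article, not ESET's detection logic or their published IOCs: it parses an RFC 822 message, walks the text/html parts, and flags event-handler attributes and base64 blobs that decode to JavaScript-looking text inside any <svg> element. The sample message is constructed to exercise the heuristic and is not the real Winter Vivern email.

```python
import base64
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample shaped after the description in the article (inline SVG,
# base64 blob in an attribute, lure display name). Not the actual phishing message.
SAMPLE_EML = b"""From: "Microsoft Accounts Team" <noreply@example.invalid>
To: victim@example.invalid
Subject: Get started in your new Outlook
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Get started in your new Outlook</p>
<svg id='x' xmlns='http://www.w3.org/2000/svg'>
<image href='x' onerror='eval(atob("ZG9jdW1lbnQuY29va2ll"))'></image>
</svg></body></html>
"""

# Tokens that suggest a decoded blob is script rather than image data or an ID.
JS_HINT = re.compile(r"\b(eval|fetch|document|window|XMLHttpRequest)\b")
# Runs of base64 alphabet long enough to be worth decoding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64(blob):
    """Decode a base64 candidate to ASCII text; return None if it is not valid base64/ASCII."""
    blob = blob.rstrip("=")
    blob += "=" * (-len(blob) % 4)  # re-pad after stripping any partial padding
    try:
        return base64.b64decode(blob, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


class SvgInspector(HTMLParser):
    """Records event-handler attributes and base64-wrapped script found inside <svg>."""

    def __init__(self):
        super().__init__()
        self.depth = 0        # >0 while the parser is inside an <svg> element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
        if self.depth == 0:
            return  # only SVG content is of interest for this check
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            for blob in B64_BLOB.findall(value):
                decoded = decode_b64(blob)
                if decoded and JS_HINT.search(decoded):
                    self.findings.append(f"base64 JavaScript in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.depth:
            self.depth -= 1


def scan_message(raw):
    """Return a list of findings for every text/html part of an RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        if "<svg" not in html.lower():
            continue
        inspector = SvgInspector()
        inspector.feed(html)
        inspector.close()
        findings.extend(inspector.findings)
    # The display name alone proves nothing; only report it alongside SVG findings.
    sender = str(msg.get("From", ""))
    if findings and "microsoft accounts team" in sender.lower():
        findings.append(f"lure display name: {sender}")
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print(finding)
```

Run it over exported .eml files (or a maildir) and triage anything returned by hand; inline SVG in mail is rare enough that the handler and base64 checks produce few false positives, but they are heuristics, not a signature for this specific exploit.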

What to do?

“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube [CVE-2020-35730] and Zimbra [CVE-2022-27926], for which proofs of concept are available online,” ESET researchers said.

“We believe with low confidence that Winter Vivern is linked to MoustachedBouncer, a sophisticated Belarus-aligned group that we first published about in August, 2023.”

CVE-2023-5631 was reported to the Roundcube team separately by Matthieu Faou (ESET) and Denys Klymenko, and was patched a few days later. It affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.

Admins are advised to upgrade their installation to one of the fixed versions as soon as possible. If they believe they may have been targeted in these attacks, they should also check their systems against the indicators of compromise provided by ESET.
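Because the fix landed in three branches with different fixed releases, a plain "is it below 1.6.4" check misclassifies patched 1.4.x and 1.5.x installs. The following added example (not Roundcube's or ESET's code) applies the affected ranges stated above, branch by branch, to version strings pulled from the installation's program/include/iniset.php; it assumes that file contains a line of the form define('RCMAIL_VERSION', '1.6.3'); and the iniset.php fragments for the three hosts are constructed for the demonstration.

```python
import re

# Fixed releases for each affected branch, as listed in the advisory text.
FIXED = {(1, 6): (1, 6, 4), (1, 5): (1, 5, 5), (1, 4): (1, 4, 15)}

# Assumption: Roundcube defines its version as define('RCMAIL_VERSION', 'x.y.z');
VERSION_RE = re.compile(r"RCMAIL_VERSION'\s*,\s*'(\d+)\.(\d+)\.(\d+)")


def version_from_iniset(php_source):
    """Extract a (major, minor, patch) tuple from iniset.php contents."""
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found")
    return tuple(int(x) for x in m.groups())


def cve_2023_5631_status(version):
    """Classify a version tuple against the affected ranges, branch by branch."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branches the advisory does not list (e.g. end-of-life 1.3.x) are not
        # declared safe here; they need a manual look at the release notes.
        return "unlisted branch: review manually"
    return "vulnerable" if version < fixed else "fixed"


# Constructed iniset.php fragments for three hypothetical installations.
INSTALLS = {
    "mail01": "define('RCMAIL_VERSION', '1.6.3');",
    "mail02": "define('RCMAIL_VERSION', '1.5.5');",
    "mail03": "define('RCMAIL_VERSION', '1.4.13');",
}


def audit(installs):
    """Map each host name to its CVE-2023-5631 status."""
    return {host: cve_2023_5631_status(version_from_iniset(src))
            for host, src in installs.items()}


if __name__ == "__main__":
    for host, status in audit(INSTALLS).items():
        print(f"{host}: {status}")
```

In practice the dictionary would be filled from the real files (for example by fetching program/include/iniset.php from each host over SSH); a dev build with a suffix such as '1.6.4-git' is still matched on its numeric prefix, so treat such results with care.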
