2023-10-26

A persistent team of pro-Russian hackers exploited a zero-day vulnerability in widely used webmail software in attacks that targeted government entities across Europe and a think tank, researchers at security firm ESET said Wednesday.

The previously unknown vulnerability was a cross-site scripting (XSS) flaw in Roundcube, a server application used by over 1,000 webmail services and millions of their end users. Members of a hacking group aligned with Russia and Belarus, tracked as Winter Vivern, used the XSS bug to inject JavaScript into the Roundcube web application. The injection was triggered simply by viewing a malicious email, and the injected script sent emails from selected targets to a server controlled by the threat actor.

No manual interaction required

“In short, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of a Roundcube user’s browser window,” ESET researcher Matthieu Faou wrote. “No manual interaction required other than viewing the message in a web browser.”

The attacks began on October 11 and were detected by ESET a day later. ESET reported the zero-day vulnerability to Roundcube developers the same day, and they released a patch on October 14. The vulnerability is tracked as CVE-2023-5631 and affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.

Winter Vivern has been operating since at least 2020 and primarily targets governments and think tanks in Europe and Central Asia. In March, the threat group was seen targeting US government officials who had voiced support for Ukraine against Russia’s invasion. Those attacks also exfiltrated the targets’ emails, but exploited a different, already patched XSS flaw in Zimbra Collaboration, a software package that is also used to host webmail portals.

“This actor has been persistent in targeting U.S. and European officials, as well as military and diplomatic personnel in Europe,” said a threat researcher at security firm Proofpoint, which disclosed attacks exploiting the Zimbra vulnerability in March. “From the end of 2022, [Winter Vivern] ultimately invested substantial time studying the webmail portals of European government entities and scanning their public-facing infrastructure for vulnerabilities in an effort to gain access to the emails of people involved in government affairs and the Russia-Ukraine war.”


The email used in the recent campaign was sent by Winter Vivern from the address [email protected] with the subject line “Get started in your Outlook.”

Figure: the email sent in the campaign.

Hidden deep in the HTML source of the email was a malformed SVG tag. It contained Base64-encoded text which, when decoded, yielded JavaScript with a command to run in the event of an error. Because the tag contained an intentional error, that command executed, and the XSS bug ensured that Roundcube rendered the resulting JavaScript rather than neutralizing it.

Figure: the HTML source of the email, with the SVG tag at the end (image: ESET).

The final JavaScript payload instructed the victim’s browser session to list the folders and emails in the target’s account and send the email messages to an attacker-controlled server by making an HTTP request to https://recsecas.[.]com/controlserver/saveMessage.

Figure: the final JavaScript payload (image: ESET).
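The two mechanics the article describes, an SVG element in the mail body carrying a Base64 data URI that decodes to markup with an error-event handler, and a payload that calls out to the attacker's server, are exactly what a mail-gateway or mailbox audit can look for. The script below is an added example written for this article, not ESET's or Roundcube's code: it walks the HTML of a message, flags `<svg>` subtrees, event-handler attributes inside them, and Base64 data URIs, decodes those URIs and rescans the decoded content, and reports whether the defanged exfiltration domain quoted on the page appears anywhere. The sample message and the "inner" SVG are constructed for the demonstration and contain only a placeholder handler, not the real payload.

```python
import base64
import re
from html.parser import HTMLParser

# Defanged exfiltration domain as quoted on the page; kept defanged so the
# detector never emits a live URL.
IOC_DOMAIN = "recsecas[.]com"

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
DATA_B64 = re.compile(r"data:[^;,]+;base64,([A-Za-z0-9+/=\s]+)", re.IGNORECASE)


def decode_b64(blob):
    """Decode a Base64 blob leniently (strip whitespace, fix padding); '' on failure."""
    raw = re.sub(r"\s+", "", blob)
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""


class SvgAuditor(HTMLParser):
    """Collects (kind, location, value) findings about <svg> subtrees in HTML."""

    def __init__(self):
        super().__init__()
        self.depth = 0        # nesting depth inside <svg>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.depth += 1
            self.findings.append(("svg-element", tag, ""))
        if self.depth == 0:
            return            # only inspect attributes inside an SVG subtree
        for name, value in attrs:
            value = value or ""
            if EVENT_ATTR.match(name):
                self.findings.append(("event-handler", f"{tag}@{name}", value))
            for m in DATA_B64.finditer(value):
                decoded = decode_b64(m.group(1))
                self.findings.append(("base64-data-uri", f"{tag}@{name}", decoded))
                # Encoded content may itself be markup: rescan it recursively.
                self.findings.extend(scan_html(decoded))

    def handle_endtag(self, tag):
        if tag == "svg" and self.depth:
            self.depth -= 1


def scan_html(html):
    parser = SvgAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def audit_mail_body(html):
    """Summarise the findings for one HTML mail body."""
    findings = scan_html(html)
    return {
        "svg_present": any(k == "svg-element" for k, _, _ in findings),
        "event_handlers": [loc for k, loc, _ in findings if k == "event-handler"],
        "decoded_payloads": [v for k, _, v in findings if k == "base64-data-uri"],
        "ioc_domain_hit": any(IOC_DOMAIN in v for _, _, v in findings),
    }


# Constructed sample: an SVG whose image source is a Base64 data URI that
# decodes to more SVG with a placeholder onerror handler (not a real payload).
INNER_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<image href="broken" onerror="/* placeholder */ send_to(\'recsecas[.]com\')"/>'
    "</svg>"
)
SAMPLE_MAIL_HTML = (
    "<html><body><p>Get started in your Outlook.</p>"
    '<svg xmlns="http://www.w3.org/2000/svg"><image href="data:image/svg+xml;base64,'
    + base64.b64encode(INNER_SVG.encode()).decode()
    + '"/></svg></body></html>'
)
BENIGN_MAIL_HTML = '<html><body><p>Hello</p><img src="cid:logo"></body></html>'

if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_MAIL_HTML), ("benign", BENIGN_MAIL_HTML)):
        print(label, audit_mail_body(body))
```

Running the script flags the constructed message (SVG present, an `image@onerror` handler found inside the decoded data URI, IoC domain hit) and passes the benign one. The rescan of decoded content is the part worth keeping: a filter that only inspects the outer markup never sees the handler, which is the point of the encoding.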

Winter Vivern’s previous success in exploiting an already patched Zimbra vulnerability should be a warning. Anyone using Roundcube, whether as a server administrator or an end user, should ensure that the software is running a patched version.
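Checking whether an installation falls in the affected ranges the article lists is a few lines of version comparison. The helper below is an added example, not Roundcube's own tooling; it encodes the three fixed versions from the page and classifies a version string. The `version_from_iniset` function assumes the install's `program/include/iniset.php` defines `RCMAIL_VERSION`, which is an assumption about the install layout rather than something the article states.

```python
import re

# Affected ranges as stated in the article for CVE-2023-5631:
# 1.6.x before 1.6.4, 1.5.x before 1.5.5, 1.4.x before 1.4.15.
FIXED_IN = {
    (1, 6): (1, 6, 4),
    (1, 5): (1, 5, 5),
    (1, 4): (1, 4, 15),
}


def parse_version(text):
    """Return (major, minor, patch) from a string such as '1.6.3' or '1.6.3-git'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Classify a Roundcube version against the advisory ranges on the page."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in FIXED_IN:
        # Older (end-of-life) or newer branches are not covered by the ranges
        # quoted in the article; check the vendor advisory for those.
        return "not-in-advisory-ranges"
    return "vulnerable" if version < FIXED_IN[branch] else "patched"


def version_from_iniset(php_source):
    """Extract RCMAIL_VERSION from iniset.php source (assumed install layout)."""
    m = re.search(r"RCMAIL_VERSION'\s*,\s*'([^']+)'", php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found")
    return m.group(1)


if __name__ == "__main__":
    # Constructed excerpt standing in for the real file on an install.
    sample_iniset = "define('RCMAIL_VERSION', '1.6.3');"
    v = version_from_iniset(sample_iniset)
    print(v, assess(v))
```

The comparison is tuple-based, so `1.4.15` correctly sorts above `1.4.9`; a naive string comparison would not. A version in a branch the page does not list is reported as such rather than guessed at either way.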

Source: arstechnica.com