A well-known espionage group, Winter Vivern, with ties to Russia and Belarus, has been identified exploiting a zero-day vulnerability within the widely used Roundcube Webmail service, targeting various European governments.
Furthermore, the cybersecurity firm ESET has been monitoring this campaign, which specifically focused on governmental entities and a think tank based in Europe. The zero-day vulnerability, tracked as CVE-2023-5631, allowed attackers to exfiltrate email messages without any manual interaction from victims. ESET researcher Matthieu Faou emphasized that Winter Vivern poses a persistent threat to European governments due to its consistent use of phishing campaigns and the neglect of security updates by targeted entities.
The attack was notable for its deceptive appearance, as the malicious emails seemed benign until closely examined, revealing payloads that provided the attackers with access to email account information. Winter Vivern has been under ESET’s surveillance since its emergence in 2020, primarily targeting government organizations in Europe and Central Asia. The group employs various malicious documents, phishing websites, and tools in its cyberattacks.
ESET previously linked Winter Vivern to another Belarus-related espionage group called MoustachedBouncer, and noted that the group had been targeting Zimbra and Roundcube email servers used by government entities since 2022, even exploiting CVE-2020-35730 in the past. Other Russia-based hacking groups have also targeted Roundcube in previous incidents.
