European governments see emails hacked by Russian zero-day


Emails belonging to European government institutions were being harvested by a Russian state-sponsored threat actor for at least five days before the flaw they used was patched. 

Cybersecurity researchers from ESET found that a group known as Winter Vivern leveraged a zero-day in the Roundcube webmail client, now tracked as CVE-2023-5631, to exfiltrate the emails. Because the flaw is a stored cross-site scripting (XSS) vulnerability, the attackers were able to exploit it by sending a specially crafted email containing an SVG (scalable vector graphic) document that injected malicious JavaScript code.

In the emails, the attackers usually impersonated the Outlook Team to get victims to open the message. If a victim did, the first-stage payload exploiting the XSS flaw was triggered automatically, after which the attackers deployed a second payload capable of harvesting emails.
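Because the page describes script smuggled into a webmail session through an SVG embedded in an email, a mail-gateway or triage script can at least flag messages whose SVG content carries script elements, inline event handlers, or javascript: URIs. The example below is an added illustration written for this article, not Roundcube's own sanitizer and not a reproduction of the CVE-2023-5631 bypass; the sample email body is constructed, and the detector uses a real HTML parser rather than regular expressions so that attribute and tag boundaries are handled the way a browser would see them.

```python
from html.parser import HTMLParser

# Constructed sample: an HTML email body carrying an inline SVG with inert
# script-bearing constructs. Made up for this example, not from the ESET report.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Please review the attached message.</p>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" onload="void 0"/>
  <script>/* placeholder */</script>
  <a xlink:href="javascript:void(0)"><text>open</text></a>
</svg>
</body></html>"""

# Elements inside an SVG that can execute script or re-embed arbitrary HTML.
SCRIPT_ELEMENTS = {"script", "foreignobject"}
# Attributes that take a URI and therefore can carry a javascript: scheme.
URI_ATTRS = {"href", "xlink:href", "src", "data"}


class SvgScriptDetector(HTMLParser):
    """Walk an HTML/SVG body and record constructs that indicate script inside SVG."""

    def __init__(self):
        super().__init__()
        self.in_svg = 0          # nesting depth of <svg> elements
        self.findings = []       # human-readable findings, in document order

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "svg":
            self.in_svg += 1
        if not self.in_svg:
            return               # this detector only scopes SVG content
        if tag in SCRIPT_ELEMENTS:
            self.findings.append(f"<{tag}> inside svg")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URI_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URI in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self.in_svg:
            self.in_svg -= 1


def scan_email_html(html: str) -> list[str]:
    """Return a list of findings for an HTML email body; empty means nothing flagged."""
    parser = SvgScriptDetector()
    parser.feed(html)
    parser.close()
    return parser.findings
```

A scan like this is a triage aid for incoming mail and does not replace patching the webmail client, since the vulnerability lies in how the server-side sanitizer handled SVG.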

Going after EU targets

"By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user's browser window. No manual intervention other than viewing the message in a web browser is required," ESET said.

"The final JavaScript payload [..] is able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server."

While the reports say the attackers went after emails belonging to European government institutions, no further details were shared, such as which institutions or countries were affected or how many emails were taken. BleepingComputer notes that the Winter Vivern group was first spotted in April 2021, when it targeted government organizations around the world, including in Italy, Lithuania, Ukraine, the Vatican, and India.

Furthermore, ESET observed Winter Vivern exploiting a similar XSS vulnerability in Roundcube (CVE-2020-35730) between August and September this year, too. The new attack was spotted on October 11 and the flaw was fixed on October 16.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.