Emails belonging to European government institutions were being harvested by a Russian state-sponsored threat actor for at least five days before the flaw they used was patched.
In the emails, the attackers usually impersonated the Outlook Team to get victims to open the message. Once the message is opened, the first-stage payload that exploits the XSS flaw is triggered automatically; the attackers then deploy a second payload capable of harvesting emails.
Going after EU targets
While the reports state that the attackers went after emails belonging to European government institutions, no further details were shared, such as which institutions, which countries, or how many emails were affected. BleepingComputer notes that the Winter Vivern team was first spotted in April 2021, when it targeted government organizations around the world, including Italy, Lithuania, Ukraine, the Vatican, and India.
Furthermore, ESET observed Winter Vivern exploiting a similar XSS vulnerability in Roundcube (CVE-2020-35730) between August and September this year. The latest attack was spotted on October 11, and the flaw was fixed on October 16.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.