Zero day in free Roundcube webmail service exploited to target governments

“Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because... a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

CISA says a zero-day in a popular free webmail package has been exploited in the wild, and security researchers at ESET say that “governmental entities” have been targeted with exploits abusing the cross-site scripting vulnerability in the Roundcube Webmail server since October 11 this year.

Roundcube is a free and open source webmail package with a desktop-like user interface which runs on a standard open source server. Thousands of services make use of Roundcube to provide webmail to millions of users.

The vulnerability, allocated CVE-2023-5631, has a base CVSS score of just 5.4. It was reported by ESET to Roundcube’s open source maintainers on October 12 and patched within 48 hours – an impressive turnaround.

The bug lies in a server-side script that does not properly sanitise malicious SVG documents before they are added to the HTML page rendered for the Roundcube user, ESET’s researchers said this week.

They attributed the attacks to “Winter Vivern” – a cyberespionage group that, according to security company SentinelOne, is aligned with the interests of the Belarusian and Russian governments. The group (also tracked as TA473 and UAC-0114) has targeted a range of government organizations, as well as telecoms companies, and typically starts its campaigns with phishing.

In this Winter Vivern campaign, the emails had the subject line ‘Get started in your Outlook’. The message’s HTML source reveals an SVG tag at the end, which contains a base64-encoded payload – the JavaScript injection. As ESET put it: “By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window.”

The second stage of the attack is a simple JavaScript loader, while the final JavaScript payload lists folders and emails in the Roundcube account, and then exfiltrates email messages to a C2 server by making HTTP requests.
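The SVG-in-email pattern described above (an `<svg>` element wrapping a base64-encoded payload that carries the script) is something a mail gateway or webmail sanitiser can check for before the HTML ever reaches a browser. The following is an added example, not code from ESET or the Roundcube project: it walks an HTML body, flags script elements, event-handler attributes and base64 `data:` URIs found inside SVG content, and decodes any such URI to inspect the embedded document too. The sample bodies and the `placeholder()` handler are constructed for the demonstration.

```python
import base64
import re
from html.parser import HTMLParser


class SvgInspector(HTMLParser):
    """Flags SVG content that a webmail sanitiser must not pass through verbatim."""

    DATA_URI = re.compile(r"^\s*data:[^,]*;base64,([A-Za-z0-9+/=\s]+)$", re.I)

    def __init__(self):
        super().__init__()
        self.svg_depth = 0      # >0 while we are inside an <svg> subtree
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return              # only SVG content is in scope here
        if tag == "script":
            self.findings.append("<script> inside <svg>")
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            m = self.DATA_URI.match(value or "")
            if m:
                self.findings.append(f"base64 data: URI in {name} on <{tag}>")
                # The script may live in the embedded document rather than the
                # outer markup, so decode and inspect that document as well.
                try:
                    nested = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                except ValueError:
                    self.findings.append(f"undecodable base64 in {name} on <{tag}>")
                    continue
                self.findings.extend(inspect_html(nested))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def inspect_html(html: str) -> list:
    parser = SvgInspector()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample bodies (not taken from the campaign): the second one embeds a
# harmless placeholder SVG as a base64 data: URI inside an outer <svg>.
BENIGN_BODY = '<p>Get started in your Outlook</p><img src="cid:logo">'
NESTED_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><image href="x" onerror="placeholder()"/></svg>'
SUSPECT_BODY = ('<p>Get started in your Outlook</p><svg id="x" xmlns="http://www.w3.org/2000/svg">'
                '<image href="data:image/svg+xml;base64,'
                + base64.b64encode(NESTED_SVG.encode()).decode() + '"/></svg>')
```

Running `inspect_html(SUSPECT_BODY)` reports the data: URI on the outer `<image>` and the `onerror` handler inside the decoded document, while the benign body yields no findings.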

“No manual interaction other than viewing the message in a web browser is required,” ESET explained on October 25 – adding that “despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

The flaw is patched in versions 1.6.4, 1.5.5, and 1.4.15. 
