The Winter Vivern Russian hacking group has been exploiting a Roundcube Webmail zero-day in attacks targeting European government entities and think tanks since at least October 11.
These security patches were pushed five days after the Slovak cybersecurity company detected Russian threat actors using the zero-day in real-world attacks.
Their phishing messages impersonated the Outlook Team and tried to trick potential victims into opening malicious emails, automatically triggering a first-stage payload that exploited the Roundcube email server vulnerability.
First spotted in April 2021, Winter Vivern has garnered attention for its deliberate targeting of government entities across the globe, including nations such as India, Italy, Lithuania, Ukraine, and the Vatican.
According to SentinelLabs researchers, the group’s objectives closely align with the interests of the governments of Belarus and Russia.
Winter Vivern has been actively targeting Zimbra and Roundcube email servers owned by governmental organizations since at least 2022.
These attacks included exploiting the Roundcube XSS vulnerability (CVE-2020-35730) between August and September 2023, per ESET telemetry data.
Notably, this same vulnerability was exploited by Russian APT28 military intelligence hackers affiliated with Russia’s General Staff Main Intelligence Directorate (GRU) to compromise Roundcube email servers belonging to the Ukrainian government.
The Russian cyberspies also exploited the Zimbra CVE-2022-27926 XSS vulnerability in attacks against NATO countries to steal emails belonging to NATO officials, governments, and military personnel.
“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,” ESET said.
“The group is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”