Russian hackers target vulnerable webmail servers in Europe for espionage

A Russian advanced persistent threat (APT) actor has been exploiting a cross-site scripting (XSS) vulnerability in Roundcube webmail servers to target critical government infrastructure in Europe, according to research by Recorded Future.

The threat group, known as Winter Vivern and tracked by Recorded Future as TAG-70, was found conducting espionage campaigns against more than 80 organizations, mainly in Georgia, Poland, and Ukraine.

“The latest TAG-70 activity ran between October and December 2023, (and) is reminiscent of other Russian-aligned threat groups such as BlueDelta (APT28) and Sandworm, which have targeted email solutions, including Roundcube, in previous campaigns,” Insikt Group, the threat research arm of Recorded Future, said in a report.

Insikt Group was also able to link the campaign to previous Winter Vivern activity against Uzbekistan government mail servers, which it had reported in February 2023.

Espionage using less critical mail server vulnerabilities

Winter Vivern, also tracked as TA473 or UAC-0114, has been repeatedly found to effectively take advantage of medium-severity vulnerabilities. In this case, it used vulnerable Roundcube mail servers that allow a remote attacker to load arbitrary JavaScript code. Tracked as CVE-2023-5631, the vulnerability is a cross-site scripting flaw with a medium-severity CVSS score of 6.1.

According to the report, the group conducts cyber-espionage campaigns to serve the interests of Belarus and Russia and has been active since at least December 2020. Previously in March 2023, the group had exploited a medium-severity Zimbra webmail flaw to target European government entities.

Vulnerable webmail servers appear to be part of the general modus operandi Russian hackers use for espionage campaigns. In June 2023, another Russian state-sponsored cyber-espionage group, BlueDelta (aka FancyBear, APT28), targeted vulnerable Roundcube installations across Ukraine; in 2022 it had also exploited CVE-2023-23397, a critical zero-day vulnerability in Microsoft Outlook, according to Insikt Group.

Other well-known Russian threat actor groups, such as Sandworm and BlueBravo (APT29, Midnight Blizzard), have also targeted email solutions in various campaigns in the past, Insikt Group added.

CVE-2023-5631 affects Roundcube versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4. “To mitigate the risk posed by TAG-70’s campaign, organizations should ensure that their Roundcube installations are patched and up-to-date, while actively hunting for indicators of compromise (IoCs) in their environments,” the report added.
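The affected ranges quoted above translate directly into a version check that a defender can run against an inventory of Roundcube installations. The following is an added example, not code from Recorded Future or the Roundcube project; it assumes Roundcube records its version as `define('RCMAIL_VERSION', '...')` in `program/include/iniset.php`, and it treats pre-release builds (`-rc`, `-beta`) as older than the corresponding final release so they are flagged conservatively.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, is_final_release)

# First fixed release per branch for CVE-2023-5631, as stated in the article:
# before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4.
FIXED: Dict[Tuple[int, int], Version] = {
    (1, 4): (1, 4, 15, 1),
    (1, 5): (1, 5, 5, 1),
    (1, 6): (1, 6, 4, 1),
}

_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:[-.]?(rc|beta|alpha)\w*)?\s*$", re.IGNORECASE
)

def parse_version(text: str) -> Optional[Version]:
    """Parse 'X.Y.Z' or 'X.Y.Z-rcN'; a pre-release sorts below its final release."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)

def is_affected(version_text: str) -> Optional[bool]:
    """True if the version is in an affected range, False if fixed, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    branch = (v[0], v[1])
    if branch in FIXED:
        return v < FIXED[branch]
    # Anything older than the 1.4 branch is also "before 1.4.15".
    if branch < (1, 4):
        return True
    # Branches newer than 1.6 are not listed as affected by the advisory.
    return False

# ASSUMPTION: Roundcube defines its version in program/include/iniset.php as
# define('RCMAIL_VERSION', '1.6.3'); this regex extracts it from that file's text.
_DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

def version_from_iniset(source: str) -> Optional[str]:
    m = _DEFINE_RE.search(source)
    return m.group(1) if m else None

if __name__ == "__main__":
    sample = "define('RCMAIL_VERSION', '1.6.3');"  # constructed sample of the define line
    ver = version_from_iniset(sample)
    print(ver, "affected" if is_affected(ver) else "fixed")
```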

Campaign with geo-political motives

The research notes that email servers represent a significant risk in the context of the ongoing Russia-Ukraine conflict, exposing sensitive information about Ukraine’s war effort and planning. Thirty-one percent of Winter Vivern victims were in Ukraine, according to Insikt Group findings.

“Additionally, Insikt Group detected TAG-70 targeting Iran’s embassies in Russia and the Netherlands, which is notable given Iran’s support of Russia’s war effort in Ukraine,” the report added. “Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia’s aspirations for European Union (EU) and NATO accession.”

In March 2023, the threat group was reported to have targeted elected officials in the United States and their staffers. Around the same time, SentinelLabs revealed the group’s other espionage campaigns with global targets.
