European governments see emails hacked by Russian zero-day


Emails belonging to European government institutions were harvested by a Russian state-sponsored threat actor for at least five days before the flaw it used was patched.

Cybersecurity researchers from ESET found that a group known as Winter Vivern leveraged a zero-day in the Roundcube webmail client, now tracked as CVE-2023-5631, to exfiltrate the emails. The flaw is a stored cross-site scripting (XSS) vulnerability: the attackers exploited it by sending a specially crafted email containing SVG (Scalable Vector Graphics) markup that slipped past Roundcube's HTML sanitization, allowing the embedded JavaScript to run in the victim's browser.

In the emails, the attackers usually impersonated the Outlook Team to persuade victims to open the message. Once a victim viewed the message in Roundcube, the first-stage payload exploiting the XSS flaw ran automatically, with no click required. The attackers then deployed a second-stage JavaScript payload capable of harvesting emails.
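As an added example (not part of the original article, and not ESET's or Roundcube's code), the following Python script shows the kind of mailbox check a defender could run after reading the above: it parses raw messages, picks out the parts a webmail client would render in the browser (HTML bodies and SVG attachments), and flags SVG content that can carry script, namely a `<script>` element, an `on*` event-handler attribute, or an `href`/`xlink:href` with a `javascript:` or `data:` scheme. The sample messages, sender names and domains are constructed for the demonstration and do not reproduce the actual Winter Vivern payload.

```python
"""Hunting helper: flag SVG markup that can execute script inside an e-mail.

Constructed example for this article, not ESET's or Roundcube's code.
Webmail renders HTML mail in the browser, so an <svg> carrying a <script>
element, an on* event handler, or a javascript:/data: href is the shape a
stored-XSS payload of this class takes. This is a triage heuristic, not a
sanitizer.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Any on* attribute (onload, onbegin, onmouseover, ...) is an event handler.
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
# href/xlink:href pointing at a scheme that can carry script or a nested SVG.
SCRIPT_URI = re.compile(r"^\s*(javascript|data)\s*:", re.I)
HREF_ATTRS = {"href", "xlink:href"}
# MIME types a webmail client would hand to the browser for rendering.
RENDERED_TYPES = {"text/html", "image/svg+xml"}


class SvgScriptFinder(HTMLParser):
    """Records script-capable constructs that appear inside <svg> ... </svg>."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return  # only SVG content is in scope for this check
        if tag == "script":
            self.findings.append("svg:<script>")
        for name, value in attrs:
            name = name.lower()
            if EVENT_ATTR.match(name):
                self.findings.append(f"svg:<{tag} {name}>")
            elif name in HREF_ATTRS and value:
                m = SCRIPT_URI.match(value)
                if m:
                    self.findings.append(f"svg:<{tag} {name}={m.group(1).lower()}:...>")

    def handle_endtag(self, tag):
        if tag.lower() == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return findings from every rendered part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    for part in msg.walk():
        if part.get_content_type() not in RENDERED_TYPES:
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # image/svg+xml attachments come back as bytes
            body = body.decode("utf-8", errors="replace")
        finder = SvgScriptFinder()  # fresh parser per part so depth cannot leak
        finder.feed(body)
        finder.close()
        findings.extend(finder.findings)
    return findings


# Constructed sample 1: an HTML body impersonating the "Outlook Team" whose
# inline SVG carries an event handler and a data: reference.
SAMPLE_HTML_EML = b"""\
From: "Outlook Team" <noreply@example.invalid>
To: staff@ministry.example.invalid
Subject: Get started with your new Outlook
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Welcome to your new Outlook mailbox.</p>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <animate onbegin="alert(document.domain)" attributeName="x" dur="1s"/>
  <use xlink:href="data:image/svg+xml;base64,PHN2Zy8+"/>
</svg>
</body></html>
"""

# Constructed sample 3: a benign HTML mail. The <body onload> is outside any
# <svg>, so this SVG-scoped check deliberately ignores it.
SAMPLE_BENIGN_EML = b"""\
From: colleague@ministry.example.invalid
To: staff@ministry.example.invalid
Subject: Agenda
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body onload="init()">
<p>Agenda attached. <a href="https://intranet.example.invalid/agenda">Link</a></p>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><rect width="10" height="10"/></svg>
</body></html>
"""


def build_svg_attachment_sample() -> bytes:
    """Constructed sample 2: a plain-text mail with an SVG attachment containing <script>."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "staff@ministry.example.invalid"
    msg["Subject"] = "Network diagram"
    msg.set_content("Please see the attached diagram.")
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="diagram.svg")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in [("html-body", SAMPLE_HTML_EML),
                       ("svg-attachment", build_svg_attachment_sample()),
                       ("benign", SAMPLE_BENIGN_EML)]:
        print(label, scan_message(raw))
```

Run over a mailbox export (one `.eml` per message) this gives a quick list of messages worth a closer look, which matters here because a stored XSS fires whenever the message is viewed, so anything already sitting in a user's folders remains live until it is removed. The check is only a heuristic: SVG can be smuggled in other ways (for example via CSS or nested documents), and the real remediation is to upgrade Roundcube rather than to filter mail.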

Going after EU targets

"By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user's browser window. No manual intervention other than viewing the message in a web browser is required," ESET said.

"The final JavaScript payload [..] is able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server."

While the reports say the attackers went after emails belonging to European government institutions, no further details were shared, such as which institutions or countries were hit or how many emails were taken. BleepingComputer notes that Winter Vivern was first spotted in April 2021, when it targeted government organizations around the world, including in Italy, Lithuania, Ukraine, the Vatican, and India.

Furthermore, ESET observed Winter Vivern exploiting an older Roundcube XSS vulnerability (CVE-2020-35730) between August and September 2023. Exploitation of the new zero-day was spotted on October 11, 2023, and Roundcube shipped a fix on October 16 in versions 1.6.4, 1.5.5 and 1.4.15.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
