In October 2023, it was revealed that a group of hackers had exploited a zero-day vulnerability in the Roundcube webmail software to hack into the email servers of several European governments. The hackers were able to gain access to sensitive information, including emails, contacts, and calendars.

What to Know About the European Government Email Server Hack

The exact number of governments affected by the hack is unknown, but it is believed to be in the dozens. The affected governments include both NATO and non-NATO members.

The hackers who exploited the Roundcube zero-day are believed to be affiliated with a Russian state-sponsored group known as APT Winter Vivern. This group has been targeting European governments for several years.

Roundcube Zero-Day Vulnerability (CVE-2023-5631)

On October 16, 2023, ESET researchers reported a zero-day vulnerability (CVE-2023-5631) in the Roundcube webmail software. This vulnerability is in the Stored Cross-Site Scripting (XSS), which means that it can be exploited to inject malicious JavaScript code into Roundcube webmail pages.

Russian threat actors were observed exploiting this vulnerability in real-world attacks just five days before ESET reported it. The attackers used HTML email messages containing carefully crafted SVG documents to remotely inject arbitrary JavaScript code into the victim’s Roundcube webmail browser window.

The final JavaScript payload dropped in the attacks helped the malicious actors harvest and steal emails from compromised webmail servers.

“By sending a specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual intervention other than viewing the message in a web browser is required,” ESET said. “The final JavaScript payload [..] is able to list folders and emails in the current Roundcube account, and to exfiltrate email messages to the C&C server.”

Winter Vivern APT Group’s Email Server Attacks

Winter Vivern is an APT group that has been targeting government entities across the globe since at least 2021. The group’s objectives closely align with the interests of the governments of Belarus and Russia.

They have been actively targeting Zimbra and Roundcube email servers owned by governmental organizations since at least 2022. The group has exploited known vulnerabilities in these email servers to gain access to sensitive information, such as emails, contacts, and calendars.

Winter Vivern’s email server attacks have had a significant impact on the government entities that have been targeted. The group has been able to steal sensitive information, such as emails, contacts, and calendars. This information could be used to blackmail or influence government officials, or to gather intelligence on government activities.

“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,” ESET said.

“The group is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

Keep in touch with our blog to read the latest news and innovations in the cybersecurity world. 

Facebook: Eagle Tech Corp

Instagram: @eagletech_corp

Twitter: @eagletechcorp

LinkedIn: Eagle Tech

YouTube: Eagle Tech Corp