The threat actor exploits an XSS flaw in Roundcube webmail servers to target critical government infrastructure.

A Russian advanced persistent threat (APT) actor has been using cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target critical government infrastructure in Europe, according to research by Recorded Future. The threat group, known as Winter Vivern, was tracked as TAG-70 and was found conducting espionage campaigns targeting over 80 organizations, mainly in Georgia, Poland, and Ukraine.

“The latest TAG-70 activity ran between October and December 2023, (and) is reminiscent of other Russian-aligned threat groups such as BlueDelta (APT28) and Sandworm, which have targeted email solutions, including Roundcube, in previous campaigns,” Insikt Group, the threat research arm of Recorded Future, said in a report.

Insikt Group was also able to link the campaign to previous Winter Vivern activity against Uzbekistan government mail servers, which it had reported in February 2023.

Espionage using less critical mail server vulnerabilities

Winter Vivern, also tracked as TA473 or UAC-0114, has repeatedly been found making effective use of medium-severity vulnerabilities. In this case, it used vulnerable Roundcube mail servers that allow a remote attacker to load arbitrary JavaScript code. Tracked as CVE-2023-5631, the vulnerability is a cross-site scripting flaw with a medium-severity CVSS score of 6.1.

According to the report, the group conducts cyber-espionage campaigns to serve the interests of Belarus and Russia and has been active since at least December 2020. Previously, in March 2023, the group had exploited a medium-severity Zimbra webmail flaw to target European government entities. Vulnerable webmail servers appear to be part of the general modus operandi Russian hackers use for espionage campaigns.
Previously, in June 2023, another Russian state-sponsored cyber espionage group, BlueDelta (aka Fancy Bear, APT28), was targeting vulnerable Roundcube installations across Ukraine, and in 2022 it had also exploited CVE-2023-23397, a critical zero-day vulnerability in Microsoft Outlook, according to Insikt Group. Other well-known Russian threat actor groups, such as Sandworm and BlueBravo (APT29, Midnight Blizzard), have also targeted email solutions in various campaigns in the past, Insikt Group added.

CVE-2023-5631 affects Roundcube versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4. “To mitigate the risk posed by TAG-70’s campaign, organizations should ensure that their Roundcube installations are patched and up-to-date, while actively hunting for indicators of compromise (IoCs) in their environments,” the report added.

Campaign with geo-political motives

The research notes that email servers represent a significant risk in the context of the ongoing Russia-Ukraine conflict, exposing sensitive information regarding Ukraine’s war effort and planning. Thirty-one percent of Winter Vivern victims were from Ukraine, according to Insikt Group findings.

“Additionally, Insikt Group detected TAG-70 targeting Iran’s embassies in Russia and the Netherlands, which is notable given Iran’s support of Russia’s war effort in Ukraine,” the report added. “Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia’s aspirations for European Union (EU) and NATO accession.”

In March 2023, the threat group was reported to have targeted elected officials in the United States and their staffers. Around the same time, SentinelLabs revealed the group’s other espionage campaigns with global targets.
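The patching advice above depends on knowing which installations fall inside the affected ranges (before 1.4.15, 1.5.x before 1.5.5, 1.6.x before 1.6.4). The following is an added example, not code from the article or from the Roundcube project, that checks a constructed inventory of Roundcube version strings against those ranges; the hostnames are made up, a pre-release suffix such as "-rc" is assumed to rank below the final release, and branches newer than 1.6 are assumed to have shipped after the fix.

```python
import re

# Fixed versions per release branch for CVE-2023-5631, as stated in the article:
# affected are versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4.
FIXED_VERSIONS = {
    (1, 4): (1, 4, 15),
    (1, 5): (1, 5, 5),
    (1, 6): (1, 6, 4),
}

def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into ((major, minor, patch), is_prerelease).
    Assumption: a '-suffix' (e.g. '-rc') marks a pre-release that predates the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9.]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix is not None

def is_affected(text):
    """Return True when the Roundcube version lies in a range affected by CVE-2023-5631."""
    nums, prerelease = parse_version(text)
    branch = nums[:2]
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        if nums < fixed:
            return True
        if nums == fixed:
            return prerelease  # e.g. 1.6.4-rc predates the 1.6.4 fix (assumption)
        return False
    if branch < (1, 4):
        return True   # everything before 1.4.15 is affected, including older branches
    return False      # assumption: branches newer than 1.6 were released after the fix

def triage(inventory):
    """Given {hostname: version}, return the sorted hosts still running affected versions."""
    return sorted(host for host, version in inventory.items() if is_affected(version))

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "mail-a.example.invalid": "1.6.3",
    "mail-b.example.invalid": "1.6.4",
    "mail-c.example.invalid": "1.5.4",
    "mail-d.example.invalid": "1.4.15",
    "mail-e.example.invalid": "1.3.17",
    "mail-f.example.invalid": "1.6.4-rc",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2023-5631, patch it")
```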