Pro-Russia Hackers Exploit New Roundcube Bug to Steal Gov Emails
- A previously unknown XSS vulnerability in the Roundcube webmail app was exploited by the pro-Russia hacking group Winter Vivern to steal government emails.
- Attacks began October 11, with specially crafted emails sent to trigger server-side code execution when viewed in a browser.
- The vulnerability, tracked as CVE-2023-5631, was patched by Roundcube on October 14 and affects versions before 1.6.4, 1.5.5, and 1.4.15.
- Winter Vivern has targeted European governments and think tanks since 2020, and recently used a separate Zimbra vulnerability to target US officials supporting Ukraine.
- The attack email was sent from team.management@outlook.com and contained an obfuscated JS payload to exfiltrate emails from vulnerable servers.
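A defender's triage sketch for the details above, added here as an example and not taken from the article or from Roundcube: it checks a Roundcube version string against the fixed releases listed and searches mail logs for the reported sender address. The Postfix syslog layout, the handling of branches outside 1.4 to 1.6, and every sample log line are assumptions constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(1, 6): (1, 6, 4), (1, 5): (1, 5, 5), (1, 4): (1, 4, 15)}
IOC_SENDER = "team.management@outlook.com"  # sender address given in the article

def is_affected(version: str) -> bool:
    """True if a Roundcube version predates the CVE-2023-5631 fix for its branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    fix = FIXED.get(v[:2])
    if fix is not None:
        return v < fix
    # Assumption: branches older than 1.4 count as "before 1.4.15";
    # branches newer than 1.6 are treated as already fixed.
    return v[:2] < min(FIXED)

# Assumed Postfix syslog layout: "<Mon> <day> <time> <host> postfix/<daemon>[pid]: <queue id>: from=<addr>..."
LINE = re.compile(r"^\w{3}\s+\d+ \S+ \S+ postfix/\w+\[\d+\]: (\w+): (from|to)=<([^>]*)>")

def hunt(log_lines):
    """Map queue ID -> recipients for every message whose envelope sender is IOC_SENDER."""
    hits = {}
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue
        qid, kind, addr = m.group(1), m.group(2), m.group(3).lower()
        if kind == "from" and addr == IOC_SENDER:
            hits.setdefault(qid, [])
        elif kind == "to" and qid in hits:
            hits[qid].append(addr)
    return hits

# Constructed sample log: host, PIDs, queue IDs and recipients are made up.
SAMPLE_LOG = [
    "Oct 10 08:01:12 mx1 postfix/qmgr[911]: 3A1B2C3D4E: from=<newsletter@example.org>, size=5120, nrcpt=1 (queue active)",
    "Oct 10 08:01:13 mx1 postfix/local[1020]: 3A1B2C3D4E: to=<clerk@agency.example>, relay=local, delay=0.3, status=sent (delivered to mailbox)",
    "Oct 12 09:14:03 mx1 postfix/smtpd[1015]: connect from unknown[192.0.2.10]",
    "Oct 12 09:14:04 mx1 postfix/qmgr[911]: 7C8D9E0F1A: from=<Team.Management@outlook.com>, size=48211, nrcpt=1 (queue active)",
    "Oct 12 09:14:05 mx1 postfix/local[1022]: 7C8D9E0F1A: to=<analyst@agency.example>, relay=local, delay=0.4, status=sent (delivered to mailbox)",
]

if __name__ == "__main__":
    for ver in ("1.6.3", "1.6.4", "1.4.14", "1.3.17"):
        print(ver, "affected" if is_affected(ver) else "fixed")
    print(hunt(SAMPLE_LOG))
```

The log search matches the envelope sender only; a message that carries the address solely in its From header would need a check against stored messages instead.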