Highlights:

  • The critical aspect here is the “zero-click” attack, which requires no action from the victim beyond viewing the incoming email in a web browser.
  • The group targets government employees with malicious phishing documents, emails, and websites.

A threat group has been actively exploiting a new and dangerous vulnerability in Roundcube, an open-source webmail application that is widely used in European government circles.

Several security research firms, including DomainTools, SentinelOne, and Proofpoint, have been tracking the group, known as Winter Vivern. It sends malicious phishing emails, documents, and links to websites to a large number of government employees.

The crucial aspect of this problem is that it is a “zero-click” attack: the victim needs to do nothing more than view the incoming email in a web browser. No link has to be clicked and no attachment opened. A blog post from Check Point Software Technologies Ltd. describes the general class, using mobile messaging as its example: such messages “don’t require user interaction; smartphones display notifications based on the contents of a message before the user decides to open and read it. Zero-click exploits may infect a device invisibly.” The same logic applies to a webmail client that renders a message body as soon as it is displayed.

This is the primary reason these methods are highly sought after, and it is also what makes them dangerous. Other zero-click exploits that have gained notoriety include Pegasus from the NSO Group and Predator from Cytrox, both of which can install spyware silently.

ESET researcher Matthieu Faou, who discovered the exploit, described it in a recent blog post. The work builds on his earlier research into an older and less severe flaw that Winter Vivern used against both Roundcube and Zimbra servers; that earlier Roundcube vulnerability dates back to 2020.

The latest flaw was found this month, and Roundcube addressed it quickly, releasing several security updates within days. The researchers came across a seemingly innocuous email that urged recipients to update their Microsoft Outlook settings. The message carried a link that loaded a JavaScript payload.

That was the zero-click exploit. “By sending this specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window. No manual interaction other than viewing the message in a web browser is required,” Faou wrote in his post.

He cautioned that exploits like this keep paying off in phishing campaigns “because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

The fixes are included in Roundcube versions 1.6.4, 1.5.5, and 1.4.15, which should be installed right away; earlier releases in each branch remain vulnerable.
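A quick way to triage a fleet against those three fixed releases is to compare each install’s version string with the fix for its branch. The script below is an added example, not part of the article or of the Roundcube project. It takes the fixed versions from the article and adds the following assumptions: that 1.x branches older than 1.4 never received the fix, that branches newer than 1.6 were cut after it, and that the version string is the RCMAIL_VERSION constant Roundcube defines in program/include/iniset.php; the PHP snippet it parses is a constructed stand-in for that file.

```python
"""Triage a Roundcube install against the fixed releases named above.

Added example, not from the article or the Roundcube project. Assumptions:
the fixed versions are 1.6.4, 1.5.5 and 1.4.15 (from the article); 1.x
branches older than 1.4 never received the fix; branches newer than 1.6
carry it; and the version lives in the RCMAIL_VERSION constant that
Roundcube defines in program/include/iniset.php.
"""
import re
from typing import Optional, Tuple

FIXED_IN = {(1, 4): (1, 4, 15), (1, 5): (1, 5, 5), (1, 6): (1, 6, 4)}
OLDEST_FIXED_BRANCH = min(FIXED_IN)

_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?[A-Za-z].*)?\s*")
_RCMAIL_VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """'1.6.3', '1.6' or '1.6.4-rc' -> (major, minor, patch); a missing patch is 0.

    A pre-release suffix is ignored, so a release candidate compares as its
    final number; tighten this if you ship RCs to production.
    """
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_IN:
        return (major, minor, patch) < FIXED_IN[branch]
    # Not one of the three maintained branches: older ones never got a fix,
    # newer ones are assumed to have been cut after it.
    return branch < OLDEST_FIXED_BRANCH


def version_from_iniset(php_source: str) -> Optional[str]:
    """Pull the RCMAIL_VERSION constant out of program/include/iniset.php."""
    m = _RCMAIL_VERSION_RE.search(php_source)
    return m.group(1) if m else None


def audit(php_source: str) -> str:
    """One-line verdict for a given iniset.php source."""
    version = version_from_iniset(php_source)
    if version is None:
        return "unknown: RCMAIL_VERSION not found"
    status = "VULNERABLE, upgrade" if is_vulnerable(version) else "patched"
    return f"{version}: {status}"


# Constructed stand-in for the relevant line of program/include/iniset.php.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.3');\n"

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INISET
    print(audit(source))
```

Point it at a real install with `python3 roundcube_check.py /var/www/roundcube/program/include/iniset.php` (path is an assumption; adjust to where your package puts the file). The branch-aware comparison matters: a naive “is it below 1.6.4?” check would wrongly flag a patched 1.5.5 and 1.4.15 as vulnerable.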