UPDATED 12:09 EST / OCTOBER 26 2023


A new and dangerous malware infects Roundcube webmail

A malware group has been busy exploiting a dangerous new vulnerability in the Roundcube webmail service, which is popular in European government circles.

The group goes by Winter Vivern and has been on the radar of several security researchers, including DomainTools, SentinelOne and Proofpoint. It targets numerous government workers by sending malicious phishing documents, emails and websites.

What makes this issue so important is that it is a so-called “zero-click” attack, meaning that victims don’t need to do anything other than read the incoming emails in their web browser. Check Point Software Technologies Ltd.’s blog explains this further by saying that these messages “don’t require user interaction; smartphones display notifications based on the contents of a message before the user decides to open and read it. Zero-click exploits may infect a device invisibly.”

That’s the main reason they’re prized attack methods and also why they’re dangerous. Other zero-click exploits that have become infamous include Cytrox’s Predator and the NSO Group’s Pegasus, both of which can launch hidden spyware tools.

ESET spol. s.r.o. researcher Matthieu Faou identified the exploit in a recent blog post, building on earlier work that found a less dangerous, older exploit in both Roundcube and Zimbra servers this summer. That vulnerability dated back to 2020.

The latest issue was discovered earlier this month. It was quickly fixed by Roundcube, which issued a series of security updates within a few days. The researchers found a seemingly innocuous email message asking recipients to update their Microsoft Outlook settings. The message contained a link to a JavaScript malware payload.

That was the zero-click exploit. “By sending this specially crafted email message, attackers are able to load arbitrary JavaScript code in the context of the Roundcube user’s browser window,” Faou wrote in his post. “No manual interaction other than viewing the message in a web browser is required.”

He warned that this exploit is a part of a regular series of phishing campaigns “because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

Roundcube versions 1.6.4, 1.5.5, and 1.4.15 contain the fixes and should be installed as quickly as possible. Prior versions are subject to the exploit.
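A patch-status check built from the fixed versions listed above, as an added example that is not the article's or the Roundcube project's own code: the host inventory is constructed, and treating any branch newer than 1.6 as already carrying the fix is an assumption.

```python
"""Flag Roundcube installations that predate the fixed releases named in the article.

Added example, not from the article or the Roundcube project. It relies only on
the fixed versions the article lists (1.6.4, 1.5.5, 1.4.15) and assumes that any
branch newer than 1.6 was cut after the fix.
"""
import re

# Earliest release in each maintained branch that contains the fix (from the article).
FIXED_VERSIONS = {(1, 6): (1, 6, 4), (1, 5): (1, 5, 5), (1, 4): (1, 4, 15)}


def parse_version(text):
    """Turn a version string such as '1.5.3' into a (major, minor, patch) tuple.

    Any suffix after the numeric part (e.g. '-rc1') is ignored.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text):
    """True when the version is older than the fixed release for its branch."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    # Branches older than 1.4 never received the fix (the article says prior
    # versions are exploitable); branches newer than 1.6 are assumed fixed.
    return branch < max(FIXED_VERSIONS)


def triage(inventory):
    """Map host -> 'patch' or 'ok' for a dict of host -> reported Roundcube version."""
    return {host: ("patch" if is_vulnerable(v) else "ok") for host, v in inventory.items()}


# Constructed inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = {
    "mail-a.example": "1.6.3",
    "mail-b.example": "1.6.4",
    "mail-c.example": "1.4.13",
    "mail-d.example": "1.3.17",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {verdict}")
```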
