Winter Vivern APT group exploits Zimbra vulnerability to steal NATO data
Defence sector organisations targeted include:
– Government of India
– Ministry of Foreign Affairs of Ukraine
– Polish government
– Italian Ministry of Foreign Affairs.
The Russian threat actor group tracked as ‘Winter Vivern’ (a.k.a. TA473) has been actively exploiting CVE-2022-27926 (CVSSv3 Score: 6.1) on Zimbra Collaboration Suite (ZCS) endpoints since at least February 2023, with the objective of stealing sensitive data belonging to the North Atlantic Treaty Organization (NATO). The espionage activity involves the theft of emails belonging to NATO officials and military personnel, as well as the targeting of US elected officials.
The attacks have been assessed to support Russian geopolitical objectives relating to the Russia-Ukraine War.
CVE-2022-27926 is a reflected cross-site scripting (XSS) vulnerability in the /public/launchNewWindow.jsp component of Zimbra Collaboration (aka ZCS) 9.0. Successful exploitation allows unauthenticated threat actors to execute arbitrary web script or HTML via request parameters, because attacker-controlled parameter values are reflected into the page served to the victim's browser.
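Because the flaw is a reflected XSS on a single, known endpoint, exploitation attempts leave a recognisable trace in web server access logs: a request for /public/launchNewWindow.jsp whose URL-decoded parameters contain script or HTML fragments. The following detection script is an added example and is not part of the original advisory; it assumes ZCS sits behind a reverse proxy that writes Apache/nginx "combined" format logs, and the log lines it scans are constructed for illustration.

```python
"""Flag requests to the CVE-2022-27926 endpoint that carry script/HTML in parameters.

Added example (not from the original advisory). Assumes combined-format access
logs from a reverse proxy in front of Zimbra; sample lines are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint named in the CVE description.
VULNERABLE_PATH = "/public/launchNewWindow.jsp"

# Fragments that indicate script or HTML injected into a request parameter.
# A reflected XSS echoes request input into the response, so any decoded
# parameter value containing these is worth triage regardless of exact payload.
SCRIPT_MARKERS = re.compile(
    r"<\s*script|javascript:|<\s*svg|<\s*img|<\s*iframe|\bon[a-z]+\s*=", re.I
)

# Combined log format:
# ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def decode_params(target: str) -> dict:
    """Return the query parameters of a request target, URL-decoded.

    parse_qsl decodes one layer of percent-encoding; the extra unquote()
    catches values that were double-encoded to slip past naive filters.
    """
    query = urlsplit(target).query
    return {k: unquote(v) for k, v in parse_qsl(query, keep_blank_values=True)}


def inspect_line(line: str):
    """Return a finding dict if the line is a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; ignore
    if urlsplit(m["target"]).path.lower() != VULNERABLE_PATH.lower():
        return None  # some other endpoint
    params = decode_params(m["target"])
    hits = {k: v for k, v in params.items() if SCRIPT_MARKERS.search(v)}
    if not hits:
        return None  # benign use of the endpoint
    return {"ip": m["ip"], "time": m["time"], "status": m["status"], "params": hits}


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:09:12:01 +0000] "GET /public/launchNewWindow.jsp?skin=harmony HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2023:09:13:44 +0000] "GET /public/launchNewWindow.jsp?skin=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2023:09:14:02 +0000] "GET /mail?view=inbox HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the second constructed line is flagged: it targets the vulnerable path and its `skin` parameter decodes to an HTML script tag. The first line uses the same endpoint legitimately, and the third never touches it. A 200 status on a flagged request does not by itself mean the victim's browser ran anything, but it does confirm the server reflected the input, which is the condition a patched ZCS should no longer satisfy.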
Containment, Mitigations & Remediations
It is strongly advised that users ensure their ZCS deployments are updated in accordance with regular patching cycles. The latest ZCS patching information can be found on the official vendor security advisory page.
ZCS users are also advised to ensure that zero-trust principles, including the enforcement of multi-factor authentication (MFA) and virtual private networks (VPNs), are in place to disrupt the ability of threat actors to make use of stolen email credentials. It is also recommended that access to publicly facing email portals from the public internet is restricted, to prevent threat actor groups such as Winter Vivern from performing reconnaissance, engineering custom scripts capable of credential theft, and logging in to target email accounts.
Indicators of Compromise
Winter Vivern associated IP addresses:
Winter Vivern associated URLs:
– hxxps://oscp-avanguard[.]com/asn15180YHASIFHOP_< redacted >_ASNfas21/auth.js
– hxxps://ocs-romastassec[.]com/redirect/?id=[target specific ID]&url=[Base64 Encoded Hyperlink URL hochuzhit-com.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&x_tr_pto=wapp]
– hxxps://ocspdep[.]com/inotes.sejm.gov.pl?id=[Target Specific SHA256 Hash]
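The URLs above are published defanged, and their paths carry target-specific IDs and hashes that will differ for every victim, so the useful part for matching is the hostname. The script below is an added example, not part of the original advisory: it refangs the three published URLs, extracts their hosts, and checks a list of observed outbound URLs (constructed here to stand in for a proxy log export) for exact or subdomain matches.

```python
"""Match defanged Winter Vivern indicator hosts against observed outbound URLs.

Added example (not from the original advisory). Indicator URLs are the three
published above; the observed URLs are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

# Defanged URLs as published in the advisory. Their paths contain placeholders
# and target-specific values, so only the host portion is used for matching.
WINTER_VIVERN_URLS = [
    "hxxps://oscp-avanguard[.]com/asn15180YHASIFHOP_< redacted >_ASNfas21/auth.js",
    "hxxps://ocs-romastassec[.]com/redirect/?id=[target specific ID]&url=[Base64 Encoded Hyperlink URL hochuzhit-com.translate.goog/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&x_tr_pto=wapp]",
    "hxxps://ocspdep[.]com/inotes.sejm.gov.pl?id=[Target Specific SHA256 Hash]",
]


def refang(ioc: str) -> str:
    """Reverse the common defanging conventions so the indicator parses as a URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Lower-cased hostname without port or trailing dot; tolerate bare hosts."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to populate netloc
    return (urlsplit(url).hostname or "").lower().rstrip(".")


# Set of indicator hostnames derived from the published URLs.
IOC_HOSTS = {host_of(refang(u)) for u in WINTER_VIVERN_URLS}


def matches_ioc(observed_host: str, ioc_hosts=IOC_HOSTS) -> Optional[str]:
    """Return the indicator host that observed_host equals or is a subdomain of."""
    h = observed_host.lower().rstrip(".")
    for ioc in ioc_hosts:
        # The "." prefix prevents look-alikes such as "not-ocspdep.com" from matching.
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def scan_urls(urls):
    """Return (observed_url, matched_indicator_host) for every URL that hits an IoC."""
    hits = []
    for u in urls:
        m = matches_ioc(host_of(u))
        if m:
            hits.append((u, m))
    return hits


# Constructed observed URLs (not real traffic): two hits, one benign internal
# request, and one look-alike that must not match.
OBSERVED = [
    "https://ocspdep.com/inotes.sejm.gov.pl?id=0123abcd",
    "https://cdn.oscp-avanguard.com/static/auth.js",
    "https://mail.example.org/public/launchNewWindow.jsp",
    "https://not-ocspdep.com/",
]

if __name__ == "__main__":
    for url, ioc in scan_urls(OBSERVED):
        print(f"IoC match: {url} -> {ioc}")
```

Matching on the registered host rather than the full URL is deliberate: the `id=` values in the published URLs are per-target, and the actor can rotate paths far more cheaply than domains. Subdomain matching catches hosts such as a CDN-style prefix on an indicator domain while still rejecting names that merely end in the same characters.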
Winter Vivern associated Command-and-Control (C2) domains:
The objective of the attacks has been assessed to be the establishment of access to the email accounts of military, government and diplomatic organisations across Europe that are involved in the Russia-Ukraine conflict. As such, it is likely that the threat will persist for the remainder of 2023.
The current Winter Vivern espionage campaign follows a recently detected attack effort in which the threat actor group used websites masquerading as European agencies that fight cybercrime, in an attempt to spread malware disguised as a legitimate virus scanner.
Since 2021, there has been a trend of concerted phishing campaigns against European government, military and diplomatic entities. However, at the end of 2022, phishing campaigns were also observed targeting elected officials and associated staff in the US. Since the outbreak of the current Russia-Ukraine conflict, observed targets have shared a common theme with respect to social engineering and impersonation lures, which frequently reference Ukraine in the context of the armed conflict.
There have been reported instances of Winter Vivern specifically targeting Roundcube mail request tokens. This detail demonstrates the diligence of the threat actors' pre-attack reconnaissance, which allows them to determine which webmail portal a target uses before crafting the phishing emails and configuring the landing page.
Initial Access Techniques:
T1189 – Drive-by Compromise
T1190 – Exploit Public-Facing Application
T1566.001 – Phishing: Spearphishing Attachment
T1566.002 – Phishing: Spearphishing Link
Execution Techniques:
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1204.002 – User Execution: Malicious File
T1053.005 – Scheduled Task/Job: Scheduled Task
Defence Evasion Techniques:
T1036 – Masquerading
T1070.004 – Indicator Removal: File Deletion
T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion
T1564.003 – Hide Artifacts: Hidden Window
Collection Techniques:
T1005 – Data from Local System
Command and Control Techniques:
T1071.001 – Application Layer Protocol: Web Protocols
T1105 – Ingress Tool Transfer
T1132.001 – Data Encoding: Standard Encoding
T1573.002 – Encrypted Channel: Asymmetric Cryptography
Exfiltration Techniques:
T1041 – Exfiltration Over C2 Channel