With Google's announcement of seven years of support, other smartphone makers risk falling behind.

Consumers want their devices to be secure and need to be supported for longer, according to Omdia's new survey of 1,578 consumers across 13 major countries in the Americas, Asia & Oceania, and Europe in September 2023. Google and Fairphone are pushing this forward, but governments are also stepping in to ensure security is taken seriously —  benefiting consumer safety and the environment.

**The Need for Security Updates**

While every effort can be put in place by a device manufacturer to ensure the device is "secure by design" or even certified to regulatory or standardized requirements, vulnerabilities are constantly evolving. Updates are key to ensure that new vulnerabilities are found and remediated in a timely manner.

This is happening as consumers increasingly use their mobile phones for sensitive activities such as online banking, identity verification and even relying on services such as Apple or Google Pay.

The update support period is therefore crucial, as well as the frequency of updates and the ability for security-specific updates to be rolled out independent of wider software updates — which is now offered by many of the leading smartphones.

**How Much Support Do Consumers Need?**

Security update periods and replacement cycle rates are frequently a topic of discussion among those pushing for sustainable tech. There's also skepticism as to how long devices should realistically be updated for, with some questioning the usefulness of five-year+ support.

However, shedding light on the actual usage of mobile devices makes it clear that the longer the support, the better — for both security and sustainability. As such, we asked consumers how long they are using their smartphones.

Security updates for many phones under $500 only last two years, yet 56% of consumers used their previous phone for longer. While premium phones typically have five years' support, more than 5% reported that they kept their previous phone longer — beyond the support of any phone available at the time. This also doesn't take into account how late after release the consumer is buying it; if you bought a Samsung Galaxy S22 Ultra now, you'd get a little over three years of support. If you bought a refurbished iPhone 11, you'd get under 1 year. This is effectively stifling a growing second-hand phone market — and leaving those devices potentially vulnerable.

Currently the only phones to offer more than five years of guaranteed security updates are the Google Pixel 8 and Pixel 8 Pro (seven years) and the Fairphone 5 (eight years). Longer updates can help to slow replacement and production rates, effectively keeping working phones in consumers' hands for longer. By reducing phone production, it drastically reduces the environmental impacts of the smartphone industry.

    

Source: Omdia

**Who's Responsible?**

Fifty percent of consumers believe it should be the operating system developer (either Apple or Google) that is responsible for the security of their smartphone. However, how long a phone is supported is primarily down to the device maker and its negotiations with the chipset maker.

Apple and Google are in the unique position of making their own chip, device, and operating system. They are, therefore, their own arbiters. This is likely how Google can commit to seven years — but for Samsung and other Android brands, it would be a more complex process.

Ultimately, regulatory pressure, discussed below, will put mandatory security requirements on device manufacturers, and in some cases importers and distributors, to ensure device update transparency.

    

Source: Omdia

**Security Is a Key Purchase-Driver**

Consumers have security top-of-mind when considering their next phone. Forty-six percent confirmed better security features would be a purchase driver, while just 7% said no.

Sixty-nine percent of survey respondents said good security features were critical or important when deciding which smartphone to purchase, although this is second to key hardware specs such as long battery life, durability, and processor speed. When comparing two similar phones, security and brand trust could become the most important and deciding factor.

**Governments, Policymakers and Standards Bodies Must Step In**

There has historically been a lack of standardization and transparency from equipment manufacturers on security measures for their devices. As a result, governments and standards bodies are developing standards to define baseline requirements, defining product labels to increase consumer visibility and choice, and eventually mandating minimum security requirements.

For example, while Apple has historically given five years of support, it's not transparent at launch; if you just bought a new iPhone 15, you have no official commitment from Apple that it will be supported for two years or five. But with the UK's Product Security and Telecommunications Infrastructure (PSTI) Act, the support period must be stated at the point of sale, from April 2024.

The UK PSTI is just one example, with guidance and legislation being proposed in the US, EU, China, Japan, Korea, and more. While mobile devices are sometimes out of the scope of IoT legislation and government guidance, the proposed EU Cyber Resilience Act will include operating systems for mobile devices — mandating security updates for at least five years, among other requirements.

All manufacturers of connected devices should prioritize and adopt standards and guidance such as the widely referenced ETSI EN 303 645 (Cybersecurity for Consumer IoT) or TS 103 732 (Consumer Mobile Device Protection Profile) to future-proof for upcoming regulation. Further, although at the current time labelling is voluntary, device makers can and should ensure and empower consumer choice by opting in to labelling and certification schemes.

Longer Support Periods Raise the Bar for Mobile Security

The cybercrime recruitment and mentoring hub conducted a variety of cybercrimes including business email compromise.

Nigerian police arrested six men they believe are associated with a cybercrime recruitment and mentoring hub.

During interrogation, the six men — aged from 19 to 27 — admitted to activities including identity theft, hacking and trading of hacked Facebook accounts, romance scams, computer-related forgery, and other computer-related fraud, according to a statement from the Nigerian police force.

Police also said intelligence reports indicated involvement by the syndicate in other high-level cybercrimes, including business email compromise and high-yield investment program fraud.

A police spokesperson said in a statement that the arrested suspects will be charged upon the conclusion of the investigation, while "efforts to apprehend the fleeing members of this criminal network are underway," suggesting there are more people involved.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nigerian Cybercrime Hub Shut Down With 6 Arrests

Companies are advised to act now to protect networks while federal employee paychecks are still forthcoming. Public agencies are updating contingency plans before the November extension ends, while cyber stalkers get an extra month to plan, too.

At the last moment on Sept. 30, Congress passed a bipartisan bill to fund the federal government for another 45 days, avoiding a government shutdown for now. Given the uncertainty regarding funding, the Office of Management and Budget has instructed agency leaders to prepare for a potential shutdown, and those plans must remain in motion until longer-term spending bills are approved. If the government does shut down in mid-November, hundreds of thousands of federal employees will be furloughed. Many more will continue working, with or without pay. With so many variables at play, what could a shutdown in November mean for the nation's cybersecurity?

**The Potential for Insider Threats and Disgruntled Employees

The potential shutdown sends a powerful message to government employees — either that they are not essential, or that their work is but paying them is not. This could create insider threats, as employees feel their work is devalued at the same time that they lack the funds to pay their own bills at home. It's not hard to imagine some upset people trying to find another way to get paid, even if that involves working with — or for — a cybercriminal.

****Nation-State Opportunities**

A shutdown might motivate nation-state actors to conduct an attack, taking advantage of the uncertainty to increase the chance of further disruption. Reportedly, the Cybersecurity and Infrastructure Security Agency (CISA) was already preparing to furlough more than 80% of its workforce.

Given that a significant portion of CISA's mission involves proactively monitoring threats and educating public and private sector stakeholders about emerging dangers, the ability to effectively communicate and raise awareness among stakeholders may become constrained. The question remains: Can we afford to operate our cyber agency at such a reduced level — and could malicious actors take advantage of its impact? If nation-state actors weren't already prepared for this possibility, the 45-day extension provides more opportunity to put such plans in place.

**Meeting Regulatory Requirements**

It's not just the public sector and critical infrastructure that will be affected, either. If malicious actors seize this opportunity, how will public companies handle material incident disclosure? The Securities and Exchange Commission (SEC) recently adopted new rules (PDF) to "enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934." But if a serious cybersecurity incident occurs, how will public companies report it within the allotted four-day time frame? Who will help these entities respond to, analyze, and investigate those incidents if most of CISA is furloughed, along with other government agencies that assist in incident response? Will every organization, public or private, have to turn to incident response companies, and just hope that they can get the support they need?

**Are Understaffed Agencies Prepared?**

Despite the looming possibility of a government shutdown, various other governmental policies and decisions persist in their progression. Take, for instance, the resumption of student loan repayments in October, which have been on a three-year hiatus due to the COVID-19 pandemic. It is imperative that the system continues to anticipate a surge in new activity but also bolsters its defenses against potential cyberattacks. During the last government shutdown in 2019, .gov websites also became inaccessible because of expired TLS certificates, which can put personal information at risk of man-in-the-middle attacks and users susceptible to fraud and identity theft.

**Prepare for Disruption**

There have been 14 shutdowns since 1981, according to the Congressional Research Service, many lasting only a day or two, so it's hard to know what to expect. Many of the government agencies have not updated their contingency plans in 2023 (just 39 out of 114 have updated plans). While the government continues to urge public and private sectors to improve cybersecurity readiness, it's easier said than done.

As the government agencies continue preparations for a potential shutdown, the private sector must prepare for the potential fallout. Regardless of whether a significant attack occurs during a government shutdown — in November or sometime in the future, it's certainly a risk to be considered. All organizations would be best served by doing their best to protect their complex networks now, regardless of whether long-term government funding is in place.

What Would a Government Shutdown Mean for Cybersecurity?

Sophisticated Windows and Linux malware for stealing data and conducting cyber espionage has flown under the radar, disguised as a cryptominer.

Malware thought to be a mere cryptominer was actually a sophisticated spy platform for both Windows and Linux systems; it already has infected more than 1 million victims.

StripedFly was classified and widely dismissed as a largely ineffective malware for mining crypto when it was first detected in 2017. But since then, it has actually been operating as an intricate piece of modular malware that allows attackers to achieve persistence on networks and comprehensive visibility into their activity, as well as exfiltrate credentials and other data at will, researchers from Kaspersky revealed in a blog post published Oct. 26.

While StripedFly can indeed mine Monero cryptocurrency, that's just the tip of the iceberg for its capabilities — something the researchers discovered last year and investigated thoroughly before releasing their findings publicly.

"What we discovered was completely unexpected; the cryptocurrency miner was just one component of a much larger entity," Kaspersky researchers Sergey Belov, Vilen Kamalov, and Sergey Lozhkin wrote in the post.

Overall, the platform appears to be "a hallmark of APT malware" that includes a built-in Tor network tunnel for communication with command-and-control (C2) servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives, they revealed.

Moreover, StripedFly appears to have already infected more than 1 million systems based on updates the researchers obtained from a Bitbucket repository associated with the malware and created on June 21, 2018, under the account of someone using the name Julie Heilman.

The researchers said the discovery of the breadth of StripedFly is "astonishing," especially given that it has successfully evaded detection for some six years.

**Breaking Down StripedFly**

The core structure of the malware is as a monolithic binary executable code that supports various pluggable modules so attackers can extend or update its functionality. Each module — which either is there to provide a service or extended functionality — is responsible for implementing and managing its own callback function for communication with a C2 server.

The platform first manifests itself on a network as a PowerShell that appears to use as its initial entry mechanism a server message block (SMB) exploit that appears to be a custom version of EternalBlue, which was leaked in April 2017 and continues to threaten unpatched Windows servers.

StripedFly uses various methods for persistence depending on the availability of the PowerShell interpreter and the privileges granted to the process. "Typically, the malware would be running with administrative privileges when installed via the exploit, and with user-level privileges when delivered via the Cygwin SSH server," the researchers wrote.

In terms of its modules, the malware has three to perform specific services related to its functionality, and six that actually execute that functionality. The service modules are for configuration storage, upgrading and uninstalling the malware, and reverse proxy.

The functionality modules are varied and comprehensive to provide attackers with a laundry list of capabilities, allowing them to consistently spy on the activities of a victim's network. In addition to the aforementioned Monero cryptominer, the modules are: a miscellaneous command handler; credential harvester, repeatable tasks that can take screenshots, record microphone input, and perform other tasks on a scheduled basis; a reconnaissance module that compiles extensive system information; SMBv1 and SSH infectors for penetration and worming capabilities.

The researchers also discovered a related ransomware variant called ThunderCrypt that shares the same underlying codebase and communicates with the same C2 server as StripedFly.

**Unsolved Mysteries**

The blog post includes numerous indicators of compromise and other websites and relevant data related to StripedFly to help organizations identify if they've been infected.

In the meantime, numerous questions still hover around StripedFly, including the true motive of its perpetrators — a question further muddled by the existence of a related ransomware component.

"While ThunderCrypt ransomware suggests a commercial motive for its authors, it raises the question of why they didn’t opt for the potentially more lucrative path instead," the researchers wrote.

It's also still unclear if StripedFly is still active, since at the time of writing, the researchers observed only eight updates for Windows systems and four for Linux systems in the Bitbucket repository. This could indicate that "either there are minimal active infections," or that all the victims already infected by StripedFly are still actively communicating with its C2, they noted.

"Only those who crafted this enigmatic malware hold the answer," the researchers acknowledged. "It's difficult to accept the notion that such sophisticated and professionally designed malware would serve such a trivial purpose, given all the evidence to the contrary."

Complex Spy Platform StripedFly Bites 1M Victims

The threat actor exfiltrated 690GB of uncompressed data, or 767,035 files.

Westinghouse subsidiary BHI Energy, an energy services provider, confirmed that it experienced an Akira ransomware attack in June.

BHI's IT team at BHI discovered network data being encrypted in late June; as it proceeded to investigate the incident, it brought in outside counsel and a third-party cybersecurity firm.

The cybersecurity firm found that Akira, the threat actor, gained initial access in late May through the compromised account of a third-party contractor, resulting in the threat actor reaching "the internal BHI network through a VPN connection."

According to the notice sent to Iowa's consumer protection agency, in the week after first gaining access, the threat actor performed reconnaissance of the internal network on two different occasions. In late June, the threat actor started exfiltrating 690GB of data over nine days, including data like BHI's Active Directory database. Once the threat actor completed this, they then deployed the Akira ransomware.

The threat actor was removed from BHI's network in July, and the company took several steps to secure its environment. Since BHI's cloud backup solution was unaffected, the company was able to recover data without needing a ransomware decryption tool.

In reviewing the affected systems, BHI found that the data affected included personal information such as full names, dates of birth, Social Security numbers, and health information of 896 Iowa residents, who have since been notified. BHI is offering a 24-month membership to Experian's IdentityWorks to these people.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

BHI Energy Releases Details of Akira Ransomware Attack

In the race over Citrix's latest vulnerability, the bad guys have a huge head start, with broad implications for businesses and critical infrastructure providers worldwide.

A critical security update is now available for the latest high-profile Citrix NetScaler vulnerability. But so is an exploit. And in some cases, the latter may be simpler to use than the former.

It's been a busy week so far for Citrix customers. On Sept. 23, following reports of active exploitation in the wild, the company released an urgent update for CVE-2023-4966, a sensitive information disclosure vulnerability in its NetScaler application delivery controller (ADC) and Gateway products. The vulnerability was assigned a "High" 7.5 out of 10 CVSS rating by NIST, but a "Critical" 9.4 by Citrix itself.

Then on Sept. 24, researchers from Assetnote published a proof-of-concept (PoC) exploit to GitHub. The widely available exploit is, relative to the severe consequences it can wreak, remarkably simple.

"It's a remote access solution in the vast majority of places and, as a result, it's exposed to the Internet most of the time," explains Andy Hornegold, VP of product at Intruder. "The risk is somebody will be able to exploit this vulnerability, read session tokens, connect to your device as one of your standard users, and then access your environment with those privileges."

**The New Citrix Exploit**

Researchers from Assetnote discovered two related functions at the heart of CVE-2023-4966 — _ns\_aaa\_oauth\_send\_openid\_config_ and _ns\_aaa\_oauthrp\_send\_openid\_config_ — both responsible for implementing the OpenID Connect (OIDC) Discovery endpoint. OIDC is an open protocol used for authentication and authorization.

On an unpatched NetScaler device, an attacker could easily overload the buffer by sending a request exceeding 24,812 bytes. With a request hardly three lines long, the researchers discovered they could cause the device to leak memory.

"It feels like hacking back in 1999," Hornegold says, only half-jokingly. "Back in the day it was, like, the default way of trying to carry out these kinds of attacks — to just stuff a whole load of 'a's into a packet and see what comes back."

In this case, he explains, "I can send one request with a whole bunch of 'a's in one go, and then in the body of the response, it starts to expose session tokens for people who are logged in to that NetScaler device, which I can reuse to log in as those users." By hijacking an authenticated session, a malicious actor could potentially bypass any checks, including multifactor authentication (MFA).

**Why Patching Isn't Enough**

According to Citrix, its software is used by more than 400,000 organizations across the globe, including 98% of Fortune 500 companies. According to Enlyft, NetScaler in particular is used by nearly 84,000 companies, including brand names like eBay and Fujitsu.

NetScaler isn't just popular. As Intruder noted in a Sept. 25 blog post, it's popular most notably within critical industries, which often prefer to run infrastructure on-premises rather than in the cloud.

So while Citrix advised customers on Sept. 23 to patch as soon as possible, doing so won't be equally easy for everyone. For organizations that require 24/7 uptime, "It's a bit of a balancing act," Hornegold says, "because you obviously need to keep that service live for as long as possible, especially when you're talking about critical national infrastructure. Any downtime needs to be taken as part of a risk consideration."

Regular businesses won't be able to just patch and forget about it, either. As Mandiant pointed out last week, hijacked sessions could persist even through patches, so organizations have to take the extra step of terminating all active sessions.

And even that may not be enough. Mandiant observed threat actors exploiting CVE-2023-4966 as early as August, leaving a healthy window of time for further post-exploitation persistence and downstream access.

"There's a whole two months of opportunity there," Hornegold points out. "So if the question is 'what is the worst that could happen if you don't patch this?' —realistically, the worst may well have happened already."

As Citrix Urges Its Clients to Patch, Researchers Release an Exploit

VMware vCenter Servers need immediate patch against critical RCE bug as race against threat actors begins.

VMware urged customers to update VMware vCenter Servers against a critical flaw that could potentially lead to remote code execution (RCE) and assigned a CVSS severity score of 9.8.

The vCenter Server flaw, tracked under CVE-2023-34048, could allow an attacker with network access the ability to trigger an out-of-bounds write, the VMware advisory explained. Software for "vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol," the vendor added.

The vCenter Server platform is used for managing vSphere installations in hybrid cloud environments.

John Gallagher, vice president with Viakoo Labs, characterized the bug in a statement as "serious as it gets," because it's both dangerous and impacts VMware vCenter Servers, which are widely used across a variety of organizations and industry sectors.

"The reason for it having a severity score of 9.8 is in how it devastates the entire CIA Triad of confidentiality, integrity, and availability," Gallgher explained. "Successful exploit of this CVE gives complete access to the environment, and enables remote code execution for further exploitation."

Another sure sign of the severity is VMware taking the unusual step of offering up patches for old versions, Mayuresh Dani, security research manager at Qualys, explained in a statement.

"The fact that VMware released patches for end of life (EOL) versions that are affected by this vulnerability speaks to how critical it is, since EOL software seldom gets patched," Dani added.

The advisory said patches will be issued for vCenter Server 6.7U3, 6.5U3, and VCF 3.x, as well as vCenter Server 8.0U1.

**Second Patch for VMware Cloud Foundation**

An additional flaw was reported by VMware in its VMware Cloud Foundation, but this bug, tracked under CVE-2023-34056, has been assigned a less urgent CVSS score of 4.3. The vulnerability could allow an unauthorized user access data, the advisory explained.

Both flaws were responsibly reported by researchers, VMware added in its advisory, however as organizations rush to patch, there will be an inevitable "window of vulnerability" for threat actors to take advantage of unpatched systems, Gallagher added.

"Organizations using vCenter Server should ensure they have a current inventory of its usage, and a plan to patch," Gallagher advised. "Mitigation for this directly appears limited, but using network access control and monitoring might catch lateral movement once a threat actor uses this to gain a foothold."

Virtual Alarm: VMware Issues Major Security Advisory

The YoroTrooper group claims to be from Azerbaijan and even routes its phishing traffic through the former Soviet republic.

A Kazakhstan attack group with a penchant for sending phishing messages is doing its dirty work in an Azerbaijani disguise.

YoroTrooper was first detected in June 2022 and often targets former Soviet republics, including Russia, Armenia, Belarus, and Moldova, as well as Azerbaijan, and typically targets government entities.

But given YoroTrooper's language preferences, its use of Kazakhstani currency, and very limited targeting of Kazakhstani entities, researchers from Cisco Talos have concluded that the group is from Kazakhstan.

Researchers also determined "with high confidence" that YoroTrooper made numerous efforts to disguise its origin by hosting a majority of their infrastructure in Azerbaijan, while still targeting institutions in that country.

Most of YoroTrooper's operations are routed via Azerbaijan, although the attackers do not appear to speak the Azerbaijani language.

"Our primary observation that points toward the actor being of Kazakh origin is that they speak Kazakh and Russian, both of which are official languages of Kazakhstan," researchers said. "YoroTrooper frequently visits websites written in Kazakh and has used Russian in debugging and logging messages in their custom Python Remote Access Trojans."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Kazakh Attackers, Disguised as Azerbaijanis, Hit Former Soviet States

We have too much cybersecurity awareness. It's time to implement repeatable, real-world practice that ingrains positive habits and security behaviors.

I know I shouldn't drink Diet Coke, but every few weeks I find myself happily sipping from another silver can. I'm not oblivious to the health risks. I've read the latest WHO report on aspartame. Heck, it even says right on the can, "Warning: Contains phenylalanine." (If I can't pronounce it, and Coca-Cola has to warn me about it, _surely_ it can't be good for me.) But awareness of some mysterious chemical isn't going to stop me from enjoying an occasional Diet Coke; I need help changing my behavior.

To borrow a line from social scientists, "abundant research shows that people who are simply given more information are unlikely to change their beliefs or behavior." And yet, here we are again, another Cybersecurity _Awareness_ Month: the industry's Hallmark holiday that promotes spending on cybersecurity training videos, phishing simulators, and free lunches to feed employees a smorgasbord of security education, training, and awareness.

**Awareness Isn't the Issue**

But employees are already aware of cybersecurity. Whether it's the obligatory training they suffer through, the fake phishing traps we send, the steady drip of cyberattacks making headlines, or the family member who was recently scammed online, cybersecurity awareness has never been greater. And yet, it's made little difference in reducing the volume of successful cyberattacks involving the human element.

It's time to shift our collective efforts from awareness to actual behaviors. Instead of a month-long campaign, we should focus on creating real-world opportunities for employees to build and flex their cyber judgment muscle memory all year long.

Consider the 15-year-old pursuing that coveted freedom of a driver's license. With an outsized motivation to learn, they start in a classroom, absorbing everything they possibly can about driving, observing adults driving, and passing a written test to obtain a permit. But, that first time behind the wheel, a new learning curve begins — one with higher, real-world stakes. It ultimately takes months of practice, driving in all sorts of conditions, to prepare someone to drive safely on their own.

Why assume cybersecurity is any different?

**Training Isn't the Answer**

The universal approach to addressing the human element of cybersecurity has been to "train" employees to deal with whatever threat du jour occupies our attention. Training is preventative, theoretical, and out of context: a memo, a webinar, a campy click-through video with a quiz — all in hopes that an employee will remember _exactly_ what they are supposed to do should a similar situation arise in some unknown future. This is not how we learn in any other context, but for some reason, we continue to pursue this failed approach in cybersecurity. Why? To check a box in a compliance audit?

To create true, lasting security behavior change, we must put our employees behind the wheel on the open Internet superhighway. This seems hard and scary, I know. But it doesn't have to be. Small, simple changes in how we engage employees and intervene with cybersecurity information can have an outsized impact.

For example, instead of arbitrarily "training" employees in October to use multifactor authentication (MFA) on all of their accounts and hoping they'll remember to do so when they sign up for a new generative AI tool in July, that message should arrive at the moment they create a new account, while they're in the right context. With additional bits of information, such as the benefits of using MFA or preempting questions or doubts, we can further encourage the desired behavior and thus, desired security outcomes.

**It's Time to Take the Next Step**

We have reached a collective fever pitch of cybersecurity awareness. We don't need more of the same this month. It's time to take the next step toward implementing repeatable, real-world practice that ingrains positive habits and security behaviors. By leveraging our modern understanding of neuropsychology and behavioral science, lessons learned from other industries and disciplines, and emerging human-centered cybersecurity technologies, we can make cybersecurity understanding a reality today and every day.

Cybersecurity Awareness Doesn't Cut It; It's Time to Focus on Behavior

A campaign targeting European governmental organizations and a think tank shows consistency from the low-profile threat group, which has ties to Belarus and Russia.

Low-profile threat group Winter Vivern has been exploiting a zero-day flaw in Roundcube Webmail servers with a malicious email campaign targeting governmental organizations and a think tank in Europe that requires only that a user view a message.

Earlier this month, researchers at ESET Research observed the group sending a specially crafted email message that loads an arbitrary JavaScript code in the context of the Roundcube user's browser window to exploit a newly discovered cross-site scripting (XSS) flaw tracked as CVE-2023-5631. The one-click exploit requires no manual interaction on the part of the user other than viewing the message in a Web browser, the researchers reported in a blog post published Oct. 25.

Roundcube is a freely available, open source webmail solution that's especially popular with small-to-midsize organizations. The flaw affects versions before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4, and allows for stored XSS via an HTML email message with a crafted SVG document due to the behavior of "program/lib/Roundcube/rcube\_washtml.php," according to its CVE listing. This, in turn, allows a remote attacker to load arbitrary JavaScript code.

ESET Research reported the vulnerability to the Roundcube team on Oct. 12 and received a response and patch from the company two days later on Oct. 14. On Oct. 16, Roundcube released security updates with new versions 1.6.4, 1.5.5, and 1.4.15 to address the flaw.

**Long-Term Targeting**

Winter Vivern's activity is often underreported by security researchers but the group has been active since at least December 2020 and shows sympathies with Russia and Belarus, conducting cyber espionage that serves the interest of those nations. The group typically uses malicious documents, phishing websites, and a custom PowerShell backdoor to compromise its targets and may be linked to a sophisticated Belarus-aligned group MoustachedBouncer.

The latest activity observed by ESET— which has been tracking Winter Vivern closely for about a year — is consistent with the group's typical methods, though previously they exploited flaws that already were public, notes ESET Researcher Mathieu Faou.

"Since at least 2022, they have been exploiting XSS vulnerabilities in Zimbra and Roundcube to load arbitrary JavaScript code and steal emails," he tells Dark Reading. "However, most of those vulnerabilities were known and as such they could only work on unpatched mail servers."

The fact that the group is now "burning zero-day vulnerabilities" and attacking even updated versions of widely-used webmail servers could be a harbinger of future activity, as it demonstrates a long-term interest in European governmental organizations as primary targets, Faou says.

**How the Campaign Works**

The latest campaign begins with a phishing email to targets sent from the address \[email protected\] with the subject line "Get started in your Outlook." The message purports to be from The Microsoft Accounts Team and aims to guide users with their Outlook accounts, seeming innocent enough.

However, just viewing the email sets into motion a process spurred by an SVG tag at the end of the email's HTML source code that includes a base64-encoded payload. Decoding the payload produces a JavaScript code that is executed in the browser of the victim in the context of their Roundcube session, according to ESET.

The researchers realized that the exploit was for a zero-day flaw when the JavaScript injection worked on a fully patched Roundcube instance. They found that the XSS vulnerability being exploited affected the server-side "script rcube\_washtml.php," which doesn't properly sanitize the malicious SVG document before being added to the HTML page interpreted by a Roundcube user.

The final JavaScript payload in the attack can list folders and emails in the current Roundcube account and exfiltrate email messages to Winter Vivern's command and control server by making HTTP requests to "https://recsecas\[.\]com/controlserver/saveMessage."

**Patch Now**

Users of vulnerable Roundcube instances are urged to update to the patched versions to avoid compromise. However, in the case of any future zero-day flaws discovered and subsequently exploited by Winter Vivern, this defense would not be sufficient enough, Faou notes.

Other endpoint-defense practices that can protect vulnerable systems in the event of similar zero-day exploits would be to put technology in place that automatically block the loading of JavaScript payloads and exfiltration of emails, he advises. "As such, it is also recommended to deploy an endpoint security solution on all machines."

Source

DARKReading