Winter Vivern: “The Latest Cyber Threat Targeting European Governments”

Reading Time: ( Word Count: )

April 1, 2023
Nextdoorsec-course

Winter Vivern, an advanced persistent threat (APT) actor, has expanded its cyber espionage campaign by targeting officials in Europe and the U.S. This campaign involves leveraging an unpatched Zimbra vulnerability in publicly facing webmail portals, allowing the group to access the email mailboxes of government entities in Europe.

Proofpoint, an enterprise security firm, is tracking the activity under its name, TA473 (UAC-0114). The firm describes TA473 as an adversarial crew whose operations align with Russian and Belarussian geopolitical objectives. 

Despite its lack of sophistication, the group has been linked to recent attacks targeting state authorities of Ukraine and Poland, government officials in India, Lithuania, Slovakia, and even the Vatican.

The group uses scanning tools such as Acunetix to find unpatched webmail portals belonging to targeted companies. They then send phishing emails under the guise of benign government agencies, with messages containing booby-trapped URLs. 

Also Read: “MacStealer Malware Strikes: iCloud Keychain Data and Passwords at Risk for Apple Users.”

Winter Vivern

These URLs manipulate the cross-site scripting (XSS) error in Zimbra to manage custom Base64-encoded JavaScript payloads within victims’ webmail portals, allowing the group to exfiltrate usernames, passwords, and access tokens.

Each JavaScript payload is monitored to the targeted webmail portal, indicating that the group is willing to invest time and resources to decrease the possibility of detection. According to Proofpoint, TA473’s persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities is a key factor in its success.

These findings coincide with revelations that at least three Russian intelligence agencies (FSB, GRU, and SVR) use software and hacking tools designed by a Moscow-based IT contractor called NTC Vulkan. 

This includes frameworks like Scan, Amesit, and Krystal-2B, which simulate coordinated IO/OT attacks against rail and pipeline control systems.

Mandiant, a threat intelligence firm, notes that contracted projects from NTC Vulkan provide insight into the investment of Russian intelligence services in inventing abilities to deploy more efficient functions within the beginning of the attack lifecycle, a part of procedures often concealed from sight.

Saher

Saher

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Top AI Cybersecurity Companies to Consider in 2023

Top AI Cybersecurity Companies to Consider in 2023

Artificial intelligence (AI) has appeared as a powerful tool in cybersecurity. As the rate and sophistication of ...
60 Chat GPT Prompts for Cyber Security by Experts

60 Chat GPT Prompts for Cyber Security by Experts

Chat GPT, powered by advanced natural language processing and artificial intelligence techniques, has emerged as a ...
Penetration Testing vs. Security Testing: Unraveling the Differences

Penetration Testing vs. Security Testing: Unraveling the Differences

In today's increasingly interconnected world, ensuring the security of digital systems and networks is paramount. ...
Internal vs. External Penetration Testing: Making the Right Choice

Internal vs. External Penetration Testing: Making the Right Choice

Penetration testing, often called pen testing, is crucial to ensuring the security and resilience of computer ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *