
Russian-Linked Hackers Target Organizations via Roundcube Flaws

A new campaign has been linked to threat actors with interests aligned to Belarus and Russia. The campaign exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers and targeted more than 80 organizations, primarily located in Georgia, Poland, and Ukraine. Recorded Future, a cybersecurity firm, attributed the intrusion set to a threat actor known as Winter Vivern, also known as TA473 and UAC0114. The hacking outfit is being tracked by Recorded Future under the moniker Threat Activity Group 70 (TAG-70).

Winter Vivern, a Russia-linked threat actor group, was previously highlighted by ESET in October 2023 for exploiting security flaws in Roundcube and other software. Other Russia-linked threat actors, such as APT28, APT29, and Sandworm, are also known to target email software. Winter Vivern has been active since at least December 2020 and has been linked to the abuse of a now-patched vulnerability in Zimbra Collaboration email software in July 2023 to infiltrate organizations in Moldova and Tunisia.

The campaign discovered by Recorded Future ran from the start of October 2023 until the middle of that month. The primary goal of the attack was to collect intelligence on European political and military activities. The attacks overlap with additional TAG-70 activity against Uzbekistan government mail servers that was detected in March 2023.

According to Recorded Future, “TAG-70 has demonstrated a high level of sophistication in its attack methods. The threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, bypassing the defenses of government and military organizations.” The attack chains involve exploiting Roundcube flaws to deliver JavaScript payloads that are designed to exfiltrate user credentials to a command-and-control (C2) server.

Recorded Future has also found evidence of TAG-70 targeting the Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden. The targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran's diplomatic activities, especially regarding its support for Russia in Ukraine. Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia's aspirations for European Union (EU) and NATO accession.

Want to read more? The original article is available at The Hacker News.

Deitasoft © 2024. All Rights Reserved.