
Russian-Linked Hackers Target Organizations via Roundcube Flaws

A new cyber espionage campaign has been linked to threat actors whose interests align with Belarus and Russia. The campaign exploited cross-site scripting (XSS) flaws in Roundcube webmail servers and targeted more than 80 organizations, primarily located in Georgia, Poland, and Ukraine. Recorded Future, a threat intelligence firm, attributed the intrusion set to a group known as Winter Vivern, also tracked as TA473 and UAC0114. Recorded Future itself tracks the hacking outfit under the moniker Threat Activity Group 70 (TAG-70).

Winter Vivern, a Russia-linked group, was previously highlighted by ESET in October 2023 for exploiting security flaws in Roundcube and other software. Other Russia-linked threat actors, such as APT28 and APT29, are also known to target email software. Winter Vivern has been active since at least December 2020 and has been linked to the abuse of a now-patched vulnerability in Zimbra Collaboration email software last year to infiltrate organizations in Moldova and Tunisia in July 2023.

The campaign discovered by Recorded Future took place from the start of October 2023 and continued until the middle of the month. The primary goal of the attack was to collect intelligence on European political and military activities. The attacks overlap with additional TAG-70 activity against Uzbekistan mail servers that were detected in March 2023.

According to Recorded Future, “TAG-70 has demonstrated a high level of sophistication in its attack methods. The threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, bypassing the defenses of government and military organizations.” The attack chains involve exploiting the Roundcube flaws to deliver JavaScript payloads designed to exfiltrate user credentials to a command-and-control (C2) server.

Recorded Future has also found evidence of TAG-70 targeting the Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden. The targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran's diplomatic activities, especially regarding its support for Russia in Ukraine. Similarly, espionage against Georgian entities reflects interests in monitoring Georgia's aspirations for European Union (EU) and NATO accession.

Want to read more? Check out the original article available at The Hacker News!


Deitasoft © 2024. All Rights Reserved.