A prolific APT group linked to the Russian government has been caught exploiting security flaws in the open-source Roundcube webmail software to spy on organizations in Ukraine, including government institutions and military entities involved in aircraft infrastructure.
According to an advisory [PDF] from threat intelligence firm Recorded Future, the Roundcube server infections are being used to run reconnaissance and exfiltration scripts, redirecting incoming emails and gathering session cookies, user information, and address books.
Recorded Future teamed up with Ukraine’s Computer Emergency Response Team (CERT-UA) to document the activity, which is being attributed to Russia’s GRU military spy unit.
“The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails with attachments, which immediately compromised vulnerable Roundcube servers without engaging with the attachment,” Recorded Future explained.
The company said the attachment contained JavaScript code that executed additional JavaScript payloads from the hacking team’s infrastructure. “The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients. The spear-phishing emails contained news themes related to Ukraine, with subject lines and content mirroring legitimate media sources,” Recorded Future said.
The GRU-linked group, which has been operational since at least November 2021, has been blamed for previous use of zero-day flaws in Microsoft’s flagship Outlook software. According to public documentation, the group is focused on digital spying on entities in Ukraine and across Europe, primarily among government and military/defense organizations.
Recorded Future released IOCs and technical artifacts from the latest discovery to help defenders, and recommended that organizations configure intrusion detection systems (IDS), intrusion prevention systems (IPS) or other network defense mechanisms to flag traffic involving the malicious domains.
The company is also recommending that organizations implement measures to disable HTML and/or JavaScript within email attachments, and filter incoming email traffic using anti-spoofing and authentication mechanisms (such as SPF or DKIM) that check the validity of the sender’s records.
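The two mitigations above (treat HTML/JavaScript attachments as hostile, and gate delivery on SPF/DKIM verdicts) can be expressed as a small mail-gateway triage rule. The following Python is an added example written for this article; it is not code from Recorded Future's advisory, from CERT-UA, or from the Roundcube project. The gateway name mx.example.test, the sample messages, the attachment heuristics and the quarantine policy are all constructed assumptions for illustration. One practitioner detail it includes: Authentication-Results headers are only honoured when stamped by the organization's own gateway (the authserv-id), because a header claiming spf=pass can arrive already present in a message from outside.

```python
import re
from email.message import EmailMessage

# Assumed authserv-id of our own mail gateway. Authentication-Results headers
# stamped by any other host are ignored, since they may have arrived with the mail.
TRUSTED_AUTHSERV = "mx.example.test"

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
# Markers of active content inside an attachment body (assumed heuristic).
ACTIVE_RE = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.I)
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "js", "svg"}
ACTIVE_SUBTYPES = {"html", "xhtml+xml", "javascript"}


def parse_auth_results(msg: EmailMessage, authserv_id: str = TRUSTED_AUTHSERV) -> dict:
    """Return {method: verdict} from Authentication-Results headers added by our gateway."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(header).partition(";")
        stamped_by = (authserv.split() or [""])[0].lower()
        if stamped_by != authserv_id:
            continue  # verdict not produced by us: do not trust it
        for method, verdict in AUTH_RE.findall(rest):
            results[method.lower()] = verdict.lower()
    return results


def find_active_attachments(msg: EmailMessage) -> list:
    """Names of attachments that are HTML/JavaScript by MIME subtype, extension or content."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        subtype = part.get_content_subtype()
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        body = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
        if subtype in ACTIVE_SUBTYPES or ext in ACTIVE_EXTENSIONS or ACTIVE_RE.search(body):
            flagged.append(name)
    return flagged


def triage(msg: EmailMessage) -> dict:
    """Assumed policy: quarantine on active-content attachments, or when neither SPF nor DKIM passes."""
    auth = parse_auth_results(msg)
    active = find_active_attachments(msg)
    reasons = []
    if active:
        reasons.append("active content in attachment(s): " + ", ".join(active))
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        reasons.append("sender not authenticated (spf=%s, dkim=%s)"
                       % (auth.get("spf", "missing"), auth.get("dkim", "missing")))
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_message(auth_results: str, attachment_text: str, filename: str, subtype: str) -> EmailMessage:
    """Constructed sample message for the demo; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "newsdesk@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Constructed news-themed lure"
    msg["Authentication-Results"] = auth_results
    msg.set_content("See the attached report.")
    msg.add_attachment(attachment_text, subtype=subtype, filename=filename)
    return msg


# Constructed samples: a lure with an HTML attachment carrying script, a message
# carrying Authentication-Results forged by an untrusted host, and a benign message.
LURE = build_message(
    "mx.example.test; spf=fail smtp.mailfrom=example.test; dkim=none",
    "<html><body><p>Report</p><script>alert('constructed sample');</script></body></html>",
    "report.html", "html")

FORGED_RESULTS = build_message(
    "attacker-relay.invalid; spf=pass; dkim=pass",  # stamped by a host we do not trust
    "plain notes", "notes.txt", "plain")

BENIGN = build_message(
    "mx.example.test; spf=pass smtp.mailfrom=example.test; dkim=pass header.d=example.test",
    "quarterly figures", "notes.txt", "plain")

if __name__ == "__main__":
    for label, m in (("lure", LURE), ("forged", FORGED_RESULTS), ("benign", BENIGN)):
        print(label, triage(m))
```

The content heuristic is deliberately broad (any `<script>`, `on...=` handler or `javascript:` URL in the attachment body), which is what "disable HTML and/or JavaScript within email attachments" amounts to at a gateway; in production the active-content branch would strip or rewrite the attachment rather than only quarantine, and the authserv-id must match whatever the organization's own DKIM/SPF verifier writes.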
Related: Microsoft: No-Interaction Outlook Zero Day Exploited Since Last April
Related: Microsoft Pins Outlook Zero-Day Attacks on Russia, Ships Detection Script
Related: Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.