Cyber threat actors with interests aligned to Belarus and Russia have been linked to a cyber espionage campaign that likely exploited Cross-Site Scripting (XSS) vulnerabilities in Roundcube webmail servers to target over 80 organizations. According to investigators, the targeted entities are primarily located in Georgia, Poland, and Ukraine, and the intrusion set is attributed to the threat actor known as Winter Vivern, also tracked as TA473 and UAC0114. The cybersecurity firm that published the findings, Recorded Future's Insikt Group, tracks the group as Threat Activity Group 70 (TAG-70).[1]
The Cybersecurity & Infrastructure Security Agency (CISA) has added a vulnerability in Roundcube Webmail to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies must remediate the vulnerability by 4 March 2024 to protect their systems against active threats. Analysts urge all other Roundcube Webmail operators to treat the listing with the same urgency: a KEV entry means the flaw is being exploited in the wild, not merely that it is theoretically reachable.
Roundcube is a web-based IMAP email client. The Internet Message Access Protocol (IMAP) is used to retrieve email while leaving the mailbox on the server, which is what lets users read the same mail from multiple devices; it is why an email read on a laptop shows as read on a phone, too. Reportedly, more than 132,000 Roundcube servers are reachable from the internet, most of them located in the US and China.
Winter Vivern's name derives from the wyvern, a two-legged dragon with a venomous tail. The group's most distinctive characteristic is its phishing lures, usually documents that mimic legitimate, publicly available records and drop a malicious payload when opened. The group has also used fake government websites to distribute its malware, and has been known to copy the homepages of Ukraine's and Poland's primary cyber defense agencies. Winter Vivern's exploitation of security flaws in Roundcube webmail was previously documented by ESET in October 2023, placing it alongside other Russia-linked groups such as APT28, APT29, and Sandworm that are known to target email software.
The adversary, active since at least December 2020, was linked last year to the abuse of a now-patched vulnerability in Zimbra Collaboration email software to infiltrate organizations in Moldova and Tunisia in July 2023. The Roundcube campaign began in early October 2023 and continued until the middle of that month, with the aim of collecting intelligence on European political and military activities. The attacks overlap with additional TAG-70 activity against Uzbekistan government mail servers detected in March 2023.
TAG-70 has demonstrated a high level of sophistication in its attack methods. The threat actors combined social engineering with the exploitation of cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, bypassing the defenses of government and military organizations.
The attack chains exploit the Roundcube flaws to deliver JavaScript payloads that exfiltrate user credentials to a command-and-control (C2) server. Because the payload rides in the HTML body of an email and executes in the victim's already-authenticated webmail session when the message is rendered, the victim only has to view the message; no attachment needs to be opened and no password needs to be typed. Investigators found evidence of TAG-70 targeting the Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden. The targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran's diplomatic activities, especially regarding its support for Russia in Ukraine. Similarly, espionage against Georgian government entities reflects an interest in monitoring Georgia's aspirations for European Union (EU) and NATO membership.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2024/02/russian-linked-hackers-breach-80.html