
Russian hackers attack Ukrainian infrastructure: Roundcube software is the target

Russian APT group exploits open-source webmail vulnerabilities to infiltrate Ukrainian government and military entities


A well-known Advanced Persistent Threat (APT) group linked to the Russian government has been discovered exploiting security vulnerabilities in the open-source email software Roundcube to spy on organizations in Ukraine. These include government institutions and military entities involved in aviation infrastructure.

Attack techniques and collaboration for defense

As reported in an alert from the threat intelligence firm Recorded Future, compromised Roundcube servers were used to run reconnaissance and exfiltration scripts, hijacking incoming emails and harvesting session cookies, user information, and address books. In cooperation with Ukraine's Computer Emergency Response Team (CERT-UA), Recorded Future documented the activity and attributed it to Russia's GRU military espionage unit.

Details of the phishing campaign

The campaign used news of the Russia-Ukraine war to trick recipients into opening emails carrying attachments; opening the message was enough to compromise vulnerable Roundcube servers, with no interaction with the attachment required. According to Recorded Future, the attachment contained JavaScript code that executed additional JavaScript payloads fetched from the group's infrastructure. The campaign was well prepared, quickly turning news content into exploit lures for its target audience. The spear-phishing emails covered current affairs related to Ukraine, with subject lines and content that mirrored legitimate media sources.

Background and proposed preventive measures

The GRU-linked group, which has been in operation since at least November 2021, has been blamed for earlier use of zero-day vulnerabilities in Microsoft's flagship email software, Outlook. As publicly documented, the group focuses on digital espionage against entities in Ukraine and across Europe, primarily government and military/defense organizations. To help defenders, Recorded Future has released Indicators of Compromise (IOCs) and technical artifacts from the most recent discovery. The company recommends that organizations set up intrusion detection and prevention systems (IDS and IPS) or other network defense mechanisms to detect traffic to and from known malicious domains. Additionally, it suggests disabling HTML and/or JavaScript within email attachments and filtering incoming email traffic using anti-spoofing and authentication mechanisms (such as SPF or DKIM) that check the validity of sender records.
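Putting the last two recommendations into practice, as an added example that is not from Recorded Future or the original article: a Python triage script that parses an inbound message, reads the SPF and DKIM verdicts from its Authentication-Results header, and flags HTML attachments that carry script. The message, domain names and quarantine rule are constructed for illustration, not taken from the campaign.

```python
import email
import re
from email import policy

# Constructed sample (not from the report): an HTML attachment containing
# inline JavaScript, sent from a domain whose SPF check failed and has no DKIM.
SAMPLE_EML = b"""From: news@example.invalid
To: user@example.invalid
Subject: Latest on the war
Authentication-Results: mx.example.invalid; spf=fail smtp.mailfrom=example.invalid; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

See attached.
--B
Content-Type: text/html; name="news.html"
Content-Disposition: attachment; filename="news.html"

<html><body><script>var x = 1;</script></body></html>
--B--
"""

# Markers of active content inside HTML: script tags, javascript: URLs, event handlers.
SCRIPT_RE = re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)

def auth_results(msg):
    """Return {'spf': verdict, 'dkim': verdict} parsed from Authentication-Results."""
    out = {"spf": "none", "dkim": "none"}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim)=(\w+)", str(hdr), re.IGNORECASE):
            out[m.group(1).lower()] = m.group(2).lower()
    return out

def risky_attachments(msg):
    """Filenames of HTML attachments whose body contains script-like content."""
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename("") or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm"))
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if is_html and SCRIPT_RE.search(body):
            found.append(name)
    return found

def triage(raw):
    """Quarantine when an attachment carries script, or when neither SPF nor DKIM passed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth, risky = auth_results(msg), risky_attachments(msg)
    unauthenticated = auth["spf"] != "pass" and auth["dkim"] != "pass"
    return {"auth": auth, "risky": risky, "quarantine": bool(risky) or unauthenticated}
```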


06/21/2023 08:00

Editorial AI
