Russian hackers attack Ukrainian infrastructure: Roundcube software is the target
Russian APT group exploits open-source webmail vulnerabilities to infiltrate Ukrainian government and military entities
A well-known Advanced Persistent Threat (APT) group, linked to the Russian government, has been discovered exploiting security vulnerabilities in the open-source webmail software Roundcube to spy on organizations in Ukraine. These include government institutions and military entities involved in aviation infrastructure.
Attack techniques and collaboration for defense
As reported in an alert from the threat intelligence firm Recorded Future, infected Roundcube servers were used to run reconnaissance and exfiltration scripts that hijacked incoming emails and harvested session cookies, user information, and address books. In cooperation with Ukraine's Computer Emergency Response Team (CERT-UA), Recorded Future documented the activity and attributed it to Russia's GRU military espionage unit.
Details of the phishing campaign
The campaign used news of the Russia-Ukraine war to trick recipients into opening emails carrying attachments; simply opening the email in a vulnerable Roundcube instance was enough to compromise the server, with no interaction with the attachment required. According to Recorded Future, the attachment contained JavaScript code that executed additional JavaScript payloads fetched from the group's infrastructure. The level of preparation was high: the group quickly turned news content into lures tailored to its target audiences. The spear-phishing emails covered current affairs related to Ukraine, with subject lines and content that mirrored legitimate media sources.
Background and proposed preventive measures
The GRU-linked group, which has been in operation since at least November 2021, has been blamed for earlier use of zero-day vulnerabilities in Microsoft's flagship email client, Outlook. As publicly documented, the group focuses on digital espionage against entities in Ukraine and across Europe, primarily government and military/defense organizations. To help defenders, Recorded Future has released Indicators of Compromise (IOCs) and technical artifacts from the most recent discovery. The company recommends that organizations configure intrusion detection and prevention systems (IDS and IPS) or other network defense mechanisms to detect activity involving the listed malicious domains. Additionally, it suggests disabling HTML and/or JavaScript within email attachments and filtering incoming email traffic with anti-spoofing and authentication mechanisms (such as SPF or DKIM) that check the validity of sender records.
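The two mail-filtering measures recommended above (flagging HTML attachments that embed script, and rejecting mail whose SPF/DKIM checks did not pass) can be combined in a simple gateway rule. The following is an added example written for this page, not code from Recorded Future, CERT-UA or Roundcube; the message it inspects is a constructed sample, and the Authentication-Results header is assumed to be stamped by a trusted inbound MTA.

```python
import email
import re
from email import policy

# Constructed sample message (not from the article): an HTML attachment that
# embeds inline JavaScript, with SPF failing and no DKIM signature present.
SAMPLE_EML = b"""\
From: news@example.invalid
To: user@example.invalid
Subject: Ukraine update
Authentication-Results: mx.example.invalid; spf=fail smtp.mailfrom=example.invalid; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: text/html; name="news.html"
Content-Disposition: attachment; filename="news.html"

<html><body><script>var x = 1;</script></body></html>
--b1--
"""

# Markers of active content inside HTML: script tags, on* event handlers, javascript: URLs.
ACTIVE_HTML_RE = re.compile(r"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)
HTML_SUFFIXES = (".html", ".htm")

def active_html_attachments(raw):
    """Return filenames of attached HTML parts that carry script or event handlers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html" or name.endswith(HTML_SUFFIXES)
        if part.get_content_disposition() != "attachment" or not is_html:
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", errors="ignore")
        if ACTIVE_HTML_RE.search(body):
            hits.append(part.get_filename())
    return hits

def auth_results(raw):
    """Parse spf/dkim/dmarc verdicts from the Authentication-Results header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)}

def should_quarantine(raw):
    """Quarantine when active HTML is attached or SPF/DKIM did not both pass."""
    verdicts = auth_results(raw)
    return (bool(active_html_attachments(raw))
            or verdicts.get("spf") != "pass" or verdicts.get("dkim") != "pass")
```

A production gateway would additionally strip or sandbox the flagged part rather than only quarantining the message, and would apply the rule before the mail reaches the webmail front end.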
06/21/2023 08:00
Editorial AI