Russian Hackers Breached 80+ Organizations Using Roundcube XSS Flaw
The Russia-based threat group TAG-70 has been found exploiting Roundcube webmail servers through a recently disclosed Cross-Site Scripting vulnerability, CVE-2023-5631.
Their targets include government, military, and national infrastructure-related entities. This threat actor overlaps with the Winter Vivern, TA473, and UAC-0114 threat groups.
This Roundcube targeting campaign has been running since October 2023 and has attacked over 80 organizations, primarily in Georgia, Poland, and Ukraine.
Moreover, this is only the latest campaign by Russia-aligned threat groups targeting email servers.
As part of the ongoing war between Ukraine and Russia, several Russia-based cyber-espionage groups have been attacking governmental entities in Europe as a means of gathering intelligence on the war effort and planning, relationships and negotiations, military and financial aid, and other information that could help in fighting the war.
Russian Hackers Exploited Roundcube XSS Flaw
According to the reports shared with Cyber Security News, TAG-70 had previously created a spoofed website of the Ministry of Foreign Affairs of Ukraine to lure users into downloading a malicious program under the pretext of "scanning infected PCs for viruses".
In March 2023, TAG-70 was attributed with the exploitation of the Zimbra webmail portal through CVE-2022-27926 to gain access to the emails of military, government, and diplomatic European organizations that may be involved in the Russia-Ukraine war.
The sophistication and attack vectors of this threat actor indicate a well-funded and skilled group behind these operations.
Their latest XSS zero-day exploitation of Roundcube webmail servers was investigated, revealing that the threat actors were using this vulnerability to list and exfiltrate victims' mailbox contents without any interaction from the victim other than opening the malicious email.
Threat Analysis
In February 2023, suspicious activity was discovered involving the C2 IP address 198.50.170[.]72 over TCP port 7662.
This IP was later attributed to the domain bugiplaysec[.]com, owned by TAG-70. This domain was found communicating with a victim IP address over port 443.
Moreover, similar activity was discovered involving an IP address associated with the Embassy of the Republic of Uzbekistan in Ukraine.
This IP address was communicating with another C2 domain, ocsp-reloads[.]com, resolving to 38.180.2[.]23. In both cases, TAG-70 administered the C2 domains through Tor.
In this latest Roundcube webmail server exploitation campaign, TAG-70 used an infrastructure configuration with the website recsecas[.]com and the C2 38.180.76[.]31 tunneling to another C2 administered through Tor.
Indicators Of Compromise
Domains:
- bugiplaysec[.]com
- hitsbitsx[.]com
- ocsp-reloads[.]com
- recsecas[.]com
IP Addresses:
- 38.180.2[.]23
- 38.180.3[.]57
- 38.180.76[.]31
- 86.105.18[.]113
- 176.97.66[.]57
- 176.97.76[.]118
- 176.97.76[.]129
- 198.50.170[.]72
Malware Samples (SHA256):
- 6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26
- ea22b3e9ecdfd06fae74483deb9ef0245aefdc72f99120ae6525c0eaf37de32e
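The following Python script is an added example, not code from the article or from any of the researchers it cites. It takes the defanged indicators listed above (domains, IP addresses, and SHA256 hashes), refangs them, and sweeps a set of constructed sample log lines (a DNS resolver log, a firewall connection log, and an AV scan log; all made up for this example and not real telemetry) for matches. The log format and the field names (`qname=`, `dst=`, `sha256=`) are assumptions; adapt the regexes to whatever your own log sources emit.

```python
import re
from typing import List, Tuple

# Indicators exactly as published in the article, in defanged [.] form.
IOC_DOMAINS = [
    "bugiplaysec[.]com", "hitsbitsx[.]com", "ocsp-reloads[.]com", "recsecas[.]com",
]
IOC_IPS = [
    "38.180.2[.]23", "38.180.3[.]57", "38.180.76[.]31", "86.105.18[.]113",
    "176.97.66[.]57", "176.97.76[.]118", "176.97.76[.]129", "198.50.170[.]72",
]
IOC_SHA256 = [
    "6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26",
    "ea22b3e9ecdfd06fae74483deb9ef0245aefdc72f99120ae6525c0eaf37de32e",
]


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a real dot for matching."""
    return indicator.replace("[.]", ".")


DOMAINS = {refang(d).lower() for d in IOC_DOMAINS}
IPS = {refang(i) for i in IOC_IPS}
HASHES = {h.lower() for h in IOC_SHA256}

# Constructed sample log lines (not from the article). Line 1 resolves one of the
# C2 domains, line 2 is an outbound connection to the C2 IP on TCP 7662 mentioned
# in the analysis, line 5 is a file whose hash matches a listed sample.
SAMPLE_LOGS = """\
2024-02-19T10:01:02Z dns query src=10.0.0.5 qname=ocsp-reloads.com qtype=A answer=38.180.2.23
2024-02-19T10:01:05Z fw allow src=10.0.0.5 dst=198.50.170.72 proto=tcp dport=7662
2024-02-19T10:02:11Z fw allow src=10.0.0.7 dst=142.250.74.78 proto=tcp dport=443
2024-02-19T10:03:30Z dns query src=10.0.0.9 qname=mail.example.org qtype=A answer=203.0.113.10
2024-02-19T10:04:00Z av scan path=/tmp/update.bin sha256=6800357ec3092c56aab17720897c29bb389f70cb49223b289ea5365314199a26
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Hostnames only: the last label must be alphabetic, so dotted IPs do not match here.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def find_matches(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) pairs for every listed IoC found in one log line."""
    hits: List[Tuple[str, str]] = []
    for ip in IP_RE.findall(line):
        if ip in IPS:
            hits.append(("ip", ip))
    for digest in HASH_RE.findall(line):
        if digest.lower() in HASHES:
            hits.append(("sha256", digest.lower()))
    for host in DOMAIN_RE.findall(line):
        if host.lower() in DOMAINS:
            hits.append(("domain", host.lower()))
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Scan log lines and return (1-based line number, hits) for lines with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = find_matches(line)
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS.splitlines()):
        summary = ", ".join(f"{kind}={value}" for kind, value in hits)
        print(f"line {number}: {summary}")
```

A hit on a domain resolution or a connection to one of the listed addresses is a starting point for triage, not proof of compromise on its own; pair it with the Roundcube access logs of the affected server and with the mailbox activity of the user who received the message.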
Source credit : cybersecuritynews.com