Friday, November 22, 2024

Russian-Linked Hackers Target 80+ Organizations via Roundcube Flaws

Feb 19, 2024 | Newsroom | Cyber Espionage / Vulnerability

Threat actors operating with interests aligned to Belarus and Russia have been linked to a new cyber espionage campaign that likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target over 80 organizations.

These entities are primarily located in Georgia, Poland, and Ukraine, according to Recorded Future, which attributed the intrusion set to a threat actor known as Winter Vivern, also tracked as TA473 and UAC0114. The cybersecurity firm is tracking the hacking outfit under the moniker Threat Activity Group 70 (TAG-70).

Winter Vivern's exploitation of security flaws in Roundcube software was previously highlighted by ESET in October 2023, joining other Russia-linked threat actor groups such as APT28, APT29, and Sandworm that are known to target email software.

The adversary, which has been active since at least December 2020, has also been linked to the abuse of a now-patched vulnerability in Zimbra Collaboration email software last year to infiltrate organizations in Moldova and Tunisia in July 2023.

The campaign discovered by Recorded Future took place from the start of October 2023 and continued until the middle of the month, with the goal of gathering intelligence on European political and military activities. The attacks overlap with additional TAG-70 activity against Uzbekistan government mail servers that was detected in March 2023.

"TAG-70 has demonstrated a high level of sophistication in its attack methods," the company said. "The threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, bypassing the defenses of government and military organizations."

The attack chains involve exploiting Roundcube flaws to deliver JavaScript payloads that are designed to exfiltrate user credentials to a command-and-control (C2) server.

Recorded Future said it also found evidence of TAG-70 targeting the Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden.

"The targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran's diplomatic activities, especially regarding its support for Russia in Ukraine," it said.

"Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia's aspirations for European Union (EU) and NATO accession."
