- ESET uncovers a major cyber-espionage campaign
- It was attributed to APT28, AKA Fancy Bear
- The campaign leveraged multiple n-day and zero-day flaws
For years now, Russian state-sponsored threat actors have been eavesdropping on email communications from governments across Eastern Europe, Africa, and Latin America.
A new report from cybersecurity researchers ESET has found that the crooks were abusing multiple zero-day and n-day vulnerabilities in webmail servers to steal the emails.
ESET named the campaign “RoundPress”, and says that it started in 2023. Since then, Russian attackers known as Fancy Bear (AKA APT28), were sending out phishing emails to victims in Greece, Ukraine, Serbia, Bulgaria, Romania, Cameroon, and Ecuador.
Government, military, and other targets
The emails would seem benign on the surface, discussing daily political events, but in the HTML body, they would carry a malicious piece of JavaScript code. It would exploit a cross-site scripting (XSS) flaw in the webmail browser page that the victim was using, and create invisible input fields where browsers and password managers would auto-fill login credentials.
Furthermore, the code would read the DOM, or send HTTP requests, collecting email messages, contacts, webmail settings, 2FA information, and more. All of the information would then be exfiltrated to a hardcoded C2 address.
Unlike traditional phishing messages, which require some action on the victim’s side, these attacks only needed the victim to open and view the email. Everything else was being done in the background.
The silver lining here is that the payload has no persistence mechanism, so it only runs when the victim opens the email. That being said, once is most likely enough since people rarely change their email passwords that often.
ESET identified multiple flaws being abused in this attack, including two XSS flaws in Roundcube, an XSS zero-day in MDaemon, an unknown XSS in Horde, and an XSS flaw in Zimbra.
Victims include government organizations, military organizations, defense companies, and critical infrastructure firms.
Via BleepingComputer
You might also like
- Solar grids could be hijacked and even potentially disabled by these security flaws
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
