Source: CyberNews
Summary
APT28, the codename for the cyber arm of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), has breached email servers belonging to multiple Ukrainian organizations, including government entities.
APT28 leveraged content related to the Russian invasion of Ukraine to trick targets into opening malicious emails that would exploit known Roundcube Webmail vulnerabilities to hack into unpatched servers.
After breaching the email servers, APT28 deployed malicious scripts that redirected the incoming emails of targeted individuals to an email address under its control. The scripts were also capable of stealing the victims' Roundcube address books, session cookies, and other information stored within Roundcube's database.
Analysis
The compromise of Ukrainian government email accounts would likely yield valuable intelligence for the GRU, currently tasked with supporting Russia’s invasion of Ukraine. The GRU has a long history of targeting Ukrainian entities and uses a wide range of TTPs, including cyber operations like this campaign, Signals Intelligence (SIGINT) collection, and Human Intelligence (HUMINT) operations.
The compromise of Ukrainian email servers through the exploitation of known vulnerabilities highlights the importance of maintaining a high patching cadence. This specific campaign would not have been successful had the servers been updated with patches released in 2020 and 2021.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as Roundcube. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect recommends that governments and organizations in Ukraine, and those in support of Ukraine, adopt a heightened security posture given the threat posed by Russian state-sponsored cyber actors.
We also encourage all organizations to review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) Shields Up program, which provides robust guidance for preparing for, responding to, and mitigating the impacts of Russian state-sponsored cyberattacks.