Cyber Security News

Hackers Compromised the Roundcube Email Servers of Ukrainian organizations

APT28 (aka BlueDelta, Fancy Bear, Sednit, and Sofacy), a threat group connected to Russia’s GRU, hacked the Roundcube email servers of over 40 Ukrainian organizations, including government bodies.

The cyber-espionage group used news about the Russia-Ukraine conflict to trick people into opening harmful emails. These emails exploited vulnerabilities in Roundcube Webmail to hack into unsecured servers.

With the help of a malicious script, Russian military hackers redirect the individuals’ incoming emails to an email address controlled by the attackers after gaining unauthorized access to the email servers.

Moreover, this script is also used to:-

  • Gather intelligence information
  • Steal victims’ Roundcube address book
  • Steal session cookies
  • Steal other Roundcube database data

The investigation by Ukraine’s CERT-UA and Recorded Future’s Insikt Group revealed that the campaign’s objective was to collect and steal military intelligence for Russia’s invasion of Ukraine.

Since November 2021, it is believed that the APT28 military hackers have been using the same infrastructure for these cyberespionage attacks and other illicit activities.

In addition, this GRU-linked group has also faced allegations of exploiting the previously unknown zero-day vulnerabilities in Microsoft Outlook.

Investigations by Ukraine’s CERT-UA

An email titled “News of Ukraine” was detected during the thorough investigation of the mailbox contents of the computer user.

Here Below, we have mentioned all the key details regarding this email:-

  • Email received on 12.05.2023
  • Email received from ukraine_news@meta[.]ua
  • The email contained a bait article from an “NV” ( publication.
  • The email contained an exploit for the vulnerability in Roundcube CVE-2020-35730 (XSS)
  • The email contained JavaScript code for running “q.js” and “e.js” files.

An exploit for the Roundcube vulnerability that is tracked as “CVE-2021-44026” (SQLi) is present within the “q.js” file. While this exploit is primarily used to extract information from the database of Roundcube.

Moreover, the identification of the “c.js” code revealed that it carries an exploit for the CVE-2020-12641 vulnerability. This exploit allows for the execution of commands on the mail server.


Here below we have mentioned all the recommendations provided by the cybersecurity analysts:-

  • Within email attachments, the organizations should disable HTML and/or JavaScript.
  • Use anti-spoofing and authentication mechanisms to filter incoming email traffic.
  • Keep your security tools and systems up-to-date with the latest patches and updates.
  • Make sure to not open any attachments received from an unknown sender.

Manage and secure Your Endpoints Efficiently – Free Download


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.

Recent Posts

SSNDOB Marketplace Admin Jailed for Selling millions of Americans Data

In a resounding triumph for justice, U.S. District Judge Kathryn Kimball Mizelle has sentenced Vitalii…

11 hours ago

Is Your Online Store Hacked in a Carding Attack? Here’s an Action Plan to Protect

Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using…

15 hours ago

Google Researchers Find Out How ChatGPT Queries Can Collect Personal Data

The LLMs (Large Language Models) are evolving rapidly with continuous advancements in their research and…

15 hours ago

New Android Malware Employs Various Tactics to Deceive Malware Analyst

In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of…

17 hours ago

DJvu Ransomware Mimic as Cracked Software to Compromise Computers

A recent campaign has been observed to be delivering DJvu ransomware through a loader that…

18 hours ago

Okta Hack: Threat Actors Downloaded all Customer Support System Users’ Data

In a pivotal update to the Okta security incident divulged in October 2023, Okta Security…

19 hours ago