Hackers Compromised the Roundcube Email Servers of Ukrainian organizations

APT28 (aka BlueDelta, Fancy Bear, Sednit, and Sofacy), a threat group connected to Russia’s GRU, hacked the Roundcube email servers of over 40 Ukrainian organizations, including government bodies.

The cyber-espionage group used news about the Russia-Ukraine conflict to trick people into opening harmful emails. These emails exploited vulnerabilities in Roundcube Webmail to hack into unsecured servers.

With the help of a malicious script, Russian military hackers redirect the individuals’ incoming emails to an email address controlled by the attackers after gaining unauthorized access to the email servers.

Moreover, this script is also used to:-

• Gather intelligence information
• Steal victims’ Roundcube address book
• Steal session cookies
• Steal other Roundcube database data

The investigation by Ukraine’s CERT-UA and Recorded Future’s Insikt Group revealed that the campaign’s objective was to collect and steal military intelligence for Russia’s invasion of Ukraine.

Since November 2021, it is believed that the APT28 military hackers have been using the same infrastructure for these cyberespionage attacks and other illicit activities.

In addition, this GRU-linked group has also faced allegations of exploiting the previously unknown zero-day vulnerabilities in Microsoft Outlook.

Investigations by Ukraine’s CERT-UA

An email titled “News of Ukraine” was detected during the thorough investigation of the mailbox contents of the computer user.

Here Below, we have mentioned all the key details regarding this email:-

• Email received on 12.05.2023
• Email received from ukraine_news@meta[.]ua
• The email contained a bait article from an “NV” (nv.ua) publication.
• The email contained an exploit for the vulnerability in Roundcube CVE-2020-35730 (XSS)
• The email contained JavaScript code for running “q.js” and “e.js” files.

An exploit for the Roundcube vulnerability that is tracked as “CVE-2021-44026” (SQLi) is present within the “q.js” file. While this exploit is primarily used to extract information from the database of Roundcube.

Moreover, the identification of the “c.js” code revealed that it carries an exploit for the CVE-2020-12641 vulnerability. This exploit allows for the execution of commands on the mail server.

Recommendations

Here below we have mentioned all the recommendations provided by the cybersecurity analysts:-

• Within email attachments, the organizations should disable HTML and/or JavaScript.
• Use anti-spoofing and authentication mechanisms to filter incoming email traffic.
• Keep your security tools and systems up-to-date with the latest patches and updates.
• Make sure to not open any attachments received from an unknown sender.

Manage and secure Your Endpoints Efficiently – Free Download