Global Russian hacking campaign steals data from government agencies

19 hours ago 8

Close up of a person touching an email icon.

Image Credit: Pixabay (Image credit: Geralt / Pixabay)

ESET uncovers a major cyber-espionage campaign
It was attributed to APT28, AKA Fancy Bear
The campaign leveraged multiple n-day and zero-day flaws

For years now, Russian state-sponsored threat actors have been eavesdropping on email communications from governments across Eastern Europe, Africa, and Latin America.

A new report from cybersecurity researchers ESET has found that the crooks were abusing multiple zero-day and n-day vulnerabilities in webmail servers to steal the emails.

ESET named the campaign “RoundPress”, and says that it started in 2023. Since then, Russian attackers known as Fancy Bear (AKA APT28), were sending out phishing emails to victims in Greece, Ukraine, Serbia, Bulgaria, Romania, Cameroon, and Ecuador.

Government, military, and other targets

The emails would seem benign on the surface, discussing daily political events, but in the HTML body, they would carry a malicious piece of JavaScript code. It would exploit a cross-site scripting (XSS) flaw in the webmail browser page that the victim was using, and create invisible input fields where browsers and password managers would auto-fill login credentials.

Furthermore, the code would read the DOM, or send HTTP requests, collecting email messages, contacts, webmail settings, 2FA information, and more. All of the information would then be exfiltrated to a hardcoded C2 address.

Unlike traditional phishing messages, which require some action on the victim’s side, these attacks only needed the victim to open and view the email. Everything else was being done in the background.

The silver lining here is that the payload has no persistence mechanism, so it only runs when the victim opens the email. That being said, once is most likely enough since people rarely change their email passwords that often.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

ESET identified multiple flaws being abused in this attack, including two XSS flaws in Roundcube, an XSS zero-day in MDaemon, an unknown XSS in Horde, and an XSS flaw in Zimbra.

Victims include government organizations, military organizations, defense companies, and critical infrastructure firms.

Via BleepingComputer

Solar grids could be hijacked and even potentially disabled by these security flaws
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article