- ESET uncovers a major cyber-espionage campaign
- It is attributed to APT28, also known as Fancy Bear
- The campaign exploited multiple n-day and zero-day vulnerabilities
For years, Russian state-sponsored threat actors have been eavesdropping on the email of governments in Eastern Europe, Africa and Latin America.
A new report by cybersecurity researchers at ESET found that the attackers were abusing multiple zero-day vulnerabilities in webmail servers to steal emails.
ESET dubbed the campaign “RoundPress” and says it began in 2023. Since then, the Russian attackers known as Fancy Bear (also tracked as APT28) have sent phishing emails to victims in Greece, Ukraine, Serbia, Bulgaria, Romania, Cameroon and Ecuador.
Government, military and other targets
The emails looked benign on the surface, discussing current political events, but their HTML body carried a malicious piece of JavaScript. It exploited a cross-site scripting (XSS) flaw in the webmail page the victim had open in the browser and created invisible input fields that browsers and password managers would autofill with the login credentials.
In addition, the code would read the DOM or send HTTP requests, collecting email messages, contacts, webmail settings, 2FA information and more. All of it was exfiltrated to a hardcoded C2 address.
Unlike traditional phishing messages, which require some action from the victim, these attacks only needed the victim to open and view the email. Everything else happened in the background.
The upside is that the payload has no persistence mechanism, so it only runs while the victim has the email open. That said, once is enough, since people rarely change their email passwords.
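As an added illustration (not ESET's or BleepingComputer's code), the following Python script shows the defensive side of what the article describes: a filter that a webmail client or mail gateway can run over an incoming HTML body to strip the active content such a message depends on (script elements, on* event handlers, javascript: URLs and injected form fields) and to report what it found. The element lists, function names and the sample message body are constructed for this example; the script body in the sample is a harmless placeholder.

```python
"""Defensive scanner/sanitizer for HTML mail bodies (added example; not ESET's
or BleepingComputer's code).

Webmail clients render the HTML body of incoming messages. If active content
in that HTML survives to the browser (script elements, on* event-handler
attributes, javascript: URLs, injected form fields), a cross-site scripting bug
in the webmail turns merely opening the message into code running in the user's
session. This filter strips that content and reports what it removed, so it can
serve both as a gateway-side detector and as a render-time sanitizer. Element
lists, names and the sample message are constructed for this example.
"""
from html import escape
from html.parser import HTMLParser

# Elements that have no business in a rendered mail body. <form>/<input> are the
# vehicle for the invisible credential fields the article describes.
DROP_ELEMENTS = {"script", "iframe", "object", "embed", "form", "input",
                 "meta", "link", "base"}
# Elements with no closing tag, so dropping them must not open a skip region.
VOID_ELEMENTS = {"br", "hr", "img", "input", "meta", "link", "base"}
# Attributes carrying a URL that must not use a script-bearing scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "background"}


def is_unsafe_url(value: str) -> bool:
    """True for javascript:/vbscript:/data: URLs, tolerating the whitespace and
    control characters browsers ignore inside a scheme ("java\\tscript:")."""
    compact = "".join(ch for ch in value.lower() if not ch.isspace() and ord(ch) > 31)
    return compact.startswith(("javascript:", "vbscript:", "data:"))


class MailHtmlSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.findings: list[str] = []
        self._skip_depth = 0  # > 0 while inside a dropped element: content discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.findings.append(f"dropped <{tag}>")
            if tag not in VOID_ELEMENTS:
                self._skip_depth += 1
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:  # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.findings.append(f"removed event handler {name} on <{tag}>")
                continue
            if name in URL_ATTRS and value is not None and is_unsafe_url(value):
                self.findings.append(f"removed unsafe {name} on <{tag}>")
                continue
            kept.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            if tag not in VOID_ELEMENTS and self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        # Comments (including IE conditional comments) are never re-emitted.
        pass


def sanitize_mail_html(body: str) -> tuple[str, list[str]]:
    """Return (sanitized_html, findings). A non-empty findings list is the
    detection signal; the sanitized HTML is what the webmail should render."""
    parser = MailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample resembling the article's description: innocuous political
# text plus hidden active content. The tab inside "java\tscript:" shows why the
# scheme check must normalise whitespace first.
SAMPLE_BODY = (
    "<html><body>"
    "<p>Notes from today's parliamentary session are below.</p>"
    "<script>void(0)</script>"
    '<img src="cid:logo" onerror="void(0)">'
    '<a href="java\tscript:void(0)">Read more</a>'
    '<input type="text" name="user" style="position:absolute;left:-9999px">'
    "</body></html>"
)

if __name__ == "__main__":
    clean, findings = sanitize_mail_html(SAMPLE_BODY)
    for finding in findings:
        print("FINDING:", finding)
    print(clean)
```

Run stand-alone, the script lists four findings for the sample (the dropped script element, the onerror handler, the javascript: link and the off-screen input field) and prints the body with only the harmless markup left. An allow-list of elements and attributes would be stricter still; this version is deliberately a deny-list so that each removal maps onto one of the techniques the article names.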
ESET identified multiple flaws abused in this campaign, including two XSS flaws in Roundcube, one zero-day XSS in MDaemon, an unknown XSS in Horde and an XSS flaw in Zimbra.
Victims include government organizations, military organizations, defense companies and critical infrastructure firms.
Via BleepingComputer