Recommended reading

Global Russian hacking campaign steals data from government agencies

News
By published

Russian hackers found a way into webmail accounts

Close up of a person touching an email icon.
Image Credit: Pixabay (Image credit: Geralt / Pixabay)
  • ESET uncovers a major cyber-espionage campaign
  • It was attributed to APT28, AKA Fancy Bear
  • The campaign leveraged multiple n-day and zero-day flaws

For years now, Russian state-sponsored threat actors have been eavesdropping on email communications from governments across Eastern Europe, Africa, and Latin America.

A new report from cybersecurity researchers ESET has found that the crooks were abusing multiple zero-day and n-day vulnerabilities in webmail servers to steal the emails.

ESET named the campaign “RoundPress”, and says that it started in 2023. Since then, Russian attackers known as Fancy Bear (AKA APT28), were sending out phishing emails to victims in Greece, Ukraine, Serbia, Bulgaria, Romania, Cameroon, and Ecuador.

Save up to 68% on identity theft protection for TechRadar readers!

Save up to 68% on identity theft protection for TechRadar readers!

TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal.

Preferred partner (What does this mean?)

View Deal

Government, military, and other targets

The emails would seem benign on the surface, discussing daily political events, but in the HTML body, they would carry a malicious piece of JavaScript code. It would exploit a cross-site scripting (XSS) flaw in the webmail browser page that the victim was using, and create invisible input fields where browsers and password managers would auto-fill login credentials.

Furthermore, the code would read the DOM, or send HTTP requests, collecting email messages, contacts, webmail settings, 2FA information, and more. All of the information would then be exfiltrated to a hardcoded C2 address.

Unlike traditional phishing messages, which require some action on the victim’s side, these attacks only needed the victim to open and view the email. Everything else was being done in the background.

The silver lining here is that the payload has no persistence mechanism, so it only runs when the victim opens the email. That being said, once is most likely enough since people rarely change their email passwords that often.

ESET identified multiple flaws being abused in this attack, including two XSS flaws in Roundcube, an XSS zero-day in MDaemon, an unknown XSS in Horde, and an XSS flaw in Zimbra.

Victims include government organizations, military organizations, defense companies, and critical infrastructure firms.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.