Russian-Linked Hackers Target 80+ Organizations via Roundcube Flaws

Threat actors with affiliations to Belarus and Russia have been implicated in a recent cyber espionage campaign, believed to have exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target over 80 organizations.

These targeted entities are predominantly situated in Georgia, Poland, and Ukraine, as per findings from Recorded Future. The campaign has been attributed to a threat actor known as Winter Vivern, also identified as TA473 and UAC0114, and is being monitored by cybersecurity firm Recorded Future under the designation Threat Activity Group 70 (TAG-70).

Winter Vivern's utilization of security loopholes in Roundcube and other software has been previously documented by ESET in October 2023, adding to the roster of Russia-associated threat actor groups such as APT28, APT29, and Sandworm, all of which are notorious for targeting email software.

This adversary, operational since at least December 2020, has also been linked to exploiting a now-patched vulnerability in Zimbra Collaboration email software in July 2023 to infiltrate organizations in Moldova and Tunisia.

The campaign uncovered by Recorded Future commenced at the onset of October 2023 and persisted until mid-month, with the primary objective of gathering intelligence on European political and military activities. These attacks coincide with other TAG-70 activities targeting Uzbekistan government mail servers detected in March 2023.

According to Recorded Future, "TAG70 has demonstrated a high level of sophistication in its attack methods." The threat actors employed social engineering tactics and exploited XSS vulnerabilities in Roundcube webmail servers to illicitly access targeted mail servers, circumventing the defenses of government and military organizations.

The attack chains involve leveraging Roundcube vulnerabilities to deploy JavaScript payloads, designed to extract user credentials to a command-and-control (C2) server.

Recorded Future's investigation also revealed instances of TAG-70 targeting Iranian embassies in Russia and the Netherlands, along with the Georgian Embassy in Sweden.

"The targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran's diplomatic activities, especially regarding its support for Russia in Ukraine," noted Recorded Future. "Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia's aspirations for European Union (EU) and NATO accession."