Threat operators aligned with Belarus and Russia have been identified in a new cyber espionage campaign that likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target more than 80 organizations.
The companies are primarily located in Georgia, Poland and Ukraine, according to Recorded Future, which attributed the set of intrusions to a threat operator called Winter Vivern, also known as TA473 and UAC0114. The cybersecurity firm is tracking the hacker group under the moniker Threat Activity Group 70 (TAG-70).
The hacker’s exploitation of security flaws in Roundcube email servers was previously disclosed by ESET in October 2023, joining other Russian-linked threat groups such as APT28, APT29 and Sandworm, known for targeting security software. email.
TAG-70, which has been active since at least December 2020, was also linked to exploiting a now-patched vulnerability in Zimbra Collaboration email software last year to infiltrate organizations in Moldova and Tunisia in July 2023 .
The campaign discovered by Recorded Future has been running since the beginning of October 2023 and continued until the middle of this month with the aim of collecting information about European political and military activities. The attacks coincide with additional TAG-70 activity against Uzbekistan government mail servers that were detected in March last year.
“TAG70 demonstrated a high level of sophistication in its attack methods,” the company said. “Threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted email servers, bypassing the defenses of government and military organizations.”
The attack chains involve exploiting Roundcube flaws to deliver JavaScript payloads designed to exfiltrate user credentials to a command and control (C&C) server.
Recorded Future said it also found evidence of TAG-70 targeting the Iranian embassies in Russia and the Netherlands, as well as the Georgian embassy in Sweden and NATO.
Sources: CisoAdvisor, RecordedFuture
