APT28 Targets Roundcube Vulnerabilities to Exploit Ukrainian Organizations
Category: Russia & Ukraine | Industries: Aviation, Government |
Source: Recorded Future
A collaborative threat monitoring effort by Ukraine's computer emergency response team (CERT-UA) and researchers from Recorded Future's Insikt Group has identified a spear-phishing campaign attributed to APT28 (also known as Fancy Bear or BlueDelta). The campaign has been active since at least November 2021 and specifically targeted the Ukrainian government and an aviation organization operating within the country's military. Recorded Future assesses that the campaign was conducted to "enable military intelligence-gathering to support Russia's invasion of Ukraine."
The emails lured victims with news about the Russia-Ukraine war while exploiting vulnerabilities in the Roundcube Webmail service, specifically CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026. Once these vulnerabilities were exploited, the threat actors were able to "run reconnaissance and exfiltration scripts, redirecting incoming emails and gathering session cookies, user information, and address books. The attachment contained JavaScript code that executed additional JavaScript payloads from BlueDelta-controlled infrastructure," said Recorded Future. The campaign is noted for demonstrating "a high level of preparedness" by the threat actors, reflecting the sustained effort of a Russian APT group in pursuit of strategic military advantage.