- ESET uncovers a serious cyber-espionage campaign
- It was attributed to APT28, AKA Fancy Bear
- The campaign leveraged a number of n-day and zero-day flaws
For years now, Russian state-sponsored threat actors have been eavesdropping on email communications from governments across Eastern Europe, Africa, and Latin America.
A new report from cybersecurity researchers at ESET has found that the attackers have been abusing a number of zero-day and n-day vulnerabilities in webmail servers to steal the emails.
ESET named the campaign “RoundPress”, and says that it began in 2023. Since then, the Russian attackers known as Fancy Bear (AKA APT28) have been sending phishing emails to victims in Greece, Ukraine, Serbia, Bulgaria, Romania, Cameroon, and Ecuador.
Government, military, and other targets
The emails would appear benign on the surface, discussing daily political events, but in the HTML body they would carry a malicious piece of JavaScript code. It would exploit a cross-site scripting (XSS) flaw in the webmail browser page that the victim was using, and create invisible input fields where browsers and password managers would auto-fill login credentials.
Furthermore, the code would read the DOM, or send HTTP requests, collecting email messages, contacts, webmail settings, 2FA information, and more. All of the information would then be exfiltrated to a hardcoded C2 address.
Unlike traditional phishing messages, which require some action on the victim's side, these attacks only needed the victim to open and view the email. Everything else was executed in the background.
The silver lining here is that the payload has no persistence mechanism, so it only runs when the victim opens the email. That being said, once is most likely enough, since people do not change their email passwords that often.
ESET identified a number of flaws being abused in this attack, including two XSS flaws in Roundcube, an XSS zero-day in MDaemon, an unknown XSS in Horde, and an XSS flaw in Zimbra.
Victims include government organizations, military organizations, defense companies, and critical infrastructure companies.
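A defender-side illustration of the pattern described above, written for this page rather than taken from ESET's report or any RoundPress sample: a heuristic scanner (Python; class and function names are assumed) that flags HTML email bodies carrying inline script, event-handler attributes, javascript: URLs, or visually hidden credential-like input fields of the kind a browser or password manager might auto-fill. The sample bodies are constructed.

```python
import re
from html.parser import HTMLParser

# CSS tricks commonly used to keep an input off-screen yet auto-fillable.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|left\s*:\s*-\d{3,}px|top\s*:\s*-\d{3,}px", re.I)
# Field names a password manager would treat as credentials.
CRED_NAME = re.compile(r"user|login|email|pass|pwd|otp|token", re.I)


class MailBodyScanner(HTMLParser):
    """Collects (severity, description) findings while parsing an HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self.findings.append(("high", "inline <script> element"))
        for k, v in a.items():
            if k.startswith("on"):  # onerror=, onload=, onmouseover=, ...
                self.findings.append(("high", f"event handler {k} on <{tag}>"))
            if k in ("href", "src", "action") and v.strip().lower().startswith("javascript:"):
                self.findings.append(("high", f"javascript: URL in <{tag} {k}>"))
        if tag == "input":
            name = a.get("name", "") + a.get("id", "")
            hidden = (a.get("type", "").lower() == "hidden"
                      or bool(HIDDEN_STYLE.search(a.get("style", "")))
                      or "hidden" in a.get("class", "").lower())
            if hidden and CRED_NAME.search(name):
                self.findings.append(("medium", f"hidden credential-like input '{name}'"))


def scan_email_html(html: str) -> list:
    """Return the list of findings for one HTML email body (empty if clean)."""
    p = MailBodyScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample bodies for demonstration only.
BENIGN = "<html><body><p>Agenda for Thursday's session attached.</p></body></html>"
SUSPECT = ('<html><body><p>Agenda attached.</p>'
           '<img src="x" onerror="run()">'
           '<input name="username" style="position:absolute;left:-9999px">'
           '<input name="password" type="password" style="display:none">'
           '</body></html>')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_email_html(body))
```

A mail gateway would normally strip active content outright rather than score it; the scanner is meant for triage of messages that reached a webmail client, where the XSS flaws described above turn this content into executed code.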
Via BleepingComputer