- ESET discovers a large cyber-espionage campaign
- It has been attributed to APT28, alias Fancy Bear
- The campaign exploited several N-day and zero-day vulnerabilities
For years, Russian state-sponsored threat actors have been spying on the e-mail communications of governments in Eastern Europe, Africa and Latin America.
A new report by ESET cybersecurity researchers found that the attackers abused multiple zero-day and N-day vulnerabilities in webmail servers to steal e-mails.
ESET named the campaign "RoundPress" and said it began in 2023. Since then, the Russian attackers known as Fancy Bear (alias APT28) have sent phishing e-mails to victims in Greece, Ukraine, Serbia, Bulgaria, Romania, Cameroon and Stig.
Government, military and other targets
The e-mails looked innocuous on the surface, discussing current political events, but their HTML body carried a piece of malicious JavaScript. It exploited a cross-site scripting (XSS) flaw in the webmail page the victim used and created invisible input fields that browsers and password managers would automatically fill with the stored login credentials.
In addition, the code read the DOM or sent HTTP requests to collect e-mail messages, contacts, webmail settings, 2FA information and more. All of it was then exfiltrated to a hard-coded command-and-control (C2) server.
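The mechanism above (script smuggled in an HTML body, event-handler or javascript: URL XSS vectors, and invisible form inputs to trigger autofill) is what a mail gateway can look for before the webmail client ever renders the message. The scanner below is an added example written for this article; it is not ESET's code nor part of Roundcube, MDaemon, Horde or Zimbra, and the sample e-mails it scans are constructed. The choice of tags and attributes it treats as "active content" is an assumption about what a legitimate newsletter never needs; it is a triage check for incident responders and administrators, not a substitute for patching the webmail software or for the webmail's own HTML sanitizer.

```python
"""Flag HTML e-mail parts that carry the constructs a RoundPress-style payload
relies on: inline script, event-handler attributes, script URLs and form
inputs (the autofill-harvesting trick). Added example, not ESET's or any
webmail vendor's code; the sample messages below are constructed."""
import email
from email import policy
from html.parser import HTMLParser

# Assumption: none of these belong in a rendered e-mail body. "script"-class
# tags carry code; form controls are what the payload used to make browsers
# and password managers autofill stored credentials.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg",
               "form", "input", "textarea", "button"}
URL_ATTRS = {"href", "src", "action", "formaction", "data",
             "background", "xlink:href"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")


def dangerous_url(value):
    """True if a URL attribute resolves to a script-bearing scheme."""
    # Browsers ignore ASCII control characters and whitespace inside the
    # scheme, so "java\tscript:" still executes; drop them before comparing.
    compact = "".join(ch for ch in (value or "") if ord(ch) > 0x20).lower()
    return compact.startswith(BAD_SCHEMES)


class ActiveContentScanner(HTMLParser):
    """Collect (reason, where) findings from one HTML part."""

    def __init__(self):
        # convert_charrefs also unescapes attribute values, so an entity-
        # encoded "java&#9;script:" reaches us already decoded.
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}"))
            elif name in URL_ATTRS and dangerous_url(value):
                self.findings.append(("script-url", f"{tag}@{name}"))
            elif name == "style" and "expression(" in (value or "").lower():
                self.findings.append(("css-expression", f"{tag}@style"))


def scan_message(raw):
    """Return findings for every text/html part of an RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = ActiveContentScanner()
        scanner.feed(part.get_content())
        scanner.close()
        findings.extend(scanner.findings)
    return findings


# Constructed sample: an ordinary HTML newsletter with a normal link.
BENIGN_MAIL = b"""\
From: newsletter@example.invalid
To: analyst@example.invalid
Subject: Weekly policy briefing
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>This week's parliamentary session covered the budget vote.</p>
<p><a href="https://example.invalid/briefing">Read more</a></p></body></html>
"""

# Constructed sample: the same benign-looking text, but the HTML part smuggles
# an event-handler XSS vector, an entity-obfuscated javascript: link and the
# invisible credential-catching inputs described in the article.
SUSPICIOUS_MAIL = b"""\
From: newsletter@example.invalid
To: analyst@example.invalid
Subject: Weekly policy briefing
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Weekly policy briefing - see the HTML version.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>This week's parliamentary session covered the budget vote.</p>
<img src="https://example.invalid/logo.png" onerror="alert(1)">
<div style="opacity:0;position:absolute;left:-9999px">
  <input name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
</div>
<a href="java&#9;script:alert(1)">Read more</a>
</body></html>
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_MAIL), ("suspicious", SUSPICIOUS_MAIL)):
        print(label, scan_message(raw))
```

Run against a mail spool or a quarantined .eml file, a non-empty result is a reason to pull the message for analysis, and the `input` findings in particular are a strong signal, since there is no legitimate reason for a newsletter to ship username and password fields. The scanner works on the decoded MIME part, so base64 or quoted-printable transfer encodings do not hide the payload from it.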
Unlike traditional phishing messages, which require the victim to take some action, these attacks only needed the victim to open and view the e-mail. Everything else happened in the background.
The silver lining is that the payload has no persistence mechanism, so it only runs while the victim has the e-mail open. That said, once is enough, since people rarely change their e-mail passwords.
ESET identified several flaws abused in this campaign, including two XSS flaws in Roundcube, an XSS zero-day in MDaemon, an unknown XSS in Horde and an XSS flaw in Zimbra.
Victims include government organizations, military organizations, defense companies and critical infrastructure companies.
Via BleepingComputer