Rewterz Threat Alert – APT28 Exploits Roundcube Email Servers in Cyberattack on Ukrainian Entities – Active IOCs

Severity

High

Analysis Summary

A joint investigation conducted by Ukraine’s Response Team and researchers has revealed that the Russia-linked APT28 group, also known as Fancy Bear, hacked into Roundcube email servers belonging to multiple Ukrainian organizations. APT28 has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group has also been involved in previous attacks, including the ones targeting the 2016 Presidential election.

APT28 operates under military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). Their campaigns primarily involve spear-phishing and malware-based attacks. In the recent campaign, the threat actors used news about the ongoing conflict between Russia and Ukraine as bait. They sent crafted emails to the target organizations, exploiting vulnerabilities in Roundcube Webmail (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) to gain unauthorized access to vulnerable servers.

During the investigation, a specific email with the subject “News of Ukraine” was discovered, containing bait content and an exploit for the Roundcube CVE-2020-35730 vulnerability. The report published by the response team revealed that additional JavaScript files, “q.js” and “e.js,” were used to redirect incoming emails and exfiltrate data such as address book, session values (Cookie), and victim’s email messages.

The hackers deployed scripts to redirect incoming emails to an email address under their control and exploited an SQLi issue (CVE-2021-44026) to steal Roundcube data. One of the scripts, “c.js,” contained an exploit for the CVE-2020-12641 vulnerability. The campaign targeted more than 40 Ukrainian organizations, including government entities.

Researchers believes that this campaign, known as BlueDelta activity, has been active since November 2021. It is likely intended to support Russia’s invasion of Ukraine by gathering military intelligence. The campaign overlaps with previous APT28 attacks that exploited a Microsoft Outlook zero-day vulnerability (CVE-2023-23397) and targeted European organizations.

This incident highlights the ongoing threat posed by APT28 and their persistent targeting of organizations, particularly in the context of geopolitical conflicts. It emphasizes the importance of robust cybersecurity measures, including regular patching, employee education on phishing techniques, and proactive monitoring for potential threats. Organizations within Ukraine and other targeted regions should remain vigilant and collaborate with cybersecurity experts to enhance their defenses against APT28 and similar threat actors.

In April 2023, intelligence services from the United States and the United Kingdom issued warnings regarding APT28’s exploitation of a zero-day vulnerability in Cisco routers. The purpose of these attacks was to deploy the Jaguar Tooth malware, which facilitated the collection of intelligence from targets based in the United States and European Union.

The APT28 group gained notoriety for its role in the high-profile 2015 cyberattack on the German Federal Parliament (Deutscher Bundestag), as well as its involvement in the hacking incidents targeting the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) during the 2016 U.S. elections. The United States officially charged APT28 members in relation to these activities two years later.

Recognizing the severity of APT28’s actions, the Council of the European Union imposed sanctions on individuals associated with the group in October 2020, specifically in response to their participation in the 2015 breach of the Deutscher Bundestag.

These incidents highlight the persistent and wide-ranging cyber threats posed by APT28. It underscores the importance of robust cybersecurity measures and international cooperation in combating such state-sponsored threat actors. Governments, organizations, and individuals should remain vigilant and take proactive steps to protect their systems and sensitive information from APT28 and similar adversaries.

Impact

• Information Theft
• Data Exfiltration
• Exposure of Sensitive Data

Indicators of Compromise

Domain Name

• aneria.net
• armpress.net
• ceriossl.info
• fountainrate.com
• global-news-world.com
• global-world-news.net
• lonejade.com
• modeselling.com
• oncetrips.com
• vtxhospital.com
• ns1.fountainrate.com
• ns2.fountainrate.com
• ns1.lonejade.com
• ns1.modeselling.com
• ns2.modeselling.com
• ns1.oncetrips.com
• ns1.vtxhospital.com
• starvars.top
• sourcescdn.net
• runstatistics.net

IP

• 185.225.226.57
• 185.82.126.85
• 77.243.181.238
• 46.183.219.207

URL

• https://global-world-news.net/about/
• https://global-world-news.net/addressbook/
• https://global-world-news.net/e?m=&r=&s=
• https://global-world-news.net/emails/

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT28. Also, prioritize patching known exploited vulnerabilities and zero-days.
• Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
• Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.