![[Weekly funding roundup May 10-16] Large deals remain a no-show](https://images.yourstory.com/cs/2/220356402d6d11e9aa979329348d4c3e/Weekly-funding-1741961216560.jpg)
![Epic Games: Fortnite is offline for Apple devices worldwide after app store rejection [updated]](https://helios-i.mashable.com/imagery/articles/00T6DmFkLaAeJiMZlCJ7eUs/hero-image.fill.size_1200x675.v1747407583.jpg)
.jpg)
Global Russian hacking campaign steals data from government agencies
Russian hackers found a way into webmail accounts and have been using it since 2023.
- ESET uncovers a major cyber-espionage campaign
- It was attributed to APT28, AKA Fancy Bear
- The campaign leveraged multiple n-day and zero-day flaws
For years now, Russian state-sponsored threat actors have been eavesdropping on email communications from governments across Eastern Europe, Africa, and Latin America.
A new report from cybersecurity researchers ESET has found that the crooks were abusing multiple zero-day and n-day vulnerabilities in webmail servers to steal the emails.
ESET named the campaign “RoundPress”, and says that it started in 2023. Since then, Russian attackers known as Fancy Bear (AKA APT28), were sending out phishing emails to victims in Greece, Ukraine, Serbia, Bulgaria, Romania, Cameroon, and Ecuador.
Save up to 68% on identity theft protection for TechRadar readers!
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal.
Preferred partner (What does this mean?)View Deal
Government, military, and other targets
The emails would seem benign on the surface, discussing daily political events, but in the HTML body, they would carry a malicious piece of JavaScript code. It would exploit a cross-site scripting (XSS) flaw in the webmail browser page that the victim was using, and create invisible input fields where browsers and password managers would auto-fill login credentials.
Furthermore, the code would read the DOM, or send HTTP requests, collecting email messages, contacts, webmail settings, 2FA information, and more. All of the information would then be exfiltrated to a hardcoded C2 address.
Unlike traditional phishing messages, which require some action on the victim’s side, these attacks only needed the victim to open and view the email. Everything else was being done in the background.
The silver lining here is that the payload has no persistence mechanism, so it only runs when the victim opens the email. That being said, once is most likely enough since people rarely change their email passwords that often.
ESET identified multiple flaws being abused in this attack, including two XSS flaws in Roundcube, an XSS zero-day in MDaemon, an unknown XSS in Horde, and an XSS flaw in Zimbra.
Victims include government organizations, military organizations, defense companies, and critical infrastructure firms.
Via BleepingComputer
You might also like
- Solar grids could be hijacked and even potentially disabled by these security flaws
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
