----------------------------------------------------------------------------------
@MSGID: 31846.politicf@1:2320/105 2c8e4a55
@TZUTC: -0500
@PID: Synchronet 3.20a-Linux master/acc19483f Apr 26
202 GCC 12.2.0
@TID: SBBSecho 3.20-Linux master/acc19483f Apr 26
2024 23:04 GCC 12.2.0
@BBSID: CAPCITY2
@CHRS: ASCII 1
Global Russian hacking campaign steals data from government agencies
Date:
Fri, 16 May 2025 17:00:00 +0000
Description:
Russian hackers found a way into webmail accounts and have been using it
since 2023.
FULL STORY
======================================================================
- ESET uncovers a major cyber-espionage campaign
- It was attributed to APT28, AKA Fancy Bear
- The campaign leveraged multiple n-day and zero-day flaws
For years now, Russian state-sponsored threat actors have been eavesdropping
on email communications from governments across Eastern Europe, Africa, and
Latin America.
A new report from cybersecurity researchers ESET has found that the crooks
were abusing multiple zero-day and n-day vulnerabilities in webmail servers
to steal the emails.
ESET named the campaign RoundPress, and says that it started in 2023. Since
then, Russian attackers known as Fancy Bear (AKA APT28), were sending out
phishing emails to victims in Greece, Ukraine, Serbia, Bulgaria, Romania,
Cameroon, and Ecuador.
Government, military, and other targets
The emails would seem benign on the surface, discussing daily political
events, but in the HTML body, they would carry a malicious piece of
JavaScript code. It would exploit a cross-site scripting (XSS) flaw in the
webmail browser page that the victim was using, and create invisible input
fields where browsers and password managers would auto-fill login
credentials.
Furthermore, the code would read the DOM, or send HTTP requests, collecting
email messages, contacts, webmail settings, 2FA information, and more. All of
the information would then be exfiltrated to a hardcoded C2 address.
Unlike traditional phishing messages, which require some action on the
victims side, these attacks only needed the victim to open and view the
email. Everything else was being done in the background.
The silver lining here is that the payload has no persistence mechanism, so
it only runs when the victim opens the email. That being said, once is most
likely enough since people rarely change their email passwords that often.
ESET identified multiple flaws being abused in this attack, including two XSS
flaws in Roundcube, an XSS zero-day in MDaemon, an unknown XSS in Horde, and
an XSS flaw in Zimbra.
Victims include government organizations, military organizations, defense
companies, and critical infrastructure firms.
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/security/global-russian-hacking-campaign-steals-
data-from-government-agencies
$$
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 1/120 18/0 50/109 103/705 116/116 123/0
25 180 525 755 3001 3002
SEEN-BY: 124/5016 135/115 153/757 7715 154/10 30
203/0 221/0 222/2 240/1120
SEEN-BY: 240/5832 250/1 263/1 275/1000 280/464 5003
5006 292/854 8125 301/1
SEEN-BY: 310/31 341/66 234 396/45 423/120 460/58
467/888 633/280 712/848 1321
SEEN-BY: 770/1 2320/0 105 107 3634/0 12 24 27 56
57 58 60 5000/111 5020/400
SEEN-BY: 5020/715 846 848 1042 4441 12000 5030/49
1081 5061/133 5075/128
SEEN-BY: 5083/444
@PATH: 2320/105 3634/12 222/2 263/1 280/464 467/888
5020/1042 4441