Russian-Linked Hackers Target 80+ Organizations via Roundcube Flaws

Russian-Linked Hackers Target 80+ Organizations via Roundcube Flaws

Threat actors operating with interests aligned to Belarus and Russia have been linked to a new cyber espionage campaign that likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target over 80 organizations.

These entities are primarily located in Georgia, Poland, and Ukraine, according to Recorded Future, which attributed the intrusion set to a threat actor known as Winter Vivern, which is also known as TA473 and UAC0114. The cybersecurity firm is tracking the hacking outfit under the moniker Threat Activity Group 70 (TAG-70).

Winter Vivern’s exploitation of security flaws in Roundcube and software was previously highlighted by ESET in October 2023, joining other Russia-linked threat actor groups such as APT28, APT29, and Sandworm that are known to target email software.

The adversary, which has been active since at least December 2020, has also been linked to the abuse of a now-patched vulnerability in Zimbra Collaboration email software last year to infiltrate organizations in Moldova and Tunisia in July 2023.

The attack chains involve exploiting Roundcube flaws to deliver JavaScript payloads that are designed to exfiltrate user credentials to a command-and-control (C2) server.

Recorded Future said it also found evidence of TAG-70 targeting the Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden.

“The targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran’s diplomatic activities, especially regarding its support for Russia in Ukraine,” it said.