The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open the emails; merely opening an email on a vulnerable Roundcube server (an open-source webmail application) triggered exploitation of CVE-2020-35730, with no interaction with the attachment required. We found that the campaign overlaps with historic BlueDelta activity exploiting the Microsoft Outlook zero-day vulnerability CVE-2023-23397 in 2022.
The campaign overlaps with activity attributed by CERT-UA to APT28 (also known as Forest Blizzard and Fancy Bear), which multiple Western governments attribute to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Based on the targeting, the geopolitical backdrop, and the group’s organizational links, the highlighted BlueDelta activity was likely intended to enable military intelligence-gathering in support of Russia’s invasion of Ukraine. Infrastructure related to this BlueDelta activity has likely been operational since at least November 2021. Insikt Group identified this infrastructure via Recorded Future® Malicious Traffic Analysis (MTA), which surfaced multiple Ukrainian entities, including government institutions, communicating with it. Organizations within Ukraine are likely the primary targets of this activity. Potential targets can mitigate the risk of exploitation of these known vulnerabilities by ensuring that any Roundcube installation is fully patched and up to date.
● Insikt Group identified BlueDelta activity highly likely targeting a regional Ukrainian prosecutor's office and a central Ukrainian executive authority, as well as reconnaissance activity involving additional Ukrainian government entities and an organization involved in Ukrainian military aircraft infrastructure upgrade and refurbishment.
● The analyzed BlueDelta phishing campaign exploits the vulnerabilities CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026 in the open-source webmail software Roundcube to run multiple reconnaissance and exfiltration scripts.
● The malicious scripts are designed to redirect a victim’s future incoming emails to an actor-controlled email address, perform reconnaissance on the target Roundcube server, and exfiltrate the victim’s Roundcube session cookie and address book, along with session and user information from Roundcube’s database.