CVE-2020-35730, CVE-2021-44026, CVE-2020-12641 Exploit Detection: APT28 Group Abuses Roundcube Flaws In Spearphishing Espionage Attacks

[post-views]
June 21, 2023 · 5 min read
CVE-2020-35730, CVE-2021-44026, CVE-2020-12641 Exploit Detection: APT28 Group Abuses Roundcube Flaws In Spearphishing Espionage Attacks

With the ongoing russian cyber offensive operations targeting Ukraine and its allies, the aggressor is continuously launching cyber-espionage campaigns against state bodies and other organizations representing critical infrastructure. Less than a week after CERT-UA researchers warned of a spike in cyber-espionage attacks by russia-linked Shuckworm group, another nefarious hacking group comes back to the scene. 

CERT-UA in conjunction with the Recorded Future’s Insikt Group has recently uncovered the ongoing malicious activity of the infamous russian state-sponsored APT28 hacking group that had similarities with a spearphishing campaign uncovered by Recorded Future’s Network Traffic Intelligence. The latest offensive operations involve massively spreading spearphishing emails leveraging vulnerability exploitation. The weaponized flaws are found in the Roundcube web-based email client and are tracked as CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641.

APT28 Attack Analysis Covered in the CERT-UA#6805 Alert

CERT-UA has been recently notified of the identified network communication between the information and communication system of one of the Ukrainian public sector organizations and the malicious infrastructure affiliated with the APT28 group. The investigation revealed traces of this communication with malicious actors dating back to May 12, 2023, however, luckily, the infection failed.

Recorded Future’s Insikt Group researchers have found that the ongoing operations by APT28 overlap with the earlier BlueDelta campaign exploiting the Microsoft Outlook zero-day vulnerability CVE-2023-23397

In response to the incident, the CERT-UA team has released the corresponding CERT-UA#6805 heads-up that notifies of the adversary attempts of the APT28 group to target the critical infrastructure of the Ukrainian public sector organization. The research revealed a phishing email with a subject related to Ukrainian war news that contained a lure article disguised as a nv.ua media source along with a Roundcube CVE-2020-35730 vulnerability exploit. In addition, the phishing email contained malicious JavaScript code intended for downloading and launching additional JavaScript files, q.js and e.js. The latter creates the default filter aimed at redirecting inbox emails to the third-party address and performs data exfiltration via the corresponding HTTP POST requests. The former file contains another Roundcube vulnerability exploit tracked as CVE-2021-44026, which allows attackers to exfiltrate data from the Roundcube database. 

The research also uncovered another Javascript code, c.js, which involves the CVE-2020-12641 Roundcube vulnerability exploit. Upon successful vulnerability exploitation, the latter enables remote command execution on the email server. 

CERT-UA states that hackers sent similar phishing emails to 40+ Ukrainian organizations striving to massively spread the infection, while Insikt Group identifies state bodies and military entities as the major targets of this campaign.

According to the investigation, APT28 attempted to leverage the old Roundcube version 1.4.1, which gave attackers the green light to expose multiple organizations to vulnerability exploitation risks.  

Detecting APT28 (UAC-0001/UAC-0028) Cyber Attacks Against Ukrainian Public Sector

APT28 group (aka Fancy Bear) has a long history of adversary campaings against Ukraine and its supporters, actively taking part in the ongoing cyber war on behalf of the Moscow government. According to the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), the APT28/UAC-0028 hacking group has been spotted behind a series of cyber attacks on Ukraine’s critical infrastructure in March 2022. In other cyber attacks by the APT28 hacking group, threat actors were observed targeting European government bodies and military organizations

During the last month, CERT-UA researchers report a surge in APT28 activity proceeding with cyber-espionage and destructive attacks against the Ukrainian public sector. For instance, CERT-UA#6562 alert confirms that over April 2023, the hacking collective has been leveraging the phishing attack vector to massively distribute spoofed emails among Ukrainian state bodies. 

To ensure proactive detection of the malicious activity associated with APT28, including the latest campaign leveraging Roundcube web-based email client vulnerabilities, SOC Prime Platform provides a bundle of dedicated Sigma rules.

Hit the Explore Detections button below to reach the full list of dedicated Sigma rules detecting the latest APT28 campaign. All rules are aligned with the MITRE ATT&CK® framework v12, enriched with in-depth cyber threat context, and compatible with 28 SIEM, EDR, and XDR solutions to fit particular security needs. Also, to streamline the content search, relevant detection algorithms are available via the “CERT-UA#6805” tag based on the alert identifier.

Explore Detections

Witnessing the escalation of the ongoing global cyber war for over a decade, SOC Prime team backed by our Threat Bounty Program members has been continuously analyzing the activities of prominent APT groups worldwide to craft curated detection content and help organizations enhance their cyber defense against state-sponsored threats. Reach the full set of detection content related to the APT28 attacks by clicking the Detect APT28 Attacks button.

Detect APT28 Attacks

Additionally, SecOps teams can streamline their threat hunting procedures by searching for indicators of compromise associated with the latest APT28 attack with the help of Uncoder AI. Just insert the file, host, or network IOCs provided by CERT-UA or another source into the Uncoder and select the content type of your target query to seamlessly create a performance-optimized IOC query ready to run in the chosen environment.

IOCs to hunt for APT28 attacks covered in the CERT-UA#6805 alert via Uncoder AI

Register for the SOC Prime Platform to equip your SOC with behavior-based Sigma rules against any TTP used by advanced persistent threats in their attacks. Benefit from the world’s fastest cybersecurity feed enhanced with tailored CTI and the largest repo of 10K+ Sigma rules. Rely on the power of augmented intelligence and collective cyber defense to advance your threat hunting and detection engineering efforts. Improve attack surface visibility and identify blind spots on time to always stay one step ahead of attackers. 

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts