Operational information was received from the participant of the information exchange regarding the detection of network connections between the information and communication system (ICS) of the state organization of Ukraine and the infrastructure associated with the APT28 group.

In the process of analyzing the log files of the inter-network screen of the subject of coordination, an electronic computer (EC) was identified from which the above-mentioned communication was carried out on 12.05.2023; however, no signs of damage to the computer by malicious programs were detected.

At the same time, during the investigation of the contents of the mailbox of the computer user, an e-mail with the subject "News of Ukraine" was discovered, received on 12.05.2023 from the address "ukraine_news@meta[.]ua", which contained bait content in the form of an article from the publication "NV" (nv.ua), as well as an exploit for the vulnerability in Roundcube CVE-2020-35730 (XSS) and the corresponding JavaScript code designed to load and run additional JavaScript files: "q.js" and "e.js".

Among the mentioned files, "e.js" ensures the creation of a "default filter" filter for redirecting incoming e-mails to a third-party e-mail address, and also performs exfiltration using HTTP POST requests: address book, session values (Cookie) and victim's e-mails. In turn, "q.js" contains an exploit for the vulnerability in Roundcube CVE-2021-44026 (SQLi), which is used to exfiltrate information from the Roundcube database.

Additionally, the "c.js" program code containing an exploit for the CVE-2020-12641 vulnerability and executing commands on the mail server was discovered.

In general, similar e-mails were sent to the addresses of more than 40 Ukrainian organizations.

We emphasize that the implementation of the threat was facilitated by the use of an outdated version of Roundcube (1.4.1).

We would like to take this opportunity to express our gratitude to the researchers of the international company, with whom the prompt exchange of information made it possible to detect attempts to implement a cyber threat in a timely manner. More detailed information about the cyber attack can be obtained at the link: www.recordedfuture.com/bluedelta-exploits-ukrainian-government-roundcube-mail-servers.

source