Hackers attack more than 80 organizations through Roundcube vulnerabilities

admin, 2024-02-21 23:40:05, 23 views, 2,972 characters, about 10 minutes' reading


Threat actors operating with interests aligned to Belarus and Russia have been linked to a new cyber espionage campaign that likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target over 80 organizations.


These entities are primarily located in Georgia, Poland, and Ukraine, according to Recorded Future, which attributed the intrusion set to a threat actor known as Winter Vivern, which is also known as TA473 and UAC0114. The cybersecurity firm is tracking the hacking outfit under the moniker Threat Activity Group 70 (TAG-70).


Winter Vivern's exploitation of security flaws in Roundcube webmail software was previously highlighted by ESET in October 2023, when the company reported the group abusing a then-unpatched stored XSS in Roundcube's handling of SVG content in HTML e-mail (CVE-2023-5631). That puts Winter Vivern alongside other Russia-linked threat actor groups such as APT28, APT29, and Sandworm that are known to target email software.


The adversary, which has been active since at least December 2020, has also been linked to the abuse of a now-patched vulnerability in Zimbra Collaboration email software to infiltrate organizations in Moldova and Tunisia in July 2023.


The campaign discovered by Recorded Future ran from the start of October 2023 until the middle of that month, with the goal of collecting intelligence on European political and military activities. It overlaps with additional TAG-70 activity against Uzbekistan government mail servers detected in March 2023.


"TAG-70 has demonstrated a high level of sophistication in its attack methods," the company said. "The threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, bypassing the defenses of government and military organizations."


The attack chain combines the two: the social engineering gets a crafted message in front of the target, and the Roundcube XSS flaw causes a JavaScript payload embedded in that message to execute when the webmail client renders it. Because the script runs inside the victim's already-authenticated browser session, it needs no password or exploit against the server itself; it simply harvests the user's credentials from the session and exfiltrates them to a command-and-control (C2) server. This is why the report describes the intrusions as bypassing organizational defenses: a perimeter that only inspects logins sees nothing but a legitimate user reading mail.
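As an added illustration, not code from Recorded Future's report or from the Roundcube project, the following Python script parses a raw e-mail and scans each text/html part for the kind of markup such a payload needs in order to execute when rendered in a webmail client: script elements, inline event handlers, javascript: URIs (including ones padded with whitespace to dodge naive filters), and animation or embedding elements nested inside inline SVG. The two sample messages and the indicator lists are constructed for this example; the hostnames and the list of flagged tags are assumptions, not indicators published by Recorded Future.

```python
"""Flag XSS-style markup in the HTML parts of an e-mail (added example)."""
import email
from email import policy
from html.parser import HTMLParser

# Assumed generic indicators, not signatures from the TAG-70 report: elements
# and attributes that let mail content run script once rendered in webmail.
SVG_ACTIVE_TAGS = {"animate", "set", "animatemotion", "foreignobject", "use"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class XssIndicatorScanner(HTMLParser):
    """Collects a human-readable finding for every suspicious tag/attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._svg_depth = 0  # > 0 while inside an inline <svg> element

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag == "svg":
            self._svg_depth += 1
        if tag == "script":
            self.findings.append("<script> element")
        if self._svg_depth and tag in SVG_ACTIVE_TAGS:
            self.findings.append(f"<{tag}> inside <svg>")
        for name, value in attrs:
            # Strip all whitespace so "java\nscript:" style padding is still caught.
            compact = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name}= on <{tag}>")
            elif compact.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"{name}= with script URI on <{tag}>")

    def handle_endtag(self, tag):
        if tag == "svg" and self._svg_depth:
            self._svg_depth -= 1


def scan_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and scan every text/html part in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = XssIndicatorScanner()
        scanner.feed(part.get_content())
        scanner.close()
        findings.extend(scanner.findings)
    return findings


# Constructed sample: a multipart message whose HTML part carries an SVG
# animation with a javascript: value and an <img> with an inline handler.
MALICIOUS_EML = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Invoice (constructed sample, not a real lure)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the attached invoice.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please see the attached invoice.</p>
<svg><animate attributeName="href" values="javascript:alert(document.domain)"/></svg>
<img src="x" onerror="alert(document.domain)">
</body></html>
--b1--
"""

# Constructed sample: an ordinary HTML message with a plain https link.
BENIGN_EML = b"""\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Agenda (constructed sample)
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Agenda attached. Details at
<a href="https://intranet.example.invalid/agenda">the usual place</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, scan_message(raw) or "no indicators")
```

The scanner is deliberately a triage aid rather than a sanitizer: it tells a responder which stored messages on a mail server deserve a closer look, while the actual fix remains applying the vendor patch so that Roundcube's own HTML washing strips this markup before the browser ever sees it.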


Recorded Future said it also found evidence of TAG-70 targeting the Iranian embassies in Russia and the Netherlands, as well as the Georgian Embassy in Sweden.


"The targeting of Iranian embassies in Russia and the Netherlands suggests a broader geopolitical interest in assessing Iran's diplomatic activities, especially regarding its support for Russia in Ukraine," it said.


"Similarly, espionage against Georgian government entities reflects interests in monitoring Georgia's aspirations for European Union (EU) and NATO accession."


This article was originally published by the WeChat public account 知机安全 under the title "网络黑客通过Roundcube漏洞攻击80多组织" (Hackers attack more than 80 organizations through Roundcube vulnerabilities).

Reprint notice (CN-SEC 中文网, with thanks to the original author): please keep this link when republishing: http://cn-sec.com/archives/2507794.html
