Russian APT Group Exposes Vulnerabilities in Open-Source Roundcube Webmail Software

Cyber threat intelligence firm Recorded Future has discovered, a Russia-linked APT group has been exploiting security loopholes in the open-source Roundcube webmail software to target mainly Ukrainian organizations, including the military and government institutions.

This revelation came from a joint investigation by Recorded Future and Ukraine's Computer Emergency Response Team (CERT-UA), linking the nefarious activity to Russia's GRU military intelligence division.

According to the researchers, the discovered campaign overlapped with the activity of BlueDelta, infamous for exploiting a Microsoft Outlook zero-day vulnerability, CVE-2023-23397, in 2022.

“Based on the targeting and geopolitical backdrop and the group’s organizational links, the highlighted BlueDelta activity was likely intended to enable military intelligence-gathering to support Russia’s invasion of Ukraine,” reads the company’s security advisory. “Infrastructure related to BlueDelta activity has likely been operational since at least November 2021.”

The attackers’ technique involved luring potential victims to open emails with attached files using news about Russia's war against Ukraine. Unknowingly, targets would compromise vulnerable Roundcube servers, even without interaction with the attachment.

The attached files were infected with JavaScript code, which would execute additional payloads hosted on the attackers' infrastructure once opened.

The investigation revealed that the BlueDelta phishing campaign exploited three distinct vulnerabilities in the Roundcube software, used to run several reconnaissance and data exfiltration scripts:

• CVE-2020-35730 – XSS issue allowing threat actors to send plain text e-mail messages, injecting a JavaScript in a mishandled link reference element
• CVE-2020-12641– vulnerability in rcube_image.php that allowed perpetrators to execute arbitrary code via shell metacharacters
• CVE-2021-44026 – SQL injection vulnerability in Roundcube’s search or search_params

The malicious scripts let the attackers redirect the victims' future incoming emails to an attacker-controlled address, perform an extensive recon on the target Roundcube server, and ultimately steal the victims' Roundcube session cookie.

Critical information like address books and user information hosted on Roundcube's database were also potentially compromised.

The researchers' findings point to a well-coordinated and advanced persistent threat that targets not just individuals but the organizational structures they are part of.

The theft of critical information, such as address books and user session data, serves as a chilling reminder of the extent these attackers can reach. As the threat landscape continues to evolve, it has become essential for organizations to stay a step ahead to secure their digital environments effectively.