{"id":6071,"date":"2025-05-18T14:44:40","date_gmt":"2025-05-18T06:44:40","guid":{"rendered":"https:\/\/cicserver.com\/global-russian-hacking-campaign-steals-data-from-government-agencies\/"},"modified":"2025-05-18T14:44:40","modified_gmt":"2025-05-18T06:44:40","slug":"global-russian-hacking-campaign-steals-data-from-government-agencies","status":"publish","type":"post","link":"https:\/\/cicserver.com\/de\/global-russian-hacking-campaign-steals-data-from-government-agencies\/","title":{"rendered":"Global Russian hacking campaign steals data from government agencies"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.mos.cms.futurecdn.net\/wBA63zhGK4GEWGaAEY7UHd.jpg\" \/><\/p>\n<div id=\"article-body\">\n<hr\/>\n<ul>\n<li><strong>ESET uncovers a major cyber-espionage campaign<\/strong><\/li>\n<li><strong>It was attributed to APT28, AKA Fancy Bear<\/strong><\/li>\n<li><strong>The campaign leveraged multiple n-day and zero-day flaws<\/strong><\/li>\n<\/ul>\n<hr\/>\n<p>For years now, Russian state-sponsored threat actors have been eavesdropping on <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.techradar.com\/news\/best-email-provider\" target=\"_blank\" data-before-rewrite-localise=\"https:\/\/www.techradar.com\/news\/best-email-provider\">email communications<\/a> from governments across Eastern Europe, Africa, and Latin America.<\/p>\n<p>A new report from cybersecurity researchers ESET has found that the crooks were abusing multiple zero-day and n-day vulnerabilities in webmail servers to steal the emails.<\/p>\n<p>ESET named the campaign \u201cRoundPress\u201d, and says that it started in 2023. 
Since then, Russian attackers known as Fancy Bear (AKA APT28) were sending out phishing emails to victims in Greece, Ukraine, Serbia, Bulgaria, Romania, Cameroon, and Ecuador.<\/p>\n<h2 id=\"government-military-and-other-targets-3\">Government, military, and other targets<\/h2>\n<p>The emails would seem benign on the surface, discussing daily political events, but in the HTML body, they would carry a malicious piece of JavaScript code. It would exploit a cross-site scripting (XSS) flaw in the webmail <a data-analytics-id=\"inline-link\" href=\"https:\/\/www.techradar.com\/best\/browser\" target=\"_blank\" data-before-rewrite-localise=\"https:\/\/www.techradar.com\/best\/browser\">browser<\/a> page that the victim was using, and create invisible input fields where browsers and password managers would auto-fill login credentials.<\/p>\n<p>Furthermore, the code would read the DOM or send HTTP requests, collecting email messages, contacts, webmail settings, 2FA information, and more. All of the information would then be exfiltrated to a hardcoded C2 address.<\/p>\n<p>Unlike traditional phishing messages, which require some action on the victim\u2019s side, these attacks only needed the victim to open and view the email. Everything else was being done in the background.<\/p>\n<p>The silver lining here is that the payload has no persistence mechanism, so it only runs when the victim opens the email. 
That being said, once is most likely enough, since people rarely change their email passwords.<\/p>\n<p>ESET identified multiple flaws being abused in this attack, including two XSS flaws in Roundcube, an XSS zero-day in MDaemon, an unknown XSS in Horde, and an XSS flaw in Zimbra.<\/p>\n<p>Victims include government organizations, military organizations, defense companies, and critical infrastructure firms.<\/p>\n<p><em>Via <\/em><a data-analytics-id=\"inline-link\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/government-webmail-hacked-via-xss-bugs-in-global-spy-campaign\/\" target=\"_blank\" data-url=\"https:\/\/www.bleepingcomputer.com\/news\/security\/government-webmail-hacked-via-xss-bugs-in-global-spy-campaign\/\" referrerpolicy=\"no-referrer-when-downgrade\" data-hl-processed=\"none\"><em>BleepingComputer<\/em><\/a><\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>ESET uncovers a major cyber-espionage campaign It was attributed to APT28, AKA Fancy Bear The campaign leveraged multiple n-day and zero-day flaws For years now, Russian state-sponsored threat actors have been eavesdropping on email communications from governments across 
Eastern Europe, Africa, and Latin America. A new report from cybersecurity researchers ESET has found that the [&hellip;]<\/p>","protected":false},"author":3,"featured_media":6072,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-6071","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-blog"},"_links":{"self":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/posts\/6071","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/comments?post=6071"}],"version-history":[{"count":0,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/posts\/6071\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/media\/6072"}],"wp:attachment":[{"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/media?parent=6071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/categories?post=6071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cicserver.com\/de\/wp-json\/wp\/v2\/tags?post=6071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}