The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six new security flaws to its Known Exploited Vulnerabilities (KEV) catalog on Thursday. Federal agencies have until July 13 to patch these vulnerabilities, and other organizations are advised to do the same.
Three of the added vulnerabilities were exploited by Russian APT28 cyberspies to get access to the Roundcube email servers used by Ukrainian government agencies.
The cyberespionage group (also tracked as Fancy Bear or BlueDelta) was previously linked to Russia’s General Staff Main Intelligence Directorate (GRU), the country’s military intelligence service.
Details on the Vulnerabilities
A joint investigation by Ukraine’s Computer Emergency Response Team (CERT-UA) and Recorded Future’s threat research unit Insikt Group found that the attackers used the conflict between Russia and Ukraine to trick recipients into opening malicious emails that would allow them to take advantage of Roundcube Webmail software vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) and gain access to unpatched servers.
According to BleepingComputer, once the email servers were compromised, the attackers deployed malicious scripts on the targets for reconnaissance, to extract emails of interest, and to steal the Roundcube address book, session cookies, and other sensitive data kept in Roundcube’s database.
The investigation’s findings indicate that this campaign’s main goal was to exfiltrate military intelligence in order to facilitate Russia’s invasion of Ukraine.
“We identified BlueDelta activity highly likely targeting a regional Ukrainian prosecutor’s office and a central Ukrainian executive authority, as well as reconnaissance activity involving additional Ukrainian government entities and an organization involved in Ukrainian military aircraft infrastructure upgrade and refurbishment,” the Insikt Group wrote in its report.
Federal Agencies Have to Patch the Vulnerabilities by July 13
Other vulnerabilities CISA added to the KEV catalog on the same day include a critical, already patched VMware remote code execution bug (CVE-2023-20887), as well as a Microsoft Win32k privilege-escalation flaw and Mozilla Firefox/Thunderbird flaws that were fixed in 2016.
By July 13, U.S. federal agencies must determine whether their systems are affected by these flaws and apply the necessary security patches or mitigations to protect them. While the KEV catalog’s main purpose is to inform federal agencies of exploited vulnerabilities that must be fixed immediately, CISA also strongly urges organizations worldwide to prioritize remediating them.
Earlier this month, CISA ordered U.S. federal agencies to patch the MOVEit vulnerability exploited by the Clop ransomware gang for data theft. Last week, CISA also ordered government organizations to secure misconfigured or Internet-exposed networking hardware within 14 days of discovering it.