On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six more security flaws to its known exploited vulnerabilities (KEV) list.
Three of them were exploited by Russian APT28 cyberspies to hack into Roundcube email servers belonging to Ukrainian government organizations.
The cyber-espionage group (also tracked as BlueDelta, Fancy Bear) was previously linked to Russia’s General Staff Main Intelligence Directorate (GRU), the country’s military intelligence service.
According to a joint investigation by Recorded Future’s threat research division Insikt Group and Ukraine’s Computer Emergency Response Team (CERT-UA), the attackers used the Russia-Ukraine conflict as a lure to deceive recipients into opening malicious emails that exploited vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) in Roundcube Webmail software, granting them unauthorized access to unpatched servers.
Once the email servers were compromised, they used malicious scripts for reconnaissance, harvesting emails of interest, and stealing the targets’ Roundcube address book, session cookies, and other valuable information stored within Roundcube’s database.
Evidence gathered during the investigation suggests that the primary objective of this campaign was to exfiltrate military intelligence to support Russia’s invasion of Ukraine.
“We identified BlueDelta activity highly likely targeting a regional Ukrainian prosecutor’s office and a central Ukrainian executive authority, as well as reconnaissance activity involving additional Ukrainian government entities and an organization involved in Ukrainian military aircraft infrastructure upgrade and refurbishment,” the Insikt Group said.
Federal agencies ordered to patch by July 13
Other vulnerabilities CISA added to the KEV catalog today include a now-patched critical VMware bug allowing remote code execution (CVE-2023-20887), as well as a Mozilla Firefox/Thunderbird flaw (CVE-2016-9079) and a Microsoft Win32k privilege escalation flaw (CVE-2016-0165), both patched in 2016.
U.S. federal agencies must check whether their systems are affected by these vulnerabilities and apply the required security updates or mitigations by July 13.
Under the BOD 22-01 binding operational directive issued in November 2021, Federal Civilian Executive Branch Agencies (FCEB) must assess and secure their networks for all vulnerabilities listed in the KEV catalog, which currently contains over 950 entries.
While the KEV catalog’s primary focus is alerting federal agencies of exploited vulnerabilities that must be patched as soon as possible, it is also highly advised that private companies worldwide prioritize addressing these bugs.
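As an added example (not code from the article, CISA or the researchers it cites), the check a defender would run against the KEV feed: given the catalog JSON and the CVEs a scanner or CMDB reports in your own estate, list the matches with their BOD 22-01 due date and flag the overdue ones. The catalog sample (built from the six CVEs and the July 13 deadline in this article, year assumed to be 2023), the inventory and the hostnames are constructed; in practice the catalog string comes from CISA's published JSON feed of the catalog.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV catalog's JSON feed (field names
# follow the real feed); the six CVEs and the July 13 deadline are the ones this
# article reports, with the year assumed to be 2023.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": c, "vendorProject": v, "dueDate": "2023-07-13"} for c, v in [
        ("CVE-2020-35730", "Roundcube"), ("CVE-2020-12641", "Roundcube"),
        ("CVE-2021-44026", "Roundcube"), ("CVE-2023-20887", "VMware"),
        ("CVE-2016-9079", "Mozilla"), ("CVE-2016-0165", "Microsoft"),
    ]]})

# Constructed inventory: CVE -> hosts where a scanner or CMDB reports it present.
INVENTORY = {
    "CVE-2020-35730": ["mail01.corp.example"],
    "CVE-2021-44026": ["mail02.corp.example", "mail01.corp.example"],
    "CVE-2016-0165": ["ws-finance-07"],
    "CVE-0000-00000": ["ws-finance-07"],  # placeholder id, not in the catalog
}

def kev_triage(catalog_json, inventory, today):
    """Inventory CVEs that are in the KEV catalog, most urgent first; each hit
    carries hosts, the BOD 22-01 due date and days left (negative = overdue).
    `today` is an ISO date string so callers can replay a past date."""
    catalog = json.loads(catalog_json)
    hits = []
    for entry in catalog["vulnerabilities"]:
        cve = entry["cveID"]
        if cve not in inventory:
            continue  # exploited in the wild, but not present in our estate
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": cve,
            "vendor": entry["vendorProject"],
            "hosts": sorted(inventory[cve]),
            "due": due.isoformat(),
            "days_left": (due - date.fromisoformat(today)).days,
        })
    hits.sort(key=lambda h: (h["days_left"], h["cve"]))
    return hits

def overdue(hits):
    """CVE IDs whose BOD 22-01 deadline has already passed."""
    return [h["cve"] for h in hits if h["days_left"] < 0]

if __name__ == "__main__":
    for h in kev_triage(KEV_SAMPLE, INVENTORY, date.today().isoformat()):
        print(f'{h["cve"]:15} {h["vendor"]:10} due {h["due"]} '
              f'({h["days_left"]:+d} days) on {", ".join(h["hosts"])}')
```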
Earlier this month, the cybersecurity agency ordered U.S. federal agencies to patch a MOVEit vulnerability exploited by the Clop cybercrime gang for data theft.
Last week, CISA also issued an order asking government agencies to secure misconfigured or Internet-exposed networking equipment within 14 days of discovery.