#AI & #IA gpt4.0;4,5.;grok2;3.  #oprussia #superukraineintelligence
#nafoarticle5
#itarmyukr
#oprussia #CyberSecurity y #eset #ua https://www.unian.ua/techno/eksperti-eset-poyasnili-yak-rosiyski-hakeri-atakuyut-oboronni-kompaniji-v-ukrajini-ta-yes-13009083.html
ESET experts explained how Russian hackers are attacking defense companies in Ukraine and the EU
Ivan Boyko
12:17, 15.05.25
Russian hackers have started to more actively attack defense companies in Ukraine and the EU / photo ua.depositphotos.com
Some of these defense enterprises produce Soviet-era weapons for shipment to Ukraine.
Experts from the information security company ESET have detected increased activity by Russian cyber spies targeting Ukrainian government institutions and defense companies in Bulgaria and Romania, with the aim of stealing confidential data from specific email accounts.
The company notes that some of these defense enterprises produce Soviet-era weapons for shipment to Ukraine. Other targets include governments in Africa, the EU, and South America. ESET attributes the activity with high probability to the Russia-linked cyber espionage group Sednit (also known as Fancy Bear).
"Last year, we observed how various XSS vulnerabilities were exploited during attacks on webmail add-ons: Horde, MDaemon, and Zimbra. Sednit also began to use a newer vulnerability, CVE-2023-43770 in Roundcube. The vulnerability CVE-2024-11182 in MDaemon, which has now been patched, was a 'zero-day' vulnerability, most likely discovered by Sednit, while the vulnerabilities for Horde, Roundcube, and Zimbra were already known and patched," said ESET researcher Matthieu Faou.
How do attackers operate?
The Sednit group delivers XSS exploits by email. When the message is rendered, malicious JavaScript executes in the context of the webmail client's page in the victim's browser, so the attacker can read and exfiltrate only data that is accessible from the victim's account.
For the exploit to work, the victim must open the email in a vulnerable webmail portal. The message therefore has to get past spam filtering, and its subject has to be convincing enough that the victim reads it. For this reason the attackers spoof the names of well-known media outlets, such as the Ukrainian news publication Kyiv Post or the Bulgarian news portal News.bg. Subject lines used by the spies include "The SBU arrested a banker who worked for the enemy military intelligence in Kharkiv" and "Putin is seeking Trump's acceptance of Russian terms in bilateral relations."
[Figure: map of targets of the RoundPress operation, according to ESET telemetry]
The exploits load the JavaScript components SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA. These can steal credentials, the address book and contacts, login history, and email messages. SpyPress.MDAEMON can additionally bypass two-factor authentication: it steals the two-factor authentication secret and creates an application password, which lets the attackers access the mailbox from a mail application without the second factor.
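As an added defensive illustration (not code from ESET or from the article), the following Python scanner flags incoming messages whose HTML part carries active content of the kind a webmail XSS exploit relies on, and separately notes lure headers that impersonate the publishers named above. The patterns, the brand list, and the sample messages are constructed for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Heuristic patterns for active content in an HTML mail body. A webmail client
# that renders these without sanitizing exposes the session to the sender;
# stripping them server-side is the standard mitigation. The event_handler
# pattern is deliberately broad (any on*= attribute) and may need tuning.
ACTIVE_CONTENT = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "embedded_frame": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
    "svg_markup": re.compile(r"<\s*svg\b", re.I),
    "css_expression": re.compile(r"(?:expression\s*\(|@import|-moz-binding)", re.I),
}

# Publisher names the article says the campaign impersonated; extend for your
# own environment (constructed list, not an ESET indicator feed).
SPOOFED_BRANDS = ("kyiv post", "news.bg")


def html_parts(msg):
    """Yield decoded text/html bodies of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_message(raw: bytes) -> dict:
    """Return findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    for body in html_parts(msg):
        hits.update(name for name, pat in ACTIVE_CONTENT.items() if pat.search(body))
    headers = " ".join(str(msg.get(h, "")) for h in ("From", "Subject")).lower()
    return {
        "active_content": sorted(hits),
        "brand_spoof": any(b in headers for b in SPOOFED_BRANDS),
        "suspicious": bool(hits),  # active content is the actionable signal
    }


def build_sample(sender: str, subject: str, html: str) -> bytes:
    """Build a constructed multipart/alternative test message as raw bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content("Read the full story in your browser.")
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()
```

Run `scan_message` over messages pulled from the MTA quarantine or a mailbox export; a hit on `active_content` in mail destined for an unpatched Roundcube, Horde, MDaemon, or Zimbra instance is the condition worth alerting on.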
"Over the past two years, webmail servers such as Roundcube and Zimbra have been a primary target for several espionage groups, such as Sednit, GreenCube, and Winter Vivern. Since many organizations fail to update their webmail servers in a timely manner, and the vulnerabilities are triggered remotely by sending emails, it is very easy for attackers to target such servers to steal emails," explains the ESET researcher.
The Sednit group, also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy, has been active since at least 2004. The U.S. Department of Justice named the group as one of those responsible for the hack of the Democratic National Committee (DNC) shortly before the 2016 U.S. elections and linked it to the GRU. The group is also believed to be responsible for the hack of the global TV network TV5Monde, the leak of emails from the World Anti-Doping Agency (WADA), and many other incidents.
To avoid becoming a victim of such attacks, do not open suspicious messages or download unknown attachments. Organizations should also maintain robust cybersecurity, for example with the comprehensive solution ESET PROTECT Elite for threat prevention, detection, and rapid response (XDR), as well as vulnerability and patch management.
About the company:
ESET is an expert in protection against cybercrime and digital threats, an international developer of IT security solutions, and a leading provider of threat detection technology. Founded in 1992, ESET now has an extensive partner network and representation in more than 180 countries. The company's headquarters is in Bratislava, Slovakia.
#hackers