Cybersecurity experts have identified a Russian cyber group, known as TAG-70, which has been exploiting a critical Cross-Site Scripting (XSS) flaw in Roundcube webmail servers. This group, which has connections to known threat actors Winter Vivern, TA473, and UAC-0114, has launched attacks on more than 80 organizations related to government, military, and national infrastructure, focusing on targets in Georgia, Poland, and Ukraine since October 2023.
Strategic Email Exploits
The campaign is not an isolated event; it is the latest in a series of email-server attacks by Russian-aligned cyber groups seeking sensitive intelligence that could influence the ongoing conflict between Russia and Ukraine. TAG-70 in particular has long been active in cyber-espionage: it previously created a fake Ukrainian Ministry of Foreign Affairs website and exploited vulnerabilities in the Zimbra webmail portal.
Detailed Threat Operations
In its recent campaign the group exploited the XSS flaw CVE-2023-5631 to list and surreptitiously exfiltrate email contents from victim accounts. Suspected TAG-70-controlled IP addresses and domains were tracked, revealing communications over TCP port 7662 and the use of Tor to administer command-and-control (C2) servers. Detailed analysis indicated a high level of sophistication and funding behind TAG-70’s operations.
In February 2023, suspicious activity involving a C2 IP address was discovered, leading to the identification of TAG-70-controlled domains communicating with victim systems. This activity also included communications with an IP address associated with the Uzbekistan Embassy in Ukraine, further illustrating the geographical scope of TAG-70’s cyber-espionage activities.
Cybersecurity responders continue to monitor and analyze TAG-70’s evolving tactics and infrastructure. As part of this ongoing surveillance, several domains and IP addresses have been identified as indicators of compromise, along with malware samples linked to the group’s campaigns.
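The two concrete, defender-usable facts in the paragraphs above are the C2 traffic on TCP port 7662 and the existence of published indicators of compromise. The following script, added here as an editorial example and not code from the article or from the researchers who tracked TAG-70, shows how a network defender would sweep firewall or flow logs for both: it parses a constructed key=value log format (an assumption, not any vendor's real format), flags outbound TCP connections to port 7662, and matches destination addresses against a watch-list. The sample log lines, the watch-list entry and all addresses are constructed placeholders from documentation ranges, since the article itself lists no indicators.

```python
"""Sweep connection logs for TAG-70-style C2 traffic.

Added example (not from the article). Assumptions: the key=value log
format below, the placeholder watch-list, and the helper names. The
port number 7662 is the one the article attributes to TAG-70 C2 traffic.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample log lines using documentation address ranges; not real traffic.
SAMPLE_LOGS = [
    "2023-11-02T08:14:03Z src=10.0.5.21 dst=203.0.113.45 proto=tcp dport=443 action=allow",
    "2023-11-02T08:14:09Z src=10.0.5.21 dst=198.51.100.7 proto=tcp dport=7662 action=allow",
    "2023-11-02T08:15:11Z src=10.0.5.40 dst=203.0.113.45 proto=udp dport=53 action=allow",
    "2023-11-02T08:16:30Z src=10.0.5.21 dst=192.0.2.88 proto=tcp dport=80 action=allow",
    "2023-11-02T08:17:02Z src=10.0.5.33 dst=198.51.100.7 proto=tcp dport=7662 action=deny",
    "malformed line",
]

# PLACEHOLDER watch-list: the article says IoCs were published but reproduces none,
# so this entry is constructed and is not a real TAG-70 indicator.
WATCHLIST_IPS = {"192.0.2.88"}
C2_PORT = 7662  # TCP port the article associates with TAG-70 C2 communications

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    action: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def scan(lines: Iterable[str], watchlist_ips=WATCHLIST_IPS, c2_port=C2_PORT) -> List[Hit]:
    """Return a Hit for every line that touches the C2 port or a watch-listed address.

    Denied connections are flagged too: a blocked beacon still means the
    source host tried to reach C2 and deserves investigation.
    """
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        reasons = []
        if rec["proto"] == "tcp" and rec["dport"] == c2_port:
            reasons.append(f"tcp/{c2_port}")
        if rec["dst"] in watchlist_ips:
            reasons.append("watchlist-ip")
        if reasons:
            hits.append(Hit(rec["ts"], rec["src"], rec["dst"], rec["dport"],
                            rec["action"], ",".join(reasons)))
    return hits


def suspicious_hosts(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count hits per internal source address so triage can start with the noisiest host."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.src] = counts.get(h.src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} [{h.action}] reason={h.reason}")
    print("hosts to triage:", suspicious_hosts(found))
```

Port-based matching alone is a weak signal, since 7662 is not reserved for anything and legitimate software may use it; in practice the port match is a lead that should be corroborated against the published domain and address indicators and against unusual activity on the webmail server itself (for example, unexpected requests from the webmail host toward external addresses after a user opened mail).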
The escalating series of cyber-attacks emphasizes the need for heightened vigilance and robust cybersecurity measures, especially among entities at risk of state-sponsored espionage.