The Russia-based threat group TAG-70 has been found exploiting a Cross-Site Scripting vulnerability (CVE-2023-5631) in Roundcube webmail servers to target government, military, and national infrastructure entities. This campaign, which has been ongoing since October 2023, has attacked over 80 organizations, primarily in Georgia, Poland, and Ukraine. TAG-70 is also linked to other threat groups such as Winter Vivern, TA473, and UAC-0114.
This specific campaign marks the latest activity from Russia-aligned threat groups targeting email servers. The attackers use the XSS flaw in Roundcube to access and exfiltrate mailbox contents without the victim’s interaction. The threat actor behind these operations appears to be well-funded and highly skilled, with a history of exploiting vulnerabilities in webmail servers for espionage purposes.
The attackers have been observed communicating with victim IP addresses and using various domains and IP addresses for their malicious activities. Some of the indicators of compromise associated with TAG-70 include domains like bugiplaysec[.]com and IP addresses like 198.50.170[.]72. The threat group’s operational infrastructure has been identified as recsecas[.]com and the C2 address 38.180.76[.]31, which tunnels to another C2 domain administered via Tor.
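As an added example (not code from the article or from the researchers it summarizes), the script below shows how a defender would operationalize the defanged indicators above: it refangs them, builds match patterns that distinguish IP addresses from domains (so a subdomain of a listed domain matches, but a longer dotted number that merely starts with a listed IP does not), and runs them over log lines. The log lines are constructed for the example and do not come from any real incident; the log formats and the `10.0.0.0/8` internal addresses are assumptions.

```python
import re

# Defanged indicators exactly as listed in the article.
DEFANGED_IOCS = [
    "bugiplaysec[.]com",
    "recsecas[.]com",
    "198.50.170[.]72",
    "38.180.76[.]31",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its live form for matching."""
    return ioc.replace("[.]", ".")


def ioc_regex(live: str) -> str:
    """Build a pattern for one live indicator.

    IPs must stand alone: 198.50.170.72 must not match inside 198.50.170.721.
    Domains may be preceded by subdomain labels (c2.recsecas.com counts) but
    must not be followed by more word or dotted-label characters.
    """
    esc = re.escape(live)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", live):
        return r"(?<![\w.])" + esc + r"(?!\w|\.\d)"
    return r"(?<![\w-])(?:[\w-]+\.)*" + esc + r"(?!\w|\.\w)"


def scan_lines(lines, defanged=DEFANGED_IOCS):
    """Return (line_number, defanged_ioc, matched_text) for every hit."""
    patterns = [(ioc, re.compile(ioc_regex(refang(ioc)), re.IGNORECASE))
                for ioc in defanged]
    hits = []
    for lineno, line in enumerate(lines, 1):
        for ioc, pat in patterns:
            for m in pat.finditer(line):
                hits.append((lineno, ioc, m.group(0)))
    return hits


# Constructed sample log lines (webmail access log, proxy log, DNS log); not real data.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Feb/2024:10:01:02 +0000] "GET /?_task=mail&_action=show&_uid=42 HTTP/1.1" 200 5120',
    'proxy: CONNECT bugiplaysec.com:443 from 10.0.0.17',
    '198.50.170.72 - - [11/Feb/2024:10:02:44 +0000] "GET /?_task=mail&_action=show&_uid=42 HTTP/1.1" 200 5120',
    'dns: query A c2.recsecas.com from 10.0.0.17',
    'proxy: CONNECT 38.180.76.31:443 from 10.0.0.23',
    '198.50.170.721 - - [11/Feb/2024:10:03:01 +0000] "GET / HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for lineno, ioc, text in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {ioc} matched as {text!r}")
```

Feeding real logs into `scan_lines` only requires swapping `SAMPLE_LOG` for an iterator over the file; keeping the indicators defanged in the source list means the file can be shared without tripping URL scanners or autolinking.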
Overall, TAG-70’s exploitation of Roundcube webmail servers highlights the ongoing cyber threats posed by sophisticated threat actors with links to state-sponsored activities. Organizations are advised to stay vigilant and follow cybersecurity news for updates on potential threats and indicators of compromise.