APT28 hackers exploit an MDaemon zero-day vulnerability to attack webmail servers

Published: 2025-05-27 (last modified 2025-06-10)
Source: https://antoanthongtinhaiphong.gov.vn/tin-tac-apt28-khai-thac-lo-hong-zero-day-mdaemon-de-tan-cong-may-chu-webmail/

According to recent findings from the cybersecurity company ESET (Slovakia), the APT28 hacking group has carried out a series of cyber-espionage attacks targeting webmail servers such as Roundcube, Horde, MDaemon and Zimbra through XSS vulnerabilities, including a zero-day vulnerability in MDaemon.

This activity began in 2023 and has been named Operation RoundPress by ESET. The attacks are attributed to the Russian-government-backed hacking group known as APT28 (also known as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy and TA422).

"The ultimate goal is to steal confidential data from specific email accounts. Most victims are government agencies and defense companies in Eastern Europe, although we have observed governments in Africa, Europe and South America also being targeted," said ESET researcher Matthieu Faou.

This is not the first time APT28 has been linked to attacks exploiting vulnerabilities in webmail software. In June 2023, the US security firm Recorded Future published details on threat actors exploiting multiple vulnerabilities in Roundcube (CVE-2020-12641, CVE-2020-35730 and CVE-2021-44026) to conduct reconnaissance and data collection.

Since then, other hacking groups such as Winter Vivern and UNC3707 (also known as GreenCube) have also targeted email solutions, including Roundcube, in various campaigns over the years. The link between Operation RoundPress and APT28 stems from overlaps in the email addresses used to send phishing emails, as well as similarities in how certain servers are configured.

Most of the targets of the campaign carried out in 2024 were found to be Ukrainian government entities or defense companies in Bulgaria and Romania. Other targets include government, military and academic organizations in Greece, Cameroon, Ecuador, Serbia and Cyprus.

The attacks involve exploiting XSS vulnerabilities in Horde, MDaemon and Zimbra to execute arbitrary JavaScript code. It should be noted that CVE-2023-43770 was added to the Known Exploited Vulnerabilities (KEV) catalog by the US Cybersecurity and Infrastructure Security Agency (CISA) in February 2024.

While the attacks on Horde (an old, unidentified vulnerability patched in Horde Webmail 1.0, released in 2007), Roundcube (CVE-2023-43770) and Zimbra (CVE-2024-27443) leveraged known and already-patched security vulnerabilities, the MDaemon XSS vulnerability is assessed to have been used by the threat actor as a zero-day. Assigned the identifier CVE-2024-11182 (CVSS score: 5.3), this vulnerability was patched in version 24.5.1 in November of last year.

However, for exploitation to succeed, the target must be persuaded to open the email message in the vulnerable webmail portal, assuming that it can bypass the software's spam filter and reach the user's inbox. The email's content is innocuous, because the malicious code that triggers the XSS vulnerability sits in the HTML of the message body and is therefore not easy for the user to spot.

Successful exploitation leads to the execution of an obfuscated JavaScript payload named SpyPress, which is capable of stealing webmail login credentials and collecting email messages, as well as contact information, from the victim's mailbox. Although the malware has no persistence mechanism, it is reloaded every time the lure email message is opened.

The collected information is then exfiltrated via HTTP POST requests to a hard-coded command-and-control (C2) server. Some variants of the malware were also found to be able to record login history and two-factor authentication (2FA) codes, and even to create application passwords for MDaemon, in order to maintain access to the mailbox even when the password or 2FA code is changed.

"Over the past two years, webmail servers such as Roundcube and Zimbra have become primary targets for several cyber-espionage groups such as Sednit, GreenCube and Winter Vivern. Because many organizations do not update their webmail servers, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers to steal emails," Faou said.