On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) added six more security flaws to its list of known exploited vulnerabilities (KEVs).

Three of them were exploited by Russian cyber spies APT28 to hack Roundcube mail servers belonging to Ukrainian government organizations.

The cyber espionage group (also tracked as BlueDelta, Fancy Bear) was previously linked to the Main Intelligence Directorate of the Russian General Staff (GRU), the country’s military intelligence service.

According to a joint investigation by Recorded Future’s Threat Research Division Insikt Group and the Ukrainian Computer Emergency Response Team (CERT-UA), attackers exploited the Russian-Ukrainian conflict as a lure to trick recipients into opening malicious emails that exploited vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) in the Roundcube Webmail software, granting them unauthorized access to unpatched servers.

Once the mail servers were compromised, the attackers used malicious scripts for reconnaissance, collecting emails of interest and stealing the targets’ Roundcube address books, session cookies, and other valuable information stored in Roundcube’s database.

Evidence gathered during the investigation suggests that the main purpose of this campaign was to exfiltrate military intelligence to support Russia’s invasion of Ukraine.

“We have identified BlueDelta activity most likely targeting a regional Ukrainian prosecutor’s office and central Ukrainian executive authority, as well as reconnaissance activity involving other Ukrainian government entities and an organization involved in upgrading and renovating the infrastructure of Ukrainian military aircraft,” the Insikt Group said.

Federal agencies ordered to patch by July 13

Other vulnerabilities CISA added to the KEV catalog today include a now-fixed critical VMware bug allowing remote code execution (CVE-2023-20887), as well as a Mozilla Firefox/Thunderbird flaw (CVE-2016-9079) and a Microsoft Win32k privilege elevation flaw (CVE-2016-0165), both fixed in 2016.

US federal agencies should check whether their systems are affected by these vulnerabilities and apply any security updates or mitigations required to secure them by July 13.

Under the BOD 22-01 Binding Operational Directive released in November 2021, Federal Civilian Executive Branch (FCEB) agencies must assess and secure their networks for all vulnerabilities listed in the KEV Catalog, which currently contains over 950 entries.

While the primary purpose of the KEV Catalog is to alert federal agencies of exploited vulnerabilities that need to be patched as soon as possible, private companies worldwide are also strongly advised to address these bugs as a priority.
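The KEV catalog is published as a JSON feed, so the "check whether your systems are affected and track the due date" step can be automated. The script below is an added example, not code from the article, CISA or Recorded Future: it indexes a KEV snapshot by CVE id, matches it against a software inventory, and buckets each hit by how close its remediation due date is. The snapshot uses the real feed's field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction); the CVE ids, vendors and the July 13 due date come from the article, while the dateAdded value, the 2023 year, the requiredAction wording and the whole inventory (hostnames, CVE lists, the CVE-0000-0000 placeholder) are constructed for the example.

```python
import json
from datetime import date, timedelta

# Constructed KEV snapshot in the layout of CISA's known_exploited_vulnerabilities.json.
# CVE ids, vendors and the July 13 due date come from the article; dateAdded, the year
# and the requiredAction text are assumed, not copied from the published feed.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed snapshot)",
    "vulnerabilities": [
        {"cveID": cve, "vendorProject": vendor, "product": product,
         "dateAdded": "2023-06-22", "dueDate": "2023-07-13",
         "requiredAction": "Apply updates per vendor instructions."}
        for cve, vendor, product in [
            ("CVE-2020-35730", "Roundcube", "Webmail"),
            ("CVE-2020-12641", "Roundcube", "Webmail"),
            ("CVE-2021-44026", "Roundcube", "Webmail"),
            ("CVE-2023-20887", "VMware", "Aria Operations for Networks"),
            ("CVE-2016-9079", "Mozilla", "Firefox/Thunderbird"),
            ("CVE-2016-0165", "Microsoft", "Win32k"),
        ]
    ],
})

# Constructed inventory, e.g. the output of a vulnerability scanner or SBOM tool.
# CVE-0000-0000 is a placeholder for a finding that is not in the KEV catalog.
INVENTORY = [
    {"host": "mail01", "cves": ["CVE-2020-35730", "CVE-2021-44026", "CVE-0000-0000"]},
    {"host": "ws42", "cves": ["cve-2016-0165"]},  # lower case, as some scanners emit
    {"host": "dev07", "cves": []},
]


def load_kev(feed_text: str) -> dict:
    """Index a KEV feed (same JSON layout as the published catalog) by CVE id."""
    feed = json.loads(feed_text)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def match_inventory(kev: dict, inventory: list) -> list:
    """Return one record per (host, CVE) where the CVE appears in the KEV catalog.

    CVE ids are upper-cased before lookup so scanner output in either case matches.
    Hits are sorted by due date, then host, then CVE, which is the order a
    remediation queue would work them in.
    """
    hits = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve.upper())
            if entry is None:
                continue  # not known-exploited per this catalog; triage on normal severity
            hits.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "dueDate": date.fromisoformat(entry["dueDate"]),
                "requiredAction": entry["requiredAction"],
            })
    hits.sort(key=lambda h: (h["dueDate"], h["host"], h["cveID"]))
    return hits


def remediation_status(hits: list, today, soon_days: int = 7) -> dict:
    """Bucket KEV hits into overdue / due_soon / later relative to `today`.

    `today` may be a date or an ISO "YYYY-MM-DD" string. A hit is overdue once
    the catalog's dueDate has passed, due_soon when it falls within `soon_days`.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    horizon = today + timedelta(days=soon_days)
    buckets = {"overdue": [], "due_soon": [], "later": []}
    for hit in hits:
        if hit["dueDate"] < today:
            buckets["overdue"].append(hit)
        elif hit["dueDate"] <= horizon:
            buckets["due_soon"].append(hit)
        else:
            buckets["later"].append(hit)
    return buckets


if __name__ == "__main__":
    kev = load_kev(KEV_SNAPSHOT)
    hits = match_inventory(kev, INVENTORY)
    status = remediation_status(hits, today="2023-07-10")
    for bucket, items in status.items():
        for h in items:
            print(f'{bucket:9} {h["host"]:7} {h["cveID"]:15} due {h["dueDate"]}  {h["product"]}')
```

In practice the snapshot would be replaced by the downloaded catalog file and the inventory by real scanner output; the matching logic is the same, and the `overdue` bucket is what a BOD 22-01 compliance report (or a private company's equivalent SLA check) would flag.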

Earlier this month, the cybersecurity agency ordered US federal agencies to patch a MOVEit vulnerability exploited by the Clop cyber crime gang for data theft.

Last week, CISA also issued an order asking government agencies to secure network equipment that is misconfigured or exposed to the Internet within 14 days of discovery.
