# Full Report
CERT Polska is observing a malicious email campaign conducted by the UNC1151 group against Polish entities, exploiting a vulnerability in the Roundcube software.
# Analysis Summary
# Threat Actor: UNC1151
## Attribution & Identity
**Attribution:** High confidence attribution to UNC1151 activity cluster.
**Known Aliases/Associations:** Associated with the Belarusian government (Mandiant, Google) and Russian intelligence services (other sources).
## Activity Summary
CERT Polska observed a recent spear-phishing campaign conducted by this actor against Polish entities. The objective of the campaign was credential harvesting, achieved by exploiting a known vulnerability in the Roundcube webmail client. The attackers used compelling email subjects to lure recipients into opening the messages; opening a message triggered exploitation of CVE-2024-42009, which allowed JavaScript to execute in the webmail session and steal credentials. After compromising an account, the observed actions included analysis of the mailbox contents, download of the address book, and use of the compromised account to send further phishing messages.
## Tactics, Techniques & Procedures
- **Spearphishing:** Used targeted emails with urgent subjects ("[!IMPORTANT] Invoice to reservation number: S2500650676").
- **Vulnerability Exploitation (Client-Side):** Exploited **CVE-2024-42009** (a Cross-Site Scripting vulnerability in Roundcube) by crafting malicious HTML email messages which execute JavaScript upon opening.
- **Credential Harvesting:** Used injected JavaScript to harvest usernames and passwords submitted via a secondary malicious script/page structure.
- **Post-Exploitation:** Analysis of mailbox contents and address book download.
- **Lateral Movement/Dissemination:** Using compromised accounts to send further phishing messages.
**Technical Indicators Mentioned:**
- Vulnerability Exploited: **CVE-2024-42009**
- Potential Future Vulnerability Mentioned: **CVE-2025-49113** (could enable remote code execution if combined with account compromise).
## Targeting
- **Sectors:** Not explicitly detailed beyond "Polish entities," implying governmental, critical infrastructure, or corporate sectors critical to Polish operations.
- **Geography:** Poland.
- **Victims:** General "Polish entities." Specific mention of analysis occurring at "one of the affected entities."
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named, but the primary TTP relies on client-side JavaScript injection within the email body.
- **Infrastructure (C2/Harvesting):**
  - Credential Harvesting Domain: `a[.]mpk-krakow[.]pl` (used in the fetch request targeting credentials).
- **Sender Addresses (Indicators of Compromise):**
  - `irina[.]vingriena@gmail[.]com`
  - `julitaszczepanska38@gmail[.]com`
- **SMTP Source IP (IPv6):** `2001:67c:e60:c0c:192:42:116:216`
- **Attachment/File Indicators (SHA256):** `70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149` (for the JS file named "Delivery report").
## Implications
UNC1151 remains an active and sophisticated threat, demonstrating a rapid pivot to exploit recently disclosed, patched vulnerabilities (CVE-2024-42009) to achieve initial access via credential theft. The group's link to the Belarusian government signifies potential nation-state level espionage objectives targeting Polish infrastructure. The combination of known exploitation techniques with the possibility of leveraging newly discovered RCE flaws (CVE-2025-49113) indicates a high capability for developing effective, chained attack vectors.
## Mitigations
- **Patching:** Immediately update Roundcube installations to the latest available versions (e.g., 1.6.11 or 1.5.10) to remediate CVE-2024-42009.
- **Network Monitoring:** Analyze network logs for indicators related to the credential harvesting domain: `a[.]mpk-krakow[.]pl`.
- **Incident Response for Targeted Entities:**
  1. Enforce password resets for all affected users.
  2. Verify the activity logs of affected user accounts.
  3. Unregister installed Service Workers on webmail interfaces (via Developer Tools -> Applications -> Service Workers).
- **Reporting:** Polish organizations receiving similar messages should report the event to CSIRT NASK, CSIRT MON, or CSIRT GOV.
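As an added example (not part of the CERT Polska advisory or of this summary), the following Python script applies the indicators listed in this report to mail, proxy and attachment-scanner log lines. It refangs the published defanged values, canonicalises the IPv6 SMTP source so that compressed or zero-padded renderings in logs still match, and returns the line numbers and indicator kinds that hit. The log lines are constructed for illustration; the indicator values are exactly the ones listed above.

```python
"""Match the UNC1151 indicators from the report against constructed log lines."""
import ipaddress
import re

# Indicators as published in the report (defanged); refanged at runtime for matching.
DEFANGED_IOCS = {
    "harvesting_domain": ["a[.]mpk-krakow[.]pl"],
    "sender_address": ["irina[.]vingriena@gmail[.]com",
                       "julitaszczepanska38@gmail[.]com"],
    "smtp_source_ipv6": ["2001:67c:e60:c0c:192:42:116:216"],
    "attachment_sha256": [
        "70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149"],
}


def refang(indicator):
    """Turn a defanged indicator back into its matchable, lower-cased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOCS = {kind: [refang(v) for v in values] for kind, values in DEFANGED_IOCS.items()}

# Loose IPv6 candidate tokens; each candidate is validated with ipaddress below.
IPV6_TOKEN = re.compile(r"\[?([0-9a-fA-F:]{2,39})\]?")
SHA256_TOKEN = re.compile(r"\b[0-9a-f]{64}\b")


def canonical_ipv6(token):
    """Return the canonical text form of an IPv6 address, or None if not one."""
    try:
        return str(ipaddress.IPv6Address(token))
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


WANTED_IPV6 = {canonical_ipv6(ip) for ip in IOCS["smtp_source_ipv6"]}


def scan_line(line):
    """Return (indicator_kind, indicator) pairs found in a single log line."""
    hits = []
    lowered = line.lower()
    for kind in ("harvesting_domain", "sender_address"):
        for ioc in IOCS[kind]:
            if ioc in lowered:
                hits.append((kind, ioc))
    seen_ips = set()
    for token in IPV6_TOKEN.findall(line):
        canon = canonical_ipv6(token)
        if canon in WANTED_IPV6 and canon not in seen_ips:
            seen_ips.add(canon)
            hits.append(("smtp_source_ipv6", canon))
    for digest in SHA256_TOKEN.findall(lowered):
        if digest in IOCS["attachment_sha256"]:
            hits.append(("attachment_sha256", digest))
    return hits


def scan_logs(lines):
    """Return [(line_number, kind, indicator), ...] over all lines, in order."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, ioc in scan_line(line):
            findings.append((number, kind, ioc))
    return findings


# Constructed sample lines (Postfix-style SMTP, web proxy, attachment scanner);
# only the indicator values come from the report.
SAMPLE_LOGS = [
    "Jun 12 09:14:02 mx1 postfix/smtpd[2211]: connect from mail.example.org[2001:db8::25]",
    "Jun 12 09:14:05 mx1 postfix/smtpd[2211]: connect from unknown[2001:67c:e60:c0c:192:42:116:216]",
    "Jun 12 09:14:06 mx1 postfix/qmgr[1400]: 4F2A1: from=<irina.vingriena@gmail.com>, size=8412",
    "2025-06-12T09:20:31Z proxy01 CONNECT a.mpk-krakow.pl:443 user=jkowalski ua=Mozilla/5.0",
    "2025-06-12T09:14:07Z av01 attachment=\"Delivery report\" "
    "sha256=70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149",
    "2025-06-12T09:21:00Z proxy01 CONNECT mail.example.org:443 user=jkowalski",
]

if __name__ == "__main__":
    for number, kind, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {kind} -> {ioc}")
```

The domain and address matches are plain substring checks on the lower-cased line, which is enough for exact IoC values; the IPv6 match goes through `ipaddress` so that `2001:067c:0e60:...` and `2001:67c:e60:...` are treated as the same address. Feed real mail-gateway or proxy exports to `scan_logs` line by line; a hit on the harvesting domain from a workstation is the signal the report's network-monitoring item asks for.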