Field Effect@Blog //
A cyber espionage campaign dubbed "Operation RoundPress" has been attributed to the Russian state-sponsored hacking group APT28, also known as Fancy Bear, among other aliases. Security researchers at ESET have uncovered that this operation, active since 2023, targets high-value webmail servers by exploiting cross-site scripting (XSS) vulnerabilities. The primary objective is to steal confidential data from specific email accounts. The attackers have been observed targeting several webmail platforms.

In 2024, the scope of Operation RoundPress expanded beyond Roundcube to other webmail software, namely Horde, MDaemon, and Zimbra. In particular, the group exploited a zero-day XSS vulnerability in MDaemon, CVE-2024-11182, before a patch was available. The vulnerability was reported to the developers on November 1st, 2024, and subsequently patched in version 24.5.1. Exploitation consists of delivering malicious JavaScript in a spearphishing email so that the webmail application's XSS flaw executes it in the victim's webmail page.

The victims primarily consist of governmental entities and defense companies in Eastern Europe. However, governments in Africa, Europe, and South America have also been targeted. The injected JavaScript payloads, analyzed by ESET and named SpyPress, are designed to steal webmail credentials and exfiltrate contacts and email messages from the victim’s mailbox. In the case of MDaemon, the attackers were able to set up a bypass for two-factor authentication. ESET has made Indicators of Compromise (IOCs) available on their GitHub repository.
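Because the RoundPress payloads arrive inside spearphishing emails and only become dangerous when the webmail client renders them unsanitised, one defensive control is a gateway or mailbox sweep that flags HTML parts carrying active content. The following Python is an added example, not code from Field Effect or ESET; the message it parses is constructed for the demo and the markup in it is inert placeholder HTML.

```python
"""Heuristic triage of HTML e-mail parts for inline script constructs."""
from email import message_from_string
from html.parser import HTMLParser

class ActiveContentFinder(HTMLParser):
    """Records the constructs a webmail sanitiser must strip before rendering."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            name = name.lower()
            val = (value or "").strip().lower()
            if name.startswith("on"):            # onload=, onerror=, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src", "action") and val.startswith("javascript:"):
                self.findings.append(f"javascript: URI in {name} on <{tag}>")

def scan_html(html: str) -> list[str]:
    finder = ActiveContentFinder()
    finder.feed(html)
    return finder.findings

def scan_message(raw: str) -> list[str]:
    """Walk every text/html MIME part of a raw RFC 5322 message and collect findings."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            findings.extend(scan_html(part.get_payload(decode=True).decode(charset, "replace")))
    return findings

# Constructed sample message (assumption: addresses and markup are placeholders).
SAMPLE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Plain text alternative.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Hello</p><img src="x" onerror="x()"><a href="javascript:void(0)">link</a></body></html>
--b1--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print("FLAG:", finding)
```

A hit does not prove exploitation; it marks the message for quarantine or analyst review, and the webmail server's own sanitiser must still be patched to the fixed version.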



References:
  • Blog: Russian APT28 hackers leverage webmail zero-day
  • ESET Research: publishes its investigation of Operation RoundPress, which uses XSS vulnerabilities to target high-value webmail servers. We attribute the operation to Sednit with medium confidence. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
  • The Hacker News: Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers
  • The DefendOps Diaries: Government Webmail Hacked via XSS Bugs in Global Spy Campaign
  • securityonline.info: Operation RoundPress: Sednit Weaponizes XSS to Breach Global Webmail Servers
  • Virus Bulletin: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers with spear-phishing emails leveraging an XSS vulnerability. Most of the victims are government entities and defence companies in Eastern Europe.
  • WeLiveSecurity: Sednit abuses XSS flaws to hit gov't entities, defense companies
  • WeLiveSecurity: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities
  • www.scworld.com: Global government webmail servers targeted by Russian cyberespionage operation
  • BleepingComputer: Hackers are running a worldwide cyberespionage campaign dubbed 'RoundPress,' leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations.
  • securityonline.info: Researchers expose a covert cyberespionage campaign, dubbed Operation RoundPress, believed to be orchestrated by the Russia-aligned Sednit APT group.
  • www.techradar.com: Global Russian hacking campaign steals data from government agencies
  • www.scworld.com: Sednit group's 'Operation RoundPress' targets webmail servers globally
  • hackread.com: ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail…
  • Thomas Roccia: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities
  • ciso2ciso.com: Russian APT Exploiting Mail Servers Against Government, Defense Organizations – Source: www.securityweek.com
Classification:
  • HashTags: #APT28 #OperationRoundPress #WebmailSecurity
  • Company: ESET
  • Target: Governmental entities and defense companies
  • Attacker: APT28
  • Product: Roundcube
  • Feature: cross-site scripting
  • Malware: SpyPress
  • Type: Espionage
  • Severity: Major