Field Effect@Blog
A Russia-aligned espionage operation, dubbed Operation RoundPress, has been discovered by ESET researchers. The operation targets webmail software to steal secrets from email accounts, primarily those belonging to governmental organizations in Ukraine and defense contractors in the EU. The Sednit group, also known as APT28 and Fancy Bear, is suspected to be behind the attacks, leveraging spear-phishing emails that exploit XSS vulnerabilities to inject malicious JavaScript code into targeted webmail pages.
The attackers initially targeted Roundcube, but later expanded their reach to include other webmail software such as Horde, MDaemon, and Zimbra. The operation exploits security holes in webmail software to target Ukrainian governmental entities and defense companies in Eastern Europe. Some attacks have even circumvented two-factor authentication, demonstrating the sophistication of the operation and the challenges it poses to threat detection and response mechanisms. While most of the victims are currently based overseas, security experts suggest that North American entities, particularly those in government, defense, and critical infrastructure sectors, could also be targeted. The group's ability to exploit both known and zero-day vulnerabilities across multiple platforms, coupled with its ability to adapt payloads to specific targets, underscores the need for organizations using vulnerable webmail platforms to remain vigilant. According to experts, the hackers are able to steal credentials, emails and contacts without installing persistent malware.
Field Effect@Blog
A cyber espionage campaign dubbed "Operation RoundPress" has been attributed to the Russian state-sponsored hacking group APT28, also known as Fancy Bear, among other aliases. Security researchers at ESET have uncovered that this operation, active since 2023, targets high-value webmail servers by exploiting cross-site scripting (XSS) vulnerabilities. The primary objective is to steal confidential data from specific email accounts. The attackers have been observed targeting several webmail platforms.
In 2024, the scope of Operation RoundPress expanded beyond Roundcube to include webmail software such as Horde, MDaemon, and Zimbra. Specifically, the group exploited a zero-day XSS vulnerability, CVE-2024-11182, in MDaemon before a patch was available. The vulnerability was reported to the developers on November 1st, 2024, and subsequently patched in version 24.5.1. The exploitation involves injecting malicious JavaScript code into the victim's webmail page via spearphishing emails: the email body itself carries the HTML that triggers the XSS flaw when the webmail client renders it. The victims primarily consist of governmental entities and defense companies in Eastern Europe. However, governments in Africa, Europe, and South America have also been targeted. The injected JavaScript payloads, analyzed by ESET and named SpyPress, are designed to steal webmail credentials and exfiltrate contacts and email messages from the victim’s mailbox. In the case of MDaemon, the attackers were able to set up a bypass for two-factor authentication. ESET has made Indicators of Compromise (IOCs) available on their GitHub repository.
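Both summaries come down to the same mechanism: an HTML email that a webmail client renders without neutralizing active content. The following is an added illustration of the defensive control that breaks that chain, written for this page; it is not ESET's or Field Effect's code, is not tied to Roundcube, MDaemon, Horde or Zimbra, and the sample message, tag lists and function names are constructed here. It walks an HTML mail body with Python's standard-library parser, logs every script element, event-handler attribute, `javascript:`/`data:` URL and CSS expression it meets, and emits a sanitized body with those constructs removed, so the same routine serves as a detection signal (the findings list) and as a mitigation (the output).

```python
"""Flag and strip active content from an HTML email body before rendering.

Added example for this page; not code from ESET, Field Effect or any webmail
product. Tag/attribute lists and the sample message are constructed here.
"""
from html.parser import HTMLParser
from html import escape

# Elements that can execute code or pull in active remote content in a mail view.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "form", "base"}
# Attributes that carry a URL; a javascript:/data:/vbscript: scheme there executes.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Void elements never get a closing tag, so they must not open a skip region.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class MailHtmlFilter(HTMLParser):
    """Rebuilds the body tag by tag, dropping anything that could run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []    # what was blocked, for logging / alerting
        self.out = []         # sanitized output fragments
        self._skip_depth = 0  # > 0 while inside a blocked (non-void) element

    @staticmethod
    def _bad_url(value):
        # Collapse the whitespace tricks browsers tolerate inside the scheme.
        v = (value or "").strip().lower()
        for ch in ("\n", "\r", "\t"):
            v = v.replace(ch, "")
        return v.startswith(("javascript:", "data:", "vbscript:"))

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag not in VOID_TAGS:
                self._skip_depth += 1
            return
        if tag in ACTIVE_TAGS:
            self.findings.append(f"blocked <{tag}> element")
            if tag not in VOID_TAGS:
                self._skip_depth = 1  # drop the element and everything inside it
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"stripped {lname} handler on <{tag}>")
            elif lname in URL_ATTRS and self._bad_url(value):
                self.findings.append(f"stripped {lname}={value!r} on <{tag}>")
            elif lname == "style" and "expression(" in (value or "").lower():
                self.findings.append(f"stripped CSS expression on <{tag}>")
            else:
                kept.append((lname, value))
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # <img/> style tags: treat as a start tag; only emit an end tag for non-void.
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self._skip_depth:
            self._skip_depth -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped so decoded entities cannot reintroduce markup.
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def scan_html_email(body):
    """Return (sanitized_html, findings) for one HTML mail body."""
    f = MailHtmlFilter()
    f.feed(body)
    f.close()
    return "".join(f.out), f.findings


# Constructed sample: a plausible-looking message with three injection attempts.
SAMPLE_BODY = (
    "<p>Please review the attached agenda.</p>"
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:void(0)">open</a>'
    '<script>document.title = "x"</script>'
    '<a href="https://example.com/agenda">agenda</a>'
)

if __name__ == "__main__":
    clean, hits = scan_html_email(SAMPLE_BODY)
    for hit in hits:
        print("finding:", hit)
    print("sanitized:", clean)
```

A webmail server that already does this kind of filtering is exactly what the reported XSS flaws bypassed, so the findings list is worth exporting to the SIEM: a mailbox that receives bodies with event handlers or script elements is a useful early indicator even when the filter itself holds, and one that receives them from a sender never seen before is worth a closer look.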