A Russia-linked threat actor has been attributed to a cyber espionage operation targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities, including a then-zero-day in MDaemon, according to new findings from ESET.
The activity, which commenced in 2023, has been codenamed Operation RoundPress by the Slovak cybersecurity company. It has been attributed with medium confidence to the Russian state-sponsored hacking group tracked as APT28, which is also referred to as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
“The ultimate goal of this operation is to steal confidential data from specific email accounts,” ESET researcher Matthieu Faou said in a report shared with The Hacker News. “Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.”
This is not the first time APT28 has been tied to attacks exploiting flaws in webmail software. In June 2023, Recorded Future detailed the threat actor’s abuse of multiple flaws in Roundcube (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to conduct reconnaissance and data gathering.
Since then, other threat actors like Winter Vivern and UNC3707 (aka GreenCube) have also targeted email solutions, including Roundcube, in various campaigns over the years. Operation RoundPress’ ties to APT28 stem from overlaps in the email address used to send the spear-phishing emails and similarities in the way certain servers were configured.
A majority of the targets of the campaign in 2024 have been found to be Ukrainian governmental entities or defense companies in Bulgaria and Romania, some of which are producing Soviet-era weapons to be sent to Ukraine. Other targets include government, military, and academic organizations in Greece, Cameroon, Ecuador, Serbia, and Cyprus.
The attacks entail the exploitation of XSS vulnerabilities in Horde, MDaemon, and Zimbra to execute arbitrary JavaScript code in the context of the webmail window. It’s worth noting that CVE-2023-43770, an XSS bug in Roundcube, was added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog in February 2024.
While the attacks targeting Horde (an unspecified old flaw fixed in Horde Webmail 1.0 released in 2007), Roundcube (CVE-2023-43770), and Zimbra (CVE-2024-27443) leveraged security defects already known and patched, the MDaemon XSS vulnerability is assessed to have been used by the threat actor as a zero-day. Assigned the CVE identifier CVE-2024-11182 (CVSS score: 5.3), it was patched in version 24.5.1 last November.
“Sednit sends these XSS exploits by email,” Faou said. “The exploits lead to the execution of malicious JavaScript code in the context of the webmail client web page running in a browser window. Therefore, only data accessible from the victim’s account can be read and exfiltrated.”
However, for the exploit to be successful, the target must be convinced to open the email message in the vulnerable webmail portal, assuming it’s able to bypass the software’s spam filters and land on the user’s inbox. The contents of the email themselves are innocuous, as the malicious code that triggers the XSS flaw resides within the HTML code of the email message’s body and, therefore, is not visible to the user.
Successful exploitation leads to the execution of an obfuscated JavaScript payload named SpyPress that comes with the ability to steal webmail credentials and harvest email messages and contact information from the victim’s mailbox. The malware, despite lacking a persistence mechanism, gets reloaded every time the booby-trapped email message is opened.
“In addition, we detected a few SpyPress.ROUNDCUBE payloads that have the ability to create Sieve rules,” ESET said. “SpyPress.ROUNDCUBE creates a rule that will send a copy of every incoming email to an attacker-controlled email address. Sieve rules are a feature of Roundcube and therefore the rule will be executed even if the malicious script is no longer running.”
The gathered information is subsequently exfiltrated via an HTTP POST request to a hard-coded command-and-control (C2) server. Select variants of the malware have also been found to capture login history, two-factor authentication (2FA) codes, and even create an application password for MDAEMON to retain access to the mailbox even if the password or the 2FA code gets changed.
“Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern,” Faou said. “Because many organizations don’t keep their webmail servers up to date and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft.”
