The email espionage campaign exploits XSS vulnerabilities in webmails such as Roundcube, Horde, MDaemon and Zimbra. Government targets and defense companies targeted, with theft of credentials, contacts and messages, and the possibility of bypassing two-factor authentication
Researchers of ESET, a global European leader in the cybersecurity market, have uncovered a cyber espionage operation attributed with reasonable certainty to the Russia-aligned Sednit Group, called RoundPress. The campaign targets webmail servers by exploiting XSS vulnerabilities with the ultimate goal of stealing confidential data from specific email inboxes. Most of the targets are linked to the ongoing conflict in Ukraine: they are mainly Ukrainian administrations or defense companies in Bulgaria and Romania. Some of these companies produce Soviet-era weapons destined for Ukraine. Other targets include African, EU and South American governments.
"Last year – explains Matthieu Faou, ESET researcher who discovered and analyzed Operation RoundPress – we observed the use of several every probability discovered by the group itself, while those of Horde, Roundcube and Zimbra were already known and patched”.
Sednit delivers these XSS exploits via email; the victim opening the message in a vulnerable webmail leads to the execution of malicious JavaScript code within the page. As a result, only data accessible from the victim's account can be read and exfiltrated.
For the exploit to work, the victim must open the message in the vulnerable web interface. This implies that the email must pass anti-spam filters and that the subject of the message is credible enough to push the user to read it. To achieve this goal, the attackers exploited the visual identity of well-known newspapers such as Kyiv Post or the Bulgarian portal News.bg. Among the headlines used to make spearphishing messages credible are, for example: “SBU arrests banker who worked for enemy military intelligence in Kharkiv” and “Putin seeks Trump's acceptance of Russian conditions in bilateral relations”.
The JavaScript payloads used include SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA. These are capable of stealing credentials, stealing address books, contacts and activity history, as well as reading email messages. SpyPress.MDAEMON, in particular, allows you to bypass two-factor protection by obtaining the authentication key and generating an access credential, which allows attackers to consult the mailbox via an email client.
"Over the past two years – adds Faou – webmail servers such as Roundcube and Zimbra have been prime targets for several espionage groups, including Sednit, GreenCube and Winter Vivern. Since many organizations do not update their webmails and vulnerabilities can be activated simply by sending an email, these servers represent a very convenient target for the exfiltration of email communications."
The Sednit group — also known as APT28, Fancy Bear, Forest Blizzard or Sofacy — has been active since at least 2004. The US Department of Justice named it as responsible for the attack on the Democratic National Committee (DNC) servers before the 2016 US presidential election and linked it to the military intelligence agency of the Russian Federation (GRU). Other attacks are also attributed to the group, including the one on the French television network TV5Monde and the theft of emails from the World Anti-Doping Agency (WADA).
For a detailed and technical analysis of the tools used by Sednit in Operation RoundPress, the full post is available on the ESET Research blog, “Operation RoundPress", are WeLiveSecurity.com. To stay updated on the latest news you can follow ESET Research on X (formerly known as Twitter), BlueSky e Mastodon.
