A Russia-linked threat actor has been tied to a cyber-espionage operation aimed at webmail servers such as Roundcube, Horde, MDaemon and Zimbra via cross-site scripting (XSS) vulnerabilities, including a zero-day in MDaemon, according to ESET.
The activity, which began in 2023, has been codenamed Operation RoundPress by the Slovak cybersecurity company. It has been attributed with medium confidence to the Russian state-sponsored hacking group tracked as APT28, also called BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy and TA422.
“The ultimate goal of this operation is to steal confidential data from specific email accounts,” ESET researcher Matthieu Faou noted in a report shared with The Hacker News. “Most of the victims are governmental entities and defense companies in Eastern Europe, although we have also observed governments in Africa, Europe and South America being targeted.”
This is not the first time APT28 has been tied to attacks that exploit webmail software. In June 2023, Recorded Future detailed the threat actor's abuse of multiple flaws in Roundcube (CVE-2020-12641, CVE-2020-35730 and CVE-2021-44026) for reconnaissance and data collection.
Since then, other threat actors such as Winter Vivern and UNC3707 (aka GreenCube) have also targeted webmail solutions, including Roundcube, at various organizations. Operation RoundPress is linked to Sednit/APT28 based on overlaps in the email addresses used to send the spear-phishing emails and similarities in how certain servers were set up.
Most of the campaign's targets in 2024 were identified as Ukrainian governmental entities or defense companies in Bulgaria and Romania, some of which produce Soviet-era weapons to be sent to Ukraine. Other targets include governmental, military and academic organizations in Greece, Cameroon, Ecuador, Serbia and Cyprus.
The attacks entail exploiting XSS vulnerabilities in Horde, MDaemon and Zimbra to execute arbitrary JavaScript code in the context of the webmail window. It is worth noting that CVE-2023-43770 was added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog in February 2024.
While the attacks aimed at Horde (an unspecified XSS flaw in Horde Webmail 1.0, released in 2007), Roundcube (CVE-2023-43770) and Zimbra (CVE-2024-27443) used security flaws that were already known and patched, the MDaemon XSS vulnerability is assessed to have been used by the threat actor as a zero-day. Assigned the CVE identifier CVE-2024-11182 (CVSS score: 5.3), it was patched in version 24.5.1 last November.
“Sednit sends these XSS exploits by email,” Faou said. “The exploits lead to the execution of malicious JavaScript code in the context of the webmail client's web page running in the browser window. Therefore, data accessible from the victim's account can be read and exfiltrated.”
However, for the exploit to succeed, the target must be convinced to open the email in the vulnerable webmail portal, which means the message must bypass the software's spam filtering and land in the user's mailbox. The email content itself appears harmless, as the malicious code that triggers the XSS flaw is embedded in the HTML code of the email message and is thus not visible to the user.
Successful exploitation leads to an obfuscated JavaScript payload called SpyPress, which is capable of stealing webmail credentials and harvesting email messages and contact information from the victim's mailbox. Despite lacking a persistence mechanism, the malware is reloaded every time the email is opened.
“In addition, we have discovered some SpyPress.ROUNDCUBE payloads that have the ability to create Sieve rules,” ESET said. “SpyPress.ROUNDCUBE creates a rule that sends a copy of every incoming email to an attacker-controlled email address. Sieve rules are a Roundcube feature, and therefore the rule will be followed even if the malicious script is no longer running.”
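Because a forwarding rule survives after the injected script is gone, the Sieve scripts themselves are the place defenders should look. The following audit script is an added example written for this article; it is not code from ESET's report and does not reproduce the SpyPress payload. It parses Roundcube-style Sieve scripts (the `# rule:[name]` comment convention the managesieve plugin writes) and flags every `redirect` action whose destination lies outside an allow-list of internal domains, noting whether the rule uses `:copy`, which forwards silently while the original message stays in the mailbox. The two Sieve scripts and the addresses in them are constructed sample data; `example.org` and `example.net` are placeholders, not indicators from the page.

```python
import re
from dataclasses import dataclass

# A Sieve "redirect" action: optional tags such as :copy, then a quoted address.
# Constructed for this example; real scripts may put tags in other orders, which
# the tag group tolerates.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"\s*;', re.IGNORECASE)

# Roundcube's managesieve plugin labels each rule with a comment like "# rule:[Name]".
RULE_NAME_RE = re.compile(r'\s*#\s*rule:\[(.*?)\]')


@dataclass
class Finding:
    user: str          # mailbox owner whose script contains the rule
    rule_name: str     # Roundcube rule label, if any
    address: str       # external destination of the redirect
    silent_copy: bool  # True when ":copy" keeps the original in the mailbox


def audit_sieve(user: str, script_text: str, internal_domains: set[str]) -> list[Finding]:
    """Return one Finding per redirect action that targets a non-internal domain."""
    findings = []
    current_rule = ""
    for line in script_text.splitlines():
        name = RULE_NAME_RE.match(line)
        if name:
            current_rule = name.group(1)
            continue
        for tags, addr in REDIRECT_RE.findall(line):
            domain = addr.rpartition("@")[2].lower()
            if domain not in internal_domains:
                findings.append(Finding(user, current_rule, addr, ":copy" in tags.lower()))
    return findings


def audit_all(scripts: dict[str, str], internal_domains: set[str]) -> list[Finding]:
    """Audit every user's script; scripts maps username -> Sieve script text."""
    out = []
    for user, text in scripts.items():
        out.extend(audit_sieve(user, text, internal_domains))
    return out


# Constructed sample scripts. The first is a normal user filter; the second mirrors
# the shape of a silent-forward rule (destination address is a placeholder).
SAMPLE_SCRIPTS = {
    "alice": (
        'require ["fileinto"];\n'
        '# rule:[Tickets]\n'
        'if header :contains "subject" "[TICKET]"\n'
        '{\n'
        '\tfileinto "Tickets";\n'
        '}\n'
        '# rule:[Cover for Bob]\n'
        'if header :contains "to" "alice@example.org"\n'
        '{\n'
        '\tredirect "bob@example.org";\n'
        '}\n'
    ),
    "bob": (
        'require ["copy"];\n'
        '# rule:[Forward copy]\n'
        'if true\n'
        '{\n'
        '\tredirect :copy "collector@example.net";\n'
        '}\n'
    ),
}

INTERNAL_DOMAINS = {"example.org"}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_SCRIPTS, INTERNAL_DOMAINS):
        flag = "SILENT COPY" if f.silent_copy else "REDIRECT"
        print(f"{f.user}: {flag} to {f.address} (rule '{f.rule_name}')")
```

In practice the script texts would come from each user's managesieve storage (for Dovecot, the per-user `.sieve` files); the allow-list should contain only the organization's own mail domains, so that any forward to an unknown domain, especially a `:copy` one, is reviewed against the user's own expectations.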
The collected information is then exfiltrated via HTTP requests to a hard-coded command-and-control (C2) server. Select variants of the malware have also been found to create an application password for MDaemon, which retains access to the mailbox even if the password or 2FA code is changed.
“Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube and Winter Vivern,” Faou said. “Because many organizations do not keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft.”