The Russian state-sponsored group APT28 has been carrying out a large-scale campaign exploiting XSS vulnerabilities in mail servers, according to cybersecurity firm ESET.
APT28, also known as Fancy Bear, Forest Blizzard, Sednit, and Sofacy, is linked to Russia's General Staff Main Intelligence Directorate (GRU). Active since at least 2004, the group has targeted government, military, media, and energy sectors across the US and Europe.
Just two weeks ago, French authorities accused APT28 of breaching over a dozen government agencies and other organizations. One of the group’s known attacks dates back ten years and involved the TV5Monde broadcasting network.
On Thursday, ESET disclosed a new wave of attacks affecting organizations in Europe, Africa, and South America. The operation, named Operation RoundPress, has been ongoing since September 2023 and exploits vulnerabilities in mail servers such as Roundcube, Horde, MDaemon, and Zimbra.
In these attacks, APT28 inserted malicious JavaScript into victims’ webmail interfaces to harvest credentials and exfiltrate emails and contacts.
The campaign began with the exploitation of CVE-2020-35730, a known XSS vulnerability in Roundcube, which allowed attackers to inject arbitrary JavaScript into the webmail page. This flaw was added to CISA’s Known Exploited Vulnerabilities catalog in June 2023.
By 2024, the campaign had expanded to target Horde, MDaemon, and Zimbra mail servers. Attackers also began exploiting a newer Roundcube flaw, CVE-2023-43770, included in the KEV catalog in February 2024. The MDaemon vulnerability, CVE-2024-11182, was exploited as a zero-day but has since been patched.
ESET observed that APT28 delivered the XSS exploits via email; the malicious code executed within the victim's browser when the victim opened the message in a vulnerable webmail client. This tactic meant that the malware could only access that user's own account data. The email had to evade spam filters and appear convincing enough to prompt the recipient to open it.
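As an added illustration, not code from ESET or from this article: a small Python check of the kind a mail gateway or incident responder might run, which parses a message and flags active content (script tags, inline event handlers, javascript: URLs, SVG) in its HTML parts, the delivery vector described above. The sample message, its addresses and the pattern list are constructed for this example and are deliberately coarse.

```python
import re
from email import message_from_string

# Patterns that have no place in a legitimate HTML email body (coarse, for illustration).
ACTIVE_CONTENT = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript-uri": re.compile(r"(?:href|src)\s*=\s*['\"]?\s*javascript:", re.I),
    "svg-element": re.compile(r"<\s*svg\b", re.I),
}

def html_parts(msg):
    """Yield the decoded text of every text/html part of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")

def scan_message(raw_eml: str) -> list[str]:
    """Return the names of the active-content patterns found in any HTML part."""
    found = []
    for body in html_parts(message_from_string(raw_eml)):
        for name, pattern in ACTIVE_CONTENT.items():
            if name not in found and pattern.search(body):
                found.append(name)
    return found

# Constructed sample: the HTML alternative carries an inline event handler and a
# javascript: link, the kind of active content a mailed webmail XSS payload relies on.
SUSPICIOUS_EML = """\
From: sender@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the invoice.
--b1
Content-Type: text/html; charset=utf-8

<p>Please see the invoice.</p>
<img src="x" onerror="loadHelper()">
<a href="javascript:void(0)">open</a>
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SUSPICIOUS_EML))  # ['event-handler', 'javascript-uri']
```

A hit is a reason to quarantine or strip the HTML part before it reaches a webmail client, not proof of an exploit; legitimate marketing mail occasionally trips the coarser patterns.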
The malicious payloads, collectively referred to as SpyPress, were customized for each server platform. Once deployed, they could steal credentials, forward emails to the attackers, gather messages and contact lists, and even bypass two-factor authentication by mimicking legitimate login processes.
In 2024, the campaign primarily focused on entities involved in the war in Ukraine, including Ukrainian government bodies and defense contractors in Bulgaria and Romania. However, government organizations in Africa, Europe, and South America were also affected.
ESET noted that webmail platforms like Roundcube and Zimbra have become common targets for espionage groups such as Sednit, GreenCube, and Winter Vivern. This is largely due to the fact that many organizations fail to update their mail servers regularly, and vulnerabilities can be remotely exploited simply by sending an email.