The Russian state-sponsored group APT28 has been exploiting XSS vulnerabilities in mail servers in a widespread campaign targeting government and defense entities, ESET reports.
Also tracked as Fancy Bear, Forest Blizzard, Sednit, and Sofacy, and linked to the Russian General Staff Main Intelligence Directorate (GRU), APT28 has been active since at least 2004, targeting energy, government, military, and media entities in the US and Europe.
Two weeks ago, France accused APT28 of compromising a dozen government organizations and other French entities. One of the attacks, targeting the TV5Monde broadcasting station, occurred a decade ago.
On Thursday, ESET shared details on a wave of APT28 attacks aimed at organizations in Europe, Africa, and South America that involved the exploitation of vulnerable Roundcube, Horde, MDaemon, and Zimbra mail servers since September 2023.
As part of the campaign, dubbed Operation RoundPress, the Russian hackers injected the victims’ webmail pages with malicious JavaScript code designed to steal credentials and exfiltrate contacts and messages.
In September 2023, the APT targeted an XSS vulnerability in Roundcube, tracked as CVE-2020-35730, to load arbitrary JavaScript code on the webmail page. The flaw was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in June 2023.
In 2024, Operation RoundPress expanded to Horde, MDaemon, and Zimbra servers, and added another Roudcube flaw to the arsenal, namely CVE-2023-43770, which was added to the KEV catalog in February 2024. The MDaemon bug, now patched and tracked as CVE-2024-11182, was exploited as a zero-day.
The hacking group was observed sending XSS exploits via email to execute JavaScript code in the victim’s browser, in the context of the webmail webpage, meaning that it could only access data from the victim’s account.
“Note that, in order for the exploit to work, the target must be convinced to open the email message in the vulnerable webmail portal. This means that the email needs to bypass any spam filtering and the subject line needs to be convincing enough to entice the target into reading the email message,” ESET explains.
The observed payloads, tailored for each mail server but collectively tracked as ‘SpyPress’, would create rules to send copies of emails to the attackers, steal webmail credentials (auto-filled in a hidden form or entered by the victim on a fake login page), collect messages and contact information, and bypass two-factor authentication.
In 2024, the attacks mainly targeted entities associated with the war in Ukraine, such as governmental organizations in Ukraine and defense companies in Bulgaria and Romania. However, African, European, and South American governments were also hit.
“Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern. Because many organizations don’t keep their webmail servers up to date and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft,” ESET notes.
Related: Russia-Linked APT Star Blizzard Uses ClickFix to Deploy New LostKeys Malware, Google Warns
Related: Firefox Affected by Flaw Similar to Chrome Zero-Day Exploited in Russia
Related: Russian Espionage Group Using Ransomware in Attacks
Related: Russian Ransomware Gang Exploited Windows Zero-Day Before Patch