New findings from ESET show that Russia-related threat actors are attributed to cyberspy operations targeting webmail servers such as RoundCube, Horde, Mdaemon, and Zimbra.
The activity, which began in 2023, is known as Codename Round Press by the Slovak Cybersecurity Company. This is due to moderate confidence in a Russian state-sponsored hacking group tracked as APT28. It is also known as Blue Delta, Fancy Bear, Fighting Ursa, Forest Blizzard, Froze Lake, Iron Twilight, ITG05, Pawn Storm, Cednyte, Sofacy, and TA422.
“The ultimate goal of this operation is to steal sensitive data from specific email accounts,” ESET researcher Matthieu Faou said in a report shared with Hacker News. “Most of the victims are Eastern European government agencies and defense companies, but we observe that governments in Africa, Europe and South America are also being targeted.”
This is not the first time that APT28 has been linked to an attack that exploits a flaw in its webmail software. In June 2023, recorded Future detailed the abuse of multiple flawed threat actors on the RoundCube (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026).
Since then, other threat actors like Winter Vivern and UNC3707 (aka Greencube) have also targeted email solutions including RoundCube in a variety of campaigns over the years. The relationship with the operation RoundPress APT28 is due to the overlapping email addresses used to send similarities to spear phishing emails in certain server configuration methods.
It is known that the majority of the 2024 campaign is Ukrainian government agencies or defence companies in Bulgaria and Romania, some of which produce Soviet-era weapons sent to Ukraine. Other targets include governments, military and academic organizations in Greece, Cameroon, Ecuador, Serbia and Cyprus.
This attack requires the exploitation of XSS vulnerabilities in Horde, Mdaemon, and Zimbra to execute arbitrary JavaScript code in the context of a webmail window. It is worth noting that CVE-2023-43770 was added by the US Cybersecurity and Infrastructure Security Agency (CISA) to the Known Exploited Vulnerabilities (KEV) catalog in February 2024.
Attacks targeting Horde (an unspecified defect not fixed in Horde WebMail 1.0 released in 2007), RoundCube (CVE-2023-43770), and Zimbra (CVE-2024-27443) use the already known and patched vulnerability in patient XSSSS. I assigned the CVE Identifier CVE-2024-11182 (CVSS score: 5.3) and applied the patch in version 24.5.1 last November.
“Sedonite will email these XSS exploits,” says Faou. “Exploits lead to the execution of malicious JavaScript code in the context of WebMail client web pages running in a browser window. Therefore, they can only read and extract data that is accessible from the victim’s account.”
However, for the exploit to be successful, the target must communicate to the vulnerable webmail portal to open an email message, assuming that the software can bypass the spam filter and land in the user’s inbox. The content of the email itself is harmless. The malicious code that triggers the XSS flaws is invisible to the user as it resides within the HTML code in the body of the email message.
The success of exploitation leads to the execution of an obfuscated JavaScript payload named Spypress. Malware is reloaded every time an email message trapped in a booby is opened, despite the lack of a permanent mechanism.
“In addition, we’ve detected several SpyPress.RoundCube payloads with the ability to create Sive rules,” ESET said. “Spypress.RoundCube creates a rule that sends a copy of all incoming emails to an attacker-controlled email address. Sieve rules are a feature of RoundCube, so the rules run without malicious scripts being executed.”
The collected information is excluded via HTTP POST requests to hard-coded Command and Control (C2) servers. Some variants of the malware are also known to capture login history, two factor authentication (2FA) code, and create an MDAEMON application password to retain access to the mailbox even if the password or 2FA code changes.
“For the past two years, webmail servers such as RoundCube and Zimbra have been the main target for several spy groups, such as Sednit, Greencube and Winter Vivern,” says Faou. “It’s very convenient for attackers to target such servers for email theft, as many organizations can keep their webmail servers up to date and remotely trigger vulnerabilities by sending email messages.”
Source link
