Russian group Sednit using webmail flaws to target Ukraine allies
ESET researchers have identified an espionage campaign dubbed Operation RoundPress, which targets webmail servers using cross-site scripting (XSS) vulnerabilities and is most likely orchestrated by the Russia-aligned Sednit group.
Operation RoundPress leverages spearphishing emails that exploit vulnerabilities in popular webmail platforms, including Roundcube, Horde, MDaemon, and Zimbra, to deliver malicious JavaScript payloads directly into victims' webmail pages.
The primary focus of the campaign appears to be governmental entities and defence companies linked to the ongoing conflict in Ukraine. ESET has reported that many of the affected defence companies in Bulgaria and Romania are actively engaged in producing Soviet-era weapons for shipment to Ukraine.
ESET's research also notes that other government-related targets span across Africa, the European Union, and South America, highlighting the international reach of the campaign.
Matthieu Faou, ESET Researcher, explained the technical nature of the attacks, stating: "Last year, we observed different XSS vulnerabilities being used to target additional webmail software: Horde, MDaemon, and Zimbra. Sednit also started to use a more recent vulnerability in Roundcube, CVE-2023-43770. The MDaemon vulnerability — CVE-2024-11182, now patched — was a zero day, most likely discovered by Sednit, while the ones for Horde, Roundcube, and Zimbra were already known and patched."
According to ESET, Sednit sends emails containing XSS exploits, which, once opened by the target in a vulnerable webmail portal, execute malicious JavaScript in the context of the user's session. This technique gives attackers access to only the data available through the compromised account, such as credentials, contacts, and email messages.
The success of this form of attack relies on convincing recipients to open the malicious email in their webmail client. The spearphishing emails are crafted to evade spam filters and employ credible subject lines mimicking news headlines. ESET's findings identified fake headlines such as: "SBU arrested a banker who worked for enemy military intelligence in Kharkiv" and "Putin seeks Trump's acceptance of Russian conditions in bilateral relations". The emails often cited well-known news outlets like Ukraine's Kyiv Post and Bulgaria's News.bg to increase believability.
ESET reports that various JavaScript payloads, including SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA, are deployed depending on the targeted platform. These tools are able to steal webmail credentials, exfiltrate contact lists and address books, and access email correspondence. Of particular note, the SpyPress.MDAEMON variant can bypass two-factor authentication protections by extracting the authentication secret and creating an app-specific password, permitting attackers direct mailbox access via a mail application.
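The delivery vector described above is an HTML email whose body carries active content that a vulnerable webmail client renders unsanitized. As an added illustration, not code from ESET's report or from any of the webmail projects named, the following Python triage scanner walks a message's MIME parts and flags HTML bodies containing script tags, inline event handlers, or javascript:/data: URLs; the two sample messages and the `example.test` addresses are constructed for this demonstration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructs that indicate active content inside an HTML mail body. A webmail
# client that renders these without sanitizing them runs the script in the
# reader's session, which is the mechanism the campaign relies on.
ACTIVE_CONTENT = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\s+on[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"(?:href|src|action)\s*=\s*[\"']?\s*javascript:", re.I),
    "data_html_url": re.compile(r"(?:href|src)\s*=\s*[\"']?\s*data:text/html", re.I),
    "svg_or_math": re.compile(r"<\s*(?:svg|math)\b", re.I),
}

def scan_message(raw: str) -> list:
    """Return (part_index, pattern_name) pairs for every HTML part that
    contains active content. Indices follow EmailMessage.walk() order."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() != "text/html":
            continue
        body = part.get_content()  # decoded text of the part
        for name, pattern in ACTIVE_CONTENT.items():
            if pattern.search(body):
                findings.append((idx, name))
    return findings

def is_suspect(raw: str) -> bool:
    """True when any HTML part carries active content; useful as a quarantine
    signal ahead of the webmail server. Entity-encoded or otherwise obfuscated
    markup is not decoded here, so treat a clean result as triage, not proof."""
    return bool(scan_message(raw))

# Constructed sample: plain newsletter-style HTML with an ordinary link.
BENIGN = """From: newsdesk@example.test
To: analyst@example.test
Subject: Daily headlines
Content-Type: text/html; charset=utf-8

<html><body><p>Read today's <a href="https://example.test/news">news</a>.</p></body></html>
"""

# Constructed sample: same lure, but the HTML alternative carries an event
# handler on a broken image, which a vulnerable client would execute.
SUSPECT = """From: newsdesk@example.test
To: analyst@example.test
Subject: Daily headlines
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Read today's news.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Read today's news.</p>
<img src="x" onerror="/* payload placeholder */">
</body></html>
--b1--
"""
```

Run the scanner at a mail gateway or over an existing mailbox export; in the multipart sample the finding is reported against part index 2, the HTML alternative.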
Faou expanded further on the attackers' motivations and the vulnerabilities exploited, adding: "Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups, including Sednit, GreenCube, and Winter Vivern. Because many organizations don't keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft."
The Sednit group, also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy, has a documented history of cyberespionage dating back to at least 2004. The group has been previously named by the U.S. Department of Justice as responsible for the Democratic National Committee breach preceding the 2016 U.S. elections and has links to the GRU, Russia's military intelligence agency. Other high-profile attacks attributed to Sednit include the compromise of TV5Monde and the World Anti-Doping Agency email leak, among other incidents.