Hackers are running cyber-espionage campaigns worldwide, exploiting zero-day and n-day flaws in webmail servers to steal emails from high-value government organizations.
ESET researchers, who uncovered the operation and dubbed it RoundPress, attribute it with medium confidence to the Russian state-sponsored hackers APT28 (aka "Fancy Bear" or "Sednit").
The campaign began in 2023 and continued into 2024 with the adoption of new exploits, targeting Roundcube, Horde, MDaemon and Zimbra.
Notable targets include governments in Greece, Ukraine, Serbia and Cameroon, military units in Ukraine and Ecuador, defense companies in Ukraine, Bulgaria and Romania, and critical infrastructure in Ukraine and Bulgaria.

Source: ESET
Open the email, data is stolen
The attack begins with a spear-phishing email that references current news or political events and often includes excerpts from news articles to add credibility.
A malicious JavaScript payload embedded in the HTML body of the email triggers the exploitation of a cross-site scripting (XSS) vulnerability in the webmail page the recipient uses to read it.
All that is required of the victim is to open the email to view it; no other interaction such as a click, a redirection or data input is needed for the malicious JavaScript to execute.

Source: ESET
The payload has no persistence mechanism, so it executes only while the malicious email is open.
The script steals the credentials stored for the victim's email accounts by tricking browsers or password managers into autofilling them.

Source: ESET
It also reads the DOM or sends HTTP requests to collect email messages, contacts, webmail settings, login history, two-factor authentication details and passwords.
The data is then exfiltrated to hardcoded command-and-control (C2) addresses using HTTP POST requests.
Each script has a slightly different set of capabilities, tailored to the product it targets.
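The following is an added example, not ESET's code or any webmail vendor's, of the gateway-side check a defender can run on incoming mail against the delivery mechanism described above. It parses an RFC 5322 message with Python's standard library and flags the constructs a webmail XSS payload relies on: inline scripts, on* event-handler attributes, javascript: URLs, wrapper tags such as noembed and iframe, and markup smuggled in the X-Zimbra-Calendar-Intended-For header named later in this article. Both sample messages are constructed for the demonstration.

```python
"""Gateway-side scan for webmail-XSS bait in incoming mail.

Added example, not ESET's code or any webmail vendor's. It parses an
RFC 5322 message with the Python standard library and reports the
constructs an XSS payload of the kind described above relies on:
<script> elements, on* event-handler attributes, javascript: URLs,
wrapper tags such as <noembed>/<iframe>, and markup smuggled in the
X-Zimbra-Calendar-Intended-For header. Sample messages are constructed.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Tags that either execute code or are used to hide markup from a naive parser.
RISKY_TAGS = {"script", "noembed", "noframes", "iframe", "object", "embed",
              "svg", "meta", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
CALENDAR_HEADER = "X-Zimbra-Calendar-Intended-For"  # header name from the Zimbra CVE writeup


class _Finder(HTMLParser):
    """Collects findings in document order. HTMLParser unescapes attribute
    values for us, so an encoded javascript&#58; prefix is still caught."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in RISKY_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"handler:{tag}@{name}")
            elif name in URL_ATTRS and value.startswith("javascript:"):
                self.findings.append(f"jsurl:{tag}@{name}")


def scan_message(raw: bytes) -> list[str]:
    """Return the findings for one raw message; an empty list means nothing risky."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    cal = msg.get(CALENDAR_HEADER)
    if cal is not None and re.search(r"[<>\"']", str(cal)):
        findings.append(f"header:{CALENDAR_HEADER}")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = _Finder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings


# Constructed sample: a "news" lure carrying the markup the scan should flag.
BAIT = b"""From: newsdesk@example.invalid
To: analyst@example.invalid
Subject: Breaking: election update
X-Zimbra-Calendar-Intended-For: <b>x</b>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Excerpt from a news article, quoted to add credibility...</p>
<img src="x" onerror="/* constructed marker, no real payload */">
<a href="javascript:void(0)">read more</a>
<noembed>hidden fallback</noembed>
</body></html>
"""

# Constructed sample: a legitimate HTML newsletter.
BENIGN = b"""From: newsdesk@example.invalid
To: analyst@example.invalid
Subject: Weekly digest
Content-Type: text/html; charset=utf-8

<html><body><p>Read the <a href="https://example.invalid/story">full story</a>.</p></body></html>
"""

if __name__ == "__main__":
    print("bait   :", scan_message(BAIT))
    print("benign :", scan_message(BENIGN))
```

A check like this belongs at the mail gateway, where it can quarantine or strip the HTML part before a webmail client ever renders it; it is a detection aid, not a substitute for patching the webmail product, since a parser differential between this scanner and the webmail's own HTML handling is exactly what bugs such as the MDaemon noembed flaw exploit.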
Targeted vulnerabilities
Operation RoundPress targeted several XSS flaws in various webmail products commonly used by high-profile organizations to inject its malicious JS scripts.
The exploitation ESET links to this campaign involves the following flaws:
- Roundcube CVE-2020-35730: A stored XSS flaw that the hackers exploited in 2023 by embedding JavaScript directly in the body of an email. When the victim opened the email in a browser-based webmail session, the script executed in their context, enabling credential and data theft.
- Roundcube CVE-2023-43770: An XSS vulnerability in how Roundcube handled hyperlink text, leveraged in early 2024. Improper sanitization allowed the attackers to inject
- MDaemon CVE-2024-11182: A zero-day XSS flaw in the HTML parser of the MDaemon email server, exploited by the hackers at the end of 2024. By crafting a malformed title with a noembed tag, the attacker could embed a hidden payload that executes JavaScript. This enabled persistent access through credential theft, 2FA bypass and app passwords.
- Horde – unknown XSS: APT28 tried to exploit an old XSS vulnerability in Horde by placing a script inside a handler. However, the attempt failed, possibly due to the built-in filtering in modern Horde versions. The exact flaw is unconfirmed, but it appears to have been patched in the meantime.
- Zimbra CVE-2024-27443: An XSS vulnerability in Zimbra's calendar invite handling that had not previously been flagged as actively exploited. Input from the X-Zimbra-Calendar-Intended-For header allowed JavaScript injection into the calendar UI. APT28 embedded a hidden script which, when the invite is opened, decodes and executes base64-encoded JavaScript.
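Every flaw in the list above is a failure of the webmail's HTML handling to neutralize attacker-controlled markup before rendering. The following added example, which is not code from Roundcube, Horde, MDaemon or Zimbra, contrasts the deny-list approach (delete `<script>` and pass the rest through) with an allow-list rebuild that re-emits the message from scratch using only known-safe tags, attributes and URL schemes, so event handlers, javascript: links and noembed-wrapped markup never reach the browser. The sample message body is constructed.

```python
"""Allow-list HTML sanitizer for a webmail reading pane.

Added example; not code from Roundcube, Horde, MDaemon or Zimbra. It
contrasts a deny-list filter (remove <script> blocks only) with an
allow-list rebuild in which the message is re-emitted from scratch using
only known-safe tags, attributes and URL schemes. The sample body is
constructed.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "span", "div", "table", "thead", "tbody",
                "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
# Elements whose *content* must be dropped too, not just their tags.
DROP_WITH_CONTENT = {"script", "style", "noembed", "noframes", "iframe", "object",
                     "embed", "template", "title"}
VOID_TAGS = {"br", "img"}
SAFE_URL = re.compile(r"^(https?:|mailto:|cid:)", re.IGNORECASE)


def denylist_strip_script(html: str) -> str:
    """The inadequate approach: delete <script> blocks and pass everything else through."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html)


class _Rebuilder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            name, value = name.lower(), (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # on* handlers, style, etc. are never on the allow-list
            if name in ("href", "src") and not SAFE_URL.match(value):
                continue  # javascript:, data: and relative URLs are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "img" and not any(a.startswith(" src=") for a in kept):
            return  # an image without a safe source is pointless
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape all text


def sanitize(html: str) -> str:
    """Rebuild the message body from allowed elements only."""
    r = _Rebuilder()
    r.feed(html)
    r.close()
    return "".join(r.out)


# Constructed lure body combining the constructs the exploits above relied on.
BAIT = ('<p>Excerpt from a news article.</p>'
        '<script>/* constructed marker */</script>'
        '<img src="x" onerror="/* constructed marker */">'
        '<noembed><a href="javascript:void(0)">hidden</a></noembed>'
        '<a href="javascript:void(0)">click</a>'
        '<a href="https://example.invalid/story">story</a>')

if __name__ == "__main__":
    print("deny-list :", denylist_strip_script(BAIT))
    print("allow-list:", sanitize(BAIT))
```

The deny-list output still contains the onerror handler, the javascript: link and the noembed wrapper; the allow-list output is `<p>Excerpt from a news article.</p><a>click</a><a href="https://example.invalid/story">story</a>`. Rebuilding from a parsed tree rather than editing the original string is the design choice that matters: it removes the parser-differential surface that malformed-title and noembed tricks depend on, because nothing the sanitizer did not itself emit ever reaches the browser.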
Although ESET does not report any RoundPress activity for 2025, the hackers' methods could easily be reused this year, as there is a constant supply of new XSS flaws in popular webmail products.