Operation RoundPress: Cyber security firm ESET uncovers Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities to spy on Ukraine (web.archive.org)
from Hotznplotzn@lemmy.sdf.org to cybersecurity@sh.itjust.works on 19 May 07:37
https://lemmy.sdf.org/post/34854914

cross-posted from: lemmy.sdf.org/post/34854863

Archived

  • In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page.
  • In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
  • For MDaemon, Sednit used a zero-day XSS vulnerability. We reported the vulnerability to the developers on November 1st, 2024, and it was patched in version 24.5.1.
  • Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.
  • The report provides an analysis of the JavaScript payloads SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.
  • These payloads are able to steal webmail credentials and exfiltrate contacts and email messages from the victim’s mailbox. Additionally, SpyPress.MDAEMON is able to set up a bypass for two-factor authentication.

#cybersecurity
