Operation RoundPress: Cyber security firm ESET uncovers Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities to spy on Ukraine
(web.archive.org)
from Hotznplotzn@lemmy.sdf.org to cybersecurity@infosec.pub on 19 May 09:35
https://lemmy.sdf.org/post/34854863
Archived
- In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page.
- In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
- For MDaemon, Sednit used a zero-day XSS vulnerability. We reported the vulnerability to the developers on November 1st, 2024 and it was patched in version 24.5.1.
- Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.
- The report provides an analysis of the JavaScript payloads SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.
- These payloads are able to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox. Additionally, SpyPress.MDAEMON is able to set up a bypass for two-factor authentication.