Operation RoundPress targeting high-value webmail servers
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Operation RoundPress is a Russia-aligned espionage campaign targeting webmail servers through XSS vulnerabilities. The attackers, believed to be the Sednit group, use spearphishing emails to exploit vulnerabilities in Roundcube, Horde, MDaemon, and Zimbra webmail software. Their goal is to steal confidential data from specific email accounts. The operation expanded its targets in 2024, using both known and zero-day vulnerabilities. Victims include government entities and defense companies, primarily in Eastern Europe. The attackers employ various JavaScript payloads (SpyPress) to steal credentials, exfiltrate contacts and emails, and in some cases bypass two-factor authentication. The campaign demonstrates the ongoing threat to organizations with outdated webmail servers.
OPENCTI LABELS :
espionage,data exfiltration,xss,credential theft,zero-day,spearphishing,webmail,eastern europe,spypress.roundcube,spypress.mdaemon,cve-2023-43770,cve-2024-27443,cve-2024-11182,spypress.zimbra,spypress.horde