Operation RoundPress targeting high-value webmail servers

SUMMARY :

ESET researchers have uncovered a Russia-aligned espionage operation named RoundPress, targeting high-value webmail servers through XSS vulnerabilities. The campaign, attributed to the Sednit group, aims to steal confidential data from specific email accounts. Initially focused on Roundcube in 2023, the operation expanded to include Horde, MDaemon, and Zimbra in 2024. The attackers exploit various vulnerabilities, including a zero-day in MDaemon, to inject malicious JavaScript code into victims' webmail pages. Targets include governmental entities and defense companies in Eastern Europe, with some victims in Africa, Europe, and South America. The malware, known as SpyPress, can steal webmail credentials, exfiltrate contacts and email messages, and in some cases, bypass two-factor authentication.

OPENCTI LABELS :

espionage,russia,xss,zero-day,spypress.roundcube,spypress.mdaemon,cve-2023-43770,cve-2024-27443,cve-2024-11182,spypress.zimbra,spypress.horde


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Operation RoundPress targeting high-value webmail servers