Russia-Linked APT28 Exploits MDaemon Zero-Day to Target Government Webmail Servers

May 15, 2025
Vulnerability / Email Security

A cyber espionage operation associated with a Russian threat actor is reportedly compromising webmail servers, including Roundcube, Horde, MDaemon, and Zimbra, by exploiting cross-site scripting (XSS) vulnerabilities, notably a zero-day flaw in MDaemon. This activity, coded as Operation RoundPress by ESET, began in 2023 and has been linked with moderate confidence to the state-sponsored hacking group APT28, also known by various names such as BlueDelta, Fancy Bear, and Sednit.

“The primary objective of this operation is to extract sensitive data from targeted email accounts,” stated ESET researcher Matthieu Faou in a report shared with The Hacker News. “While most victims are governmental and defense entities in Eastern Europe, we have also noted targets across Africa, Europe, and beyond.”

Russia-Linked APT28 Exploits MDaemon Zero-Day to Compromise Government Webmail Servers

On May 15, 2025, ESET released a report detailing a cyber espionage campaign attributed to a Russia-linked threat actor targeting webmail servers, including Roundcube, Horde, MDaemon, and Zimbra. This operation, dubbed Operation RoundPress, has been under investigation since it commenced in 2023. The findings highlight the exploitation of cross-site scripting (XSS) vulnerabilities, notably a previously unknown zero-day flaw in MDaemon.

APT28, also known by various names such as BlueDelta, Fancy Bear, and Sednit, is a hacking group believed to be sponsored by the Russian state. ESET has assessed this attribution with medium confidence. According to researcher Matthieu Faou, the primary objective of this operation is to illicitly acquire sensitive information from specific email accounts, predominantly targeting entities within governmental sectors and defense companies located in Eastern Europe.

In terms of geographical scope, while the majority of victims are centered in Eastern Europe, evidence suggests that the campaign has also extended its reach to governments in Africa and parts of Western Europe. This broad targeting indicates a calculated effort to compromise a wide array of stakeholders within both regional and international networks.

Understanding the tactics employed in this attack through the lens of the MITRE ATT&CK framework reveals several relevant adversary techniques. Initial access may have been achieved through exploiting the previously mentioned zero-day vulnerability, facilitating entry into the webmail servers. Once access was established, the attackers could leverage persistence mechanisms to maintain their presence within compromised systems. Furthermore, privilege escalation techniques may have been employed to gain higher-level access to more sensitive data.

As organizations increasingly rely on digital communications, the implications of such vulnerabilities become ever more significant. The ongoing risk posed by advanced persistent threats, particularly those state-sponsored, underscores the necessity for robust cybersecurity measures. Organizations are urged to remain vigilant, ensuring that their systems are patched against known vulnerabilities and that they adopt comprehensive threat detection and response strategies.

In light of these developments, it is crucial for business owners and cybersecurity professionals to prioritize security awareness and proactive measures, particularly in sectors that may be deemed high-value targets. The evolving landscape of cyber threats requires not just reactive responses but also a commitment to understanding and mitigating risks posed by sophisticated adversaries, such as those in APT28.

Source link

Related Posts

Samsung Addresses CVE-2025-4632, Exploited in the Wild for Mirai Botnet Deployment Through MagicINFO 9 Vulnerability

May 14, 2025
Vulnerability / Malware

Samsung has issued software updates to fix a critical security vulnerability in MagicINFO 9 Server that has been actively targeted. Identified as CVE-2025-4632 (CVSS score: 9.8), this path traversal flaw allows attackers to write arbitrary files with system-level permissions. According to the advisory, the vulnerability arises from “improper limitation of a pathname to a restricted directory” in versions before 21.1052 of the MagicINFO 9 Server. Notably, CVE-2025-4632 serves as a patch bypass for a previously addressed vulnerability, CVE-2024-7399, which was mitigated by Samsung in August 2024. Shortly after a proof-of-concept was released by SSD Disclosure on April 30, 2025, CVE-2025-4632 began to be exploited in the wild, with reports of it being used to deploy the Mirai botnet. Initial investigations into these attacks mistakenly pointed to CVE-2024-7399, but cybersecurity firm Huntress later clarified the situation.

New Intel CPU Vulnerabilities Uncovered: Memory Leaks and Spectre v2 Exploits Persist

May 16, 2025
Hardware Security / Vulnerability

Researchers at ETH Zürich have identified a critical new security flaw that affects all modern Intel CPUs, allowing the leakage of sensitive data from memory. This latest vulnerability, dubbed Branch Privilege Injection (BPI), showcases that the Spectre threat continues to impact computer systems over seven years after its initial discovery. According to ETH Zürich, BPI can be exploited to manipulate the CPU’s prediction calculations, granting unauthorized access to information from other users on the same processor. Kaveh Razavi, head of the Computer Security Group (COMSEC) and a co-author of the study, noted that this flaw affects all Intel processors, potentially allowing malicious actors to access the cache contents and working memory of different users sharing the CPU. The attack exploits Branch Predictor Race Conditions (BPRC), which arise when a processor alternates between prediction calculations for multiple users.

Security Flaw in AWS Default IAM Roles Threatens Lateral Movement and Cross-Service Exploitation

Researchers in cybersecurity have identified concerning default identity and access management (IAM) roles within Amazon Web Services (AWS) that could potentially allow attackers to escalate privileges, manipulate other AWS services, and even compromise accounts entirely. According to Aqua researchers Yakir Kadkoda and Ofek Itach, “These roles, typically created automatically or suggested during setup, grant excessively broad permissions, including full access to S3.” They warn that these default roles create silent attack vectors for privilege escalation and cross-service access, leading to possible account breaches. The cloud security firm pinpointed vulnerabilities in default IAM roles established by AWS services such as SageMaker, Glue, EMR, and Lightsail. A similar issue has also been detected in the widely-used open-source framework Ray, which generates a default IAM role (ray-autoscaler-v1) that includes the AmazonS3FullAccess policy.

Russian Hackers Target Ukraine Aid Logistics Through Email and VPN Vulnerabilities

May 21, 2025
Cyber Espionage / Vulnerability

State-sponsored Russian cyber actors have been linked to a campaign focused on Western logistics and tech firms since 2022. This activity is attributed to APT28 (also known as BlueDelta, Fancy Bear, or Forest Blizzard), connected to the Russian GRU’s 85th Main Special Service Center, Military Unit 26165. Key targets include companies involved in the coordination and delivery of international aid to Ukraine, as highlighted in a joint advisory from agencies across Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States. The bulletin notes that this cyber-espionage campaign employs a range of previously identified tactics and is likely linked to broader efforts aimed at IP cameras in Ukraine and neighboring NATO countries.