Operation RoundPress is a Russia-aligned espionage campaign targeting webmail servers through XSS vulnerabilities. The attackers, believed to be the Sednit group, use spearphishing emails to exploit vulnerabilities in Roundcube, Horde, MDaemon, and Zimbra webmail software. Their goal is to steal confidential data from specific email accounts. The operation expanded its targets in 2024, using both known and zero-day vulnerabilities. Victims include government entities and defense companies, primarily in Eastern Europe. The attackers employ various JavaScript payloads (SpyPress) to steal credentials, exfiltrate contacts and emails, and in some cases bypass two-factor authentication. The campaign demonstrates the ongoing threat to organizations with outdated webmail servers.
Author: AlienVault
Related Tags:
Cameroon
cve-2024-11182
cve-2024-27443
cve-2023-43770
eastern europe
webmail
SpyPress.ZIMBRA
SpyPress.ROUNDCUBE
SpyPress.MDAEMON
Associated Indicators:
60D592765B0F4E08078D42B2F3DE4F5767F88773
8EBBBC9EB54E216EFFB437A28B9F2C7C9DA3A0FA
B6C340549700470C651031865C2772D3A4C81310
A5948E1E45D50A8DB063D7DFA5B6F6E249F61652
2664593E2F5DCFDA9AAA1A2DF7C4CE7EEB1EDBB6
41FE2EFB38E0C7DD10E6009A68BD26687D6DBF4C
EBF794E421BE60C9532091EB432C1977517D1BE5
AD3C590D1C0963D62702445E8108DB025EEBEC70
8E6C07F38EF920B5154FD081BA252B9295E8184D