RoundPress Spies Hack Webmail in Global Campaign

RoundPress Targets Global Governments

RoundPress, a sophisticated cyberespionage campaign, compromises webmail accounts to steal sensitive data. Attackers exploit cross-site scripting (XSS) vulnerabilities in webmail platforms such as Roundcube and Zimbra. Targets include governments in Greece, Ukraine, and Serbia. Active since 2023, the campaign persisted with new exploits in 2024.

Spear-Phishing as the Entry Point

The attack begins with spear-phishing emails themed around current political events. These emails embed malicious JavaScript payloads in their HTML. When a victim opens one in a vulnerable webmail client, the script runs through an XSS flaw in the interface. No additional clicks or input are required for the attack.

Stealing Data with Precision

The malicious script creates hidden input fields to capture autofilled credentials. It also extracts email content, contacts, login histories, and two-factor authentication details. The stolen data is sent to attacker-controlled servers via HTTP POST requests. Each payload is customized for a specific webmail platform.

Exploited Webmail Vulnerabilities

Hackers target multiple webmail systems with XSS flaws. In 2023, a Roundcube flaw allowed scripts in email bodies. In 2024, a zero-day MDaemon vulnerability enabled credential theft. Additionally, a Zimbra calendar flaw executed hidden code. However, an attempted Horde exploit failed due to updated filters.

Specific Flaws and Impact

A Roundcube vulnerability mishandled hyperlink text, allowing script injection. Zimbra’s calendar invites lacked input sanitization, enabling base64-encoded scripts. A report highlights how widespread such flaws are across webmail systems. Consequently, attackers gain access to sensitive government and military data with little effort.

Who’s Behind the Campaign?

Researchers link RoundPress to a Russian state-sponsored group with medium confidence. The group targets military units in Ukraine, defense firms in Romania, and infrastructure in Bulgaria. Its attacks exploit trust in widely used webmail platforms, and its adaptability makes it a persistent threat.

Why It’s Hard to Detect

RoundPress scripts lack persistence, executing only when emails are opened. They blend with legitimate webmail functions, evading detection. Therefore, organizations may not notice breaches until data is compromised. The campaign’s reliance on zero-day flaws adds to its stealth.

Preventing RoundPress Attacks

To counter RoundPress, patch webmail systems immediately. For example, update Roundcube, Zimbra, and MDaemon to fix XSS flaws. Train employees to spot phishing emails and use email filters to block suspicious messages. Additionally, enable two-factor authentication and monitor accounts for unusual activity. These measures protect against espionage and data theft.
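As an added illustration of the "email filters" measure (this is example code written for this page, not tooling from the researchers or any vendor), the scanner below walks an HTML email body and flags the constructs the campaign relied on: inline script elements, event-handler attributes, javascript: links, and base64 runs that decode to script, as in the calendar-invite case. The constants, function names, and the sample body are assumptions constructed here.

```python
import base64
import re
from html.parser import HTMLParser

B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # base64 runs long enough to hide markup

def decodes_to_script(text):
    """True if any base64 run in text decodes to markup containing <script."""
    for blob in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if "<script" in decoded.lower():
            return True
    return False

class EmailHtmlScanner(HTMLParser):
    """Collects constructs a webmail filter should treat as XSS indicators."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("inline <script> element")
        for name, value in attrs:  # names are lowercased by HTMLParser
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {tag} {name}")
            if value and decodes_to_script(value):
                self.findings.append(f"base64 in {tag} {name} decodes to <script>")

    def handle_data(self, data):
        # Catches base64 placed in text, e.g. inside an embedded calendar invite.
        if decodes_to_script(data):
            self.findings.append("base64 text decoding to <script>")

def scan_email_html(html):
    scanner = EmailHtmlScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample body (not from the campaign): a javascript: link, an inline
# script, an onload handler and a base64 attribute that decodes to a script.
SAMPLE_HTML = ('<p>Agenda</p><a href="javascript:void(0)">Read more</a>'
               '<script>var x = 1;</script><img src="x.png" onload="y()">'
               '<div data-ics="PHNjcmlwdD52YXIgeSA9IDE7PC9zY3JpcHQ+"></div>')
```

A filter that calls `scan_email_html` on each inbound body can quarantine any message with a non-empty result; the base64 check is deliberately conservative and only reports runs that decode to script markup.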
