The "RoundPress" cyberespionage campaign targets high-value government and military organizations worldwide by exploiting webmail server vulnerabilities with malicious JavaScript. The attacks, attributed with medium confidence to the Russian state-sponsored group APT28, continue to evolve with new exploits in 2024.
Affected: government organizations, military units, defense companies, critical infrastructure
Key points
- The campaign uses spear-phishing emails that reference genuine news stories to deliver malicious scripts.
- It exploits multiple cross-site scripting (XSS) vulnerabilities in widely used webmail platforms such as Roundcube, Horde, MDaemon, and Zimbra.
- The malicious JavaScript collects email content, contacts, and other sensitive data and exfiltrates it to command-and-control servers.
- Targeted vulnerabilities include CVE-2020-35730, CVE-2023-43770, CVE-2024-11182, and CVE-2024-27443.
- The campaign underlines the importance of patching webmail vulnerabilities promptly to prevent credential theft and espionage.
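Because the payload in this campaign arrives as active content inside an email body that a webmail client should have neutralised, a mail gateway or incident responder can triage stored messages for such content. The following is an added example, not code from the report or from any of the affected products; the indicator patterns and the two sample messages are constructed for illustration.

```python
import email
import re
from email import policy

# Indicators of active content in a mail body. A webmail client is expected
# to strip these; a message that still carries them is worth a closer look.
# Constructed for this example, not a vendor or product ruleset.
ACTIVE_CONTENT = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\s(on\w+)\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.I),
    "srcdoc_iframe": re.compile(r"<\s*iframe\b[^>]*\bsrcdoc\s*=", re.I),
    "svg_or_object": re.compile(r"<\s*(?:svg|object|embed)\b", re.I),
}

def scan_message(raw: bytes) -> dict:
    """Parse an RFC 822 message and return, per text part (keyed by its
    content type), the sorted names of the active-content indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # attachments and multipart containers are skipped
        body = part.get_content()
        hits = sorted(name for name, rx in ACTIVE_CONTENT.items() if rx.search(body))
        if hits:
            findings[part.get_content_type()] = hits
    return findings

# Constructed sample: a multipart message whose HTML part hides script
# execution in an event handler and in an iframe srcdoc attribute.
SAMPLE_SUSPICIOUS = (
    b"From: sender@example.test\r\nTo: analyst@example.test\r\n"
    b"Subject: Fwd: news article\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: multipart/alternative; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee the article below.\r\n"
    b"--b1\r\nContent-Type: text/html\r\n\r\n"
    b"<p>See article</p><img src=x onerror=\"void 0\">"
    b"<iframe srcdoc=\"&lt;script&gt;\"></iframe>\r\n"
    b"--b1--\r\n"
)

# Constructed sample: an ordinary HTML newsletter with a plain hyperlink.
SAMPLE_CLEAN = (
    b"From: sender@example.test\r\nTo: analyst@example.test\r\n"
    b"Subject: news\r\nMIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n"
    b"<p>Read the <a href=\"https://news.example.test/story\">story</a>.</p>\r\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE_SUSPICIOUS))
    print(scan_message(SAMPLE_CLEAN))
```

A hit only means the body still contains active content after delivery; treat it as a triage signal to pull the message for analysis, not as proof of exploitation.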