{"id":3196,"date":"2025-05-15T13:02:00","date_gmt":"2025-05-15T13:02:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3196"},"modified":"2025-05-15T13:02:00","modified_gmt":"2025-05-15T13:02:00","slug":"alternatives-to-microsoft-outlook-webmail-come-under-attack-in-europe","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3196","title":{"rendered":"Alternatives to Microsoft Outlook webmail come under attack in Europe"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs need to ensure that web email clients and browsers are kept up to date following the discovery of cross site scripting attacks on organizations running webmail clients such as Roundcube, Horde, MDaemon, and Zimbra.<\/p>\n<p>The alert came today from researchers at ESET, who, after seeing attacks on government and defense organizations in Ukraine, Romania, and Bulgaria, believe a Russian-based threat actor is going after entities that support Ukraine.<\/p>\n<p>The goal is to steal webmail credentials and exfiltrate contacts and email messages from the victim\u2019s mailbox. Many of the targeted firms produce Soviet-era weapons.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/566789\/what-is-spear-phishing-examples-tactics-and-techniques.html\">spear phishing<\/a> attacks lead to the execution of malicious JavaScript code in the webmail client, so anything in the victim\u2019s account can be read and exfiltrated.<\/p>\n<p>The malware also deposits implants called SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA (depending on the victim\u2019s email system) which can steal login credentials, exfiltrate address books, contacts, and login history. 
SpyPress.MDAEMON is able to set up a <a href=\"https:\/\/www.csoonline.com\/article\/570795\/how-to-hack-2fa.html\">bypass for two-factor authentication<\/a> protection; it exfiltrates the two-factor authentication secret, and creates an App Password, which enables the attackers to access the mailbox from a mail application.<\/p>\n<p>The malware is tailored to evade spam filters.<\/p>\n<p>Among the headlines used in spear phishing messages were: \u201cSBU [Ukraine\u2019s security service] arrested a banker who worked for enemy military intelligence in Kharkiv\u201d and \u201cPutin seeks Trump\u2019s acceptance of Russian conditions in bilateral relations\u201d.<\/p>\n<p>Although most victims are governmental entities and defense companies in Eastern Europe, the researchers have seen government employees in other parts of Europe, Africa, and South America hit as well.<\/p>\n<p>The suspected threat actor is dubbed Sednit by ESET, and is better known to the security community as\u00a0 <a href=\"https:\/\/www.csoonline.com\/article\/3975346\/russian-apt28-hackers-have-redoubled-efforts-during-ukraine-war-says-french-security-agency.html\" target=\"_blank\" rel=\"noopener\">Fancy Bear or APT28<\/a>.<\/p>\n<p>ESET calls the campaign <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/operation-roundpress\/\" target=\"_blank\" rel=\"noopener\">Operation RoundPress<\/a>. It exploits unpatched Roundcube systems for a vulnerability, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2023-43770\" target=\"_blank\" rel=\"noopener\">CVE-2023-43770<\/a>,\u00a0says ESET researcher Matthieu Faou. 
The MDaemon vulnerability, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-11182\" target=\"_blank\" rel=\"noopener\">CVE-2024-11182<\/a>, now patched, was a zero-day, he added, while the ones for Horde, Roundcube, and Zimbra were already known and patched.<\/p>\n<p>Email clients are a very popular attack vector, as many not only process emails, but also store a local cached copy of entire mailboxes, attachments (unstructured files), and similar confidential information, Ed Dubrovsky, chief operating officer of international incident response firm Cypfer, told CSO. \u201cThey are a very attractive target as in many cases cached credentials to the mail system exist in the client.\u00a0<\/p>\n<p>Last, but certainly not least, access to a client provides access to sending email, which might lead to a compromise of adjacent accounts, such as people who can be influenced by the sender.\u201d\u00a0<\/p>\n<p>Using a leading email client such as Microsoft Outlook doesn\u2019t eliminate all risk around the application, he added, but simply offers a more structured and possibly secure development environment.<\/p>\n<p>On the other hand, he said, smaller email clients can provide better privacy and might be less bulky in terms of features, but they also might be less functional and may introduce an increased risk of security vulnerabilities, because their development teams are usually smaller and use less sophisticated tooling to provide assurance around security.\u00a0<\/p>\n<p>One consideration for CISOs, he added: Many of these smaller commercial or open source clients don\u2019t collect personal information, which makes them more privacy oriented.\u00a0<\/p>\n<p>\u201cIn terms of this specific vulnerability,\u201d Dubrovsky said, \u201cwe have to remember that email clients are not security controls, and regardless of the client type require additional controls at the endpoint to provide additional layers of security.\u201d\u00a0<\/p>\n<p>He recommends CISOs 
assess their email vendors, especially at the enterprise level where vendor management programs exist, for a fit in the security layer. \u201cOnce a decision is made, it is important to understand how the developer will address vulnerabilities and how quickly patches will be made available for deployment,\u201d he added.<\/p>\n<p>Finally, he said, ensure that robust multi-layer security surrounds these applications, given the sensitive nature of the data they contain and the possible risk from outside parties.\u00a0<\/p>\n<p>\u201cOver the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern,\u201d said ESET\u2019s Faou. \u201cBecause many organizations don\u2019t keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft.\u201d<\/p>\n<p>The most important thing for CISOs is to keep the webmail applications up to date, he said. \u201cWhile we do mention in our research the use of zero-day vulnerabilities, in most of the incidents we analyzed, only known vulnerabilities, which had been patched for months, were used. Another hardening avenue, but probably too extreme for most organizations, is to forbid HTML content in emails, and just display raw text. However, this would prevent the use of some functionalities such as text formatting (bold, italic, etc.) or the inclusion of hyperlinks.\u201d<\/p>\n<p>Webmail can be described as a website that displays untrusted HTML content in a browser, he said. While most webmail systems sanitize the content to remove harmful HTML elements, which could execute JavaScript code, ESET\u2019s research shows that the sanitizers are not without flaws and that attackers are able to bypass them. 
As a result, he said, by sending a specially crafted email, attackers are able to execute arbitrary JavaScript code in the context of their target\u2019s browser. While this doesn\u2019t lead to compromise of the computer, he pointed out, executing JavaScript code in the context of the browser makes it possible to steal information from the mailbox, for example emails or the list of contacts.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs need to ensure that web email clients and browsers are kept up to date following the discovery of cross site scripting attacks on organizations running webmail clients such as Roundcube, Horde, MDaemon, and Zimbra. The alert came today from researchers at ESET, who, after seeing attacks on government and defense organizations in Ukraine, Romania, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3190,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3196","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3196"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3196"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3196\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3190"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3196"}]
,"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}