Operation RoundPress is a sophisticated cyber espionage campaign conducted by the Sednit group, aligned with Russian interests, targeting high-value webmail servers widely used in governmental and defense sectors. The campaign exploits multiple cross-site scripting (XSS) vulnerabilities, including a zero-day vulnerability in MDaemon (CVE-2023-23397) and other vulnerabilities identified by CVE-2024-11182, CVE-2024-27443, and CVE-2023-43770 affecting popular webmail platforms such as Roundcube, Horde, MDaemon, and Zimbra. By injecting malicious JavaScript payloads (SpyPress malware) directly into the webmail interfaces, attackers can harvest user credentials, email contents, contact lists, and circumvent two-factor authentication mechanisms, enabling persistent access and data exfiltration. The attack chain involves exploiting these XSS flaws to execute scripts in the context of the victim’s browser session, allowing stealthy credential theft and session hijacking. The campaign targets primarily Eastern European governmental and defense entities, reflecting a strategic focus on critical communication infrastructure, but also includes victims in Africa, Europe, and South America. Despite no public exploits being reported, the threat remains active and evolving, emphasizing the need for proactive defense. The attackers maintain persistence by chaining multiple vulnerabilities and leveraging the webmail platforms’ trust boundaries. The technical complexity and targeted nature of the campaign indicate a high level of adversary sophistication and intent to conduct long-term espionage operations.

For European organizations, particularly in Eastern Europe, the impact of Operation RoundPress is significant. Compromise of webmail servers used by government and defense entities can lead to severe breaches of confidentiality, exposing sensitive communications, strategic plans, and personal data of officials. The ability to bypass two-factor authentication increases the risk of unauthorized access and lateral movement within networks. Data exfiltration of emails and contacts can facilitate further espionage, social engineering, and disruption of diplomatic or defense operations. The persistence of the malware and exploitation of multiple vulnerabilities complicate detection and remediation efforts, potentially leading to prolonged exposure. The campaign’s focus on critical communication infrastructure threatens national security and undermines trust in digital services. Additionally, the presence of the threat in other European countries and continents indicates a broader risk to multinational organizations with interconnected communication systems.

European organizations should prioritize immediate patching of all known vulnerabilities in affected webmail platforms, including applying updates for MDaemon, Roundcube, Horde, and Zimbra as soon as they become available. Deploying advanced web application firewalls (WAFs) with tailored rules to detect and block malicious JavaScript injections and anomalous webmail traffic is critical. Organizations should implement strict Content Security Policies (CSP) to restrict execution of unauthorized scripts within webmail interfaces. Continuous monitoring for unusual JavaScript activity, abnormal login patterns, and data exfiltration attempts should be established using behavioral analytics and endpoint detection tools. Multi-factor authentication mechanisms should be reviewed and strengthened, including the use of hardware tokens or phishing-resistant methods. Incident response plans must include procedures for forensic analysis of webmail servers and rapid containment of infections. Network segmentation and limiting administrative access to webmail servers can reduce the attack surface. Finally, organizations should engage in threat intelligence sharing to stay informed about evolving tactics and indicators related to Operation RoundPress.