Alternatives to Microsoft Outlook webmail come under attack in Europe

CISOs need to ensure that web email clients and browsers are kept up to date following the discovery of cross site scripting attacks on organizations running webmail clients such as Roundcube, Horde, MDaemon, and Zimbra.

The alert came today from researchers at ESET, who, after seeing attacks on government and defense organizations in Ukraine, Romania, and Bulgaria, believe a Russian-based threat actor is going after entities that support Ukraine.

The goal is to steal webmail credentials and exfiltrate contacts and email messages from the victim’s mailbox. Many of the targeted firms produce Soviet-era weapons.

The spear phishing attacks lead to the execution of malicious JavaScript code in the webmail client, so anything in the victim’s account can be read and exfiltrated.

The malware also deposits implants called SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA (depending on the victim’s email system) which can steal login credentials, exfiltrate address books, contacts, and login history. SpyPress.MDAEMON is able to set up a bypass for two-factor authentication protection; it exfiltrates the two-factor authentication secret, and creates an App Password, which enables the attackers to access the mailbox from a mail application.

The malware is tailored to evade spam filters.

Among the headlines used in spear phishing messages were: “SBU [Ukraine’s security service] arrested a banker who worked for enemy military intelligence in Kharkiv” and “Putin seeks Trump’s acceptance of Russian conditions in bilateral relations”.

Although most victims are governmental entities and defense companies in Eastern Europe, the researchers have seen government employees in other parts of Europe, Africa, and South America hit as well.

The suspected threat actor is dubbed Sednit by ESET, and is better known to the security community as  Fancy Bear or APT28.

ESET calls the campaign Operation RoundPress. It exploits unpatched Roundcube systems for a vulnerability, CVE-2023-43770, says ESET researcher Matthieu Faou. The MDaemon vulnerability, CVE-2024-11182, now patched, was a zero day, he added, while the ones for Horde, Roundcube, and Zimbra were already known and patched.

Email clients are a very popular attack vector, as many not only process emails, but also store a local cached copy of entire mailboxes, attachments (unstructured files), and similar confidential information, Ed Dubrovsky, chief operating officer of international incident response firm Cypfer, told CSO. “They are a very attractive target as in many cases cached credentials to the mail system exist in the client. 

Last, but certainly not least, access to a client provides access to sending email, which might lead to a compromise of adjacent accounts, such as people who can be influenced by the sender.” 

Using a leading email client such as Microsoft Outlook doesn’t eliminate all risk around the application, he added, but simply offers a more structured and possibly secure development environment.

On the other hand, he said, smaller email clients can provide better privacy and might be less bulky in terms of features, but they also might be less functional and may introduce increase risk of security vulnerability because their development teams are usually smaller and use less sophisticated tooling to provide assurance around security. 

One consideration for CISOs, he added: Many of these smaller commercial or open source clients don’t collect personal information, which makes them more privacy oriented. 

“In terms of this specific vulnerability,” Dubrovsky said, “we have to remember that email clients are not security controls, and regardless of the client type require additional controls at the endpoint to provide additional layers of security.” 

He recommends CISOs assess their email vendors, especially at the enterprise level where vendor management programs exist, for a fit in the security layer. “Once a decision is made, it is important to understand how the developer will address vulnerabilities and how quickly patches will be made available for deployment,” he added.

Finally, he said, ensure robust multi-layer security is surrounding these applications, given the sensitive nature of the data they contain and possible risk from outside parties. 

“Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern,” said ESET’s Faou. “Because many organizations don’t keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft.”

The most important thing for CISOs is to keep the webmail applications up to date, he said. “While we do mention in our research the use of zero-day vulnerabilities, in most of the incidents we analyzed, only known vulnerabilities, which had been patched for months, were used. Another hardening avenue, but probably too extreme for most organizations, is to forbid HTML content in emails, and just display raw text. However, this would prevent the use some functionalities such as text formatting (bold, italic, etc.) or the inclusion of hyperlinks.”

Webmail can be described as a website that displays untrusted HTML content in a browser, he said. While most webmail systems sanitize the content to remove harmful HTML elements, which could execute JavaScript code, ESET’s research shows that the sanitizers are not without flaws and that attackers are able to bypass them. As a result, he said, by sending a specially crafted email, attackers are able to execute arbitrary JavaScript code in the context of their target’s browser. While this doesn’t lead to the compromise of the computer, he pointed out, executing JavaScript code in the context of the browser enables to steal information from the mailbox, for example, emails or the list of contacts.