Threat actors, likely supported by the Russian government, hacked multiple high-value mail servers around the world by exploiting XSS vulnerabilities, a class of bug that was among the most commonly exploited in decades past.
XSS is short for cross-site scripting. Vulnerabilities result from programming errors found in webserver software that, when exploited, allow attackers to execute malicious code in the browsers of people visiting an affected website. XSS first got attention in 2005, with the creation of the Samy Worm, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. XSS exploits abounded for the next decade and have gradually fizzled more recently, although this class of attacks continues now.
Just add JavaScript
On Thursday, security firm ESET reported that Sednit, a Kremlin-backed hacking group also tracked as APT28, Fancy Bear, Forest Blizzard, and Sofacy—gained access to high-value email accounts by exploiting XSS vulnerabilities in mail server software from four different makers. Those packages are: Roundcube, MDaemon, Horde, and Zimbra.
The hacks most recently targeted mail servers used by defense contractors in Bulgaria and Romania, some of which are producing Soviet-era weapons for use in Ukraine as it fends off an invasion from Russia. Governmental organizations in those countries were also targeted. Other targets have included governments in Africa, the European Union, and South America.
RoundPress, as ESET has named the operation, delivered XSS exploits through spearphishing emails. Hidden inside some of the HTML in the emails was an XSS exploit. In 2023, ESET observed Sednit exploiting CVE-2020-43770, a vulnerability that has since been patched in Roundcube. A year later, ESET watched Sednit exploit different XSS vulnerabilities in Horde, MDaemon, and Zimbra. One of the now-patched vulnerabilities, from MDaemon, was a zero-day at the time Sednit exploited it.
