Roundcube Webmail XSS Vulnerability: How Hackers Are Stealing Login Credentials

Recent investigations have revealed that unidentified threat actors are attempting to exploit a recently patched security vulnerability in the open-source Roundcube webmail software, as part of a phishing campaign aimed at acquiring user credentials.

The findings, reported last month by the Russian cybersecurity firm Positive Technologies, indicate that an email was sent to a governmental organization in one of the Commonwealth of Independent States (CIS) countries. Notably, the original message dates back to June 2024.

As stated in an analysis published earlier this week, “The email was seemingly a blank message, with only an attached document.”

“However, the email client was unable to display the attachment. The email’s body included unique tags such as eval(atob(…)), which are responsible for decoding and executing JavaScript code.”

The attack sequence, according to Positive Technologies, is an attempt to exploit CVE-2024-37383 (with a CVSS score of 6.1), a stored cross-site scripting (XSS) vulnerability triggered via SVG animate attributes that can execute arbitrary JavaScript within the victim's web browser context.

In simpler terms, a remote attacker can inject arbitrary JavaScript and access confidential information just by persuading a recipient to open a crafted email. This vulnerability has been fixed in versions 1.5.7 and 1.6.7, released in May 2024.

Positive Technologies remarked, “By inserting JavaScript code as the value for ‘href’, we can execute it on the Roundcube page whenever a malicious email is accessed by a Roundcube client.”
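A defender-side check for the two indicators the article names, a `javascript:` URL in the `href` of an SVG animation element and an `eval(atob(...))` string in the message body, written as an added example in Python; it is not Roundcube's code or Positive Technologies' tooling. It assumes the HTML body of a message is available as a string (for instance from a mail gateway or a mailbox export) and runs over constructed sample messages whose encoded argument decodes to a harmless `alert()` call. As a generalization beyond the article's `animate` element, it also checks the other SVG animation elements (`animateTransform`, `animateMotion`, `set`), which accept the same `href` attribute.

```python
"""Scan an email HTML body for the indicators the article describes:
a javascript: URL in the href of an SVG animation element, and an
eval(atob("...")) string. Added example; not Roundcube or Positive
Technologies code."""
import base64
import re
from html.parser import HTMLParser

# SVG animation elements that accept an href / xlink:href target. The article
# names "animate"; the other three are the remaining SVG animation elements,
# included as a generalization (assumption, not from the article).
SVG_ANIMATION_TAGS = {"animate", "animatetransform", "animatemotion", "set"}
HREF_ATTRS = {"href", "xlink:href"}

# Matches eval(atob("<base64>")) as quoted in the article; group 1 is the
# base64 argument (whitespace inside it is tolerated and stripped later).
EVAL_ATOB_RE = re.compile(
    r"""eval\s*\(\s*atob\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)""",
    re.IGNORECASE,
)


def is_javascript_url(value):
    """True if the attribute value uses the javascript: scheme.

    Browsers drop leading whitespace and ASCII control characters while
    parsing the scheme, so the scheme may be hidden behind a tab or newline;
    strip those before the case-insensitive comparison.
    """
    if value is None:
        return False
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return cleaned.lower().startswith("javascript:")


class _AnimationHrefScanner(HTMLParser):
    """Collect SVG animation elements whose href resolves to javascript:."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags (<animate .../>) also arrive here via the default
        # handle_startendtag. Tag and attribute names are already lowercased
        # and attribute values already entity-decoded by HTMLParser.
        if tag not in SVG_ANIMATION_TAGS:
            return
        for name, value in attrs:
            if name in HREF_ATTRS and is_javascript_url(value):
                self.findings.append({
                    "indicator": "svg_animation_javascript_href",
                    "tag": tag, "attr": name, "value": value,
                })


def scan_email_html(html):
    """Return a list of finding dicts for one HTML message body."""
    scanner = _AnimationHrefScanner()
    scanner.feed(html)
    scanner.close()
    findings = list(scanner.findings)

    for match in EVAL_ATOB_RE.finditer(html):
        b64 = re.sub(r"\s+", "", match.group(1))
        try:
            # Decoded only for triage and reporting; it is never evaluated.
            decoded = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = None
        findings.append({
            "indicator": "eval_atob_payload",
            "decoded_preview": decoded[:80] if decoded is not None else None,
        })
    return findings


# Constructed sample messages (not captured from the campaign). The encoded
# argument in the malicious sample decodes to a harmless alert() call.
_DECOY = base64.b64encode(b"alert('constructed sample')").decode("ascii")

BENIGN_EMAIL_HTML = """<html><body>
<svg width="100" height="100"><rect id="r" width="10" height="10"/>
<animate href="#r" attributeName="width" to="50" dur="1s"/></svg>
</body></html>"""

MALICIOUS_EMAIL_HTML = f"""<html><body>
<svg><animate xlink:href="javascript:eval(atob('{_DECOY}'))"
  attributeName="x" to="0" dur="1s"/></svg>
</body></html>"""

# Scheme hidden behind an HTML-encoded tab and mixed case.
OBFUSCATED_EMAIL_HTML = """<html><body>
<svg><animateTransform xlink:href="&#9;JaVaScRiPt:void(0)"
  attributeName="transform"/></svg>
</body></html>"""

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_EMAIL_HTML),
                        ("malicious", MALICIOUS_EMAIL_HTML),
                        ("obfuscated", OBFUSCATED_EMAIL_HTML)]:
        print(label, scan_email_html(body))
```

The scanner works on the parsed attribute value rather than the raw bytes, so entity-encoded or whitespace-padded variants of the `javascript:` scheme are caught the same way a browser would interpret them; the base64 argument is decoded only to give an analyst a preview of the payload and is never executed.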

The JavaScript payload in this instance saves an empty Microsoft Word document (“Road map.docx”) and proceeds to retrieve messages from the mail server using the ManageSieve plugin. Additionally, it presents a deceptive login form to the user in an attempt to trick them into providing their Roundcube credentials.

In its final stage, the captured username and password information is sent to a remote server hosted on Cloudflare.

It remains uncertain who the perpetrators of this exploitation are, although previous vulnerabilities identified in Roundcube have been exploited by various hacking groups, including APT28, Winter Vivern, and TAG-70.

Positive Technologies emphasized, “Despite Roundcube webmail not being the most widely adopted email client, it still attracts hackers due to its extensive use among government agencies. Attacks targeting this software can incur considerable damage, enabling cybercriminals to steal sensitive information.”
