Hackers have leveraged the Roundcube Webmail flaw to target government-owned agencies in the Commonwealth of Independent States (CIS). According to reports, the attack on this territory, which succeeded the former Soviet Union, started in June, although some claimed it occurred last month.
Roundcube, the affected software, is an open-source, PHP-based webmail client that supports plugins to extend its functionality and is widely used by businesses and government institutions.
Researchers explained that the threat actors exploited a medium-severity stored XSS flaw, CVE-2024-37383, to execute malicious JavaScript in the Roundcube page. The attack succeeds if a target simply opens a specially crafted malicious email.
The issue stems from faulty processing of SVG elements in emails, which lets the payload bypass syntax checks and run malicious code on the user’s page.
The Roundcube Webmail flaw thus served as the initial vector for phishing emails that can steal credentials.
According to the investigation, the malicious emails used to infect targets through the Roundcube Webmail flaw have no visible content and carry only a simple .DOC attachment.
Still, the threat actor embedded a hidden payload within the message code, which the flawed client executes but does not show in the message body because of the tags used. The attackers also included a base64-encoded JavaScript payload disguised as an “href” value, which downloads a decoy document from the mail server to distract the recipient.
At the same time, it inserts an unauthorised login form into the HTML page to retrieve messages from the mail server. This form, displayed to the user with blank fields, asks for their username, login, and password for the Roundcube client.
The campaign expects victims to fill in the two fields, either manually or automatically, giving the attackers access to the target’s account credentials. If the targets submit the form, the data is sent to an attacker-controlled server.
The CVE-2024-37383 flaw impacts Roundcube versions before patch 1.5.6, as well as versions 1.6 through 1.6.6. System admins still running the flawed versions should therefore update to the latest patch so their users are protected from this newly discovered threat.
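As an added defender-side illustration (not code from this article or from the Roundcube project), the following Python helper scans a message's HTML for the pattern described above: link-like attributes inside SVG content whose value is a javascript: or non-image data: URI, or a bare base64 blob. The attribute names checked, the blob-length threshold and the sample messages are constructed assumptions for the demo, not the real campaign's markup.

```python
"""Flag e-mail HTML whose SVG content carries a script-bearing href value.

Constructed triage helper for mail-gateway or incident-response use. It walks
the HTML of a message body, tracks whether the parser is inside an <svg>
subtree, and reports any href-like attribute there whose value uses a
javascript: scheme, a non-image data: URI, or a bare base64 blob.
"""
import re
from html.parser import HTMLParser

# Attribute names that act as a link target inside SVG (assumption for the demo).
HREF_ATTRS = {"href", "xlink:href"}
# Runs of base64 alphabet long enough to look like an encoded payload (threshold is an assumption).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def classify_href(value):
    """Return a reason string if an SVG href value looks script-bearing, else None."""
    v = value.strip().lower()
    if v.startswith("javascript:"):
        return "javascript-scheme"
    if v.startswith("data:image/"):
        return None  # inline images are a legitimate use of data: URIs in SVG
    if v.startswith("data:"):
        return "non-image-data-uri"  # data:text/html and similar can smuggle markup
    if B64_BLOB.search(value):
        return "base64-blob"
    return None


class SvgHrefAuditor(HTMLParser):
    """HTMLParser subclass that only inspects attributes inside <svg> subtrees."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []  # list of (tag, attribute, reason)

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth == 0:
            return  # href outside SVG is handled by the normal link sanitiser
        for name, value in attrs:
            if name.lower() in HREF_ATTRS and value is not None:
                reason = classify_href(value)
                if reason:
                    self.findings.append((tag, name, reason))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def audit_html(html):
    """Return all suspicious SVG href findings for one message body."""
    parser = SvgHrefAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Self-closing tags such as `<animate .../>` are handled because HTMLParser routes them through handle_starttag as well.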