Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.
Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries. However, it bears noting that the message was originally sent in June 2024.
“The email appeared to be a message without text, containing only an attached document,” it said in an analysis published earlier this week.
“However, the email client did not display the attachment. The body of the email contained distinctive tags with the statement eval(atob(...)), which decode and execute JavaScript code.”
The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser.
Put differently, a remote attacker could load arbitrary JavaScript code and access sensitive information simply by tricking an email recipient into opening a specially crafted message. The issue has since been resolved in versions 1.5.7 and 1.6.7 as of May 2024.
“By inserting JavaScript code as the value for "href", we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email,” Positive Technologies noted.
The JavaScript payload, in this case, saves the empty Microsoft Word attachment ("Road map.docx"), and then proceeds to retrieve messages from the mail server using the ManageSieve plugin. It also displays a login form in the HTML page shown to the user in a bid to deceive victims into providing their Roundcube credentials.
In the final stage, the captured username and password information is exfiltrated to a remote server ("libcdn[.]org") hosted on Cloudflare.
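The detection side of the chain described above, as an added example that is not Positive Technologies' code or Roundcube's: a small Python scanner that walks a MIME message and flags the indicators the article names (an `eval(atob(...))` decoder in the HTML body, a `javascript:` URI in an SVG `<animate>` attribute, an empty Word attachment, and the reported exfiltration domain), plus a helper that checks a Roundcube version string against the fixed releases 1.5.7 and 1.6.7. The sample email is constructed; the domain match uses the defanged IoC from the article with the brackets removed, and the base64 content in the sample is a harmless `console.log` call rather than any real payload.

```python
import base64
import re
from email import message_from_string
from html.parser import HTMLParser

# Fixed releases named in the article (May 2024): anything older in the same
# branch is treated as vulnerable to CVE-2024-37383.
PATCHED_MINIMUM = {(1, 5): (1, 5, 7), (1, 6): (1, 6, 7)}

# Exfiltration domain reported in the article (defanged there as libcdn[.]org).
KNOWN_EXFIL_DOMAINS = {"libcdn.org"}

# The article describes eval(atob(...)) as the decoder wrapped around the payload.
EVAL_ATOB_RE = re.compile(r"eval\s*\(\s*atob\s*\(", re.IGNORECASE)
JS_URI_RE = re.compile(r"^\s*javascript:", re.IGNORECASE)
# SVG animation elements and the attributes whose value can end up in an href.
ANIMATE_TAGS = {"animate", "set"}
ANIMATE_ATTRS = {"href", "xlink:href", "values", "to", "from", "by"}


class SvgAnimateScanner(HTMLParser):
    """Flags SVG animation elements that point an attribute at a javascript: URI."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in ANIMATE_TAGS:
            return
        for name, value in attrs:
            if value and name.lower() in ANIMATE_ATTRS and JS_URI_RE.match(value):
                self.findings.append(f"<{tag}> attribute {name} carries a javascript: URI")


def scan_html(html):
    """Return a list of human-readable findings for one HTML body."""
    findings = []
    if EVAL_ATOB_RE.search(html):
        findings.append("eval(atob(...)) decoder present in HTML body")
    parser = SvgAnimateScanner()
    parser.feed(html)
    parser.close()
    findings.extend(parser.findings)
    lowered = html.lower()
    for domain in KNOWN_EXFIL_DOMAINS:
        if domain in lowered:
            findings.append(f"reference to reported exfiltration domain {domain}")
    return findings


def scan_message(raw_message):
    """Walk a raw RFC 822 message and collect indicators of the chain described above."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or "<unnamed>"
            if len(payload) == 0:
                # The lure in the article was an empty "Road map.docx".
                findings.append(f"empty attachment {name!r} (0 bytes)")
            continue
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            findings.extend(scan_html(payload.decode(charset, "replace")))
    return {"findings": findings, "suspicious": bool(findings)}


def roundcube_is_patched(version):
    """True when a Roundcube version string is at or above the fixed release of its branch."""
    parts = tuple(int(p) for p in version.split("."))
    minimum = PATCHED_MINIMUM.get(parts[:2])
    if minimum is None:
        # Only the 1.5 and 1.6 fixed releases are named in the article; anything
        # else is unverified here and reported as not confirmed patched.
        return False
    return parts >= minimum


# Constructed sample mirroring the article's description: no text, an empty
# .docx attachment, and an SVG <animate> whose href is a javascript: URI wrapping
# eval(atob(...)). The base64 content is a harmless console.log call.
_ENCODED = base64.b64encode(b"console.log('sample')").decode()
SAMPLE_EMAIL = f"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Road map
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<svg><animate href="javascript:eval(atob('{_ENCODED}'))"></animate></svg>
</body></html>
--b1
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="Road map.docx"
Content-Disposition: attachment; filename="Road map.docx"
Content-Transfer-Encoding: base64

--b1--
"""

if __name__ == "__main__":
    report = scan_message(SAMPLE_EMAIL)
    for line in report["findings"]:
        print("-", line)
    print("suspicious:", report["suspicious"])
    print("1.6.6 patched:", roundcube_is_patched("1.6.6"))
```

Run against a mail store or a gateway quarantine, the scanner is deliberately narrow: it keys on the combination the article reports (decoder, SVG animation attribute, empty lure attachment) rather than on any `javascript:` string, so it is cheap enough to run on every inbound message while still isolating this particular chain for triage. The version helper is for confirming that a Roundcube instance is on 1.5.7/1.6.7 or later before relying on the server-side fix.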
It's currently not clear who's behind the exploitation activity, although prior flaws discovered in Roundcube have been abused by multiple hacking groups such as APT28, Winter Vivern, and TAG-70.
“While Roundcube webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies,” the company said. “Attacks on this software can lead to significant damage, allowing cybercriminals to steal sensitive information.”