A recently patched vulnerability in the open-source Roundcube webmail software is being exploited in a phishing campaign that steals user credentials from organizations running the software, so administrators who have not yet upgraded should treat the fix as urgent.

The cybersecurity firm Positive Technologies reported the discovery of a suspicious email sent to a governmental organization in one of the Commonwealth of Independent States (CIS) countries. Although the email was sent in June 2024, the campaign only came to light later, when the message was linked to the exploitation of a specific security flaw.

The email appeared to be empty: a blank message with an attachment that the mail client did not display. Its HTML body, however, contained obfuscated JavaScript wrapped in “eval(atob(…))”. The atob() call base64-decodes the embedded string and eval() executes the result, so the real payload is hidden from a casual reading of the message source and only appears once the injected script runs in the victim's browser.

According to Positive Technologies, the attack exploits the vulnerability tracked as CVE-2024-37383, a stored cross-site scripting (XSS) flaw with a CVSS score of 6.1. The bug stems from insufficient sanitization of attributes on SVG animate elements in HTML message bodies: a crafted message can smuggle JavaScript past Roundcube's HTML washing and have it run in the victim's browser, inside their authenticated webmail session. An attacker therefore only needs the recipient to open the message to get code running with the same access to Roundcube as the user.
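As an added example (not code from Positive Technologies or the Roundcube project), the following Python triage helper scans an HTML mail body for the two indicators described above: an SVG animation element that retargets a link attribute or carries a javascript: URL, and an eval(atob(…)) loader whose base64 blob it decodes for analysis. The sample messages and the placeholder payload are constructed for this example; they approximate the message shape described in the article and are not the captured email.

```python
import base64
import re
from html.parser import HTMLParser

# SVG animation elements that can rewrite an attribute on another element.
SVG_ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform"}
# Attributes whose rewrite to a javascript: URL is the dangerous outcome.
LINK_ATTRS = {"href", "xlink:href"}
# eval(atob('...')) loader as described in the campaign; group 1 is the base64 blob.
EVAL_ATOB = re.compile(
    r"""eval\s*\(\s*atob\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)""", re.I
)


def decode_atob(b64):
    """Decode the blob the loader would hand to atob(); tolerate missing padding."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def _has_js_url(value):
    # Collapse whitespace so "java\nscript:" or "javascript :" still match.
    return "javascript:" in re.sub(r"\s", "", value).lower()


class AnimateScanner(HTMLParser):
    """Collects SVG animation elements that retarget links, plus inline handlers."""

    def __init__(self):
        super().__init__()
        self.markup = []   # suspicious elements, one dict each
        self.loaders = {}  # base64 blob -> decoded JavaScript

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag in SVG_ANIMATION_TAGS:
            target = attrs.get("attributename", "").lower()
            animated = " ".join(attrs.get(k, "") for k in ("values", "to", "from"))
            if target in LINK_ATTRS or _has_js_url(animated):
                self.markup.append({"tag": tag, "reason": "animation-retargets-link", "attrs": attrs})
        for name, value in attrs.items():
            if name.startswith("on"):
                self.markup.append({"tag": tag, "reason": f"inline-handler:{name}", "attrs": attrs})
            elif name in LINK_ATTRS and _has_js_url(value):
                self.markup.append({"tag": tag, "reason": f"javascript-url:{name}", "attrs": attrs})
            for m in EVAL_ATOB.finditer(value):
                self.loaders.setdefault(m.group(1), decode_atob(m.group(1)))


def scan_mail_body(html):
    """Return a triage verdict for one HTML mail body."""
    scanner = AnimateScanner()
    scanner.feed(html)
    scanner.close()
    # Also scan the raw markup, in case the loader sits in text or a <script>.
    for m in EVAL_ATOB.finditer(html):
        scanner.loaders.setdefault(m.group(1), decode_atob(m.group(1)))
    return {
        "suspicious": bool(scanner.markup or scanner.loaders),
        "markup": scanner.markup,
        "loaders": [{"b64": k, "decoded": v} for k, v in scanner.loaders.items()],
    }


# Constructed placeholder standing in for the campaign's real second-stage script.
PLACEHOLDER_JS = "document.title='decoded loader ran';"
_B64 = base64.b64encode(PLACEHOLDER_JS.encode()).decode()

# Constructed approximation of the message shape the article describes: an
# otherwise empty body whose SVG animate rewrites a link to a javascript: URL.
SAMPLE_MALICIOUS = f"""<html><body>
<svg>
  <a id="x"><rect width="100%" height="100%" fill="white"/></a>
  <animate xlink:href="#x" attributeName="href"
           values="javascript:eval(atob('{_B64}'))" begin="0s"/>
</svg>
</body></html>"""

# Ordinary SVG animation that changes a radius, which must not be flagged.
SAMPLE_BENIGN = """<html><body><p>Quarterly report attached.</p>
<svg><circle r="5"><animate attributeName="r" values="5;10;5" dur="2s"/></circle></svg>
</body></html>"""

if __name__ == "__main__":
    for label, body in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        result = scan_mail_body(body)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for loader in result["loaders"]:
            print("  decoded loader:", loader["decoded"])
```

The scanner deliberately flags any animation element that targets href or xlink:href, not just the exact markup from this campaign, since the same retargeting trick works with set and animateMotion as well; run it over exported message bodies (for example from a mail store or an IMAP dump) rather than over rendered pages, because the whole point of the flaw is that rendering is where the script executes.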

The flaw was fixed in Roundcube versions 1.5.7 and 1.6.7, released in May 2024. Any installation still running an earlier 1.5.x or 1.6.x release remains exploitable by a single crafted message, so upgrading is the only complete remediation.

In MITRE ATT&CK terms the campaign combines Phishing (T1566) for initial access with Exploitation for Client Execution (T1203): the victim only has to open the message, and the stored XSS then runs attacker-controlled JavaScript in the browser, from where it can read and manipulate data in the webmail session. The fake login form described below corresponds to Input Capture via a spoofed web portal (T1056.003).

Once decoded and executed, the payload first saves an innocuous-looking Microsoft Word document as an attachment, then uses Roundcube's ManageSieve plugin (normally used to manage server-side Sieve mail filters) to communicate with the mail server. Finally it injects a fake login form into the already-open webmail page, so a victim who re-enters their credentials believes they are signing back into their own Roundcube account.

Captured usernames and passwords are then sent to a remote server at a domain hosted behind Cloudflare. The threat actors behind this campaign have not been identified, but earlier Roundcube vulnerabilities have been exploited by several groups, including APT28 and Winter Vivern, which makes the software a recurring target.

Although Roundcube has a small user base compared with the major mail clients, its popularity among government organizations makes it an attractive target. A successful attack yields the victim's mailbox credentials and, through them, the contents of official correspondence, with obvious consequences for national security and privacy.

Organizations running Roundcube should confirm they are on 1.5.7, 1.6.7 or later, search stored mail for messages whose HTML bodies contain SVG animate elements or eval(atob(…)) constructs, and reset the credentials of any user who received such a message, since the fake login form means a victim may have handed over a valid password without noticing. Users should also remain alert to unexpected login prompts appearing inside an already authenticated webmail session.