Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.
Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries. However, it bears noting that the message was originally sent in June 2024.
“The email appeared to be a message without text, containing only an attached document,” it said in an analysis published earlier this week.
“However, the email client didn’t show the attachment. The body of the email contained distinctive tags with the statement eval(atob(…)), which decode and execute JavaScript code.”
The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim’s web browser.
Put differently, a remote attacker could load arbitrary JavaScript code and access sensitive information simply by tricking an email recipient into opening a specially crafted message. The issue has since been resolved in versions 1.5.7 and 1.6.7 as of May 2024.
“By inserting JavaScript code as the value for 'href', we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email,” Positive Technologies noted.
The JavaScript payload, in this case, saves the empty Microsoft Word attachment (“Road map.docx”), and then proceeds to obtain messages from the mail server using the ManageSieve plugin. It also displays a login form in the HTML page shown to the user in a bid to deceive victims into providing their Roundcube credentials.
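As an added illustration of how a mail gateway or incident responder could flag messages carrying the two indicators described above (a javascript: URL in an SVG animation element's href, and the eval(atob(...)) idiom), here is a small detection heuristic. It is example code written for this page, not from Positive Technologies or the Roundcube project, and the sample HTML bodies are constructed, not the actual phishing message.

```python
import re
from html.parser import HTMLParser

# Indicators drawn from the analysis: a script-scheme href on an SVG animation
# element, and the eval(atob(...)) decode-and-execute idiom.
EVAL_ATOB = re.compile(r"eval\s*\(\s*atob\s*\(", re.IGNORECASE)
HREF_ATTRS = {"href", "xlink:href"}
SVG_ANIMATION_TAGS = {"animate", "animatemotion", "animatetransform", "set"}


def _normalize(value: str) -> str:
    # Drop whitespace and control characters that browsers ignore when parsing
    # a URL scheme, so an obfuscated "java\tscript:" is still recognised.
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


class _Scanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in HREF_ATTRS and _normalize(value).startswith("javascript:"):
                kind = "svg-animation" if tag in SVG_ANIMATION_TAGS else "element"
                self.findings.append(f"{kind} <{tag}> carries a javascript: href")
            if EVAL_ATOB.search(value):
                self.findings.append(f"<{tag}> attribute {name} contains eval(atob(")

    def handle_data(self, data):
        if EVAL_ATOB.search(data):
            self.findings.append("inline text or script contains eval(atob(")


def scan_html_body(body: str) -> list[str]:
    """Return human-readable indicator hits; an empty list means nothing matched."""
    scanner = _Scanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed samples for the demonstration (assumed shapes, not the real mail).
MALICIOUS_SAMPLE = (
    '<html><body><svg><animate attributeName="x" '
    'href="java\tscript:eval(atob(&quot;PLACEHOLDER&quot;))"/></svg></body></html>'
)
BENIGN_SAMPLE = '<html><body><a href="https://example.org/roadmap">Road map</a></body></html>'
```

A heuristic like this belongs alongside, not instead of, patching to 1.5.7/1.6.7, since attribute-level obfuscation beyond the whitespace case handled here is possible.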
In the final stage, the captured username and password information is exfiltrated to a remote server (“libcdn[.]org”) hosted on Cloudflare.
It is currently not clear who is behind the exploitation activity, although prior flaws discovered in Roundcube have been abused by multiple hacking groups such as APT28, Winter Vivern, and TAG-70.
“While Roundcube webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies,” the company said. “Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information.”