Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.

Key Takeaways

• A stored cross-site scripting (XSS) vulnerability in Roundcube was exploited.

• The vulnerability, identified as CVE-2024-37383, has a CVSS score of 6.1.

• Attackers used a malicious email to execute JavaScript and steal login credentials.

• The issue has been patched in versions 1.5.7 and 1.6.7.

Russian cybersecurity company Positive Technologies reported that the attack was aimed at a governmental organization in a Commonwealth of Independent States (CIS) country. The phishing email, sent in June 2024, contained an attachment that was not visible in the email client, but included JavaScript code designed to execute when the email was opened.

The Attack Chain

The attack exploited a vulnerability that allowed attackers to execute arbitrary JavaScript in the victim's web browser. Here’s how the attack unfolded:

1. Malicious Email: The email appeared to be empty but contained hidden JavaScript code.

2. JavaScript Execution: The code executed when the email was opened, allowing the attacker to load arbitrary JavaScript.

3. Credential Theft: The JavaScript saved a fake Microsoft Word attachment and displayed a login form to capture user credentials.

4. Data Exfiltration: Captured credentials were sent to a remote server hosted on Cloudflare.

Vulnerability Details

The vulnerability, CVE-2024-37383, is a stored XSS flaw that allows attackers to execute JavaScript via SVG animate attributes. This means that by simply opening a malicious email, users could unknowingly expose sensitive information.

• CVSS Score: 6.1

• Affected Versions: Prior to 1.5.7 and 1.6.7

• Attack Vector: Malicious emails with hidden JavaScript

Implications for Users

While Roundcube may not be the most widely used email client, it is particularly vulnerable due to its adoption by government agencies. The exploitation of this vulnerability could lead to significant data breaches, allowing cybercriminals to access sensitive information.

The recent exploitation of the Roundcube webmail XSS vulnerability highlights the ongoing risks associated with email security. Users are urged to update their software to the latest versions to mitigate potential threats. Cybersecurity remains a critical concern, especially for organizations handling sensitive data.

As cyber threats continue to evolve, it's more important than ever to protect your business from potential vulnerabilities. At BetterWorld Technology, we're committed to staying ahead of these challenges and ensuring your systems are secure. Don’t wait until it's too late—schedule a consultation with BetterWorld Technology today and let our team of experts help safeguard your business.

Sources

• Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials, The Hacker News.