Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.
Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries. However, it bears noting that the message was originally sent in June 2024.
“The email appeared to be a message without text, containing only an attached document,” it said in an analysis published earlier this week.
“However, the email client did not display the attachment. The body of the email contained distinctive tags with the statement eval(atob(…)), which decode and execute JavaScript code.”
The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser.
Put differently, a remote attacker could load arbitrary JavaScript code and access sensitive information simply by tricking an email recipient into opening a specially crafted message. The issue has since been addressed in versions 1.5.7 and 1.6.7 as of May 2024.
“By inserting JavaScript code as the value for “href”, we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email,” Positive Technologies noted.
The JavaScript payload, in this case, saves the empty Microsoft Word attachment (“Road map.docx”), and then proceeds to obtain messages from the mail server using the ManageSieve plugin. It also displays a login form in the HTML page shown to the user in a bid to deceive victims into providing their Roundcube credentials.
In the final stage, the captured username and password information is exfiltrated to a remote server (“libcdn[.]org”) hosted on Cloudflare.
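As an added example (not code from Positive Technologies' report or from the Roundcube project), a defender-side scanner that flags the two indicators described above in an HTML mail body: an SVG animation element whose href carries a javascript: scheme, and an eval(atob(...)) decoder stub. The sample bodies are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample mail bodies (not taken from the incident), keyed by what they show.
SAMPLES = {
    "benign": '<svg><rect id="r"/><animate href="#r" attributeName="x" to="10"/></svg>',
    "animate_href": '<svg><animate href="javascript:void(0)" attributeName="href"/></svg>',
    "eval_atob": "<p>eval(atob('aGVsbG8='))</p>",
}

EVAL_ATOB = re.compile(r"eval\s*\(\s*atob\s*\(", re.IGNORECASE)
# SVG elements that take an href target, which is where CVE-2024-37383 lived.
ANIMATION_TAGS = {"animate", "animatemotion", "animatetransform", "set"}


class SvgAnimateScanner(HTMLParser):
    """Collects SVG animation elements whose href resolves to a javascript: scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ANIMATION_TAGS:
            return
        for name, value in attrs:
            if name in ("href", "xlink:href") and value:
                # HTMLParser already resolves entity references in attribute values;
                # browsers also ignore whitespace/control characters inside the scheme,
                # so strip them before comparing, to defeat simple obfuscation.
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith("javascript:"):
                    self.findings.append(f"{tag}[{name}] uses javascript: scheme")


def scan_body(body):
    """Return a list of findings for one HTML mail body (empty list means nothing flagged)."""
    parser = SvgAnimateScanner()
    parser.feed(body)
    parser.close()
    findings = list(parser.findings)
    # Decode entities first so an entity-encoded "eval(" in text does not slip past.
    if EVAL_ATOB.search(html.unescape(body)):
        findings.append("eval(atob(...)) decoder stub present")
    return findings


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, scan_body(sample) or "clean")
```

Run it against raw MIME HTML parts at the gateway or over a mailbox export; a hit is a triage signal, not proof of exploitation, since the patched Roundcube versions neutralize the attribute before rendering.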
It's currently not clear who is behind the exploitation activity, although prior flaws discovered in Roundcube have been abused by multiple hacking groups such as APT28, Winter Vivern, and TAG-70.
“While Roundcube webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies,” the company said. “Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information.”