Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.
Russian cybersecurity company Positive Technologies said it discovered last month that an email had been sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries. It bears noting, however, that the message was originally sent in June 2024.
"The email appeared to be a message without text, containing only an attached document," it said in an analysis published earlier this week.
"However, the email client did not display the attachment. The body of the email contained distinctive tags with the statement eval(atob(...)), which decode and execute JavaScript code."
The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows execution of arbitrary JavaScript in the context of the victim's web browser.
Put differently, a remote attacker could load arbitrary JavaScript code and access sensitive information simply by tricking an email recipient into opening a specially crafted message; no click on a link or attachment is required beyond viewing the mail. The issue was fixed in versions 1.5.7 and 1.6.7, released in May 2024, so any 1.5.x or 1.6.x deployment below those releases should be treated as exposed.
"By inserting JavaScript code as the value for 'href', we can execute it on the Roundcube page whenever a Roundcube user opens a malicious email," Positive Technologies noted.
The JavaScript payload, in this case, saves the empty Microsoft Word attachment ("Road map.docx") and then proceeds to retrieve messages from the mail server using the ManageSieve plugin. It also displays a login form in the HTML page shown to the user in a bid to deceive victims into providing their Roundcube credentials.
In the final stage, the captured username and password are exfiltrated to a remote server ("libcdn[.]org") hosted on Cloudflare.
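The pattern described above (an SVG animation element that pushes a `javascript:` URL into an `href`, with the real payload hidden behind `eval(atob(...))`) is something a mail gateway or SOC can look for before the message ever reaches a webmail client. The following is an added example written for this page; it is not code from Positive Technologies or from the Roundcube project. It assumes a generic HTML-mail scanner: the `SvgXssScanner`, `scan_html_body`, `decode_eval_atob` and `roundcube_is_patched` names are this example's own, the set of animation elements it treats as suspicious is a heuristic choice rather than a statement of which element Roundcube mishandled, and the sample message bodies are constructed for the demo, not the campaign's actual payload.

```python
"""Heuristic scanner for the Roundcube-style SVG/eval(atob) XSS pattern (added example)."""
import base64
import re
from html.parser import HTMLParser

# Matches the eval(atob('...')) wrapper described in the analysis and captures the base64 blob.
EVAL_ATOB = re.compile(r"eval\s*\(\s*atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
HREF_ATTRS = {"href", "xlink:href"}
# SMIL animation elements that can rewrite another element's attribute at render time.
# Flagging all three is an assumption of this example (a conservative heuristic).
ANIMATE_TAGS = {"animate", "set", "animatemotion"}


class SvgXssScanner(HTMLParser):
    """Collects (tag, attribute, value) triples for two conditions:
    1. an animation element whose attributeName targets href and whose animated
       value contains a javascript: URL;
    2. any element whose href/xlink:href is already a javascript: URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag in ANIMATE_TAGS and attrs.get("attributename", "").lower() in HREF_ATTRS:
            for key in ("values", "to", "from", "by"):
                if "javascript:" in attrs.get(key, "").lower():
                    self.findings.append((tag, key, attrs[key]))
        for key in HREF_ATTRS:
            if attrs.get(key, "").lstrip().lower().startswith("javascript:"):
                self.findings.append((tag, key, attrs[key]))


def scan_html_body(body: str):
    """Return every suspicious (tag, attribute, value) found in an HTML mail body."""
    scanner = SvgXssScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def decode_eval_atob(text: str):
    """Decode each eval(atob('...')) wrapper; None marks a blob that is not valid base64."""
    decoded = []
    for match in EVAL_ATOB.finditer(text):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
            decoded.append(raw.decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append(None)
    return decoded


def roundcube_is_patched(version: str) -> bool:
    """True if the version is at or past the fix releases the article names (1.5.7, 1.6.7).
    Branches below 1.5 are treated as unpatched; that is this example's conservative assumption."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    if parts[:2] == (1, 5):
        return parts >= (1, 5, 7)
    if parts[:2] == (1, 6):
        return parts >= (1, 6, 7)
    return parts >= (1, 7)


# Constructed sample bodies for this example, NOT the campaign's real payload.
SAMPLE_INNER_JS = "document.body.innerHTML = '<form id=\"login\">';"
SAMPLE_B64 = base64.b64encode(SAMPLE_INNER_JS.encode()).decode()
SAMPLE_BODY = (
    "<html><body><p></p>"
    '<svg xmlns="http://www.w3.org/2000/svg"><a href="#">'
    f"<animate attributeName=\"href\" values=\"javascript:eval(atob('{SAMPLE_B64}'))\"/>"
    "<text>Road map.docx</text></a></svg></body></html>"
)
BENIGN_BODY = '<p>Hello</p><a href="https://example.com/report">report</a>'


if __name__ == "__main__":
    for tag, attr, value in scan_html_body(SAMPLE_BODY):
        print(f"suspicious <{tag} {attr}=...>: {value[:60]}")
    for js in decode_eval_atob(SAMPLE_BODY):
        print("decoded payload:", js)
    print("1.6.6 patched?", roundcube_is_patched("1.6.6"))
```

In a mail pipeline the decoded payload is where the value is: the base64 blob itself is opaque to signature matching, while the decoded JavaScript exposes the login-form injection or ManageSieve calls the analysis describes. The version check is only a triage aid; the authoritative step is to confirm the running Roundcube build against the 1.5.7 / 1.6.7 fix releases.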
It's currently not clear who is behind the exploitation activity, although prior flaws discovered in Roundcube have been abused by multiple hacking groups such as APT28, Winter Vivern, and TAG-70.
"While Roundcube webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies," the company said. "Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information."