Hackers Target Roundcube Webmail Vulnerability to Steal User Credentials
Researchers uncover a phishing campaign exploiting a patched XSS vulnerability in Roundcube webmail to steal user credentials. Cybersecurity firm Positive Technologies links the attack to unknown hackers targeting government agencies, emphasizing the significance of protecting sensitive information in email communications.
Cybersecurity researchers have identified an ongoing phishing campaign that exploits a recently patched security vulnerability in the open-source Roundcube webmail software. The attack aims to steal user login credentials and has been linked to unknown threat actors.
Positive Technologies, a Russian cybersecurity firm, said it discovered the malicious activity last month: an email sent to an undisclosed government organization in a Commonwealth of Independent States (CIS) country. Although the attack was only detected then, the email itself had been sent in June 2024.
The email appeared to contain no text, only an attachment that the mail client did not display. Its HTML body, however, contained tags carrying the snippet eval(atob(...)): atob() base64-decodes a string and eval() runs the result as JavaScript, so the real payload stays opaque in the raw message until it executes in the victim's browser. This is how the attackers triggered a stored cross-site scripting (XSS) vulnerability tracked as CVE-2024-37383 (CVSS score 6.1).
The vulnerability stems from insufficient sanitization of SVG animate attributes in Roundcube's handling of HTML email. A remote attacker who convinces a recipient to open a specially crafted message in the webmail client gets arbitrary JavaScript executed in the victim's browser, in the context of the victim's Roundcube session, and can use it to access sensitive information. The flaw affects Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7; the fixed releases shipped in May 2024, so installations still on an older version remain exposed to this campaign.
Positive Technologies outlined several actions the malicious JavaScript payload performs. First, it saves an empty Microsoft Word document named "Road map.docx," apparently as a decoy. Next, it retrieves messages from the mail server through the ManageSieve plugin. The script also injects a fake login form into the Roundcube page displayed to the user, tricking them into re-entering their Roundcube credentials.
Captured usernames and passwords are then sent to a remote server hosted on Cloudflare under the domain "libcdn[.]org."
The identity of the hackers behind this exploitation remains unclear. However, past vulnerabilities in Roundcube have been exploited by various hacking groups, including APT28, Winter Vivern, and TAG-70.
Roundcube is not the most widely deployed webmail client, but it remains a recurring target precisely because government agencies run it. A successful attack on the platform gives the intruder the victim's mailbox and credentials, and with them access to sensitive correspondence that can cause significant damage to the organization.