Unknown threat actors have been observed trying to exploit a recently patched security flaw in the open-source Roundcube webmail software. This attack is part of a phishing campaign designed to steal user credentials.
Russian cybersecurity company Positive Technologies disclosed that in June 2024, an email was sent to an unspecified governmental organization in one of the Commonwealth of Independent States (CIS) countries. The email, however, went unnoticed until it was discovered during an analysis last month.
“The email appeared to be a message without any text, containing only an attached document,” Positive Technologies noted in their analysis, published last week.
“However, the email client didn't display the attachment. Instead, the body of the email contained distinctive tags with the statement eval(atob(...)), which is used to decode and execute JavaScript code.”
The attack chain aimed to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability in Roundcube's handling of SVG animate attributes, which allows arbitrary JavaScript to run in the victim's web browser when the message is rendered.
In simple terms, a remote attacker could inject malicious JavaScript and steal sensitive information simply by getting the recipient to open a specially crafted message; because the payload lives in the stored message itself, it runs every time the mail is opened in an unpatched client. The flaw was fixed in Roundcube versions 1.5.7 and 1.6.7, released in May 2024.
Roundcube Webmail XSS Vulnerability
“By embedding JavaScript code in the 'href' value, we can execute it whenever a Roundcube client opens a malicious email,” Positive Technologies explained.
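The check a mail-gateway or SOC engineer would want for this pattern, written here as an added example that is not from the page, from Roundcube, or from Positive Technologies: it scans an HTML body for SVG animation elements (`animate`, `set` and friends) whose value attributes try to write a `javascript:` URI into the attribute they target (such as `href`), and decodes any `eval(atob('...'))` wrapper it finds so the analyst sees the plaintext payload. The sample message and its payload are constructed for the demo (the real message's markup is not reproduced on this page), and the attribute list and regexes are this example's own choices, not Roundcube's sanitiser rules.

```javascript
// Added example, not Roundcube's or Positive Technologies' code.
// Scans an email's HTML body for the SVG-animation XSS pattern described for
// CVE-2024-37383 and decodes eval(atob(...)) payloads. Runs under Node (uses Buffer).

// SVG animation elements that can rewrite an attribute on their target element.
const ANIM_TAG_RE = /<(animate|set|animateMotion|animateTransform)\b([^>]*)>/gi;
// name="..." | name='...' | name=bare
const ATTR_RE = /([\w:.-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
// Attributes an animation element uses to supply the value it writes (assumption: this
// list is the example's own, chosen to cover the SMIL value attributes).
const VALUE_ATTRS = ["values", "to", "from", "by"];

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Undo the HTML entity encodings an attacker might use to hide "javascript:".
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Browsers ignore whitespace and control characters inside a URL scheme
// ("java\nscript:" still runs), so strip them before checking the prefix.
function isScriptUri(v) {
  return /^javascript:/i.test(v.replace(/[\s\u0000-\u001f]/g, ""));
}

// Pull every atob('<base64>') argument out of a JS snippet and decode it.
function decodeAtobCalls(js) {
  const out = [];
  for (const m of js.matchAll(/atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g)) {
    out.push(Buffer.from(m[1], "base64").toString("utf8"));
  }
  return out;
}

// Returns one finding per animation frame that resolves to a javascript: URI.
function scanEmailHtml(html) {
  const findings = [];
  for (const m of html.matchAll(ANIM_TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const target = (attrs.attributename || "").toLowerCase();
    for (const name of VALUE_ATTRS) {
      if (!(name in attrs)) continue;
      // "values" is a ;-separated keyframe list; any single frame can be the URI.
      for (const frame of decodeEntities(attrs[name]).split(";")) {
        const uri = frame.trim();
        if (isScriptUri(uri)) {
          findings.push({ tag, target, attr: name, uri, decoded: decodeAtobCalls(uri) });
        }
      }
    }
  }
  return findings;
}

// Constructed sample message: an otherwise empty body with the payload hidden in an
// SVG <animate> that rewrites an anchor's href. The payload is a harmless stand-in.
const PAYLOAD_JS = 'document.title="xss-demo"';
const SAMPLE_EMAIL_HTML = `
<html><body>
<p></p>
<svg xmlns="http://www.w3.org/2000/svg"><a>
  <animate attributeName="href" values="javascript:eval(atob('${Buffer.from(PAYLOAD_JS).toString("base64")}'))" />
  <text x="20" y="35">Open attachment</text>
</a></svg>
</body></html>`;

console.log(JSON.stringify(scanEmailHtml(SAMPLE_EMAIL_HTML), null, 2));
```

On the constructed sample the scanner reports one finding on the `animate` element targeting `href`, with the decoded `atob` argument showing the plaintext script; a benign `<animate attributeName="x" values="0;10"/>` produces nothing. It is a triage aid for analysing quarantined mail, not a replacement for the server-side fix: the defence for Roundcube users is upgrading to 1.5.7 / 1.6.7 or later.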
The JavaScript payload in this case saves an empty Microsoft Word attachment named “Road map.docx” and then retrieves messages from the mail server through the ManageSieve plugin. It also injects a fake login form into the page to trick the user into re-entering their Roundcube credentials.
In the final stage, the captured username and password are sent to a remote server, “libcdn[.]org,” hosted by Cloudflare.
It is currently unknown who is behind this exploitation attempt. However, previous vulnerabilities in Roundcube have been used by various hacking groups, including APT28, Winter Vivern, and TAG-70.
While Roundcube may not be the most popular email client, it is still a prime target for cyberattacks due to its widespread use by government agencies. According to Positive Technologies, “Attacks on this software can result in significant damage, as cybercriminals can steal sensitive information.”
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067