
Ethical Hacking News

Hackers Exploit Vulnerability in Open-Source Roundcube Webmail Software to Steal Login Credentials


  • Roundcube, an open-source web-based email client, has been targeted by hackers due to its popularity.
  • A recent email campaign exploited a now-patched security flaw in Roundcube software, using a stored cross-site scripting (XSS) vulnerability.
  • The exploit allows execution of arbitrary JavaScript code and access to sensitive information by tricking an email recipient into opening a malicious message.
  • The issue has been resolved in versions 1.5.7 and 1.6.7, but highlights the vulnerability of open-source software to exploitation.
  • The attack could result in significant damage by stealing sensitive information.



Roundcube, an open-source web-based email client widely used by government agencies and organizations worldwide, has been targeted by hackers due to its popularity. According to a recent report by Positive Technologies, a Russian cybersecurity firm, an email campaign was sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries, exploiting a now-patched security flaw in Roundcube webmail software.

The email, which was originally sent in June 2024 but discovered by Positive Technologies last month, contained no text and only an attached document. However, when opened, the email body displayed distinctive tags with the statement eval(atob(...)), which decode and execute JavaScript code. This exploit takes advantage of a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser.

A remote attacker could load arbitrary JavaScript code and access sensitive information by tricking an email recipient into opening a specially-crafted message. The issue has since been resolved in versions 1.5.7 and 1.6.7 as of May 2024, but it highlights the vulnerability of open-source software to exploitation.

"By inserting JavaScript code as the value for 'href'," said Positive Technologies, "we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email." The JavaScript payload in this case saves an empty Microsoft Word attachment ("Road map.docx") and then proceeds to obtain messages from the mail server using the ManageSieve plugin. It also displays a login form in the HTML page displayed to the user, aiming to deceive victims into providing their Roundcube credentials.

In the final stage of the attack, the captured username and password information is exfiltrated to a remote server ("libcdn[.]org") hosted on Cloudflare. The company noted that while Roundcube webmail may not be the most widely used email client, it remains a target for hackers due to its prevalence among government agencies.

"Attacks on this software can result in significant damage," said Positive Technologies, "allowing cybercriminals to steal sensitive information." Prior flaws discovered in Roundcube have been abused by multiple hacking groups such as APT28, Winter Vivern, and TAG-70. The company emphasized the importance of keeping software up-to-date with security patches.

While it is currently unclear who is behind the exploitation activity, the incident serves as a reminder to organizations using open-source software to regularly check for updates and implement robust security measures against potential vulnerabilities.
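As an added defensive example (not code from the article, Positive Technologies, or the Roundcube project), the stdlib-only Python scanner below is the kind of check a mail gateway or SOC could run over HTML message bodies to flag the two indicators the write-up names: an SVG animation element that rewrites href to a javascript: URI, and the eval(atob(...)) decoder stub. The sample messages are constructed for illustration; the encoded payload in the suspicious one is merely alert(1).

```python
import re
from html.parser import HTMLParser

# Indicators from the attack described above: SMIL animation of href to a javascript: URI, and eval(atob(
JS_URI = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)
EVAL_ATOB = re.compile(r"eval\s*\(\s*atob\s*\(", re.IGNORECASE)
ANIMATE_TAGS = {"animate", "set", "animatemotion", "animatetransform"}
HREF_ATTRS = {"href", "xlink:href"}


class SvgAnimateScanner(HTMLParser):
    """Walks an HTML mail body and records suspicious SVG/script constructs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; valueless attributes arrive as None
        attrs = {name: (value or "") for name, value in attrs}
        # Any attribute anywhere carrying the eval(atob( decoder is suspicious on its own
        for name, value in attrs.items():
            if EVAL_ATOB.search(value):
                self.findings.append(f"<{tag}> attribute {name} contains eval(atob(")
        # SMIL animation targeting href: inspect every animated value for a javascript: URI
        if tag in ANIMATE_TAGS and attrs.get("attributename", "").lower() in HREF_ATTRS:
            candidates = attrs.get("values", "").split(";") + [attrs.get("to", ""), attrs.get("from", "")]
            if any(JS_URI.search(v) for v in candidates):
                self.findings.append(f"<{tag}> animates href to a javascript: URI")

    def handle_data(self, data):
        if EVAL_ATOB.search(data):
            self.findings.append("text node contains eval(atob(")


def scan_email_html(body):
    """Return a list of human-readable findings for one HTML body; empty means nothing flagged."""
    scanner = SvgAnimateScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed samples (not from the campaign): a harmless message and one mimicking the vector
BENIGN_SAMPLE = '<html><body><p>Quarterly report attached.</p><svg><circle r="4"/></svg></body></html>'
SUSPICIOUS_SAMPLE = (
    '<html><body><p></p><svg><a>'
    '<animate attributeName="href" values="javascript:eval(atob(\'YWxlcnQoMSk=\'))"/>'
    '<text>open</text></a></svg></body></html>'
)
```

Calling `scan_email_html(SUSPICIOUS_SAMPLE)` yields two findings (the eval(atob( attribute and the animated javascript: href), while the benign sample yields none.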

    Related Information:

  • https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html


  • Published: Sun Oct 20 04:20:46 2024 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.