Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

October 20, 2024 at 04:48AM

Unknown threat actors exploited a patched vulnerability in Roundcube webmail to execute phishing attacks aimed at stealing user credentials. Discovered by Positive Technologies, the attack involved sending a deceptive email containing JavaScript code, targeting specific government organizations. Roundcube has since resolved the issue, but the potential for significant damage remains.

### Meeting Takeaways – October 20, 2024

**Topic:** Vulnerability / Email Security

1. **Recent Threat Activity:**
– Unknown threat actors are exploiting a recently patched vulnerability in Roundcube webmail software as part of a phishing attack aimed at stealing user credentials.

2. **Discovery by Positive Technologies:**
– A phishing email was identified, sent to an unspecified governmental organization in a CIS country, with the original message dated June 2024.

3. **Technical Analysis of the Attack:**
– The email contained no text but had an attached document that was not visible in the email client.
– It used a JavaScript code snippet within the email body to exploit the vulnerability CVE-2024-37383 (CVSS score: 6.1), a stored XSS vulnerability that allows malicious code execution.

4. **Vulnerability Details:**
– The vulnerability could allow remote attackers to load arbitrary JavaScript code and access sensitive information by deceiving users into opening the crafted email.
– This issue has been resolved in Roundcube versions 1.5.7 and 1.6.7, released in May 2024.

5. **Method of Exploitation:**
– The attack placed JavaScript in the value of an `href` attribute inside the email body, so the code ran as soon as the message was opened in the vulnerable webmail client.
– The payload saved an empty Microsoft Word attachment, collected sensitive information from the mailbox, and displayed a deceptive login form to capture user credentials.

6. **Data Exfiltration:**
– Captured credentials are sent to a remote server (“libcdn[.]org”) hosted on Cloudflare.
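Items 5 and 6 describe the two indicators a mail gateway or mailbox audit can check for without knowing the specific exploit: a URL-bearing attribute (`href`, `src`, `action`) whose scheme is script-capable, and an HTML form that posts to a host outside the organization. The following Python script is an added example written for this summary; it is not code from the article, from Positive Technologies or from the Roundcube project. The sample email bodies, the trusted host `mail.example.org` and the collector host `collector.example` are constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email bodies for the demonstration (not real phishing content).
SAMPLE_BODIES = {
    "benign": '<p>Hello,</p><a href="https://example.com/report">quarterly report</a>',
    "js_href": '<a href="javascript:alert(1)">open document</a>',
    # Mixed case, leading space and an entity-encoded colon: browsers still
    # treat this as a javascript: URL, so a naive startswith() check would miss it.
    "js_href_obfuscated": '<a href=" JaVaScRiPt&#58;void(0)">open document</a>',
    "external_form": '<form action="https://collector.example/login" method="post">'
                     '<input name="pw"></form>',
    "internal_form": '<form action="https://mail.example.org/login" method="post">'
                     '<input name="pw"></form>',
}

# Browsers drop ASCII control characters and whitespace when parsing a scheme.
CONTROL_WS = re.compile(r"[\x00-\x20]")
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


def normalise_url(value):
    """Decode entities, strip control/whitespace characters, lower-case.

    This mirrors how a browser canonicalises the scheme before dispatching it,
    so obfuscated variants collapse to the same string as the plain form.
    """
    decoded = html.unescape(value or "")
    return CONTROL_WS.sub("", decoded).lower()


class EmailHtmlAuditor(HTMLParser):
    """Collects (tag, attribute, reason) findings from an HTML email body."""

    def __init__(self, trusted_hosts=()):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            name = name.lower()
            # Inline event handlers (onload, onerror, ...) are never legitimate in mail.
            if name.startswith("on"):
                self.findings.append((tag, name, "inline event handler"))
                continue
            if name not in URL_ATTRS:
                continue
            url = normalise_url(value)
            if url.startswith(SCRIPT_SCHEMES):
                scheme = url.split(":", 1)[0]
                self.findings.append((tag, name, f"script-capable scheme: {scheme}"))
            elif tag == "form" and name == "action":
                # A login-looking form that submits anywhere but our own webmail
                # host is the credential-harvesting pattern from item 6.
                host = urlparse(url).hostname or ""
                if host and host not in self.trusted_hosts:
                    self.findings.append((tag, name, f"form posts to external host: {host}"))


def audit_email_html(body, trusted_hosts=("mail.example.org",)):
    """Return the list of findings for one HTML email body."""
    auditor = EmailHtmlAuditor(trusted_hosts)
    auditor.feed(body)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, "->", audit_email_html(body) or "clean")
```

The auditor deliberately flags the scheme rather than any particular payload, so it does not depend on the exact Roundcube bug; a mail filter that already strips `javascript:` URLs and inline handlers from rendered HTML removes the entry point for this class of attack regardless of which sanitizer bypass is used.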

7. **Ongoing Threat Landscape:**
– The identity of the threat actors remains unknown, but previous vulnerabilities in Roundcube have been exploited by various hacking groups (e.g., APT28, Winter Vivern, TAG-70).
– Although Roundcube is less widely used than other webmail clients, it is targeted because government agencies run it, so a successful compromise can lead to a significant data breach.

8. **Call to Action:**
– Emphasizes the need for vigilance and awareness regarding the security of webmail services, especially in governmental contexts.
