October 21, 2024 at 05:20PM
Threat actors exploited CVE-2024-37383, a stored XSS vulnerability in Roundcube Webmail, targeting CIS government organizations. This medium-severity flaw allows malicious JavaScript execution via crafted emails to steal credentials. System administrators are urged to update to version 1.6.9, as earlier versions remain vulnerable to attacks.
### Meeting Takeaways
1. **Threat Overview**:
– A vulnerability (CVE-2024-37383) in the Roundcube Webmail client is being exploited by threat actors to target government organizations in the CIS region.
– Attack activity was identified starting in June 2024 and reported by Positive Technologies in September 2024.
2. **Vulnerability Details**:
– The exploit is a medium-severity stored XSS (cross-site scripting) vulnerability that allows malicious JavaScript code execution via specially crafted emails.
– The issue arises from improper processing of SVG elements in emails, bypassing standard security checks.
3. **Attack Methodology**:
– Emails sent to targets appear empty but contain a base64-encoded JavaScript payload disguised within a .DOC attachment.
– This payload downloads a decoy document while injecting an unauthorized login form into the Roundcube interface, tricking users into providing their login credentials.
– Captured credentials are sent to a remote server hosted on Cloudflare and identified as “libcdn[.]org.”
4. **Data Exfiltration**:
– Attackers utilize the ManageSieve plugin to exfiltrate messages from compromised mail servers.
5. **Mitigation Recommendations**:
– Versions of Roundcube prior to 1.5.6 and 1.6 to 1.6.6 are susceptible to this vulnerability. Administrators should update to at least version 1.5.7 or 1.6.7, with 1.6.9 being the latest recommendation (released September 1, 2024).
6. **Context of Roundcube Exploits**:
– The open-source nature of Roundcube makes it a frequent target for hackers, especially due to its use in significant organizations.
– Previous warnings and exploits include targeting CVE-2023-43770 and CVE-2023-5631, indicating a pattern of vulnerabilities being exploited by various threat actor groups, including Russian hackers.
7. **Action Items**:
– Review and assess current Roundcube Webmail versions being used across all departments.
– Implement necessary updates to ensure security against identified vulnerabilities.
– Raise awareness among users about potential phishing attempts and the importance of verifying email content.
### Next Steps:
– Schedule a follow-up meeting to discuss the implementation of security updates and user training on phishing awareness.