Unknown threat actors have been seen trying to use a security hole in the open-source Roundcube webmail program that has been patched as part of a phishing attempt to obtain user passwords.
Positive Technologies, a Russian cybersecurity business, reported that it found out last month that an email was sent to an unidentified official agency in one of the Commonwealth of Independent States (CIS) nations. It’s important to remember, though, that the message was sent in June 2024.
“The email appeared to be a message without text, containing only an attached document,” it said in an analysis published earlier this week.
“However, the email client didn’t show the attachment. The body of the email contained distinctive tags with the statement eval(atob(…)), which decode and execute JavaScript code.”
According to Positive Technologies, the attack chain is an effort to take advantage of CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animation elements that permits the execution of any JavaScript within the victim’s web browser context.
In other words, by deceiving an email recipient into opening a specially crafted message, a remote attacker might load arbitrary JavaScript code and obtain private data. As of May 2024, the problem has been fixed in versions 1.5.7 and 1.6.7.
“By inserting JavaScript code as the value for “href”, we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email,” Positive Technologies noted.
In this instance, the JavaScript payload saves the blank Microsoft Word document (“Road map.docx”) before utilizing the ManageSieve plugin to retrieve messages from the mail server. Additionally, it attempts to trick victims into entering their Roundcube login credentials by including a login form on the HTML page that is shown to the user.
The last step is exfiltrating the login and password data to a remote server (“libcdn[.]org”) that is hosted on Cloudflare.
Although the source of the exploitation activity is presently unknown, several cyber groups, including APT28, Winter Vivern, and TAG-70, have exploited previous Roundcube vulnerabilities.
“While Roundcube webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies,” the company said. “Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information.”
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.