Hackers Exploiting Roundcube XSS Vulnerability To Steal Login Credentials


Security researchers have uncovered a new phishing campaign targeting users of the popular open-source Roundcube webmail software.

Unknown threat actors are exploiting a now-patched cross-site scripting (XSS) vulnerability to steal login credentials from unsuspecting victims. The vulnerability, tracked as CVE-2024-37383, affects Roundcube versions prior to 1.5.7 and 1.6.x versions before 1.6.7.


The flaw sits in Roundcube's HTML sanitizer: it failed to neutralise certain attributes of the SVG animate element, so an attacker can send a specially crafted HTML email and have arbitrary JavaScript execute in the victim's browser as soon as the message is rendered.

Researchers from Positive Technologies discovered the attack in September 2024 when analyzing an email sent to a governmental organization in a Commonwealth of Independent States (CIS) country.

The email, which was originally sent in June 2024, appeared empty but contained hidden malicious code. The attackers exploited the vulnerability by placing a javascript: URL carrying their payload in the "href" attribute of SVG animate tags.


When a victim opens the malicious email in a vulnerable Roundcube client, the injected code executes in the origin of the webmail application and inside the victim's authenticated session, so it can call the same backend endpoints the user can and rewrite the page the user is looking at.

The malicious payload performs several actions:

  1. Saves an empty Word document named "Road map.docx"
  2. Attempts to retrieve messages from the mail server using the ManageSieve plugin
  3. Injects a fake login form into the Roundcube interface to capture user credentials
  4. Exfiltrates the stolen username and password to an attacker-controlled server (libcdn.org)

This attack demonstrates how a seemingly innocuous email can pose a significant threat to an unpatched system: no attachment has to be opened and no link clicked, rendering the message is enough.

The Roundcube vulnerability was patched in May 2024, but many organizations may still be running vulnerable versions.

While the identity of the threat actors behind this campaign remains unknown, various hacking groups, including APT28 and Winter Vivern (tracked by Recorded Future as TAG-70), have exploited previous Roundcube vulnerabilities. Government agencies are particularly attractive targets due to their frequent use of Roundcube.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37383 to its Known Exploited Vulnerabilities Catalog, warning that such flaws are common attack vectors for malicious actors.

CISA has ordered U.S. federal agencies to patch affected Roundcube servers by November 14, 2024. Security experts strongly advise all Roundcube users to update to the patched versions (1.5.7 or 1.6.7) or later immediately.
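Because the affected range spans two release branches, a quick inventory helper is useful when checking a fleet. The following is an added example, not code from the article or from the Roundcube project: it reads the RCMAIL_VERSION constant that Roundcube defines in program/include/iniset.php and applies the advisory's range (anything before 1.5.7, and 1.6.x before 1.6.7). The sample iniset.php content is constructed; the define line follows the real file's format, but a deployment with a vendor-modified file should be checked by hand.

```python
import re

# Fixed releases named in the advisory, per branch.
FIXED_15 = (1, 5, 7)
FIXED_16 = (1, 6, 7)

# Roundcube's version constant, e.g. define('RCMAIL_VERSION', '1.6.6');
# Development builds use forms like '1.7-git', so the patch level is optional.
DEFINE_RE = re.compile(r"""define\(\s*['"]RCMAIL_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")


def parse_version(text):
    """'1.6.6' -> (1, 6, 6); '1.7-git' -> (1, 7, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True if the version is inside the CVE-2024-37383 affected range."""
    v = parse_version(version)
    if v < FIXED_15:              # 1.5.x before 1.5.7, and every older branch
        return True
    if v[:2] == (1, 6) and v < FIXED_16:
        return True
    return False


def version_from_iniset(contents):
    """Extract the version string from the text of program/include/iniset.php."""
    m = DEFINE_RE.search(contents)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


# Constructed stand-in for an installed program/include/iniset.php.
SAMPLE_INISET = """<?php
/* constructed sample, trimmed */
define('RCMAIL_VERSION', '1.6.6');
define('RCMAIL_START', microtime(true));
"""

if __name__ == "__main__":
    v = version_from_iniset(SAMPLE_INISET)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
```

In practice, wrap version_from_iniset in a loop over each web root (the file path is fixed relative to the Roundcube install directory) and treat a parse failure as "unknown, inspect manually" rather than as safe.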

Additionally, because the payload captures whatever a user types into the forged login form, users of a previously unpatched server should change their email passwords and clear their browser's site data for Roundcube as a precaution.

This incident highlights the critical importance of timely software updates, especially for applications handling sensitive information like email.

Organizations using Roundcube or similar webmail solutions should implement robust patch management processes and conduct regular security assessments to mitigate such risks.

As cyber threats continue to evolve, staying vigilant and maintaining up-to-date software remains one of the most effective defenses against credential theft and other malicious activities targeting email systems.
