Stratos Ally

RoundCube WebMail XSS exploited by Unknown Actors  


StratosAlly


Positive Technologies, a Russian cybersecurity firm, said that last month threat actors targeted multiple government organizations in CIS (Commonwealth of Independent States) countries. Roundcube webmail is not a very popular choice among corporations, but it is widely used by government agencies, so the flaw poses a serious risk of sensitive information being compromised.

The phishing message was sent in June 2024. The email contained no text, only an attachment. Although the email client did not display the attachment, the body of the email contained distinctive tags with the statement “eval(atob(…))”, which decodes and executes JavaScript code.

The attack campaign attempts to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows arbitrary JavaScript to execute in the context of the victim’s web browser. The flaw lets a remote attacker load arbitrary JavaScript code and access sensitive information simply by tricking an email recipient into opening a specially crafted message. The issue was fixed in versions 1.5.7 and 1.6.7 in May 2024.
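As an added illustration (not code from the article or from Positive Technologies), this Python detector flags the two indicators described above in an HTML mail body: an eval(atob(...)) statement, whose base64 argument it decodes for analyst triage, and an SVG animation element. It runs over a constructed sample body; the sample, the marker string and the function names are assumptions.

```python
import base64
import html
import re

# Indicators the report describes: an eval(atob("<base64>")) statement in the
# message body and an SVG animation element (<animate>/<set>) in mail HTML.
EVAL_ATOB = re.compile(
    r'eval\s*\(\s*atob\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)', re.I)
SVG_ANIMATE = re.compile(r'<svg\b.*?<(animate|set)\b', re.I | re.S)
TAG = re.compile(r'<[^>]+>')

# Constructed sample body: no visible text, an SVG animate element, and an
# eval(atob(...)) whose base64 decodes to a harmless marker string.
SAMPLE_BODY = (
    '<html><body><svg><animate attributeName="x" '
    'values="eval(atob(&quot;Y29uc3RydWN0ZWQgbWFya2Vy&quot;))"/></svg>'
    '</body></html>'
)
BENIGN_BODY = '<html><body><p>Hello, please see the attached agenda.</p></body></html>'


def decode_atob(b64):
    """Decode the atob() argument for analyst triage; return None if not base64."""
    try:
        raw = base64.b64decode(b64 + '=' * (-len(b64) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode('utf-8', errors='replace')


def scan_body(body):
    """Return (indicator, detail) tuples for one HTML mail body, in fixed order."""
    text = html.unescape(body)  # attribute values may carry &quot; and friends
    findings = []
    for m in EVAL_ATOB.finditer(text):
        decoded = decode_atob(m.group(1))
        findings.append(('eval_atob', decoded if decoded is not None else m.group(1)))
    if SVG_ANIMATE.search(text):
        findings.append(('svg_animate', 'SVG animation element in mail body'))
    if not TAG.sub('', text).strip() and findings:
        findings.append(('empty_text', 'no visible text but active content present'))
    return findings


if __name__ == '__main__':
    for name, body in (('sample', SAMPLE_BODY), ('benign', BENIGN_BODY)):
        print(name, scan_body(body))
```

The regexes are deliberately tolerant of whitespace and case; a mail gateway rule should also inspect MIME parts individually, since the script-like content sits in the HTML part rather than the attachment.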

The JavaScript payload saves the empty Microsoft Word attachment (“Road map.docx”) and then fetches messages from the mail server using the ManageSieve plugin. It also injects a login form into the HTML page displayed to the user in a bid to deceive victims into entering their Roundcube credentials. If the victim falls for the crafted login page, the captured credentials are exfiltrated to a remote server (“libcdn[.]org”) hosted on Cloudflare.

The threat actor has still not been identified. Roundcube users are nonetheless advised to upgrade immediately to the patched versions to stay safe.
