Unlocking the Power of IoT: A Game-Changer in Cyber Security
October 21, 2024Major Security Flaws Found in Popular E2EE Cloud Storage Providers
October 22, 2024Webmail XSS Vulnerability
Cybersecurity researchers recently uncovered a phishing attack leveraging a stored cross-site scripting (XSS) flaw (CVE-2024-37383) in the popular open-source Roundcube webmail platform. This vulnerability, now patched, allowed hackers to inject malicious JavaScript into emails, leading to stolen user credentials.
In June 2024, attackers targeted a government organization in the Commonwealth of Independent States (CIS) by sending an email with a concealed payload. The email appeared to contain only an attached document, but when opened, malicious JavaScript was executed through the victim’s browser. The attack exploited SVG animate attributes, allowing the script to execute arbitrary code and gain access to sensitive information without user awareness.
Attack Overview
The attackers leveraged Roundcube’s stored XSS vulnerability to manipulate email content and trick recipients into downloading a seemingly harmless attachment (“Road map.docx”). However, when the recipient opened the email, the malicious JavaScript ran automatically, allowing the attacker to retrieve emails from the victim’s server via the ManageSieve plugin. The script then displayed a fake login form, tricking users into providing their Roundcube credentials, which were exfiltrated to a remote server hosted on Cloudflare.
Targeting Government Agencies
Roundcube may not be the most widely used email client, but it remains a preferred target for cybercriminals due to its extensive use by government agencies. Even though the vulnerability has been patched in Roundcube versions 1.5.7 and 1.6.7 as of May 2024, this incident serves as a stark reminder of the persistent threats posed by phishing attacks. Such attacks, if successful, could result in severe consequences, including the exposure of sensitive government information.
The Role of Hacking Groups
While the specific perpetrators behind this attack remain unidentified, similar Roundcube exploits have been previously used by hacking groups like APT28, Winter Vivern, and TAG-70. These groups are known for targeting governmental organizations and using sophisticated phishing techniques to compromise email security. Roundcube’s vulnerability, even if not widely used, presents a significant risk due to the nature of its user base.