Hackers Target CIS Agencies via Roundcube Breach

Attackers have been observed attempting to exploit a vulnerability in Roundcube, a popular open-source webmail client. Specialists from Positive Technologies discovered that in June 2024 a phishing email was sent to a government body in a CIS country. The email appeared empty, containing only an attachment.

Further analysis revealed specific tags in the email containing eval code (…), allowing JavaScript to execute in the recipient’s browser. The technique exploited CVE-2024-37383, a stored XSS vulnerability triggered through SVG animation elements, rated 6.1 on the CVSS scale.

The issue lay in attackers being able to supply arbitrary JavaScript as an href value and have it run when the email was opened. The malicious code was disguised within an empty Word document (“Road Map.docx”) and then communicated with the mail server via the ManageSieve plugin to retrieve messages.
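One defender-side check for the pattern described above, an SVG animation element whose href attribute carries a script scheme, as an added example that is not code from Positive Technologies or the Roundcube project; the sample messages are constructed and the function and class names are my own.

```python
"""Audit an HTML email body for SVG animation elements whose href (or
xlink:href) uses a script scheme, the pattern behind CVE-2024-37383.
Added example, not Roundcube's sanitizer; sample inputs are constructed."""
from html.parser import HTMLParser

# SVG elements that accept an href and can be abused to run script.
ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform"}
HREF_ATTRS = {"href", "xlink:href"}
# "" covers relative URLs and fragment references such as "#box".
SAFE_SCHEMES = {"", "http", "https", "mailto", "cid"}


def attr_scheme(value):
    """Return the URL scheme the way a browser would see it: surrounding
    whitespace stripped, embedded tab/newline/CR removed, lowercased."""
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\n\r").lower()
    scheme, sep, _ = cleaned.partition(":")
    return scheme if sep else ""


class SvgHrefAuditor(HTMLParser):
    """Collects (tag, attribute, value) for every suspicious animation href.
    HTMLParser decodes character references, so obfuscated values such as
    'jav&#x61;script:' are inspected in their decoded form."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ANIMATION_TAGS:  # tag names arrive lowercased
            return
        for name, value in attrs:
            if name in HREF_ATTRS and value is not None:
                if attr_scheme(value) not in SAFE_SCHEMES:
                    self.findings.append((tag, name, value))


def audit_email_html(body):
    parser = SvgHrefAuditor()
    parser.feed(body)
    parser.close()
    return parser.findings


SAMPLE_CLEAN = (  # constructed benign message: fragment href only
    '<p>Road map attached.</p><svg width="10" height="10">'
    '<animate attributeName="x" href="#box"/></svg>'
)
SAMPLE_SUSPECT = (  # constructed: script scheme, once plain, once obfuscated
    '<p></p><svg><animate attributeName="x" href="javascript:void(0)"/>'
    '<set xlink:href="\tjav&#x61;script:void(0)" attributeName="x"/></svg>'
)

if __name__ == "__main__":
    for tag, name, value in audit_email_html(SAMPLE_SUSPECT):
        print(f"suspicious <{tag}> {name}={value!r}")
```

The same walk can be applied to stored messages during incident triage to find which mailboxes received a matching email.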

Subsequently, a fake login page resembling the Roundcube interface was displayed in the email client. Credentials entered there were transmitted to the remote server libcdn[.]org, hosted by Cloudflare.

While the attackers behind this campaign could not be conclusively identified, groups such as APT28, Winter Vivern, and TAG-70 have previously been involved in operations targeting Roundcube. Positive Technologies stresses that although Roundcube is not widely used overall, it is prevalent in government institutions, making it an appealing target for cyber threats.

The vulnerability was addressed in versions 1.5.7 and 1.6.7 released in May 2024.
