Hackers Exploit Roundcube XSS Flaw to Hijack Login Credentials.

Phishing Campaign Exploits Roundcube XSS Vulnerability

Security researchers have discovered a new phishing campaign aimed at users of the popular open-source Roundcube webmail platform.

Unidentified threat actors are taking advantage of a recently patched cross-site scripting (XSS) vulnerability to steal user credentials. The flaw, tracked as CVE-2024-37383, affects Roundcube versions below 1.5.7 and 1.6.x prior to 1.6.7. It stems from incomplete sanitisation of SVG animation attributes: an attacker embeds an SVG image in an email whose animate tags carry an attacker-controlled href value, and the resulting JavaScript runs in the victim's browser, in the context of the webmail session, as soon as the message is opened.

Discovery of the Attack

The attack was detected by Positive Technologies in September 2024 while examining a phishing attempt targeting a government institution in a Commonwealth of Independent States (CIS) country. The phishing message itself had been sent in June 2024, about a month after the fix was released. Although the email appeared blank, it contained hidden JavaScript code inserted within the href attribute of SVG animate tags.

How the Exploit Works

When a victim using a vulnerable Roundcube client opens the malicious email, the JavaScript payload executes within the webmail's interface and therefore with the victim's authenticated session. The script performs the following actions:

  • Downloads a placeholder Word document named "Road map.docx".
  • Attempts to fetch messages from the mail server using the ManageSieve plugin.
  • Embeds a fake login prompt within Roundcube’s interface to harvest login credentials.
  • Transfers the stolen credentials to a remote server at libcdn.org.
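For defenders who want to check stored mail for this pattern, the following scanner is an added example written for this article; it is not Roundcube code and not the researchers' tooling. It parses raw messages with Python's standard library and flags SVG animate (or set) elements that point an href at a javascript: or data: URI, either directly or via attributeName="href", plus any reference to the exfiltration host named above. Which exact attribute form the campaign used is not confirmed on this page, so the check covers both; the two sample messages are constructed for illustration.

```python
"""Scan raw RFC 822 messages for the SVG <animate> href pattern associated
with CVE-2024-37383.  Added example, not Roundcube's own code."""
import email
import re
from email import policy
from html.parser import HTMLParser

# Indicators taken from the article: an animate element that rewrites an
# href to a script/data URI, and the host the stolen credentials went to.
EXFIL_HOST = "libcdn.org"
HREF_ATTRS = {"href", "xlink:href"}
ANIMATE_VALUE_ATTRS = {"values", "to", "from", "by"}
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|data)\s*:", re.IGNORECASE)


class AnimateHrefFinder(HTMLParser):
    """Collect <animate>/<set> elements that set an href to a dangerous URI."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; <animate .../> is
        # routed here via handle_startendtag.
        if tag not in ("animate", "set"):
            return
        a = {k: (v or "") for k, v in attrs}
        targets_href = a.get("attributename", "").lower() in HREF_ATTRS
        direct_href = any(k in HREF_ATTRS for k in a)
        if not (targets_href or direct_href):
            return
        payloads = [a[k] for k in (ANIMATE_VALUE_ATTRS | HREF_ATTRS) if k in a]
        # 'values' is a semicolon-separated list of keyframes; test each one.
        pieces = [p for payload in payloads for p in payload.split(";")]
        if any(DANGEROUS_SCHEME.match(p) for p in pieces):
            self.hits.append(a)


def scan_message(raw: bytes) -> list:
    """Return a list of finding strings for one raw message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "image/svg+xml"):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # non-text parts come back as bytes
            body = body.decode("utf-8", "replace")
        finder = AnimateHrefFinder()
        finder.feed(body)
        for hit in finder.hits:
            findings.append(f"svg-animate-href in {ctype}: {hit}")
        if EXFIL_HOST in body:
            findings.append(f"reference to {EXFIL_HOST} in {ctype}")
    return findings


# Constructed sample messages (not the real campaign email).
MALICIOUS = b"""From: sender@example.net
To: victim@example.gov
Subject:
Content-Type: text/html; charset=utf-8

<html><body>
<svg xmlns="http://www.w3.org/2000/svg"><a>
<animate attributeName="href" values="javascript:eval(atob('Li4u'))"/>
<text x="0" y="15">&nbsp;</text></a></svg>
</body></html>
"""

BENIGN = b"""From: colleague@example.org
To: victim@example.gov
Subject: chart
Content-Type: text/html; charset=utf-8

<html><body><p>See the animated chart below.</p>
<svg xmlns="http://www.w3.org/2000/svg"><circle r="5">
<animate attributeName="r" values="5;10;5" dur="2s" repeatCount="indefinite"/>
</circle></svg></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, scan_message(raw) or "clean")
```

Run it over an mbox or Maildir by feeding each message's bytes to scan_message; a non-empty result is an indicator to triage, not proof of compromise, since animate elements targeting href are rare in legitimate mail but not impossible.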

Impact and Risk

This incident shows how a seemingly harmless, even blank, email can pose a significant security risk if vulnerabilities are not addressed promptly. Although the issue was resolved in May 2024, the campaign was still active a month later, and many organizations may still be running outdated versions of Roundcube, leaving them exposed.

The identity of the hackers remains unknown, but previous Roundcube vulnerabilities have been exploited by groups such as APT28, Winter Vivern, and TAG-70. Government entities are particularly at risk due to their common use of Roundcube for internal communications.

CISA Warning

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-37383 to its Known Exploited Vulnerabilities Catalog, cautioning that such vulnerabilities are frequent attack vectors for malicious actors. Federal civilian agencies were directed to apply the patches by November 14, 2024.

Recommendations

Experts strongly recommend that all Roundcube users update to version 1.5.7 or 1.6.7 (or later) as soon as possible to mitigate this risk. Because the payload runs inside an authenticated session and harvests credentials, users of affected installations are also advised to reset their email passwords and clear any browser data related to Roundcube.
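To check an installation against the fixed versions, the following helper is an added example (not part of the article or of Roundcube). The fixed versions 1.5.7 and 1.6.7 come from the advisory; the branch handling (anything older than the 1.5 line is treated as vulnerable, anything newer than the fixed releases as fixed) and the assumption that the version string can be read from the RCMAIL_VERSION define in program/include/iniset.php are the example's own.

```python
"""Check whether a Roundcube version predates the CVE-2024-37383 fix.
Added example; fixed versions from the advisory, branch logic is an assumption."""
import re

# Fixed release per affected branch (from the advisory).
FIXED = {(1, 5): (1, 5, 7), (1, 6): (1, 6, 7)}
OLDEST_FIX = (1, 5, 7)


def parse_version(text: str) -> tuple:
    """Extract the first X.Y.Z version number from a string as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if the version lacks the fix for CVE-2024-37383."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:            # 1.5.x or 1.6.x: compare within the branch
        return v < FIXED[branch]
    return v < OLDEST_FIX          # pre-1.5 lines never received the fix


def version_from_iniset(php_source: str) -> str:
    """Pull the version out of the RCMAIL_VERSION define (assumed file layout)."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


if __name__ == "__main__":
    # Constructed excerpt of an iniset.php for illustration.
    sample = "<?php\ndefine('RCMAIL_VERSION', '1.6.6');\n"
    ver = version_from_iniset(sample)
    print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```

Point version_from_iniset at the contents of program/include/iniset.php on the server; a "vulnerable" result means the XSS fix is missing and the update plus the password reset above both apply.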

This incident emphasizes the importance of timely software updates, especially for platforms handling sensitive data like email communications.
