A threat actor was caught attempting to exploit a recent vulnerability in Roundcube Webmail against a governmental organization in a Commonwealth of Independent States (CIS) country, cybersecurity firm Positive Technologies reports.
Tracked as CVE-2024-37383 and described as a cross-site scripting (XSS) issue affecting the way Roundcube was handling SVG animate attributes, the bug was patched on May 19 in Roundcube Webmail versions 1.5.7 and 1.6.7.
According to Positive Technologies, the targeted entity received an email message that only contained an attachment, without a text body. The message was sent in June.
The email client, the cybersecurity firm says, did not show the attachment, and the email body contained distinctive tags and a statement to decode and execute JavaScript code.
“The distinctive attribute name (attributeName="href "), containing an extra space, indicated that the email was an attempt to exploit the CVE-2024-37383 vulnerability in Roundcube Webmail,” Positive Technologies explains.
Prior to displaying the email message, when processing SVG elements with the animate attribute, Roundcube would exclude elements containing the ‘href’ attribute name from the final page.
However, the function responsible for checking the attribute did not exclude elements whose attribute name contained the extra space, allowing them to appear on the page.
Furthermore, because the attribute value would be considered as the attribute name, an attacker could insert JavaScript code as the value for ‘href’, which would be executed whenever the Roundcube client opened the malicious email.
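The weakness described above is an exact-match check that an attribute name with trailing whitespace slips past. The following added example (hypothetical code, not Roundcube's own sanitizer) contrasts that naive check with a normalized one and scans a constructed SVG fragment for `animate` elements whose `attributeName` would evade the naive check, which is the pattern a defender would want to flag in mail content.

```python
"""Detection check for the CVE-2024-37383 evasion pattern (added example)."""
from html.parser import HTMLParser

# Attribute names a sanitizer must refuse as animation targets.
HREF_NAMES = {"href", "xlink:href"}


def naive_is_href(value: str) -> bool:
    """Exact comparison: 'href ' (trailing space) is not matched."""
    return value in HREF_NAMES


def normalized_is_href(value: str) -> bool:
    """Strip surrounding whitespace and case before comparing."""
    return value.strip().lower() in HREF_NAMES


class AnimateCollector(HTMLParser):
    """Collect attributeName targets from <animate>/<set> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("animate", "set"):  # HTMLParser lowercases tag names
            return
        attrs = dict(attrs)  # attribute *names* are lowercased, values kept
        target = attrs.get("attributename")
        if target is None:
            return
        self.findings.append({
            "target": target,
            "naive_blocked": naive_is_href(target),
            "normalized_blocked": normalized_is_href(target),
            "value": attrs.get("values") or attrs.get("to") or "",
        })


def scan(markup: str) -> list:
    parser = AnimateCollector()
    parser.feed(markup)
    parser.close()
    return parser.findings


def evasion_attempts(markup: str) -> list:
    """Targets the normalized check rejects but the naive check lets through."""
    return [f["target"] for f in scan(markup)
            if f["normalized_blocked"] and not f["naive_blocked"]]


# Constructed sample resembling the reported payload shape (not a real capture).
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg"><a href="#">'
          '<animate attributeName="href " values="javascript:void(0)"/>'
          '</a></svg>')
```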
As part of the observed attack, the executed code was meant to save the attached document and to obtain emails from the server using the ManageSieve plugin.
The code also added fields for the recipient’s username and password to the displayed HTML page, to harvest the credentials and send them to an attacker-controlled server.
The cybersecurity firm could not link the attack to a known threat actor, but Roundcube vulnerabilities were previously exploited by the Russian cyberespionage group Winter Vivern.
“While Roundcube Webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies. Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information,” Positive Technologies notes.