Analysis Summary

Unknown threat actors have been seen attempting to execute a phishing attack intended to acquire user credentials to take advantage of a vulnerability in the open-source Roundcube webmail program that has since been fixed.

Researchers found out last month that an email was sent to an unidentified political body in a Commonwealth of Independent States (CIS) nation. It is important to remember that the message was first sent in June 2024. The email seemed to be a text-only communication with a document attached, but the email client hid the attachment from view. The email's body includes unique tags containing the statement eval(atob(...)) that decode and run JavaScript code.

Researchers describe the attack chain as an effort to leverage CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animation elements that permits the victim's web browser to execute any JavaScript within its context. Stated differently, a remote attacker may fool an email recipient into opening a specially designed message, so allowing the attacker to load arbitrary JavaScript code and access sensitive data. As of May 2024, the problem has been fixed in versions 1.5.7 and 1.6.7.

When a Roundcube client opens a malicious email, we can run JavaScript code on the Roundcube page by putting it as the value for "href". In this instance, the JavaScript payload saves the blank Microsoft Word attachment ("Road map.docx") and uses the ManageSieve plugin to get mail server messages. In an attempt to trick victims into giving their Roundcube credentials, it also shows a login form on the HTML page that is shown to them.

The last step is exfiltrating the username and password information to a remote server ("libcdn[.]org") that is hosted on Cloudflare. The identity of the perpetrators of the exploitation activity is unknown at this time, while several threat groups, including APT28, Winter Vivern, and TAG-70, have exploited Roundcube vulnerabilities in the past. Even though Roundcube webmail isn't the most popular email client, threat actors still target it because so many government entities use it. Attacks on this software have the potential to cause a lot of harm and provide thieves access to private data.

Impact

• Credential Theft
• Cross-Site Scripting
• Code Execution

Indicators of Compromise

Domain Name

• rcm.codes
• libcdn.org

Affected Vendors

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Upgrade to the latest version of Roundcube Webmail, available from the roundcubemail GIT Repository.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.