Man
Professional
- Messages
- 3,087
- Reaction score
- 627
- Points
- 113
How did a seemingly empty email turn out to be the key to compromising the network?
In cyberspace, an attempt by attackers to exploit a vulnerability in Roundcube, a popular open-source web-based email client, has been recorded. Positive Technologies specialists discovered that in June 2024, a phishing email was sent to one of the government agencies in the CIS country. At the same time, the message looked empty and did not contain visible text, except for the attachment.
However, the analysis showed that the email included specific tags with the code eval(atob(...)), which allows JavaScript to be run directly in the recipient's browser. This approach exploited CVE-2024-37383 – Stored XSS vulnerability via SVG animation, rated 6.1 on the CVSS scale.
The problem was that the attackers could inject arbitrary JavaScript as a value for "href" and activate it when the email was opened. The malicious code saved an empty Word attachment ("Road map.docx") and then accessed the mail server via the ManageSieve plugin to receive messages.
Later, a fake login form imitating the Roundcube interface was displayed on the page of the mail client. After entering the login and password, the data was sent to a remote server libcdn[.]org, which was hosted by Cloudflare.
While it has not been possible to determine exactly which specific threat actors were behind this attack, APT28, Winter Vivern, and TAG-70 groups have previously been implicated in operations targeting Roundcube. Positive Technologies emphasizes that despite the limited distribution of Roundcube, this email client is actively used in government agencies, which makes it an attractive target for cyberattacks.
The vulnerability was fixed in versions 1.5.7 and 1.6.7, released in May 2024.
Source
In cyberspace, an attempt by attackers to exploit a vulnerability in Roundcube, a popular open-source web-based email client, has been recorded. Positive Technologies specialists discovered that in June 2024, a phishing email was sent to one of the government agencies in the CIS country. At the same time, the message looked empty and did not contain visible text, except for the attachment.
However, the analysis showed that the email included specific tags with the code eval(atob(...)), which allows JavaScript to be run directly in the recipient's browser. This approach exploited CVE-2024-37383 – Stored XSS vulnerability via SVG animation, rated 6.1 on the CVSS scale.
The problem was that the attackers could inject arbitrary JavaScript as a value for "href" and activate it when the email was opened. The malicious code saved an empty Word attachment ("Road map.docx") and then accessed the mail server via the ManageSieve plugin to receive messages.
Later, a fake login form imitating the Roundcube interface was displayed on the page of the mail client. After entering the login and password, the data was sent to a remote server libcdn[.]org, which was hosted by Cloudflare.
While it has not been possible to determine exactly which specific threat actors were behind this attack, APT28, Winter Vivern, and TAG-70 groups have previously been implicated in operations targeting Roundcube. Positive Technologies emphasizes that despite the limited distribution of Roundcube, this email client is actively used in government agencies, which makes it an attractive target for cyberattacks.
The vulnerability was fixed in versions 1.5.7 and 1.6.7, released in May 2024.
Source
