Attackers Exploit Roundcube Webmail Vulnerability

Cybersecurity experts from Positive Technologies’ Security Expert Center (PT ESC) have uncovered an exploit targeting Roundcube Webmail, an open-source email client written in PHP.  

According to the researchers, Roundcube’s “extensive functionality and the convenient access it gives users to email accounts via a browser—without the need for full-fledged email clients—have made it popular among commercial and government organizations worldwide.”

However, this popularity has also put us in the crosshairs of cybercriminals who rapidly adapt exploits once they become publicly known in the hope of stealing credentials and corporate email communications.

The attack leverages a vulnerability—CVE-2024-37383—and poses a significant threat to firms that have yet to update their Roundcube installations.

Distinctive Attributes

In September, PT ESC researchers identified an email attack aimed at a government entity in a Commonwealth of Independent States country. Forensic analysis revealed the malicious email had been sent in June 2024. The email itself appeared blank, containing only an invisible attachment. However, closer examination revealed that the JavaScript code was embedded in the email body, exploiting a known vulnerability in Roundcube.

This exploit focused on a stored cross-site scripting (XSS) flaw, allowing malicious actors to execute malicious JavaScript code simply by having a user open a specially crafted email in Roundcube versions earlier than 1.5.6 or from 1.6 to 1.6.6. The malicious email contained distinctive attributes and tags designed to bypass the email client’s filters, indicating that the attackers were well-versed in Roundcube’s vulnerabilities.

How it Works

CVE-2024-37383 was first discovered by CrowdStrike researchers and patched on 19 May 2024. The vulnerability lay in how Roundcube processed certain SVG elements in email content. During this process, attributes like “href” were not properly sanitized, allowing attackers to insert malicious code into the email body.

The attack described by PT ESC exploited this flaw by adding an extra space to the “href” attribute, bypassing Roundcube’s filtering mechanisms. As a result, JavaScript code embedded within the email was executed when the email was opened, compromising the user’s browser session and potentially exposing sensitive information.

The Attack Payload

The payload executed included attempts to steal user credentials. The code prompted the user’s browser to save a seemingly empty document titled “Road map.docx” and initiated requests to gather messages from the Roundcube mail server using the ManageSieve plugin.

Additionally, the attack inserted a login form, tricking users into entering their credentials. These credentials were then sent to a server hosted on the domain libcdn.org, registered in June 2024, and hosted on Cloudflare infrastructure.

Adoption by Govt Agencies

Roundcube Webmail, though not the most widely used email client, remains a target for cybercriminals due to its adoption by many government agencies. Vulnerabilities like CVE-2024-37383 highlight the risks posed by unpatched software, especially when such software is used to handle sensitive communications.

While this specific attack has not yet been attributed to a known threat actor, it bears similarities to other campaigns, such as those conducted by the Winter Vivern group, which also exploited vulnerabilities in Roundcube to target European government agencies.

Adam Pilton, Senior Cybersecurity Consultant at CyberSmart, says many are unaware of Roundcube webmail because it’s not widely used. However, being government entities, its users are a key target for bad actors. “This attack is a reminder that who you are is particularly relevant to cyber criminals as well as what software you are using.”

In this case, PIlton says a phishing email was sent, trying to exploit a vulnerability in Roundcube, although he says it’s important to note that a patch was created for this vulnerability and has been around since May. But a patch is only useful if it has been applied.

“In June this year, phishing emails were sent, and ultimately, we’re trying to steal the credentials of those using Roundcube.”

Pilton says this is a timely reminder to all that whoever we are and whatever software we’re using, we can only protect ourselves by ensuring we’re using the latest software. “Vulnerability management is crucial in defending ourselves from cybercriminals. Whether it’s Roundcube, Microsoft Office, or your Chrome browser, they all require updating.”