"Roundcube Webmail Vulnerability Exploited in Government Attack"

Security researchers at Positive Technologies recently observed a threat actor attempting to exploit a vulnerability in Roundcube Webmail against a governmental organization in a Commonwealth of Independent States (CIS) country. Tracked as CVE-2024-37383 and described as a cross-site scripting (XSS) issue affecting the way Roundcube handled SVG animate attributes, the bug was patched on May 19 in Roundcube Webmail versions 1.5.7 and 1.6.7. The researchers noted that the targeted entity received an email message that contained only an attachment, without a text body. The message was sent in June. The email client did not show the attachment, and the email body contained distinctive tags and a statement to decode and execute JavaScript code. As part of the observed attack, the executed code was meant to save the attached document and to obtain emails from the server using the ManageSieve plugin. The code also added fields for the recipient's username and password to the displayed HTML page to harvest the credentials and send them to an attacker-controlled server. The researchers were not able to link the attack to a known threat actor, but they noted that Roundcube vulnerabilities were previously exploited by Winter Vivern, a Russian cyberespionage group.

 

SecurityWeek reports: "Roundcube Webmail Vulnerability Exploited in Government Attack"

Submitted by Adam Ekwall on