Exploitation of Roundcube Vulnerability CVE-2024-42009 in Spear Phishing Attacks

In a recent cybersecurity incident, threat actors have exploited a critical vulnerability in the Roundcube webmail system, identified as CVE-2024-42009, to conduct spear phishing attacks targeting Polish organizations. This vulnerability allows for the execution of arbitrary JavaScript code when a user opens a specially crafted email, leading to potential credential theft and unauthorized access to sensitive information.

Understanding CVE-2024-42009

CVE-2024-42009 is a cross-site scripting (XSS) vulnerability that arises from inadequate HTML sanitization within Roundcube’s email processing. Specifically, the flaw permits attackers to embed malicious JavaScript code within emails, which is executed when the email is viewed in a vulnerable Roundcube client. This execution can occur without any additional user interaction beyond opening the email, making it particularly insidious.

Mechanism of the Attack

The attackers employed a sophisticated two-stage payload delivery mechanism:

1. Initial Exploit Code: Embedded within the email’s HTML structure, the initial code exploits CSS animation functionalities to execute JavaScript. This script registers a Service Worker in the victim’s browser—a legitimate feature designed to run scripts in the background and intercept network requests.

2. Credential Harvesting: The registered Service Worker captures authentication attempts by listening to specific events. This allows the attacker to intercept and exfiltrate user credentials without disrupting normal authentication flows.

This method ensures persistence and stealth, as the Service Worker continues to operate in the background, capturing credentials over time.

Attribution to UNC1151

Security analysts have attributed this campaign to UNC1151, a threat group associated with Belarusian government operations and potentially linked to Russian intelligence services. This marks the first recorded exploitation of CVE-2024-42009 by this group. UNC1151 is known for its advanced cyber espionage activities, often targeting governmental and organizational entities.

Social Engineering Tactics

The phishing emails were crafted with convincing social engineering tactics to encourage immediate user interaction. Subjects such as "[!IMPORTANT] Invoice to reservation number: S2500650676" were used to create a sense of urgency. The emails masqueraded as legitimate business communications requesting invoice processing for travel reservations, specifically targeting Polish entities.

Mitigation Measures

Organizations utilizing Roundcube should take the following steps to mitigate the risk:

1. Update Roundcube: Immediately upgrade to the latest versions (1.6.11 or 1.5.10) to address the exploited vulnerability.

2. Unregister Service Workers: Open the webmail site in the browser, open developer tools (F12), go to Application → Service Workers, and click Unregister for every listed registration to remove any installed Service Workers.

3. Password Resets and Activity Review: Affected users should undergo mandatory password resets and a comprehensive review of their account activity to detect any unauthorized access.
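The Service Worker registered by the exploit (attack mechanism above) is removed by mitigation step 2. The following added example, written for this page and not code from the original report or from Roundcube, does the same thing programmatically: pasted into the DevTools console while the webmail origin is open, it lists every Service Worker registration on that origin, records its scope and script URL for the incident record, and unregisters it. The `container` parameter stands for the page's `navigator.serviceWorker` and exists only so the logic can be exercised outside a browser; the `webmail.example` hostname is a constructed placeholder. It assumes the deployment registers no Service Worker of its own, so any registration found is worth investigating.

```javascript
// Added example: enumerate and unregister every Service Worker on the current origin.
// Run from the DevTools console of the webmail site (same origin as the registration).
// `container` is navigator.serviceWorker in a browser; it is a parameter so the
// logic can also be exercised offline with a fake container.

// Summarise one registration: its scope and the URL of whichever worker is present.
function describeRegistration(reg) {
  const worker = reg.active || reg.waiting || reg.installing;
  return { scope: reg.scope, scriptURL: worker ? worker.scriptURL : null };
}

// Unregister all registrations and return a report suitable for an incident log.
async function unregisterAllServiceWorkers(container) {
  const registrations = await container.getRegistrations();
  const report = [];
  for (const reg of registrations) {
    const entry = describeRegistration(reg);
    // unregister() resolves to true when the registration was actually removed.
    entry.unregistered = await reg.unregister();
    report.push(entry);
  }
  return report;
}

// Browser entry point: only runs where a Service Worker container exists.
if (typeof navigator !== 'undefined' && navigator.serviceWorker) {
  unregisterAllServiceWorkers(navigator.serviceWorker).then((report) => {
    if (report.length === 0) {
      console.log('No Service Workers registered on this origin.');
    }
    for (const e of report) {
      console.log(`${e.unregistered ? 'Unregistered' : 'FAILED'}: scope=${e.scope} script=${e.scriptURL}`);
    }
  });
}
```

Registrations are stored per browser profile and per origin, so the check has to be repeated in every browser and profile the affected user opened the webmail from; keeping the `scriptURL` values from the report helps the activity review in step 3.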

Indicators of Compromise (IoC)

Organizations should be vigilant for the following indicators:

– Sender Addresses: irina.vingriena@gmail[.]com, julitaszczepanska38@gmail[.]com

– SMTP Source Address: 2001:67c:e60:c0c:192:42:116:216

– Email Subject: [!WAZNE] Faktura do numeru rezerwacji: S2500650676
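To turn the three indicators above into a check that can be run over archived or quarantined mail, the following added example (written for this page, not part of the original report) parses the header block of a raw message, refangs the defanged sender addresses, decodes an RFC 2047 encoded-word subject, and reports which indicators match. The sample messages, the `example.pl` hostnames and the Postfix-style queue id in them are constructed for the example; the indicator values themselves are the ones listed on this page.

```javascript
// Added example: match the IoCs from the page against raw message headers.
// Indicator values are taken from the page; everything else is constructed.

// Replace the defanging "[.]" used in the indicator list with a real dot.
function refang(value) {
  return value.replace(/\[\.\]/g, '.');
}

const IOCS = {
  senders: ['irina.vingriena@gmail[.]com', 'julitaszczepanska38@gmail[.]com'].map(refang),
  smtpSource: '2001:67c:e60:c0c:192:42:116:216',
  subject: '[!WAZNE] Faktura do numeru rezerwacji: S2500650676',
};

// Parse the header block: unfold continuation lines, then collect name -> [values].
function parseHeaders(rawMessage) {
  const headerPart = rawMessage.split(/\r?\n\r?\n/)[0];
  const unfolded = headerPart.replace(/\r?\n[ \t]+/g, ' ');
  const headers = {};
  for (const line of unfolded.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return headers;
}

// Decode RFC 2047 encoded words (=?charset?B|Q?text?=) for UTF-8 and Latin-1 subjects.
function decodeEncodedWords(value) {
  const joined = value.replace(/(\?=)\s+(=\?)/g, '$1$2'); // whitespace between words is dropped
  return joined.replace(/=\?([^?]+)\?([bBqQ])\?([^?]*)\?=/g, (match, charset, enc, text) => {
    const cs = charset.toLowerCase();
    if (!['utf-8', 'us-ascii', 'iso-8859-1', 'latin1'].includes(cs)) return match;
    let bytes;
    if (enc.toLowerCase() === 'b') {
      bytes = Buffer.from(text, 'base64');
    } else {
      const q = text.replace(/_/g, ' ').replace(/=([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
      bytes = Buffer.from(q, 'latin1');
    }
    return bytes.toString(cs === 'utf-8' ? 'utf8' : 'latin1');
  });
}

// Pull the bare address out of 'Display Name <addr>' or a bare address.
function extractAddress(fromValue) {
  const m = fromValue.match(/<([^>]+)>/);
  return (m ? m[1] : fromValue).trim().toLowerCase();
}

// Match an IPv6 literal as a whole token (allowing the "IPv6:" prefix Postfix writes),
// so a longer address that merely contains the indicator does not match.
function containsAddress(text, addr) {
  const esc = addr.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('(?:^|[^0-9a-f:]|ipv6:)' + esc + '(?:$|[^0-9a-f:])', 'i').test(text);
}

// Return the list of indicators that match the message.
function matchIocs(rawMessage) {
  const h = parseHeaders(rawMessage);
  const hits = [];
  for (const addr of (h.from || []).map(extractAddress)) {
    if (IOCS.senders.includes(addr)) hits.push('sender:' + addr);
  }
  if (containsAddress((h.received || []).join(' '), IOCS.smtpSource)) {
    hits.push('smtp-source:' + IOCS.smtpSource);
  }
  const subjects = (h.subject || []).map((s) => decodeEncodedWords(s).trim());
  if (subjects.some((s) => s === IOCS.subject)) hits.push('subject');
  return hits;
}

// Constructed sample: a message carrying all three indicators, with a folded
// Received header and a Q-encoded subject, plus a benign message for contrast.
const SAMPLE_PHISHING = [
  'Received: from mail-host.example (unknown [IPv6:2001:67c:e60:c0c:192:42:116:216])',
  '\tby mx.example.pl (Postfix) with ESMTPS id PLACEHOLDER123',
  '\tfor <user@example.pl>; Mon, 1 Jan 2024 09:00:00 +0100',
  'From: "Julita" <julitaszczepanska38@gmail.com>',
  'To: user@example.pl',
  'Subject: =?UTF-8?Q?[=21WAZNE]_Faktura_do_numeru_rezerwacji:_S2500650676?=',
  '',
  '<html><body>constructed body</body></html>',
].join('\n');

const SAMPLE_BENIGN = [
  'Received: from colleague-host.example.pl ([192.0.2.10]) by mx.example.pl with ESMTP',
  'From: colleague@example.pl',
  'Subject: Lunch on Friday?',
  '',
  'see you there',
].join('\n');

console.log(matchIocs(SAMPLE_PHISHING)); // all three indicators
console.log(matchIocs(SAMPLE_BENIGN));   // []
```

The IPv6 comparison is a text match against the single canonical form given on the page, which is adequate here because that address has no zero groups to compress; for a general-purpose tool, normalise both sides with a proper IPv6 parser. The subject check also depends on the subject being decodable, which is why encoded-word decoding is applied before comparing.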

By recognizing these indicators and implementing the recommended mitigation measures, organizations can enhance their defenses against such sophisticated phishing campaigns.