1.0 Introduction
Recently, unknown threat actors are actively exploiting a now-patched cross-site scripting (XSS) vulnerability in Roundcube webmail software, specifically CVE-2024-37383.
2.0 Impact
This vulnerability is being used for phishing attacks aimed at stealing user credentials by the threat actors.
3.0 Affected Products
- Roundcube version earlier than 1.5.6 and versions 1.6 to 1.6.6
4.0 MITRE ATT&CK Matrix
| ID | Name | Description |
| Execution | ||
| T059.007 | JavaScript | Cybercriminals use JavaScript code to execute payloads within the victim's email session in their browser. |
| Collection | ||
| T1114.003 | Remote email collection | Cybercriminals collect the contents of the victim's mailbox using the ManageSieve plugin |
| Web portal capture | Cybercriminals insert the login and password input fields into an email webpage and send the entered data to a remote server |
5.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review the following security release and apply the necessary updates.
Kindly refer to the following URL: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/fake-attachment-roundcube-mail-server-attacks-exploit-cve-2024-37383-vulnerability
Generally, Cyber999 advises users of this device to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact Cyber999 through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 -17.30 MYT
Web:
https://www.mycert.org.my
6.0 References