
CERT Polska has identified a targeted spear-phishing campaign against Polish organizations this week, where attackers exploit a Roundcube webmail vulnerability to steal user credentials.
The attack, attributed to UNC1151 with high confidence, shows how far email-based threats have moved: merely viewing a message triggers JavaScript execution inside the victim's webmail session, and that JavaScript installs a malicious Service Worker in the browser to harvest credentials.
The campaign targeted Polish entities with invoice-themed emails written to prompt an immediate response from recipients.
The messages carried subjects such as “[!IMPORTANT] Invoice to reservation number: S2500650676” and read as ordinary business correspondence asking for an invoice for a travel reservation to be processed.
According to CERT Polska's analysis, the emails were crafted to look as if they came from legitimate businesses: they included detailed company information, Polish addresses and tax identification (NIP) numbers, enough to lend credibility and survive a recipient's first glance.
Security researchers attribute the campaign to UNC1151, a threat group that Mandiant and Google publications link to Belarusian government operations, though other intelligence sources suggest connections to Russian intelligence services.
CERT Polska notes that this is the first recorded exploitation of CVE-2024-42009 by this actor, a notable change in its tooling rather than in its targeting.
Roundcube Vulnerability
CVE-2024-42009 is a stored cross-site scripting (XSS) flaw in Roundcube's HTML message sanitization: a crafted HTML email survives the sanitizer, so attacker-supplied JavaScript runs in the victim's authenticated webmail session as soon as the message is opened.
This is a step beyond conventional phishing, which needs the recipient to click a link or open an attachment; here, viewing the email is enough. Note that the vulnerable software is the victim organization's own Roundcube installation, not anything the attacker hosts.
The attack runs in two stages. First, the XSS payload registers a Service Worker for the webmail origin in the victim's browser. A Service Worker is persistent: it survives logout and browser restarts and stays in place until it is unregistered or the site data is cleared, so it keeps working even after Roundcube itself has been patched.
Second, the payload redirects the user to the organization's legitimate webmail login page. Because the Service Worker sits between the page and the network for that origin, it sees the login form's POST request and can read the username and password parameters from it.
Captured credentials are sent to the attacker-controlled host a.mpk-krakow[.]pl, and the original request is then forwarded unchanged so the login succeeds and nothing looks wrong to the user. Since the interception happens inside the browser, TLS offers no protection against it.
Security Updates
Organizations running Roundcube should patch immediately.
CERT Polska recommends updating to the latest releases, 1.6.11 or 1.5.10. The attacks target installations that have missed recent security patches: CVE-2024-42009 itself was fixed in Roundcube 1.6.8 and 1.5.8 in August 2024, so any installation still exploitable is many releases behind, and 1.6.11/1.5.10 also close the more recent CVE-2025-49113 discussed below.
Organizations should immediately search proxy, DNS and firewall logs for connections to the exfiltration domain above and review mail logs for messages with similar subjects or sender details.
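The log review described above, as an added example that is not CERT Polska's or Roundcube's code: a small Node.js script that re-fangs the published indicator, pulls hostnames out of proxy and resolver log lines, and reports which lines and client addresses contacted the exfiltration host or any subdomain of it. The log lines and the field layout (timestamp, source tag, client IP, then the event) are constructed for this example; the parent domain on its own is not flagged because the advisory lists only the subdomain.

```javascript
// Added example; not CERT Polska's or Roundcube's code.
// Scans proxy/DNS log lines for contacts with the credential-exfiltration host
// named in the advisory. Hosts match when equal to the IOC or a subdomain of it.

// Indicator as published (defanged); re-fanged before matching.
const C2_IOC = "a.mpk-krakow[.]pl";

function refang(ioc) {
  return ioc.replace(/\[\.\]/g, ".").toLowerCase();
}

// Constructed sample lines (not real incident data). Layout assumed here:
// <timestamp> <source> <client-ip> <event...>
const SAMPLE_LOGS = [
  "2025-06-10T08:14:02Z proxy 10.0.3.17 TCP_TUNNEL/200 CONNECT a.mpk-krakow.pl:443 HIER_DIRECT/203.0.113.10",
  "2025-06-10T08:14:05Z dns 10.0.3.17 query A a.mpk-krakow.pl.",
  "2025-06-10T08:15:11Z proxy 10.0.3.22 TCP_TUNNEL/200 CONNECT webmail.example.org:443 HIER_DIRECT/198.51.100.5",
  "2025-06-10T08:16:40Z dns 10.0.3.40 query A mpk-krakow.pl.",
  "2025-06-10T08:17:00Z dns 10.0.3.41 query A notmpk-krakow.pl.",
];

// DNS-looking tokens: labels separated by dots, a letters-only TLD, an optional
// trailing dot (FQDN form) and an optional :port, followed by whitespace or end.
const HOST_RE = /\b((?:[a-z0-9-]+\.)+[a-z]{2,})\.?(?::\d+)?(?=\s|$)/gi;

function extractHosts(line) {
  return [...line.matchAll(HOST_RE)].map((m) => m[1].toLowerCase());
}

function hostMatchesIoc(host, ioc) {
  return host === ioc || host.endsWith("." + ioc);
}

// One record per matching line: 1-based line number, matched host, raw line.
function findC2Hits(lines, ioc = refang(C2_IOC)) {
  const hits = [];
  lines.forEach((line, i) => {
    const host = extractHosts(line).find((h) => hostMatchesIoc(h, ioc));
    if (host) hits.push({ lineNo: i + 1, host, line });
  });
  return hits;
}

// Group hits by client address (third field in the assumed layout) so the
// workstations whose browsers carry the Service Worker can be identified.
function clientsByIp(hits) {
  const byIp = {};
  for (const h of hits) {
    const ip = h.line.split(/\s+/)[2];
    if (!byIp[ip]) byIp[ip] = [];
    byIp[ip].push(h.lineNo);
  }
  return byIp;
}

const hits = findC2Hits(SAMPLE_LOGS);
for (const h of hits) console.log(`line ${h.lineNo}: ${h.host}  <- ${h.line}`);
console.log("clients that contacted the IOC:", clientsByIp(hits));
```

Every client address that appears in the output is a browser that most likely has the malicious Service Worker registered; those users need the password reset and Service Worker removal described in the next step, not just the password reset.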
For entities confirmed as targets, CERT Polska recommends forcing password resets for the affected users and manually unregistering any Service Workers registered for the webmail origin in their browsers (for example from the Application tab of the browser developer tools). The order matters: a Service Worker that is still registered will capture the new password at the next login, so a reset on its own does not end the compromise.
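The Service Worker clean-up described above, as an added example that is not CERT Polska's or Roundcube's code. The decision logic is a plain function so it can be exercised outside a browser on constructed registration objects; the browser-side wrapper calls `navigator.serviceWorker.getRegistrations()` from the developer-tools console on the webmail origin and unregisters whatever the logic flags. It assumes a stock Roundcube deployment registers no Service Worker of its own, so `expectedScripts` is empty unless your deployment adds one; the registration objects and URLs in the sample are constructed.

```javascript
// Added example; not CERT Polska's or Roundcube's code.
// Lists and removes Service Workers registered on a webmail origin.

// Decide which registrations are unexpected. `registrations` are
// ServiceWorkerRegistration-like objects (scope, active/waiting/installing
// workers with scriptURL and state); `expectedScripts` lists the script URLs
// your deployment legitimately registers (assumed none for stock Roundcube).
function selectRogueWorkers(registrations, expectedScripts = []) {
  const expected = new Set(expectedScripts.map((u) => new URL(u).href));
  const rogue = [];
  for (const reg of registrations) {
    const worker = reg.active || reg.waiting || reg.installing || null;
    const scriptURL = worker ? worker.scriptURL : null;
    if (scriptURL && expected.has(new URL(scriptURL).href)) continue;
    rogue.push({
      scope: reg.scope,
      scriptURL,                                  // fetch this URL to analyse the worker
      state: worker ? worker.state : "unknown",
    });
  }
  return rogue;
}

// Browser side: run in the DevTools console while on the webmail origin.
// Returns the flagged registrations after attempting to unregister each one.
async function unregisterRogueWorkers(expectedScripts = []) {
  if (typeof navigator === "undefined" || !navigator.serviceWorker) {
    throw new Error("run this in a browser, on the webmail origin");
  }
  const regs = await navigator.serviceWorker.getRegistrations();
  const rogue = selectRogueWorkers(regs, expectedScripts);
  for (const reg of regs) {
    if (rogue.some((r) => r.scope === reg.scope)) {
      const ok = await reg.unregister();        // resolves to true on success
      console.log(`${ok ? "unregistered" : "FAILED to unregister"} ${reg.scope}`);
    }
  }
  return rogue;
}

// Constructed registrations for offline demonstration (not real artefacts):
// one worker the deployment knows about and one nobody can account for.
const SAMPLE_REGISTRATIONS = [
  {
    scope: "https://webmail.example.org/pwa/",
    active: { scriptURL: "https://webmail.example.org/pwa/worker.js", state: "activated" },
  },
  {
    scope: "https://webmail.example.org/",
    active: { scriptURL: "https://webmail.example.org/unknown-worker.js", state: "activated" },
  },
];

const KNOWN_WORKERS = ["https://webmail.example.org/pwa/worker.js"];
for (const r of selectRogueWorkers(SAMPLE_REGISTRATIONS, KNOWN_WORKERS)) {
  console.log(`rogue worker: scope=${r.scope} script=${r.scriptURL} state=${r.state}`);
}
```

Two caveats when running this for real. Service Worker registrations are per browser profile, so the script has to be run in each affected user's browser, not once per organization; Chrome's `chrome://serviceworker-internals` and Firefox's `about:serviceworkers` pages show the same registrations if you prefer a UI. And `unregister()` removes the registration but does not stop the worker from controlling webmail tabs that are already open, so close or reload every webmail tab afterwards, then have the user log in with the new password.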
The report coincides with the disclosure of another critical Roundcube flaw, CVE-2025-49113, which lets an authenticated attacker execute code on the webmail server and potentially take it over entirely.
While no active exploitation had been observed at the time of the report, the two issues chain naturally: credentials stolen through the Service Worker give an attacker exactly the authenticated session that CVE-2025-49113 requires, turning a credential-theft campaign into full server compromise. That prospect is a strong reason to treat the Roundcube upgrade and the credential review as urgent rather than routine.
The post Hackers Exploit Roundcube Vulnerability to Steal User Credentials appeared first on Cyber Security News.
