Categories: Cyber Security News

Hackers Exploit Roundcube Vulnerability to Steal User Credentials

Threat actors successfully exploited the CVE-2024-42009 vulnerability in Roundcube webmail systems.

CERT Polska has identified a sophisticated spear phishing campaign targeting Polish organizations this week, where

The attack, attributed to UNC1151 with high confidence, demonstrates an alarming evolution in email-based cyber threats, utilizing JavaScript execution capabilities to harvest user credentials through malicious Service Workers deployed directly in victims’ browsers.

The campaign specifically targeted Polish entities through convincing invoice-themed emails designed to trigger immediate action from recipients.

The malicious messages carried subjects such as “[!IMPORTANT] Invoice to reservation number: S2500650676” and contained seemingly legitimate business correspondence requesting invoice processing for travel reservations.

According to CERT Polska’s analysis, the attackers demonstrated sophisticated social engineering techniques, crafting emails that appeared to originate from legitimate business sources.

The messages included detailed company information, Polish addresses, and tax identification numbers to enhance credibility and bypass initial scrutiny from recipients.

Security researchers have attributed this campaign to UNC1151, a threat group associated with Belarusian government operations according to Mandiant and Google publications, though other intelligence sources suggest connections to Russian intelligence services.

This marks the first recorded exploitation attempt of CVE-2024-42009 by this particular threat actor, representing a notable tactical evolution in their attack methodology.

Roundcube Vulnerability

The exploitation mechanism leverages CVE-2024-42009, a vulnerability in Roundcube’s HTML sanitization process that allows arbitrary JavaScript execution when victims simply open specially crafted email messages.

This represents a significant escalation from traditional phishing attacks that typically require user interaction beyond viewing the email content.

The attack unfolds through a sophisticated two-stage process. Initially, malicious code exploits the Roundcube vulnerability to install a Service Worker in the victim’s browser, effectively establishing persistent presence within the web application environment.

Subsequently, users are redirected to their organization’s legitimate webmail login page, where the installed Service Worker intercepts and captures authentication credentials in real time.

The malicious code demonstrates advanced technical capabilities, utilizing browser Service Worker functionality to monitor POST requests and extract username and password parameters.

Captured credentials are then transmitted to attacker-controlled infrastructure, specifically the domain a.mpk-krakow[.]pl, while simultaneously allowing legitimate login processes to proceed normally, maintaining operational stealth.

Security Updates

Security experts emphasize the critical importance of immediate remediation measures for organizations utilizing Roundcube installations.

CERT Polska strongly recommends updating to the latest available versions (1.6.11 or 1.5.10) to address the exploited vulnerability, as the attacks specifically target outdated installations lacking recent security patches.

Organizations should immediately analyze network logs for connections to the identified command and control domain and review email traffic for similar suspicious messages.

For entities confirmed as targets, experts recommend enforcing password resets for affected users and manually unregistering any installed Service Workers through browser developer tools.
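Two of the triage steps above, checking an installed Roundcube version against the fixed releases and searching proxy logs for contact with the named command and control domain, as an added example that is not CERT Polska's or Roundcube's code. It assumes the fixed versions quoted above (1.6.11 and 1.5.10), that branches newer than 1.6 carry the fix, and a constructed `timestamp client method url` log format.

```python
import re
from typing import Iterable

# Minor branch -> first patched patch level, per the advisory's fixed versions.
FIXED = {(1, 5): 10, (1, 6): 11}
C2_DOMAIN = "a.mpk-krakow.pl"  # written as a.mpk-krakow[.]pl (defanged) in the report

def parse_version(v: str) -> tuple:
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {v!r}")
    return tuple(int(x) for x in m.groups(default="0"))

def is_patched(v: str) -> bool:
    """True if the version is at or above the fixed release for its branch."""
    major, minor, patch = parse_version(v)
    branch = (major, minor)
    if branch in FIXED:
        return patch >= FIXED[branch]
    # Assumption: branches newer than 1.6 ship the fix; older (EOL) branches do not.
    return branch > (1, 6)

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")

def flag_c2_connections(lines: Iterable[str]) -> list:
    """Return entries whose host is the C2 domain or a subdomain of it.

    Matches on the parsed host, not on a substring of the URL, so a look-alike
    such as a.mpk-krakow.pl.example.net is not reported.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = re.sub(r"^https?://", "", m["url"]).split("/", 1)[0].split(":", 1)[0].lower()
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            hits.append({"ts": m["ts"], "client": m["client"], "method": m["method"], "host": host})
    return hits

# Constructed sample proxy lines (not real traffic).
SAMPLE_LOG = [
    "2025-06-10T09:14:02Z 10.0.0.21 GET https://webmail.example.org/?_task=mail",
    "2025-06-10T09:14:05Z 10.0.0.21 POST https://a.mpk-krakow.pl/collect",
    "2025-06-10T09:14:06Z 10.0.0.21 POST https://webmail.example.org/?_task=login",
    "2025-06-10T09:15:11Z 10.0.0.33 GET https://a.mpk-krakow.pl.example.net/",
]

if __name__ == "__main__":
    for v in ("1.6.9", "1.6.11", "1.5.10", "1.4.15"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for hit in flag_c2_connections(SAMPLE_LOG):
        print("C2 contact:", hit)
```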

The discovery coincides with identification of another critical Roundcube vulnerability, CVE-2025-49113, which allows authenticated attackers to execute code and potentially compromise entire webmail servers.

While no active exploitation has been observed, security researchers warn this vulnerability could be combined with credential harvesting attacks to create devastating attack chains, highlighting the urgent need for comprehensive email security assessments across organizational infrastructures.


The post Hackers Exploit Roundcube Vulnerability to Steal User Credentials appeared first on Cyber Security News.
