A sophisticated spear phishing campaign has targeted Polish organizations, with threat actors successfully exploiting the CVE-2024-42009 vulnerability in Roundcube webmail systems.
The attack enables JavaScript execution upon opening malicious emails, leading to credential theft through an advanced Service Worker-based approach.
Security researchers attribute this campaign to UNC1151, a threat group associated with Belarusian government operations and potentially Russian intelligence services, marking their first recorded exploitation of this specific vulnerability.
Roundcube Vulnerability Exploited
According to CERT Polska reports, the attack leverages CVE-2024-42009, a critical vulnerability in Roundcube that allows arbitrary JavaScript execution when users open specially crafted email messages.
The vulnerability stems from inadequate HTML sanitization processes that fail to properly remove dangerous elements and attributes capable of executing malicious code.
The attackers employed a two-stage JavaScript payload delivery mechanism. The initial exploit code is embedded within the email’s HTML structure:
This code exploits the CSS animation functionality to execute JavaScript that registers a Service Worker in the victim’s browser.
Service Workers are legitimate browser features that allow JavaScript to run in the background and intercept network requests, making them particularly effective for credential harvesting operations.
The second stage involves the Service Worker capturing authentication attempts through event listeners:
This sophisticated approach allows attackers to maintain persistence and capture credentials without disrupting normal user authentication flows.
Security analysts have attributed this campaign to UNC1151 with high confidence based on technical indicators and operational patterns.
UNC1151 is a threat cluster previously linked to Belarusian government operations, with some intelligence sources suggesting connections to Russian intelligence services.
The campaign utilized convincing social engineering tactics, employing urgent invoice-related subjects such as “[!IMPORTANT] Invoice to reservation number: S2500650676” to encourage immediate user interaction.
The emails masqueraded as legitimate business communications requesting invoice processing for travel reservations, targeting Polish entities specifically.
Additionally, researchers have identified CVE-2025-49113, a newly discovered Roundcube vulnerability that allows authenticated attackers to execute code and potentially compromise entire webmail servers.
While not yet observed in active exploitation, this vulnerability could create devastating attack chains when combined with credential harvesting techniques.
Mitigation
Organizations utilizing Roundcube must immediately update to the latest versions (1.6.11 or 1.5.10) to address the exploited vulnerability.
The attack specifically targets outdated installations that lack recent security patches.
Organizations must also unregister any installed Service Workers by navigating to webmail websites, opening developer tools (F12), accessing Applications → Service Workers, and clicking Unregister.
Affected users should be required to reset their passwords, and their account activity should be comprehensively reviewed.
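The Service Worker cleanup described above can also be run from the browser's developer console on the webmail origin. This is an added example, not code from the article or from CERT Polska: `auditServiceWorkers` and its `allowedScripts` option are assumed names, and the `container` parameter exists only so the function can be exercised offline with an object shaped like `navigator.serviceWorker`.

```javascript
// Added example: list every Service Worker registered for the current origin
// and, when asked, unregister those not on an allow-list. The article treats
// any registration on the webmail origin as attacker-installed, so the
// default allow-list is empty.
async function auditServiceWorkers(container, options = {}) {
  const { unregister = false, allowedScripts = [] } = options;
  const registrations = await container.getRegistrations();
  const report = [];
  for (const reg of registrations) {
    // A registration keeps its worker in one of three lifecycle slots.
    const worker = reg.active || reg.waiting || reg.installing;
    const scriptURL = worker ? worker.scriptURL : null;
    const expected = allowedScripts.includes(scriptURL);
    let removed = false;
    if (unregister && !expected) {
      // unregister() resolves to true when the registration was removed.
      removed = await reg.unregister();
    }
    report.push({ scope: reg.scope, scriptURL, expected, removed });
  }
  return report;
}

// Browser usage (paste into the console while on the webmail origin):
// a first dry run lists what is registered, the second pass removes it.
if (typeof navigator !== 'undefined' && navigator.serviceWorker) {
  auditServiceWorkers(navigator.serviceWorker, { unregister: false })
    .then((report) => console.log(JSON.stringify(report, null, 2)));
}
```

Run the dry run first and record the scope and script URL of every registration as an artifact for the incident review before unregistering.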
IoC
Indicator | Value
Sender addresses | irina.vingriena@gmail[.]com, julitaszczepanska38@gmail[.]com
SMTP source address | 2001:67c:e60:c0c:192:42:116:216
Email subject | [!WAZNE] Faktura do numeru rezerwacji: S2500650676
Attached JS file (SHA-256, name) | 70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149, Delivery report
Credential harvesting domain used by the attacker | a.mpk-krakow[.]pl
The post Hackers Exploiting Roundcube Vulnerability to Steal User Credentials appeared first on Cyber Security News.