“Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern,” said ESET’s Faou. “Because many organizations don’t keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft.”
The most important thing for CISOs is to keep the webmail applications up to date, he said. “While we do mention in our research the use of zero-day vulnerabilities, in most of the incidents we analyzed, only known vulnerabilities, which had been patched for months, were used. Another hardening avenue, but probably too extreme for most organizations, is to forbid HTML content in emails, and just display raw text. However, this would prevent the use of some functionalities such as text formatting (bold, italic, etc.) or the inclusion of hyperlinks.”
Webmail can be described as a website that displays untrusted HTML content in a browser, he said. While most webmail systems sanitize the content to remove harmful HTML elements, which could execute JavaScript code, ESET’s research shows that the sanitizers are not without flaws and that attackers are able to bypass them. As a result, he said, by sending a specially crafted email, attackers are able to execute arbitrary JavaScript code in the context of their target’s browser. While this doesn’t lead to the compromise of the computer, he pointed out, executing JavaScript code in the context of the browser makes it possible to steal information from the mailbox, for example, emails or the list of contacts.