Users of Roundcube, Horde, MDaemon, and Zimbra Fall Prey to XSS Attacks
By Netvora Tech News
Antivirus firm ESET has revealed that users of webmail services from Roundcube, Horde, MDaemon, and Zimbra have been targeted by cross-site scripting (XSS) attacks. The attacks aimed to steal login credentials, contacts, login history, and email messages. In the case of MDaemon, the attackers also attempted to steal two-factor authentication secrets.
How the Attacks Worked
The attacks began with spear-phishing emails containing malicious code. When the target opened the email, malicious JavaScript was injected into the webmail page and stole sensitive information. According to ESET, the attacks were directed at governments in Africa, Europe, and South America, as well as European defense companies.
Timeline of the Attacks
The attacks took place in 2023 and 2024, with the last reported incident occurring in December. The vulnerabilities in Horde, Roundcube, and Zimbra were already known and updates were available, but not all system administrators had installed them. In the case of MDaemon, no update was available at the time of the attack.
Why Webmail Servers are a Prime Target
According to ESET, webmail servers like Roundcube and Zimbra are a popular target for spy groups. "Many organizations fail to keep their webmail servers up-to-date, and since the vulnerabilities can be exploited remotely by sending an email, it's an attractive target for attackers to steal email and other sensitive information."
Prevention is Key
To prevent such attacks, it is essential to keep webmail servers up to date with the latest security patches and to implement robust security measures. Users should also be cautious when opening emails from unknown senders and should avoid clicking on suspicious links or downloading attachments from untrusted sources. Because the malicious JavaScript in these attacks ran when the target opened the email, server-side patching is the control that addresses the flaw itself.