Alternatives to Microsoft Outlook webmail come under attack in Europe

“Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern,” said ESET’s Faou. “Because many organizations don’t keep their webmail servers up to date, and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft.”

The most important thing for CISOs is to keep the webmail applications up to date, he said. “While we do mention in our research the use of zero-day vulnerabilities, in most of the incidents we analyzed, only known vulnerabilities, which had been patched for months, were used. Another hardening avenue, but probably too extreme for most organizations, is to forbid HTML content in emails, and just display raw text. However, this would prevent the use some functionalities such as text formatting (bold, italic, etc.) or the inclusion of hyperlinks.”

Webmail can be described as a website that displays untrusted HTML content in a browser, he said. While most webmail systems sanitize the content to remove harmful HTML elements, which could execute JavaScript code, ESET’s research shows that the sanitizers are not without flaws and that attackers are able to bypass them. As a result, he said, by sending a specially crafted email, attackers are able to execute arbitrary JavaScript code in the context of their target’s browser. While this doesn’t lead to the compromise of the computer, he pointed out, executing JavaScript code in the context of the browser enables to steal information from the mailbox, for example, emails or the list of contacts.